@contrast/protect 1.12.0 → 1.12.1

package/lib/input-analysis/handlers.js

@@ -220,7 +220,7 @@ module.exports = function(core) {
           key: path.pop(), // there should always be at least the param name
           value,
           score: item.score,
-          idsList: [],
+          idsList: item.idsList
         });
       }
     });

package/lib/input-tracing/handlers/index.js

@@ -142,7 +142,6 @@ module.exports = function(core) {
       }
     }
 
-
     if (stringInjectionResults) {
       let stringFindings = null;
 
@@ -325,7 +324,10 @@ function handleStringValue(result, cmd, agentLib) {
       inputBoundaryIndex: 0,
     };
   } else {
-    const isAttack = agentLib.checkSsjsInjectionSink(cmd, inputIndex, result.value.length);
+    // This is a temporary workaround, while `agent-lib` fixes
+    // the `checkSsjsInjectionSink` so it can detect the "TRUE-CLAUSE-1" correctly
+    // TODO: NODE-2897
+    const isAttack = result.idsList.includes('TRUE-CLAUSE-1') || agentLib.checkSsjsInjectionSink(cmd, inputIndex, result.value.length);
     if (!isAttack) return findings;
 
     findings = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.12.0",
+  "version": "1.12.1",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,10 +17,10 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agent-lib": "^5.3.0",
-    "@contrast/common": "1.3.1",
-    "@contrast/core": "1.10.1",
-    "@contrast/esm-hooks": "1.6.1",
+    "@contrast/agent-lib": "^5.3.1",
+    "@contrast/common": "1.3.2",
+    "@contrast/core": "1.10.2",
+    "@contrast/esm-hooks": "1.6.2",
     "@contrast/scopes": "1.2.0",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"