@contrast/protect 1.12.0 → 1.12.2

@@ -220,7 +220,7 @@ module.exports = function(core) {
220
220
  key: path.pop(), // there should always be at least the param name
221
221
  value,
222
222
  score: item.score,
223
- idsList: [],
223
+ idsList: item.idsList
224
224
  });
225
225
  }
226
226
  });
@@ -142,7 +142,6 @@ module.exports = function(core) {
142
142
  }
143
143
  }
144
144
 
145
-
146
145
  if (stringInjectionResults) {
147
146
  let stringFindings = null;
148
147
 
@@ -325,7 +324,10 @@ function handleStringValue(result, cmd, agentLib) {
325
324
  inputBoundaryIndex: 0,
326
325
  };
327
326
  } else {
328
- const isAttack = agentLib.checkSsjsInjectionSink(cmd, inputIndex, result.value.length);
327
+ // This is a temporary workaround, while `agent-lib` fixes
328
+ // the `checkSsjsInjectionSink` so it can detect the "TRUE-CLAUSE-1" correctly
329
+ // TODO: NODE-2897
330
+ const isAttack = result.idsList.includes('TRUE-CLAUSE-1') || agentLib.checkSsjsInjectionSink(cmd, inputIndex, result.value.length);
329
331
  if (!isAttack) return findings;
330
332
 
331
333
  findings = {
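--- a/package/lib/policy.js
+++ b/package/lib/policy.js
@@ -98,6 +98,9 @@ module.exports = function(core) {
  if (config.protect.disabled_rules.includes(ruleId)) {
  return OFF;
  }
+ if (ruleId === 'nosql-injection-mongo') {
+ return config.protect.rules?.[ruleId]?.mode || config.protect.rules?.['nosql-injection']?.mode;
+ }
  return config.protect.rules?.[ruleId]?.mode;
  }
 
@@ -132,12 +135,16 @@ module.exports = function(core) {
  function updateFromProtectionRules(protectionRules) {
  for (const remoteSetting of Object.values(protectionRules)) {
  const { id: ruleId } = remoteSetting;
+ if (ruleId === 'nosql-injection' && !getModeFromConfig('nosql-injection-mongo')) {
+ policy['nosql-injection-mongo'] = readModeFromSetting(remoteSetting);
+ }
 
  if (getModeFromConfig(ruleId)) {
  continue;
  }
 
  policy[ruleId] = readModeFromSetting(remoteSetting);
+
  }
  }
 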
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@contrast/protect",
3
- "version": "1.12.0",
3
+ "version": "1.12.2",
4
4
  "description": "Contrast service providing framework-agnostic Protect support",
5
5
  "license": "SEE LICENSE IN LICENSE",
6
6
  "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,10 +17,10 @@
17
17
  "test": "../scripts/test.sh"
18
18
  },
19
19
  "dependencies": {
20
- "@contrast/agent-lib": "^5.3.0",
21
- "@contrast/common": "1.3.1",
22
- "@contrast/core": "1.10.1",
23
- "@contrast/esm-hooks": "1.6.1",
20
+ "@contrast/agent-lib": "^5.3.1",
21
+ "@contrast/common": "1.3.2",
22
+ "@contrast/core": "1.10.2",
23
+ "@contrast/esm-hooks": "1.6.2",
24
24
  "@contrast/scopes": "1.2.0",
25
25
  "ipaddr.js": "^2.0.1",
26
26
  "semver": "^7.3.7"