@contrast/protect 1.35.2 → 1.36.1

package/lib/input-analysis/handlers.js

@@ -24,9 +24,9 @@ const {
   traverseKeysAndValues,
   traverseValues,
   InputType,
-  toLowerCase,
-  split,
-  join
+  ArrayPrototypeJoin,
+  StringPrototypeToLowerCase,
+  StringPrototypeSplit,
 } = require('@contrast/common');
 
 //
@@ -595,7 +595,7 @@ module.exports = function (core) {
         const probe = Object.assign({}, resultByRuleId, result, {
           mappedId: result.ruleId,
         });
-        const key = join([
+        const key = ArrayPrototypeJoin.call([
           probe.ruleId,
           probe.inputType,
           ...probe.path,
@@ -725,7 +725,7 @@ module.exports = function (core) {
 
     for (let i = 0; i < reqHeaders.length; i++) {
       if (reqHeaders[i] === 'x-forwarded-for') {
-        const ipsFromHeaders = split(reqHeaders[i + 1], /[,;]+/);
+        const ipsFromHeaders = StringPrototypeSplit.call(reqHeaders[i + 1], /[,;]+/);
         forwardedIps.push(...ipsFromHeaders);
       }
     }
@@ -797,7 +797,7 @@ function isResultExcluded(sourceContext, result) {
     }
     case 'HeaderKey':
     case 'HeaderValue': {
-      if (path[0] && toLowerCase(path[0]) === 'cookie') {
+      if (path[0] && StringPrototypeToLowerCase.call(path[0]) === 'cookie') {
         inputExclusions = exclusions.cookie;
         checkCookiesInHeader = true;
       } else {

package/lib/input-analysis/install/http.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { Event, toLowerCase } = require('@contrast/common');
+const { Event, StringPrototypeToLowerCase } = require('@contrast/common');
 const { patchType } = require('../constants');
 
 module.exports = function (core) {
@@ -94,7 +94,7 @@ module.exports = function (core) {
       const connectInputs = {
         headers: removeCookies(headers),
         uriPath,
-        method: toLowerCase(method),
+        method:StringPrototypeToLowerCase.call(method),
       };
 
       if (inputAnalysis.virtualPatchesEvaluators?.length) {

package/lib/input-analysis/ip-analysis.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { Event, substr } = require('@contrast/common');
+const { Event, StringPrototypeSubstr } = require('@contrast/common');
 const address = require('ipaddr.js');
 
 module.exports = (core) => {
@@ -57,7 +57,7 @@ function ipEntryMap(ipEntry, startTime) {
   const slashIdx = ip.indexOf('/');
   const isCIDR = slashIdx >= 0;
   const ipInstance = isCIDR
-    ? address.process(substr(ip, 0, slashIdx))
+    ? address.process(StringPrototypeSubstr.call(ip, 0, slashIdx))
     : address.process(ip);
 
   const normalizedValue = ipInstance.toNormalizedString();

package/lib/input-analysis/virtual-patches.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { Event, toLowerCase } = require('@contrast/common');
+const { Event, StringPrototypeToLowerCase } = require('@contrast/common');
 
 module.exports = (core) => {
   const {
@@ -47,7 +47,7 @@ function buildVPEvaluators(virtualPatches, evaluatorsArray) {
             acc.push(...entry);
             return acc;
           }, []);
-          const keyIndex = headersArray.indexOf(toLowerCase(name));
+          const keyIndex = headersArray.indexOf(StringPrototypeToLowerCase.call(name));
 
           result = keyIndex !== -1 && evalCheck(headersArray[keyIndex + 1], value);
           if (!result) break;

package/lib/input-tracing/handlers/index.js

@@ -20,7 +20,7 @@ const {
   ProtectRuleMode: { OFF },
   BLOCKING_MODES,
   isString,
-  stringify,
+  JSONStringify,
   traverseKeys,
   traverseKeysAndValues,
   agentLibIDListTypes,
@@ -351,7 +351,7 @@ function handleObjectValue(result, object) {
       obj = obj[value];
       // does the found object in the query equal the saved object?
       if (util.isDeepStrictEqual(obj, result.mongoContext.inputToCheck)) {
-        const start = stringify(object).indexOf(value);
+        const start = JSONStringify(object).indexOf(value);
         const end = start + value.length;
         const inputBoundaryIndex = 0;
         findings = { start, end, boundaryOverrunIndex: start, inputBoundaryIndex };

package/lib/make-response-blocker.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { toUpperCase } = require('@contrast/common');
+const { StringPrototypeToUpperCase } = require('@contrast/common');
 
 module.exports = function(core) {
   // i think this should be a weakset. we don't want to accumulate
@@ -29,7 +29,7 @@ module.exports = function(core) {
       if (blocked.has(res)) return;
 
       blocked.add(res);
-      mode = toUpperCase(mode);
+      mode = StringPrototypeToUpperCase.call(mode);
       const end = patcher.unwrap(res.end);
       const writeHead = patcher.unwrap(res.writeHead);
 

package/lib/make-source-context.js

@@ -15,7 +15,7 @@
 
 'use strict';
 
-const { toLowerCase, slice } = require('@contrast/common');
+const { StringPrototypeToLowerCase, StringPrototypeSlice } = require('@contrast/common');
 
 module.exports = function(core) {
   const {
@@ -36,8 +36,8 @@ module.exports = function(core) {
     const ix = req.url.indexOf('?');
 
     if (ix >= 0) {
-      uriPath = slice(req.url, 0, ix);
-      queries = slice(req.url, ix + 1);
+      uriPath = StringPrototypeSlice.call(req.url, 0, ix);
+      queries = StringPrototypeSlice.call(req.url, ix + 1);
     } else {
       uriPath = req.url;
       queries = '';
@@ -55,10 +55,10 @@ module.exports = function(core) {
     const headers = Array(req.rawHeaders.length);
 
     for (let i = 0; i < req.rawHeaders.length; i += 2) {
-      headers[i] = toLowerCase(req.rawHeaders[i]);
+      headers[i] = StringPrototypeToLowerCase.call(req.rawHeaders[i]);
       headers[i + 1] = req.rawHeaders[i + 1];
       if (headers[i] === 'content-type') {
-        contentType = toLowerCase(headers[i + 1]);
+        contentType = StringPrototypeToLowerCase.call(headers[i + 1]);
       }
     }
 

package/lib/policy.js

@@ -19,9 +19,9 @@ const {
   Rule,
   ProtectRuleMode,
   Event,
-  toLowerCase,
-  split,
-  join
+  ArrayPrototypeJoin,
+  StringPrototypeToLowerCase,
+  StringPrototypeSplit,
 } = require('@contrast/common');
 const { ConfigSource } = require('@contrast/config');
 
@@ -88,7 +88,7 @@ module.exports = function (core) {
       }
     }
     if (regExpNeeded) {
-      const rx = new RegExp(`^${join(urls, '|')}$`);
+      const rx = new RegExp(`^${ArrayPrototypeJoin.call(urls, '|')}$`);
 
       return (uriPath) => rx ? rx.test(uriPath) : false;
     }
@@ -305,7 +305,7 @@ module.exports = function (core) {
       exclusionDtm.type = exclusionDtm.type || 'URL';
 
       const { name, protect_rules, urls, type } = exclusionDtm;
-      const key = toLowerCase(type);
+      const key = StringPrototypeToLowerCase.call(type);
 
       if (!compiled[key]) continue;
 
@@ -340,8 +340,8 @@ module.exports = function (core) {
         }
         if (key === 'cookie') {
           e.checkCookieInHeader = (cookieHeader) => {
-            for (const cookiePair of split(cookieHeader, ';')) {
-              const cookieKey = split(cookiePair, '=')[0];
+            for (const cookiePair of StringPrototypeSplit.call(cookieHeader, ';')) {
+              const cookieKey = StringPrototypeSplit.call(cookiePair, '=')[0];
               if (e.matchesInputName(cookieKey)) {
                 return true;
               }

package/lib/semantic-analysis/handlers.js

@@ -21,7 +21,7 @@ const {
   ProtectRuleMode: { OFF },
   InputType,
   traverseValues,
-  replace
+  StringPrototypeReplace,
 } = require('@contrast/common');
 
 const {
@@ -29,7 +29,7 @@ const {
 } = require('./utils/xml-analysis');
 
 const SINK_EXPLOIT_PATTERN_START = /(?:^|\\|\/)(?:sh|bash|zsh|ksh|tcsh|csh|fish|cmd)/;
-const stripWhiteSpace = (str) => replace(str, /\s/g, '');
+const stripWhiteSpace = (str) => StringPrototypeReplace.call(str, /\s/g, '');
 
 const getRuleResults = function(obj, prop) {
   return obj[prop] || (obj[prop] = []);

package/lib/semantic-analysis/utils/xml-analysis.js

@@ -14,7 +14,7 @@
  */
 'use strict';
 
-const { substr, toLowerCase } = require('@contrast/common');
+const { StringPrototypeSubstr, StringPrototypeToLowerCase } = require('@contrast/common');
 
 const PROTOCOLS = {
   FTP: 'FTP',
@@ -23,9 +23,9 @@ const PROTOCOLS = {
   TCP: 'TCP'
 };
 
-const FTP = `${toLowerCase(PROTOCOLS.FTP)}:`;
-const HTTP = `${toLowerCase(PROTOCOLS.HTTP)}:`;
-const HTTPS = `${toLowerCase(PROTOCOLS.HTTPS)}:`;
+const FTP = `${StringPrototypeToLowerCase.call(PROTOCOLS.FTP)}:`;
+const HTTP = `${StringPrototypeToLowerCase.call(PROTOCOLS.HTTP)}:`;
+const HTTPS = `${StringPrototypeToLowerCase.call(PROTOCOLS.HTTPS)}:`;
 const DTD_EXTENSION = '.dtd';
 const FILE_START = 'file:';
 const GOPHER_START = 'gopher:';
@@ -101,7 +101,7 @@ module.exports.findExternalEntities = function(xml = '') {
 
   return {
     entities,
-    prolog: len && substr(xml, 0, entities[len - 1].finish) || null
+    prolog: len && StringPrototypeSubstr.call(xml, 0, entities[len - 1].finish) || null
   };
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.35.2",
+  "version": "1.36.1",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -11,17 +11,17 @@
   "types": "lib/index.d.ts",
   "engines": {
     "npm": ">=6.13.7 <7 || >= 8.3.1",
-    "node": ">= 14.18.0"
+    "node": ">= 16.9.1"
   },
   "scripts": {
     "test": "../scripts/test.sh"
   },
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
-    "@contrast/common": "1.20.1",
-    "@contrast/config": "1.27.1",
-    "@contrast/core": "1.31.2",
-    "@contrast/esm-hooks": "2.5.2",
+    "@contrast/common": "1.21.1",
+    "@contrast/config": "1.28.1",
+    "@contrast/core": "1.32.1",
+    "@contrast/esm-hooks": "2.6.1",
     "@contrast/scopes": "1.4.1",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.3.7"