@contrast/protect 1.49.0 → 1.51.0

package/lib/input-tracing/install/marsdb.js

@@ -43,7 +43,7 @@ module.exports = function(core) {
   }
 
   function install() {
-    depHooks.resolve({ name: 'marsdb' }, marsdb => {
+    depHooks.resolve({ name: 'marsdb', version: '<1' }, marsdb => {
       methods.forEach((method) => {
         const name = `marsdb.Collection.prototype.${method}`;
 
@@ -52,7 +52,7 @@ module.exports = function(core) {
           patchType,
           pre({ args, hooked, orig }) {
             const value = getCursorQueryData(args);
-            const sourceContext = getSourceContext(name);
+            const sourceContext = getSourceContext();
 
             if (
               !sourceContext ||

package/lib/input-tracing/install/marsdb.test.js

@@ -34,7 +34,7 @@ describe('protect input-tracing marsdb', function () {
       mockMarsDb.Collection.prototype[method] = () => { };
     });
 
-    core.depHooks.resolve.withArgs({ name: 'marsdb' }).yields(mockMarsDb);
+    core.depHooks.resolve.yields(mockMarsDb);
 
     marsdbInstr = require('./marsdb')(core);
   });

package/lib/input-tracing/install/mongodb.js

@@ -142,7 +142,7 @@ module.exports = function(core) {
     const argsIdxsToCheck = vulnerableArgIdxs || [0];
     return function(next, data) {
       const { args, name, hooked, orig } = data;
-      const sourceCtx = getSourceContext(name);
+      const sourceCtx = getSourceContext();
 
       if (instrumentation.isLocked() || !sourceCtx) {
         return next();
@@ -158,7 +158,7 @@ module.exports = function(core) {
   }
 
   instr.install = function() {
-    depHooks.resolve({ name: 'mongodb' }, (mongodb, version) => {
+    depHooks.resolve({ name: 'mongodb', version: '<7' }, (mongodb, version) => {
       patchCollection(mongodb, version);
       patchDatabase(mongodb, version);
     });

package/lib/input-tracing/install/mongodb.test.js

@@ -39,9 +39,7 @@ describe('protect input-tracing mongodb', function() {
     ({ core, simulateRequestScope } = initProtectFixture());
     require('../../get-source-context')(core);
 
-    core.depHooks.resolve
-      .withArgs({ name: 'mongodb' })
-      .yields({ Collection, Db });
+    core.depHooks.resolve.yields({ Collection, Db });
 
     instr = require('./mongodb')(core);
     instr.install();
@@ -247,7 +245,7 @@ describe('protect input-tracing mongodb', function() {
         command() { }
       }
       core.depHooks.resolve
-        .withArgs({ name: 'mongodb' })
+        .withArgs(sinon.match({ name: 'mongodb' }))
         .yields({ Collection, Db }, 'v5.x.x');
 
       const instr = require('./mongodb')(core);

package/lib/input-tracing/install/mssql.js

@@ -27,7 +27,7 @@ module.exports = function (core) {
   } = core;
 
   const pre = ({ args, hooked, name, orig }) => {
-    const sourceContext = protect.getSourceContext(name);
+    const sourceContext = protect.getSourceContext();
     const [value] = args;
     if (!sourceContext || !value || !isString(value)) return;
 
@@ -46,7 +46,7 @@ module.exports = function (core) {
   core.protect.inputTracing.mssqlInstrumentation = {
     install() {
       depHooks.resolve(
-        { name: 'mssql', file: 'lib/base/prepared-statement.js' },
+        { name: 'mssql', version: '<12', file: 'lib/base/prepared-statement.js' },
         (PreparedStatement) => {
           patcher.patch(PreparedStatement.prototype, 'prepare', {
             name: 'mssql.PreparedStatement.prototype.prepare',
@@ -57,7 +57,7 @@ module.exports = function (core) {
       );
 
       depHooks.resolve(
-        { name: 'mssql', file: 'lib/base/request.js' },
+        { name: 'mssql', version: '<12', file: 'lib/base/request.js' },
         (Request) => {
           patcher.patch(Request.prototype, 'batch', {
             name: 'mssql.Request.prototype.batch',

package/lib/input-tracing/install/mssql.test.js

@@ -27,11 +27,11 @@ describe('protect input-tracing mssql', function () {
     Request.prototype.query = sinon.stub();
 
     core.depHooks.resolve
-      .withArgs({ name: 'mssql', file: 'lib/base/prepared-statement.js' })
+      .withArgs(sinon.match({ file: 'lib/base/prepared-statement.js' }))
       .yields(PreparedStatement);
 
     core.depHooks.resolve
-      .withArgs({ name: 'mssql', file: 'lib/base/request.js' })
+      .withArgs(sinon.match({ file: 'lib/base/request.js' }))
       .yields(Request);
 
     require('./mssql')(core).install();

package/lib/input-tracing/install/mysql.js

@@ -40,20 +40,18 @@ module.exports = function(core) {
 
   mysqlInstr.install = function() {
     [
-      { module: 'mysql', file: 'lib/Connection.js', method: 'query' },
-      { module: 'mysql2', file: 'lib/connection.js', method: 'execute' },
-      { module: 'mysql2', file: 'lib/connection.js', method: 'query' }
+      { name: 'mysql', version: '<3', file: 'lib/Connection.js', method: 'query' },
+      { name: 'mysql2', version: '<4', file: 'lib/connection.js', method: 'execute' },
+      { name: 'mysql2', version: '<4', file: 'lib/connection.js', method: 'query' }
     ].forEach(
-      ({ module, file, method }) => {
-        depHooks.resolve({ module, file, method }, conn => {
-          const name = `${module}.Connection.prototype.${method}`;
-
+      ({ name, version, file, method }) => {
+        depHooks.resolve({ name, version, file }, conn => {
           patcher.patch(conn.prototype, method, {
-            name,
+            name: `${name}.Connection.prototype.${method}`,
             patchType,
             pre(data) {
               const { args, hooked, name, orig } = data;
-              const sourceContext = protect.getSourceContext(name);
+              const sourceContext = protect.getSourceContext();
 
               if (!sourceContext) return;
 

package/lib/input-tracing/install/postgres.js

@@ -32,7 +32,7 @@ module.exports = function(core) {
   }
 
   function preHook({ args, hooked, name, orig }) {
-    const sourceContext = protect.getSourceContext(name);
+    const sourceContext = protect.getSourceContext();
 
     if (!sourceContext) return;
 
@@ -49,7 +49,7 @@ module.exports = function(core) {
   }
 
   function install() {
-    depHooks.resolve({ name: 'pg', file: 'lib/client.js' }, client => {
+    depHooks.resolve({ name: 'pg', version: '<9', file: 'lib/client.js' }, client => {
       const name = 'pg.Client.prototype.query';
       patcher.patch(client.prototype, 'query', {
         name,
@@ -58,7 +58,7 @@ module.exports = function(core) {
       });
     });
 
-    depHooks.resolve({ name: 'pg-pool' }, pool => {
+    depHooks.resolve({ name: 'pg-pool', version: '<4' }, pool => {
       const name = 'pg-pool.Pool.prototype.query';
       patcher.patch(pool.prototype, 'query', {
         name,

package/lib/input-tracing/install/postgres.test.js

@@ -31,11 +31,7 @@ describe('protect input-tracing postgres', function () {
     beforeEach(function () {
       Client = function () { };
       Client.prototype.query = sinon.stub();
-      core
-        .depHooks
-        .resolve
-        .withArgs({ name: 'pg', file: 'lib/client.js' })
-        .yields(Client);
+      core.depHooks.resolve.withArgs(sinon.match({ name: 'pg' })).yields(Client);
       require('./postgres')(core).install();
     });
 
@@ -79,11 +75,7 @@ describe('protect input-tracing postgres', function () {
     beforeEach(function () {
       Pool = function () { };
       Pool.prototype.query = sinon.stub();
-      core
-        .depHooks
-        .resolve
-        .withArgs({ name: 'pg-pool' })
-        .yields(Pool);
+      core.depHooks.resolve.withArgs(sinon.match({ name: 'pg-pool' })).yields(Pool);
 
       require('./postgres')(core).install();
     });

package/lib/input-tracing/install/sequelize.js

@@ -33,7 +33,7 @@ module.exports = function(core) {
   }
 
   function install() {
-    depHooks.resolve({ name: 'sequelize' }, sequelize => {
+    depHooks.resolve({ name: 'sequelize', version: '<7' }, sequelize => {
       const name = 'sequelize.prototype.query';
       patcher.patch(sequelize.prototype, 'query', {
         name,
@@ -41,7 +41,7 @@ module.exports = function(core) {
         pre({ args, hooked, name, orig }) {
           if (instrumentation.isLocked()) return;
 
-          const sourceContext = protect.getSourceContext(name);
+          const sourceContext = protect.getSourceContext();
 
           if (!sourceContext || sourceContext.allowed) return;
 

package/lib/input-tracing/install/spdy.js

@@ -27,7 +27,7 @@ module.exports = function(core) {
   } = core;
 
   function install() {
-    depHooks.resolve({ name: 'spdy' }, spdy => {
+    depHooks.resolve({ name: 'spdy', version: '<5' }, spdy => {
       const name = 'spdy.response.end';
       patcher.patch(spdy.response, 'end', {
         name,
@@ -35,7 +35,7 @@ module.exports = function(core) {
         pre({ args, obj: response, hooked }) {
           if (instrumentation.isLocked()) return;
 
-          const sourceContext = protect.getSourceContext(name);
+          const sourceContext = protect.getSourceContext();
 
           if (!sourceContext) return;
 

package/lib/input-tracing/install/sqlite3.js

@@ -28,7 +28,7 @@ module.exports = function(core) {
   } = core;
 
   function install() {
-    depHooks.resolve({ name: 'sqlite3' }, sqlite3 => {
+    depHooks.resolve({ name: 'sqlite3', version: '<6' }, sqlite3 => {
       ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
         const name = `sqlite3.Database.prototype.${method}`;
         patcher.patch(sqlite3.Database.prototype, method, {
@@ -37,7 +37,7 @@ module.exports = function(core) {
           pre({ args, hooked, name, orig }) {
             if (instrumentation.isLocked()) return;
 
-            const sourceContext = protect.getSourceContext(name);
+            const sourceContext = protect.getSourceContext();
             if (!sourceContext) return;
 
             const value = args[0];

package/lib/input-tracing/install/vm.js

@@ -44,7 +44,7 @@ module.exports = function (core) {
   const createPre = (arity) => ({ args, hooked, orig, name }) => {
     if (instrumentation.isLocked()) return;
 
-    const sourceContext = protect.getSourceContext(name);
+    const sourceContext = protect.getSourceContext();
     if (!sourceContext) return;
 
     for (let i = 0; i < arity; i++) {
@@ -62,7 +62,7 @@ module.exports = function (core) {
 
   const vmInstrumentation = inputTracing.vmInstrumentation = {
     install() {
-      depHooks.resolve({ name: 'vm' }, (vm) => {
+      depHooks.resolve({ name: 'vm', version: '*' }, (vm) => {
         VM_METHODS.forEach(([method, arity]) => {
           patcher.patch(vm, method, {
             name: `vm.${method}`,

package/lib/semantic-analysis/install/libxmljs.js

@@ -45,7 +45,7 @@ module.exports = function (core) {
         name,
         patchType,
         pre({ args, hooked, orig, funcKey }) {
-          const sourceContext = protect.getSourceContext(name);
+          const sourceContext = protect.getSourceContext();
           const [value, options] = args;
 
           if (!sourceContext || !value || !isString(value) || checkOptions(options)) {
@@ -78,11 +78,11 @@ module.exports = function (core) {
   protect.semanticAnalysis.libxmljs = {
     install() {
       // libxmljs changed its API in version 1.0.0
-      depHooks.resolve({ name: 'libxmljs', version: '>=1' }, handler(true));
+      depHooks.resolve({ name: 'libxmljs', version: '>=1 <2' }, handler(true));
 
       // libxmljs versions prior to 1.0.0 and libxmljs2 share the same API
       depHooks.resolve({ name: 'libxmljs', version: '<1' }, handler(false));
-      depHooks.resolve({ name: 'libxmljs2' }, handler(false));
+      depHooks.resolve({ name: 'libxmljs2', version: '<1' }, handler(false));
     }
   };
 

package/lib/semantic-analysis/install/libxmljs.test.js

@@ -35,13 +35,13 @@ describe('protect semantic-analysis libxmljs', function () {
     };
 
     core.depHooks.resolve
-      .withArgs({ name: 'libxmljs', version: '>=1' })
+      .withArgs({ name: 'libxmljs', version: '>=1 <2' })
       .yields(modules['libxmljs@1'], { name: 'libxmljs', version: '1.0.9' });
     core.depHooks.resolve
       .withArgs({ name: 'libxmljs', version: '<1' })
       .yields(modules['libxmljs@0'], { name: 'libxmljs', version: '0.19.10' });
     core.depHooks.resolve
-      .withArgs({ name: 'libxmljs2' })
+      .withArgs({ name: 'libxmljs2', version: '<1' })
       .yields(modules.libxmljs2, { name: 'libxmljs2', version: '0.32.0' });
 
     require('../../get-source-context')(core);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.49.0",
+  "version": "1.51.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,20 +18,18 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^7.0.1",
-    "@contrast/common": "1.26.0",
-    "@contrast/config": "1.36.0",
-    "@contrast/core": "1.41.1",
-    "@contrast/dep-hooks": "1.10.0",
-    "@contrast/esm-hooks": "2.15.1",
-    "@contrast/instrumentation": "1.20.0",
-    "@contrast/logger": "1.14.0",
-    "@contrast/patcher": "1.13.0",
-    "@contrast/rewriter": "1.17.1",
-    "@contrast/scopes": "1.11.0",
+    "@contrast/common": "1.28.0",
+    "@contrast/config": "1.38.0",
+    "@contrast/core": "1.43.0",
+    "@contrast/dep-hooks": "1.12.0",
+    "@contrast/esm-hooks": "2.17.0",
+    "@contrast/instrumentation": "1.22.0",
+    "@contrast/logger": "1.16.0",
+    "@contrast/patcher": "1.15.0",
+    "@contrast/rewriter": "1.19.0",
+    "@contrast/scopes": "1.13.0",
+    "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "semver": "^7.6.0"
-  },
-  "optionalDependencies": {
-    "async-hook-domain": "^3.0.2"
   }
 }

package/lib/error-handlers/install/express4.js

@@ -1,138 +0,0 @@
-/*
- * Copyright: 2024 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-
-'use strict';
-
-const SecurityException = require('../../security-exception');
-const { patchType } = require('../constants');
-
-
-module.exports = function (core) {
-  const {
-    logger,
-    depHooks,
-    patcher,
-    protect,
-  } = core;
-
-  const express4ErrorHandler = protect.errorHandlers.express4ErrorHandler = {};
-
-  function aroundFn(name) {
-    return function around(orig, data) {
-      const [err] = data.args;
-      const sourceContext = protect.getSourceContext(name);
-      const isSecurityException = SecurityException.isSecurityException(err);
-
-      if (isSecurityException && sourceContext) {
-        const blockInfo = sourceContext.securityException;
-
-        sourceContext.block(...blockInfo);
-        return;
-      }
-
-      if (!sourceContext && isSecurityException) {
-        logger.info({ funcKey: data.funcKey }, 'source context not found; unable to handle response');
-      }
-      return orig();
-    };
-  }
-
-  express4ErrorHandler.install = function () {
-    depHooks.resolve({ name: 'finalhandler' }, (finalhandler) =>
-      patcher.patch(finalhandler, {
-        name: 'finalHandler',
-        patchType,
-        post(data) {
-          data.result = patcher.patch(data.result, {
-            name: 'finalHandler.returnedFunction',
-            patchType,
-            around: aroundFn('finalHandler')
-          });
-        },
-      })
-    );
-
-    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }, (Layer) => {
-      patcher.patch(Layer.prototype, 'handle_error', {
-        name: 'Layer.prototype.handle_error',
-        patchType,
-        around: aroundFn('express.Layer.handle_error')
-      });
-
-      // This should be revisited after the research ticket NODE-2556
-      Object.defineProperty(Layer.prototype, 'handle', {
-        enumerable: true,
-        configurable: true,
-        get() {
-          return this.__handle;
-        },
-        set(fn) {
-          fn = patchFn(fn);
-          this.__handle = fn;
-        },
-      });
-    });
-
-    // This should be revisited after the research ticket NODE-2556
-    depHooks.resolve({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/index.js' }, (Router) => {
-      patcher.patch(Router.prototype.constructor, 'param', {
-        name: 'Router.prototype.constructor.param',
-        patchType,
-        pre({ args }) {
-          if (typeof args[1] === 'function') {
-            args[1] = patchFn(args[1]);
-          }
-        }
-      });
-    });
-
-    // This should be revisited after the research ticket NODE-2556
-    function patchFn(fn) {
-      return patcher.patch(fn, {
-        name: 'express.route-handler',
-        patchType,
-        around(orig, data) {
-          const ret = orig();
-          if (ret && ret.catch) {
-            return ret.catch((err) => {
-              const sourceContext = protect.getSourceContext();
-              const isSecurityException = SecurityException.isSecurityException(err);
-
-              if (isSecurityException && sourceContext) {
-                const blockInfo = sourceContext.securityException;
-
-                sourceContext.block(...blockInfo);
-                return;
-              }
-
-              if (!sourceContext && isSecurityException) {
-                logger.info({ funcKey: data.funcKey }, 'source context not found; unable to handle response');
-                return;
-              }
-
-              throw err;
-            });
-          }
-
-          return ret;
-        }
-      });
-    }
-
-
-  };
-
-  return express4ErrorHandler;
-};