npm - @contrast/protect - Versions diffs - 1.54.2 → 1.56.0 - Mend

@contrast/protect 1.54.2 → 1.56.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/lib/{make-response-blocker.js → blocker.js} +20 -17
package/lib/error-handlers/common-handler.js +1 -1
package/lib/error-handlers/install/express.js +1 -1
package/lib/error-handlers/install/fastify.js +1 -1
package/lib/error-handlers/install/koa2.js +1 -1
package/lib/error-handlers/install/restify.js +1 -1
package/lib/index.d.ts +3 -3
package/lib/index.js +1 -1
package/lib/input-analysis/index.js +4 -0
package/lib/input-analysis/install/fastify-send.js +52 -0
package/lib/input-analysis/install/http.js +1 -1
package/lib/input-analysis/install/send.js +45 -0
package/lib/make-source-context.js +1 -1
package/package.json +12 -12

package/lib/{make-response-blocker.js → blocker.js} RENAMED Viewed

@@ -27,32 +27,35 @@ module.exports = function(core) {
   const blocked = new WeakSet();
   const { patcher, logger } = core;
-  function makeResponseBlocker(res) {
-    return function block(mode, ruleId) {
-      if (blocked.has(res)) return;
+  class Blocker {
+    #res;
-      blocked.add(res);
+    constructor(response) {
+      this.#res = response;
+      this._blocked = blocked; //expose for testing
+    }
+    block(mode, ruleId) {
+      if (blocked.has(this.#res)) return;
+      blocked.add(this.#res);
       mode = StringPrototypeToUpperCase.call(mode);
-      const end = patcher.unwrap(res.end);
-      const writeHead = patcher.unwrap(res.writeHead);
+      const end = patcher.unwrap(this.#res.end);
+      const writeHead = patcher.unwrap(this.#res.writeHead);
       try {
-        clearTimeout(res[kMetrics]?.timeout);
-        delete res[kMetrics];
+        clearTimeout(this.#res[kMetrics]?.timeout);
+        delete this.#res[kMetrics];
-        if (!res.headersSent) writeHead.call(res, 403);
-        end.call(res, '');
+        if (!this.#res.headersSent) writeHead.call(this.#res, 403);
+        end.call(this.#res, '');
         logger.info({ mode, ruleId }, 'Request blocked');
       } catch (err) {
         logger.error({ err, mode, ruleId }, 'Error blocking request');
       }
-    };
+    }
   }
+  core.protect.Blocker = Blocker;
-  // expose. for testing?
-  makeResponseBlocker.blocked = blocked;
-  core.protect.makeResponseBlocker = makeResponseBlocker;
-  return makeResponseBlocker;
+  return Blocker;
 };

package/lib/error-handlers/common-handler.js CHANGED Viewed

@@ -35,6 +35,6 @@ module.exports = function (core) {
     }
     const blockInfo = sourceContext.securityException;
-    sourceContext.block(...blockInfo);
+    sourceContext.blocker.block(...blockInfo);
   };
 };

package/lib/error-handlers/install/express.js CHANGED Viewed

@@ -35,7 +35,7 @@ module.exports = function (core) {
     if (isSecurityException && sourceContext) {
       const blockInfo = sourceContext.securityException;
-      sourceContext.block(...blockInfo);
+      sourceContext.blocker.block(...blockInfo);
       return;
     }

package/lib/error-handlers/install/fastify.js CHANGED Viewed

@@ -63,7 +63,7 @@ module.exports = function (core) {
         normalHandler.call(this, err, request, reply);
       } else {
         const blockInfo = sourceContext.securityException;
-        sourceContext.block(...blockInfo);
+        sourceContext.blocker.block(...blockInfo);
       }
     } else {
       normalHandler.call(this, err, request, reply);

package/lib/error-handlers/install/koa2.js CHANGED Viewed

@@ -47,7 +47,7 @@ module.exports = function (core) {
               if (isSecurityException && sourceContext) {
                 data.obj.body = '';
                 const blockInfo = sourceContext.securityException;
-                sourceContext.block(...blockInfo);
+                sourceContext.blocker.block(...blockInfo);
                 return;
               }

package/lib/error-handlers/install/restify.js CHANGED Viewed

@@ -38,7 +38,7 @@ module.exports = function init(core) {
                   return;
                 }
-                sourceContext.block(...sourceContext.securityException);
+                sourceContext.blocker.block(...sourceContext.securityException);
                 return;
               }

package/lib/index.d.ts CHANGED Viewed

@@ -13,7 +13,7 @@
  * way not consistent with the End User License Agreement.
  */
-import { ReqData, ProtectMessage, ResultMap, ProtectRuleMode } from '@contrast/common';
+import { ReqData, ProtectMessage, ResultMap, ProtectRuleMode, Blocker } from '@contrast/common';
 import { IncomingMessage, ServerResponse } from 'node:http';
 import * as http from 'node:http';
 import * as https from 'node:https';
@@ -25,7 +25,7 @@ type Https = typeof https;
 export type Block = (mode: string, ruleId: string) => void;
 export interface ProtectRequestStore {
   reqData: ReqData;
-  block: Block;
+  blocker: Blocker;
   rules: Record<Rule, { mode: ProtectRuleMode }>;
   exclusions: any[]; // TODO
   virtualPatches: any[]; // TODO
@@ -56,7 +56,7 @@ export interface ExclusionPolicy {
 export type ProtectPolicy = ExclusionPolicy & Record<rule, ProtectRuleMode> & { rulesMask: number };
 export interface Protect {
-  makeResponseBlocker: (res: ServerResponse) => Block,
+  Blocker: Blocker,
   makeSourceContext: (req: IncomingMessage, res: ServerResponse) => ProtectRequestStore,
   throwSecurityException: (sourceContext: ProtectRequestStore) => void,
   policy: ProtectPolicy,

package/lib/index.js CHANGED Viewed

@@ -26,7 +26,7 @@ module.exports = function(core) {
   require('./policy')(core);
   require('./throw-security-exception')(core);
-  require('./make-response-blocker')(core);
+  require('./blocker')(core);
   require('./make-source-context')(core);
   require('./get-source-context')(core);
   require('./error-handlers')(core);

package/lib/input-analysis/index.js CHANGED Viewed

@@ -43,6 +43,10 @@ module.exports = function(core) {
   require('./install/hapi')(core);
   require('./install/restify')(core);
+  // no-instrumentation scope wrappers for false positive prevention
+  require('./install/fastify-send')(core);
+  require('./install/send')(core);
   // virtual patches
   require('./virtual-patches')(core);
   require('./ip-analysis')(core);

package/lib/input-analysis/install/fastify-send.js ADDED Viewed

@@ -0,0 +1,52 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../constants');
+module.exports = function (core) {
+  const { depHooks, patcher, scopes: { instrumentation } } = core;
+  return core.protect.inputAnalysis.fastifySendInstrumentation = {
+    install() {
+      const store = { lock: true, name: 'protect:input-analysis:fastify-send' };
+      const around = (next) => {
+        if (!instrumentation.isLocked()) {
+          return instrumentation.run(store, next);
+        }
+        return next();
+      };
+      depHooks.resolve({ name: '@fastify/send', version: '<3', file: 'lib/SendStream.js' }, (SendStream) => {
+        patcher.patch(SendStream.prototype, 'sendFile', {
+          name: '@fastify/send/lib/SendStream.js',
+          patchType,
+          around,
+        });
+      });
+      depHooks.resolve({ name: '@fastify/send', version: '>=3 <5', file: 'lib/send.js' }, (send) => {
+        patcher.patch(send, 'send', {
+          name: '@fastify/send/lib/send.js',
+          patchType,
+          around,
+        });
+      });
+    }
+  };
+};

package/lib/input-analysis/install/http.js CHANGED Viewed

@@ -112,7 +112,7 @@ module.exports = function (core) {
     if (!block) {
       callNext();
     } else {
-      store.protect.block(...block);
+      store.protect.blocker.block(...block);
       logger.debug({ block, funcKey: data.funcKey }, 'request blocked by not emitting request event');
     }
   }

package/lib/input-analysis/install/send.js ADDED Viewed

@@ -0,0 +1,45 @@
+/*
+ * Copyright: 2025 Contrast Security, Inc
+ * Contact: support@contrastsecurity.com
+ * License: Commercial
+ * NOTICE: This Software and the patented inventions embodied within may only be
+ * used as part of Contrast Security’s commercial offerings. Even though it is
+ * made available through public repositories, use of this Software is subject to
+ * the applicable End User Licensing Agreement found at
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+ * between Contrast Security and the End User. The Software may not be reverse
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
+ * way not consistent with the End User License Agreement.
+ */
+'use strict';
+const { patchType } = require('../constants');
+module.exports = function (core) {
+  const { depHooks, patcher, scopes: { instrumentation } } = core;
+  return core.protect.inputAnalysis.sendInstrumentation = {
+    install() {
+      const store = { lock: true, name: 'protect:input-analysis:send' };
+      const around = (next) => {
+        if (!instrumentation.isLocked()) {
+          return instrumentation.run(store, next);
+        }
+        return next();
+      };
+      depHooks.resolve(
+        { name: 'send', version: '<2' },
+        (send) => patcher.patch(send, {
+          name: 'send',
+          patchType,
+          around,
+        })
+      );
+    }
+  };
+};

package/lib/make-source-context.js CHANGED Viewed

@@ -82,7 +82,7 @@ module.exports = function(core) {
         statusCode: null,
       },
       // block closure captures res so it isn't exposed to beyond here
-      block: core.protect.makeResponseBlocker(res),
+      blocker: new core.protect.Blocker(res),
       policy,
       exclusions: [],
       virtualPatchesEvaluators: [],

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.54.2",
+  "version": "1.56.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -20,17 +20,17 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agent-lib": "^9.0.0",
-    "@contrast/common": "1.29.1",
-    "@contrast/config": "1.40.2",
-    "@contrast/core": "1.45.2",
-    "@contrast/dep-hooks": "1.14.2",
-    "@contrast/esm-hooks": "2.19.4",
-    "@contrast/instrumentation": "1.24.2",
-    "@contrast/logger": "1.18.2",
-    "@contrast/patcher": "1.17.2",
-    "@contrast/rewriter": "1.21.4",
-    "@contrast/scopes": "1.15.2",
+    "@contrast/agent-lib": "^9.1.0",
+    "@contrast/common": "1.31.0",
+    "@contrast/config": "1.42.0",
+    "@contrast/core": "1.47.0",
+    "@contrast/dep-hooks": "1.16.0",
+    "@contrast/esm-hooks": "2.21.0",
+    "@contrast/instrumentation": "1.26.0",
+    "@contrast/logger": "1.20.0",
+    "@contrast/patcher": "1.19.0",
+    "@contrast/rewriter": "1.23.0",
+    "@contrast/scopes": "1.17.0",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",