@contrast/protect 1.56.0 → 1.58.0

package/lib/input-analysis/index.js

@@ -21,7 +21,7 @@ module.exports = function(core) {
   const inputAnalysis = core.protect.inputAnalysis = {};
 
   // inputAnalysis handlers
-  require('./handlers')(core);
+  core.initComponentSync(require('./handlers'));
 
   // http(s) modules instrumentation
   require('./install/http')(core);

package/lib/input-tracing/handlers/index.js

@@ -328,7 +328,7 @@ module.exports = function(core) {
  * @returns {AnalysisResult[]}
  */
 function getResultsByRuleId(ruleId, context) {
-  if (context.policy[ruleId] === OFF) {
+  if (!context.policy || context.policy[ruleId] === OFF) {
     return;
   }
   // because agent-lib stores all nosql-injection results under nosql-injection-mongo

package/lib/input-tracing/install/fs.js

@@ -36,7 +36,7 @@ module.exports = function init(core) {
     // obtain the Protect sourceContext
     const sourceContext = core.protect.getSourceContext();
 
-    if (!sourceContext) return;
+    if (!sourceContext || sourceContext.allowed) return;
 
     // build list of values on which to perform INPUT TRACING
     const values = getValues(indices, args);

package/lib/make-source-context.js

@@ -22,7 +22,13 @@ module.exports = function(core) {
     protect: { getPolicy }
   } = core;
 
+  const disabledPolicy = { allowed: true };
+
   function makeSourceContext(req, res) {
+    if (!core.config.getEffectiveValue('protect.enable')) {
+      return disabledPolicy;
+    }
+
     // make the abstract request. it is an abstraction of a request that
     // contains only the pieces of the request required by handlers. this
     // is done to make an explicit contract for data that is required by
@@ -47,7 +53,7 @@ module.exports = function(core) {
 
     // URL exclusions can disable all rules
     if (!policy || policy.rulesMask === 0) {
-      return { allowed: true };
+      return disabledPolicy;
     }
 
     // lowercase header keys and capture content-type

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.56.0",
+  "version": "1.58.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,16 +21,16 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^9.1.0",
-    "@contrast/common": "1.31.0",
-    "@contrast/config": "1.42.0",
-    "@contrast/core": "1.47.0",
-    "@contrast/dep-hooks": "1.16.0",
-    "@contrast/esm-hooks": "2.21.0",
-    "@contrast/instrumentation": "1.26.0",
-    "@contrast/logger": "1.20.0",
-    "@contrast/patcher": "1.19.0",
-    "@contrast/rewriter": "1.23.0",
-    "@contrast/scopes": "1.17.0",
+    "@contrast/common": "1.32.0",
+    "@contrast/config": "1.44.0",
+    "@contrast/core": "1.49.0",
+    "@contrast/dep-hooks": "1.18.0",
+    "@contrast/esm-hooks": "2.23.0",
+    "@contrast/instrumentation": "1.28.0",
+    "@contrast/logger": "1.22.0",
+    "@contrast/patcher": "1.21.0",
+    "@contrast/rewriter": "1.25.0",
+    "@contrast/scopes": "1.19.0",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",