npm - @contrast/protect - Versions diffs - 1.57.0 → 1.59.0 - Mend

@contrast/protect 1.57.0 → 1.59.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/lib/error-handlers/install/express.js +3 -0
package/lib/get-source-context.js +2 -0
package/lib/index.js +12 -2
package/lib/input-analysis/handlers.js +581 -578
package/lib/input-analysis/index.js +1 -1
package/lib/input-tracing/handlers/index.js +1 -1
package/lib/input-tracing/install/fs.js +1 -1
package/lib/make-source-context.js +7 -1
package/package.json +10 -10

package/lib/input-analysis/index.js CHANGED Viewed

@@ -21,7 +21,7 @@ module.exports = function(core) {
   const inputAnalysis = core.protect.inputAnalysis = {};
   // inputAnalysis handlers
-  require('./handlers')(core);
+  core.initComponentSync(require('./handlers'));
   // http(s) modules instrumentation
   require('./install/http')(core);

package/lib/input-tracing/handlers/index.js CHANGED Viewed

@@ -328,7 +328,7 @@ module.exports = function(core) {
  * @returns {AnalysisResult[]}
  */
 function getResultsByRuleId(ruleId, context) {
-  if (context.policy[ruleId] === OFF) {
+  if (!context.policy || context.policy[ruleId] === OFF) {
     return;
   }
   // because agent-lib stores all nosql-injection results under nosql-injection-mongo

package/lib/input-tracing/install/fs.js CHANGED Viewed

@@ -36,7 +36,7 @@ module.exports = function init(core) {
     // obtain the Protect sourceContext
     const sourceContext = core.protect.getSourceContext();
-    if (!sourceContext) return;
+    if (!sourceContext || sourceContext.allowed) return;
     // build list of values on which to perform INPUT TRACING
     const values = getValues(indices, args);

package/lib/make-source-context.js CHANGED Viewed

@@ -22,7 +22,13 @@ module.exports = function(core) {
     protect: { getPolicy }
   } = core;
+  const disabledPolicy = { allowed: true };
   function makeSourceContext(req, res) {
+    if (!core.config.getEffectiveValue('protect.enable')) {
+      return disabledPolicy;
+    }
     // make the abstract request. it is an abstraction of a request that
     // contains only the pieces of the request required by handlers. this
     // is done to make an explicit contract for data that is required by
@@ -47,7 +53,7 @@ module.exports = function(core) {
     // URL exclusions can disable all rules
     if (!policy || policy.rulesMask === 0) {
-      return { allowed: true };
+      return disabledPolicy;
     }
     // lowercase header keys and capture content-type

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.57.0",
+  "version": "1.59.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -22,15 +22,15 @@
   "dependencies": {
     "@contrast/agent-lib": "^9.1.0",
     "@contrast/common": "1.32.0",
-    "@contrast/config": "1.43.0",
-    "@contrast/core": "1.48.0",
-    "@contrast/dep-hooks": "1.17.0",
-    "@contrast/esm-hooks": "2.22.0",
-    "@contrast/instrumentation": "1.27.0",
-    "@contrast/logger": "1.21.0",
-    "@contrast/patcher": "1.20.0",
-    "@contrast/rewriter": "1.24.0",
-    "@contrast/scopes": "1.18.0",
+    "@contrast/config": "1.45.0",
+    "@contrast/core": "1.50.0",
+    "@contrast/dep-hooks": "1.19.0",
+    "@contrast/esm-hooks": "2.24.0",
+    "@contrast/instrumentation": "1.29.0",
+    "@contrast/logger": "1.23.0",
+    "@contrast/patcher": "1.22.0",
+    "@contrast/rewriter": "1.26.0",
+    "@contrast/scopes": "1.20.0",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",