@contrast/protect 1.60.0 → 1.62.0

package/lib/input-analysis/install/fastify.js

@@ -41,6 +41,9 @@ module.exports = (core) => {
       patchType,
       post({ result: server, funcKey }) {
         server.addHook('preValidation', function (request, reply, done) {
+          // todo(NODE-3793): support for @fastify/websocket
+          if (request.constructor.name == 'WebSocket') return;
+
           let securityException;
           const sourceContext = protect.getSourceContext();
 

package/lib/semantic-analysis/handlers.js

@@ -43,21 +43,28 @@ const getRuleResults = function(obj, prop) {
 // See files in protect/lib/input-tracing/install/.
 
 module.exports = function(core) {
-  const { protect: { agentLib, semanticAnalysis, throwSecurityException }, captureStacktrace } = core;
+  const {
+    protect: {
+      agentLib,
+      semanticAnalysis,
+      throwSecurityException
+    },
+    captureStacktrace,
+  } = core;
 
   function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
     const { value, stacktraceOpts } = sinkContext;
     captureStacktrace(sinkContext, stacktraceOpts);
+
+    // shoehorn findings into agent-lib result data model
     const result = {
       blocked: false,
       ruleId,
       value,
       mappedId: ruleId,
-      exploitMetadata: [{ command: value }],
-      sinkContext,
+      exploitMetadata: [{ sinkContext, command: value }],
       ...finding
     };
-
     getRuleResults(sourceContext.resultsMap, ruleId).push(result);
 
     if (BLOCKING_MODES.includes(mode)) {
@@ -111,7 +118,7 @@ module.exports = function(core) {
 
     if (agentLib.isDangerousPath(sinkContext.value, true)) {
       handleResult(sourceContext, sinkContext, Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS, mode, {
-        exploitMetadata: [{ path: sinkContext.value }]
+        exploitMetadata: [{ sinkContext, path: sinkContext.value }]
       });
     }
   };
@@ -123,7 +130,7 @@ module.exports = function(core) {
     const findings = findExternalEntities(sinkContext.value);
     if (findings.entities.length) {
       handleResult(sourceContext, sinkContext, Rule.XXE, mode, {
-        exploitMetadata: [findings],
+        exploitMetadata: [{ sinkContext, ...findings }],
       });
     }
   };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.60.0",
+  "version": "1.62.0",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -22,15 +22,15 @@
   "dependencies": {
     "@contrast/agent-lib": "^9.1.0",
     "@contrast/common": "1.32.0",
-    "@contrast/config": "1.45.0",
-    "@contrast/core": "1.50.0",
-    "@contrast/dep-hooks": "1.19.0",
-    "@contrast/esm-hooks": "2.24.0",
-    "@contrast/instrumentation": "1.29.0",
-    "@contrast/logger": "1.23.0",
-    "@contrast/patcher": "1.22.0",
-    "@contrast/rewriter": "1.26.0",
-    "@contrast/scopes": "1.20.0",
+    "@contrast/config": "1.47.0",
+    "@contrast/core": "1.52.0",
+    "@contrast/dep-hooks": "1.21.0",
+    "@contrast/esm-hooks": "2.26.0",
+    "@contrast/instrumentation": "1.31.0",
+    "@contrast/logger": "1.25.0",
+    "@contrast/patcher": "1.24.0",
+    "@contrast/rewriter": "1.28.0",
+    "@contrast/scopes": "1.22.0",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",