@contrast/protect 1.73.0 → 1.74.1

package/lib/error-handlers/install/fastify.js

@@ -74,7 +74,7 @@ module.exports = function (core) {
    * Instruments fastify in order to add our custom error handler.
    */
   fastifyErrorHandler.install = function () {
-    depHooks.resolve({ name: 'fastify', version: '>=3 <6' }, (fastify) => patcher.patch(fastify, {
+    depHooks.resolve({ name: 'fastify', version: '>=4 <6' }, (fastify) => patcher.patch(fastify, {
       name: 'fastify',
       patchType,
       post(data) {

package/lib/index.d.ts

@@ -116,7 +116,7 @@ export interface Protect {
   errorHandlers: {
     commonHandler: (err: Error) => void;
     initDomain: () => Domain;
-    fastify3ErrorHandler: {
+    fastifyErrorHandler: {
       _userHandler: null | ((...args: any[]) => any),
       defaultErrorHandler: (error: Error, request: IncomingMessage, reply: ServerResponse) => void,
       handler: (err: Error, request: IncomingMessage, reply: ServerResponse) => void,

package/lib/input-analysis/handlers.js

@@ -20,6 +20,7 @@ const {
   BLOCKING_MODES,
   Rule,
   ProtectRuleMode: { OFF, MONITOR },
+  identity,
   isString,
   traverseKeysAndValues,
   traverseValues,
@@ -676,41 +677,48 @@ module.exports = Core.makeComponent({
       const findingsForScoreAtom = {};
       const valueToResultByRuleId = {};
 
-      Object.values(resultsMap).forEach(resultsByRuleId => {
-        resultsByRuleId.forEach(resultByRuleId => {
-          const {
-            ruleId,
-            exploited,
-            score,
-            value,
-            key,
-            inputType
-          } = resultByRuleId;
+      const flattened = Object.values(resultsMap).flatMap(identity);
+      for (const result of flattened) {
+        const {
+          ruleId,
+          exploited,
+          score,
+          value,
+          key,
+          inputType
+        } = result;
+        if (
+          sourceContext.policy.getRuleMode(ruleId) !== MONITOR ||
+          exploited === true ||
+          score >= 90 ||
+          !probesRules.some((rule) => rule === ruleId) ||
+          inputType == InputType.UNKNOWN ||
+          flattened.some((maybeReported) => (
+            // remove chances of duplicate analysis for "similar" findings that
+            // would have already been reported for being blocked or exploited
+            maybeReported.value == result.value &&
+            maybeReported.inputType == result.inputType &&
+            maybeReported.key == result.key &&
+            (maybeReported.exploited || maybeReported.blocked)
+          ))
+        ) {
+          continue;
+        }
 
-          if (
-            sourceContext.policy.getRuleMode(ruleId) !== MONITOR ||
-            exploited === true || // todo: remove
-            score >= 90 ||
-            !probesRules.some((rule) => rule === ruleId) ||
-            inputType == InputType.UNKNOWN
-          ) {
-            return;
+        const dataType = findingsForScoreRequest[inputType];
+        if (!dataType) {
+          if (!findingsForScoreAtom[value]) {
+            findingsForScoreAtom[value] = {};
           }
 
-          const dataType = findingsForScoreRequest[inputType];
-          if (!dataType) {
-            if (!findingsForScoreAtom[value]) {
-              findingsForScoreAtom[value] = {};
-            }
+          findingsForScoreAtom[value][inputType] = result;
+          continue;
+        }
 
-            findingsForScoreAtom[value][inputType] = resultByRuleId;
-            return;
-          }
+        dataType[key] = value;
+        valueToResultByRuleId[value] = result;
+      }
 
-          dataType[key] = value;
-          valueToResultByRuleId[value] = resultByRuleId;
-        });
-      });
       const { ParameterValue, HeaderValue, CookieValue } = findingsForScoreRequest;
       const results =
         agentLib.scoreRequestConnect(

package/lib/input-analysis/install/fastify.js

@@ -36,7 +36,7 @@ module.exports = (core) => {
    * registers a depHook for fastify module instrumentation
    */
   function install() {
-    depHooks.resolve({ name: 'fastify', version: '>=3 <6' }, (fastify) => patcher.patch(fastify, {
+    depHooks.resolve({ name: 'fastify', version: '>=4 <6' }, (fastify) => patcher.patch(fastify, {
       name: 'fastify.build',
       patchType,
       post({ result: server, funcKey }) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/protect",
-  "version": "1.73.0",
+  "version": "1.74.1",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -21,17 +21,17 @@
   },
   "dependencies": {
     "@contrast/agent-lib": "^9.1.0",
-    "@contrast/common": "1.40.0",
-    "@contrast/config": "1.56.0",
-    "@contrast/core": "1.61.0",
-    "@contrast/dep-hooks": "1.30.0",
-    "@contrast/esm-hooks": "2.36.0",
-    "@contrast/instrumentation": "1.40.0",
-    "@contrast/logger": "1.34.0",
-    "@contrast/patcher": "1.33.0",
-    "@contrast/rewriter": "1.38.0",
-    "@contrast/scopes": "1.31.0",
-    "@contrast/stack-trace-factory": "1.1.0",
+    "@contrast/common": "1.41.1",
+    "@contrast/config": "1.57.1",
+    "@contrast/core": "1.62.1",
+    "@contrast/dep-hooks": "1.31.1",
+    "@contrast/esm-hooks": "2.37.1",
+    "@contrast/instrumentation": "1.41.1",
+    "@contrast/logger": "1.35.1",
+    "@contrast/patcher": "1.34.1",
+    "@contrast/rewriter": "1.39.1",
+    "@contrast/scopes": "1.32.1",
+    "@contrast/stack-trace-factory": "1.2.1",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",