@contrast/protect 1.75.5 → 1.77.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/lib/input-analysis/index.js +2 -1
  2. package/lib/input-analysis/install/@sap.js +72 -0
  3. package/lib/input-analysis/install/express.js +1 -1
  4. package/lib/input-analysis/install/{multer1.js → multer.js} +3 -3
  5. package/lib/input-tracing/install/sqlite3.js +38 -25
  6. package/package.json +2 -2
package/lib/input-analysis/index.js CHANGED
@@ -31,7 +31,7 @@ module.exports = function(core) {
31
31
  require('./install/cookie-parser1')(core);
32
32
  require('./install/formidable1')(core);
33
33
  require('./install/koa-bodyparsers')(core);
34
- require('./install/multer1')(core);
34
+ require('./install/multer')(core);
35
35
  require('./install/qs6')(core);
36
36
  require('./install/universal-cookie4')(core);
37
37
 
@@ -41,6 +41,7 @@ module.exports = function(core) {
41
41
  require('./install/express')(core);
42
42
  require('./install/hapi')(core);
43
43
  require('./install/restify')(core);
44
+ require('./install/@sap')(core);
44
45
 
45
46
  // virtual patches
46
47
  require('./virtual-patches')(core);
package/lib/input-analysis/install/@sap.js ADDED
@@ -0,0 +1,72 @@
1
+ /*
2
+ * Copyright: 2026 Contrast Security, Inc
3
+ * Contact: support@contrastsecurity.com
4
+ * License: Commercial
5
+
6
+ * NOTICE: This Software and the patented inventions embodied within may only be
7
+ * used as part of Contrast Security’s commercial offerings. Even though it is
8
+ * made available through public repositories, use of this Software is subject to
9
+ * the applicable End User Licensing Agreement found at
10
+ * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
11
+ * between Contrast Security and the End User. The Software may not be reverse
12
+ * engineered, modified, repackaged, sold, redistributed or otherwise used in a
13
+ * way not consistent with the End User License Agreement.
14
+ */
15
+
16
+ 'use strict';
17
+
18
+ const { traverseValues } = require('@contrast/common');
19
+ const { patchType } = require('../constants');
20
+
21
+ module.exports = function(core) {
22
+ const {
23
+ depHooks,
24
+ patcher,
25
+ protect,
26
+ protect: { inputAnalysis },
27
+ } = core;
28
+
29
+ function install() {
30
+ depHooks.resolve(
31
+ { name: '@sap/cds', version: '*', file: 'lib/srv/cds.Service.js' }, (Service) => {
32
+ patcher.patch(Service.prototype, 'dispatch', {
33
+ name: '@sap/cds.Service.prototype.dispatch',
34
+ patchType,
35
+ pre(data) {
36
+ const req = data.args[0];
37
+
38
+ const sourceContext = protect.getSourceContext();
39
+ if (!sourceContext || sourceContext.parsedCdsKeyParams) return;
40
+ sourceContext.parsedCdsKeyParams = true;
41
+
42
+ const params = req?.params?.length ? req.params : [];
43
+ const queries = Array.isArray(req?.query)
44
+ ? req.query
45
+ : req?.query ? [req.query] : [];
46
+
47
+ for (const cqn of queries) {
48
+ if (!cqn || typeof cqn !== 'object') continue;
49
+
50
+ traverseValues(cqn, (path, _type, value, parent) => {
51
+ const lastKey = path[path.length - 1];
52
+ if (!Array.isArray(parent) && (lastKey === 'val' || lastKey === 'ref')) {
53
+ params.push(value);
54
+ }
55
+ });
56
+ }
57
+
58
+ if (params.length) {
59
+ inputAnalysis.handleUrlParams(sourceContext, params);
60
+ }
61
+ }
62
+ });
63
+ }
64
+ );
65
+ }
66
+
67
+ const sapInstrumentation = inputAnalysis.sapInstrumentation = {
68
+ install
69
+ };
70
+
71
+ return sapInstrumentation;
72
+ };
package/lib/input-analysis/install/express.js CHANGED
@@ -39,7 +39,7 @@ module.exports = (core) => {
39
39
  // we can exit early if
40
40
  // the layer doesn't match the request or
41
41
  // the layer doesn't recognize any parameters
42
- if (!data.result || !layer.keys || layer.keys.length === 0 || layer.route?.path === '*') {
42
+ if (!data.result || !layer.keys || layer.keys.length === 0 || layer.route?.path === '*' || layer.route?.path === '{*splat}') {
43
43
  return;
44
44
  }
45
45
 
package/lib/input-analysis/install/{multer1.js → multer.js} RENAMED
@@ -30,7 +30,7 @@ module.exports = (core) => {
30
30
 
31
31
  // Patch `multer`
32
32
  function install() {
33
- depHooks.resolve({ name: 'multer', version: '<2', file: 'lib/make-middleware.js' }, (multerMakeMiddleware) => patcher.patch(multerMakeMiddleware, {
33
+ depHooks.resolve({ name: 'multer', version: '<3', file: 'lib/make-middleware.js' }, (multerMakeMiddleware) => patcher.patch(multerMakeMiddleware, {
34
34
  name: 'multer.make-middleware',
35
35
  patchType,
36
36
  post(data) {
@@ -104,9 +104,9 @@ module.exports = (core) => {
104
104
  }));
105
105
  }
106
106
 
107
- const multer1Instrumentation = inputAnalysis.multer1Instrumentation = {
107
+ const multerInstrumentation = inputAnalysis.multerInstrumentation = {
108
108
  install
109
109
  };
110
110
 
111
- return multer1Instrumentation;
111
+ return multerInstrumentation;
112
112
  };
package/lib/input-tracing/install/sqlite3.js CHANGED
@@ -28,32 +28,45 @@ module.exports = function(core) {
28
28
  } = core;
29
29
 
30
30
  function install() {
31
- depHooks.resolve({ name: 'sqlite3', version: '<6' }, sqlite3 => {
32
- ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
33
- const name = `sqlite3.Database.prototype.${method}`;
34
- patcher.patch(sqlite3.Database.prototype, method, {
35
- name,
36
- patchType,
37
- pre({ args, hooked, name, orig }) {
38
- if (instrumentation.isLocked()) return;
39
-
40
- const sourceContext = protect.getSourceContext();
41
- if (!sourceContext) return;
42
-
43
- const value = args[0];
44
- if (!value || !isString(value)) return;
45
-
46
- const sinkContext = {
47
- name,
48
- value,
49
- stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
50
- };
51
-
52
- inputTracing.handleSqlInjection(sourceContext, sinkContext);
53
- }
54
- });
31
+ [
32
+ {
33
+ moduleName: 'sqlite3',
34
+ version: '<6',
35
+ methods: ['all', 'run', 'get', 'each', 'exec', 'prepare']
36
+ },
37
+ {
38
+ moduleName: 'better-sqlite3',
39
+ version: '<13',
40
+ methods: ['exec', 'prepare']
41
+ }
42
+ ].forEach(({ moduleName, version, methods }) => {
43
+ depHooks.resolve({ name: moduleName, version }, module => {
44
+ methods.forEach((method) => {
45
+ const name = `${moduleName}.Database.prototype.${method}`;
46
+ patcher.patch(moduleName == 'sqlite3' ? module.Database.prototype : module.prototype, method, {
47
+ name,
48
+ patchType,
49
+ pre({ args, hooked, name, orig }) {
50
+ if (instrumentation.isLocked()) return;
51
+
52
+ const sourceContext = protect.getSourceContext();
53
+ if (!sourceContext) return;
54
+
55
+ const value = args[0];
56
+ if (!value || !isString(value)) return;
57
+
58
+ const sinkContext = {
59
+ name,
60
+ value,
61
+ stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
62
+ };
63
+
64
+ inputTracing.handleSqlInjection(sourceContext, sinkContext);
65
+ }
66
+ });
67
+ })
55
68
  });
56
- });
69
+ })
57
70
  }
58
71
 
59
72
  const sqlite3Instrumentation = inputTracing.sqlite3Instrumentation = { install };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@contrast/protect",
3
- "version": "1.75.5",
3
+ "version": "1.77.0",
4
4
  "description": "Contrast service providing framework-agnostic Protect support",
5
5
  "license": "SEE LICENSE IN LICENSE",
6
6
  "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -31,7 +31,7 @@
31
31
  "@contrast/patcher": "1.35.2",
32
32
  "@contrast/rewriter": "1.40.3",
33
33
  "@contrast/scopes": "1.33.2",
34
- "@contrast/stack-trace-factory": "1.3.3",
34
+ "@contrast/stack-trace-factory": "1.4.0",
35
35
  "async-hook-domain": "4.0.1",
36
36
  "ipaddr.js": "2.0.1",
37
37
  "on-finished": "2.4.1",