@contrast/agent-lib - npm Package Compare versions

Comparing version 7.0.1 to 8.0.0

113

index.d.ts

@@ -91,2 +91,7 @@ /// <reference types="node" />

type XssState = {
inputs: ArrayBuffer;
state: ArrayBuffer;
}
export type Agent = {

@@ -101,2 +106,3 @@ /**

scoreRequestConnect(rules: RuleBitMask, reqData: ScoreRequestData, options?: EvalOptions): ScoreRequestResult;
/**

@@ -110,2 +116,3 @@ * Evaluate the body of a request after making a guess as to the format.

scoreRequestBody(rules: RuleBitMask, body: JsString | Buffer, options?: EvalOptions): ScoreRequestResult;
/**

@@ -120,2 +127,3 @@ * Scores a single string value for any input type

scoreAtom(rules: RuleBitMask, value: JsString, inputType: InputType, options?: EvalOptions): ScoreAtomFinding[];
/**

@@ -130,2 +138,3 @@ * Scores a single string value for a header input type

scoreHeader(rules: RuleBitMask, key: JsString, value: JsString, options?: EvalOptions): ScoreAtomFinding[];
/**

@@ -139,2 +148,3 @@ * Check if a shell command string contains a possible command injection in a specified substring.

checkCommandInjectionSink(index: number, length: number, command: JsString): CheckInjectionResult;
/**

@@ -149,2 +159,3 @@ * Check if a SQL query string contains a possible SQL injection in a specified substring.

checkSqlInjectionSink(index: number, length: number, dbType: DbType, query: JsString): CheckInjectionResult;
/**

@@ -158,2 +169,3 @@ * Check if a MongoDB query string contains a possible NoSQL injection in a specified substring.

checkSsjsInjectionSink(command: JsString, index: number, length: number): boolean;
/**

@@ -164,2 +176,3 @@ * Finds MongoDB comparators in a string

findMongoComparators(text: JsString): { path: string[] }[];
/**

@@ -172,2 +185,3 @@ * Return true if the text argument is a valid mongo query operator

isMongoQueryType(text: JsString): boolean;
/**

@@ -180,2 +194,3 @@ * Determine if path is dangerous based on text semantics and whether or not it is in 'custom' code.

isDangerousPath(path: JsString, isCustomCode: boolean): boolean;
/**

@@ -187,4 +202,5 @@ * Determine if a path called by a shell command is trying to access a restricted or dangerous path.

containsDangerousPath(path: JsString): boolean;
/**
* Determine if a shell command is trying to chain commands together and if so,
* Determine if a shell command is trying to chain commands together and if so,
* return the index of the chain command in the string.

@@ -196,2 +212,3 @@ * returns -1 if chaining not found.

indexOfChaining(command: JsString): number;
/**

@@ -203,26 +220,63 @@ * Check if a given HTTP method may have been tampered with because it's not one of the known standard HTTP methods.

isMethodTampering(method: JsString): boolean;
/**
* __(RASPv3 only)__
* Content-aware XSS sink evaluation for RASP v3 agents. This rule does not have
* a Protect analogue, so it can be ignored for Protect agents.
* @param savedInputs - the saved list of inputs (both source history and propagation history)
* @param body - the request body given to the sink. Can be either the full request or a chunk
* @param evalState - an eval state object. Either a newly initalized one or the result of
* a previous evaluation. Do not pass on fisrt call or in cases when
* you are parsing the whole body and not chunks
* @returns - The result of the evaluation as well as partial evaluation state.
* __(RASPv3 only)__
* XSS sinks do not have a Protect analog, so this method should not be used by Protect agents.
*
* Determine if the any input is an XSS attack in the context of the body. This is a convenience
* method for use when the body is a single chunk, so the caller doesn't have to create state.
*
* @param {Buffer} body a buffer encoded as utf8 containing the full response body.
*
* @param {JsString[]} inputs both the source and propagation history
* @returns {boolean} true if any input is an XSS attack in the context of the body, else false.
*/
checkXssContextAwareSink(savedInputs: JsString[], body: JsString, evalState?: CheckXssEvalState): CheckXssResult;
isXssAttack(body: Buffer, inputs: JsString[]): boolean;
/**
* __(RASPv3 only)__
* Check for the presence of eggregious XSS in the soure value history.
* This should ONLY be called with the /source/ inputs, NOT with any values from the
* propagation history. Call this BEFORE evalXssSink.
* XSS sinks do not have a Protect analog, so this method should not be used by Protect agents.
*
* @param savedInputs - The list of saved source inputs. NOT propagation history
* @returns boolean indicating if there was an eggregious XSS attack present.
* Create the state object for isXssAttackStateful(). The object holds the state between calls to
* isXssAttackStateful(). Each call to isXssAttackStateful() checks a chunk of the response body.
* This function filters out inputs that do not contain at least one character that is required
* for an XSS attack. This is checked in isXssAttackStateful() but if the caller wishes to check
* and skip calling isXssAttackStateful(), then if XssState.inputs.byteLength <= 1, then all calls
* to isXssAttackStateful() will return false.
*
* @param {JsString[]} inputs both the source and propagation history
* @returns {XssState} the initial state to pass to isXssAttackStateful(body_chunk, state).
*/
checkXssObviousAttacks(savedInputs: JsString[]): boolean;
makeXssState(inputs: JsString[]): XssState;
/**
* __(RASPv3 only)__
* XSS sinks do not have a Protect analog, so this method should not be used by Protect agents.
*
* Determine if the any input is an XSS attack in the context of the body. Each response must
* have a separate state object, created by makeXssState(). The state will be updated each time
* isXssAttackStateful() is called with the next chunk of the response body.
*
* @param {Buffer} body a buffer encoded as utf8 containing a chunk of the response body.
* @param {XssState} state the state object created by makeXssState(). It will be updated each call.
* @returns {boolean} true if any input is an XSS attack in the context of the body, else false.
*/
isXssAttackStateful(body: Buffer, state: XssState): boolean;
/**
* __(RASPv3 only)__
* XSS sinks do not have a Protect analog, so this method should not be used by Protect agents.
*
* Check the inputs for egregious XSS.
*
* This should ONLY be called with the SOURCE inputs, NOT with any values from the
* propagation history. Call this BEFORE isXssAttack() or isXssAttackStateful().
*
* @param {JsString[]} inputs An array of the saved source inputs, NOT propagation history.
* @returns {boolean} true if an egregious XSS attack found, else false.
*/
isXssObviousAttack(inputs: JsString[]): boolean;
/**
* __(RASPv3 only)__
* Context-free SQLi sink evaluation for RASP v3 agents. This rule will check for tautologies

@@ -237,27 +291,2 @@ * in SQL statements and is roughly analogous to semantic SQL.

type CheckXssEvalState = {
remainingSavedSubstring: string;
remainingScriptSubstring: string;
remainingScriptTerminatorSubstring: string;
parserState: CheckXssParserState;
}
export const CheckXssParserStates: {
Scanning: 0,
ScriptContext: 1,
TagContext: 2
}
type CheckXssParserState = typeof CheckXssParserStates[keyof typeof CheckXssParserStates]
type CheckXssResult = { found: true } |
{
found: false,
remainingSavedSubstring: string,
remainingScriptSubstring: string,
remainingScriptTerminatorSubstring: string,
parserState: CheckXssParserState
}
type EvalOptions = {

@@ -264,0 +293,0 @@ preferWorthWatching: boolean;
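Review bot: In the `@@ -203,26 +220,63 @@` hunk, the new isXssAttackStateful() docstring says each call receives "a chunk of the response body" as a utf8 Buffer and updates the state, but it does not say whether an input, tag or multi-byte UTF-8 sequence that straddles two chunks is still detected, which is exactly the case a chunked response depends on (the enclosing `Agent` type starts outside the hunk). I would add one sentence to that docstring, e.g. `* Matches that span chunk boundaries are carried in the state, and a chunk may end mid-character. -- TODO confirm against the implementation`, or state the opposite so callers know they must split on character boundaries. The makeXssState() docstring also tells callers they may test `XssState.inputs.byteLength <= 1` to skip calls, which ties them to the internal layout of an opaque ArrayBuffer; if that shortcut is intended, declaring the fields as `readonly inputs: ArrayBuffer; readonly state: ArrayBuffer;` and exporting `XssState` (like `Agent`) so callers can name the type would make the contract explicit rather than incidental. As a point of style, the `{Buffer}` / `{JsString[]}` / `{boolean}` braces in the new TSDoc are redundant in a .d.ts and differ from the surrounding comments, which give the type only in the signature.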

@@ -0,0 +0,0 @@ 'use strict';

{
"name": "@contrast/agent-lib",
"version": "7.0.1",
"version": "8.0.0",
"description": "",

@@ -36,3 +36,3 @@ "keywords": [],

"@swc-node/register": "^1.3.5",
"@types/node": "^18.16.3",
"@types/node": "^18.16.19",
"chai": "^4.3.4",

@@ -39,0 +39,0 @@ "chalk": "^4.1.2",

