@contrast/assess - npm Package Compare versions

Comparing version 1.16.1 to 1.17.0

lib/dataflow/propagation/index.js

@@ -33,3 +33,3 @@ /*
   require('./install/decode-uri-component')(core);
-  require('./install/encode-uri-component')(core);
+  require('./install/encode-uri')(core);
   require('./install/escape-html')(core);
@@ -39,2 +39,3 @@ require('./install/escape')(core);
   require('./install/isnumeric-0')(core);
+  require('./install/mustache-escape')(core);
   require('./install/mysql-connection-escape')(core);
@@ -41,0 +42,0 @@ require('./install/parse-int')(core);

lib/dataflow/propagation/install/escape-html.js

@@ -22,3 +22,3 @@ /*
 const {
-  createFullLengthCopyTags
+  createEscapeTagRanges
 } = require('../../tag-utils');
@@ -56,3 +56,3 @@ const { patchType } = require('../common');
             const history = [{ ...argInfo }];
-            const newTags = createFullLengthCopyTags(argInfo.tags, result.length);
+            const newTags = createEscapeTagRanges(args[0], result, argInfo.tags);
 
@@ -59,0 +59,0 @@ newTags[HTML_ENCODED] = [0, result.length - 1];

lib/dataflow/propagation/install/path/index.js

@@ -29,7 +29,11 @@ /*
   require('./dirname')(core);
+  require('./extname')(core);
+  require('./format')(core);
   require('./join-and-resolve')(core);
   require('./normalize')(core);
+  require('./parse')(core);
   require('./relative')(core);
+  require('./toNamespacedPath')(core);
 
   return pathInstrumentation;
 };

lib/dataflow/propagation/install/querystring/index.js

@@ -27,5 +27,7 @@ /*
 
+  require('./escape')(core);
   require('./parse')(core);
+  require('./stringify')(core);
 
   return querystringInstrumentation;
 };

lib/dataflow/propagation/install/string/concat.js

@@ -46,3 +46,2 @@ /*
           const rInfo = tracker.getData(result);
-
           if (rInfo) {
@@ -81,3 +80,3 @@ // this may happen w/ trackedStr.concat('') => trackedStr
               methodName: 'prototype.concat',
-              context: `${inspect(objInfo?.value) || String(obj)}.concat(${join(argsData.map(d => d.value), ', ')})`,
+              context: `${inspect(objInfo?.value) || String(obj)}.concat(${inspect(join(argsData.map(d => d.value)), ', ')})`,
               object: {
@@ -103,3 +102,2 @@ value: objInfo?.value || String(obj),
             if (!event) return;
-
             const { extern } = tracker.track(result, event);
@@ -106,0 +104,0 @@

lib/dataflow/propagation/install/string/trim.js

@@ -54,11 +54,6 @@ /*
       const start = presetStart || obj.indexOf(result);
-      const newTags = {};
       const objTags = objInfo.tags || {};
-      Object.assign(newTags, createSubsetTags(objTags, start, result.length));
+      const newTags = createSubsetTags(objTags, start, result.length);
 
-      if (!newTags.untrusted) {
-        return;
-      }
-
-      const event = createPropagationEvent({
+      const event = newTags && createPropagationEvent({
         name: `String.prototype.${methodName}`,
@@ -65,0 +60,0 @@ moduleName: 'String',

lib/dataflow/tag-utils.js

@@ -27,2 +27,8 @@ /*
 function atomicAppend(firstTagRanges, secondTagRanges, offset) {
+  if (!firstTagRanges.length) {
+    const ret = secondTagRanges.map((v) => v + offset);
+    return ret;
+  }
+
+
   const newTagRanges = [...firstTagRanges];
@@ -275,2 +281,36 @@
 
+function createEscapeTagRanges(input, result, tags) {
+  const inputArr = input.split('');
+  const escapedArr = result.split('');
+  const overlap = inputArr.filter((x) => {
+    if (escapedArr.includes(x)) {
+      return x;
+    }
+  });
+  if (overlap.length === 0) {
+    return [];
+  }
+  const newTagRanges = [];
+  let firstIndex = escapedArr.indexOf(overlap[0]);
+  let currIndex = firstIndex;
+  let nextIndex;
+  for (let i = 1; i < overlap.length; i++) {
+    nextIndex = escapedArr.indexOf(overlap[i], currIndex + 1);
+    if (nextIndex !== currIndex + 1) {
+      newTagRanges.push(firstIndex, currIndex);
+      firstIndex = nextIndex;
+    }
+    if (i === overlap.length - 1) {
+      newTagRanges.push(firstIndex, nextIndex);
+    }
+    currIndex = nextIndex;
+  }
+
+  const ret = Object.create(null);
+  for (const tagName of Object.keys(tags)) {
+    ret[tagName] = newTagRanges;
+  }
+  return ret;
+}
+
 module.exports = {
@@ -283,3 +323,4 @@ createSubsetTags,
   createAdjustedQueryTags,
-  createOverlappingTags
+  createOverlappingTags,
+  createEscapeTagRanges
 };

package.json

 {
   "name": "@contrast/assess",
-  "version": "1.16.1",
+  "version": "1.17.0",
   "description": "Contrast service providing framework-agnostic Assess support",
@@ -5,0 +5,0 @@ "license": "SEE LICENSE IN LICENSE",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

511721

increased by5.76%

Number of package files

142

increased by5.19%

Lines of code

14657

increased by5.64%

No dependency changes