@contrast/assess
Advanced tools
@contrast/assess - npm Package Compare versions
Comparing version 1.29.1 to 1.30.0
@@ -27,14 +27,26 @@ /* | ||
| const SAFE_HASH_ALGORITHMS = new Set([ | ||
| 'RSA-SHA1-2', | ||
| 'RSA-SHA224', | ||
| 'RSA-SHA256', | ||
| 'RSA-SHA384', | ||
| 'RSA-SHA512', | ||
| // SHA224 | ||
| 'rsa-sha224', | ||
| 'sha-224', | ||
| 'sha2-224', | ||
| 'sha224', | ||
| 'sha224WithRSAEncryption', | ||
| 'sha224withrsaencryption', | ||
| // SHA256 | ||
| 'rsa-sha256', | ||
| 'sha-256', | ||
| 'sha2-256', | ||
| 'sha256', | ||
| 'sha256WithRSAEncryption', | ||
| 'sha256withrsaencryption', | ||
| // SHA384 | ||
| 'rsa-sha384', | ||
| 'sha-384', | ||
| 'sha2-384', | ||
| 'sha384', | ||
| 'sha384WithRSAEncryption', | ||
| 'sha512' | ||
| 'sha384withrsaencryption', | ||
| // SHA512 | ||
| 'rsa-sha512', | ||
| 'sha-512', | ||
| 'sha2-512', | ||
| 'sha512', | ||
| 'sha512withrsaencryption', | ||
| ]); | ||
@@ -57,3 +69,2 @@ const SAFE_HASH_LIBS = ['etag', 'browserify', 'deps-sort']; | ||
| assess: { | ||
| inspect, // todo: remove | ||
| eventFactory, | ||
@@ -73,12 +84,10 @@ cryptoAnalysis, | ||
| const [alg] = data.args; | ||
| if (!isString(alg) || !getSourceContext(RULE, Rule.CRYPTO_BAD_MAC)) return; | ||
| if ( | ||
| !isString(alg) || | ||
| !getSourceContext(RULE, Rule.CRYPTO_BAD_MAC) || | ||
| SAFE_HASH_ALGORITHMS.has(alg) | ||
| ) return; | ||
| const algLower = StringPrototypeToLowerCase.call(alg); | ||
| if (SAFE_HASH_ALGORITHMS.has(algLower)) return; | ||
| const event = eventFactory.createCryptoAnalysisEvent({ | ||
| args: [{ tracked: false, value: alg }], | ||
| context: `crypto.createHash(${inspect(alg)})`, | ||
| context: `crypto.createHash(${algLower})`, | ||
| methodName: 'createHash', | ||
@@ -136,3 +145,3 @@ moduleName: 'crypto', | ||
| args: [{ tracked: false, value: alg }], | ||
| context: `crypto.${method}(${inspect(alg)})`, | ||
| context: `crypto.${method}(${algLower})`, | ||
| methodName: method, | ||
@@ -139,0 +148,0 @@ moduleName: 'crypto', |
@@ -80,7 +80,9 @@ /* | ||
| const preHook = (name, method) => (data) => { | ||
| const preHook = (moduleName, responseName, method) => ({ args, obj: response, result, hooked, orig }) => { | ||
| const methodName = `${responseName + (moduleName !== 'spdy' ? '.prototype' : '')}.${method}`; | ||
| const name = `${moduleName}.${methodName}`; | ||
| const sourceContext = getSourceContext(RULE, ruleId); | ||
| if (!sourceContext) return; | ||
| const payload = data.args[0]; | ||
| const payload = args[0]; | ||
| if (!payload) return; | ||
@@ -94,2 +96,3 @@ | ||
| if (moduleName === 'spdy') response.spdyStream.once('finish', () => response.emit('finish')); | ||
| if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) { | ||
@@ -104,10 +107,10 @@ const event = createSinkEvent({ | ||
| name, | ||
| moduleName: 'http', | ||
| methodName: `ServerResponse.prototype.${method}`, | ||
| moduleName, | ||
| methodName, | ||
| object: { | ||
| tracked: false, | ||
| value: 'http.ServerResponse' | ||
| value: `${moduleName}.${responseName}` | ||
| }, | ||
| result: { | ||
| value: data.result, | ||
| value: result, | ||
| tracked: false, | ||
@@ -117,4 +120,4 @@ }, | ||
| stacktraceOpts: { | ||
| constructorOpt: data.hooked, | ||
| prependFrames: [data.orig] | ||
| constructorOpt: hooked, | ||
| prependFrames: [orig] | ||
| }, | ||
@@ -146,20 +149,46 @@ tags: strInfo.tags, | ||
| { | ||
| const name = 'http.ServerResponse.prototype.write'; | ||
| const method = 'write'; | ||
| patcher.patch(http.ServerResponse.prototype, method, { | ||
| name, | ||
| name: 'http.ServerResponse.prototype.write', | ||
| patchType, | ||
| pre: preHook(name, method), | ||
| pre: preHook('http', 'ServerResponse', method), | ||
| }); | ||
| } | ||
| { | ||
| const name = 'http.ServerResponse.prototype.end'; | ||
| const method = 'end'; | ||
| patcher.patch(http.ServerResponse.prototype, method, { | ||
| name, | ||
| name: 'http.ServerResponse.prototype.end', | ||
| patchType, | ||
| pre: preHook(name, method), | ||
| pre: preHook('http', 'ServerResponse', method), | ||
| }); | ||
| } | ||
| }); | ||
| depHooks.resolve({ name: 'http2' }, (http2) => { | ||
| { | ||
| const method = 'write'; | ||
| patcher.patch(http2.Http2ServerResponse.prototype, method, { | ||
| name: 'http2.Http2ServerResponse.prototype.write', | ||
| patchType, | ||
| pre: preHook('http2', 'Http2ServerResponse', method), | ||
| }); | ||
| } | ||
| { | ||
| const method = 'end'; | ||
| patcher.patch(http2.Http2ServerResponse.prototype, method, { | ||
| name: 'http2.Http2ServerResponse.prototype.end', | ||
| patchType, | ||
| pre: preHook('http2', 'Http2ServerResponse', method), | ||
| }); | ||
| } | ||
| }); | ||
| depHooks.resolve({ name: 'spdy', file: 'lib/spdy/response.js' }, (response) => { | ||
| { | ||
| const method = 'end'; | ||
| patcher.patch(response, method, { | ||
| name: 'spdy.response.end', | ||
| patchType, | ||
| pre: preHook('spdy', 'response', method), | ||
| }); | ||
| } | ||
| }); | ||
| }; | ||
@@ -166,0 +195,0 @@ |
| { | ||
| "name": "@contrast/assess", | ||
| "version": "1.29.1", | ||
| "version": "1.30.0", | ||
| "description": "Contrast service providing framework-agnostic Assess support", | ||
@@ -20,3 +20,3 @@ "license": "SEE LICENSE IN LICENSE", | ||
| "dependencies": { | ||
| "@contrast/common": "1.21.2", | ||
| "@contrast/common": "1.21.3", | ||
| "@contrast/distringuish": "^5.0.0", | ||
@@ -23,0 +23,0 @@ "@contrast/scopes": "1.4.1" |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.21%
624364
- Lines of code
- increased by0.22%
17684
Dependency changes
+ Added@contrast/common@1.21.3(transitive)
- Removed@contrast/common@1.21.2(transitive)
Updated@contrast/common@1.21.3