@contrast/assess
Comparing version 1.29.1 to 1.30.0
@@ -27,14 +27,26 @@ /* | ||
const SAFE_HASH_ALGORITHMS = new Set([ | ||
'RSA-SHA1-2', | ||
'RSA-SHA224', | ||
'RSA-SHA256', | ||
'RSA-SHA384', | ||
'RSA-SHA512', | ||
// SHA224 | ||
'rsa-sha224', | ||
'sha-224', | ||
'sha2-224', | ||
'sha224', | ||
'sha224WithRSAEncryption', | ||
'sha224withrsaencryption', | ||
// SHA256 | ||
'rsa-sha256', | ||
'sha-256', | ||
'sha2-256', | ||
'sha256', | ||
'sha256WithRSAEncryption', | ||
'sha256withrsaencryption', | ||
// SHA384 | ||
'rsa-sha384', | ||
'sha-384', | ||
'sha2-384', | ||
'sha384', | ||
'sha384WithRSAEncryption', | ||
'sha512' | ||
'sha384withrsaencryption', | ||
// SHA512 | ||
'rsa-sha512', | ||
'sha-512', | ||
'sha2-512', | ||
'sha512', | ||
'sha512withrsaencryption', | ||
]); | ||
@@ -57,3 +69,2 @@ const SAFE_HASH_LIBS = ['etag', 'browserify', 'deps-sort']; | ||
assess: { | ||
inspect, // todo: remove | ||
eventFactory, | ||
@@ -73,12 +84,10 @@ cryptoAnalysis, | ||
const [alg] = data.args; | ||
if (!isString(alg) || !getSourceContext(RULE, Rule.CRYPTO_BAD_MAC)) return; | ||
if ( | ||
!isString(alg) || | ||
!getSourceContext(RULE, Rule.CRYPTO_BAD_MAC) || | ||
SAFE_HASH_ALGORITHMS.has(alg) | ||
) return; | ||
const algLower = StringPrototypeToLowerCase.call(alg); | ||
if (SAFE_HASH_ALGORITHMS.has(algLower)) return; | ||
const event = eventFactory.createCryptoAnalysisEvent({ | ||
args: [{ tracked: false, value: alg }], | ||
context: `crypto.createHash(${inspect(alg)})`, | ||
context: `crypto.createHash(${algLower})`, | ||
methodName: 'createHash', | ||
@@ -136,3 +145,3 @@ moduleName: 'crypto', | ||
args: [{ tracked: false, value: alg }], | ||
context: `crypto.${method}(${inspect(alg)})`, | ||
context: `crypto.${method}(${algLower})`, | ||
methodName: method, | ||
@@ -139,0 +148,0 @@ moduleName: 'crypto', |
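Review bot: In the `@@ -73,12 +84,10 @@` hunk the lookup key is now lowercased (`const algLower = StringPrototypeToLowerCase.call(alg);` then `SAFE_HASH_ALGORITHMS.has(algLower)`), which leaves the mixed-case entries still in the set — 'RSA-SHA224' through 'RSA-SHA512' and the three 'shaNNNWithRSAEncryption' spellings — unreachable; they only duplicate the lowercase entries added beside them and will mislead the next person extending the list. 'RSA-SHA1-2' has no lowercase counterpart, so if the multi-line `SAFE_HASH_ALGORITHMS.has(alg)` condition is the removed side, `createHash('RSA-SHA1-2')` appears to go from allowed to reported with this change; either add `'rsa-sha1-2'` or drop the entry deliberately, and put a comment above the set such as `// Looked up with the lowercased algorithm name; keep every entry lowercase.` Separately, the event context changed from `inspect(alg)` to the bare `${algLower}` (also in the `@@ -136,3 +145,3 @@` hunk), so the reported context no longer carries the caller's literal spelling or quoting; if that is intended, a short comment on the `context:` line would stop someone restoring `inspect` later. The `createHash` handler's body continues outside the hunk.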
@@ -80,7 +80,9 @@ /* | ||
const preHook = (name, method) => (data) => { | ||
const preHook = (moduleName, responseName, method) => ({ args, obj: response, result, hooked, orig }) => { | ||
const methodName = `${responseName + (moduleName !== 'spdy' ? '.prototype' : '')}.${method}`; | ||
const name = `${moduleName}.${methodName}`; | ||
const sourceContext = getSourceContext(RULE, ruleId); | ||
if (!sourceContext) return; | ||
const payload = data.args[0]; | ||
const payload = args[0]; | ||
if (!payload) return; | ||
@@ -94,2 +96,3 @@ | ||
if (moduleName === 'spdy') response.spdyStream.once('finish', () => response.emit('finish')); | ||
if (isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) { | ||
@@ -104,10 +107,10 @@ const event = createSinkEvent({ | ||
name, | ||
moduleName: 'http', | ||
methodName: `ServerResponse.prototype.${method}`, | ||
moduleName, | ||
methodName, | ||
object: { | ||
tracked: false, | ||
value: 'http.ServerResponse' | ||
value: `${moduleName}.${responseName}` | ||
}, | ||
result: { | ||
value: data.result, | ||
value: result, | ||
tracked: false, | ||
@@ -117,4 +120,4 @@ }, | ||
stacktraceOpts: { | ||
constructorOpt: data.hooked, | ||
prependFrames: [data.orig] | ||
constructorOpt: hooked, | ||
prependFrames: [orig] | ||
}, | ||
@@ -146,20 +149,46 @@ tags: strInfo.tags, | ||
{ | ||
const name = 'http.ServerResponse.prototype.write'; | ||
const method = 'write'; | ||
patcher.patch(http.ServerResponse.prototype, method, { | ||
name, | ||
name: 'http.ServerResponse.prototype.write', | ||
patchType, | ||
pre: preHook(name, method), | ||
pre: preHook('http', 'ServerResponse', method), | ||
}); | ||
} | ||
{ | ||
const name = 'http.ServerResponse.prototype.end'; | ||
const method = 'end'; | ||
patcher.patch(http.ServerResponse.prototype, method, { | ||
name, | ||
name: 'http.ServerResponse.prototype.end', | ||
patchType, | ||
pre: preHook(name, method), | ||
pre: preHook('http', 'ServerResponse', method), | ||
}); | ||
} | ||
}); | ||
depHooks.resolve({ name: 'http2' }, (http2) => { | ||
{ | ||
const method = 'write'; | ||
patcher.patch(http2.Http2ServerResponse.prototype, method, { | ||
name: 'http2.Http2ServerResponse.prototype.write', | ||
patchType, | ||
pre: preHook('http2', 'Http2ServerResponse', method), | ||
}); | ||
} | ||
{ | ||
const method = 'end'; | ||
patcher.patch(http2.Http2ServerResponse.prototype, method, { | ||
name: 'http2.Http2ServerResponse.prototype.end', | ||
patchType, | ||
pre: preHook('http2', 'Http2ServerResponse', method), | ||
}); | ||
} | ||
}); | ||
depHooks.resolve({ name: 'spdy', file: 'lib/spdy/response.js' }, (response) => { | ||
{ | ||
const method = 'end'; | ||
patcher.patch(response, method, { | ||
name: 'spdy.response.end', | ||
patchType, | ||
pre: preHook('spdy', 'response', method), | ||
}); | ||
} | ||
}); | ||
}; | ||
@@ -166,0 +195,0 @@ |
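Review bot: The new line in the `@@ -94,2 +96,3 @@` hunk, `if (moduleName === 'spdy') response.spdyStream.once('finish', () => response.emit('finish'));`, makes the hook alter the instrumented response rather than only observe it, and it sits after the `if (!payload) return;` guard, so the 'finish' forwarding is only registered when `end` is called with a body and is registered again on each such call. It also dereferences `response.spdyStream` unchecked, so a spdy response whose stream is missing or already detached would throw from inside the agent hook; I can't tell from the hunk whether spdy guarantees that field. I'd guard it and state the intent, e.g. `// presumably spdy responses do not emit 'finish' on their own; forward it from the underlying stream — TODO confirm` above `if (moduleName === 'spdy' && response.spdyStream) response.spdyStream.once('finish', () => response.emit('finish'));`, and consider registering it once per response (ahead of the payload guard, or in the `depHooks.resolve` callback for spdy) instead of on every `end`. preHook's body begins in the first hunk and continues past the later ones, and the `ruleId` passed to `getSourceContext` is defined outside the visible lines.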
{ | ||
"name": "@contrast/assess", | ||
"version": "1.29.1", | ||
"version": "1.30.0", | ||
"description": "Contrast service providing framework-agnostic Assess support", | ||
@@ -20,3 +20,3 @@ "license": "SEE LICENSE IN LICENSE", | ||
"dependencies": { | ||
"@contrast/common": "1.21.2", | ||
"@contrast/common": "1.21.3", | ||
"@contrast/distringuish": "^5.0.0", | ||
@@ -23,0 +23,0 @@ "@contrast/scopes": "1.4.1" |
+ Added@contrast/common@1.21.3(transitive)
- Removed@contrast/common@1.21.2(transitive)
Updated@contrast/common@1.21.3