@contrast/assess
Comparing version 1.33.1 to 1.34.0
@@ -23,2 +23,3 @@ /* | ||
} = require('@contrast/common'); | ||
const semver = require('semver'); | ||
const { InstrumentationType: { RULE } } = require('../../constants'); | ||
@@ -128,3 +129,6 @@ const { PATCH_TYPE: patchType } = require('../common'); | ||
for (const method of ['createCipher', 'createCipheriv']) { | ||
// See NODE-3533 'createCipher' not included in Node 22+ | ||
const methods = ['createCipheriv']; | ||
if (semver.lt(process.version, '22.0.0')) methods.push('createCipher'); | ||
for (const method of methods) { | ||
patcher.patch(_export, method, { | ||
@@ -131,0 +135,0 @@ name: `crypto.${method}`, |
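Review bot: The gate `if (semver.lt(process.version, '22.0.0')) methods.push('createCipher');` decides what to patch from a version string rather than from what the module actually exports; a feature check, `if (typeof _export.createCipher === 'function') methods.push('createCipher');`, covers the same case without the new runtime `semver` dependency and keeps working on any build where `createCipher` is absent or present independently of the major version. Patching only functions that exist on `_export` is also the safer default if `_export` can ever be a partial or wrapped object. The loop's enclosing function starts and ends outside the hunk. The same version gate is repeated in the test file's `methods` setup below; if both are kept, deriving them from one helper would stop them drifting apart.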
'use strict'; | ||
const sinon = require('sinon'); | ||
const semver = require('semver'); | ||
const { expect } = require('chai'); | ||
const sinon = require('sinon'); | ||
const { Rule } = require('@contrast/common'); | ||
@@ -96,6 +97,5 @@ const { ConfigSource } = require('@contrast/config'); | ||
[ | ||
'createCipher', | ||
'createCipheriv' | ||
].forEach((method) => { | ||
const methods = ['createCipheriv']; | ||
if (semver.lt(process.version, '22.0.0')) methods.push('createCipher'); | ||
methods.forEach((method) => { | ||
describe(`crypto.${method}()`, function() { | ||
@@ -102,0 +102,0 @@ [ |
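Review bot: The suite only iterates methods that are expected to exist (`methods.forEach((method) => {`), so on Node 22+ nothing asserts that `crypto.createCipher` is left alone and that no `crypto.createCipher` rule is registered; a negative case guarded by `if (semver.gte(process.version, '22.0.0'))` that asserts `require('crypto').createCipher` is `undefined` and that no patch was attempted for it would pin the new behaviour. The describe block's body continues outside the hunk.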
@@ -81,5 +81,7 @@ /* | ||
const bufferFrom = 'global.Buffer.from'; | ||
patcher.patch(global.Buffer, 'from', { | ||
patchType, | ||
name, | ||
name: bufferFrom, | ||
post(data) { | ||
@@ -116,3 +118,3 @@ const firstArg = data.args[0]; | ||
history: [trkInfo], | ||
name, | ||
name: bufferFrom, | ||
result: { | ||
@@ -119,0 +121,0 @@ tracked: true, |
@@ -77,2 +77,5 @@ 'use strict'; | ||
tags: { UNTRUSTED: [0, 7] }, | ||
name: 'global.Buffer.from', | ||
moduleName: 'Buffer', | ||
methodName: 'from', | ||
}; | ||
@@ -79,0 +82,0 @@ |
@@ -52,3 +52,3 @@ /* | ||
methodName: 'prototype.matchAll', | ||
context: `'${objInfo.value}'.matcAll(${arg})`, | ||
context: `'${objInfo.value}'.matchAll(${arg})`, | ||
history: [objInfo], | ||
@@ -55,0 +55,0 @@ object: { |
@@ -200,10 +200,3 @@ /* | ||
if (vulnerabilityMetadata.insecure) { | ||
// We do this because TS API will expect these keys (although it is a typo) | ||
// When they fix the API we can remove this | ||
vulnerabilityMetadata.refererSecure = vulnerabilityMetadata.referrerSecure; | ||
vulnerabilityMetadata.refererValue = vulnerabilityMetadata.referrerValue; | ||
delete vulnerabilityMetadata.insecure; | ||
delete vulnerabilityMetadata.referrerSecure; | ||
delete vulnerabilityMetadata.referrerValue; | ||
@@ -210,0 +203,0 @@ reportFindings(sourceContext, { |
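Review bot: Removing the `if (vulnerabilityMetadata.insecure)` block leaves no visible place that strips the `insecure` key before `reportFindings(sourceContext, {` is called; if any caller still sets it (the test fixtures previously expected `insecure: true` on the referrer and reflected-xss findings, which are themselves removed in this release), that key now reaches the reporting API unchanged, so it is worth confirming nothing else produces it. A one-line comment where the block used to be, e.g. `// referrer and reflected-xss are no longer evaluated, so the referer* key renaming is gone`, would tell the next reader the rename was dropped on purpose. The enclosing function starts and ends outside the hunk.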
@@ -254,4 +254,2 @@ 'use strict'; | ||
defaultSrcValue: '"self"', | ||
baseUriSecure: false, | ||
baseUriValue: '', | ||
childSrcSecure: true, | ||
@@ -271,2 +269,4 @@ childSrcValue: '', | ||
styleSrcValue: '', | ||
baseUriSecure: false, | ||
baseUriValue: '', | ||
formActionSecure: true, | ||
@@ -276,8 +276,2 @@ formActionValue: '"foobar"', | ||
frameAncestorsValue: '"foobar"', | ||
pluginTypesSecure: true, | ||
pluginTypesValue: '"foobar"', | ||
reflectedXssSecure: true, | ||
reflectedXssValue: '', | ||
refererSecure: true, | ||
refererValue: '' | ||
}) | ||
@@ -284,0 +278,0 @@ } |
@@ -264,26 +264,4 @@ /* | ||
/** | ||
* Evaluator for reflected-xss directive. Checks if the value is not | ||
* equal to 1 | ||
* Note: If empty it is secure | ||
* @param {Array} sources sources for a given csp directive | ||
* @return {Boolean} whether a directive is secure | ||
*/ | ||
function xssCheck(sources) { | ||
return sources.every((source) => parseInt(source) === 1); | ||
} | ||
/** | ||
* Evaluator for referrer directive. Checks if value is not * | ||
* or contains unsafe-url | ||
* @param {Array} sources sources for a given csp directive | ||
* @return {Boolean} whether a directive is secure | ||
*/ | ||
function referrerCheck(sources) { | ||
return sources.every((source) => !/unsafe-url|\*/.test(source)); | ||
} | ||
const KNOWN_DIRECTIVES = [ | ||
{ name: 'default-src', camelCasedName: 'defaultSrc', evaluator: isSourceSecure }, | ||
{ name: 'base-uri', camelCasedName: 'baseUri', evaluator: isSourceSecure }, | ||
{ name: 'child-src', camelCasedName: 'childSrc' }, | ||
@@ -296,7 +274,5 @@ { name: 'connect-src', camelCasedName: 'connectSrc' }, | ||
{ name: 'style-src', camelCasedName: 'styleSrc' }, | ||
{ name: 'base-uri', camelCasedName: 'baseUri', evaluator: isSourceSecure }, | ||
{ name: 'form-action', camelCasedName: 'formAction', evaluator: isSourceSecure }, | ||
{ name: 'frame-ancestors', camelCasedName: 'frameAncestors', evaluator: isSourceSecure }, | ||
{ name: 'plugin-types', camelCasedName: 'pluginTypes', evaluator: isSourceSecure }, | ||
{ name: 'reflected-xss', camelCasedName: 'reflectedXss', evaluator: xssCheck }, | ||
{ name: 'referrer', evaluator: referrerCheck } | ||
]; | ||
@@ -303,0 +279,0 @@ |
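Review bot: The new `KNOWN_DIRECTIVES` table drops `plugin-types`, `reflected-xss` and `referrer` without a comment saying why, and since this table is what decides which CSP directives are ever evaluated, a reader cannot tell a deliberate removal from an accidental one; presumably they were dropped because they are obsolete in current CSP, which a one-line comment above the array, `// plugin-types, reflected-xss and referrer are obsolete CSP directives and are intentionally not evaluated`, would make explicit. The `base-uri` entry now sits after `style-src`; if the order of per-directive keys in the emitted metadata matters to consumers (the test fixtures were reordered to match), that dependency deserves a note as well. The array continues outside the hunk.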
@@ -301,8 +301,2 @@ 'use strict'; | ||
objectSrcValue: '', | ||
pluginTypesSecure: false, | ||
pluginTypesValue: '', | ||
referrerSecure: true, | ||
referrerValue: '', | ||
reflectedXssSecure: true, | ||
reflectedXssValue: '', | ||
scriptSrcSecure: false, | ||
@@ -370,5 +364,2 @@ scriptSrcValue: '', | ||
...defaultValues, | ||
reflectedXssValue: '1', | ||
referrerSecure: false, | ||
referrerValue: '*', | ||
insecure: true | ||
@@ -381,4 +372,2 @@ } | ||
...defaultValues, | ||
referrerSecure: false, | ||
referrerValue: 'unsafe-url', | ||
insecure: true | ||
@@ -385,0 +374,0 @@ } |
{ | ||
"name": "@contrast/assess", | ||
"version": "1.33.1", | ||
"version": "1.34.0", | ||
"description": "Contrast service providing framework-agnostic Assess support", | ||
@@ -20,13 +20,14 @@ "license": "SEE LICENSE IN LICENSE", | ||
"dependencies": { | ||
"@contrast/common": "1.24.0", | ||
"@contrast/config": "1.31.0", | ||
"@contrast/core": "1.35.1", | ||
"@contrast/dep-hooks": "1.3.4", | ||
"@contrast/distringuish": "^5.0.0", | ||
"@contrast/instrumentation": "1.13.1", | ||
"@contrast/logger": "1.8.5", | ||
"@contrast/patcher": "1.7.5", | ||
"@contrast/rewriter": "1.11.1", | ||
"@contrast/scopes": "1.4.2" | ||
"@contrast/common": "1.25.0", | ||
"@contrast/config": "1.32.0", | ||
"@contrast/core": "1.36.0", | ||
"@contrast/dep-hooks": "1.4.0", | ||
"@contrast/distringuish": "^5.1.0", | ||
"@contrast/instrumentation": "1.14.0", | ||
"@contrast/logger": "1.9.0", | ||
"@contrast/patcher": "1.8.0", | ||
"@contrast/rewriter": "1.12.0", | ||
"@contrast/scopes": "1.5.0", | ||
"semver": "^7.6.0" | ||
} | ||
} |
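Review bot: `"semver": "^7.6.0"` is the only newly added dependency and, together with `"@contrast/distringuish": "^5.1.0"`, uses a caret range while every other entry is pinned to an exact version; for a package that is loaded into customer processes, an exact pin such as `"semver": "7.6.0"` keeps installs reproducible and makes the dependency diffstat the sole source of version change. If a lockfile is what guarantees reproducibility here, the mixed style is harmless, but it should then be a documented convention rather than an accident.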
+ Addedsemver@^7.6.0
+ Added@contrast/common@1.25.0(transitive)
+ Added@contrast/config@1.32.0(transitive)
+ Added@contrast/core@1.36.0(transitive)
+ Added@contrast/dep-hooks@1.4.0(transitive)
+ Added@contrast/instrumentation@1.14.0(transitive)
+ Added@contrast/logger@1.9.0(transitive)
+ Added@contrast/patcher@1.8.0(transitive)
+ Added@contrast/rewriter@1.12.0(transitive)
+ Added@contrast/scopes@1.5.0(transitive)
- Removed@contrast/common@1.24.0(transitive)
- Removed@contrast/config@1.31.0(transitive)
- Removed@contrast/core@1.35.1(transitive)
- Removed@contrast/dep-hooks@1.3.4(transitive)
- Removed@contrast/instrumentation@1.13.1(transitive)
- Removed@contrast/logger@1.8.5(transitive)
- Removed@contrast/patcher@1.7.5(transitive)
- Removed@contrast/rewriter@1.11.1(transitive)
- Removed@contrast/scopes@1.4.2(transitive)
Updated@contrast/common@1.25.0
Updated@contrast/config@1.32.0
Updated@contrast/core@1.36.0
Updated@contrast/dep-hooks@1.4.0
Updated@contrast/logger@1.9.0
Updated@contrast/patcher@1.8.0
Updated@contrast/rewriter@1.12.0
Updated@contrast/scopes@1.5.0