@contrast/assess - npm Package Compare versions

Comparing version 1.33.1 to 1.34.0

6

lib/crypto-analysis/install/crypto.js

@@ -23,2 +23,3 @@ /*

} = require('@contrast/common');
const semver = require('semver');
const { InstrumentationType: { RULE } } = require('../../constants');

@@ -128,3 +129,6 @@ const { PATCH_TYPE: patchType } = require('../common');

for (const method of ['createCipher', 'createCipheriv']) {
// See NODE-3533 'createCipher' not included in Node 22+
const methods = ['createCipheriv'];
if (semver.lt(process.version, '22.0.0')) methods.push('createCipher');
for (const method of methods) {
patcher.patch(_export, method, {

@@ -131,0 +135,0 @@ name: `crypto.${method}`,
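Review bot: The new `const methods` / `semver.lt(process.version, '22.0.0')` lines gate the patch list on a version number, while the comment above them states the actual condition — that `createCipher` is no longer exported — so the two can drift on any runtime whose version string does not track that export exactly. A feature check expresses the intent directly and needs no new `semver` dependency: `const methods = ['createCipher', 'createCipheriv'].filter((m) => typeof _export[m] === 'function');`. The same version gate is repeated verbatim in the crypto.test.js section below, so a shared helper or the same filter there would keep the two in step. The enclosing function starts and ends outside the hunk.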

10

lib/crypto-analysis/install/crypto.test.js
'use strict';
const sinon = require('sinon');
const semver = require('semver');
const { expect } = require('chai');
const sinon = require('sinon');
const { Rule } = require('@contrast/common');

@@ -96,6 +97,5 @@ const { ConfigSource } = require('@contrast/config');

[
'createCipher',
'createCipheriv'
].forEach((method) => {
const methods = ['createCipheriv'];
if (semver.lt(process.version, '22.0.0')) methods.push('createCipher');
methods.forEach((method) => {
describe(`crypto.${method}()`, function() {

@@ -102,0 +102,0 @@ [

@@ -81,5 +81,7 @@ /*

const bufferFrom = 'global.Buffer.from';
patcher.patch(global.Buffer, 'from', {
patchType,
name,
name: bufferFrom,
post(data) {

@@ -116,3 +118,3 @@ const firstArg = data.args[0];

history: [trkInfo],
name,
name: bufferFrom,
result: {

@@ -119,0 +121,0 @@ tracked: true,

@@ -77,2 +77,5 @@ 'use strict';

tags: { UNTRUSTED: [0, 7] },
name: 'global.Buffer.from',
moduleName: 'Buffer',
methodName: 'from',
};

@@ -79,0 +82,0 @@

@@ -52,3 +52,3 @@ /*

methodName: 'prototype.matchAll',
context: `'${objInfo.value}'.matcAll(${arg})`,
context: `'${objInfo.value}'.matchAll(${arg})`,
history: [objInfo],

@@ -55,0 +55,0 @@ object: {

@@ -200,10 +200,3 @@ /*

if (vulnerabilityMetadata.insecure) {
// We do this because TS API will expect these keys (although it is a typo)
// When they fix the API we can remove this
vulnerabilityMetadata.refererSecure = vulnerabilityMetadata.referrerSecure;
vulnerabilityMetadata.refererValue = vulnerabilityMetadata.referrerValue;
delete vulnerabilityMetadata.insecure;
delete vulnerabilityMetadata.referrerSecure;
delete vulnerabilityMetadata.referrerValue;

@@ -210,0 +203,0 @@ reportFindings(sourceContext, {

@@ -254,4 +254,2 @@ 'use strict';

defaultSrcValue: '"self"',
baseUriSecure: false,
baseUriValue: '',
childSrcSecure: true,

@@ -271,2 +269,4 @@ childSrcValue: '',

styleSrcValue: '',
baseUriSecure: false,
baseUriValue: '',
formActionSecure: true,

@@ -276,8 +276,2 @@ formActionValue: '"foobar"',

frameAncestorsValue: '"foobar"',
pluginTypesSecure: true,
pluginTypesValue: '"foobar"',
reflectedXssSecure: true,
reflectedXssValue: '',
refererSecure: true,
refererValue: ''
})

@@ -284,0 +278,0 @@ }

@@ -264,26 +264,4 @@ /*

/**
* Evaluator for reflected-xss directive. Checks if the value is not
* equal to 1
* Note: If empty it is secure
* @param {Array} sources sources for a given csp directive
* @return {Boolean} whether a directive is secure
*/
function xssCheck(sources) {
return sources.every((source) => parseInt(source) === 1);
}
/**
* Evaluator for referrer directive. Checks if value is not *
* or contains unsafe-url
* @param {Array} sources sources for a given csp directive
* @return {Boolean} whether a directive is secure
*/
function referrerCheck(sources) {
return sources.every((source) => !/unsafe-url|\*/.test(source));
}
const KNOWN_DIRECTIVES = [
{ name: 'default-src', camelCasedName: 'defaultSrc', evaluator: isSourceSecure },
{ name: 'base-uri', camelCasedName: 'baseUri', evaluator: isSourceSecure },
{ name: 'child-src', camelCasedName: 'childSrc' },

@@ -296,7 +274,5 @@ { name: 'connect-src', camelCasedName: 'connectSrc' },

{ name: 'style-src', camelCasedName: 'styleSrc' },
{ name: 'base-uri', camelCasedName: 'baseUri', evaluator: isSourceSecure },
{ name: 'form-action', camelCasedName: 'formAction', evaluator: isSourceSecure },
{ name: 'frame-ancestors', camelCasedName: 'frameAncestors', evaluator: isSourceSecure },
{ name: 'plugin-types', camelCasedName: 'pluginTypes', evaluator: isSourceSecure },
{ name: 'reflected-xss', camelCasedName: 'reflectedXss', evaluator: xssCheck },
{ name: 'referrer', evaluator: referrerCheck }
];

@@ -303,0 +279,0 @@
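Review bot: KNOWN_DIRECTIVES drops the `plugin-types`, `reflected-xss` and `referrer` entries together with the `xssCheck` and `referrerCheck` evaluators, but nothing on the new side records why, so a later reader may re-add them believing CSP coverage was lost. A one-line comment above the array would capture the reason: `// plugin-types, reflected-xss and referrer are not evaluated: all three were removed from the CSP spec`. Whether this is also what let the referer* renaming hack in the reporting code be deleted is only inferred from the sibling hunks on this page and should be confirmed. The array opens in this hunk and its closing `];` is in the second hunk.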

@@ -301,8 +301,2 @@ 'use strict';

objectSrcValue: '',
pluginTypesSecure: false,
pluginTypesValue: '',
referrerSecure: true,
referrerValue: '',
reflectedXssSecure: true,
reflectedXssValue: '',
scriptSrcSecure: false,

@@ -370,5 +364,2 @@ scriptSrcValue: '',

...defaultValues,
reflectedXssValue: '1',
referrerSecure: false,
referrerValue: '*',
insecure: true

@@ -381,4 +372,2 @@ }

...defaultValues,
referrerSecure: false,
referrerValue: 'unsafe-url',
insecure: true

@@ -385,0 +374,0 @@ }

{
"name": "@contrast/assess",
"version": "1.33.1",
"version": "1.34.0",
"description": "Contrast service providing framework-agnostic Assess support",

@@ -20,13 +20,14 @@ "license": "SEE LICENSE IN LICENSE",

"dependencies": {
"@contrast/common": "1.24.0",
"@contrast/config": "1.31.0",
"@contrast/core": "1.35.1",
"@contrast/dep-hooks": "1.3.4",
"@contrast/distringuish": "^5.0.0",
"@contrast/instrumentation": "1.13.1",
"@contrast/logger": "1.8.5",
"@contrast/patcher": "1.7.5",
"@contrast/rewriter": "1.11.1",
"@contrast/scopes": "1.4.2"
"@contrast/common": "1.25.0",
"@contrast/config": "1.32.0",
"@contrast/core": "1.36.0",
"@contrast/dep-hooks": "1.4.0",
"@contrast/distringuish": "^5.1.0",
"@contrast/instrumentation": "1.14.0",
"@contrast/logger": "1.9.0",
"@contrast/patcher": "1.8.0",
"@contrast/rewriter": "1.12.0",
"@contrast/scopes": "1.5.0",
"semver": "^7.6.0"
}
}