@contrast/assess
Comparing version 1.36.0 to 1.37.0
@@ -18,2 +18,3 @@ /* | ||
const semver = require('semver'); | ||
const { DataflowTag, primordials: { StringPrototypeSubstring } } = require('@contrast/common'); | ||
@@ -38,2 +39,95 @@ const { patchType } = require('../../common'); | ||
function patchCastForQuery(SchemaString, { version }) { | ||
if (semver.gte(version, '7.0.0')) { | ||
patcher.patch(SchemaString.prototype, 'castForQuery', { | ||
name: 'mongoose.SchemaString.prototype.castForQuery', | ||
patchType, | ||
post(data) { | ||
// if a conditional is provided as the first argument castForQuery gets | ||
// called subsequently with the individual value(s) | ||
if (!getSourceContext() || data.args[0]) return; | ||
const strInfo = tracker.getData(data.result); | ||
if (!strInfo) return; | ||
const event = createPropagationEvent({ | ||
addedTags: [DataflowTag.STRING_TYPE_CHECKED], | ||
name: data.name, | ||
moduleName: 'mongoose', | ||
methodName: 'SchemaString.prototype.castForQuery', | ||
history: [{ ...strInfo }], | ||
object: { | ||
tracked: false, | ||
value: 'mongoose.SchemaString', | ||
}, | ||
args: [{ tracked: true, value: strInfo.value }], | ||
result: { tracked: true, value: data.result }, | ||
source: 'P1', | ||
tags: { | ||
...strInfo.tags, | ||
[DataflowTag.STRING_TYPE_CHECKED]: [0, data.result.length - 1], | ||
}, | ||
target: 'R', | ||
stacktraceOpts: { | ||
prependFrames: [data.orig], | ||
}, | ||
}); | ||
if (!event) return; | ||
// in case the event type changed e.g. Source->Propagation | ||
for (const key of Object.keys(strInfo)) { | ||
if (key === 'value' || key === 'extern') continue; | ||
delete strInfo[key]; | ||
} | ||
Object.assign(strInfo, event); | ||
} | ||
}); | ||
} else { | ||
// v6 | ||
patcher.patch(SchemaString.prototype, '_castForQuery', { | ||
name: 'mongoose.SchemaString.prototype._castForQuery', | ||
patchType, | ||
post(data) { | ||
const strInfo = tracker.getData(data.result); | ||
if (!strInfo) return; | ||
const event = createPropagationEvent({ | ||
addedTags: [DataflowTag.STRING_TYPE_CHECKED], | ||
name: data.name, | ||
moduleName: 'mongoose', | ||
methodName: 'SchemaString.prototype._castForQuery', | ||
history: [{ ...strInfo }], | ||
object: { | ||
tracked: false, | ||
value: 'mongoose.SchemaString', | ||
}, | ||
args: [{ tracked: true, value: strInfo.value }], | ||
result: { tracked: true, value: data.result }, | ||
source: 'P0', | ||
tags: { | ||
...strInfo.tags, | ||
[DataflowTag.STRING_TYPE_CHECKED]: [0, data.result.length - 1], | ||
}, | ||
target: 'R', | ||
stacktraceOpts: { | ||
prependFrames: [data.orig], | ||
}, | ||
}); | ||
if (!event) return; | ||
// in case the event type changed e.g. Source->Propagation | ||
for (const key of Object.keys(strInfo)) { | ||
if (key === 'value' || key === 'extern') continue; | ||
delete strInfo[key]; | ||
} | ||
Object.assign(strInfo, event); | ||
} | ||
}); | ||
} | ||
} | ||
function patchEnum(SchemaString) { | ||
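Review bot: The v6 `_castForQuery` hook (post at L55) skips the `getSourceContext()` guard that the v7 hook applies at L16, so outside a request scope it still calls `tracker.getData` and `createPropagationEvent`; if `createPropagationEvent` tolerates a missing context this is only wasted work, otherwise the two branches diverge on when a STRING_TYPE_CHECKED event is recorded. Add `if (!getSourceContext()) return;` as the first line of the v6 post hook so both versions share the same precondition. The two post bodies are otherwise identical apart from `methodName` and `source`, so hoisting them into one helper taking those two values would keep them from drifting again. Also, `[0, data.result.length - 1]` yields `[0, -1]` if an empty string is ever tracked, and in the v7 branch `source: 'P1'` is paired with an `args` array holding only one entry at index 0 — worth confirming that is what `createPropagationEvent` expects for a second-positional-argument source. Note `semver.gte(version, ...)` throws on an invalid or undefined version, so the callback at L95 presumably relies on dep-hooks always supplying metadata.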
@@ -201,3 +295,4 @@ patcher.patch(SchemaString.prototype, 'enum', { | ||
}, | ||
(SchemaString) => { | ||
(SchemaString, metadata) => { | ||
patchCastForQuery(SchemaString, metadata); | ||
patchEnum(SchemaString); | ||
@@ -204,0 +299,0 @@ patchDoValidate(SchemaString); |
@@ -7,3 +7,3 @@ 'use strict'; | ||
describe('assess dataflow propagation mongoose.StringSchema', function () { | ||
describe('assess dataflow propagation mongoose.SchemaString', function () { | ||
let core, | ||
@@ -32,2 +32,5 @@ trackString, | ||
}; | ||
MockSchemaString.prototype.castForQuery = function($c, v) { | ||
return v; | ||
}; | ||
MockSchemaString.prototype.enum = function () { | ||
@@ -44,3 +47,3 @@ return this; | ||
core.assess.dataflow.propagation.mongooseInstrumentation.schemaString.install(); | ||
core.depHooks.resolve.yield(MockSchemaString); | ||
core.depHooks.resolve.yield(MockSchemaString, { version: '7.5.3' }); | ||
}); | ||
@@ -66,2 +69,38 @@ | ||
describe('SchemaString#castForQuery()', function () { | ||
it('adds STRING_TYPE_CHECKED when called directly on a value', function () { | ||
simulateRequestScope(function () { | ||
const str = trackString('foo'); | ||
const strInfo = tracker.getData(str); | ||
mockSchemaString.castForQuery(null, str); | ||
expect(strInfo).to.deep.include({ | ||
value: 'foo', | ||
addedTags: ['STRING_TYPE_CHECKED'], | ||
tags: { UNTRUSTED: [0, 2], STRING_TYPE_CHECKED: [0, 2] }, | ||
}); | ||
}); | ||
}); | ||
it('does not add STRING_TYPE_CHECKED when called with a conditional', function () { | ||
simulateRequestScope(function () { | ||
const str = trackString('foo'); | ||
const strInfo = tracker.getData(str); | ||
mockSchemaString.castForQuery('$ne', str); | ||
expect(strInfo).to.deep.include({ | ||
value: 'foo', | ||
tags: { UNTRUSTED: [0, 2] }, | ||
}); | ||
expect(strInfo).not.to.deep.include({ | ||
addedTags: ['STRING_TYPE_CHECKED'], | ||
tags: { UNTRUSTED: [0, 2], STRING_TYPE_CHECKED: [0, 2] }, | ||
}); | ||
}); | ||
}); | ||
}); | ||
it('SchemaString.doValidate adds STRING_TYPE_CHECKED tag', function () { | ||
@@ -68,0 +107,0 @@ return new Promise((resolve) => { |
{ | ||
"name": "@contrast/assess", | ||
"version": "1.36.0", | ||
"version": "1.37.0", | ||
"description": "Contrast service providing framework-agnostic Assess support", | ||
@@ -22,12 +22,12 @@ "license": "SEE LICENSE IN LICENSE", | ||
"@contrast/config": "1.34.0", | ||
"@contrast/core": "1.38.0", | ||
"@contrast/dep-hooks": "1.6.0", | ||
"@contrast/core": "1.39.0", | ||
"@contrast/dep-hooks": "1.7.0", | ||
"@contrast/distringuish": "^5.1.0", | ||
"@contrast/instrumentation": "1.16.0", | ||
"@contrast/logger": "1.11.0", | ||
"@contrast/patcher": "1.10.0", | ||
"@contrast/rewriter": "1.14.0", | ||
"@contrast/scopes": "1.7.0", | ||
"@contrast/instrumentation": "1.17.0", | ||
"@contrast/logger": "1.12.0", | ||
"@contrast/patcher": "1.11.0", | ||
"@contrast/rewriter": "1.15.0", | ||
"@contrast/scopes": "1.8.0", | ||
"semver": "^7.6.0" | ||
} | ||
} |
+ Added@contrast/core@1.39.0(transitive)
+ Added@contrast/dep-hooks@1.7.0(transitive)
+ Added@contrast/instrumentation@1.17.0(transitive)
+ Added@contrast/logger@1.12.0(transitive)
+ Added@contrast/patcher@1.11.0(transitive)
+ Added@contrast/rewriter@1.15.0(transitive)
+ Added@contrast/scopes@1.8.0(transitive)
- Removed@contrast/core@1.38.0(transitive)
- Removed@contrast/dep-hooks@1.6.0(transitive)
- Removed@contrast/instrumentation@1.16.0(transitive)
- Removed@contrast/logger@1.11.0(transitive)
- Removed@contrast/patcher@1.10.0(transitive)
- Removed@contrast/rewriter@1.14.0(transitive)
- Removed@contrast/scopes@1.7.0(transitive)
Updated@contrast/core@1.39.0
Updated@contrast/dep-hooks@1.7.0
Updated@contrast/logger@1.12.0
Updated@contrast/patcher@1.11.0
Updated@contrast/rewriter@1.15.0
Updated@contrast/scopes@1.8.0