
@contrast/assess

@contrast/assess - npm Package Compare versions

Comparing version 1.36.0 to 1.37.0

97

lib/dataflow/propagation/install/mongoose/schema-string.js

@@ -18,2 +18,3 @@ /*

const semver = require('semver');
const { DataflowTag, primordials: { StringPrototypeSubstring } } = require('@contrast/common');

@@ -38,2 +39,95 @@ const { patchType } = require('../../common');

function patchCastForQuery(SchemaString, { version }) {
if (semver.gte(version, '7.0.0')) {
patcher.patch(SchemaString.prototype, 'castForQuery', {
name: 'mongoose.SchemaString.prototype.castForQuery',
patchType,
post(data) {
// if a conditional is provided as the first argument castForQuery gets
// called subsequently with the individual value(s)
if (!getSourceContext() || data.args[0]) return;
const strInfo = tracker.getData(data.result);
if (!strInfo) return;
const event = createPropagationEvent({
addedTags: [DataflowTag.STRING_TYPE_CHECKED],
name: data.name,
moduleName: 'mongoose',
methodName: 'SchemaString.prototype.castForQuery',
history: [{ ...strInfo }],
object: {
tracked: false,
value: 'mongoose.SchemaString',
},
args: [{ tracked: true, value: strInfo.value }],
result: { tracked: true, value: data.result },
source: 'P1',
tags: {
...strInfo.tags,
[DataflowTag.STRING_TYPE_CHECKED]: [0, data.result.length - 1],
},
target: 'R',
stacktraceOpts: {
prependFrames: [data.orig],
},
});
if (!event) return;
// in case the event type changed e.g. Source->Propagation
for (const key of Object.keys(strInfo)) {
if (key === 'value' || key === 'extern') continue;
delete strInfo[key];
}
Object.assign(strInfo, event);
}
});
} else {
// v6
patcher.patch(SchemaString.prototype, '_castForQuery', {
name: 'mongoose.SchemaString.prototype._castForQuery',
patchType,
post(data) {
const strInfo = tracker.getData(data.result);
if (!strInfo) return;
const event = createPropagationEvent({
addedTags: [DataflowTag.STRING_TYPE_CHECKED],
name: data.name,
moduleName: 'mongoose',
methodName: 'SchemaString.prototype._castForQuery',
history: [{ ...strInfo }],
object: {
tracked: false,
value: 'mongoose.SchemaString',
},
args: [{ tracked: true, value: strInfo.value }],
result: { tracked: true, value: data.result },
source: 'P0',
tags: {
...strInfo.tags,
[DataflowTag.STRING_TYPE_CHECKED]: [0, data.result.length - 1],
},
target: 'R',
stacktraceOpts: {
prependFrames: [data.orig],
},
});
if (!event) return;
// in case the event type changed e.g. Source->Propagation
for (const key of Object.keys(strInfo)) {
if (key === 'value' || key === 'extern') continue;
delete strInfo[key];
}
Object.assign(strInfo, event);
}
});
}
}
function patchEnum(SchemaString) {

@@ -201,3 +295,4 @@ patcher.patch(SchemaString.prototype, 'enum', {

},
(SchemaString) => {
(SchemaString, metadata) => {
patchCastForQuery(SchemaString, metadata);
patchEnum(SchemaString);

@@ -204,0 +299,0 @@ patchDoValidate(SchemaString);
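Review bot: The v7 and v6 `post` handlers in patchCastForQuery (hunk `@@ -38,2 +39,95`) differ only in the method name, the `source` value (`'P1'` vs `'P0'`) and the v7-only guard `if (!getSourceContext() || data.args[0]) return;`, so the event construction and the strInfo reset loop are duplicated verbatim across the two branches. A shared helper taking the method name and source index keeps them in sync; the v6 branch currently omits the `getSourceContext()` check, and if that is deliberate a comment such as `// v6: _castForQuery only receives the bare value, so no request-scope/conditional guard is applied` should say so, otherwise the helper removes the divergence. Separately, `semver.gte(version, '7.0.0')` throws on an undefined or non-semver `version`, and the parameter destructuring `{ version }` throws if metadata itself is undefined; whether dep-hooks always supplies metadata is not visible here, so an explicit `semver.valid(version)` check before the comparison may be warranted rather than letting the hook throw.
```javascript
// Shared post-hook body for castForQuery / _castForQuery: tags the cast result
// as STRING_TYPE_CHECKED and folds the new event back into the tracked info.
function castForQueryPost(methodName, source, data) {
  const strInfo = tracker.getData(data.result);
  if (!strInfo) return;
  const event = createPropagationEvent({
    addedTags: [DataflowTag.STRING_TYPE_CHECKED],
    name: data.name,
    moduleName: 'mongoose',
    methodName,
    history: [{ ...strInfo }],
    object: { tracked: false, value: 'mongoose.SchemaString' },
    args: [{ tracked: true, value: strInfo.value }],
    result: { tracked: true, value: data.result },
    source,
    tags: {
      ...strInfo.tags,
      [DataflowTag.STRING_TYPE_CHECKED]: [0, data.result.length - 1],
    },
    target: 'R',
    stacktraceOpts: { prependFrames: [data.orig] },
  });
  if (!event) return;
  // in case the event type changed e.g. Source->Propagation
  for (const key of Object.keys(strInfo)) {
    if (key === 'value' || key === 'extern') continue;
    delete strInfo[key];
  }
  Object.assign(strInfo, event);
}

function patchCastForQuery(SchemaString, { version }) {
  if (semver.gte(version, '7.0.0')) {
    patcher.patch(SchemaString.prototype, 'castForQuery', {
      name: 'mongoose.SchemaString.prototype.castForQuery',
      patchType,
      post(data) {
        // if a conditional is provided as the first argument castForQuery gets
        // called subsequently with the individual value(s)
        if (!getSourceContext() || data.args[0]) return;
        castForQueryPost('SchemaString.prototype.castForQuery', 'P1', data);
      },
    });
  } else {
    // v6
    patcher.patch(SchemaString.prototype, '_castForQuery', {
      name: 'mongoose.SchemaString.prototype._castForQuery',
      patchType,
      post(data) {
        castForQueryPost('SchemaString.prototype._castForQuery', 'P0', data);
      },
    });
  }
}
```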

@@ -7,3 +7,3 @@ 'use strict';

describe('assess dataflow propagation mongoose.StringSchema', function () {
describe('assess dataflow propagation mongoose.SchemaString', function () {
let core,

@@ -32,2 +32,5 @@ trackString,

};
MockSchemaString.prototype.castForQuery = function($c, v) {
return v;
};
MockSchemaString.prototype.enum = function () {

@@ -44,3 +47,3 @@ return this;

core.assess.dataflow.propagation.mongooseInstrumentation.schemaString.install();
core.depHooks.resolve.yield(MockSchemaString);
core.depHooks.resolve.yield(MockSchemaString, { version: '7.5.3' });
});

@@ -66,2 +69,38 @@

describe('SchemaString#castForQuery()', function () {
it('adds STRING_TYPE_CHECKED when called directly on a value', function () {
simulateRequestScope(function () {
const str = trackString('foo');
const strInfo = tracker.getData(str);
mockSchemaString.castForQuery(null, str);
expect(strInfo).to.deep.include({
value: 'foo',
addedTags: ['STRING_TYPE_CHECKED'],
tags: { UNTRUSTED: [0, 2], STRING_TYPE_CHECKED: [0, 2] },
});
});
});
it('does not add STRING_TYPE_CHECKED when called with a conditional', function () {
simulateRequestScope(function () {
const str = trackString('foo');
const strInfo = tracker.getData(str);
mockSchemaString.castForQuery('$ne', str);
expect(strInfo).to.deep.include({
value: 'foo',
tags: { UNTRUSTED: [0, 2] },
});
expect(strInfo).not.to.deep.include({
addedTags: ['STRING_TYPE_CHECKED'],
tags: { UNTRUSTED: [0, 2], STRING_TYPE_CHECKED: [0, 2] },
});
});
});
});
it('SchemaString.doValidate adds STRING_TYPE_CHECKED tag', function () {

@@ -68,0 +107,0 @@ return new Promise((resolve) => {

16

package.json
{
"name": "@contrast/assess",
"version": "1.36.0",
"version": "1.37.0",
"description": "Contrast service providing framework-agnostic Assess support",

@@ -22,12 +22,12 @@ "license": "SEE LICENSE IN LICENSE",

"@contrast/config": "1.34.0",
"@contrast/core": "1.38.0",
"@contrast/dep-hooks": "1.6.0",
"@contrast/core": "1.39.0",
"@contrast/dep-hooks": "1.7.0",
"@contrast/distringuish": "^5.1.0",
"@contrast/instrumentation": "1.16.0",
"@contrast/logger": "1.11.0",
"@contrast/patcher": "1.10.0",
"@contrast/rewriter": "1.14.0",
"@contrast/scopes": "1.7.0",
"@contrast/instrumentation": "1.17.0",
"@contrast/logger": "1.12.0",
"@contrast/patcher": "1.11.0",
"@contrast/rewriter": "1.15.0",
"@contrast/scopes": "1.8.0",
"semver": "^7.6.0"
}
}