@@ -18,16 +18,23 @@ /* | ||
| const { Event } = require('@contrast/common'); | ||
| const { Event, featureReaders, settingsReaders, mergeRemoteData } = require('@contrast/common'); | ||
| const { configOptions } = require('@contrast/config/lib/options'); | ||
| const settingsReaders = require('./settings-readers'); | ||
| const featureReaders = require('./feature-readers'); | ||
| module.exports = function(core) { | ||
| const { config, messages } = core; | ||
| const effectiveConfig = createEffectiveConfig({ config, remoteData: {} }); | ||
| function setterFn(target, name, value) { | ||
| let remoteValue = value; | ||
| if (typeof value === 'string') remoteValue = remoteValue.toLowerCase(); | ||
| target.set(name, { | ||
| CanonicalName: name, | ||
| Name: name, | ||
| Value: remoteValue, | ||
| Source: 'ContrastUI', | ||
| }); | ||
| } | ||
| if (core.config?.protect?.enable === true) { | ||
| messages.on(Event.SERVER_SETTINGS_UPDATE, (msg) => { | ||
| msg.features && mergeRemoteData(msg, featureReaders); | ||
| msg.settings && mergeRemoteData(msg, settingsReaders); | ||
| msg.features && mergeRemoteData(config, msg, featureReaders, setterFn, effectiveConfig); | ||
| msg.settings && mergeRemoteData(config, msg, settingsReaders, setterFn, effectiveConfig); | ||
| }); | ||
@@ -76,16 +83,2 @@ } | ||
| } | ||
| function mergeRemoteData(remoteData, readers) { | ||
| for (const [name, readerFn] of Object.entries(readers)) { | ||
| const remoteValue = readerFn(remoteData); | ||
| if (config._sources[name] === 'DEFAULT' && remoteValue != null) { | ||
| effectiveConfig.set(name, { | ||
| CanonicalName: name, | ||
| Name: name, | ||
| Value: remoteValue, | ||
| Source: 'ContrastUI', | ||
| }); | ||
| } | ||
| } | ||
| } | ||
| }; |
| { | ||
| "name": "@contrast/core", | ||
| "version": "1.10.1", | ||
| "version": "1.10.2", | ||
| "description": "Preconfigured Contrast agent core services and models", | ||
@@ -21,4 +21,4 @@ "license": "SEE LICENSE IN LICENSE", | ||
| "@contrast/agentify": "1.3.1", | ||
| "@contrast/common": "1.3.1", | ||
| "@contrast/config": "1.5.1", | ||
| "@contrast/common": "1.3.2", | ||
| "@contrast/config": "1.5.2", | ||
| "@contrast/deadzones": "1.0.0", | ||
@@ -30,3 +30,3 @@ "@contrast/dep-hooks": "1.0.5", | ||
| "@contrast/patcher": "1.1.0", | ||
| "@contrast/reporter": "1.8.2", | ||
| "@contrast/reporter": "1.8.3", | ||
| "@contrast/rewriter": "1.3.1", | ||
@@ -33,0 +33,0 @@ "@contrast/scopes": "1.2.0" |
| /* | ||
| * Copyright: 2022 Contrast Security, Inc | ||
| * Contact: support@contrastsecurity.com | ||
| * License: Commercial | ||
| * NOTICE: This Software and the patented inventions embodied within may only be | ||
| * used as part of Contrast Security’s commercial offerings. Even though it is | ||
| * made available through public repositories, use of this Software is subject to | ||
| * the applicable End User Licensing Agreement found at | ||
| * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed | ||
| * between Contrast Security and the End User. The Software may not be reverse | ||
| * engineered, modified, repackaged, sold, redistributed or otherwise used in a | ||
| * way not consistent with the End User License Agreement. | ||
| */ | ||
| 'use strict'; | ||
| const featureReaders = { | ||
| 'agent.logger.level': (remoteData) => remoteData.features?.logLevel, | ||
| 'agent.logger.path': (remoteData) => remoteData.features?.logFile, | ||
| 'agent.security_logger.syslog.enable': (remoteData) => remoteData.features?.defend?.syslog?.syslogEnabled, | ||
| 'agent.security_logger.syslog.ip': (remoteData) => remoteData.features?.defend?.syslog?.syslogIpAddress, | ||
| 'agent.security_logger.syslog.port': (remoteData) => remoteData.features?.defend?.syslog?.syslogPortNumber, | ||
| 'agent.security_logger.syslog.facility': (remoteData) => remoteData.features?.defend?.syslog?.syslogFacilityCode, | ||
| 'agent.security_logger.syslog.severity_exploited': (remoteData) => remoteData.features?.defend?.syslog?.syslogSeverityExploit, | ||
| 'agent.security_logger.syslog.severity_blocked': (remoteData) => remoteData.features?.defend?.syslog?.syslogSeverityBlocke, | ||
| 'agent.security_logger.syslog.severity_probed': (remoteData) => remoteData.features?.defend?.syslog?.syslogSeverityProbed, | ||
| }; | ||
| module.exports = featureReaders; |
| /* | ||
| * Copyright: 2022 Contrast Security, Inc | ||
| * Contact: support@contrastsecurity.com | ||
| * License: Commercial | ||
| * NOTICE: This Software and the patented inventions embodied within may only be | ||
| * used as part of Contrast Security’s commercial offerings. Even though it is | ||
| * made available through public repositories, use of this Software is subject to | ||
| * the applicable End User Licensing Agreement found at | ||
| * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed | ||
| * between Contrast Security and the End User. The Software may not be reverse | ||
| * engineered, modified, repackaged, sold, redistributed or otherwise used in a | ||
| * way not consistent with the End User License Agreement. | ||
| */ | ||
| 'use strict'; | ||
| const { | ||
| ProtectRuleMode: { | ||
| OFF, | ||
| BLOCK, | ||
| MONITOR, | ||
| BLOCK_AT_PERIMETER | ||
| } | ||
| } = require('@contrast/common'); | ||
| const settingsReaders = [ | ||
| 'protect.rules.cmd-injection.mode', | ||
| 'protect.rules.cmd-injection-command-backdoors.mode', | ||
| 'protect.rules.cmd-injection-semantic-chained-commands.mode', | ||
| 'protect.rules.cmd-injection-semantic-dangerous-paths.mode', | ||
| 'protect.rules.method-tampering.mode', | ||
| 'protect.rules.nosql-injection.mode', | ||
| 'protect.rules.nosql-injection-mongo.mode', | ||
| 'protect.rules.path-traversal.mode', | ||
| 'protect.rules.path-traversal-semantic-file-security-bypass.mode', | ||
| 'protect.rules.reflected-xss.mode', | ||
| 'protect.rules.sql-injection.mode', | ||
| 'protect.rules.ssjs-injection.mode', | ||
| 'protect.rules.unsafe-file-upload.mode', | ||
| 'protect.rules.untrusted-deserialization.mode', | ||
| 'protect.rules.xxe.mode', | ||
| ].reduce((acc, name) => { | ||
| const ruleId = name.split('.')[2]; | ||
| return Object.assign(acc, { | ||
| [name]: (remoteData) => { | ||
| const remoteSetting = remoteData.settings?.defend?.protectionRules?.find(r => r.id == ruleId); | ||
| switch (remoteSetting?.mode) { | ||
| case 'OFF': return OFF; | ||
| case 'MONITORING': return MONITOR; | ||
| case 'BLOCKING': return remoteSetting.blockAtEntry ? BLOCK_AT_PERIMETER : BLOCK; | ||
| } | ||
| } | ||
| }); | ||
| }, {}); | ||
| module.exports = settingsReaders; |