@contrast/protect
Comparing version 1.11.0 to 1.12.0
@@ -42,3 +42,3 @@ /* | ||
const mode = sourceContext.policy[ruleId]; | ||
const { name, value, stacktraceData } = sinkContext; | ||
const { name, value, stacktraceOpts } = sinkContext; | ||
@@ -53,3 +53,3 @@ if (mode === 'off') return; | ||
captureStacktrace(sinkContext, stacktraceData); | ||
captureStacktrace(sinkContext, stacktraceOpts); | ||
results.push({ | ||
@@ -56,0 +56,0 @@ value: sinkContext.value, |
@@ -48,3 +48,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -51,0 +51,0 @@ hardening.handleUntrustedDeserialization(sourceContext, sinkContext); |
@@ -38,4 +38,4 @@ /* | ||
function handleFindings(sourceContext, sinkContext, ruleId, result, findings) { | ||
const { stacktraceData } = sinkContext; | ||
captureStacktrace(sinkContext, stacktraceData); | ||
const { stacktraceOpts } = sinkContext; | ||
captureStacktrace(sinkContext, stacktraceOpts); | ||
result.exploitMetadata.push({ sinkContext, findings }); | ||
@@ -146,2 +146,3 @@ | ||
if (stringInjectionResults) { | ||
@@ -152,8 +153,23 @@ let stringFindings = null; | ||
if (typeof sinkContext.value === 'object') { | ||
traverseKeysAndValues(sinkContext.value, function(path, type, value) { | ||
traverseKeysAndValues(sinkContext.value, function(path, type, value, obj) { | ||
if (type !== 'Key' && !agentLib.isMongoQueryType(value)) return; | ||
const cmdVal = sinkContext.value[value]; | ||
stringFindings = handleStringValue(result, cmdVal?.['$function']?.body || cmdVal, agentLib); | ||
// halt traversal | ||
return true; | ||
if (!stringFindings && type == 'Key' && value == '$accumulator') { | ||
stringFindings = | ||
handleStringValue(result, obj[value]?.['init'], agentLib) || | ||
handleStringValue(result, obj[value]?.['merge'], agentLib) || | ||
handleStringValue(result, obj[value]?.['finalize'], agentLib) || | ||
handleStringValue(result, obj[value]?.['accumulate'], agentLib); | ||
} | ||
if (!stringFindings && type == 'Key' && value == '$function') { | ||
stringFindings = | ||
handleStringValue(result, obj['$function']?.body, agentLib); | ||
} | ||
if (!stringFindings) { | ||
stringFindings = handleStringValue(result, obj[value], agentLib); | ||
} | ||
if (stringFindings) return true; | ||
}); | ||
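Review bot: The `$function` branch reads `obj['$function']?.body` while the `$accumulator` branch reads `obj[value]?.[...]`; under the `value == '$function'` guard these are the same property, so `obj[value]?.body` keeps the two branches parallel, and the three loose comparisons `type == 'Key'`, `value == '$accumulator'`, `value == '$function'` should be `===` like the `type !== 'Key'` guard on the line above them. The four `$accumulator` lookups chained with `||` can be one loop over `['init', 'merge', 'finalize', 'accumulate']`, so the set of inspected sub-fields is a single list to maintain. I cannot tell from this hunk what `obj` holds when the callback fires for a value rather than a key (the leading guard lets `isMongoQueryType(value)` matches through to `obj[value]`), so a one-line comment above the callback stating what `path`, `type`, `value` and `obj` carry would help the next reader. The function that declares `stringFindings` starts before this hunk.
```javascript
traverseKeysAndValues(sinkContext.value, function(path, type, value, obj) {
  if (type !== 'Key' && !agentLib.isMongoQueryType(value)) return;
  if (!stringFindings && type === 'Key' && value === '$accumulator') {
    // same four sub-fields the chained lookups inspected; stop at the first finding
    for (const field of ['init', 'merge', 'finalize', 'accumulate']) {
      stringFindings = handleStringValue(result, obj[value]?.[field], agentLib);
      if (stringFindings) break;
    }
  }
  if (!stringFindings && type === 'Key' && value === '$function') {
    stringFindings = handleStringValue(result, obj[value]?.body, agentLib);
  }
  // … unchanged: generic obj[value] fallback and the halt-on-finding return …
```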
@@ -259,3 +275,6 @@ } else if (typeof sinkContext.value === 'string') { | ||
} | ||
return context.resultsMap[ruleId]; | ||
// because agent-lib stores all nosql-injection results under nosql-injection-mongo | ||
const resultsMapRuleId = ruleId === 'nosql-injection' ? 'nosql-injection-mongo' : ruleId; | ||
return context.resultsMap[resultsMapRuleId]; | ||
} | ||
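Review bot: The `'nosql-injection'` → `'nosql-injection-mongo'` alias is hard-coded in the return path, so any further rule whose agent-lib results key differs from its rule id would need another ternary here; a module-level table such as `const RESULTS_MAP_ALIASES = Object.freeze({ 'nosql-injection': 'nosql-injection-mongo' });` with `return context.resultsMap[RESULTS_MAP_ALIASES[ruleId] ?? ruleId];` keeps the agent-lib naming quirk in one place. The comment would also read better as `// agent-lib stores every nosql-injection result under the nosql-injection-mongo key`. The enclosing function starts before this hunk.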
@@ -262,0 +281,0 @@ |
@@ -30,2 +30,3 @@ /* | ||
require('./install/mongodb')(core); | ||
require('./install/marsdb')(core); | ||
require('./install/mysql')(core); | ||
@@ -32,0 +33,0 @@ require('./install/postgres')(core); |
@@ -40,3 +40,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -43,0 +43,0 @@ |
@@ -50,3 +50,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -53,0 +53,0 @@ inputTracing.ssjsInjection(sourceContext, sinkContext); |
@@ -106,3 +106,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -109,0 +109,0 @@ inputTracing.handlePathTraversal(sourceContext, sinkContext); |
@@ -51,3 +51,3 @@ /* | ||
value: fnBody, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -54,0 +54,0 @@ |
@@ -49,3 +49,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: data.hooked }, | ||
stacktraceOpts: { constructorOpt: data.hooked }, | ||
}; | ||
@@ -52,0 +52,0 @@ inputTracing.handleReflectedXss(sourceContext, sinkContext); |
@@ -65,3 +65,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -126,2 +126,3 @@ inputTracing.nosqlInjectionMongo(sourceContext, sinkContext); | ||
'distinct', | ||
'aggregate' | ||
], | ||
@@ -128,0 +129,0 @@ patchType, |
@@ -61,3 +61,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -64,0 +64,0 @@ |
@@ -45,3 +45,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -48,0 +48,0 @@ |
@@ -54,3 +54,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -57,0 +57,0 @@ |
@@ -49,3 +49,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -52,0 +52,0 @@ |
@@ -43,3 +43,3 @@ /* | ||
value: arg, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -46,0 +46,0 @@ inputTracing.ssjsInjection(sourceContext, sinkContext); |
@@ -44,4 +44,4 @@ /* | ||
function handleResult(sourceContext, sinkContext, ruleId, mode, finding) { | ||
const { value, stacktraceData } = sinkContext; | ||
captureStacktrace(sinkContext, stacktraceData); | ||
const { value, stacktraceOpts } = sinkContext; | ||
captureStacktrace(sinkContext, stacktraceOpts); | ||
const result = { | ||
@@ -48,0 +48,0 @@ blocked: false, |
@@ -65,3 +65,3 @@ /* | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -68,0 +68,0 @@ |
@@ -43,3 +43,3 @@ /* | ||
const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+"(?<uri1>.*?)"\s*("(?<uri2>.*?)"\s*)?>/g; | ||
const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+['"](?<uri1>.*?)['"]\s*(['"](?<uri2>.*?)['"]\s*)?>/g; | ||
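Review bot: The `name` group `[a-zA-Z0-f]` is a character range from `0` (U+0030) to `f` (U+0066), so it also matches `:;<=>?@[\]^_` and a backtick; `0-9` looks like the intent, and this line is touched by the commit without fixing it. The new `['"]…['"]` pairs also accept a mismatched open/close quote, which with the lazy `.*?` may capture a truncated URI when the literal contains the other quote character; a named backreference fixes both: `/<!ENTITY\s+(?<name>[a-zA-Z0-9]+)\s+(?<type>SYSTEM|PUBLIC)\s+(?<q1>['"])(?<uri1>.*?)\k<q1>\s*((?<q2>['"])(?<uri2>.*?)\k<q2>\s*)?>/g`. Separately, if `entityRegex` is reused across calls with `.test()`/`.exec()`, the `/g` flag makes `lastIndex` stateful between calls — I cannot tell from the hunk how it is used. The scope declaring `entityRegex` is outside this hunk.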
@@ -46,0 +46,0 @@ // Helper Functions |
{ | ||
"name": "@contrast/protect", | ||
"version": "1.11.0", | ||
"version": "1.12.0", | ||
"description": "Contrast service providing framework-agnostic Protect support", | ||
@@ -20,6 +20,6 @@ "license": "SEE LICENSE IN LICENSE", | ||
"dependencies": { | ||
"@contrast/agent-lib": "^5.1.0", | ||
"@contrast/agent-lib": "^5.3.0", | ||
"@contrast/common": "1.3.1", | ||
"@contrast/core": "1.10.0", | ||
"@contrast/esm-hooks": "1.6.0", | ||
"@contrast/core": "1.10.1", | ||
"@contrast/esm-hooks": "1.6.1", | ||
"@contrast/scopes": "1.2.0", | ||
@@ -26,0 +26,0 @@ "ipaddr.js": "^2.0.1", |
+ Added@contrast/core@1.10.1(transitive)
+ Added@contrast/esm-hooks@1.6.1(transitive)
+ Added@contrast/reporter@1.8.2(transitive)
- Removed@contrast/core@1.10.0(transitive)
- Removed@contrast/esm-hooks@1.6.0(transitive)
- Removed@contrast/reporter@1.8.1(transitive)
Updated@contrast/agent-lib@^5.3.0
Updated@contrast/core@1.10.1
Updated@contrast/esm-hooks@1.6.1