
@contrast/protect


@contrast/protect - npm Package Compare versions

Comparing version 1.11.0 to 1.12.0

lib/input-tracing/install/marsdb.js

4

lib/hardening/handlers.js

@@ -42,3 +42,3 @@ /*

const mode = sourceContext.policy[ruleId];
const { name, value, stacktraceData } = sinkContext;
const { name, value, stacktraceOpts } = sinkContext;

@@ -53,3 +53,3 @@ if (mode === 'off') return;

captureStacktrace(sinkContext, stacktraceData);
captureStacktrace(sinkContext, stacktraceOpts);
results.push({

@@ -56,0 +56,0 @@ value: sinkContext.value,

@@ -48,3 +48,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -51,0 +51,0 @@ hardening.handleUntrustedDeserialization(sourceContext, sinkContext);

@@ -38,4 +38,4 @@ /*

function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
const { stacktraceData } = sinkContext;
captureStacktrace(sinkContext, stacktraceData);
const { stacktraceOpts } = sinkContext;
captureStacktrace(sinkContext, stacktraceOpts);
result.exploitMetadata.push({ sinkContext, findings });

@@ -146,2 +146,3 @@

if (stringInjectionResults) {

@@ -152,8 +153,23 @@ let stringFindings = null;

if (typeof sinkContext.value === 'object') {
traverseKeysAndValues(sinkContext.value, function(path, type, value) {
traverseKeysAndValues(sinkContext.value, function(path, type, value, obj) {
if (type !== 'Key' && !agentLib.isMongoQueryType(value)) return;
const cmdVal = sinkContext.value[value];
stringFindings = handleStringValue(result, cmdVal?.['$function']?.body || cmdVal, agentLib);
// halt traversal
return true;
if (!stringFindings && type == 'Key' && value == '$accumulator') {
stringFindings =
handleStringValue(result, obj[value]?.['init'], agentLib) ||
handleStringValue(result, obj[value]?.['merge'], agentLib) ||
handleStringValue(result, obj[value]?.['finalize'], agentLib) ||
handleStringValue(result, obj[value]?.['accumulate'], agentLib);
}
if (!stringFindings && type == 'Key' && value == '$function') {
stringFindings =
handleStringValue(result, obj['$function']?.body, agentLib);
}
if (!stringFindings) {
stringFindings = handleStringValue(result, obj[value], agentLib);
}
if (stringFindings) return true;
});
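Review bot: The three branches in the traversal callback are independent `if` blocks, so when none of the `$accumulator` fields (or `$function.body`) yields a finding, the trailing `if (!stringFindings)` block calls `handleStringValue` a second time for the same key with the whole `obj['$accumulator']` / `obj['$function']` object as its value; chaining them as `} else if (type === 'Key' && value === '$function') {` and `} else {` removes the duplicate call and makes the precedence explicit. The comparisons `type == 'Key' && value == '$accumulator'` (and the `$function` pair) should use `===`, consistent with `type !== 'Key'` on the line above. Whether a body that arrives as a non-string value (for example a driver-level code object rather than a plain string) is covered by `handleStringValue` is not visible here and is worth a test, since that is exactly the case an evasion would target. The enclosing function starts and ends outside the hunk.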

@@ -259,3 +275,6 @@ } else if (typeof sinkContext.value === 'string') {

}
return context.resultsMap[ruleId];
// because agent-lib stores all nosql-injection results under nosql-injection-mongo
const resultsMapRuleId = ruleId === 'nosql-injection' ? 'nosql-injection-mongo' : ruleId;
return context.resultsMap[resultsMapRuleId];
}
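Review bot: The `nosql-injection` → `nosql-injection-mongo` alias is applied only at this read of `context.resultsMap`; if earlier lines of this function (outside the hunk) or other call sites write into `resultsMap` under the unmapped `ruleId`, the read and the write will disagree, so it is worth normalising the key once in a shared place, e.g. `const resultsMapRuleId = RESULTS_MAP_ALIASES[ruleId] ?? ruleId;` next to the other rule-id constants, rather than inline here. The comment would also help a future reader if it named the agent-lib version that consolidated the key (the dependency moves to `^5.3.0` in this release), so it is clear when the alias can be dropped. The enclosing function begins before the hunk.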

@@ -262,0 +281,0 @@

@@ -30,2 +30,3 @@ /*

require('./install/mongodb')(core);
require('./install/marsdb')(core);
require('./install/mysql')(core);

@@ -32,0 +33,0 @@ require('./install/postgres')(core);

@@ -40,3 +40,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -43,0 +43,0 @@

@@ -50,3 +50,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -53,0 +53,0 @@ inputTracing.ssjsInjection(sourceContext, sinkContext);

@@ -106,3 +106,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -109,0 +109,0 @@ inputTracing.handlePathTraversal(sourceContext, sinkContext);

@@ -51,3 +51,3 @@ /*

value: fnBody,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -54,0 +54,0 @@

@@ -49,3 +49,3 @@ /*

value,
stacktraceData: { constructorOpt: data.hooked },
stacktraceOpts: { constructorOpt: data.hooked },
};

@@ -52,0 +52,0 @@ inputTracing.handleReflectedXss(sourceContext, sinkContext);

@@ -65,3 +65,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -126,2 +126,3 @@ inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);

'distinct',
'aggregate'
],

@@ -128,0 +129,0 @@ patchType,

@@ -61,3 +61,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -64,0 +64,0 @@

@@ -45,3 +45,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -48,0 +48,0 @@

@@ -54,3 +54,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -57,0 +57,0 @@

@@ -49,3 +49,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -52,0 +52,0 @@

@@ -43,3 +43,3 @@ /*

value: arg,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -46,0 +46,0 @@ inputTracing.ssjsInjection(sourceContext, sinkContext);

@@ -44,4 +44,4 @@ /*

function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
const { value, stacktraceData } = sinkContext;
captureStacktrace(sinkContext, stacktraceData);
const { value, stacktraceOpts } = sinkContext;
captureStacktrace(sinkContext, stacktraceOpts);
const result = {

@@ -48,0 +48,0 @@ blocked: false,

@@ -65,3 +65,3 @@ /*

value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
stacktraceOpts: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -68,0 +68,0 @@

@@ -43,3 +43,3 @@ /*

const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+"(?<uri1>.*?)"\s*("(?<uri2>.*?)"\s*)?>/g;
const entityRegex = /<!ENTITY\s+(?<name>[a-zA-Z0-f]+)\s+(?<type>SYSTEM|PUBLIC)\s+['"](?<uri1>.*?)['"]\s*(['"](?<uri2>.*?)['"]\s*)?>/g;
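Review bot: The name class `[a-zA-Z0-f]+` looks like a typo for `0-9`: the range `0-f` spans ASCII 0x30–0x66, so it admits `:;<=>?@[\]^_` and backtick, yet still excludes `.` and `-`, which XML permits in names, so `<!ENTITY a.b SYSTEM "...">` or `<!ENTITY a-b SYSTEM "...">` never matches and that external entity escapes detection. The `['"]...['"]` pairs added here also accept mismatched quotes; a backreference keeps them paired: `(?<q1>['"])(?<uri1>.*?)\k<q1>\s*((?<q2>['"])(?<uri2>.*?)\k<q2>\s*)?`. A name class closer to the XML Name production, e.g. `(?<name>[A-Za-z_:][\w.:-]*)`, closes the evasion. Whether any consumer relies on numbered rather than named groups, and how this `/g` regex is driven (`lastIndex` is stateful with `test`/`exec`), is not visible here and should be checked before changing the group layout.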

@@ -46,0 +46,0 @@ // Helper Functions

{
"name": "@contrast/protect",
"version": "1.11.0",
"version": "1.12.0",
"description": "Contrast service providing framework-agnostic Protect support",

@@ -20,6 +20,6 @@ "license": "SEE LICENSE IN LICENSE",

"dependencies": {
"@contrast/agent-lib": "^5.1.0",
"@contrast/agent-lib": "^5.3.0",
"@contrast/common": "1.3.1",
"@contrast/core": "1.10.0",
"@contrast/esm-hooks": "1.6.0",
"@contrast/core": "1.10.1",
"@contrast/esm-hooks": "1.6.1",
"@contrast/scopes": "1.2.0",

@@ -26,0 +26,0 @@ "ipaddr.js": "^2.0.1",
