@contrast/protect
Comparing version 1.8.0 to 1.8.1
@@ -27,3 +27,4 @@ /* | ||
throwSecurityException, | ||
} | ||
}, | ||
captureStacktrace, | ||
} = core; | ||
@@ -42,3 +43,3 @@ | ||
const mode = sourceContext.policy[ruleId]; | ||
const { name, value } = sinkContext; | ||
const { name, value, stacktraceData } = sinkContext; | ||
@@ -53,2 +54,3 @@ if (mode === 'off') return; | ||
captureStacktrace(sinkContext, stacktraceData); | ||
results.push({ | ||
@@ -55,0 +57,0 @@ blocked, |
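Review bot: The stack is now captured inside the handler via `captureStacktrace(sinkContext, stacktraceData)`, so the trimming done by `constructorOpt: hooked` only works while the handler is still running synchronously beneath `hooked`; if any rule handler is ever made asynchronous, `hooked` would no longer be on the stack and the trace would presumably come back truncated or empty. That contract is implicit in every hook touched by this release, so I'd document it once where the field is built, e.g. `// stacktraceData is consumed lazily by the rule handler; keep the handler call synchronous so constructorOpt/hooked is still on the stack`. The same lazy call appears in `handleFindings` and `handleResult` further down the diff, and none of the three guards against `stacktraceData` being absent for a sinkContext built by a caller that has not been migrated — `if (stacktraceData) captureStacktrace(sinkContext, stacktraceData);` would make that failure mode explicit rather than depending on what `captureStacktrace` does with `undefined`. The enclosing handler starts before this hunk.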
@@ -24,3 +24,2 @@ /* | ||
patcher, | ||
captureStacktrace, | ||
protect, | ||
@@ -47,6 +46,7 @@ protect: { | ||
const sinkContext = captureStacktrace( | ||
{ name: `${name}.${method}`, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] }, | ||
); | ||
const sinkContext = { | ||
name: `${name}.${method}`, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
hardening.handleUntrustedDeserialization(sourceContext, sinkContext); | ||
@@ -53,0 +53,0 @@ }, |
@@ -217,8 +217,2 @@ /* | ||
// only add queries if it's known that 'qs' or equivalent won't be used. | ||
/* c8 ignore next 3 */ | ||
if (reqData.standardUrlParsing) { | ||
connectInputs.queries = reqData.queries; | ||
} | ||
if (inputAnalysis.virtualPatchesEvaluators?.length) { | ||
@@ -225,0 +219,0 @@ store.protect.virtualPatchesEvaluators.push(...inputAnalysis.virtualPatchesEvaluators.map((e) => new Map(e))); |
@@ -27,5 +27,14 @@ /* | ||
module.exports = function(core) { | ||
const { protect: { agentLib, inputTracing, throwSecurityException } } = core; | ||
const { | ||
protect: { | ||
agentLib, | ||
inputTracing, | ||
throwSecurityException | ||
}, | ||
captureStacktrace, | ||
} = core; | ||
function handleFindings(sourceContext, sinkContext, ruleId, result, findings) { | ||
const { stacktraceData } = sinkContext; | ||
captureStacktrace(sinkContext, stacktraceData); | ||
result.details.push({ sinkContext, findings }); | ||
@@ -32,0 +41,0 @@ |
@@ -26,3 +26,2 @@ /* | ||
depHooks, | ||
captureStacktrace, | ||
protect, | ||
@@ -47,6 +46,7 @@ protect: { inputTracing } | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -53,0 +53,0 @@ inputTracing.handleCommandInjection(sourceContext, sinkContext); |
@@ -26,3 +26,2 @@ /* | ||
patcher, | ||
captureStacktrace, | ||
protect, | ||
@@ -49,6 +48,7 @@ protect: { inputTracing } | ||
const sinkContext = captureStacktrace( | ||
{ name: 'eval', value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name: 'eval', | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.ssjsInjection(sourceContext, sinkContext); | ||
@@ -55,0 +55,0 @@ } |
@@ -67,3 +67,2 @@ /* | ||
depHooks, | ||
captureStacktrace, | ||
protect, | ||
@@ -105,6 +104,7 @@ protect: { inputTracing } | ||
for (const value of values) { | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.handlePathTraversal(sourceContext, sinkContext); | ||
@@ -111,0 +111,0 @@ core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext); |
@@ -26,3 +26,2 @@ /* | ||
patcher, | ||
captureStacktrace, | ||
protect, | ||
@@ -50,6 +49,8 @@ protect: { inputTracing } | ||
const sinkContext = captureStacktrace( | ||
{ name: 'Function', value: fnBody }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name: 'Function', | ||
value: fnBody, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
console.log({ sinkContext: sinkContext.stacktraceData }); | ||
inputTracing.ssjsInjection(sourceContext, sinkContext); | ||
@@ -56,0 +57,0 @@ } |
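Review bot: The added `console.log({ sinkContext: sinkContext.stacktraceData });` before `inputTracing.ssjsInjection(sourceContext, sinkContext)` looks like a debug leftover: it writes to the instrumented application's stdout on every hooked `Function` call and prints the `hooked`/`orig` function objects, and no sibling hook in this diff logs anything. I'd remove the line; if the intent is to trace stack capture, it belongs behind the agent's own logger at debug level rather than `console.log`. The hooked function begins outside the hunk.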
@@ -25,3 +25,2 @@ /* | ||
depHooks, | ||
captureStacktrace, | ||
protect, | ||
@@ -48,6 +47,7 @@ protect: { inputTracing } | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: data.hooked } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: data.hooked }, | ||
}; | ||
inputTracing.handleReflectedXss(sourceContext, sinkContext); | ||
@@ -54,0 +54,0 @@ } |
@@ -25,3 +25,2 @@ /* | ||
patcher, | ||
captureStacktrace, | ||
protect, | ||
@@ -71,6 +70,7 @@ protect: { inputTracing }, | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext); | ||
@@ -96,6 +96,7 @@ } | ||
if (value) { | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext); | ||
@@ -138,6 +139,7 @@ } | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext); | ||
@@ -157,6 +159,7 @@ }, | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext); | ||
@@ -182,6 +185,7 @@ } | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -202,6 +206,7 @@ inputTracing.nosqlInjectionMongo(sourceContext, sinkContext); | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext); | ||
@@ -208,0 +213,0 @@ } |
@@ -25,3 +25,2 @@ /* | ||
patcher, | ||
captureStacktrace, | ||
protect, | ||
@@ -60,6 +59,7 @@ protect: { inputTracing } | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -66,0 +66,0 @@ inputTracing.handleSqlInjection(sourceContext, sinkContext); |
@@ -25,3 +25,2 @@ /* | ||
patcher, | ||
captureStacktrace, | ||
protect, | ||
@@ -44,6 +43,7 @@ protect: { inputTracing } | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -50,0 +50,0 @@ inputTracing.handleSqlInjection(sourceContext, sinkContext); |
@@ -26,3 +26,2 @@ /* | ||
depHooks, | ||
captureStacktrace, | ||
protect, | ||
@@ -53,6 +52,8 @@ protect: { inputTracing } | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.handleSqlInjection(sourceContext, sinkContext); | ||
@@ -59,0 +60,0 @@ } |
@@ -26,3 +26,2 @@ /* | ||
depHooks, | ||
captureStacktrace, | ||
protect, | ||
@@ -48,6 +47,7 @@ protect: { inputTracing } | ||
const sinkContext = captureStacktrace( | ||
{ name, value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -54,0 +54,0 @@ inputTracing.handleSqlInjection(sourceContext, sinkContext); |
@@ -26,3 +26,2 @@ /* | ||
depHooks, | ||
captureStacktrace, | ||
protect, | ||
@@ -50,6 +49,7 @@ protect: { inputTracing } | ||
const sinkContext = captureStacktrace( | ||
{ name, value: codeString }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name, | ||
value: codeString, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.ssjsInjection(sourceContext, sinkContext); | ||
@@ -75,10 +75,12 @@ } | ||
const codeStringSinkContext = (codeString && isString(codeString)) ? captureStacktrace( | ||
{ name: 'vm.runInNewContext', value: codeString }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
) : null; | ||
const envObjSinkContext = isNonEmptyObject(envObj) ? captureStacktrace( | ||
{ name: 'vm.runInNewContext', value: envObj }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
) : null; | ||
const codeStringSinkContext = (codeString && isString(codeString)) ? { | ||
name: 'vm.runInNewContext', | ||
value: codeString, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] } | ||
} : null; | ||
const envObjSinkContext = isNonEmptyObject(envObj) ? { | ||
name: 'vm.runInNewContext', | ||
value: envObj, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] } | ||
} : null; | ||
@@ -102,6 +104,7 @@ codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext); | ||
const sinkContext = captureStacktrace( | ||
{ name: 'vm.createContext', value: envObj }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name: 'vm.createContext', | ||
value: envObj, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.ssjsInjection(sourceContext, sinkContext); | ||
@@ -123,6 +126,7 @@ } | ||
const sinkContext = captureStacktrace( | ||
{ name: 'vm.Script.prototype.runInNewContext', value: envObj }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name: 'vm.Script.prototype.runInNewContext', | ||
value: envObj, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
inputTracing.ssjsInjection(sourceContext, sinkContext); | ||
@@ -129,0 +133,0 @@ } |
@@ -63,11 +63,2 @@ /* | ||
// if it can be determined that qs-type parsing is not being done then set | ||
// standardUrlParsing to true. if it is true, then the query params and bodies | ||
// that are form-url-encoded will be parsed by agent-lib and will not need to | ||
// be parsed separately. | ||
// | ||
// the code that scans the dependencies is probably the best place to make the | ||
// determination. | ||
const standardUrlParsing = false; | ||
// contains request data and information derived from request data. it's | ||
@@ -85,3 +76,2 @@ // possible for any derived information to be derived later, but doing | ||
contentType, | ||
standardUrlParsing, | ||
}; | ||
@@ -88,0 +78,0 @@ |
@@ -39,11 +39,15 @@ /* | ||
const compiled = { | ||
url: [], | ||
querystring: [], | ||
header: [], | ||
body: [], | ||
cookie: [], | ||
parameter: [], | ||
}; | ||
function initCompiled() { | ||
return { | ||
url: [], | ||
querystring: [], | ||
header: [], | ||
body: [], | ||
cookie: [], | ||
parameter: [], | ||
}; | ||
} | ||
let compiled = initCompiled(); | ||
const policy = protect.policy = { | ||
@@ -278,2 +282,3 @@ exclusions: compiled | ||
if (!exclusions.length) return; | ||
compiled = initCompiled(); | ||
@@ -280,0 +285,0 @@ for (const exclusionDtm of exclusions) { |
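Review bot: The new `compiled = initCompiled();` sits after `if (!exclusions.length) return;`, so a policy update that removes every exclusion never resets `compiled` and the previously compiled entries stay in force; if an empty list is meant to clear them, the reset belongs before the early return. Separately, `compiled` used to be a `const` whose object was presumably mutated in place, and the hunk context `exclusions: compiled` suggests `policy` holds a reference to that object — after reassignment that reference would point at the stale object unless `exclusions` is a getter or is reassigned alongside it (`policy.exclusions = compiled;`). Worth confirming which it is, since the exclusion set is what decides which inputs are not evaluated. The function containing this hunk starts and ends outside it.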
@@ -41,8 +41,10 @@ /* | ||
module.exports = function(core) { | ||
const { protect: { agentLib, semanticAnalysis, throwSecurityException } } = core; | ||
const { protect: { agentLib, semanticAnalysis, throwSecurityException }, captureStacktrace } = core; | ||
function handleResult(sourceContext, sinkContext, ruleId, mode, finding) { | ||
const { value, stacktraceData } = sinkContext; | ||
captureStacktrace(sinkContext, stacktraceData); | ||
const result = { | ||
blocked: false, | ||
findings: { command: sinkContext.value }, | ||
findings: { command: value }, | ||
sinkContext, | ||
@@ -49,0 +51,0 @@ ...finding |
@@ -29,3 +29,2 @@ /* | ||
protect, | ||
captureStacktrace | ||
} = core; | ||
@@ -64,6 +63,7 @@ | ||
const sinkContext = captureStacktrace( | ||
{ name: 'libxmljs.parseXmlString', value }, | ||
{ constructorOpt: hooked, prependFrames: [orig] } | ||
); | ||
const sinkContext = { | ||
name: 'libxmljs.parseXmlString', | ||
value, | ||
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }, | ||
}; | ||
@@ -70,0 +70,0 @@ try { |
{ | ||
"name": "@contrast/protect", | ||
"version": "1.8.0", | ||
"version": "1.8.1", | ||
"description": "Contrast service providing framework-agnostic Protect support", | ||
@@ -21,5 +21,5 @@ "license": "SEE LICENSE IN LICENSE", | ||
"@contrast/agent-lib": "^5.1.0", | ||
"@contrast/common": "1.1.4", | ||
"@contrast/core": "1.7.0", | ||
"@contrast/esm-hooks": "1.3.0", | ||
"@contrast/common": "1.1.5", | ||
"@contrast/core": "1.7.1", | ||
"@contrast/esm-hooks": "1.3.1", | ||
"@contrast/scopes": "1.2.0", | ||
@@ -26,0 +26,0 @@ "ipaddr.js": "^2.0.1", |
+ Added@contrast/common@1.1.5(transitive)
+ Added@contrast/config@1.3.3(transitive)
+ Added@contrast/core@1.7.1(transitive)
+ Added@contrast/esm-hooks@1.3.1(transitive)
+ Added@contrast/reporter@1.6.2(transitive)
- Removed@contrast/common@1.1.4(transitive)
- Removed@contrast/config@1.3.2(transitive)
- Removed@contrast/core@1.7.0(transitive)
- Removed@contrast/esm-hooks@1.3.0(transitive)
- Removed@contrast/reporter@1.6.1(transitive)
Updated@contrast/common@1.1.5
Updated@contrast/core@1.7.1
Updated@contrast/esm-hooks@1.3.1