@contrast/protect - npm Package Compare versions

Comparing version 1.8.0 to 1.8.1

6

lib/hardening/handlers.js

@@ -27,3 +27,4 @@ /*

throwSecurityException,
}
},
captureStacktrace,
} = core;

@@ -42,3 +43,3 @@

const mode = sourceContext.policy[ruleId];
const { name, value } = sinkContext;
const { name, value, stacktraceData } = sinkContext;

@@ -53,2 +54,3 @@ if (mode === 'off') return;

captureStacktrace(sinkContext, stacktraceData);
results.push({

@@ -55,0 +57,0 @@ blocked,

@@ -24,3 +24,2 @@ /*

patcher,
captureStacktrace,
protect,

@@ -47,6 +46,7 @@ protect: {

const sinkContext = captureStacktrace(
{ name: `${name}.${method}`, value },
{ constructorOpt: hooked, prependFrames: [orig] },
);
const sinkContext = {
name: `${name}.${method}`,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
hardening.handleUntrustedDeserialization(sourceContext, sinkContext);

@@ -53,0 +53,0 @@ },

@@ -217,8 +217,2 @@ /*

// only add queries if it's known that 'qs' or equivalent won't be used.
/* c8 ignore next 3 */
if (reqData.standardUrlParsing) {
connectInputs.queries = reqData.queries;
}
if (inputAnalysis.virtualPatchesEvaluators?.length) {

@@ -225,0 +219,0 @@ store.protect.virtualPatchesEvaluators.push(...inputAnalysis.virtualPatchesEvaluators.map((e) => new Map(e)));

@@ -27,5 +27,14 @@ /*

module.exports = function(core) {
const { protect: { agentLib, inputTracing, throwSecurityException } } = core;
const {
protect: {
agentLib,
inputTracing,
throwSecurityException
},
captureStacktrace,
} = core;
function handleFindings(sourceContext, sinkContext, ruleId, result, findings) {
const { stacktraceData } = sinkContext;
captureStacktrace(sinkContext, stacktraceData);
result.details.push({ sinkContext, findings });

@@ -32,0 +41,0 @@

@@ -26,3 +26,2 @@ /*

depHooks,
captureStacktrace,
protect,

@@ -47,6 +46,7 @@ protect: { inputTracing }

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -53,0 +53,0 @@ inputTracing.handleCommandInjection(sourceContext, sinkContext);

@@ -26,3 +26,2 @@ /*

patcher,
captureStacktrace,
protect,

@@ -49,6 +48,7 @@ protect: { inputTracing }

const sinkContext = captureStacktrace(
{ name: 'eval', value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name: 'eval',
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.ssjsInjection(sourceContext, sinkContext);

@@ -55,0 +55,0 @@ }

@@ -67,3 +67,2 @@ /*

depHooks,
captureStacktrace,
protect,

@@ -105,6 +104,7 @@ protect: { inputTracing }

for (const value of values) {
const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.handlePathTraversal(sourceContext, sinkContext);

@@ -111,0 +111,0 @@ core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);

@@ -26,3 +26,2 @@ /*

patcher,
captureStacktrace,
protect,

@@ -50,6 +49,8 @@ protect: { inputTracing }

const sinkContext = captureStacktrace(
{ name: 'Function', value: fnBody },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name: 'Function',
value: fnBody,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
console.log({ sinkContext: sinkContext.stacktraceData });
inputTracing.ssjsInjection(sourceContext, sinkContext);

@@ -56,0 +57,0 @@ }
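Review bot: The `console.log({ sinkContext: sinkContext.stacktraceData });` added right after the new `sinkContext` literal in this hunk looks like a debugging leftover: it writes the hook's internal `constructorOpt`/`prependFrames` function references to the instrumented application's stdout on every intercepted `Function` constructor call, which is noisy and exposes agent internals in application logs. None of the sibling hunks that make the same `captureStacktrace` → `stacktraceData` change carry such a line, so it should be dropped before release: remove `console.log({ sinkContext: sinkContext.stacktraceData });` and keep only `inputTracing.ssjsInjection(sourceContext, sinkContext);` after the literal. The enclosing hook body starts and ends outside the hunk.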

@@ -25,3 +25,2 @@ /*

depHooks,
captureStacktrace,
protect,

@@ -48,6 +47,7 @@ protect: { inputTracing }

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: data.hooked }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: data.hooked },
};
inputTracing.handleReflectedXss(sourceContext, sinkContext);

@@ -54,0 +54,0 @@ }

@@ -25,3 +25,2 @@ /*

patcher,
captureStacktrace,
protect,

@@ -71,6 +70,7 @@ protect: { inputTracing },

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);

@@ -96,6 +96,7 @@ }

if (value) {
const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);

@@ -138,6 +139,7 @@ }

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);

@@ -157,6 +159,7 @@ },

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);

@@ -182,6 +185,7 @@ }

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -202,6 +206,7 @@ inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.nosqlInjectionMongo(sourceContext, sinkContext);

@@ -208,0 +213,0 @@ }

@@ -25,3 +25,2 @@ /*

patcher,
captureStacktrace,
protect,

@@ -60,6 +59,7 @@ protect: { inputTracing }

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -66,0 +66,0 @@ inputTracing.handleSqlInjection(sourceContext, sinkContext);

@@ -25,3 +25,2 @@ /*

patcher,
captureStacktrace,
protect,

@@ -44,6 +43,7 @@ protect: { inputTracing }

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -50,0 +50,0 @@ inputTracing.handleSqlInjection(sourceContext, sinkContext);

@@ -26,3 +26,2 @@ /*

depHooks,
captureStacktrace,
protect,

@@ -53,6 +52,8 @@ protect: { inputTracing }

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.handleSqlInjection(sourceContext, sinkContext);

@@ -59,0 +60,0 @@ }

@@ -26,3 +26,2 @@ /*

depHooks,
captureStacktrace,
protect,

@@ -48,6 +47,7 @@ protect: { inputTracing }

const sinkContext = captureStacktrace(
{ name, value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -54,0 +54,0 @@ inputTracing.handleSqlInjection(sourceContext, sinkContext);

@@ -26,3 +26,2 @@ /*

depHooks,
captureStacktrace,
protect,

@@ -50,6 +49,7 @@ protect: { inputTracing }

const sinkContext = captureStacktrace(
{ name, value: codeString },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name,
value: codeString,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.ssjsInjection(sourceContext, sinkContext);

@@ -75,10 +75,12 @@ }

const codeStringSinkContext = (codeString && isString(codeString)) ? captureStacktrace(
{ name: 'vm.runInNewContext', value: codeString },
{ constructorOpt: hooked, prependFrames: [orig] }
) : null;
const envObjSinkContext = isNonEmptyObject(envObj) ? captureStacktrace(
{ name: 'vm.runInNewContext', value: envObj },
{ constructorOpt: hooked, prependFrames: [orig] }
) : null;
const codeStringSinkContext = (codeString && isString(codeString)) ? {
name: 'vm.runInNewContext',
value: codeString,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
} : null;
const envObjSinkContext = isNonEmptyObject(envObj) ? {
name: 'vm.runInNewContext',
value: envObj,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] }
} : null;

@@ -102,6 +104,7 @@ codeStringSinkContext && inputTracing.ssjsInjection(sourceContext, codeStringSinkContext);

const sinkContext = captureStacktrace(
{ name: 'vm.createContext', value: envObj },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name: 'vm.createContext',
value: envObj,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.ssjsInjection(sourceContext, sinkContext);

@@ -123,6 +126,7 @@ }

const sinkContext = captureStacktrace(
{ name: 'vm.Script.prototype.runInNewContext', value: envObj },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name: 'vm.Script.prototype.runInNewContext',
value: envObj,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};
inputTracing.ssjsInjection(sourceContext, sinkContext);

@@ -129,0 +133,0 @@ }

@@ -63,11 +63,2 @@ /*

// if it can be determined that qs-type parsing is not being done then set
// standardUrlParsing to true. if it is true, then the query params and bodies
// that are form-url-encoded will be parsed by agent-lib and will not need to
// be parsed separately.
//
// the code that scans the dependencies is probably the best place to make the
// determination.
const standardUrlParsing = false;
// contains request data and information derived from request data. it's

@@ -85,3 +76,2 @@ // possible for any derived information to be derived later, but doing

contentType,
standardUrlParsing,
};

@@ -88,0 +78,0 @@

@@ -39,11 +39,15 @@ /*

const compiled = {
url: [],
querystring: [],
header: [],
body: [],
cookie: [],
parameter: [],
};
function initCompiled() {
return {
url: [],
querystring: [],
header: [],
body: [],
cookie: [],
parameter: [],
};
}
let compiled = initCompiled();
const policy = protect.policy = {

@@ -278,2 +282,3 @@ exclusions: compiled

if (!exclusions.length) return;
compiled = initCompiled();

@@ -280,0 +285,0 @@ for (const exclusionDtm of exclusions) {
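Review bot: Reassigning `compiled = initCompiled();` in the `@@ -278,2 +282,3 @@` hunk does not update `policy.exclusions`, which was bound to the first `initCompiled()` object when `protect.policy` was built (`exclusions: compiled` appears in that hunk's header context), so exclusions compiled after that point would be written into a fresh object that `policy.exclusions` no longer references unless the property is reassigned elsewhere. If replacing the object is intended, bind it in the same place, e.g. `compiled = initCompiled(); policy.exclusions = compiled;`; otherwise clear the existing object's arrays in place instead of allocating a new one. The enclosing function starts before and ends after the hunk, so a later `policy.exclusions = compiled` may exist outside my view.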

@@ -41,8 +41,10 @@ /*

module.exports = function(core) {
const { protect: { agentLib, semanticAnalysis, throwSecurityException } } = core;
const { protect: { agentLib, semanticAnalysis, throwSecurityException }, captureStacktrace } = core;
function handleResult(sourceContext, sinkContext, ruleId, mode, finding) {
const { value, stacktraceData } = sinkContext;
captureStacktrace(sinkContext, stacktraceData);
const result = {
blocked: false,
findings: { command: sinkContext.value },
findings: { command: value },
sinkContext,

@@ -49,0 +51,0 @@ ...finding

@@ -29,3 +29,2 @@ /*

protect,
captureStacktrace
} = core;

@@ -64,6 +63,7 @@

const sinkContext = captureStacktrace(
{ name: 'libxmljs.parseXmlString', value },
{ constructorOpt: hooked, prependFrames: [orig] }
);
const sinkContext = {
name: 'libxmljs.parseXmlString',
value,
stacktraceData: { constructorOpt: hooked, prependFrames: [orig] },
};

@@ -70,0 +70,0 @@ try {

{
"name": "@contrast/protect",
"version": "1.8.0",
"version": "1.8.1",
"description": "Contrast service providing framework-agnostic Protect support",

@@ -21,5 +21,5 @@ "license": "SEE LICENSE IN LICENSE",

"@contrast/agent-lib": "^5.1.0",
"@contrast/common": "1.1.4",
"@contrast/core": "1.7.0",
"@contrast/esm-hooks": "1.3.0",
"@contrast/common": "1.1.5",
"@contrast/core": "1.7.1",
"@contrast/esm-hooks": "1.3.1",
"@contrast/scopes": "1.2.0",

@@ -26,0 +26,0 @@ "ipaddr.js": "^2.0.1",
