npm - @contrast/assess - Versions diffs - 1.30.0 → 1.32.0 - Mend

@contrast/assess 1.30.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/crypto-analysis/install/crypto.test.js ADDED Viewed

@@ -0,0 +1,146 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { Rule } = require('@contrast/common');
+const { ConfigSource } = require('@contrast/config');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess crypto-analysis node:crypto', function () {
+  let core, simulateRequestScope, mockCrypto;
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    mockCrypto = {
+      createHash: sinon.stub(),
+      createCipher: sinon.stub(),
+      createCipheriv: sinon.stub(),
+    };
+    core.depHooks.resolve.withArgs({ name: 'crypto' }).yields(mockCrypto);
+    sinon.spy(core.assess.cryptoAnalysis, 'report');
+    core.assess.cryptoAnalysis.installers.crypto.install();
+  });
+  describe('crypto.createHash()', function() {
+    [
+      'sha2-224',
+      'Sha224',
+      'rsa-sha256',
+      'sha256withrsaencryption',
+      'sha-384',
+      'SHA384WITHRSAENCRYPTION',
+      'sha-512',
+      'sha2-512',
+      'sha512',
+      'ShA512WiThRsAeNcRyPtIoN',
+    ].forEach((alg) => {
+      it(`doesn't report when algorithm is safe: ${alg}`, function () {
+        simulateRequestScope(() => {
+          mockCrypto.createHash(alg);
+          expect(core.assess.cryptoAnalysis.report).not.to.have.been.called;
+        });
+      });
+    });
+    [
+      'RSA-SHA1-2',
+      'MD4',
+      'md5',
+      'MD5-SHA1',
+    ].forEach((alg) => {
+      it(`reports when algorithm is unsafe: ${alg}`, function () {
+        simulateRequestScope(() => {
+          mockCrypto.createHash(alg);
+          expect(core.assess.cryptoAnalysis.report).to.have.been.calledWithMatch({
+            ruleId: Rule.CRYPTO_BAD_MAC,
+            finding: sinon.match({
+              args: [{ tracked: false, value: alg }],
+              methodName: 'createHash',
+              moduleName: 'crypto',
+              object: { tracked: false, value: 'crypto' },
+              result: { tracked: false, value: 'Hash' },
+              source: 'P0',
+              stack: sinon.match.array,
+              stacktraceOpts: {
+                constructorOpt: sinon.match.func,
+              }
+            }),
+          });
+        });
+      });
+    });
+    [
+      'etag',
+      'browserify',
+      'deps-sort'
+    ].forEach((lib) => {
+      [
+        'ALL',
+        'SOME'
+      ].forEach((stacktraceConfig) => {
+        it('will not report when library is trusted', function() {
+          core.config.setValue('assess.stacktraces', stacktraceConfig, ConfigSource.ENVIRONMENT_VARIABLE);
+          simulateRequestScope(() => {
+            sinon.stub(core.assess.eventFactory, 'createCryptoAnalysisEvent').returns({
+              stack: [{ file: `node_modules/${lib}/index.js` }]
+            });
+            mockCrypto.createHash('MD4', 'foo');
+            expect(core.assess.cryptoAnalysis.report).not.to.have.been.called;
+          });
+        });
+      });
+    });
+  });
+  [
+    'createCipher',
+    'createCipheriv'
+  ].forEach((method) => {
+    describe(`crypto.${method}()`, function() {
+      [
+        'des-ede',
+        'DES-EDE-CBC',
+        'aes128',
+        'rsa',
+        'id-aes128-wrap',
+      ].forEach((alg) => {
+        it(`doesn't report when algorithm is safe: ${alg}`, function () {
+          simulateRequestScope(() => {
+            mockCrypto[method](alg, 'foo');
+            expect(core.assess.cryptoAnalysis.report).not.to.have.been.called;
+          });
+        });
+      });
+      [
+        'RC2-64',
+        'rc2-64',
+        'SM4-OFB',
+      ].forEach((alg) => {
+        it(`reports when algorithm is unsafe: ${alg}`, function () {
+          simulateRequestScope(() => {
+            mockCrypto[method](alg, 'foo');
+            expect(core.assess.cryptoAnalysis.report).to.have.been.calledWithMatch({
+              ruleId: Rule.CRYPTO_BAD_CIPHERS,
+              finding: sinon.match({
+                args: [{ tracked: false, value: alg }],
+                methodName: method,
+                moduleName: 'crypto',
+                object: { tracked: false, value: 'crypto' },
+                result: { tracked: false, value: 'Cipher' },
+                source: 'P0',
+                stack: sinon.match.array,
+                stacktraceOpts: {
+                  constructorOpt: sinon.match.func,
+                }
+              }),
+            });
+          });
+        });
+      });
+    });
+  });
+});

package/lib/crypto-analysis/install/math.test.js ADDED Viewed

@@ -0,0 +1,65 @@
+'use strict';
+const { expect } = require('chai');
+const { Rule } = require('@contrast/common');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess cryptographic analysis Math instrumentation', function () {
+  let core, simulateRequestScope;
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    sinon.spy(core.assess.cryptoAnalysis, 'report');
+    core.assess.cryptoAnalysis.installers.math.install();
+  });
+  afterEach(function () {
+    core.assess.cryptoAnalysis.installers.math.uninstall();
+  });
+  describe('Math.random()', function () {
+    it('reports when', function () {
+      simulateRequestScope(() => {
+        Math.random();
+        expect(core.assess.cryptoAnalysis.report).to.have.been.calledWithMatch({
+          ruleId: Rule.CRYPTO_WEAK_RANDOMNESS,
+          finding: sinon.match({
+            args: [],
+            methodName: 'random',
+            moduleName: 'global.Math',
+            object: { tracked: false, value: 'global.Math' },
+            result: { tracked: false, value: sinon.match.string },
+            source: 'A',
+            stack: sinon.match.array,
+            stacktraceOpts: {
+              constructorOpt: sinon.match.func,
+            },
+          })
+        });
+      });
+    });
+    [
+      'node_modules/node-uuid/',
+      'browserify'
+    ].forEach((lib) => {
+      it('will not report when library is trusted', function () {
+        core.config.setValue('assess.stacktraces', 'ALL');
+        sinon.stub(core.assess.eventFactory, 'createCryptoAnalysisEvent').returns({
+          stack: [{ file: `${lib}/index.js` }],
+        });
+        simulateRequestScope(() => {
+          Math.random();
+          expect(core.logger.trace).to.have.been.calledWith(
+            { funcKey: 'assess-cryptographic-analysis:global.Math.random' },
+            'skipping reporting for %s - trusting %s',
+            'crypto-weak-randomness',
+            lib,
+          );
+          expect(core.assess.cryptoAnalysis.report).not.to.have.been.called;
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/index.test.js ADDED Viewed

@@ -0,0 +1,36 @@
+'use strict';
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const mocks = require('@contrast/test/mocks');
+const moduleMock = (moduleName, mock) => (deps) => {
+  deps.assess.dataflow[moduleName] = mock[moduleName];
+};
+describe('assess dataflow', function () {
+  let core, dataflowMock, dataflowModule, modulesWithInstall;
+  beforeEach(function () {
+    core = mocks.core();
+    core.scopes = mocks.scopes();
+    core.assess = mocks.assess();
+    dataflowMock = core.assess.dataflow;
+    dataflowModule = proxyquire('.', {
+      './tracker': moduleMock('tracker', dataflowMock),
+      './sources': moduleMock('sources', dataflowMock),
+      './sinks': moduleMock('sinks', dataflowMock),
+      './propagation': moduleMock('propagation', dataflowMock),
+    });
+    modulesWithInstall = ['sources', 'sinks', 'propagation'];
+  });
+  it('installs the components', function () {
+    dataflowModule(core).install();
+    modulesWithInstall.forEach((module) => {
+      expect(dataflowMock[module].install).to.have.been.calledOnce;
+    });
+  });
+});

package/lib/dataflow/propagation/index.test.js ADDED Viewed

@@ -0,0 +1,103 @@
+'use strict';
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const mocks = require('@contrast/test/mocks');
+const moduleMock = (moduleName, mock) => (deps) => {
+  deps.assess.dataflow.propagation[moduleName] = mock[moduleName];
+};
+describe('assess dataflow propagation', function () {
+  let core, propagationMock, propagationModule, modulesWithInstall, modulesWithUninstall;
+  beforeEach(function () {
+    core = mocks.core();
+    core.assess = mocks.assess();
+    core.depHooks = mocks.depHooks();
+    core.patcher = mocks.patcher();
+    core.scopes = mocks.scopes();
+    propagationMock = core.assess.dataflow.propagation;
+    propagationModule = proxyquire('.', {
+      './install/contrast-methods': moduleMock('contrastMethodsInstrumentation', propagationMock),
+      './install/buffer': moduleMock('bufferInstrumentation', propagationMock),
+      './install/ejs': moduleMock('ejsInstrumentation', propagationMock),
+      './install/pug': moduleMock('pugInstrumentation', propagationMock),
+      './install/string': moduleMock('stringInstrumentation', propagationMock),
+      './install/url': moduleMock('urlInstrumentation', propagationMock),
+      './install/validator': moduleMock('validatorInstrumentation', propagationMock),
+      './install/array-prototype-join': moduleMock('arrayJoin', propagationMock),
+      './install/decode-uri-component': moduleMock('decodeURIComponent', propagationMock),
+      './install/encode-uri': moduleMock('encodeURI', propagationMock),
+      './install/escape-html': moduleMock('escapeHtml', propagationMock),
+      './install/escape': moduleMock('escape', propagationMock),
+      './install/handlebars-utils-escape-expression': moduleMock('handlebarsEscapeExpression', propagationMock),
+      './install/mongoose': moduleMock('mongooseInstrumentation', propagationMock),
+      './install/mustache-escape': moduleMock('mustacheEscape', propagationMock),
+      './install/mysql-connection-escape': moduleMock('mysqlEscape', propagationMock),
+      './install/pug-runtime-escape': moduleMock('pugRuntimeEscape', propagationMock),
+      './install/sql-template-strings': moduleMock('sqlTemplateStrings', propagationMock),
+      './install/unescape': moduleMock('unescape', propagationMock),
+      './install/querystring': moduleMock('querystringInstrumentation', propagationMock),
+      './install/sequelize': moduleMock('sequelizeInstrumentation', propagationMock),
+      './install/JSON': moduleMock('jsonInstrumentation', propagationMock),
+      './install/reg-exp-prototype-exec': moduleMock('regExpExec', propagationMock),
+      './install/joi': moduleMock('joiInstrumentation', propagationMock),
+      './install/util-format': moduleMock('utilFormatInstrumentation', propagationMock)
+    });
+    modulesWithInstall = [
+      'contrastMethodsInstrumentation',
+      'ejsInstrumentation',
+      'pugInstrumentation',
+      'stringInstrumentation',
+      'urlInstrumentation',
+      'validatorInstrumentation',
+      'arrayJoin',
+      'encodeURI',
+      'decodeURIComponent',
+      'escapeHtml',
+      'escape',
+      'handlebarsEscapeExpression',
+      'mongooseInstrumentation',
+      'mustacheEscape',
+      'mysqlEscape',
+      'pugRuntimeEscape',
+      'sqlTemplateStrings',
+      'unescape',
+      'querystringInstrumentation',
+      'jsonInstrumentation',
+      'regExpExec',
+      'joiInstrumentation'
+    ];
+    modulesWithUninstall = [
+      'contrastMethodsInstrumentation',
+      'stringInstrumentation',
+      'arrayJoin',
+      'encodeURI',
+      'decodeURIComponent',
+      'escape',
+      'unescape',
+      'jsonInstrumentation',
+      'regExpExec'
+    ];
+  });
+  it('installs the components', function () {
+    propagationModule(core).install();
+    modulesWithInstall.forEach((module) => {
+      expect(propagationMock[module].install).to.have.been.calledOnce;
+    });
+  });
+  it('uninstalls the components', function () {
+    propagationModule(core).uninstall();
+    modulesWithUninstall.forEach((module) => {
+      if (propagationMock[module].uninstall) {
+        expect(propagationMock[module].uninstall).to.have.been.calledOnce;
+      }
+    });
+  });
+});

package/lib/dataflow/propagation/install/JSON/index.test.js ADDED Viewed

@@ -0,0 +1,50 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow propagation JSON', function () {
+  let core, instr;
+  beforeEach(function () {
+    ({ core } = initAssessFixture());
+    instr = core.assess.dataflow.propagation.jsonInstrumentation;
+  });
+  const propagatorList = [
+    'stringify',
+    'parse'
+  ];
+  it('composes different installers', function () {
+    propagatorList.forEach((name) => {
+      expect(instr[name]).to.have.property('install').and.be.a('function');
+      expect(instr[name]).to.have.property('uninstall').and.be.a('function');
+    });
+  });
+  it('dispatches installation to sub-components', function () {
+    const installs = [];
+    const uninstalls = [];
+    // stub these to prevent side effects
+    propagatorList.forEach((name) => {
+      const instr = core.assess.dataflow.propagation.jsonInstrumentation;
+      installs.push(sinon.stub(instr[name], 'install'));
+      uninstalls.push(sinon.stub(instr[name], 'uninstall'));
+    });
+    instr.install();
+    instr.uninstall();
+    expect(installs).to.have.lengthOf(2);
+    installs.forEach((installer) => {
+      expect(installer).to.have.been.called;
+    });
+    expect(uninstalls).to.have.lengthOf(2);
+    uninstalls.forEach((installer) => {
+      expect(installer).to.have.been.called;
+    });
+  });
+});

package/lib/dataflow/propagation/install/JSON/parse-fn.test.js ADDED Viewed

@@ -0,0 +1,232 @@
+'use strict';
+const { expect } = require('chai');
+const { getKeyValueIndices } = require('./parse-fn');
+describe('assess dataflow propagation JSON getValueIndexes', function () {
+  const obj = {
+    prop1: 'test',
+    prop2: 'test2',
+    test2: '',
+    arr: [{ name: { prop3: 'test3' } }, 2, 'test4'],
+    nested: { prop4: 'prop' },
+    prop5: 'test5',
+    obj: {
+      name: 'john',
+      0: ['0', -1, -10, '-10'],
+      '': { '&&': '{{', '{}': ',,' },
+    },
+  };
+  it('should parse a string', function () {
+    const result = getKeyValueIndices('"hello"');
+    expect(result).to.eql([{ key: '', value: [1, 5] }]);
+  });
+  it('should parse a string without quotation marks', function () {
+    const result = getKeyValueIndices('hello');
+    expect(result).to.eql([{ key: '', value: [0, 4] }]);
+  });
+  it('should parse true', function () {
+    const result = getKeyValueIndices('true');
+    expect(result).to.eql([{ key: '', value: [0, 3] }]);
+  });
+  it('should parse false', function () {
+    const result = getKeyValueIndices('false');
+    expect(result).to.eql([{ key: '', value: [0, 4] }]);
+  });
+  it('should parse a number', function () {
+    const result = getKeyValueIndices('1231');
+    expect(result).to.eql([{ key: '', value: [0, 3] }]);
+  });
+  it('should parse a negative number', function () {
+    const result = getKeyValueIndices('-1231');
+    expect(result).to.eql([{ key: '', value: [0, 4] }]);
+  });
+  it('should parse an array', function () {
+    const result = getKeyValueIndices(
+      '[1, 2, 3, null, true, false, {}, [], ["a"]]');
+    expect(result).to.eql([
+      { key: [null, null], value: [1, 1] },
+      { key: [null, null], value: [4, 4] },
+      { key: [null, null], value: [7, 7] },
+      { key: [null, null], value: [10, 13] },
+      { key: [null, null], value: [16, 19] },
+      { key: [null, null], value: [22, 26] },
+      { key: [null, null], value: [29, 30] },
+      { key: [null, null], value: [33, 34] },
+      { key: [null, null], value: [39, 39] },
+      { key: [null, null], value: [37, 41] },
+      { key: '', value: [0, 42] },
+    ]);
+  });
+  it('should parse an object', function () {
+    const result = getKeyValueIndices(JSON.stringify(obj));
+    expect(result).to.eql([
+      { key: [2, 6], value: [10, 13] },
+      { key: [17, 21], value: [25, 29] },
+      { key: [33, 37], value: [null, null] },
+      { key: [60, 64], value: [68, 72] },
+      { key: [52, 55], value: [58, 74] },
+      { key: [null, null], value: [50, 75] },
+      { key: [null, null], value: [77, 77] },
+      { key: [null, null], value: [80, 84] },
+      { key: [44, 46], value: [49, 86] },
+      { key: [99, 103], value: [107, 110] },
+      { key: [89, 94], value: [97, 112] },
+      { key: [115, 119], value: [123, 127] },
+      { key: [null, null], value: [143, 143] },
+      { key: [null, null], value: [146, 147] },
+      { key: [null, null], value: [149, 151] },
+      { key: [null, null], value: [154, 156] },
+      { key: [138, 138], value: [141, 158] },
+      { key: [161, 164], value: [168, 171] },
+      { key: [179, 180], value: [184, 185] },
+      { key: [189, 190], value: [194, 195] },
+      { key: [null, null], value: [177, 197] },
+      { key: [131, 133], value: [136, 198] },
+      { key: '', value: [0, 199] },
+    ]);
+  });
+  it('should parse an object with spaces', function () {
+    const result = getKeyValueIndices(JSON.stringify(obj, null, '   '));
+    expect(result).to.eql([
+      {
+        key: [6, 10],
+        value: [15, 18],
+      },
+      {
+        key: [26, 30],
+        value: [35, 39],
+      },
+      {
+        key: [47, 51],
+        value: [null, null],
+      },
+      {
+        key: [111, 115],
+        value: [120, 124],
+      },
+      {
+        key: [89, 92],
+        value: [96, 136],
+      },
+      {
+        key: [null, null],
+        value: [77, 144],
+      },
+      {
+        key: [null, null],
+        value: [153, 153],
+      },
+      {
+        key: [null, null],
+        value: [163, 167],
+      },
+      {
+        key: [63, 65],
+        value: [69, 173],
+      },
+      {
+        key: [198, 202],
+        value: [207, 210],
+      },
+      {
+        key: [180, 185],
+        value: [189, 216],
+      },
+      {
+        key: [223, 227],
+        value: [232, 236],
+      },
+      {
+        key: [null, null],
+        value: [275, 275],
+      },
+      {
+        key: [null, null],
+        value: [288, 289],
+      },
+      {
+        key: [null, null],
+        value: [301, 303],
+      },
+      {
+        key: [null, null],
+        value: [316, 318],
+      },
+      {
+        key: [259, 259],
+        value: [263, 327],
+      },
+      {
+        key: [337, 340],
+        value: [345, 348],
+      },
+      {
+        key: [374, 375],
+        value: [380, 381],
+      },
+      {
+        key: [395, 396],
+        value: [401, 402],
+      },
+      {
+        key: [null, null],
+        value: [362, 411],
+      },
+      {
+        key: [244, 246],
+        value: [250, 416],
+      },
+      {
+        key: '',
+        value: [0, 418],
+      },
+    ]);
+  });
+  it('should parse escaped values', function () {
+    const data = {
+      '"': "na\"'me",
+      '\\&': '&amp;',
+    };
+    const result = getKeyValueIndices(JSON.stringify(data));
+    // `{"\\"":"na\\"'me","\\\\&":"&amp;"}`
+    expect(result).to.eql([
+      { key: [2, 3], value: [7, 13] },
+      { key: [17, 19], value: [23, 27] },
+      { key: '', value: [0, 29] },
+    ]);
+  });
+  it('should parse decimal numbers', function () {
+    const data = {
+      a: 0.11,
+      b: 1.01,
+      c: 0.00001,
+    };
+    const result = getKeyValueIndices(JSON.stringify(data));
+    // '{"a":0.11,"b":1.01,"c":0.00001}'
+    expect(result).to.eql([
+      { key: [2, 2], value: [5, 8] },
+      { key: [11, 11], value: [14, 17] },
+      { key: [20, 20], value: [23, 29] },
+      { key: '', value: [0, 30] },
+    ]);
+  });
+});