npm - @contrast/assess - Versions diffs - 1.30.0 → 1.32.0 - Mend

@contrast/assess 1.30.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/dataflow/propagation/install/path/parse.test.js ADDED Viewed

@@ -0,0 +1,238 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { DataflowTag: { UNTRUSTED } } = require('@contrast/common');
+describe('assess dataflow propagation path parse', function () {
+  let core, tracker, createPropagationEvent, trackString, simulateRequestScope;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    createPropagationEvent = sinon.spy(
+      core.assess.eventFactory,
+      'createPropagationEvent'
+    );
+    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
+  });
+  ['posix', 'win32'].forEach((os) => {
+    describe(os, function () {
+      let path;
+      beforeEach(function () {
+        path = require('path')[os];
+        core.depHooks.resolve.yields(path);
+        const parseInstr = require('./parse')(core);
+        parseInstr.install();
+      });
+      it('should ignore empty string', function () {
+        simulateRequestScope(function () {
+          const result = path.parse('');
+          Object.keys(result).forEach((key) => {
+            const valInfo = tracker.getData(result[key]);
+            expect(valInfo).to.be.null;
+          });
+        });
+      });
+      it('will not propagate if there is no assess context', function () {
+        simulateRequestScope(function () {
+          const str = trackString('/path/to/file.txt');
+          const result = path.parse(str);
+          Object.keys(result).forEach((key) => {
+            const valInfo = tracker.getData(result[key]);
+            expect(valInfo).to.be.null;
+          });
+        }, {});
+      });
+      it('will not propagate if instrumentation is locked', function () {
+        simulateRequestScope(function () {
+          core.scopes.instrumentation.run({ lock: true }, function () {
+            const str = trackString('/path/to/file.txt');
+            const result = path.parse(str);
+            Object.keys(result).forEach((key) => {
+              const valInfo = tracker.getData(result[key]);
+              expect(valInfo).to.be.null;
+            });
+          });
+        });
+      });
+      it('will not propagate if the argument is not tracked', function () {
+        simulateRequestScope(function () {
+          const str = '/path/to/file.txt';
+          const result = path.parse(str);
+          Object.keys(result).forEach((key) => {
+            const valInfo = tracker.getData(result[key]);
+            expect(valInfo).to.be.null;
+          });
+          expect(createPropagationEvent).to.not.have.been.called;
+        });
+      });
+      it('will not propagate if there no event created', function () {
+        simulateRequestScope(function () {
+          core.config.assess.max_propagation_events = 0;
+          const str = trackString('/path/to/file.txt');
+          const result = path.parse(str);
+          Object.keys(result).forEach((key) => {
+            const valInfo = tracker.getData(result[key]);
+            expect(valInfo).to.be.null;
+          });
+        });
+      });
+      it('should propagate tracked dir', function() {
+        simulateRequestScope(function () {
+          const str = trackString('/path/to/file.txt', {
+            tags: {
+              UNTRUSTED: [1, 7]
+            }
+          });
+          const { dir, base, name, ext } = path.parse(str);
+          expect(dir).to.be.equal('/path/to');
+          expect(tracker.getData(dir).tags).to.deep.equal({
+            [UNTRUSTED]: [1, 7]
+          });
+          expect(tracker.getData(base)).to.be.null;
+          expect(tracker.getData(name)).to.be.null;
+          expect(tracker.getData(ext)).to.be.null;
+        });
+      });
+      it('should propagate tracked base', function() {
+        simulateRequestScope(function () {
+          const str = trackString('/path/to/file.txt', {
+            tags: {
+              UNTRUSTED: [9, 16]
+            }
+          });
+          const { dir, base, name, ext } = path.parse(str);
+          expect(base).to.be.equal('file.txt');
+          expect(tracker.getData(base).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 3, 5, 7]
+          });
+          expect(name).to.be.equal('file');
+          expect(tracker.getData(name).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 3]
+          });
+          expect(ext).to.be.equal('.txt');
+          expect(tracker.getData(ext).tags).to.deep.equal({
+            [UNTRUSTED]: [1, 3]
+          });
+          expect(tracker.getData(dir)).to.be.null;
+        });
+      });
+      it('should propagate tracked name', function() {
+        simulateRequestScope(function () {
+          const str = trackString('/path/to/file.txt', {
+            tags: {
+              UNTRUSTED: [9, 12]
+            }
+          });
+          const { dir, base, name, ext } = path.parse(str);
+          expect(name).to.be.equal('file');
+          expect(tracker.getData(name).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 3]
+          });
+          expect(base).to.be.equal('file.txt');
+          expect(tracker.getData(base).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 3]
+          });
+          expect(tracker.getData(dir)).to.be.null;
+          expect(tracker.getData(ext)).to.be.null;
+        });
+      });
+      it('should propagate tracked ext', function() {
+        simulateRequestScope(function () {
+          const str = trackString('/path/to/file.txt', {
+            tags: {
+              UNTRUSTED: [14, 16]
+            }
+          });
+          const { dir, base, name, ext } = path.parse(str);
+          expect(ext).to.be.equal('.txt');
+          expect(tracker.getData(ext).tags).to.deep.equal({
+            [UNTRUSTED]: [1, 3]
+          });
+          expect(base).to.be.equal('file.txt');
+          expect(tracker.getData(base).tags).to.deep.equal({
+            [UNTRUSTED]: [5, 7]
+          });
+          expect(tracker.getData(dir)).to.be.null;
+          expect(tracker.getData(name)).to.be.null;
+        });
+      });
+      it('should propagate multiple tracked properties', function() {
+        simulateRequestScope(function () {
+          const str = trackString('/path/to/file.txt');
+          const { dir, base, name, ext } = path.parse(str);
+          expect(dir).to.be.equal('/path/to');
+          expect(tracker.getData(dir).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 7]
+          });
+          expect(base).to.be.equal('file.txt');
+          expect(tracker.getData(base).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 3, 5, 7]
+          });
+          expect(name).to.be.equal('file');
+          expect(tracker.getData(name).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 3]
+          });
+          expect(ext).to.be.equal('.txt');
+          expect(tracker.getData(ext).tags).to.deep.equal({
+            [UNTRUSTED]: [1, 3]
+          });
+        });
+      });
+      it('should propagate multiple tag ranges', function() {
+        simulateRequestScope(function () {
+          const str = trackString('/path/to/file.txt', {
+            tags: {
+              UNTRUSTED: [0, 7],
+              'FOO': [9, 12],
+              'BAR': [14, 16]
+            }
+          });
+          const { dir, base, name, ext } = path.parse(str);
+          expect(dir).to.be.equal('/path/to');
+          expect(tracker.getData(dir).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 7]
+          });
+          expect(base).to.be.equal('file.txt');
+          expect(tracker.getData(base).tags).to.deep.equal({
+            ['FOO']: [0, 3],
+            ['BAR']: [5, 7]
+          });
+          expect(name).to.be.equal('file');
+          expect(tracker.getData(name).tags).to.deep.equal({
+            ['FOO']: [0, 3],
+          });
+          expect(ext).to.be.equal('.txt');
+          expect(tracker.getData(ext).tags).to.deep.equal({
+            ['BAR']: [1, 3]
+          });
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/path/relative.test.js ADDED Viewed

@@ -0,0 +1,239 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { DataflowTag: { UNTRUSTED } } = require('@contrast/common');
+describe('assess dataflow propagation path relative', function () {
+  let core, tracker, createPropagationEvent, trackString, simulateRequestScope;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    createPropagationEvent = sinon.spy(
+      core.assess.eventFactory,
+      'createPropagationEvent'
+    );
+    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
+  });
+  ['posix', 'win32'].forEach((os) => {
+    describe(os, function () {
+      let path;
+      beforeEach(function () {
+        path = require('path')[os];
+        core.depHooks.resolve.yields(path);
+        const relativeInstr = require('./relative')(core);
+        relativeInstr.install();
+      });
+      it('should ignore empty string', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('');
+          const file = path.relative('/to', myPath);
+          const strInfo = tracker.getData(file);
+          expect(strInfo).to.be.null;
+        });
+      });
+      it('will not propagate if there is no assess context', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/path');
+          const result = path.relative('/to', myPath);
+          expect(tracker.getData(result)).to.be.null;
+        }, {});
+      });
+      it('will not propagate if there instrumentation is locked', function () {
+        simulateRequestScope(function () {
+          core.scopes.instrumentation.run({ lock: true }, function () {
+            const myPath = trackString('/path');
+            const result = path.relative('/to', myPath);
+            expect(tracker.getData(result)).to.be.null;
+          });
+        });
+      });
+      it('will not propagate if the argument is not tracked', function () {
+        simulateRequestScope(function () {
+          const myPath = '/path';
+          path.relative('/to', myPath);
+          expect(createPropagationEvent).to.not.have.been.called;
+        });
+      });
+      it('will not propagate if there no event created', function () {
+        simulateRequestScope(function () {
+          core.config.assess.max_propagation_events = 0;
+          const myPath = trackString('/path');
+          const result = path.relative('/to', myPath);
+          expect(tracker.getData(result)).to.be.null;
+        });
+      });
+      it('should not propagate if only the first argument is tracked', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/to/dir/..');
+          const result = path.relative(myPath, '/dir/path');
+          expect(tracker.getData(result)).to.be.null;
+        });
+      });
+      it('should not propagate if second argument is tracked but not in result', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/path');
+          const result = path.relative('/path', myPath);
+          expect(result).to.be.equal('');
+          expect(tracker.getData(result)).to.be.null;
+        });
+      });
+      it('should propagate if second argument is tracked', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/my/path');
+          const result = path.relative('/my', myPath);
+          const strInfo = tracker.getData(result);
+          expect(result).to.be.equal('path');
+          expect(strInfo.tags).to.deep.equal({
+            [UNTRUSTED]: [0, 3],
+          });
+        });
+      });
+      it('should not include file extension dots in tag ranges', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/my/path/to/file.png');
+          const result = path.relative('/my', myPath);
+          const strInfo = tracker.getData(result);
+          if (os === 'win32') {
+            expect(result).to.be.equal('path\\to\\file.png');
+            expect(strInfo.tags).to.deep.equal({
+              [UNTRUSTED]: [0, 3, 5, 6, 8, 11, 13, 15],
+            });
+          } else {
+            expect(result).to.be.equal('path/to/file.png');
+            expect(strInfo.tags).to.deep.equal({
+              [UNTRUSTED]: [0, 11, 13, 15],
+            });
+          }
+        });
+      });
+      it('should propagate if first argument is absolute and second is relative ', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/my/path/to/../file');
+          const result = path.relative('/my/path/to/', myPath);
+          const strInfo = tracker.getData(result);
+          if (os === 'win32') {
+            expect(result).to.be.equal('..\\file');
+            expect(strInfo.tags).to.deep.equal({
+              [UNTRUSTED]: [0, 1, 3, 6],
+            });
+          } else {
+            expect(result).to.be.equal('../file');
+            expect(strInfo.tags).to.deep.equal({
+              [UNTRUSTED]: [0, 6],
+            });
+          }
+        });
+      });
+      it('should propagate if first argument is relative and second is absolute ', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/my/path');
+          const result = path.relative('/path/..', myPath);
+          const strInfo = tracker.getData(result);
+          if (os === 'win32') {
+            expect(result).to.be.equal('my\\path');
+            expect(strInfo.tags).to.deep.equal({
+              [UNTRUSTED]: [0, 1, 3, 6],
+            });
+          } else {
+            expect(result).to.be.equal('my/path');
+            expect(strInfo.tags).to.deep.equal({
+              [UNTRUSTED]: [0, 6],
+            });
+          }
+        });
+      });
+      it('should propagate if first and second arguments are relative ', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/../path');
+          const result = path.relative('/path/..', myPath);
+          const strInfo = tracker.getData(result);
+          expect(result).to.be.equal('path');
+          expect(strInfo.tags).to.deep.equal({
+            [UNTRUSTED]: [0, 3],
+          });
+        });
+      });
+      it('should propagate if second argument is partially tracked', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/path/to');
+          const result = path.relative('/my', '/my'.concat(myPath));
+          const strInfo = tracker.getData(result);
+          if (os === 'win32') {
+            expect(result).to.be.equal('path\\to');
+            expect(strInfo.tags).to.deep.equal({
+              [UNTRUSTED]: [0, 3, 5, 6],
+            });
+          } else {
+            expect(result).to.be.equal('path/to');
+            expect(strInfo.tags).to.deep.equal({
+              [UNTRUSTED]: [0, 6],
+            });
+          }
+        });
+      });
+      it('should propagate multiple tag ranges', function () {
+        simulateRequestScope(function () {
+          const myPath = trackString('/my/path', {
+            tags: {
+              UNTRUSTED: [0, 7],
+              'FOO': [1, 2],
+              'BAR': [1, 7]
+            }
+          });
+          const result = path.relative('/my', myPath);
+          const strInfo = tracker.getData(result);
+          expect(result).to.be.equal('path');
+          expect(strInfo.tags).to.deep.equal({
+            [UNTRUSTED]: [0, 3],
+            ['BAR']: [0, 3]
+          });
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/path/toNamespacedPath.test.js ADDED Viewed

@@ -0,0 +1,158 @@
+'use strict';
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { DataflowTag: { UNTRUSTED } } = require('@contrast/common');
+describe('assess dataflow propagation path toNamespacedPath', function () {
+  let core, tracker, trackString, simulateRequestScope;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
+  });
+  describe('win32', function () {
+    let path;
+    beforeEach(function () {
+      path = require('path')['win32'];
+      core.depHooks.resolve.yields(path);
+      const toNamespacedPathInstr = require('./toNamespacedPath')(core);
+      toNamespacedPathInstr.install();
+    });
+    it('should ignore empty string', function () {
+      simulateRequestScope(function () {
+        const myPath = trackString('');
+        const result = path.toNamespacedPath(myPath);
+        const strInfo = tracker.getData(result);
+        expect(strInfo).to.be.null;
+      });
+    });
+    it('will not propagate if there is no assess context', function () {
+      simulateRequestScope(function () {
+        const myPath = trackString('C:\\path\\to\\file.txt');
+        const result = path.toNamespacedPath(myPath);
+        expect(tracker.getData(result)).to.be.null;
+      }, {});
+    });
+    it('will not propagate if there instrumentation is locked', function () {
+      simulateRequestScope(function () {
+        core.scopes.instrumentation.run({ lock: true }, function () {
+          const myPath = trackString('C:\\path\\to\\file.txt');
+          const result = path.toNamespacedPath(myPath);
+          expect(tracker.getData(result)).to.be.null;
+        });
+      });
+    });
+    it('will not propagate if the argument is not tracked', function () {
+      simulateRequestScope(function () {
+        const myPath = 'C:\\path\\to\\file.txt';
+        const result = path.toNamespacedPath(myPath);
+        expect(tracker.getData(result)).to.be.null;
+      });
+    });
+    it('will not propagate if there no event created', function () {
+      simulateRequestScope(function () {
+        core.config.assess.max_propagation_events = 0;
+        const myPath = trackString('C:\\path\\to\\file.txt');
+        const result = path.toNamespacedPath(myPath);
+        expect(tracker.getData(result)).to.be.null;
+      });
+    });
+    it('should propagate if entire path is tracked', function () {
+      simulateRequestScope(function () {
+        const myPath = trackString('C:\\path\\to\\file.txt');
+        const result = path.toNamespacedPath(myPath);
+        const strInfo = tracker.getData(result);
+        expect(result).to.be.equal('\\\\?\\C:\\path\\to\\file.txt');
+        expect(strInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [4, 18, 20, 22]
+        });
+      });
+    });
+    it('should propagate if partial path is tracked ', function () {
+      simulateRequestScope(function () {
+        const myPath = trackString('file.txt');
+        const result = path.toNamespacedPath('C:\\path\\to\\'.concat(myPath));
+        const strInfo = tracker.getData(result);
+        expect(result).to.be.equal('\\\\?\\C:\\path\\to\\file.txt');
+        expect(strInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [15, 18, 20, 22],
+        });
+      });
+    });
+    it('should propagate multiple tag ranges ', function () {
+      simulateRequestScope(function () {
+        const myPath = trackString('C:\\path\\to\\file.txt', {
+          tags: {
+            UNTRUSTED: [0, 18],
+            'FOO': [3, 14],
+            'BAR': [16, 18]
+          }
+        });
+        const result = path.toNamespacedPath(myPath);
+        const strInfo = tracker.getData(result);
+        expect(result).to.be.equal('\\\\?\\C:\\path\\to\\file.txt');
+        expect(strInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [4, 18, 20, 22],
+          ['FOO']: [7, 18],
+          ['BAR']: [20, 22],
+        });
+      });
+    });
+  });
+  describe('posix', function() {
+    let path;
+    beforeEach(function () {
+      path = require('path')['posix'];
+      core.depHooks.resolve.yields(path);
+      const toNamespacedPathInstr = require('./toNamespacedPath')(core);
+      toNamespacedPathInstr.install();
+    });
+    // https://nodejs.org/api/path.html#pathtonamespacedpathpath
+    // On POSIX systems, the method is non-operational and always returns path without modifications.
+    it('should propagate if tracked', function () {
+      simulateRequestScope(function () {
+        const myPath = trackString('/path/to/file.txt');
+        const result = path.toNamespacedPath(myPath);
+        const strInfo = tracker.getData(result);
+        expect(result).to.be.equal('/path/to/file.txt');
+        expect(strInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 16]
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/pug/index.test.js ADDED Viewed

@@ -0,0 +1,55 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow propagation pug', function () {
+  let core, simulateRequestScope, plugins, pugMock, patchedPug;
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    core.rewriter.install('assess');
+    pugMock = {
+      compile(str, options) {
+        // this is mocked enough to be simulated in unit tests, but
+        // we also have integration tests to be sure
+        let result = str;
+        plugins.forEach((p) => {
+          result = p.postCodeGen(result, null);
+        });
+        return result;
+      }
+    };
+    sinon.spy(core.rewriter, 'rewriteSync');
+    sinon.spy(core.patcher, 'patch');
+    require('.')(core).install();
+    patchedPug = core.depHooks.resolve.yield(pugMock)[0];
+    core.patcher.patch.resetHistory();
+    plugins = [];
+  });
+  [
+    {
+      input: '1 + 1',
+      expected: 'ContrastMethods.add(1, 1);\n',
+    },
+    {
+      input: 'const foot = 12;',
+      expected: 'const foot = 12;\n',
+    }
+  ].forEach(({ input, expected }) => {
+    it('plugin should return rewritten value on success', function () {
+      let result;
+      simulateRequestScope(() => {
+        result = patchedPug.compile(input, { plugins });
+      });
+      expect(result).to.equal(expected);
+    });
+  });
+});