@contrast/assess 1.30.0 → 1.32.0

package/lib/dataflow/propagation/install/querystring/stringify.test.js

@@ -0,0 +1,301 @@
+'use strict';
+
+const { expect } = require('chai');
+const {
+  DataflowTag: { URL_ENCODED, UNTRUSTED }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation querystring stringify', function () {
+  let core, simulateRequestScope, tracker, trackString, querystring;
+
+  before(function () {
+    ({ core, trackString, simulateRequestScope } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+
+    querystring = require('querystring');
+    core.depHooks.resolve.withArgs({ name: 'querystring' }).yields(querystring);
+
+    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
+    core.assess.dataflow.propagation.querystringInstrumentation.escape.install();
+    core.assess.dataflow.propagation.querystringInstrumentation.stringify.install();
+  });
+
+  after(function () {
+    core.assess.dataflow.propagation.stringInstrumentation.concat.uninstall();
+    core.assess.dataflow.propagation.querystringInstrumentation.escape.uninstall();
+    core.assess.dataflow.propagation.querystringInstrumentation.stringify.uninstall();
+  });
+
+  [
+    'stringify',
+    'encode',
+  ].forEach((methodName) => {
+    const baseEvent = {
+      moduleName: 'querystring',
+      methodName: 'stringify',
+      object: { tracked: false, value: 'querystring' },
+      source: 'P',
+      target: 'R',
+    };
+
+    describe(`querystring.${methodName}`, function () {
+
+      it('no action is taken when result is not a string', function () {
+        simulateRequestScope(() => {
+          [null, undefined, 'foo', {}, []].forEach((value) => {
+            const result = querystring.stringify(value);
+            expect(tracker.getData(result)).to.be.null;
+          });
+        });
+      });
+
+      it('result should not be tracked if no object values are tracked', function () {
+        simulateRequestScope(() => {
+          const obj = {
+            x: 'abcd',
+            y: 'bcde',
+            z: '',
+            w: 'cdef'
+          };
+          const result = querystring.stringify(obj);
+          expect(tracker.getData(result)).to.be.null;
+        });
+      });
+
+      it('should propagate tags correctly for flat object with tracked values (values unchanged)', function () {
+        simulateRequestScope(() => {
+          const obj = {
+            x: trackString('abcd'),
+            y: trackString('bcde'),
+            z: '',
+            w: 'cdef',
+            aa: ['a', trackString('b')],
+            bb: { c: 'd' },
+          };
+          const result = querystring.stringify(obj);
+          const strInfo = tracker.getData(result);
+
+          expect(strInfo).to.deep.include({
+            ...baseEvent,
+            context: 'querystring.stringify({\n  x: \'abcd\',\n  y: \'bcde\',\n  z: \'\',\n  w: \'cdef\',\n  aa: [ \'a\', \'b\' ],\n  bb: { c: \'d\' }\n})',
+            result: { tracked: true, value: 'x=abcd&y=bcde&z=&w=cdef&aa=a&aa=b&bb=' },
+            tags: {
+              [UNTRUSTED]: [2, 5, 9, 12, 32, 32],
+              [URL_ENCODED]: [2, 5, 9, 12, 32, 32],
+            },
+            value: 'x=abcd&y=bcde&z=&w=cdef&aa=a&aa=b&bb=',
+          });
+          expect(strInfo.history).to.have.lengthOf(3);
+        });
+      });
+
+      it('should propagate tags correctly for flat object with tracked values (values percent encoded)', function () {
+        simulateRequestScope(() => {
+          const obj = {
+            x: trackString('✓😐🙉'),
+            y: trackString('/?#'),
+            z: '',
+            w: 'cdef'
+          };
+          const result = querystring.stringify(obj);
+          const strInfo = tracker.getData(result);
+
+          expect(strInfo).to.deep.include({
+            ...baseEvent,
+            context: 'querystring.stringify({ x: \'✓😐🙉\', y: \'/?#\', z: \'\', w: \'cdef\' })',
+            result: {
+              tracked: true,
+              value: 'x=%E2%9C%93%F0%9F%98%90%F0%9F%99%89&y=%2F%3F%23&z=&w=cdef'
+            },
+            tags: {
+              [UNTRUSTED]: [2, 34, 38, 46],
+              [URL_ENCODED]: [2, 34, 38, 46],
+            },
+            //        ✓        😐          🙉             /  ?  #
+            value: 'x=%E2%9C%93%F0%9F%98%90%F0%9F%99%89&y=%2F%3F%23&z=&w=cdef'
+          });
+          expect(strInfo.history).to.have.lengthOf(2);
+        });
+      });
+
+      it('will propagate tags correctly through custom encoding function (custom validators disabled)', function () {
+        simulateRequestScope(() => {
+          const obj = {
+            foo: ['a', trackString('b'), trackString('c')],
+            bar: 'baz'
+          };
+          const options = {
+            encodeURIComponent(value) {
+              return value.concat('_');
+            }
+          };
+          const result = querystring.stringify(obj, false, false, options);
+          const strInfo = tracker.getData(result);
+
+          expect(strInfo).to.deep.include({
+            ...baseEvent,
+            context: 'querystring.stringify({ foo: [ \'a\', \'b\', \'c\' ], bar: \'baz\' }, false, false, { encodeURIComponent: [Function: encodeURIComponent] })',
+            result: { tracked: true, value: 'foo_=a_&foo_=b_&foo_=c_&bar_=baz_' },
+            tags: {
+              [UNTRUSTED]: [13, 14, 21, 22],
+            },
+            value: 'foo_=a_&foo_=b_&foo_=c_&bar_=baz_',
+          });
+          expect(strInfo.tags).not.to.have.property(URL_ENCODED);
+          expect(strInfo.history).to.have.lengthOf(2);
+        });
+      });
+
+      // NODE-2835
+      it.skip('will propagate tags correctly through custom encoding function (custom validators enabled)', function () {
+        core.config.assess.trust_custom_validators = true;
+        simulateRequestScope(() => {
+          const obj = {
+            foo: ['a', trackString('b'), trackString('c')],
+            bar: 'baz'
+          };
+          const options = {
+            encodeURIComponent(value) {
+              return value.concat('_');
+            }
+          };
+          const result = querystring.stringify(obj, false, false, options);
+          const strInfo = tracker.getData(result);
+
+          expect(strInfo).to.deep.include({
+            ...baseEvent,
+            context: 'querystring.stringify({ foo: [ \'a\', \'b\', \'c\' ], bar: \'baz\' }, false, false, { encodeURIComponent: [Function: encodeURIComponent] })',
+            result: { tracked: true, value: 'foo_=a_&foo_=b_&foo_=c_&bar_=baz_' },
+            tags: {
+              [UNTRUSTED]: [13, 14, 21, 22],
+              [URL_ENCODED]: [13, 14, 21, 22],
+            },
+            value: 'foo_=a_&foo_=b_&foo_=c_&bar_=baz_',
+          });
+          expect(strInfo.history).to.have.lengthOf(2);
+        });
+      });
+
+      it('options with encodeURIComponent (add\'l tagged string in escape)', function () {
+        simulateRequestScope(() => {
+          const obj = {
+            foo: trackString('a'),
+            bar: ['b', 'c']
+          };
+          const options = {
+            encodeURIComponent(value) {
+              return value.concat(trackString('_'));
+            }
+          };
+          const result = querystring.stringify(obj, false, false, options);
+          const strInfo = tracker.getData(result);
+
+          expect(strInfo).to.deep.include({
+            ...baseEvent,
+            context: 'querystring.stringify({ foo: \'a\', bar: [ \'b\', \'c\' ] }, false, false, { encodeURIComponent: [Function: encodeURIComponent] })',
+            result: { tracked: true, value: 'foo_=a_&bar_=b_&bar_=c_' },
+            tags: {
+              [UNTRUSTED]: [3, 3, 5, 6, 11, 11, 13, 14, 19, 19, 21, 22],
+            },
+            value: 'foo_=a_&bar_=b_&bar_=c_',
+          });
+          expect(strInfo.history).to.have.lengthOf(5);
+        });
+      });
+
+      it('should handle multi-char separators and eq', function () {
+        simulateRequestScope(() => {
+          const obj = {
+            x: trackString('abcd'),
+            y: trackString('bcde'),
+            z: '',
+            w: 'cdef'
+          };
+          const result = querystring.stringify(obj, '&&&', '====');
+          const strInfo = tracker.getData(result);
+
+          expect(strInfo).to.deep.include({
+            ...baseEvent,
+            context: 'querystring.stringify({ x: \'abcd\', y: \'bcde\', z: \'\', w: \'cdef\' }, \'&&&\', \'====\')',
+            result: { tracked: true, value: 'x====abcd&&&y====bcde&&&z====&&&w====cdef' },
+            tags: {
+              [UNTRUSTED]: [5, 8, 17, 20],
+              [URL_ENCODED]: [5, 8, 17, 20],
+            },
+            value: 'x====abcd&&&y====bcde&&&z====&&&w====cdef',
+          });
+          expect(strInfo.history).to.have.lengthOf(2);
+        });
+      });
+
+      it('should propagate if `separator` or `equals` char is also contained in key or value', function () {
+        simulateRequestScope(() => {
+          const obj = {
+            x: trackString('abcd'),
+            y: trackString('bcde'),
+            z: '',
+            w: 'cdef'
+          };
+          const result = querystring.stringify(obj, 'a', 'b');
+          const strInfo = tracker.getData(result);
+
+          expect(strInfo).to.deep.include({
+            ...baseEvent,
+            context: 'querystring.stringify({ x: \'abcd\', y: \'bcde\', z: \'\', w: \'cdef\' }, \'a\', \'b\')',
+            result: { tracked: true, value: 'xbabcdaybbcdeazbawbcdef' },
+            tags: {
+              [UNTRUSTED]: [2, 5, 9, 12],
+              [URL_ENCODED]: [2, 5, 9, 12],
+            },
+            value: 'xbabcdaybbcdeazbawbcdef',
+          });
+          expect(strInfo.history).to.have.lengthOf(2);
+        });
+      });
+
+      it('should handle multiple tag ranges being shifted', function () {
+        simulateRequestScope(() => {
+          const obj = {
+            x: trackString('one😐two🙉three', {
+              tags: {
+                tag1: [0, 2],
+                tag2: [5, 7],
+                tag3: [10, 14],
+              }
+            }),
+            y: trackString('one#two?three', {
+              tags: {
+                tag1: [0, 2],
+                tag2: [4, 6],
+                tag3: [8, 12],
+              }
+            }),
+          };
+          const result = querystring.stringify(obj);
+          const strInfo = tracker.getData(result);
+
+          expect(strInfo).to.deep.include({
+            ...baseEvent,
+            result: { tracked: true, value: 'x=one%F0%9F%98%90two%F0%9F%99%89three&y=one%23two%3Fthree' },
+            tags: {
+              tag1: [2, 36, 40, 56],
+              tag2: [2, 36, 40, 56],
+              tag3: [2, 36, 40, 56],
+              [URL_ENCODED]: [2, 36, 40, 56],
+            },
+            value: 'x=one%F0%9F%98%90two%F0%9F%99%89three&y=one%23two%3Fthree',
+          });
+          expect(strInfo.history).to.have.lengthOf(2);
+        });
+      });
+
+      it.skip('should propagate tags from basic keys', function () {
+        // this is also skipped in v4 b/c tracking object keys causes issues
+        // const obj = {
+        //   [trackString('x')] = 'abcd',
+        // };
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/reg-exp-prototype-exec.test.js

@@ -0,0 +1,281 @@
+'use strict';
+
+const { expect } = require('chai');
+const { inspect } = require('util');
+const { DataflowTag: { UNTRUSTED, CUSTOM_ENCODED, LIMITED_CHARS } } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation RegExp exec', function () {
+  let core, simulateRequestScope, trackString, tracker, instr;
+
+  beforeEach(function () {
+    ({
+      core,
+      trackString,
+      simulateRequestScope
+    } = initAssessFixture());
+
+    tracker = core.assess.dataflow.tracker;
+    instr = require('./reg-exp-prototype-exec')(core);
+    instr.install();
+  });
+
+  afterEach(function () {
+    instr.uninstall();
+  });
+
+  describe('base cases', function () {
+    [
+      [],
+      [undefined],
+      ['']
+    ].forEach((val) => {
+      it(`returns null when called with ${inspect(val[0])}`, function () {
+        simulateRequestScope(() => {
+          const re = /test/;
+          const ret = re.exec(val[0]);
+
+          expect(ret).to.be.null;
+        });
+      });
+    });
+
+    it('returns null when no match is found', function () {
+      simulateRequestScope(() => {
+        const re = /test/;
+        const ret = re.exec('foo');
+
+        expect(ret).to.be.null;
+      });
+    });
+
+    it('returns only the first match string', function () {
+      simulateRequestScope(() => {
+        const re = /o/;
+        const ret = re.exec('foo');
+
+        expect(ret).to.deep.equal(['o']);
+        expect(tracker.getData(ret[0])).to.be.null;
+      });
+    });
+
+    it('returns first match string using capture groups', function () {
+      simulateRequestScope(() => {
+        const re = /(f)|(o)/;
+        const ret = re.exec('foo');
+        expect(ret).to.deep.equal(['f', 'f', undefined]);
+        expect(ret.groups).to.be.undefined;
+        ret.forEach((val) => {
+          expect(tracker.getData(val)).to.be.null;
+        });
+      });
+    });
+
+    it('returns first match string using named capture groups', function () {
+      simulateRequestScope(() => {
+        const re = /(?<foo>f)|(?<bar>o)/;
+        const ret = re.exec('foo');
+        expect(ret).to.deep.equal(['f', 'f', undefined]);
+        expect(ret.groups.foo).to.equal('f');
+        ret.forEach((val) => {
+          expect(tracker.getData(val)).to.be.null;
+        });
+      });
+    });
+  });
+
+  describe('propagation', function () {
+    it('propagates a fully tracked string', function () {
+      simulateRequestScope(() => {
+        const re = /f/;
+        const extern = trackString('foo');
+
+        const ret = re.exec(extern);
+        const matchInfo = tracker.getData(ret[0]);
+
+        expect(ret).to.deep.equal(['f']);
+        expect(matchInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 0]
+        });
+        expect(matchInfo.name).to.equal('RegExp.prototype.exec');
+      });
+    });
+
+    it.skip('propagates strings when iteratively called', function() {
+      simulateRequestScope(() => {
+        const re = /^\/?$/i;
+        //                          0123456789*1234567
+        const extern = trackString('');
+
+        let ret;
+        while ((ret = re.exec(''))) {
+          const matchInfo = tracker.getData(ret[0]);
+          // console.log(re.lastIndex, ret.index, ret.indices);
+          re.lastIndex += 1;
+          //console.log(matchInfo);
+          // check match info...
+        }
+      });
+    });
+
+    it('propagates a partialy tracked string', function () {
+      simulateRequestScope(() => {
+        const re = /bar/;
+        const extern = trackString('foobar', {
+          tags: {
+            [UNTRUSTED]: [0, 4]
+          }
+        });
+
+        const ret = re.exec(extern);
+        const matchInfo = tracker.getData(ret[0]);
+
+        expect(ret).to.deep.equal(['bar']);
+        expect(matchInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 1]
+        });
+        expect(matchInfo.name).to.equal('RegExp.prototype.exec');
+      });
+    });
+
+    it('does not propagate if we exeeded the maximum propagation count for a match', function () {
+      simulateRequestScope(() => {
+        const re = /foo/;
+        const extern = trackString('foobar');
+
+        const ret = re.exec(extern);
+        const matchInfo = tracker.getData(ret[0]);
+
+        expect(ret).to.deep.equal(['foo']);
+        expect(matchInfo).to.be.null;
+      }, { assess: { propagationEventsCount: 500 } });
+    });
+
+    it('does not propagate if we exeeded the maximum propagation count for a group', function () {
+      simulateRequestScope(() => {
+        const re = /foo(?<bar>bar)/;
+        const extern = trackString('foobar');
+
+        const ret = re.exec(extern);
+        const foobarInfo = tracker.getData(ret[0]);
+        const barInfo = tracker.getData(ret[1]);
+        const barGroupInfo = tracker.getData(ret.groups.b);
+
+        expect(ret).to.deep.equal([
+          'foobar',
+          'bar'
+        ]);
+        expect(ret.groups.bar).to.equal('bar');
+        expect(foobarInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 5]
+        });
+        expect(barInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 2]
+        });
+        expect(barGroupInfo).to.be.null;
+      }, { assess: { propagationEventsCount: 498 } });
+    });
+
+
+    it('handles RegExp that matches an empty string', function () {
+      simulateRequestScope(() => {
+        const re = /foo(?<empty>)bar/;
+        const extern = trackString('foobar');
+
+        const ret = re.exec(extern);
+        const matchInfo = tracker.getData(ret[0]);
+        const emptyMatchInfo = tracker.getData(ret[1]);
+        const emptyGroupInfo = tracker.getData(ret.groups.empty);
+
+        expect(ret).to.deep.equal([
+          'foobar',
+          '',
+        ]);
+        expect(matchInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 5]
+        });
+        expect(matchInfo.name).to.equal('RegExp.prototype.exec');
+        expect(emptyMatchInfo).to.be.null;
+        expect(ret.groups.empty).to.equal('');
+        expect(emptyGroupInfo).to.be.null;
+      });
+    });
+
+    it('handles RegExp that matches the full string', function () {
+      simulateRequestScope(() => {
+        const re = /(?<full>foobar)/;
+        const extern = trackString('foobar');
+
+        const ret = re.exec(extern);
+        const matchInfo = tracker.getData(ret[0]);
+        const captrueMatchInfo = tracker.getData(ret[1]);
+        const fullGroupInfo = tracker.getData(ret.groups.full);
+
+        expect(ret).to.deep.equal([
+          'foobar',
+          'foobar',
+        ]);
+        expect(matchInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 5]
+        });
+        expect(matchInfo.name).to.equal('RegExp.prototype.exec');
+        expect(captrueMatchInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 5]
+        });
+        expect(captrueMatchInfo.name).to.equal('RegExp.prototype.exec');
+        expect(ret.groups.full).to.equal('foobar');
+        expect(fullGroupInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 5]
+        });
+        expect(fullGroupInfo.name).to.equal('RegExp.prototype.exec');
+      });
+    });
+
+    it('handles complex cases', function () {
+      simulateRequestScope(() => {
+        const re = /quick\s(?<color>brown|black).+?(jumps).+(Black)/gi;
+        //                          01234567890123456789012345678901234567890123456789012345678
+        const extern = trackString('The Quick Brown Fox Jumps Over The Lazy Black And Brown Dog', {
+          //                                  1         2         3         4         5
+          tags: {
+            [UNTRUSTED]: [0, 6, 13, 15, 40, 44],
+            [CUSTOM_ENCODED]: [16, 19],
+            [LIMITED_CHARS]: [20, 29, 40, 58]
+          }
+        });
+
+        const ret = re.exec(extern);
+        const fullMatchInfo = tracker.getData(ret[0]);
+        const brownInfo = tracker.getData(ret[1]);
+        const jumpsInfo = tracker.getData(ret[2]);
+        const blackInfo = tracker.getData(ret[3]);
+        const colorGroupInfo = tracker.getData(ret.groups.color);
+
+
+        expect(ret).to.deep.equal([
+          'Quick Brown Fox Jumps Over The Lazy Black',
+          'Brown',
+          'Jumps',
+          'Black'
+        ]);
+        expect(ret.groups.color).to.equal('Brown');
+        expect(fullMatchInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 2, 9, 11, 36, 40],
+          [CUSTOM_ENCODED]: [12, 15],
+          [LIMITED_CHARS]: [16, 25, 36, 40]
+        });
+        expect(brownInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [3, 4],
+        });
+        expect(jumpsInfo.tags).to.deep.equal({
+          [LIMITED_CHARS]: [0, 4]
+        });
+        expect(blackInfo.tags).to.deep.equal({
+          [UNTRUSTED]: [0, 4],
+          [LIMITED_CHARS]: [0, 4]
+        });
+        expect(colorGroupInfo.tags).to.deep.equal(brownInfo.tags);
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/send.test.js

@@ -0,0 +1,63 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('../../../../../test/fixtures');
+const {
+  DataflowTag: { UNTRUSTED }
+} = require('@contrast/common');
+
+describe('assess send', function() {
+  let core, simulateRequestScope, mockSend, sendInstanceMock, trackString, tracker;
+
+  beforeEach(function() {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    tracker = core.assess.dataflow.tracker;
+
+    sendInstanceMock = {
+      sendFile: sinon.stub()
+    };
+
+    require('./send')(core).install();
+
+    const result = core.depHooks.resolve.yield(() => sendInstanceMock);
+    mockSend = result[0];
+  });
+
+  afterEach(function() {
+    sinon.resetHistory();
+  });
+
+  it('should skip instrumentation if it is out of scope', function() {
+    const path = trackString('foo');
+    sendInstanceMock.sendFile = (path) => {
+      expect(tracker.getData(path)).to.be.null;
+    };
+
+    const { sendFile } = mockSend();
+    sendFile(path);
+  });
+
+  it('should create an untagged copy of the string', function() {
+    simulateRequestScope(() => {
+      const path = trackString('foo');
+
+      sendInstanceMock.sendFile = (path) => {
+        expect(tracker.getData(path)).to.be.null;
+      };
+
+      const { sendFile } = mockSend();
+      sendFile(path);
+
+      const stringInfo = tracker.getData(path);
+      expect(stringInfo.tags).to.be.eql({
+        [UNTRUSTED]: [0, 2]
+      });
+    });
+  });
+});