@contrast/assess 1.30.0 → 1.32.0

package/lib/dataflow/propagation/install/sequelize/query-generator.test.js

@@ -0,0 +1,73 @@
+'use strict';
+
+const { expect } = require('chai');
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation sequelize QueryGenerators', function() {
+  let core, component, trackString, simulateRequestScope, tracker;
+
+  class QueryGeneratorMock {
+    quoteIdentifier(identifier) {
+      return '`'.concat(identifier).concat('`');
+    }
+  }
+
+  before(function() {
+    ({ core, trackString, simulateRequestScope } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
+    component = require('./query-generator')(core);
+  });
+
+  after(function() {
+    core.assess.dataflow.propagation.stringInstrumentation.concat.uninstall();
+  });
+
+  [
+    {
+      Ctor: class MSSQLQueryGenerator extends QueryGeneratorMock {},
+      file: 'lib/dialects/mssql/query-generator.js',
+    },
+    {
+      Ctor: class MySqlQueryGenerator extends QueryGeneratorMock {},
+      file: 'lib/dialects/mysql/query-generator.js',
+    },
+    {
+      Ctor: class PostgresQueryGenerator extends QueryGeneratorMock {},
+      file: 'lib/dialects/postgres/query-generator.js',
+    },
+    {
+      Ctor: class SQLiteQueryGenerator extends QueryGeneratorMock {},
+      file: 'lib/dialects/sqlite/query-generator.js',
+    },
+  ].forEach(({ Ctor, file }) => {
+    it(`${Ctor.name}.prototype.quoteIdentifier adds sql-encoded tag`, function() {
+      core.depHooks.resolve.withArgs({ name: 'sequelize', file }).yields(Ctor);
+      component.install();
+
+      simulateRequestScope(() => {
+        const tracked = trackString('foo');
+        const result = new Ctor().quoteIdentifier(tracked);
+        const strInfo = tracker.getData(result);
+
+        expect(strInfo).to.deep.include({
+          args: [{ tracked: true, value: 'foo' }],
+          moduleName: 'sequelize',
+          methodName: `${Ctor.name}.prototype.quoteIdentifier`,
+          object: { tracked: false, value: Ctor.name },
+          result: { tracked: true, value: '`foo`' },
+          source: 'P',
+          tags: {
+            [UNTRUSTED]: [1, 3],
+            [SQL_ENCODED]: [0, 4],
+          },
+          target: 'R',
+        });
+        expect(strInfo.history).to.have.lengthOf(1);
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/sequelize/sql-string.test.js

@@ -0,0 +1,130 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: { SQL_ENCODED, UNTRUSTED },
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation sequelize sql-string', function () {
+  let core, trackString, simulateRequestScope, tracker, mockSequelizeSqlString;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    mockSequelizeSqlString = {
+      escape: (str) => str,
+      format(str, repl) {
+        repl.forEach((r) => {
+          str = str.replace(/\?/, r);
+        });
+
+        return str;
+      },
+      formatNamedParameters(str, repl) {
+        Object.keys(repl).forEach((key) => {
+          str = str.replace(new RegExp(`:${key}`), repl[key]);
+        });
+
+        return str;
+      }
+    };
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.install();
+    core.assess.dataflow.propagation.sequelizeInstrumentation.install();
+    core.depHooks.resolve.yield(mockSequelizeSqlString);
+  });
+
+
+  afterEach(function () {
+    core.assess.dataflow.propagation.stringInstrumentation.uninstall();
+    sinon.resetHistory();
+  });
+
+  [
+    {
+      method: 'escape',
+      args: [() => trackString('inserted-value')],
+      notTrackedArgs: ['safe-value'],
+      expectedTags: {
+        [UNTRUSTED]: [0, 13],
+        [SQL_ENCODED]: [0, 13]
+      }
+    },
+    {
+      method: 'format',
+      args: [() => 'SELECT ? FROM ?', () => ['id', trackString('users')]],
+      notTrackedArgs: ['SELECT ? FROM ?', ['id', 'users']],
+      expectedTags: {
+        [UNTRUSTED]: [15, 19],
+        [SQL_ENCODED]: [15, 19]
+      }
+    },
+    {
+      onlySanitizeCheck: true,
+      method: 'format',
+      args: [() => trackString('SELECT password FROM users'), () => ['id', trackString('users')]],
+      notTrackedArgs: ['SELECT ? FROM ?', ['id', 'users']],
+      expectedTags: {
+        [UNTRUSTED]: [0, 25],
+      }
+    },
+    {
+      method: 'formatNamedParameters',
+      args: [() => 'SELECT :columns FROM :table', () => ({ columns: 'id', table: trackString('users') })],
+      notTrackedArgs: ['SELECT :columns FROM :table', { columns: 'id', table: 'users' }],
+      expectedTags: {
+        [UNTRUSTED]: [15, 19],
+        [SQL_ENCODED]: [15, 19]
+      }
+    },
+    {
+      onlySanitizeCheck: true,
+      method: 'formatNamedParameters',
+      args: [() => trackString('SELECT password FROM users'), () => ({ columns: 'id', table: trackString('users') })],
+      notTrackedArgs: ['SELECT ? FROM ?', ['id', 'users']],
+      expectedTags: {
+        [UNTRUSTED]: [0, 25],
+      }
+    },
+  ].forEach(({ onlySanitizeCheck, method, args, notTrackedArgs, expectedTags }) => {
+    describe(method, function () {
+      it('sanitizes correctly', function () {
+        simulateRequestScope(function () {
+
+          const notTrackedResult = mockSequelizeSqlString[method](...notTrackedArgs);
+          const notTrackedStrInfo = tracker.getData(notTrackedResult);
+
+          const trackedResult = mockSequelizeSqlString[method](...args.map(a => a()));
+          const trackedStrInfo = tracker.getData(trackedResult);
+
+          expect(notTrackedStrInfo).to.be.null;
+          expect(trackedStrInfo?.tags).to.deep.equal(expectedTags);
+        });
+      });
+
+      if (!onlySanitizeCheck) {
+        it('will not sanitize if there is no assess context', function () {
+          simulateRequestScope(function () {
+            const result = mockSequelizeSqlString[method](...args.map(a => a()));
+            expect(tracker.getData(result)).to.be.null;
+          }, {});
+        });
+
+        it('will not sanitize if there instrumentation is locked', function () {
+          simulateRequestScope(function () {
+            core.scopes.instrumentation.run({ lock: true }, function () {
+              const result = mockSequelizeSqlString[method](...args.map(a => a()));
+              expect(tracker.getData(result)?.tags || {}).to.not.haveOwnProperty(SQL_ENCODED);
+            });
+          });
+        });
+      }
+    });
+  });
+});

package/lib/dataflow/propagation/install/sql-template-strings.test.js

@@ -0,0 +1,100 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+// TODO: The proper usage of the method is with a template string so
+// meaningful tests can be written after we add support for them (NODE-2826);
+describe('assess dataflow propagation sql-template-strings', function () {
+  let core, trackString, simulateRequestScope, tracker, mockSqlTemplateStrings;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    mockSqlTemplateStrings = {
+      // SQL: (str) => ['mock-template-strings', str, 'mock-template-strings'].join('')
+      SQL: (str) => {
+        const ret = {
+          strings: [],
+          values: []
+        };
+        const valueLength = 'inserted-value'.length;
+        let idx = str.indexOf('inserted-value');
+        let newStr = str;
+        while (idx >= 0) {
+          ret.strings.push(newStr.substring(0, idx));
+          ret.values.push(newStr.substring(idx, idx + valueLength));
+
+          newStr = newStr.substring(idx + valueLength);
+          idx = newStr.indexOf('inserted-value');
+        }
+
+        if (newStr) ret.strings.push(newStr);
+
+        return ret;
+      }
+    };
+
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.install();
+    core.assess.dataflow.propagation.arrayJoin.install();
+    core.assess.dataflow.propagation.sqlTemplateStrings.install();
+    core.depHooks.resolve.yield(mockSqlTemplateStrings);
+  });
+
+  afterEach(function () {
+    sinon.resetHistory();
+  });
+
+  it('propagates correctly', function () {
+    simulateRequestScope(function () {
+      const trackedValue = trackString('inserted-value', { tags: { [UNTRUSTED]: [9, 13] } });
+      const trackedContext = trackString('tracked-context', { tags: { [UNTRUSTED]: [0, 13] } });
+
+      const notTrackedResult = mockSqlTemplateStrings.SQL('foo-inserted-value-bar-baz-inserted-value');
+      const notTrackedStrInfoStrings = tracker.getData(notTrackedResult.strings.toString());
+      const notTrackedStrInfoValues = tracker.getData(notTrackedResult.values.toString());
+
+      const trackedResult = mockSqlTemplateStrings.SQL([trackedContext, 'foo', trackedValue, 'bar', trackedValue].join('-'));
+      const trackedStrInfoStrings = tracker.getData(trackedResult.strings.toString());
+      const trackedStrInfoValues = tracker.getData(trackedResult.values.toString());
+
+      expect(notTrackedStrInfoStrings).to.be.null;
+      expect(notTrackedStrInfoValues).to.be.null;
+      expect(trackedStrInfoStrings?.tags).to.deep.equal({
+        [UNTRUSTED]: [0, 13],
+        [SQL_ENCODED]: [0, 19],
+      }); // the string is 'tracked-context-foo-,-bar-'
+      expect(trackedStrInfoValues?.tags).to.deep.equal({
+        [UNTRUSTED]: [9, 13, 24, 28],
+        [SQL_ENCODED]: [0, 13, 15, 28]
+      }); // the string is 'inserted-value,inserted-value'
+    });
+  });
+
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = mockSqlTemplateStrings.SQL(['foo', value].join());
+      expect(tracker.getData(result.strings.toString())).to.be.null;
+    }, {});
+  });
+
+  it('will not propagate if there instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('foo');
+        const result = mockSqlTemplateStrings.SQL(['foo', value].join());
+        expect(tracker.getData(result.strings.toString())).to.be.null;
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/string/concat.test.js

@@ -0,0 +1,132 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation string concat', function () {
+  let core, trackString, simulateRequestScope, tracker;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
+  });
+
+  afterEach(function () {
+    core.assess.dataflow.propagation.stringInstrumentation.concat.uninstall();
+    sinon.resetHistory();
+  });
+
+  [
+    {
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      args: [() => 'bar', () => 'baz'],
+      expected: {
+        untrusted: [0, 2]
+      }
+    },
+    {
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      args: [
+        () => trackString('bar', { tags: { untrusted: [0, 2] } }),
+        () => trackString('baz', { tags: { untrusted: [0, 2] } }),
+      ],
+      expected: {
+        untrusted: [0, 8]
+      }
+    },
+    {
+      str: 'boo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      args: [
+        () => trackString('bar', { tags: { untrusted: [0, 2] } }),
+        () => null,
+        () => undefined,
+        () => trackString('baz', { tags: { untrusted: [0, 2] } }),
+      ],
+      expected: {
+        untrusted: [0, 5, 19, 21]
+      }
+    },
+    {
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      args: [
+        () => trackString('bar', { other: 'metadata', tags: undefined }),
+        () => trackString('baz', { tags: { untrusted: [0, 2] } }),
+      ],
+      expected: {
+        untrusted: [0, 2, 6, 8]
+      }
+    },
+    {
+      str: 'not-tracked',
+      args: [
+        () => trackString('bar', { tags: { untrusted: [0, 2] } }),
+        () => trackString('baz', { tags: { untrusted: [0, 2] } }),
+      ],
+      expected: {
+        untrusted: [11, 16]
+      }
+    },
+  ].forEach(({ str, tags, args, expected = null }) => {
+    it('concat', function () {
+      simulateRequestScope(function () {
+        let result;
+        const value = str !== 'not-tracked' ? trackString(str, { tags }) : str;
+
+        if (str !== 'boo') {
+          result = value.concat(...args.map((a) => a()));
+        } else {
+          result = value.concat.bind('', value, ...args.map((a) => a()))();
+        }
+
+        const strInfo = tracker.getData(result);
+        expect(strInfo?.tags).to.deep.equal(expected);
+      });
+    });
+  });
+
+  it('will nto "retrack" if result is unchanged', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = value.concat('');
+
+      expect(tracker.getData(value)).to.equal(tracker.getData(result));
+    });
+  });
+
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = value.concat('bar');
+      expect(tracker.getData(result)).to.be.null;
+    }, {});
+  });
+
+  it('will not propagate if there instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('foo');
+        const result = value.concat('bar');
+        expect(tracker.getData(result)).to.be.null;
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/string/format-methods.test.js

@@ -0,0 +1,61 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation string format-methods', function () {
+  let core, trackString, simulateRequestScope, tracker;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.formatMethods.install();
+  });
+
+  afterEach(function () {
+    core.assess.dataflow.propagation.stringInstrumentation.formatMethods.uninstall();
+    sinon.resetHistory();
+  });
+
+  ['toLowerCase', 'toUpperCase', 'toLocaleLowerCase', 'toLocaleUpperCase'].forEach((method) => {
+    it(method, function () {
+      simulateRequestScope(function () {
+        const notTrackedValue = 'foo';
+        const trackedValue = trackString('foo', { tags: { untrusted: [0, 2] } });
+
+        const notTrackedResult = notTrackedValue[method]();
+        const notTrackedStrInfo = tracker.getData(notTrackedResult);
+
+        const trackedResult = trackedValue[method]();
+        const trackedStrInfo = tracker.getData(trackedResult);
+
+        expect(notTrackedStrInfo).to.be.null;
+        expect(trackedStrInfo?.tags).to.deep.equal({ untrusted: [0, 2] });
+      });
+    });
+  });
+
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = value.toLowerCase('bar');
+      expect(tracker.getData(result)).to.be.null;
+    }, {});
+  });
+
+  it('will not propagate if there instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('foo');
+        const result = value.toLowerCase('bar');
+        expect(tracker.getData(result)).to.be.null;
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/string/html-methods.test.js

@@ -0,0 +1,164 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation string html-methods', function () {
+  let core, trackString, simulateRequestScope, tracker;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.htmlMethods.install();
+  });
+
+  afterEach(function () {
+    core.assess.dataflow.propagation.stringInstrumentation.htmlMethods.uninstall();
+    sinon.resetHistory();
+  });
+
+  [
+    {
+      method: 'anchor',
+      str: 'foo',
+      args: [() => undefined, () => 'id', () => trackString('tracked-id', { tags: { untrusted: [0, 9] } })],
+      tags: {
+        untrusted: [0, 2]
+      },
+      expected: [{ untrusted: [20, 22] }, { untrusted: [13, 15] }, { untrusted: [9, 18, 21, 23] }],
+    },
+    {
+      method: 'anchor',
+      str: 'not-tracked',
+      args: [() => 'id', () => trackString('tracked-id', { tags: { untrusted: [0, 9] } })],
+      expected: [undefined, { untrusted: [9, 18] }]
+    },
+    {
+      method: 'big',
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      expected: { untrusted: [5, 7] }
+    },
+    {
+      method: 'big',
+      str: 'not-tracked',
+    },
+    {
+      method: 'blink',
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      expected: { untrusted: [7, 9] }
+    },
+    {
+      method: 'blink',
+      str: 'not-tracked',
+    },
+    {
+      method: 'italics',
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      expected: { untrusted: [3, 5] }
+    },
+    {
+      method: 'italics',
+      str: 'not-tracked',
+    },
+    {
+      method: 'small',
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      expected: { untrusted: [7, 9] }
+    },
+    {
+      method: 'small',
+      str: 'not-tracked',
+    },
+    {
+      method: 'strike',
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      expected: { untrusted: [8, 10] }
+    },
+    {
+      method: 'strike',
+      str: 'not-tracked',
+    },
+    {
+      method: 'sub',
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      expected: { untrusted: [5, 7] }
+    },
+    {
+      method: 'sub',
+      str: 'not-tracked',
+    },
+    {
+      method: 'fixed',
+      str: 'foo',
+      tags: {
+        untrusted: [0, 2]
+      },
+      expected: { untrusted: [4, 6] }
+    },
+    {
+      method: 'fixed',
+      str: 'not-tracked',
+    },
+  ].forEach(({ str, tags, args, method, expected }) => {
+    it(method, function () {
+      simulateRequestScope(function () {
+        const value = str !== 'not-tracked' ? trackString(str, { tags }) : str;
+
+        if (args?.length) {
+          for (let i = 0; i < args.length; i++) {
+            const result = value[method](args[i]());
+            const strInfo = tracker.getData(result);
+            expect(strInfo?.tags).to.deep.equal(expected[i]);
+          }
+        } else {
+          const result = value[method]();
+          const strInfo = tracker.getData(result);
+          expect(strInfo?.tags).to.deep.equal(expected);
+        }
+
+      });
+    });
+  });
+
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = value.anchor('bar');
+      expect(tracker.getData(result)).to.be.null;
+    }, {});
+  });
+
+  it('will not propagate if there instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('foo');
+        const result = value.anchor('bar');
+        expect(tracker.getData(result)).to.be.null;
+      });
+    });
+  });
+});