@contrast/assess 1.30.0 → 1.32.0

package/lib/dataflow/propagation/install/string/replace.test.js

@@ -0,0 +1,588 @@
+'use strict';
+
+const { expect } = require('chai');
+const { inspect } = require('util');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation string replace', function () {
+  let core, simulateRequestScope, trackString, tracker;
+
+  beforeEach(function () {
+    ({
+      core,
+      trackString,
+      simulateRequestScope
+    } = initAssessFixture());
+
+    tracker = core.assess.dataflow.tracker;
+
+    core.assess.dataflow.propagation.stringInstrumentation.substring.install();
+    core.assess.dataflow.propagation.stringInstrumentation.replace.install();
+  });
+
+  afterEach(function () {
+    core.assess.dataflow.propagation.stringInstrumentation.replace.uninstall();
+  });
+
+  ['string', 'function'].forEach((replacerType) => {
+    function getReplacement(replacerType, replacement) {
+      return replacerType === 'function' ? () => replacement : replacement;
+    }
+    describe(`string-arg custom ${replacerType} replacer`, function () {
+      it('untracked string replace with untracked string', function () {
+        simulateRequestScope(() => {
+          const val = '?bcd';
+          const ret = val.replace('?', getReplacement(replacerType, 'a'));
+          expect(ret).to.equal('abcd');
+          expect(tracker.getData(ret)).to.be.null;
+        });
+      });
+
+      [
+        [],
+        [undefined],
+        [null]
+      ].forEach((rest) => {
+        it(`full replacement with nullish value: ${inspect(rest[0])}`, function () {
+          simulateRequestScope(() => {
+            const val = 'abcd';
+            const extern = trackString(val);
+            const ret = extern.replace(val, getReplacement(replacerType, rest[0]));
+            expect(ret).to.equal(String(rest[0]));
+            expect(tracker.getData(ret)).to.be.null;
+          });
+        });
+      });
+
+      it('empty match string', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('bcde', {
+            tags: {
+              UNTRUSTED: [0, 3]
+            }
+          });
+          const ret = extern.replace('', getReplacement(replacerType, 'a'));
+          expect(ret).to.equal('abcde');
+          expect(tracker.getData(ret).tags).to.deep.equal({
+            UNTRUSTED: [1, 4]
+          });
+        });
+      });
+
+      it('empty replacer string', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('abcd', {
+            tags: {
+              UNTRUSTED: [0, 3]
+            }
+          });
+          const ret = extern.replace('', getReplacement(replacerType, ''));
+          expect(ret).to.equal('abcd');
+          expect(tracker.getData(ret).tags).to.deep.equal({
+            UNTRUSTED: [0, 3]
+          });
+        });
+      });
+
+      it('untracked string replaced with tracked', function () {
+        simulateRequestScope(() => {
+          const val = '?bcd';
+          const replacement = trackString('a', {
+            tags: {
+              UNTRUSTED: [0, 0]
+            }
+          });
+          const ret = val.replace('?', getReplacement(replacerType, replacement));
+          expect(ret).to.equal('abcd');
+          expect(tracker.getData(ret).tags).to.deep.equal({
+            UNTRUSTED: [0, 0]
+          });
+        });
+      });
+
+      it('does not track return with all tracked values removed', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('_TT_', {
+            tags: {
+              UNTRUSTED: [1, 2]
+            }
+          });
+          const ret = extern.replace('TT', getReplacement(replacerType, '__'));
+          expect(ret).to.equal('____');
+          expect(tracker.getData(ret)).to.be.null;
+        });
+      });
+
+      it('tracks result highspan', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('_TT_', {
+            tags: {
+              UNTRUSTED: [1, 2],
+              history: [{ mock: 'sourceEvent' }]
+            }
+          });
+          const ret = extern.replace('_T', getReplacement(replacerType, '__'));
+          expect(ret).to.equal('__T_');
+          expect(tracker.getData(ret).tags).to.deep.equal({
+            UNTRUSTED: [2, 2]
+          });
+        });
+      });
+
+      it('tracks result lospan', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('_TT_', {
+            tags: {
+              UNTRUSTED: [1, 2],
+              history: [{ mock: 'sourceEvent' }]
+            }
+          });
+          const ret = extern.replace('T_', getReplacement(replacerType, '__'));
+          expect(ret).to.equal('_T__');
+          expect(tracker.getData(ret).tags).to.deep.equal({
+            UNTRUSTED: [1, 1]
+          });
+        });
+      });
+
+      it('tracks result highspan tracked replacement', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('_TT_', {
+            tags: {
+              UNTRUSTED: [1, 2]
+            }
+          });
+          const replacement = trackString('TT', {
+            tags: {
+              UNTRUSTED: [0, 1]
+            }
+          });
+          const ret = extern.replace('T_', getReplacement(replacerType, replacement));
+          expect(ret).to.equal('_TTT');
+          expect(tracker.getData(ret).tags).to.deep.equal({
+            UNTRUSTED: [1, 3]
+          });
+        });
+      });
+
+      it('keeps track of multiple tag ranges', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('a?cd', {
+            tags: {
+              UNTRUSTED: [0, 3],
+              foo: [1, 2]
+            }
+          });
+          const replacement = trackString('b', {
+            tags: {
+              foo: [0, 0],
+              bar: [0, 0]
+            }
+          });
+          const ret = extern.replace('?', getReplacement(replacerType, replacement));
+          expect(ret).to.equal('abcd');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 0, 2, 3],
+            foo: [1, 2],
+            bar: [1, 1]
+          });
+        });
+      });
+    });
+
+    describe(`regEx custom ${replacerType} replacer`, function () {
+      it('keeps track of tagged strings not replaced', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('abcd');
+          const ret = extern.replace(/e/g, getReplacement(replacerType, 'e'));
+          expect(ret).to.equal('abcd');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 3]
+          });
+        });
+      });
+
+      it('keeps track of tagged strings replaced by untracked strings', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('a?a?');
+          const ret = extern.replace(/\?/g, getReplacement(replacerType, 'b'));
+          expect(ret).to.equal('abab');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 0, 2, 2]
+          });
+        });
+      });
+
+      it('keeps track of tagged strings replaced by larger untracked strings', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('a?a?');
+          const ret = extern.replace(/\?/g, getReplacement(replacerType, 'bbb'));
+          expect(ret).to.equal('abbbabbb');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 0, 4, 4]
+          });
+        });
+      });
+
+      it('keeps track of tagged strings replaced by smaller untracked strings', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('a???a???');
+          const ret = extern.replace(/\?\?\?/g, getReplacement(replacerType, 'b'));
+          expect(ret).to.equal('abab');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 0, 2, 2]
+          });
+        });
+      });
+
+      it('keeps track of tagged strings replaced by tracked strings', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('a?a?', {
+            tags: {
+              UNTRUSTED: [0, 3]
+            }
+          });
+          const replacement = trackString('b', {
+            tags: {
+              UNTRUSTED: [0, 0]
+            }
+          });
+          const ret = extern.replace(/\?/g, getReplacement(replacerType, replacement));
+          expect(ret).to.equal('abab');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 3]
+          });
+        });
+      });
+
+      it('keeps track of tagged strings replaced by larger tracked strings', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('a?a?', {
+            tags: {
+              UNTRUSTED: [0, 3]
+            }
+          });
+          const replacement = trackString('bbb', {
+            tags: {
+              UNTRUSTED: [0, 2]
+            }
+          });
+          const ret = extern.replace(/\?/g, getReplacement(replacerType, replacement));
+          expect(ret).to.equal('abbbabbb');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 7]
+          });
+        });
+      });
+
+      it('keeps track of tagged strings replaced by smaller tracked strings', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('a???a???', {
+            tags: {
+              UNTRUSTED: [0, 7]
+            }
+          });
+          const replacement = trackString('b', {
+            tags: {
+              UNTRUSTED: [0, 0]
+            }
+          });
+          const ret = extern.replace(/\?\?\?/g, getReplacement(replacerType, replacement));
+          expect(ret).to.equal('abab');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 3]
+          });
+        });
+      });
+
+      it('keeps track of multiple tag ranges', function () {
+        simulateRequestScope(() => {
+          const extern = trackString('a??a??a', {
+            tags: {
+              UNTRUSTED: [0, 6],
+              foo: [0, 2],
+              bar: [4, 6]
+            }
+          });
+          const replacement = trackString('b', {
+            tags: {
+              foo: [0, 0],
+              bar: [0, 0]
+            }
+          });
+          const ret = extern.replace(/\?/g, replacement);
+          expect(ret).to.equal('abbabba');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 0, 3, 3, 6, 6],
+            foo: [0, 2, 4, 5],
+            bar: [1, 2, 4, 6]
+          });
+        });
+      });
+    });
+  });
+
+  describe('complex/edge cases', function () {
+    it('replacer function returns a non-string', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('123?', {
+          tags: {
+            UNTRUSTED: [0, 3]
+          }
+        });
+        const ret = extern.replace('?', (match, offset) => offset + 1);
+        expect(ret).to.equal('1234');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+      });
+    });
+
+    it('replacer operates on capture groups', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('AaaBbbCcc', {
+          tags: {
+            UNTRUSTED: [0, 8],
+            groupOne: [0, 2],
+            groupTwo: [3, 5],
+            groupThree: [6, 8]
+          }
+        });
+        const ret = extern.replace(/(A)|(B)|(C)/g, (match => match.toLowerCase()));
+        expect(ret).to.equal('aaabbbccc');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 2, 4, 5, 7, 8],
+          groupOne: [1, 2],
+          groupTwo: [4, 5],
+          groupThree: [7, 8]
+        });
+      });
+    });
+
+    it('handles edge case where we have a function that sets the replacement to be a special value',
+      function () {
+        simulateRequestScope(() => {
+          let counter = 0;
+          const extern = trackString('SELECT ? FROM ?', {
+            tags: {
+              UNTRUSTED: [0, 14],
+              groupOne: [9, 12],
+            }
+          });
+          const ret = extern.replace(/(\?)/g, () => `$${counter++}`);
+          expect(ret).to.equal('SELECT $0 FROM $1');
+          expect(tracker.getData(ret).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 6, 9, 14],
+            groupOne: [10, 13],
+          });
+        });
+      });
+
+    it('replacer operates on named capture groups', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('AaaBbbCcc', {
+          tags: {
+            UNTRUSTED: [0, 8],
+            groupOne: [0, 2],
+            groupTwo: [3, 5],
+            groupThree: [6, 8]
+          }
+        });
+        const ret = extern.replace(/(?<g1>A)|(?<g2>B)|(?<g3>C)/g, (match => match.toLowerCase()));
+        expect(ret).to.equal('aaabbbccc');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 2, 4, 5, 7, 8],
+          groupOne: [1, 2],
+          groupTwo: [4, 5],
+          groupThree: [7, 8]
+        });
+      });
+    });
+
+    it('keeps track of multiple overlapping tag ranges over multiple calls', function () {
+      simulateRequestScope(() => {
+        let ret;
+        const extern = trackString('a??cd?g?', {
+          tags: {
+            UNTRUSTED: [0, 7],
+            foo: [0, 2],
+            bar: [1, 3],
+            fizz: [4, 7],
+            buzz: [1, 6]
+          }
+        });
+        const replB = trackString('b', {
+          tags: {
+            foo: [0, 0],
+            bar: [0, 0]
+          }
+        });
+        const replEf = trackString('ef', {
+          tags: {
+            fizz: [0, 0],
+            buzz: [1, 1]
+          }
+        });
+        const replH = trackString('h', {
+          tags: {
+            foobar: [0, 0]
+          }
+        });
+        ret = extern.replace('??', replB);
+        ret = ret.replace('?', () => replEf);
+        ret = ret.replace(/\?/g, replH);
+        expect(ret).to.be.equal('abcdefgh');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 0, 2, 3, 6, 6],
+          foo: [0, 1],
+          bar: [1, 2],
+          fizz: [3, 4, 6, 6],
+          buzz: [2, 3, 5, 6],
+          foobar: [7, 7]
+        });
+      });
+    });
+
+    it('keeps track of replacement history', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('aa??');
+        const replacementOne = trackString('bb');
+        const replacementTwo = trackString('cc');
+        const replacements = ['', '', replacementOne, replacementTwo];
+        const ret = extern.replace(/\?/g, (match, offset) => replacements[offset]);
+        expect(ret).to.equal('aabbcc');
+        expect(tracker.getData(ret).history.length).to.equal(3);
+        expect(tracker.getData(ret).history).to.be.like([
+          { value: 'aa??', tags: { UNTRUSTED: [0, 3] } },
+          { value: 'bb', tags: { UNTRUSTED: [0, 1] } },
+          { value: 'cc', tags: { UNTRUSTED: [0, 1] } }
+        ]);
+      });
+    });
+  });
+
+  describe('special characters', function () {
+    it('replaces and handles $$', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo');
+        const ret = extern.replace('?', '$$ $$');
+        expect(ret).to.equal('foo$ $foo');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2, 6, 8]
+        });
+      });
+    });
+
+    it('replaces and handles untracked $&', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo bar');
+        const ret = extern.replace('bar', '[$&]-[$&]');
+        expect(ret).to.equal('foo [bar]-[bar]');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+      });
+    });
+
+    it('replaces and handles tracked $&', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo bar');
+        const replacement = trackString('bar');
+        const ret = extern.replace(replacement, '[$&]-[$&]');
+        expect(ret).to.equal('foo [bar]-[bar]');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3, 5, 7, 11, 13]
+        });
+      });
+    });
+
+    it('replaces and handles $`', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foobar');
+        const ret = extern.replace('bar', '$`$`');
+        expect(ret).to.equal('foofoofoo');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 8]
+        });
+      });
+    });
+
+    it('replaces and handles $\'', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foobar');
+        const ret = extern.replace('foo', '$\'$\'');
+        expect(ret).to.equal('barbarbar');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 8]
+        });
+      });
+    });
+
+    it('replaces and handles $N', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('aabbcc');
+        const ret = extern.replace(/(aa)(bb)/g, '$2$1');
+        expect(ret).to.equal('bbaacc');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [4, 5]
+        });
+      });
+    });
+
+    it('replaces and handles $name', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('aabbcc');
+        const ret = extern.replace(/(?<g1>aa)(?<g2>bb)/g, '$g2$g1');
+        expect(ret).to.equal('bbaacc');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [4, 5]
+        });
+      });
+    });
+
+    it('replaces and handles strings containing multiple special characters', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('aabbcc');
+        const ret = extern.replace('bb', '($&)-($\')-($`)');
+        expect(ret).to.equal('aa(bb)-(cc)-(aa)cc');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 1, 8, 9, 13, 14, 16, 17]
+        });
+      });
+    });
+
+    it('replaces and handles strings containing multiple special characters that replace multiple strings', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('aa?bb?cc?');
+        const ret = extern.replace(/(\?)/g, '$$$1');
+        expect(ret).to.equal('aa$?bb$?cc$?');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 1, 4, 5, 8, 9]
+        });
+      });
+    });
+
+    it('replaces and handles multiple special characters and tracked strings', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foobar');
+        const replacement = trackString('bar');
+        const ret = extern.replace(replacement, '$$$&$$$&');
+        expect(ret).to.equal('foo$bar$bar');
+        expect(tracker.getData(ret).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2, 4, 6, 8, 10]
+        });
+      });
+    });
+
+    // example is from shell-quote
+    it('replaces and handles special characters of form $\\d when capture group exists or doesn\'t', function() {
+      const s = 'http://example.com?a=1&a=2';
+      const expected = s.replace(/([A-Za-z]:)?([#!"$&'()*,:;<=>?@[\\\]^`{|}])/g, '$1\\$2');
+      simulateRequestScope(() => {
+        const result = s.replace(/([A-Za-z]:)?([#!"$&'()*,:;<=>?@[\\\]^`{|}])/g, '$1\\$2');
+        // http\://example.com\?a\=1\&a\=2
+        expect(result).to.equal(expected);
+      });
+    });
+  });
+});