npm - @contrast/assess - Versions diffs - 1.30.0 → 1.32.0 - Mend

@contrast/assess 1.30.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/dataflow/propagation/install/url/parse.test.js ADDED Viewed

@@ -0,0 +1,391 @@
+'use strict';
+const url = require('url');
+const sinon = require('sinon');
+const { expect } = require('chai');
+const querystring = require('querystring');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const keys = [
+  'href',
+  'protocol',
+  'auth',
+  'host',
+  'hostname',
+  'port',
+  'path',
+  'pathname',
+  'search',
+  'query',
+  'hash'
+];
+describe('assess dataflow propagation url.parse', function () {
+  let core, trackString, simulateRequestScope, tracker, matchURL;
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.install();
+    core.assess.dataflow.propagation.querystringInstrumentation.parse.install();
+    core.assess.dataflow.propagation.urlInstrumentation.parse.install();
+    core.depHooks.resolve.withArgs({ name: 'url' }).yield(url);
+    core.depHooks.resolve.withArgs({ name: 'querystring' }).yield(querystring);
+    matchURL = {
+      href: 'https://user:pass@foo.com:3000/path?query=input#hash',
+      protocol: 'https:',
+      auth: 'user:pass',
+      host: 'foo.com:3000',
+      hostname: 'foo.com',
+      port: '3000',
+      path: '/path?query=input',
+      pathname: '/path',
+      search: '?query=input',
+      query: 'query=input',
+      hash: '#hash'
+    };
+  });
+  afterEach(function () {
+    sinon.resetHistory();
+    core.assess.dataflow.propagation.stringInstrumentation.uninstall();
+  });
+  it('will not propagate if nothing in url is tracked', function () {
+    simulateRequestScope(function () {
+      const result = new url.parse('http://foo:3000/path');
+      keys.forEach((key) => {
+        expect(tracker.getData(result[key])).to.be.null;
+      });
+    });
+  });
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = new url.parse('http://'.concat(value, ':3000/path'));
+      keys.forEach((key) => {
+        expect(tracker.getData(result[key])).to.be.null;
+      });
+    }, {});
+  });
+  it('will not propagate if there instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('foo');
+        const result = new url.parse('http://'.concat(value, ':3000/path'));
+        keys.forEach((key) => {
+          expect(tracker.getData(result[key])).to.be.null;
+        });
+      });
+    });
+  });
+  describe('URL properties', function () {
+    it('propagates vulnerable protocol', function () {
+      simulateRequestScope(function () {
+        const value = trackString('https');
+        const result = new url.parse(value.concat('://user:pass@foo.com:3000/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        expect(tracker.getData(result.protocol).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        ['auth', 'host', 'hostname', 'port', 'path', 'pathname', 'search', 'query', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable username', function () {
+      simulateRequestScope(function () {
+        const value = trackString('user');
+        const result = new url.parse('https://'.concat(value, ':pass@foo.com:3000/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [8, 11]
+        });
+        expect(tracker.getData(result.auth).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+        ['protocol', 'host', 'hostname', 'port', 'path', 'pathname', 'search', 'query', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable password', function () {
+      simulateRequestScope(function () {
+        const value = trackString('pass');
+        const result = new url.parse('https://user:'.concat(value, '@foo.com:3000/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [13, 16]
+        });
+        expect(tracker.getData(result.auth).tags).to.be.deep.equal({
+          UNTRUSTED: [5, 8]
+        });
+        ['protocol', 'host', 'hostname', 'port', 'path', 'pathname', 'search', 'query', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable hostname', function () {
+      simulateRequestScope(function () {
+        const value = trackString('foo');
+        const result = new url.parse('https://user:pass@'.concat(value, '.com:3000/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [18, 20]
+        });
+        expect(tracker.getData(result.hostname).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+        expect(tracker.getData(result.host).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+        ['protocol', 'auth', 'port', 'path', 'pathname', 'search', 'query', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable port', function () {
+      simulateRequestScope(function () {
+        const value = trackString('3000');
+        const result = new url.parse('https://user:pass@foo.com:'.concat(value, '/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [26, 29]
+        });
+        expect(tracker.getData(result.host).tags).to.be.deep.equal({
+          UNTRUSTED: [8, 11]
+        });
+        expect(tracker.getData(result.port).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+        ['protocol', 'hostname', 'auth', 'path', 'pathname', 'search', 'query', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable pathname', function () {
+      simulateRequestScope(function () {
+        const value = trackString('path');
+        const result = new url.parse('https://user:pass@foo.com:3000/'.concat(value, '?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [31, 34]
+        });
+        expect(tracker.getData(result.path).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4]
+        });
+        expect(tracker.getData(result.pathname).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4]
+        });
+        ['protocol', 'host', 'hostname', 'auth', 'search', 'query', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable search', function () {
+      simulateRequestScope(function () {
+        const value = trackString('input');
+        const result = new url.parse('https://user:pass@foo.com:3000/path?query='.concat(value, '#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [42, 46]
+        });
+        expect(tracker.getData(result.path).tags).to.be.deep.equal({
+          UNTRUSTED: [12, 16]
+        });
+        expect(tracker.getData(result.query).tags).to.be.deep.equal({
+          UNTRUSTED: [6, 10]
+        });
+        expect(tracker.getData(result.search).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 11]
+        });
+        ['protocol', 'auth', 'host', 'hostname', 'port', 'pathname', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable hash', function () {
+      simulateRequestScope(function () {
+        const value = trackString('hash');
+        const result = new url.parse('https://user:pass@foo.com:3000/path?query=input#'.concat(value));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [48, 51]
+        });
+        expect(tracker.getData(result.hash).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4]
+        });
+        ['protocol', 'auth', 'host', 'hostname', 'port', 'path', 'pathname', 'search', 'query'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates multiple vulnerable properties', function () {
+      simulateRequestScope(function () {
+        const protocol = trackString('https');
+        const user = trackString('user');
+        const pass = trackString('pass');
+        const hostname = trackString('foo');
+        const port = trackString('3000');
+        const path = trackString('path');
+        const query = trackString('input');
+        const hash = trackString('hash');
+        const result = new url.parse(protocol.concat('://', user, ':', pass, '@', hostname, '.com:', port, '/', path, '?query=', query, '#', hash));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4, 8, 11, 13, 16, 18, 20, 26, 29, 31, 34, 42, 46, 48, 51]
+        });
+        expect(tracker.getData(result.protocol).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        expect(tracker.getData(result.auth).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3, 5, 8]
+        });
+        expect(tracker.getData(result.host).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2, 8, 11]
+        });
+        expect(tracker.getData(result.hostname).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+        expect(tracker.getData(result.port).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+        expect(tracker.getData(result.path).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4, 12, 16]
+        });
+        expect(tracker.getData(result.pathname).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4]
+        });
+        expect(tracker.getData(result.query).tags).to.be.deep.equal({
+          UNTRUSTED: [6, 10]
+        });
+        expect(tracker.getData(result.search).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 11]
+        });
+        expect(tracker.getData(result.hash).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4]
+        });
+      });
+    });
+    it('propagates query when parseQueryString is set to true', function () {
+      simulateRequestScope(function () {
+        const value = trackString('input');
+        const result = new url.parse('https://user:pass@foo.com:3000/path?query='.concat(value, '#hash'), true);
+        expect(result.query).to.be.deep.equal({ query: 'input' });
+        expect(tracker.getData(result.query.query).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        // Everything else propagates (or doesn't) normally
+        keys.forEach((key) => {
+          if (key !== 'query') expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [42, 46]
+        });
+        expect(tracker.getData(result.path).tags).to.be.deep.equal({
+          UNTRUSTED: [12, 16]
+        });
+        expect(tracker.getData(result.search).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 11]
+        });
+        ['protocol', 'auth', 'host', 'hostname', 'port', 'pathname', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+  });
+});