npm - @contrast/assess - Versions diffs - 1.30.0 → 1.32.0 - Mend

@contrast/assess 1.30.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/dataflow/sinks/install/koa/unvalidated-redirect.test.js ADDED Viewed

@@ -0,0 +1,200 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    URL_ENCODED,
+  }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks koa unvalidated-redirect', function () {
+  let core, Response, simulateRequestScope, trackString, reportFindings, reportSafePositive;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    Response = {
+      ctx: {
+        // eslint-disable-next-line object-shorthand
+        get: function () {
+          return this.referrer;
+        }
+      },
+      redirect: () => { }
+    };
+    core.depHooks.resolve.yields(Response);
+    require('./unvalidated-redirect')(core).install();
+  });
+  it('skips instrumentation if there is no assess store', function () {
+    Response.redirect('hello');
+    expect(reportFindings).to.not.have.been.called;
+  });
+  it('skips instrumentation if url does not exist', function () {
+    simulateRequestScope(function () {
+      Response.redirect();
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skip instrumentation if url is not string', function () {
+    simulateRequestScope(function () {
+      Response.redirect(1, 2);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skips instrumentation if url is not tracked', function () {
+    simulateRequestScope(function () {
+      Response.redirect('url');
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('reports a "safe positive" event when safe tags overlap UNTRUSTED', function () {
+    simulateRequestScope(function () {
+      const value = 'https%3A%2F%2Fhello.com';
+      const stop = value.length - 1;
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, stop],
+          [UNTRUSTED]: [0, stop],
+        },
+      });
+      Response.redirect(extern);
+      expect(reportSafePositive).to.have.been.calledWithMatch({
+        name: 'Koa.Response.redirect',
+        ruleId: 'unvalidated-redirect',
+        safeTags: [URL_ENCODED],
+        strInfo: {
+          tags: { [URL_ENCODED]: [0, stop], [UNTRUSTED]: [0, stop] },
+          value
+        },
+      });
+    });
+  });
+  it('reports an unvalidated-redirect', function () {
+    simulateRequestScope(function () {
+      const value = 'https://hello.com';
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [0, 16],
+        },
+      });
+      Response.redirect(extern);
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId: 'unvalidated-redirect',
+        sinkEvent: {
+          args: [{ value, tracked: true }],
+          context: 'response.redirect(\'https://hello.com\')',
+          name: 'Koa.Response.redirect',
+          moduleName: 'koa',
+          methodName: 'Response.redirect',
+          object: {
+            value: 'Koa.Response',
+            tracked: false,
+          },
+          result: { value: undefined, tracked: false },
+          source: 'P0',
+          tags: {
+            [UNTRUSTED]: [0, 16],
+            [URL_ENCODED]: [0, 2],
+          },
+        },
+      });
+    });
+  });
+  it('reports an unvalidated-redirect from a Referrer header', function () {
+    simulateRequestScope(function () {
+      const value = 'https://hello.com';
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [0, 16],
+        },
+      });
+      Response.ctx.referrer = extern;
+      Response.redirect('back');
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId: 'unvalidated-redirect',
+        sinkEvent: {
+          args: [{ value: 'back', tracked: false }, { value, tracked: true }],
+          context: 'response.redirect(\'https://hello.com\')',
+          name: 'Koa.Response.redirect',
+          object: {
+            value: 'Koa.Response',
+            tracked: false,
+          },
+          result: { value: undefined, tracked: false },
+          source: 'P1',
+          tags: {
+            [URL_ENCODED]: [0, 2],
+            [UNTRUSTED]: [0, 16]
+          },
+        },
+      });
+    });
+  });
+  it('reports an unvalidated-redirect from the second argument', function () {
+    simulateRequestScope(function () {
+      const value = 'https://hello.com';
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [0, 16],
+        },
+      });
+      Response.redirect('back', extern);
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId: 'unvalidated-redirect',
+        sinkEvent: {
+          args: [{ value: 'back', tracked: false }, { value, tracked: true }],
+          context: 'response.redirect(\'https://hello.com\')',
+          name: 'Koa.Response.redirect',
+          object: {
+            value: 'Koa.Response',
+            tracked: false,
+          },
+          result: { value: undefined, tracked: false },
+          source: 'P1',
+          tags: {
+            [URL_ENCODED]: [0, 2],
+            [UNTRUSTED]: [0, 16]
+          },
+        },
+      });
+    });
+  });
+  it('does not report an unvalidated-redirect if the tainted data is not in the URI path', function () {
+    simulateRequestScope(function () {
+      const value = 'https://hello.com/query?test=value';
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [24, 33],
+        },
+      });
+      Response.redirect(extern);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+});

package/lib/dataflow/sinks/install/libxmljs.test.js ADDED Viewed

@@ -0,0 +1,158 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks libxmljs', function () {
+  let modules, core, simulateRequestScope, trackString, reportFindings;
+  beforeEach(function () {
+    modules = {
+      'libxmljs@0': {
+        parseXml: sinon.stub(),
+        parseXmlString: sinon.stub()
+      },
+      'libxmljs@1': {
+        parseXml: sinon.stub(),
+        parseXmlAsync: sinon.stub()
+      },
+      'libxmljs2': {
+        parseXml: sinon.stub(),
+        parseXmlString: sinon.stub()
+      },
+    };
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    core.depHooks.resolve
+      .withArgs({ name: 'libxmljs', version: '<1' })
+      .yields(modules['libxmljs@0']);
+    core.depHooks.resolve
+      .withArgs({ name: 'libxmljs', version: '>=1' })
+      .yields(modules['libxmljs@1']);
+    core.depHooks.resolve
+      .withArgs({ name: 'libxmljs2' })
+      .yields(modules['libxmljs2']);
+    require('./libxmljs')(core).install();
+  });
+  [
+    {
+      module: 'libxmljs@0',
+      moduleName: 'libxmljs',
+      methods: ['parseXml', 'parseXmlString']
+    },
+    {
+      module: 'libxmljs@1',
+      moduleName: 'libxmljs',
+      methods: ['parseXml', 'parseXmlAsync']
+    },
+    {
+      module: 'libxmljs2',
+      moduleName: 'libxmljs2',
+      methods: ['parseXml', 'parseXmlString']
+    }
+  ].forEach(({ module, moduleName, methods }) => {
+    describe(`${module}`, function() {
+      methods.forEach((method) => {
+        describe(`${method}`, function() {
+          it('skips instrumentation if assess store is missing', function () {
+            modules[module][method]('<foo>', { noent: true });
+            expect(reportFindings).not.to.have.been.called;
+          });
+          it('skips instrumentation if no argument is provided', function () {
+            simulateRequestScope(function () {
+              modules[module][method]();
+              expect(reportFindings).not.to.have.been.called;
+            });
+          });
+          it('skips instrumentation if instrumentation is locked', function () {
+            simulateRequestScope(function () {
+              core.scopes.instrumentation.run({ lock: true }, function () {
+                modules[module][method]('<foo>', { noent: true });
+                expect(reportFindings).not.to.have.been.called;
+              });
+            });
+          });
+          it('skips instrumentation if the argument is not a string', function () {
+            simulateRequestScope(function () {
+              modules[module][method](true, { noent: true });
+              expect(reportFindings).not.to.have.been.called;
+            });
+          });
+          it('skips instrumentation if the argument is not tracked', function () {
+            simulateRequestScope(function () {
+              modules[module][method]('<foo>', { noent: true });
+              expect(reportFindings).not.to.have.been.called;
+            });
+          });
+          it('skips instrumentation if the argument is safe', function () {
+            simulateRequestScope(function () {
+              const extern = trackString('<foo>', {
+                tags: {
+                  LIMITED_CHARS: [0, 4],
+                  UNTRUSTED: [0, 4],
+                },
+              });
+              modules[module][method](extern, { noent: true });
+              expect(reportFindings).not.to.have.been.called;
+            });
+          });
+          it('skips instrumentation if noenet is set to false', function () {
+            simulateRequestScope(function () {
+              const extern = trackString('<foo>', {
+                tags: {
+                  LIMITED_CHARS: [0, 4],
+                  UNTRUSTED: [0, 4],
+                },
+              });
+              modules[module][method](extern, { noent: false });
+              expect(reportFindings).not.to.have.been.called;
+            });
+          });
+          it('reports xxe', function () {
+            simulateRequestScope(function () {
+              const value = '<xxe>';
+              const extern = trackString(value);
+              modules[module][method](extern, { noent: true });
+              expect(reportFindings).to.have.been.calledWithMatch({
+                ruleId: 'xxe',
+                sinkEvent: {
+                  name: `${moduleName}.${method}`,
+                  moduleName,
+                  methodName: method,
+                  context: `${moduleName}.${method}(<xxe>, { noent: true })`,
+                  object: {
+                    value: moduleName,
+                    tracked: false,
+                  },
+                  args: [{ value, tracked: true }],
+                  tags: { UNTRUSTED: [0, 4] },
+                  source: 'P0',
+                },
+              });
+            });
+          });
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/marsdb.test.js ADDED Viewed

@@ -0,0 +1,166 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const {
+  DataflowTag: { UNTRUSTED, LIMITED_CHARS },
+  Rule,
+} = require('@contrast/common');
+describe('assess dataflow marsdb', function () {
+  let core,
+    simulateRequestScope,
+    createSinkEvent,
+    trackString,
+    reportFindings,
+    instr;
+  class Collection {
+    find() { }
+    findOne() { }
+    update() { }
+    remove() { }
+  }
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    createSinkEvent = sinon.stub(
+      core.assess.eventFactory,
+      'createSinkEvent'
+    );
+    core.depHooks.resolve.withArgs({ name: 'marsdb' }).yields({ Collection });
+    instr = require('./marsdb')(core);
+    instr.install();
+  });
+  [
+    { subject: Collection, method: 'find' },
+    { subject: Collection, method: 'findOne' },
+    { subject: Collection, method: 'update' },
+    { subject: Collection, method: 'remove' },
+  ].forEach(({ subject, method }) => {
+    describe(`${subject.name}.prototype.${method}()`, function () {
+      it('skips instrumentation if assess store is missing', function () {
+        const tracked = trackString('foo');
+        new subject()[method]({ tracked });
+        expect(reportFindings).not.to.have.been.called;
+        expect(createSinkEvent).not.to.have.been.called;
+      });
+      it('skips instrumentation if instrumentation is locked', function () {
+        core.scopes.instrumentation.isLocked = () => true;
+        simulateRequestScope(function () {
+          const tracked = trackString('foo');
+          new subject()[method]({ tracked });
+          expect(reportFindings).not.to.have.been.called;
+          expect(createSinkEvent).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if there is no argument', function () {
+        simulateRequestScope(function () {
+          new subject()[method]();
+          expect(reportFindings).not.to.have.been.called;
+          expect(createSinkEvent).not.to.have.been.called;
+        });
+      });
+      it('passing not tracked string', function () {
+        simulateRequestScope(function () {
+          new subject()[method]({ id: '1231' });
+          expect(reportFindings).not.to.have.been.called;
+          expect(createSinkEvent).not.to.have.been.called;
+        });
+      });
+      it(`reports vulnerability - ${subject.name}.prototype.${method}()`, function () {
+        createSinkEvent.returns(true);
+        simulateRequestScope(function () {
+          const tracked = trackString('foo');
+          new subject()[method]({ tracked });
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: Rule.NOSQL_INJECTION_MONGO,
+            sinkEvent: true,
+          });
+          expect(createSinkEvent).to.have.been.calledWithMatch({
+            args: [{ value: "{ tracked: 'foo' }", tracked: true }],
+            context: `marsdb.Collection.${method}({ tracked: 'foo' })`,
+            object: {
+              tracked: false,
+              value: 'marsdb.Collection',
+            },
+            name: `marsdb.Collection.prototype.${method}`,
+            moduleName: 'marsdb',
+            methodName: `Collection.prototype.${method}`,
+            result: {
+              tracked: true,
+              value: 'foo',
+            },
+            source: 'P0',
+            tags: {
+              UNTRUSTED: [0, 2],
+            },
+          });
+        });
+      });
+      it('should not report in case the input is safe', function () {
+        simulateRequestScope(function () {
+          const tracked = trackString('foo', {
+            tags: {
+              [LIMITED_CHARS]: [0, 2],
+              [UNTRUSTED]: [0, 2],
+            },
+          });
+          new subject()[method]({ tracked });
+          expect(reportFindings).not.to.have.been.called;
+          expect(createSinkEvent).not.to.have.been.called;
+        });
+      });
+      it(`should not report vulnerability if createSinkEvent returns null - ${subject.name}.prototype.${method}()`, function () {
+        createSinkEvent.returns(null);
+        simulateRequestScope(function () {
+          const tracked = trackString('foo');
+          new subject()[method]({ tracked });
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+    });
+  });
+});
+describe('installing marsdb', function () {
+  let core, instr;
+  it('should log trace error if the method does not exist', function () {
+    class Collection {
+      find() { }
+      findOne() { }
+      insert() { }
+    }
+    ({ core } = initAssessFixture());
+    core.depHooks.resolve.withArgs({ name: 'marsdb' }).yields({ Collection });
+    instr = require('./marsdb')(core);
+    instr.install();
+    expect(core.logger.trace).to.have.been.calledWith(
+      'method %s not found - skipping instrumentation',
+      'marsdb.Collection.prototype.update',
+    );
+  });
+});