npm - @contrast/assess - Versions diffs - 1.30.0 → 1.32.0 - Mend

@contrast/assess 1.30.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/dataflow/sinks/install/restify.test.js ADDED Viewed

@@ -0,0 +1,142 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow restify sinks', function () {
+  let core,
+    simulateRequestScope,
+    trackString,
+    reportFindings,
+    getRes,
+    patchMock;
+  function next() {}
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    // this represents mock of what restify does here: https://github.com/restify/node-restify/blob/master/lib/response.js
+    function patch(Orig) {
+      Orig.prototype.redirect = function() {
+        return 'canary';
+      };
+    }
+    function Response() {}
+    getRes = () => {
+      // this mimics running of restify's patch, and our it will trigger out instrumentation
+      patchMock(Response);
+      return new Response();
+    };
+    core.depHooks.resolve
+      .withArgs({ name: 'restify', file: 'lib/response.js' })
+      .callsFake((desc, cb) => {
+        patchMock = cb(patch);
+      });
+    require('./restify')(core).install();
+  });
+  describe('res.redirect(String, Function)', function() {
+    it('reports when string is tracked', function() {
+      simulateRequestScope(() => {
+        const res = getRes();
+        res.redirect(trackString('/fargs'), next);
+        expect(reportFindings).to.have.been.calledWithMatch({
+          ruleId: 'unvalidated-redirect',
+          sinkEvent: sinon.match({
+            args: [
+              { tracked: true, value: '\'/fargs\'' },
+              { tracked: false, value: 'Function' }
+            ],
+            context: 'res.redirect(\'/fargs\',Function)',
+            tags: { UNTRUSTED: [1, 6] },
+            source: 'P0',
+          }),
+        });
+      });
+    });
+    it('does not report if string arg is untracked or safely tagged', function() {
+      simulateRequestScope(() => {
+        const res = getRes();
+        const str = trackString('/fargs', { tags: { UNTRUSTED: [0, 5], URL_ENCODED: [0, 5] } });
+        res.redirect(str, next);
+        res.redirect('/fargs', next);
+        expect(reportFindings.getCalls()).to.have.lengthOf(0);
+      });
+    });
+  });
+  describe('res.redirect(Number, String, Function)', function() {
+    it('reports when string is tracked', function() {
+      simulateRequestScope(() => {
+        const res = getRes();
+        res.redirect(301, trackString('/fargs'), next);
+        expect(reportFindings).to.have.been.calledWithMatch({
+          ruleId: 'unvalidated-redirect',
+          sinkEvent: sinon.match({
+            args: [
+              { tracked: false, value: 'Number' },
+              { tracked: true, value: '\'/fargs\'' },
+              { tracked: false, value: 'Function' }
+            ],
+            context: 'res.redirect(Number,\'/fargs\',Function)',
+            tags: { UNTRUSTED: [1, 6] },
+            source: 'P1',
+          }),
+        });
+      });
+    });
+    it('does not report if string arg is untracked or safely tagged', function() {
+      simulateRequestScope(() => {
+        const res = getRes();
+        const str = trackString('/fargs', { tags: { UNTRUSTED: [0, 5], URL_ENCODED: [0, 5] } });
+        res.redirect(301, str, next);
+        res.redirect('/fargs', next);
+        expect(reportFindings.getCalls()).to.have.lengthOf(0);
+      });
+    });
+  });
+  describe('res.redirect(Object, Function)', function() {
+    it('reports when string options are tracked', function() {
+      simulateRequestScope(() => {
+        const res = getRes();
+        res.redirect({ pathname: trackString('/fargs') }, next);
+        expect(reportFindings).to.have.been.calledWithMatch({
+          ruleId: 'unvalidated-redirect',
+          sinkEvent: sinon.match({
+            args: [
+              { tracked: true, value: '{...\'pathname\':\'/fargs\'...}' },
+              { tracked: false, value: 'Function' }
+            ],
+            context: 'res.redirect({...\'pathname\':\'/fargs\'...},Function)',
+            tags: { UNTRUSTED: [16, 21] },
+            source: 'P0',
+          }),
+        });
+      });
+    });
+    it('does not report if string arg is untracked or safely tagged', function() {
+      simulateRequestScope(() => {
+        const res = getRes();
+        const str = trackString('/fargs', { tags: { UNTRUSTED: [0, 5], URL_ENCODED: [0, 5] } });
+        res.redirect({ pathname: str }, next);
+        res.redirect({ pathname: '/fargs' }, next);
+        expect(reportFindings.getCalls()).to.have.lengthOf(0);
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/sequelize.test.js ADDED Viewed

@@ -0,0 +1,100 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { inspect } = require('util');
+const {
+  DataflowTag: { SQL_ENCODED, UNTRUSTED },
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks sequelize', function () {
+  let core, simulateRequestScope, trackString, tracker, reportFindings;
+  class Sequelize {
+    query() { }
+  }
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    core.depHooks.resolve.yields(Sequelize);
+    require('./sequelize')(core).install();
+  });
+  it('skips instrumentation if assess store is missing', function () {
+    Sequelize.prototype.query();
+    expect(reportFindings).to.not.have.been.called;
+  });
+  it('skips instrumentation if a query is not provided ', function () {
+    simulateRequestScope(function () {
+      Sequelize.prototype.query();
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skips instrumentation if the query is not a string', function () {
+    simulateRequestScope(function () {
+      Sequelize.prototype.query({});
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skips instrumentation if the query is not a tracked', function () {
+    simulateRequestScope(function () {
+      Sequelize.prototype.query('hello');
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skips instrumentation if the query is safe', function () {
+    simulateRequestScope(function () {
+      const str = trackString('drop table', {
+        tags: {
+          [SQL_ENCODED]: [0, 9],
+          [UNTRUSTED]: [0, 9],
+        },
+      });
+      const { extern } = tracker.getData(str);
+      Sequelize.prototype.query(extern);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('reports an sql-injection', function () {
+    simulateRequestScope(function () {
+      const str = trackString('drop table', {
+        tags: {
+          [SQL_ENCODED]: [0, 4],
+          [UNTRUSTED]: [0, 9],
+        },
+      });
+      const { value } = tracker.getData(str);
+      const options = { dialect: 'mysql' };
+      Sequelize.prototype.query(str, options);
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId: 'sql-injection',
+        sinkEvent: {
+          name: 'sequelize.prototype.query',
+          moduleName: 'sequelize',
+          methodName: 'prototype.query',
+          context: `sequelize.prototype.query('${value}', { dialect: 'mysql' })`,
+          object: {
+            value: sinon.match('sequelize'),
+            tracked: false,
+          },
+          args: [{ value, tracked: true }, { value: inspect(options), tracked: false }],
+          tags: { [SQL_ENCODED]: [0, 4], [UNTRUSTED]: [0, 9] },
+          source: 'P0',
+        },
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/sqlite3.test.js ADDED Viewed

@@ -0,0 +1,118 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED },
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks sqlite3', function () {
+  let core, sqlite3, simulateRequestScope, trackString, tracker, reportFindings;
+  beforeEach(function () {
+    sqlite3 = {
+      // eslint-disable-next-line object-shorthand
+      Database: function () { }
+    };
+    sqlite3.Database.prototype = {
+      all: sinon.stub(),
+      run: sinon.stub(),
+      get: sinon.stub(),
+      each: sinon.stub(),
+      exec: sinon.stub(),
+      prepare: sinon.stub()
+    };
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    core.depHooks.resolve.yields(sqlite3);
+    require('./sqlite3')(core).install();
+  });
+  ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
+    describe(`instruments connection.${method}()`, function () {
+      it('skips instrumentation if assess store is missing', function () {
+        const db = new sqlite3.Database();
+        db[method]('SELECT "foo"');
+        expect(reportFindings).not.to.have.been.called;
+      });
+      it('skips instrumentation if a value is not provided ', function () {
+        simulateRequestScope(function () {
+          const db = new sqlite3.Database();
+          db[method]();
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if the value is not a string', function () {
+        simulateRequestScope(function () {
+          const db = new sqlite3.Database();
+          db[method]({});
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if the query is not a tracked', function () {
+        simulateRequestScope(function () {
+          const db = new sqlite3.Database();
+          db[method]('SELECT "foo"');
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if the query is safe', function () {
+        simulateRequestScope(function () {
+          const str = trackString('SELECT "foo"', {
+            tags: {
+              [SQL_ENCODED]: [0, 11],
+              [UNTRUSTED]: [0, 11],
+            },
+          });
+          const { extern } = tracker.getData(str);
+          const db = new sqlite3.Database();
+          db[method](extern);
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('reports an sql-injection', function() {
+        simulateRequestScope(function () {
+          const value = 'SELECT "foo"';
+          const extern = trackString(value, {
+            tags: {
+              [UNTRUSTED]: [0, 11],
+            },
+          });
+          const db = new sqlite3.Database();
+          db[method](extern);
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'sql-injection',
+            sinkEvent: {
+              name: `sqlite3.Database.prototype.${method}`,
+              moduleName: 'sqlite3',
+              methodName: `Database.prototype.${method}`,
+              context: `db.${method}('${extern}')`,
+              object: {
+                value: '[Module<sqlite3>].Database',
+                tracked: false,
+              },
+              args: [{ value, tracked: true }],
+              tags: { [UNTRUSTED]: [0, 11] },
+              source: 'P0',
+            },
+          });
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/vm.test.js ADDED Viewed

@@ -0,0 +1,326 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const {
+  DataflowTag: { UNTRUSTED, CUSTOM_VALIDATED },
+  Rule: { UNSAFE_CODE_EXECUTION },
+  UtilInspect,
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks vm', function () {
+  let vm, core, simulateRequestScope, trackString, reportFindings, reportSafePositive;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    vm = require('vm');
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    core.depHooks.resolve.yields(vm);
+    require('./vm')(core).install();
+  });
+  [
+    {
+      method: 'Script',
+      vulnerableArgs: [{ type: 'string', index: 0 }],
+      args: () => ['val = "test"'],
+      sanitizedArgs: () => [trackString('val = "test"', {
+        tags: {
+          [UNTRUSTED]: [0, 11],
+          [CUSTOM_VALIDATED]: [0, 11]
+        }
+      })],
+      isConstructor: true,
+      expectedSafeReportInfo: [{
+        value: UtilInspect('val = "test"'),
+        strValues: ['val = "test"'],
+        tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
+      }],
+      expectedSinkEvent: [{
+        args: [{ value: 'val = "test"', tracked: true }],
+        context: 'vm.Script("val = "test"")',
+        name: 'vm.Script',
+        moduleName: 'vm',
+        methodName: 'Script',
+        object: { value: 'vm', tracked: false },
+        source: 'P0',
+        tags: { [UNTRUSTED]: [0, 11] }
+      }]
+    },
+    {
+      method: 'createScript',
+      vulnerableArgs: [{ type: 'string', index: 0 }],
+      args: () => ['val = "test"'],
+      sanitizedArgs: () => [trackString('val = "test"', {
+        tags: {
+          [UNTRUSTED]: [0, 11],
+          [CUSTOM_VALIDATED]: [0, 11]
+        }
+      })],
+      expectedSafeReportInfo: [{
+        value: UtilInspect('val = "test"'),
+        strValues: ['val = "test"'],
+        tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
+      }],
+      expectedSinkEvent: [{
+        args: [{ value: 'val = "test"', tracked: true }],
+        context: 'vm.createScript("val = "test"")',
+        name: 'vm.createScript',
+        moduleName: 'vm',
+        methodName: 'createScript',
+        object: { value: 'vm', tracked: false },
+        source: 'P0',
+        tags: { [UNTRUSTED]: [0, 11] }
+      }]
+    },
+    {
+      method: 'runInContext',
+      vulnerableArgs: [{ type: 'string', index: 0 }],
+      args: () => ['val = "test"', vm.createContext({ val: '' })],
+      sanitizedArgs: () => [trackString('val = "test"', {
+        tags: {
+          [UNTRUSTED]: [0, 11],
+          [CUSTOM_VALIDATED]: [0, 11]
+        }
+      }),
+      vm.createContext({ val: '' })],
+      missingArgs: () => ['', vm.createContext({})],
+      expectedSafeReportInfo: [{
+        value: UtilInspect('val = "test"'),
+        strValues: ['val = "test"'],
+        tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
+      }],
+      expectedSinkEvent: [{
+        args: [{ value: 'val = "test"', tracked: true }, { value: UtilInspect({ val: '' }), tracked: false }],
+        context: 'vm.runInContext("val = "test"", { val: \'\' })',
+        name: 'vm.runInContext',
+        moduleName: 'vm',
+        methodName: 'runInContext',
+        object: { value: 'vm', tracked: false },
+        source: 'P0',
+        tags: { [UNTRUSTED]: [0, 11] }
+      }]
+    },
+    {
+      method: 'runInThisContext',
+      vulnerableArgs: [{ type: 'string', index: 0 }],
+      sanitizedArgs: () => [trackString('val = "test"', {
+        tags: {
+          [UNTRUSTED]: [0, 11],
+          [CUSTOM_VALIDATED]: [0, 11]
+        }
+      })],
+      args: () => ['val = "test"'],
+      expectedSafeReportInfo: [{
+        value: UtilInspect('val = "test"'),
+        strValues: ['val = "test"'],
+        tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
+      }],
+      expectedSinkEvent: [{
+        args: [{ value: 'val = "test"', tracked: true }],
+        context: 'vm.runInThisContext("val = "test"")',
+        name: 'vm.runInThisContext',
+        moduleName: 'vm',
+        methodName: 'runInThisContext',
+        object: { value: 'vm', tracked: false },
+        source: 'P0',
+        tags: { [UNTRUSTED]: [0, 11] }
+      }]
+    },
+    {
+      method: 'createContext',
+      vulnerableArgs: [{ type: 'object', index: 0 }],
+      sanitizedArgs: () => [{
+        val: trackString('value', {
+          tags: {
+            [UNTRUSTED]: [0, 4],
+            [CUSTOM_VALIDATED]: [0, 4]
+          }
+        })
+      }],
+      args: () => [{ val: 'value' }],
+      expectedSafeReportInfo: [{
+        value: UtilInspect({ val: 'value' }),
+        strValues: ['value'],
+        tags: [{ [UNTRUSTED]: [8, 12], [CUSTOM_VALIDATED]: [8, 12] }]
+      }],
+      expectedSinkEvent: [{
+        args: [{ value: UtilInspect({ val: 'value' }), tracked: false }],
+        context: 'vm.createContext({ val: \'value\' })',
+        name: 'vm.createContext',
+        moduleName: 'vm',
+        methodName: 'createContext',
+        object: { value: 'vm', tracked: false },
+        source: 'P0',
+        tags: { [UNTRUSTED]: [8, 12] }
+      }]
+    },
+    {
+      method: 'runInNewContext',
+      vulnerableArgs: [{ type: 'string', index: 0 }, { type: 'object', index: 1 }],
+      sanitizedArgs: () => [trackString('val = "test"', {
+        tags: {
+          [UNTRUSTED]: [0, 11],
+          [CUSTOM_VALIDATED]: [0, 11]
+        }
+      }), {
+        val: trackString('SAFE', {
+          tags: {
+            [UNTRUSTED]: [0, 3],
+            [CUSTOM_VALIDATED]: [0, 3]
+          }
+        })
+      }],
+      args: () => ['val = "test"', { val: 'value' }],
+      expectedSafeReportInfo: [
+        {
+          value: UtilInspect('val = "test"'),
+          strValues: ['val = "test"'],
+          tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
+        },
+        {
+          value: UtilInspect({ val: 'SAFE' }),
+          strValues: ['SAFE'],
+          tags: [{ [UNTRUSTED]: [8, 11], [CUSTOM_VALIDATED]: [8, 11] }]
+        }
+      ],
+      expectedSinkEvent: [{
+        args: [{ value: 'val = "test"', tracked: true }, { value: UtilInspect({ val: 'value' }), tracked: false }],
+        context: 'vm.runInNewContext("val = "test"", { val: \'value\' })',
+        name: 'vm.runInNewContext',
+        moduleName: 'vm',
+        methodName: 'runInNewContext',
+        object: { value: 'vm', tracked: false },
+        source: 'P0',
+        tags: { [UNTRUSTED]: [0, 11] }
+      },
+      {
+        args: [{ value: 'val = "test"', tracked: false }, { value: UtilInspect({ val: 'value' }), tracked: false }],
+        context: 'vm.runInNewContext("val = "test"", { val: \'value\' })',
+        name: 'vm.runInNewContext',
+        moduleName: 'vm',
+        methodName: 'runInNewContext',
+        object: { value: 'vm', tracked: false },
+        source: 'P1',
+        tags: { [UNTRUSTED]: [8, 12] }
+      }]
+    },
+    {
+      method: 'runInNewContext',
+      vulnerableArgs: [{ type: 'object', index: 0 }],
+      args: () => [{ val: 'value' }],
+      sanitizedArgs: () => [{
+        val: trackString('SAFE', {
+          tags: {
+            [UNTRUSTED]: [0, 3],
+            [CUSTOM_VALIDATED]: [0, 3]
+          }
+        })
+      }],
+      scriptEntity: true,
+      expectedSafeReportInfo: [
+        {
+          value: UtilInspect({ val: 'SAFE' }),
+          strValues: ['SAFE'],
+          tags: [{ [UNTRUSTED]: [8, 11], [CUSTOM_VALIDATED]: [8, 11] }]
+        }
+      ],
+      expectedSinkEvent: [{
+        args: [{ value: UtilInspect({ val: 'value' }), tracked: false }],
+        context: 'vm.Script.prototype.runInNewContext({ val: \'value\' })',
+        name: 'vm.Script.prototype.runInNewContext',
+        moduleName: 'vm',
+        methodName: 'runInNewContext',
+        object: { value: 'vm.Script.prototype', tracked: false },
+        source: 'P0',
+        tags: { [UNTRUSTED]: [8, 12] }
+      }]
+    }
+  ].forEach(({ method, args, missingArgs = () => [], vulnerableArgs, sanitizedArgs, isConstructor, scriptEntity, expectedSafeReportInfo, expectedSinkEvent }) => {
+    describe(`vm.${method}`, function () {
+      let fn;
+      if (scriptEntity) {
+        fn = () => {
+          const scr = new vm.Script('val = "test"');
+          return scr;
+        };
+      } else {
+        fn = () => vm[method];
+      }
+      function makeAVmMethodCall(args) {
+        const vmMethod = fn();
+        if (isConstructor) {
+          new vmMethod(...args());
+        } else if (scriptEntity) {
+          vmMethod.runInNewContext(...args());
+        } else {
+          vmMethod(...args());
+        }
+      }
+      it('skips instrumentation if assess store is missing', function () {
+        makeAVmMethodCall(args);
+        expect(reportFindings).not.to.have.been.called;
+      });
+      it('skips instrumentation if a value is not provided ', function () {
+        simulateRequestScope(function () {
+          makeAVmMethodCall(missingArgs);
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if the argument is not a tracked', function () {
+        simulateRequestScope(function () {
+          makeAVmMethodCall(args);
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if the argument is sanitized', function () {
+        simulateRequestScope(function () {
+          makeAVmMethodCall(sanitizedArgs);
+          expect(reportFindings).not.to.have.been.called;
+          expect(reportSafePositive).to.have.been.calledOnce;
+          expect(reportSafePositive).to.have.been.calledWith({
+            name: scriptEntity ? `vm.Script.prototype.${method}` : `vm.${method}`,
+            ruleId: UNSAFE_CODE_EXECUTION,
+            safeTags: [CUSTOM_VALIDATED],
+            strInfo: expectedSafeReportInfo
+          });
+        });
+      });
+      it('reports an unsafe-code-execution', function () {
+        simulateRequestScope(function () {
+          vulnerableArgs.forEach((arg, idx) => {
+            const argsCopy = [...args()];
+            const extern = arg.type === 'string' ? trackString(argsCopy[arg.index]) : trackString(argsCopy[arg.index].val);
+            argsCopy[arg.index] = arg.type === 'string' ? extern : { val: extern };
+            makeAVmMethodCall(() => argsCopy);
+            expect(reportFindings).to.have.been.calledOnce;
+            expect(reportFindings).to.have.been.calledWithMatch({
+              ruleId: UNSAFE_CODE_EXECUTION,
+              sinkEvent: expectedSinkEvent[idx],
+            });
+            reportFindings.resetHistory();
+          });
+        });
+      });
+    });
+  });
+});