@contrast/assess 1.30.0 → 1.32.0

package/lib/response-scanning/handlers/utils.test.js

@@ -0,0 +1,391 @@
+'use strict';
+
+const { expect } = require('chai');
+const {
+  escapeHtml,
+  isHtmlContent,
+  getElements,
+  getAttribute,
+  isParseableResponse,
+  checkCacheControlValue,
+  checkMetaTags,
+  getCspHeaders,
+  checkCspSources
+} = require('./utils');
+
+describe('assess response scanning handlers utils', function() {
+  describe('escapeHtml', function() {
+    it('returns the original string when there are no characters to be escaped', function() {
+      expect(escapeHtml('test')).to.equal('test');
+    });
+
+    it('returns empty string when called with falsy value', function() {
+      expect(escapeHtml()).to.equal('');
+    });
+
+    it('retrurns the string with escaped characters where necessary', function() {
+      expect(escapeHtml('<input type="text">Test&Go<input type=\'text\'>'))
+        .to.equal('&lt;input type=&quot;text&quot;&gt;Test&amp;Go&lt;input type=&#39;text&#39;&gt;');
+    });
+  });
+
+  describe('isHtmlContent', function() {
+    it('returns true if the passed argument is falsy', function() {
+      expect(isHtmlContent()).to.be.true;
+      expect(isHtmlContent('')).to.be.true;
+    });
+
+    it('returns true if the passed headers does not have specified content type', function() {
+      expect(isHtmlContent({ 'content-type': '' })).to.be.true;
+      expect(isHtmlContent({ 'test-header': 'some-value' })).to.be.true;
+    });
+
+    it('returns true if the passed headers have the right content type for html content', function() {
+      expect(isHtmlContent({ 'content-type': 'text/css' })).to.be.true;
+      expect(isHtmlContent({ 'Content-Type': '*/html' })).to.be.true;
+    });
+  });
+
+  describe('getElements', function() {
+    [
+      {
+        tag: 'p',
+        content: undefined,
+        expectedResult: []
+      },
+      {
+        tag: 'p',
+        content: '<div><form><input type="text"></form><div>',
+        expectedResult: []
+      },
+      {
+        tag: 'input',
+        content: '<div><form><input type="text"></form><div>',
+        expectedResult: ['<input type="text">']
+      },
+      {
+        tag: 'label',
+        content: '<form><label for="fname">First Name</label><label for="lname">Last Name</label><form>',
+        expectedResult: ['<label for="fname">', '<label for="lname">']
+      },
+    ].forEach(({ tag, content, expectedResult }) => {
+      it('gets the correct elements', function() {
+        expect(getElements(tag, content)).to.deep.equal(expectedResult);
+      });
+    });
+  });
+
+  describe('getAttribute', function() {
+    it('returns undefined if the attribute is not found', function() {
+      expect(getAttribute('method', '<label for="fname">')).to.be.undefined;
+    });
+
+    it('returns undefined if there is an empty space after the attr assignment', function() {
+      expect(getAttribute('for', '<label for= "fname">')).to.be.undefined;
+    });
+
+    [
+      '<label for="fname">',
+      "<label for='fname'>",
+      '<label for=fname >',
+      '<label for=fname>',
+      '<label for=fname/>',
+    ].forEach((htmlTag) => {
+      it('returns the correct attribute', function() {
+        expect(getAttribute('for', htmlTag)).to.equal('fname');
+      });
+    });
+  });
+
+  describe('isParseableResponse', function() {
+    it('returns true if the passed argument is falsy', function() {
+      expect(isParseableResponse()).to.be.true;
+    });
+
+    [
+      {
+        responseHeaders: {},
+        expectedResult: true
+      },
+      {
+        responseHeaders: {
+          'content-type': 'multipart/form-data'
+        },
+        expectedResult: false
+      },
+      {
+        responseHeaders: {
+          'Content-Type': 'text/css'
+        },
+        expectedResult: true
+      },
+      {
+        responseHeaders: {
+          'Content-Type': '*/html'
+        },
+        expectedResult: true
+      },
+      {
+        responseHeaders: {
+          'Content-Type': 'application/xml'
+        },
+        expectedResult: true
+      },
+      {
+        responseHeaders: {
+          'Content-Type': 'application/soap'
+        },
+        expectedResult: true
+      },
+      {
+        responseHeaders: {
+          'Content-Type': 'application/pdf'
+        },
+        expectedResult: true
+      }
+    ].forEach(({ responseHeaders, expectedResult }) => {
+      it('assess wheter the response is parsable correctly', function() {
+        expect(isParseableResponse(responseHeaders)).to.equal(expectedResult);
+      });
+    });
+  });
+
+  describe('checkCacheControlValue', function() {
+    [
+      {
+        value: 'no-cache; no-store',
+        expectedResult: [true, true]
+      },
+      {
+        value: 'no-cache',
+        expectedResult: [true, false]
+      },
+      {
+        value: 'no-store',
+        expectedResult: [false, true]
+      },
+      {
+        value: 'no-control-value',
+        expectedResult: [false, false]
+      },
+      {
+        value: ['no-cache', 'mock-directive', 'no-store'],
+        expectedResult: [true, true]
+      },
+      {
+        value: ['mock-directive', 'no-store'],
+        expectedResult: [false, true]
+      },
+      {
+        value: ['mock-directive'],
+        expectedResult: [false, false]
+      },
+      {
+        value: ['no-cache', 'mock-directive'],
+        expectedResult: [true, false]
+      },
+    ].forEach(({ value, expectedResult }) => {
+      it('checks the cache control values correctly', function() {
+        expect(checkCacheControlValue(value)).to.deep.equal(expectedResult);
+      });
+    });
+  });
+
+  describe('checkMetaTags', function() {
+    let instructions = [];
+
+    beforeEach(function() {
+      instructions = [];
+    });
+
+    [
+      {
+        body: '<meta http-equiv="cache-control">',
+        cacheControlHeader: '',
+        expectedInstructions: [{ name: 'cache-control', type: 'META tag', value: '<meta http-equiv="cache-control">' }]
+      },
+      {
+        body: '<meta http-equiv="pragma">',
+        cacheControlHeader: '',
+        expectedInstructions: [{ name: 'pragma', type: 'META tag', value: '<meta http-equiv="pragma">' }]
+      },
+      {
+        body: '<meta http-equiv="expires">',
+        cacheControlHeader: '',
+        expectedInstructions: [{ name: 'expires', type: 'META tag', value: '<meta http-equiv="expires">' }]
+      },
+      {
+        body: '<meta http-equiv="cache-control" content="no-cache; no-store">',
+        cacheControlHeader: '',
+        expectedInstructions: []
+      },
+      {
+        body: '<meta http-equiv="cache-control" content="no-store">',
+        cacheControlHeader: 'no-cache',
+        expectedInstructions: []
+      },
+      {
+        body: '<meta http-equiv="cache-control" content="no-cache">',
+        cacheControlHeader: 'no-store',
+        expectedInstructions: []
+      },
+    ].forEach(({ body, cacheControlHeader, expectedInstructions }) => {
+      it('checks the meta tags and adds metadata to instructions if needed', function() {
+        checkMetaTags({ body, cacheControlHeader, instructions });
+
+        expect(instructions).to.deep.equal(expectedInstructions);
+      });
+    });
+  });
+
+  describe('getCspHeaders', function() {
+    [
+      {
+        responseHeaders: {},
+        expectedResult: false
+      },
+      {
+        responseHeaders: {
+          'some-header': 'some-value',
+          'content-security-policy': 'default-src "self"'
+        },
+        expectedResult: 'default-src "self"'
+      },
+      {
+        responseHeaders: {
+          'some-header': 'some-value',
+        },
+        expectedResult: false
+      },
+      {
+        responseHeaders: {
+          'some-header': 'some-value',
+          'x-content-security-policy': 'default-src "self"'
+        },
+        expectedResult: 'default-src "self"'
+      },
+      {
+        responseHeaders: {
+          'some-header': 'some-value',
+          'x-webkit-csp': 'default-src "self"'
+        },
+        expectedResult: 'default-src "self"'
+      },
+    ].forEach(({ responseHeaders, expectedResult }) => {
+      it('returns the CSP header', function() {
+        expect(getCspHeaders(responseHeaders)).to.equal(expectedResult);
+      });
+    });
+  });
+
+  describe('checkCspSources', function() {
+    const defaultValues = {
+      baseUriSecure: false,
+      baseUriValue: '',
+      childSrcSecure: false,
+      childSrcValue: '',
+      connectSrcSecure: false,
+      connectSrcValue: '',
+      defaultSrcSecure: false,
+      defaultSrcValue: '',
+      formActionSecure: false,
+      formActionValue: '',
+      frameAncestorsSecure: false,
+      frameAncestorsValue: '',
+      frameSrcSecure: false,
+      frameSrcValue: '',
+      mediaSrcSecure: false,
+      mediaSrcValue: '',
+      objectSrcSecure: false,
+      objectSrcValue: '',
+      pluginTypesSecure: false,
+      pluginTypesValue: '',
+      referrerSecure: true,
+      referrerValue: '',
+      reflectedXssSecure: true,
+      reflectedXssValue: '',
+      scriptSrcSecure: false,
+      scriptSrcValue: '',
+      styleSrcSecure: false,
+      styleSrcValue: ''
+    };
+
+    [
+      {
+        policy: 'default-src *;',
+        expectedResult: {
+          ...defaultValues,
+          defaultSrcValue: '*',
+          insecure: true
+        }
+      },
+      {
+        policy: 'default-src foobar.com;',
+        expectedResult: {
+          ...defaultValues,
+          childSrcSecure: true,
+          connectSrcSecure: true,
+          defaultSrcSecure: true,
+          defaultSrcValue: 'foobar.com',
+          frameSrcSecure: true,
+          mediaSrcSecure: true,
+          objectSrcSecure: true,
+          scriptSrcSecure: true,
+          styleSrcSecure: true,
+          insecure: true
+        }
+      },
+      {
+        policy: 'media-src *;',
+        expectedResult: {
+          ...defaultValues,
+          mediaSrcValue: '*',
+          insecure: true
+        }
+      },
+      {
+        policy: 'media-src foobar.com',
+        expectedResult: {
+          ...defaultValues,
+          mediaSrcSecure: true,
+          mediaSrcValue: 'foobar.com',
+          insecure: true
+        }
+      },
+      {
+        policy: 'media-src foobar.com *; child-src *;',
+        expectedResult: {
+          ...defaultValues,
+          mediaSrcSecure: false,
+          mediaSrcValue: 'foobar.com *',
+          childSrcValue: '*',
+          insecure: true
+        }
+      },
+      {
+        policy: 'referrer *; reflected-xss 1;',
+        expectedResult: {
+          ...defaultValues,
+          reflectedXssValue: '1',
+          referrerSecure: false,
+          referrerValue: '*',
+          insecure: true
+        }
+      },
+      {
+        policy: 'referrer unsafe-url',
+        expectedResult: {
+          ...defaultValues,
+          referrerSecure: false,
+          referrerValue: 'unsafe-url',
+          insecure: true
+        }
+      },
+    ].forEach(({ policy, expectedResult }) => {
+      it('checks the CSP sources', function() {
+        expect(checkCspSources(policy)).to.deep.equal(expectedResult);
+      });
+    });
+  });
+});
+

package/lib/response-scanning/index.test.js

@@ -0,0 +1,41 @@
+'use strict';
+
+const { Event } = require('@contrast/common');
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const mocks = require('@contrast/test/mocks');
+
+const moduleMock = (moduleName, mock) => (core) => {
+  core.assess.responseScanning[moduleName] = mock[moduleName];
+};
+
+describe('assess response-scanning', function () {
+  let core, responseScanningMock, responseScanningModule, modulesWithInstall, reportFindings;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.scopes = mocks.scopes();
+    core.assess = mocks.assess();
+    responseScanningMock = core.assess.responseScanning;
+    responseScanningModule = proxyquire('.', {
+      './install/http': moduleMock('httpInstrumentation', responseScanningMock),
+    });
+    ({ reportFindings } = responseScanningModule(core));
+    modulesWithInstall = ['httpInstrumentation'];
+  });
+
+  it('installs the components', function () {
+    responseScanningModule(core).install();
+
+    modulesWithInstall.forEach((module) => {
+      expect(responseScanningMock[module].install).to.have.been.calledOnce;
+    });
+  });
+
+  it('reports findings through messages', function () {
+    reportFindings(null, 'some-metadata');
+
+    expect(core.messages.emit).to.have.been.calledOnceWith(Event.ASSESS_RESPONSE_SCANNING_FINDING, 'some-metadata');
+  });
+});
+

package/lib/response-scanning/install/http.test.js

@@ -0,0 +1,175 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess response scanning sinks http', function () {
+  const sc = {};
+  const store = { assess: sc };
+  const expectedArgs = [
+    {
+      header1: ['value1', 'value2', 'value3'],
+      header2: 'value1'
+    },
+    'test-body'
+  ];
+
+  const bodyHandlers = [
+    'handleAutoCompleteMissing',
+    'handleCacheControlsMissing',
+    'handleParameterPollution',
+    'handleXxsProtectionHeaderDisabled',
+  ];
+
+  const handlerMethods = [
+    'handleAutoCompleteMissing',
+    'handleCacheControlsMissing',
+    'handleClickJackingControlsMissing',
+    'handleParameterPollution',
+    'handleCspHeader',
+    'handleHstsHeaderMissing',
+    'handleXPoweredByHeader',
+    'handleXContentTypeHeaderMissing',
+    'handleXxsProtectionHeaderDisabled',
+  ];
+
+  let core,
+    responseScanning,
+    http,
+    httpModule,
+    http2Module,
+    ServerResponse,
+    Http2ServerResponse,
+    objInstances,
+    simulateRequestScope;
+
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+
+    responseScanning = core.assess.responseScanning;
+    handlerMethods.forEach((method) => sinon.stub(core.assess.responseScanning, method));
+
+    ServerResponse = function () { };
+    Http2ServerResponse = function () { };
+    httpModule = {
+      ServerResponse,
+    };
+
+    http2Module = {
+      Http2ServerResponse,
+    };
+
+    httpModule.ServerResponse.prototype.end = function () {
+      return {
+        _header: 'header1: value1\r\n' +
+          'header1: value2\r\n' +
+          'header1: value3\r\n' +
+          'header2: value1\r\n\r\n'
+      };
+    };
+    httpModule.ServerResponse.prototype.write = function () {
+      return {
+        _header: 'header1: value1\r\n' +
+          'header1: value2\r\n' +
+          'header1: value3\r\n' +
+          'header2: value1\r\n\r\n'
+      };
+    };
+
+    const headersSymbol = Symbol('headers');
+
+    http2Module.Http2ServerResponse.prototype = {
+      end: () => ({
+        [headersSymbol]: {
+          header1: ['value1', 'value2', 'value3'],
+          header2: 'value1'
+        }
+      }),
+      write: () => { },
+      [headersSymbol]: {
+        header1: ['value1', 'value2', 'value3'],
+        header2: 'value1'
+      }
+    };
+
+    http = require('./http')(core);
+    core.depHooks.resolve
+      .withArgs({ name: 'http' })
+      .yields(httpModule);
+    core.depHooks.resolve
+      .withArgs({ name: 'http2' })
+      .yields(http2Module);
+
+    http.install();
+
+    objInstances = {
+      http: httpModule.ServerResponse.prototype,
+      http2: http2Module.Http2ServerResponse.prototype,
+    };
+  });
+
+  ['http', 'http2'].forEach((instanceName) => {
+    describe(instanceName, function () {
+      ['end', 'write'].forEach((method) => {
+        it(`skip instrumentation if assess store is missing - Server.Response.${method}`, function () {
+          objInstances[instanceName][method]('hello world');
+          handlerMethods.forEach((method) => {
+            expect(responseScanning[method]).to.not.have.been.called;
+          });
+        });
+      });
+
+      it('checks only the body related response scanning rules on .write method', function () {
+        simulateRequestScope(function () {
+          objInstances[instanceName].write('test-body');
+          objInstances[instanceName].write();
+          bodyHandlers.forEach((method) => {
+            const handler = responseScanning[method];
+            expect(handler).to.have.callCount(2);
+
+            if (['handleAutoCompleteMissing', 'handleCacheControlsMissing'].includes(method)) {
+              expect(responseScanning[method]).to.have.been.calledWith(sc, ...expectedArgs);
+            } else if (method === 'handleXxsProtectionHeaderDisabled') {
+              expect(responseScanning[method]).to.have.been.calledWith(sc, expectedArgs[0]);
+            } else if (method === 'handleParameterPollution') {
+              expect(responseScanning[method]).to.have.been.calledWith(sc, expectedArgs[1]);
+            }
+          });
+          handlerMethods.forEach((method) => {
+            if (!bodyHandlers.includes(method)) {
+              expect(responseScanning[method]).to.not.have.been.called;
+            }
+          });
+        }, store);
+      });
+
+      it('checks all response scanning rules on .end method', function () {
+        simulateRequestScope(function () {
+          objInstances[instanceName].end('test-body');
+          objInstances[instanceName].end();
+          handlerMethods.forEach((method) => {
+            expect(responseScanning[method]).to.have.callCount(2);
+            if ([
+              'handleAutoCompleteMissing',
+              'handleCacheControlsMissing',
+              'handleClickJackingControlsMissing',
+            ].includes(method)) {
+              expect(responseScanning[method]).to.have.been.calledWith(sc, ...expectedArgs);
+            } else if ([
+              'handleCspHeader',
+              'handleHstsHeaderMissing',
+              'handleXPoweredByHeader',
+              'handleXContentTypeHeaderMissing',
+              'handleXxsProtectionHeaderDisabled',
+            ].includes(method)) {
+              expect(responseScanning[method]).to.have.been.calledWith(sc, expectedArgs[0]);
+            } else if (method === 'handleParameterPollution') {
+              expect(responseScanning[method]).to.have.been.calledWith(sc, expectedArgs[1]);
+            }
+          });
+        }, store);
+      });
+    });
+  });
+});

package/lib/rule-scopes.test.js

@@ -0,0 +1,27 @@
+'use strict';
+
+const { expect } = require('chai');
+const { Rule } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess rule-scopes', function () {
+  let core;
+
+  beforeEach(function () {
+    ({ core } = initAssessFixture());
+  });
+
+  it('isLocked(ruleId) returns false when not running in rule scope', function () {
+    for (const ruleId of Object.values(Rule)) {
+      expect(core.assess.ruleScopes.isLocked(ruleId)).to.be.false;
+    }
+  });
+
+  it('isLocked(ruleId) will return true when run in scope for ruleId', function (next) {
+    core.assess.ruleScopes.run(Rule.REFLECTED_XSS, () => {
+      expect(core.assess.ruleScopes.isLocked(Rule.REFLECTED_XSS)).to.be.true;
+      expect(core.assess.ruleScopes.isLocked(Rule.SQL_INJECTION)).to.be.false;
+      next();
+    });
+  });
+});