npm - @contrast/assess - Versions diffs - 1.30.0 → 1.32.0 - Mend

@contrast/assess 1.30.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/session-configuration/handlers.test.js ADDED Viewed

@@ -0,0 +1,84 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const handlers = require('./handlers');
+const {
+  Event,
+  SessionConfigurationRule: {
+    HTTPONLY,
+    SECURE_FLAG_MISSING,
+  }
+} = require('@contrast/common');
+describe('assess session-configuration handlers', function () {
+  let sessionConfiguration, core, simulateRequestScope;
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    sessionConfiguration = handlers(core);
+    sinon.spy(core.messages, 'emit');
+  });
+  [
+    {
+      method: 'handleHttpOnly',
+      cookie: 'HttpOnly',
+      ruleId: HTTPONLY
+    },
+    {
+      method: 'handleSecure',
+      cookie: 'Secure',
+      ruleId: SECURE_FLAG_MISSING
+    }
+  ].forEach(function ({ method, cookie, ruleId }) {
+    it(`should not report findings if cookie includes ${cookie} - ${method}`, function () {
+      simulateRequestScope(() => {
+        const sourceContext = core.assess.getSourceContext();
+        sessionConfiguration[method](sourceContext, `foo; cookie; ${cookie};`);
+        expect(core.messages.emit).to.not.have.been.called;
+      });
+    });
+    it(`should report when ${cookie} is not part of the cookie - ${method}`, function () {
+      simulateRequestScope(() => {
+        const sourceContext = core.assess.getSourceContext();
+        const sessionEvent = { mock: 'sessionEvent' };
+        sessionConfiguration[method](sourceContext, 'foo; cookie', sessionEvent);
+        expect(core.messages.emit).to.have.been.calledWith(Event.ASSESS_SESSION_CONFIGURATION_FINDING, {
+          ruleId,
+          sinkEvent: sessionEvent,
+          properties: {
+            evidence: 'foo; cookie'
+          }
+        });
+      });
+    });
+    it(`should report when ${cookie} (an array) is not part of the cookie - ${method} `, function () {
+      simulateRequestScope(() => {
+        const sourceContext = core.assess.getSourceContext();
+        const sessionEvent = { mock: 'sessionEvent' };
+        sessionConfiguration[method](sourceContext, ['foo; cookie', 'hello; cookie3'], sessionEvent);
+        expect(core.messages.emit).to.have.been.calledWith(Event.ASSESS_SESSION_CONFIGURATION_FINDING, {
+          ruleId,
+          sinkEvent: sessionEvent,
+          properties: {
+            evidence: 'foo; cookie'
+          }
+        });
+        expect(core.messages.emit).not.to.have.been.calledWith(Event.ASSESS_SESSION_CONFIGURATION_FINDING, {
+          ruleId,
+          sinkEvent: sessionEvent,
+          properties: {
+            evidence: 'hello; cookie3'
+          }
+        });
+      });
+    });
+  });
+});

package/lib/session-configuration/index.test.js ADDED Viewed

@@ -0,0 +1,36 @@
+'use strict';
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const mocks = require('@contrast/test/mocks');
+const moduleMock = (moduleName, mock) => (core) => {
+  core.assess.sessionConfiguration[moduleName] = mock[moduleName];
+};
+describe('assess session-configuration', function () {
+  let core, sessionConfigurationMock, sessionConfigurationModule, modulesWithInstall;
+  beforeEach(function () {
+    core = mocks.core();
+    core.scopes = mocks.scopes();
+    core.assess = mocks.assess();
+    sessionConfigurationMock = core.assess.sessionConfiguration;
+    sessionConfigurationModule = proxyquire('.', {
+      './install/express-session': moduleMock('expressSession', sessionConfigurationMock),
+      './install/hapi': moduleMock('hapiSession', sessionConfigurationMock),
+      './install/fastify-cookie': moduleMock('fastifyCookie', sessionConfigurationMock),
+      './install/koa': moduleMock('koaSession', sessionConfigurationMock),
+    });
+    modulesWithInstall = ['expressSession', 'hapiSession', 'fastifyCookie', 'koaSession'];
+  });
+  it('installs the components', function () {
+    sessionConfigurationModule(core).install();
+    modulesWithInstall.forEach((module) => {
+      expect(core.assess.sessionConfiguration[module].install).to.have.been.calledOnce;
+    });
+  });
+});

package/lib/session-configuration/install/express-session.test.js ADDED Viewed

@@ -0,0 +1,220 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const util = require('util');
+describe('assess session-configuration http', function () {
+  let core,
+    expressSession,
+    simulateRequestScope;
+  function ExpressSession(options) {
+    return (req, res) => true;
+  }
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    core.depHooks.resolve
+      .withArgs({ name: 'express-session' })
+      .yields(ExpressSession);
+    sinon.spy(core.assess.sessionConfiguration, 'handleHttpOnly');
+    sinon.spy(core.assess.sessionConfiguration, 'handleSecure');
+    expressSession = require('./express-session')(core).install();
+  });
+  it('skip instrumentation if options are set correctly', function () {
+    const options = {
+      secret: 'my-secret',
+      cookie: { httpOnly: true, secure: true },
+    };
+    expressSession(options);
+    expect(core.assess.sessionConfiguration.handleSecure).to.not.have.been.called;
+    expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
+  });
+  [
+    {
+      title: 'should instrument secure',
+      sessionOptions: [
+        undefined,
+        {},
+        { cookie: { httpOnly: undefined, secure: undefined } },
+        { cookie: { httpOnly: true } },
+      ],
+    },
+  ].forEach(({ title, sessionOptions }) => {
+    sessionOptions.forEach((options) => {
+      it(`${title} - ${util.inspect(options)}`, function () {
+        simulateRequestScope(() => {
+          const httpOnly = options?.cookie?.httpOnly;
+          const secure = options?.cookie?.secure;
+          const middleware = expressSession(options);
+          const request = {};
+          const response = {
+            setHeader: () => true,
+          };
+          middleware(request, response);
+          response.setHeader('Set-Cookie', 'hello');
+          // for code coverage
+          response.setHeader('custom-header', 'value');
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          expect(core.assess.sessionConfiguration.handleSecure).to.have.been.calledWith(
+            sourceContext,
+            'hello',
+            sinon.match({
+              args: [
+                {
+                  tracked: false,
+                  value: `{ cookie: { httpOnly: ${httpOnly}, secure: ${secure} } }`
+                },
+              ],
+              context: `expressSession({ cookie: { httpOnly: ${httpOnly}, secure: ${secure} } })`,
+              history: [],
+              name: 'express.hookedSessionConstructor',
+              moduleName: 'express-session',
+              methodName: '',
+              object: {
+                tracked: false,
+                value: 'Express.Response',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              source: 'P0',
+              stack: [],
+              tags: {},
+              framework: 'express',
+              options: { cookie: { httpOnly, secure } },
+            })
+          );
+        });
+      });
+    });
+  });
+  [
+    {
+      title: 'should not instrument secure',
+      sessionOptions: [
+        { cookie: { secure: true } },
+      ],
+    },
+  ].forEach(({ title, sessionOptions }) => {
+    sessionOptions.forEach((options) => {
+      it(`${title} - ${util.inspect(options)}`, function () {
+        simulateRequestScope(() => {
+          const middleware = expressSession(options);
+          const request = {};
+          const response = {
+            setHeader: () => true,
+          };
+          middleware(request, response);
+          response.setHeader('Set-Cookie', 'hello');
+          expect(core.assess.sessionConfiguration.handleSecure).to.not.have.been.called;
+        });
+      });
+    });
+  });
+  [
+    {
+      title: 'should not instrument httpOnly',
+      sessionOptions: [
+        undefined,
+        {},
+        { cookie: {} },
+        { cookie: { httpOnly: true } },
+      ],
+    },
+  ].forEach(({ title, sessionOptions }) => {
+    sessionOptions.forEach((options) => {
+      it(`${title} - ${util.inspect(options)}`, function () {
+        simulateRequestScope(() => {
+          const middleware = expressSession(options);
+          const request = {};
+          const response = {
+            setHeader: () => true,
+          };
+          middleware(request, response);
+          response.setHeader('Set-Cookie', 'hello');
+          expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
+        });
+      });
+    });
+  });
+  [
+    {
+      title: 'should instrument httpOnly',
+      sessionOptions: [
+        { cookie: { httpOnly: false, secure: undefined } },
+      ],
+    },
+  ].forEach(({ title, sessionOptions }) => {
+    sessionOptions.forEach((options) => {
+      it(`${title} - ${util.inspect(options)}`, function () {
+        simulateRequestScope(() => {
+          const middleware = expressSession(options);
+          const request = {};
+          const response = {
+            setHeader: () => true,
+          };
+          middleware(request, response);
+          response.setHeader('Set-Cookie', 'hello');
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          expect(core.assess.sessionConfiguration.handleHttpOnly).to.have.been.calledWith(
+            sourceContext,
+            'hello',
+            sinon.match({
+              args: [
+                {
+                  tracked: false,
+                  value: util.inspect(options),
+                },
+              ],
+              context: `expressSession(${util.inspect(options)})`,
+              history: [],
+              name: 'express.hookedSessionConstructor',
+              moduleName: 'express-session',
+              methodName: '',
+              object: {
+                tracked: false,
+                value: 'Express.Response',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              source: 'P0',
+              stack: [],
+              tags: {},
+              framework: 'express',
+              options,
+            })
+          );
+        });
+      });
+    });
+  });
+});

package/lib/session-configuration/install/fastify-cookie.test.js ADDED Viewed

@@ -0,0 +1,65 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { SessionConfigurationRule } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
+describe('assess session-configuration @fastify/cookie', function () {
+  let core,
+    simulateRequestScope,
+    serverMock,
+    mockFastifyCookie,
+    mockExport,
+    reply;
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    mockExport = function fastifyCookieMock(server, options) { };
+    mockExport.default = mockExport;
+    mockExport.fastifyCookie = mockExport;
+    reply = { header: sinon.stub() };
+    serverMock = {
+      addHook: sinon.stub().yields({}, reply),
+    };
+    core.depHooks.resolve
+      .withArgs({ name: '@fastify/cookie' })
+      .yields(mockExport);
+    sinon.stub(core.assess.sessionConfiguration, 'reportFindings');
+    core.assess.sessionConfiguration.fastifyCookie.install();
+    mockFastifyCookie = mockExport.fastifyCookie;
+  });
+  it('reports httponly and secure-flag-missing when both options are unset', function () {
+    mockFastifyCookie(serverMock, {});
+    simulateRequestScope(() => {
+      reply.header('Set-Cookie', 'bar');
+    });
+    expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+      ruleId: HTTPONLY,
+      sinkEvent: sinon.match({
+        context: 'fastifyCookie({ parseOptions: { httpOnly: undefined, secure: undefined } })',
+      }),
+    });
+    expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+      ruleId: SECURE_FLAG_MISSING,
+      sinkEvent: sinon.match({
+        context: 'fastifyCookie({ parseOptions: { httpOnly: undefined, secure: undefined } })',
+      }),
+    });
+  });
+  it('will not report if instrumentation runs outside of request scope', function () {
+    mockFastifyCookie(serverMock, {});
+    reply.header('Set-Cookie', 'bar');
+    expect(core.assess.sessionConfiguration.reportFindings).not.to.have.been.called;
+  });
+});

package/lib/session-configuration/install/hapi.test.js ADDED Viewed

@@ -0,0 +1,269 @@
+'use strict';
+const util = require('util');
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess session-configuration hapi', function () {
+  const hapi = {
+    server() {
+      return { state() { }, ext: sinon.stub() };
+    },
+    Server() {
+      return { state() { }, ext: sinon.stub() };
+    }
+  };
+  let core, hapiServer, simulateRequestScope;
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    core.depHooks.resolve
+      .withArgs({ name: '@hapi/hapi', version: '>=18 <22' })
+      .yields(hapi);
+    sinon.spy(core.assess.sessionConfiguration, 'handleHttpOnly');
+    sinon.spy(core.assess.sessionConfiguration, 'handleSecure');
+    require('./hapi')(core).install();
+  });
+  ['server', 'Server'].forEach((server) => {
+    describe(`${server}`, function () {
+      it('skips instrumentation if options are set correctly', function () {
+        simulateRequestScope(() => {
+          const options = {
+            isHttpOnly: true,
+            isSecure: true
+          };
+          hapiServer = hapi[server]();
+          hapiServer.state('data', options);
+          expect(core.assess.sessionConfiguration.handleSecure).to.not.have.been.called;
+          expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
+        });
+      });
+      it('does not call handlers when set-cookie is missing in headers', function () {
+        simulateRequestScope(() => {
+          const options = {
+            isHttpOnly: false,
+            isSecure: false
+          };
+          hapiServer = hapi[server]();
+          hapiServer.ext.withArgs('onPostResponse', sinon.match.func).callsFake((string, method) => {
+            method({
+              response: {
+                headers: {}
+              }
+            });
+          });
+          hapiServer.state('data', options);
+          expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
+          expect(core.assess.sessionConfiguration.handleSecure).to.not.have.been.called;
+        });
+      });
+      [
+        {
+          isSecure: false
+        },
+        {
+          isSecure: false,
+          isHttpOnly: true
+        }
+      ].forEach((options) => {
+        it('handles isSecure flag set to false', function () {
+          simulateRequestScope(() => {
+            hapiServer = hapi[server]();
+            hapiServer.ext.withArgs('onPostResponse', sinon.match.func).callsFake((string, method) => {
+              method({
+                response: {
+                  headers: {
+                    'set-cookie': ['foo']
+                  }
+                }
+              });
+            });
+            hapiServer.state('data', options);
+            const sourceContext = core.scopes.sources.getStore()?.assess;
+            expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
+            expect(core.assess.sessionConfiguration.handleSecure).to.have.been.calledWith(
+              sourceContext,
+              'set-cookie: foo',
+              sinon.match({
+                args: [
+                  {
+                    tracked: false,
+                    value: util.inspect(options),
+                  },
+                ],
+                context: `state(${util.inspect(['data', options])})`,
+                history: [],
+                name: `hapi.${server}.state`,
+                moduleName: 'hapi',
+                methodName: '',
+                object: {
+                  tracked: false,
+                  value: `hapi.${server}`,
+                },
+                result: {
+                  tracked: false,
+                  value: undefined,
+                },
+                source: 'P1',
+                framework: 'hapi',
+                options,
+              })
+            );
+          });
+        });
+      });
+      [
+        {
+          isHttpOnly: false
+        },
+        {
+          isSecure: true,
+          isHttpOnly: false
+        }
+      ].forEach((options) => {
+        it('handles isHttpOnly flag set to false', function () {
+          simulateRequestScope(() => {
+            hapiServer = hapi[server]();
+            hapiServer.ext.withArgs('onPostResponse', sinon.match.func).callsFake((string, method) => {
+              method({
+                response: {
+                  headers: {
+                    'set-cookie': ['foo']
+                  }
+                }
+              });
+            });
+            hapiServer.state('data', options);
+            const sourceContext = core.scopes.sources.getStore()?.assess;
+            expect(core.assess.sessionConfiguration.handleHttpOnly).to.have.been.calledWith(
+              sourceContext,
+              'set-cookie: foo',
+              sinon.match({
+                args: [
+                  {
+                    tracked: false,
+                    value: util.inspect(options),
+                  },
+                ],
+                context: `state(${util.inspect(['data', options])})`,
+                history: [],
+                name: `hapi.${server}.state`,
+                moduleName: 'hapi',
+                methodName: '',
+                object: {
+                  tracked: false,
+                  value: `hapi.${server}`,
+                },
+                result: {
+                  tracked: false,
+                  value: undefined,
+                },
+                source: 'P1',
+                framework: 'hapi',
+                options,
+              })
+            );
+          });
+        });
+      });
+      it('handles isHttpOnly flag and isSecure set to false', function () {
+        simulateRequestScope(() => {
+          const options = {
+            isSecure: false,
+            isHttpOnly: false
+          };
+          hapiServer = hapi[server]();
+          hapiServer.ext.withArgs('onPostResponse', sinon.match.func).callsFake((string, method) => {
+            method({
+              response: {
+                headers: {
+                  'set-cookie': ['foo']
+                }
+              }
+            });
+          });
+          hapiServer.state('data', options);
+          const sourceContext = core.scopes.sources.getStore()?.assess;
+          expect(core.assess.sessionConfiguration.handleHttpOnly).to.have.been.calledWith(
+            sourceContext,
+            'set-cookie: foo',
+            sinon.match({
+              args: [
+                {
+                  tracked: false,
+                  value: util.inspect(options),
+                },
+              ],
+              context: `state(${util.inspect(['data', options])})`,
+              history: [],
+              name: `hapi.${server}.state`,
+              moduleName: 'hapi',
+              methodName: '',
+              object: {
+                tracked: false,
+                value: `hapi.${server}`,
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              source: 'P1',
+              framework: 'hapi',
+              options,
+            })
+          );
+          expect(core.assess.sessionConfiguration.handleSecure).to.have.been.calledWith(
+            sourceContext,
+            'set-cookie: foo',
+            sinon.match({
+              args: [
+                {
+                  tracked: false,
+                  value: util.inspect(options),
+                },
+              ],
+              context: `state(${util.inspect(['data', options])})`,
+              history: [],
+              name: `hapi.${server}.state`,
+              moduleName: 'hapi',
+              methodName: '',
+              object: {
+                tracked: false,
+                value: `hapi.${server}`,
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              source: 'P1',
+              framework: 'hapi',
+              options,
+            })
+          );
+        });
+      });
+    });
+  });
+});