npm - @contrast/assess - Versions diffs - 1.30.0 → 1.32.0 - Mend

@contrast/assess 1.30.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/session-configuration/install/koa.js CHANGED Viewed

@@ -44,55 +44,61 @@ module.exports = function (core) {
           name: 'Koa.Application',
           patchType,
           pre(data) {
-            const origCtx = data.args[0];
-            data.args[0] = function(...args) {
-              patcher.patch(args[0].cookies, 'set', {
-                name: 'ctx.cookies',
-                patchType,
-                pre({ args }) {
-                  const sourceContext = getSourceContext();
-                  if (!sourceContext) return;
+            if (data.args?.length === 0) return;
+            const [origCtx] = data.args;
-                  const [name,, options] = args;
+            if (typeof origCtx !== 'function') return;
+            data.args[0] = patcher.patch(origCtx, {
+              name: 'ctx',
+              patchType,
+              pre({ args }) {
+                patcher.patch(args[0].cookies, 'set', {
+                  name: 'ctx.cookies',
+                  patchType,
+                  pre({ args }) {
+                    const sourceContext = getSourceContext();
+                    if (!sourceContext) return;
-                  const httpOnly = options?.httpOnly;
-                  const secure = options?.secure;
-                  if (httpOnly && secure) return;
+                    const [name,, options] = args;
-                  const displayArg = inspect(options);
-                  const sessionEvent = createSessionEvent({
-                    args: [{
-                      tracked: false,
-                      value: displayArg
-                    }],
-                    context: `ctx.cookies.set(${displayArg})`,
-                    history: [],
-                    name: 'koaCookie',
-                    moduleName: 'koa',
-                    methodName: '',
-                    object: {
-                      tracked: false,
-                      value: 'koa',
-                    },
-                    result: {
-                      tracked: false,
-                    },
-                    source: 'P',
-                    stack: [],
-                    tags: {},
-                    framework: 'koa',
-                  });
-                  if (!httpOnly) {
-                    handleHttpOnly(sourceContext, name, sessionEvent);
-                  }
+                    const httpOnly = options?.httpOnly;
+                    const secure = options?.secure;
+                    if (httpOnly && secure) return;
+                    const displayArg = inspect(options);
+                    const sessionEvent = createSessionEvent({
+                      args: [{
+                        tracked: false,
+                        value: displayArg
+                      }],
+                      context: `ctx.cookies.set(${displayArg})`,
+                      history: [],
+                      name: 'koaCookie',
+                      moduleName: 'koa',
+                      methodName: '',
+                      object: {
+                        tracked: false,
+                        value: 'koa',
+                      },
+                      result: {
+                        tracked: false,
+                      },
+                      source: 'P',
+                      stack: [],
+                      tags: {},
+                      framework: 'koa',
+                    });
+                    if (!httpOnly) {
+                      handleHttpOnly(sourceContext, name, sessionEvent);
+                    }
-                  if (!secure) {
-                    handleSecure(sourceContext, name, sessionEvent);
+                    if (!secure) {
+                      handleSecure(sourceContext, name, sessionEvent);
+                    }
                   }
-                }
-              });
-              return origCtx.apply(this, args);
-            };
+                });
+              }
+            });
           }
         });
       });

package/lib/session-configuration/install/koa.test.js ADDED Viewed

@@ -0,0 +1,92 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { SessionConfigurationRule } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
+describe('assess sessionConfiguration Koa', function () {
+  let core,
+    simulateRequestScope,
+    koaMock,
+    ctxMock,
+    patchedMiddleware;
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    koaMock = {
+      prototype: {
+        middleware: [],
+        use: (fn) => {
+          koaMock.prototype.middleware.push(fn);
+        },
+      }
+    };
+    ctxMock = function() {};
+    ctxMock.cookies = { set: sinon.stub() };
+    core.depHooks.resolve
+      .withArgs({ name: 'koa', version: '>=2.3.0' })
+      .yields(koaMock);
+    sinon.stub(core.assess.sessionConfiguration, 'reportFindings');
+    core.assess.sessionConfiguration.koa.install();
+    koaMock.prototype.use(ctxMock);
+    [patchedMiddleware] = koaMock.prototype.middleware;
+    patchedMiddleware(ctxMock);
+  });
+  it('will not report if instrumentation runs outside of request scope', function() {
+    patchedMiddleware(ctxMock);
+    ctxMock.cookies.set('cookie', 'foo', { secure: false });
+    expect(core.assess.sessionConfiguration.reportFindings).not.to.have.been.called;
+  });
+  it('will not report when both options are set to true', function() {
+    simulateRequestScope(() => {
+      ctxMock.cookies.set('cookie', 'foo', { httpOnly: true, secure: true });
+      expect(core.assess.sessionConfiguration.reportFindings).not.to.have.been.called;
+    });
+  });
+  it('reports httponly when option is set to false', function() {
+    simulateRequestScope(() => {
+      ctxMock.cookies.set('cookie', 'foo', { httpOnly: false });
+      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+        ruleId: HTTPONLY,
+        sinkEvent: sinon.match({
+          context: 'ctx.cookies.set({ httpOnly: false })',
+        }),
+      });
+    });
+  });
+  it('reports secure-flag-missing when option is set to false', function() {
+    simulateRequestScope(() => {
+      ctxMock.cookies.set('cookie', 'foo', { secure: false });
+      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+        ruleId: SECURE_FLAG_MISSING,
+        sinkEvent: sinon.match({
+          context: 'ctx.cookies.set({ secure: false })',
+        }),
+      });
+    });
+  });
+  it('reports httponly and secure-flag-missing when options are not set', function() {
+    simulateRequestScope(() => {
+      ctxMock.cookies.set('cookie', 'foo');
+      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+        ruleId: HTTPONLY
+      });
+      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+        ruleId: SECURE_FLAG_MISSING
+      });
+    });
+  });
+});

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.30.0",
+  "version": "1.32.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,7 +17,7 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.21.3",
+    "@contrast/common": "1.23.0",
     "@contrast/distringuish": "^5.0.0",
     "@contrast/scopes": "1.4.1"
   }