npm - @contrast/assess - Versions diffs - 1.30.0 → 1.32.0 - Mend

@contrast/assess 1.30.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/dataflow/propagation/install/joi/boolean.test.js ADDED Viewed

@@ -0,0 +1,103 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { DataflowTag } = require('@contrast/common');
+describe('assess dataflow propagation joi boolean', function() {
+  let core, joi, schema, tracker, createPropagationEvent, trackString, simulateRequestScope;
+  beforeEach(function() {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    createPropagationEvent = sinon.spy(
+      core.assess.eventFactory,
+      'createPropagationEvent'
+    );
+    core.depHooks.resolve
+      .withArgs({
+        name: 'joi',
+        file: 'lib/types/boolean.js',
+        version: '>=17.0.0',
+      })
+      .yields(require('joi-17/lib/types/boolean'));
+    require('./index')(core).install();
+    joi = require('joi-17');
+    schema = joi.boolean();
+  });
+  afterEach(function() {
+    Object.keys(require.cache).forEach((key) => {
+      if (key.includes('joi')) {
+        delete require.cache[key];
+      }
+    });
+    createPropagationEvent.restore();
+  });
+  it('should add alphanum-space-hyphen tag if value is a string and it was coerced', function() {
+    simulateRequestScope(() => {
+      const value = trackString('true');
+      schema.validate(value);
+      const trackData = tracker.getData(value);
+      expect(trackData.tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 3],
+        [DataflowTag.ALPHANUM_SPACE_HYPHEN]: [0, 3],
+      });
+      expect(trackData).to.deep.include({
+        moduleName: 'joi',
+        methodName: 'boolean.coerce',
+      });
+    });
+  });
+  it('should not propagate anything if the argument is not tracked', function() {
+    simulateRequestScope(() => {
+      const value = 'true';
+      schema.validate(value);
+      const trackData = tracker.getData(value);
+      expect(trackData).to.be.null;
+      expect(createPropagationEvent).to.not.have.been.called;
+    });
+  });
+  it('should not add alphanum-space-hyphen tag if value was already tagged', function() {
+    simulateRequestScope(() => {
+      const value = trackString('true');
+      schema.validate(value);
+      schema.validate(value);
+      const trackData = tracker.getData(value);
+      expect(trackData.tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 3],
+        [DataflowTag.ALPHANUM_SPACE_HYPHEN]: [0, 3],
+      });
+      expect(trackData).to.deep.include({
+        moduleName: 'joi',
+        methodName: 'boolean.coerce',
+      });
+    });
+  });
+  it('should not add alphanum-space-hyphen tag if value is a string and it was not coerced', function() {
+    simulateRequestScope(() => {
+      const value = trackString('foobar');
+      schema.validate(value);
+      const trackData = tracker.getData(value);
+      expect(trackData.tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 5],
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/joi/expression.test.js ADDED Viewed

@@ -0,0 +1,76 @@
+'use strict';
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { DataflowTag } = require('@contrast/common');
+describe('assess dataflow propagation joi expression', function() {
+  let core, joi, tracker, trackString, simulateRequestScope;
+  beforeEach(function() {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    core.config.assess.trust_custom_validators = true;
+    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/index.js', version: '>=17.0.0' }).yields(require('joi-17/lib/index'));
+    require('./index')(core).install();
+    joi = require('joi-17');
+  });
+  afterEach(function() {
+    Object.keys(require.cache).forEach((key) => {
+      if (key.includes('joi')) {
+        delete require.cache[key];
+      }
+    });
+  });
+  it('should add html-encoded tag if value is a template string using the template syntax (joi.expression)', function() {
+    simulateRequestScope(() => {
+      const value = trackString('{{foobar}}');
+      const expr = joi.expression(value);
+      const { tags } = tracker.getData(expr.rendered);
+      expect(tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 9],
+        [DataflowTag.HTML_ENCODED]: [0, 9]
+      });
+    });
+  });
+  it('should add html-encoded tag if value is a template string using the template syntax (joi.x)', function() {
+    simulateRequestScope(() => {
+      const value = trackString('{{foobar}}');
+      const expr = joi.x(value);
+      const { tags } = tracker.getData(expr.rendered);
+      expect(tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 9],
+        [DataflowTag.HTML_ENCODED]: [0, 9]
+      });
+    });
+  });
+  it('should not add html-encoded tag if value is not a template string (joi.expression)', function() {
+    simulateRequestScope(() => {
+      const value = trackString('foobar');
+      const expr = joi.expression(value);
+      const { tags } = tracker.getData(expr.rendered);
+      expect(tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 5],
+      });
+    });
+  });
+  it('should not add html-encoded tag if value is not a template string (joi.x)', function() {
+    simulateRequestScope(() => {
+      const value = trackString('foobar');
+      const expr = joi.x(value);
+      const { tags } = tracker.getData(expr.rendered);
+      expect(tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 5],
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/joi/index.test.js ADDED Viewed

@@ -0,0 +1,39 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow propagation joi', function() {
+  let core, instr;
+  beforeEach(function() {
+    ({ core } = initAssessFixture());
+    instr = core.assess.dataflow.propagation.joiInstrumentation;
+  });
+  const instrumentationList = ['any', 'booleanCoerce', 'expression', 'keys', 'numberCoerce', 'object', 'stringSchema', 'values'];
+  it('composes different installers', function() {
+    instrumentationList.forEach((name) => {
+      expect(instr[name]).to.have.property('install').and.be.a('function');
+    });
+  });
+  it('dispatches installation to sub-components', function() {
+    const installs = [];
+    // stub these to prevent side effects
+    instrumentationList.forEach((name) => {
+      const instr = core.assess.dataflow.propagation.joiInstrumentation;
+      installs.push(sinon.stub(instr[name], 'install'));
+    });
+    instr.install();
+    expect(installs).to.have.lengthOf(8);
+    installs.forEach((installer) => {
+      expect(installer).to.have.been.called;
+    });
+  });
+});

package/lib/dataflow/propagation/install/joi/number.test.js ADDED Viewed

@@ -0,0 +1,103 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { DataflowTag } = require('@contrast/common');
+describe('assess dataflow propagation joi number', function() {
+  let core, joi, schema, tracker, createPropagationEvent, trackString, simulateRequestScope;
+  beforeEach(function() {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    createPropagationEvent = sinon.spy(
+      core.assess.eventFactory,
+      'createPropagationEvent'
+    );
+    core.depHooks.resolve
+      .withArgs({
+        name: 'joi',
+        file: 'lib/types/number.js',
+        version: '>=17.0.0',
+      })
+      .yields(require('joi-17/lib/types/number'));
+    require('./index')(core).install();
+    joi = require('joi-17');
+    schema = joi.number();
+  });
+  afterEach(function() {
+    Object.keys(require.cache).forEach((key) => {
+      if (key.includes('joi')) {
+        delete require.cache[key];
+      }
+    });
+    createPropagationEvent.restore();
+  });
+  it('should add limited-chars tag if value is a string and it was coerced', function() {
+    simulateRequestScope(() => {
+      const value = trackString('1234');
+      schema.validate(value);
+      const trackData = tracker.getData(value);
+      expect(trackData.tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 3],
+        [DataflowTag.LIMITED_CHARS]: [0, 3],
+      });
+      expect(trackData).to.deep.include({
+        moduleName: 'joi',
+        methodName: 'number.coerce',
+      });
+    });
+  });
+  it('should not propagate anything if the argument is not tracked', function() {
+    simulateRequestScope(() => {
+      const value = '1234';
+      schema.validate(value);
+      const trackData = tracker.getData(value);
+      expect(trackData).to.be.null;
+      expect(createPropagationEvent).to.not.have.been.called;
+    });
+  });
+  it('should not add limited-chars tag if value was already tagged', function() {
+    simulateRequestScope(() => {
+      const value = trackString('1234');
+      schema.validate(value);
+      schema.validate(value);
+      const trackData = tracker.getData(value);
+      expect(trackData.tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 3],
+        [DataflowTag.LIMITED_CHARS]: [0, 3],
+      });
+      expect(trackData).to.deep.include({
+        moduleName: 'joi',
+        methodName: 'number.coerce',
+      });
+    });
+  });
+  it('should not add limited-chars tag if value is a string and it was coerced', function() {
+    simulateRequestScope(() => {
+      const value = trackString('foobar');
+      schema.validate(value);
+      const trackData = tracker.getData(value);
+      expect(trackData.tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 5],
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/joi/object.test.js ADDED Viewed

@@ -0,0 +1,119 @@
+'use strict';
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { DataflowTag } = require('@contrast/common');
+describe('assess dataflow propagation joi object validator with custom or external fn', function() {
+  let core, joi, tracker, trackString, simulateRequestScope;
+  beforeEach(function() {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    core.config.assess.trust_custom_validators = true;
+    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/object', version: '>=17.0.0' }).yields(require('joi-17/lib/types/object'));
+    require('./index')(core).install();
+    joi = require('joi-17');
+  });
+  afterEach(function() {
+    Object.keys(require.cache).forEach((key) => {
+      if (key.includes('joi')) {
+        delete require.cache[key];
+      }
+    });
+  });
+  ['custom', 'external'].forEach((method) => {
+    it(`objects with tracked values passing validation with ${method} validator will be tagged with ${DataflowTag.CUSTOM_VALIDATED}`, function(done) {
+      simulateRequestScope(() => {
+        const tracked = trackString('test');
+        const schema = joi.object()[method]((value, helper) => {
+          if (value.a === 'test' && value.b === 'test') {
+            return value;
+          }
+          return helper.message('Invalid value');
+        });
+        schema.validateAsync({
+          a: tracked,
+          b: tracked
+        })
+          .then((validated) => {
+            Object.values(validated).forEach((v) => {
+              const data = tracker.getData(v);
+              expect(data.tags).to.deep.equal({
+                [DataflowTag.UNTRUSTED]: [0, 3],
+                [DataflowTag.CUSTOM_VALIDATED]: [0, 3],
+              });
+              expect(data.moduleName).to.equal('joi');
+              expect(data.methodName).to.include(`object.${method}`);
+            });
+            done();
+          })
+          .catch(err => done(err));
+      });
+    });
+    it('tracked values not passing validation with an external validator won\'t be tagged', function(done) {
+      simulateRequestScope(() => {
+        const tracked = trackString('value');
+        const schema = joi.object({
+          v1: joi.object()[method]((value, helper) => {
+            if (value === 'test') {
+              return value;
+            }
+            return helper.message('Invalid value');
+          }),
+          v2: joi.object()[method]((value) => {
+            if (value === 'test') {
+              return value;
+            }
+            throw new Error('Invalid value');
+          }),
+          v3: joi.object()[method]((value) => {
+            if (value === 'test') {
+              return value;
+            }
+            return 'Invalid value';
+          }),
+        });
+        const obj = {
+          v1: tracked,
+          v2: tracked,
+          v3: tracked,
+        };
+        schema.validateAsync(obj, { abortEarly: false })
+          .then(() => {
+            done('The validation should not pass');
+          })
+          .catch(() => {
+            Object.values(obj).forEach((v) => {
+              const data = tracker.getData(v);
+              expect(data.tags).to.deep.equal({
+                [DataflowTag.UNTRUSTED]: [0, 4],
+              });
+              expect(data.name).to.equal('assess-dataflow-fixture');
+            });
+            done();
+          })
+          .catch(err => done(err));
+      });
+    });
+  });
+});