npm - @contrast/assess - Versions diffs - 1.31.0 → 1.32.0 - Mend

@contrast/assess 1.31.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/lib/dataflow/propagation/install/string/split.test.js ADDED Viewed

@@ -0,0 +1,500 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow propagation string split', function () {
+  let core, simulateRequestScope, trackString, tracker;
+  beforeEach(function () {
+    ({
+      core,
+      trackString,
+      simulateRequestScope
+    } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    sinon.spy(tracker, 'track');
+    core.assess.dataflow.propagation.stringInstrumentation.substring.install();
+    core.assess.dataflow.propagation.stringInstrumentation.split.install();
+  });
+  afterEach(function () {
+    tracker.track.restore();
+    core.assess.dataflow.propagation.stringInstrumentation.substring.uninstall();
+    core.assess.dataflow.propagation.stringInstrumentation.split.uninstall();
+  });
+  describe('base cases', function () {
+    it('normal split on non-tracked string', function () {
+      simulateRequestScope(() => {
+        const ret = 'foo?foo'.split('?');
+        expect(ret).to.deep.equal(['foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str)).to.be.null;
+        });
+      });
+    });
+    it('regex split on non-tracked string', function () {
+      simulateRequestScope(() => {
+        const ret = 'foo?foo'.split(/\?/);
+        expect(ret).to.deep.equal(['foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str)).to.be.null;
+        });
+      });
+    });
+    it('array split on non-tracked string', function () {
+      simulateRequestScope(() => {
+        const ret = 'foo?,?foo'.split(['?', '?']);
+        expect(ret).to.deep.equal(['foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str)).to.be.null;
+        });
+      });
+    });
+    it('apply split on non-tracked string', function () {
+      simulateRequestScope(() => {
+        const ret = String.prototype.split.apply('foo?foo', ['?']);
+        expect(ret).to.deep.equal(['foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str)).to.be.null;
+        });
+      });
+    });
+    it('limited split on non-tracked string', function () {
+      simulateRequestScope(() => {
+        const ret = 'foo?foo?foo'.split('?', 2);
+        expect(ret).to.deep.equal(['foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str)).to.be.null;
+        });
+      });
+    });
+    it('split on empty string', function () {
+      simulateRequestScope(() => {
+        const ret = ''.split('?');
+        expect(ret).to.deep.equal(['']);
+        expect(tracker.getData(ret[0])).to.be.null;
+      });
+    });
+    it('split on object', function () {
+      simulateRequestScope(() => {
+        const ret = String.prototype.split.apply({ foo: 'foo' }, ['foo']);
+        expect(ret).to.deep.equal(['[object Object]']);
+        expect(tracker.getData(ret[0])).to.be.null;
+      });
+    });
+  });
+  describe('undefined/empty separators', function () {
+    [
+      [],
+      [undefined],
+      [null]
+    ].forEach((rest) => {
+      it(`handles ${rest[0]} separator`, function () {
+        simulateRequestScope(() => {
+          const extern = trackString('foo');
+          const ret = extern.split(rest[0]);
+          expect(ret).to.deep.equal(['foo']);
+          expect(tracker.getData(ret[0]).tags).to.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        });
+      });
+    });
+    it('handles empty separator for a fully tracked string', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo');
+        const ret = extern.split('');
+        expect(ret).to.deep.equal(['f', 'o', 'o']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).tags).to.deep.equal({
+            UNTRUSTED: [0, 0]
+          });
+        });
+      });
+    });
+    it('handles empty separator for a partially tracked string', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo', {
+          tags: {
+            UNTRUSTED: [1, 1]
+          }
+        });
+        const ret = extern.split('');
+        expect(ret).to.deep.equal(['f', 'o', 'o']);
+        expect(tracker.getData(ret[0])).to.be.null;
+        expect(tracker.getData(ret[1]).tags).to.deep.equal({
+          UNTRUSTED: [0, 0]
+        });
+        expect(tracker.getData(ret[2])).to.be.null;
+      });
+    });
+    it('handles empty separator for a tracked string with different named ranges', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo', {
+          tags: {
+            foo: [0, 0],
+            bar: [1, 2]
+          }
+        });
+        const ret = extern.split('');
+        expect(ret).to.deep.equal(['f', 'o', 'o']);
+        expect(tracker.getData(ret[0]).tags).to.deep.equal({
+          foo: [0, 0]
+        });
+        expect(tracker.getData(ret[1]).tags).to.deep.equal({
+          bar: [0, 0]
+        });
+        expect(tracker.getData(ret[2]).tags).to.deep.equal({
+          bar: [0, 0]
+        });
+      });
+    });
+  });
+  describe('string separators', function () {
+    it('keeps track of an unsplit string', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo', {
+          tags: {
+            untrusted: [0, 2]
+          }
+        });
+        const ret = extern.split('?');
+        expect(ret).to.deep.equal(['foo']);
+        expect(tracker.getData(ret[0]).tags).to.deep.equal({
+          untrusted: [0, 2]
+        });
+      });
+    });
+    it('handles split limit of 0', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo', {
+          tags: {
+            untrusted: [0, 10]
+          }
+        });
+        const ret = extern.split('?', 0);
+        expect(ret).to.deep.equal([]);
+      });
+    });
+    it('handles non-zero split limit', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo');
+        const ret = extern.split('?', 2);
+        expect(ret).to.deep.equal(['foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).tags).to.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        });
+      });
+    });
+    it('keeps track of a tracked split string', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo');
+        const ret = extern.split('?');
+        expect(ret).to.deep.equal(['foo', 'foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).tags).to.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        });
+      });
+    });
+    it('does not call tracker.track if the split result is the original string', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo');
+        tracker.track.resetHistory();
+        const ret = extern.split('!');
+        expect(ret).to.deep.equal(['foo?foo?foo']);
+        expect(tracker.getData(ret[0]).tags).to.deep.equal({
+          UNTRUSTED: [0, 10]
+        });
+        expect(tracker.track).to.not.have.been.called;
+      });
+    });
+    it('keeps track of a tracked split string (long separator)', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo');
+        const ret = extern.split('?foo?');
+        expect(ret).to.deep.equal(['foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).tags).to.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        });
+      });
+    });
+    it('keeps track of a partially tracked split string', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo', {
+          tags: {
+            untrusted: [0, 2, 8, 10]
+          }
+        });
+        const ret = extern.split('?');
+        expect(ret).to.deep.equal(['foo', 'foo', 'foo']);
+        expect(tracker.getData(ret[0]).tags).to.deep.equal({
+          untrusted: [0, 2]
+        });
+        expect(tracker.getData(ret[1])).to.be.null;
+        expect(tracker.getData(ret[2]).tags).to.deep.equal({
+          untrusted: [0, 2]
+        });
+      });
+    });
+    it('keeps track of a tracked split string with different tag range names', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo', {
+          tags: {
+            untrusted: [0, 2, 8, 10],
+            foo: [0, 2],
+            bar: [4, 10]
+          }
+        });
+        const ret = extern.split('?');
+        expect(ret).to.deep.equal(['foo', 'foo', 'foo']);
+        expect(tracker.getData(ret[0]).tags).to.deep.equal({
+          untrusted: [0, 2],
+          foo: [0, 2]
+        });
+        expect(tracker.getData(ret[1]).tags).to.deep.equal({
+          bar: [0, 2]
+        });
+        expect(tracker.getData(ret[2]).tags).to.deep.equal({
+          untrusted: [0, 2],
+          bar: [0, 2]
+        });
+      });
+    });
+    it('keeps track of tracked separators', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo', {
+          tags: {
+            untrusted: [0, 10]
+          }
+        });
+        const trackedSep = trackString('?', {
+          tags: {
+            untrusted: [0, 0]
+          }
+        });
+        const ret = extern.split(trackedSep);
+        expect(ret).to.deep.equal(['foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).args).to.deep.equal([{
+            value: '?', tracked: true
+          }]);
+        });
+      });
+    });
+    it('reports result as a comma delimited list', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo', {
+          tags: {
+            untrusted: [0, 10]
+          }
+        });
+        const ret = extern.split('?');
+        expect(ret).to.deep.equal(['foo', 'foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).result).to.deep.equal({
+            value: 'foo',
+            tracked: true
+          });
+        });
+      });
+    });
+  });
+  describe('regEx separators', function () {
+    it('keeps track of a tracked split string separated by a RegEx', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo', {
+          tags: {
+            untrusted: [0, 10]
+          }
+        });
+        const ret = extern.split(/\?/g);
+        expect(ret).to.deep.equal(['foo', 'foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).tags).to.deep.equal({
+            untrusted: [0, 2]
+          });
+        });
+      });
+    });
+    it('keeps track of a tracked split string separated by a more complex RegEx', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo1foo2foo', {
+          tags: {
+            untrusted: [0, 10]
+          }
+        });
+        const ret = extern.split(/\d/g);
+        expect(ret).to.deep.equal(['foo', 'foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).tags).to.deep.equal({
+            untrusted: [0, 2]
+          });
+        });
+      });
+    });
+    it('keeps track of a tracked split string separated by a RegEx containing capturing parentheses', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo', {
+          tags: {
+            untrusted: [0, 10]
+          }
+        });
+        const ret = extern.split(/(\?)/g);
+        expect(ret).to.deep.equal(['foo', '?', 'foo', '?', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).tags).to.deep.equal({
+            untrusted: [0, str.length - 1]
+          });
+        });
+      });
+    });
+  });
+  describe('complex/edge cases', function () {
+    it('handles non-english characters', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('fꙨꙨꙮፈar', {
+          tags: {
+            untrusted: [0, 10]
+          }
+        });
+        const ret = extern.split('ꙮ');
+        expect(ret).to.deep.equal(['fꙨꙨ', 'ፈar']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).tags).to.deep.equal({
+            untrusted: [0, 2]
+          });
+        });
+      });
+    });
+    it('handles multiple calls to split and keeps track of tracked strings with different named ranges', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo?foo?foo', {
+          tags: {
+            untrusted: [0, 8],
+            foo: [0, 2],
+            bar: [0, 6],
+            foobar: [9, 10]
+          }
+        });
+        let [foo1, foo2, foo3] = [...extern.split('?')];
+        foo1 = foo1.split();
+        foo2 = foo2.split('');
+        foo3 = foo3.split(/(o)/g);
+        expect(foo1).to.deep.equal(['foo']);
+        expect(foo2).to.deep.equal(['f', 'o', 'o']);
+        expect(foo3).to.deep.equal(['f', 'o', '', 'o', '']);
+        expect(tracker.getData(foo1[0]).tags).to.deep.equal({
+          untrusted: [0, 2],
+          foo: [0, 2],
+          bar: [0, 2]
+        });
+        foo2.forEach((char) => {
+          expect(tracker.getData(char).tags).to.deep.equal({
+            untrusted: [0, 0],
+            bar: [0, 0]
+          });
+        });
+        expect(tracker.getData(foo3[0]).tags).to.deep.equal({
+          untrusted: [0, 0]
+        });
+        expect(tracker.getData(foo3[1]).tags).to.deep.equal({
+          foobar: [0, 0]
+        });
+        expect(tracker.getData(foo3[3]).tags).to.deep.equal({
+          foobar: [0, 0]
+        });
+      });
+    });
+    it('custom splitter returns tracked strings', function () {
+      simulateRequestScope(() => {
+        const customSplit = {
+          [Symbol.split](str) {
+            return [str, str];
+          }
+        };
+        const extern = trackString('foo', {
+          tags: {
+            untrusted: [0, 2]
+          }
+        });
+        const ret = extern.split(customSplit);
+        expect(ret).to.deep.equal(['foo', 'foo']);
+        ret.forEach((str) => {
+          expect(tracker.getData(str).tags).to.deep.equal({
+            untrusted: [0, 2]
+          });
+        });
+      });
+    });
+    it('custom splitter calls split', function () {
+      simulateRequestScope(() => {
+        const onlySplitFoo = {
+          [Symbol.split](str) {
+            if (str.includes('foo')) {
+              return str.split('?');
+            } else {
+              return [];
+            }
+          }
+        };
+        const extern = trackString('foo?bar', {
+          tags: {
+            untrusted: [0, 2]
+          }
+        });
+        const ret = extern.split(onlySplitFoo);
+        expect(ret).to.deep.equal(['foo', 'bar']);
+        expect(tracker.getData(ret[0]).tags).to.deep.equal({
+          untrusted: [0, 2]
+        });
+        expect(tracker.getData(ret[1])).to.be.null;
+      });
+    });
+  });
+});