@contrast/assess 1.31.0 → 1.32.0

package/lib/dataflow/propagation/install/url/searchParams.test.js

@@ -0,0 +1,538 @@
+'use strict';
+
+const url = require('url');
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation url.URLSearchParams', function () {
+  let core, trackString, simulateRequestScope, tracker;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.split.install();
+    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
+    core.assess.dataflow.propagation.stringInstrumentation.substring.install();
+    core.assess.dataflow.propagation.urlInstrumentation.searchParams.install();
+    core.depHooks.resolve.yield(url);
+  });
+
+  afterEach(function () {
+    sinon.resetHistory();
+    core.assess.dataflow.propagation.stringInstrumentation.split.uninstall();
+    core.assess.dataflow.propagation.stringInstrumentation.concat.uninstall();
+    core.assess.dataflow.propagation.stringInstrumentation.substring.uninstall();
+
+  });
+
+  it('will not propagate if nothing in the search params is tracked', function () {
+    simulateRequestScope(function () {
+      const result = new url.URLSearchParams('?query=foo');
+      const input = result.get('query');
+      expect(input).to.be.equal('foo');
+      expect(tracker.getData(input)).to.be.null;
+    });
+  });
+
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = new url.URLSearchParams('?query='.concat(value));
+      const input = result.get('query');
+      expect(input).to.be.equal('foo');
+      expect(tracker.getData(input)).to.be.null;
+    }, {});
+  });
+
+  it('will not propagate if instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('foo');
+        const result = new url.URLSearchParams('?query='.concat(value));
+        const input = result.get('query');
+        expect(input).to.be.equal('foo');
+        expect(tracker.getData(input)).to.be.null;
+      });
+    });
+  });
+
+  it('does not break methods', function () {
+    simulateRequestScope(function () {
+      const result = new url.URLSearchParams('?query=foo');
+      const input = result.get('query');
+      expect(input).to.be.equal('foo');
+
+      result.set('query2', 'bar');
+      expect(result.get('query2')).to.be.equal('bar');
+
+      result.append('query3', 'fizz');
+      expect(result.get('query3')).to.be.equal('fizz');
+
+      result.delete('query2');
+      result.delete('query3');
+      expect(result.get('query2')).to.be.null;
+      expect(result.get('query3')).to.be.null;
+
+      for (const entry of result.entries()) {
+        expect(entry).to.be.deep.equal(['query', 'foo']);
+      }
+
+      result.forEach((val, key) => {
+        expect(val).to.be.equal('foo');
+        expect(key).to.be.equal('query');
+      });
+
+      result.append('query', 'bar');
+      expect(result.getAll('query')).to.be.deep.equal(['foo', 'bar']);
+
+      expect(result.has('query')).to.be.true;
+      expect(result.has('query', 'bar')).to.be.true;
+
+      for (const key of result.keys()) {
+        expect(key).to.be.equal('query');
+      }
+
+      result.append('input', 'fizz');
+      result.sort();
+      expect(result.toString()).to.be.equal('input=fizz&query=foo&query=bar');
+    });
+  });
+
+  it('keeps track of vulnerable params set', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = new url.URLSearchParams();
+
+      result.set('query', value);
+      const input = result.get('query');
+      expect(input).to.be.equal('foo');
+      expect(tracker.getData(input).tags).to.be.deep.equal({
+        UNTRUSTED: [0, 2]
+      });
+    });
+  });
+
+  it('keeps track of vulnerable params appended', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = new url.URLSearchParams();
+
+      result.append('query', value);
+      const input = result.get('query');
+      expect(input).to.be.equal('foo');
+      expect(tracker.getData(input).tags).to.be.deep.equal({
+        UNTRUSTED: [0, 2]
+      });
+    });
+  });
+
+  describe('params object', function () {
+
+    it('propagates through get', function () {
+      simulateRequestScope(function () {
+        const value = trackString('foo');
+        const result = new url.URLSearchParams({ query: value });
+
+        const input = result.get('query');
+        expect(input).to.be.equal('foo');
+        expect(tracker.getData(input).tags).to.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+      });
+    });
+
+    it('propagates through toString()', function () {
+      simulateRequestScope(function () {
+        const value = trackString('foo');
+        const result = new url.URLSearchParams({ query: value });
+
+        const input = result.toString();
+        expect(input).to.be.equal('query=foo');
+        expect(tracker.getData(input).tags).to.deep.equal({
+          UNTRUSTED: [6, 8]
+        });
+      });
+    });
+
+    it('propagates duplicates through toString()', function() {
+      simulateRequestScope(function() {
+        const value = trackString('foo');
+        const result = new url.URLSearchParams({ query: value });
+        result.append('query', value);
+
+        const input = result.toString();
+        expect(input).to.be.equal('query=foo&query=foo');
+        expect(tracker.getData(input).tags).to.deep.equal({
+          UNTRUSTED: [6, 8, 16, 18]
+        });
+      });
+    });
+
+    it('propagates spaces to pluses through toString()', function() {
+      simulateRequestScope(function() {
+        const value = trackString('foo bar');
+        const result = new url.URLSearchParams({ query: value });
+
+        const input = result.toString();
+        expect(input).to.be.equal('query=foo+bar');
+        expect(tracker.getData(input).tags).to.deep.equal({
+          UNTRUSTED: [6, 12]
+        });
+      });
+    });
+
+    it('propagates through entries', function () {
+      simulateRequestScope(function () {
+        const value = trackString('foo');
+        const result = new url.URLSearchParams({ query: value });
+
+        for (const entry of result.entries()) {
+          expect(entry).to.be.deep.equal(['query', 'foo']);
+          expect(tracker.getData(entry[1]).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        }
+      });
+    });
+
+    it('propagates through forEach', function () {
+      simulateRequestScope(function () {
+        const value = trackString('foo');
+        const result = new url.URLSearchParams({ query: value });
+
+        result.forEach((val, key) => {
+          expect(key).to.be.equal('query');
+          expect(val).to.be.equal('foo');
+          expect(tracker.getData(val).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        });
+      });
+    });
+
+    // eslint-disable-next-line
+    it.skip('keeps track of vulnerable keys', function () {
+      simulateRequestScope(function () {
+        const obj = {};
+        const value = trackString('query');
+        // TO DO: NODE-3067: Tracking lost on object keys
+        obj[value] = 'foo';
+        const result = new url.URLSearchParams(obj);
+
+        for (const [key, val] of result.entries()) {
+          expect(key).to.be.equal('query');
+          expect(val).to.be.equal('foo');
+          expect(tracker.getData(key).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 4]
+          });
+          expect(tracker.getData(val)).to.be.null;
+        }
+
+        result.forEach((val, key) => {
+          expect(key).to.be.equal('query');
+          expect(val).to.be.equal('foo');
+          expect(tracker.getData(key).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 4]
+          });
+          expect(tracker.getData(val)).to.be.null;
+        });
+
+        const input = result.toString();
+        expect(input).to.be.equal('query=foo');
+        expect(tracker.getData(input).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+      });
+    });
+
+    it('keeps track of multiple vulnerable parameters', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo');
+        const bar = trackString('bar');
+        const result = new url.URLSearchParams({ foo, bar });
+
+        const fizz = trackString('fizz');
+        const buzz = trackString('buzz');
+
+        result.set('fizz', fizz);
+        result.append('buzz', buzz);
+
+        const params1 = result.get('foo');
+        expect(params1).to.be.equal('foo');
+        expect(tracker.getData(params1).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+
+        const params2 = result.get('bar');
+        expect(params2).to.be.equal('bar');
+        expect(tracker.getData(params2).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+
+        const params3 = result.get('fizz');
+        expect(params3).to.be.equal('fizz');
+        expect(tracker.getData(params3).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+
+        const params4 = result.get('buzz');
+        expect(params4).to.be.equal('buzz');
+        expect(tracker.getData(params4).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+
+        const str = result.toString();
+        //                       0         1         2         3
+        //                       012 456 890 234 6789 1234 6789 1234
+        expect(str).to.be.equal('foo=foo&bar=bar&fizz=fizz&buzz=buzz');
+        expect(tracker.getData(str).tags).to.be.deep.equal({
+          UNTRUSTED: [4, 6, 12, 14, 21, 24, 31, 34]
+        });
+
+        result.sort();
+        const str2 = result.toString();
+        expect(str2).to.be.equal('bar=bar&buzz=buzz&fizz=fizz&foo=foo');
+        expect(tracker.getData(str2).tags).to.be.deep.equal({
+          UNTRUSTED: [4, 6, 13, 16, 23, 26, 32, 34]
+        });
+      });
+    });
+  });
+
+  describe('params string', function () {
+    it('propagates through get', function () {
+      simulateRequestScope(function () {
+        const value = trackString('?query=foo', { tags: { UNTRUSTED: [7, 9] } });
+        const result = new url.URLSearchParams(value);
+
+        const input = result.get('query');
+        expect(input).to.be.equal('foo');
+        expect(tracker.getData(input).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+      });
+    });
+
+    it('propagates through toString', function () {
+      simulateRequestScope(function () {
+        const value = trackString('?query=foo', { tags: { UNTRUSTED: [7, 9] } });
+        const result = new url.URLSearchParams(value);
+
+        const input = result.toString();
+        expect(input).to.be.equal('query=foo');
+        expect(tracker.getData(input).tags).to.be.deep.equal({
+          UNTRUSTED: [6, 8]
+        });
+      });
+    });
+
+    it('propagates through entries', function () {
+      simulateRequestScope(function () {
+        const value = trackString('?query=foo', { tags: { UNTRUSTED: [7, 9] } });
+        const result = new url.URLSearchParams(value);
+
+        for (const [key, val] of result.entries()) {
+          expect(key).to.be.equal('query');
+          expect(val).to.be.equal('foo');
+          expect(tracker.getData(val).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        }
+      });
+    });
+
+    it('propagates through forEach', function () {
+      simulateRequestScope(function () {
+        const value = trackString('?query=foo', { tags: { UNTRUSTED: [7, 9] } });
+        const result = new url.URLSearchParams(value);
+
+        result.forEach((val, key) => {
+          expect(key).to.be.equal('query');
+          expect(val).to.be.equal('foo');
+          expect(tracker.getData(val).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        });
+      });
+    });
+
+    it('keeps track of vulnerable keys', function () {
+      simulateRequestScope(function () {
+        const value = trackString('?query=foo', { tags: { UNTRUSTED: [1, 5] } });
+        const result = new url.URLSearchParams(value);
+
+        for (const [key, val] of result.entries()) {
+          expect(key).to.be.equal('query');
+          expect(val).to.be.equal('foo');
+          expect(tracker.getData(key).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 4]
+          });
+          expect(tracker.getData(val)).to.be.null;
+        }
+
+        result.forEach((val, key) => {
+          expect(key).to.be.equal('query');
+          expect(val).to.be.equal('foo');
+          expect(tracker.getData(key).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 4]
+          });
+          expect(tracker.getData(val)).to.be.null;
+        });
+
+        const input = result.toString();
+        expect(input).to.be.equal('query=foo');
+        expect(tracker.getData(input).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+      });
+    });
+
+    it('keeps track of multiple vulnerable parameters', function () {
+      simulateRequestScope(function () {
+        const value = trackString('?foo=foo&bar=bar', { tags: { UNTRUSTED: [5, 7, 13, 15] } });
+        const result = new url.URLSearchParams(value);
+
+        const fizz = trackString('fizz');
+        const buzz = trackString('buzz');
+
+        result.set('fizz', fizz);
+        result.append('buzz', buzz);
+
+        const params1 = result.get('foo');
+        expect(params1).to.be.equal('foo');
+        expect(tracker.getData(params1).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+
+        const params2 = result.get('bar');
+        expect(params2).to.be.equal('bar');
+        expect(tracker.getData(params2).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+
+        const params3 = result.get('fizz');
+        expect(params3).to.be.equal('fizz');
+        expect(tracker.getData(params3).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+
+        const params4 = result.get('buzz');
+        expect(params4).to.be.equal('buzz');
+        expect(tracker.getData(params4).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+
+        const str = result.toString();
+        expect(str).to.be.equal('foo=foo&bar=bar&fizz=fizz&buzz=buzz');
+        expect(tracker.getData(str).tags).to.be.deep.equal({
+          UNTRUSTED: [4, 6, 12, 14, 21, 24, 31, 34]
+        });
+
+        result.sort();
+        const str2 = result.toString();
+        expect(str2).to.be.equal('bar=bar&buzz=buzz&fizz=fizz&foo=foo');
+        expect(tracker.getData(str2).tags).to.be.deep.equal({
+          UNTRUSTED: [4, 6, 13, 16, 23, 26, 32, 34]
+        });
+      });
+    });
+  });
+
+  describe('params iterable', function () {
+    it('keeps tracking a matrix input', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo');
+        const bar = trackString('bar');
+        const result = new url.URLSearchParams([
+          ['param1', foo],
+          ['param2', bar]
+        ]);
+
+        const str = result.toString();
+        expect(str).to.be.equal('param1=foo&param2=bar');
+        expect(tracker.getData(str).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 9, 18, 20]
+        });
+
+        for (const [, val] of result.entries()) {
+          expect(tracker.getData(val).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        }
+
+        result.forEach((val, key) => {
+          expect(tracker.getData(val).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        });
+      });
+    });
+
+    it('keeps tracking a Map input', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo');
+        const bar = trackString('bar');
+        const map = new Map();
+        map.set('param1', foo);
+        map.set('param2', bar);
+
+        const result = new url.URLSearchParams(map);
+
+        const str = result.toString();
+        expect(str).to.be.equal('param1=foo&param2=bar');
+        expect(tracker.getData(str).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 9, 18, 20]
+        });
+
+        for (const [, val] of result.entries()) {
+          expect(tracker.getData(val).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        }
+
+        result.forEach((val, key) => {
+          expect(tracker.getData(val).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        });
+      });
+    });
+
+    it('keeps tracking a generator function input', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo');
+        const bar = trackString('bar');
+
+        function* getQueryPairs() {
+          yield ['param1', foo];
+          yield ['param2', bar];
+        }
+        const result = new url.URLSearchParams(getQueryPairs());
+
+        const str = result.toString();
+        expect(str).to.be.equal('param1=foo&param2=bar');
+        expect(tracker.getData(str).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 9, 18, 20]
+        });
+
+        for (const [, val] of result.entries()) {
+          expect(tracker.getData(val).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        }
+
+        result.forEach((val, key) => {
+          expect(tracker.getData(val).tags).to.be.deep.equal({
+            UNTRUSTED: [0, 2]
+          });
+        });
+      });
+    });
+  });
+});