npm - @contrast/assess - Versions diffs - 1.31.0 → 1.32.0 - Mend

@contrast/assess 1.31.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/lib/dataflow/propagation/install/url/url.test.js ADDED Viewed

@@ -0,0 +1,466 @@
+'use strict';
+const url = require('url');
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const keys = [
+  'hash',
+  'host',
+  'hostname',
+  'href',
+  'origin',
+  'password',
+  'pathname',
+  'port',
+  'protocol',
+  'search',
+  'username'
+];
+describe('assess dataflow propagation url.URL', function () {
+  let core, trackString, simulateRequestScope, tracker, matchURL;
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
+    core.assess.dataflow.propagation.stringInstrumentation.substring.install();
+    core.assess.dataflow.propagation.stringInstrumentation.split.install();
+    core.assess.dataflow.propagation.urlInstrumentation.searchParams.install();
+    core.assess.dataflow.propagation.urlInstrumentation.url.install();
+    core.depHooks.resolve.yield(url);
+    matchURL = {
+      href: 'https://user:pass@foo.com:3000/path?query=input#hash',
+      origin: 'https://foo.com:3000',
+      protocol: 'https:',
+      username: 'user',
+      password: 'pass',
+      host: 'foo.com:3000',
+      hostname: 'foo.com',
+      port: '3000',
+      pathname: '/path',
+      search: '?query=input',
+      hash: '#hash'
+    };
+  });
+  afterEach(function () {
+    sinon.resetHistory();
+    core.assess.dataflow.propagation.stringInstrumentation.concat.uninstall();
+    core.assess.dataflow.propagation.stringInstrumentation.substring.uninstall();
+  });
+  it('will not propagate if nothing in url is tracked', function () {
+    simulateRequestScope(function () {
+      const result = new url.URL('http://foo:3000/path');
+      keys.forEach((key) => {
+        expect(tracker.getData(result[key])).to.be.null;
+      });
+    });
+  });
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = new url.URL('http://'.concat(value, ':3000/path'));
+      keys.forEach((key) => {
+        expect(tracker.getData(result[key])).to.be.null;
+      });
+    }, {});
+  });
+  it('will not propagate if there instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('foo');
+        const result = new url.URL('http://'.concat(value, ':3000/path'));
+        keys.forEach((key) => {
+          expect(tracker.getData(result[key])).to.be.null;
+        });
+      });
+    });
+  });
+  describe('URL properties', function () {
+    it('propagates vulnerable protocol', function () {
+      simulateRequestScope(function () {
+        const value = trackString('https');
+        const result = new url.URL(value.concat('://user:pass@foo.com:3000/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        expect(tracker.getData(result.origin).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        expect(tracker.getData(result.protocol).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        ['username', 'password', 'host', 'hostname', 'port', 'pathname', 'search', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable username', function () {
+      simulateRequestScope(function () {
+        const value = trackString('user');
+        const result = new url.URL('https://'.concat(value, ':pass@foo.com:3000/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [8, 11]
+        });
+        expect(tracker.getData(result.username).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+        ['origin', 'protocol', 'password', 'host', 'hostname', 'port', 'pathname', 'search', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable password', function () {
+      simulateRequestScope(function () {
+        const value = trackString('pass');
+        const result = new url.URL('https://user:'.concat(value, '@foo.com:3000/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [13, 16]
+        });
+        expect(tracker.getData(result.password).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+        ['protocol', 'origin', 'username', 'host', 'hostname', 'port', 'pathname', 'search', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable hostname', function () {
+      simulateRequestScope(function () {
+        const value = trackString('foo');
+        const result = new url.URL('https://user:pass@'.concat(value, '.com:3000/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [18, 20]
+        });
+        expect(tracker.getData(result.origin).tags).to.be.deep.equal({
+          UNTRUSTED: [8, 10]
+        });
+        expect(tracker.getData(result.hostname).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+        expect(tracker.getData(result.host).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+        ['protocol', 'username', 'password', 'port', 'pathname', 'search', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable port', function () {
+      simulateRequestScope(function () {
+        const value = trackString('3000');
+        const result = new url.URL('https://user:pass@foo.com:'.concat(value, '/path?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [26, 29]
+        });
+        expect(tracker.getData(result.origin).tags).to.be.deep.equal({
+          UNTRUSTED: [16, 19]
+        });
+        expect(tracker.getData(result.host).tags).to.be.deep.equal({
+          UNTRUSTED: [8, 11]
+        });
+        expect(tracker.getData(result.port).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+        ['protocol', 'username', 'password', 'hostname', 'pathname', 'search', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable pathname', function () {
+      simulateRequestScope(function () {
+        const value = trackString('path');
+        const result = new url.URL('https://user:pass@foo.com:3000/'.concat(value, '?query=input#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [31, 34]
+        });
+        expect(tracker.getData(result.pathname).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4]
+        });
+        ['protocol', 'origin', 'username', 'password', 'host', 'hostname', 'port', 'search', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable search', function () {
+      simulateRequestScope(function () {
+        const value = trackString('input');
+        const result = new url.URL('https://user:pass@foo.com:3000/path?query='.concat(value, '#hash'));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [42, 46]
+        });
+        expect(tracker.getData(result.search).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 11]
+        });
+        ['protocol', 'origin', 'username', 'password', 'host', 'hostname', 'port', 'pathname', 'hash'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates vulnerable hash', function () {
+      simulateRequestScope(function () {
+        const value = trackString('hash');
+        const result = new url.URL('https://user:pass@foo.com:3000/path?query=input#'.concat(value));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [48, 51]
+        });
+        expect(tracker.getData(result.hash).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4]
+        });
+        ['protocol', 'origin', 'username', 'password', 'host', 'hostname', 'port', 'pathname', 'search'].forEach((prop) => {
+          expect(tracker.getData(result[prop])).to.be.null;
+        });
+      });
+    });
+    it('propagates multiple vulnerable properties', function () {
+      simulateRequestScope(function () {
+        const protocol = trackString('https');
+        const user = trackString('user');
+        const pass = trackString('pass');
+        const hostname = trackString('foo');
+        const port = trackString('3000');
+        const path = trackString('path');
+        const query = trackString('input');
+        const hash = trackString('hash');
+        const result = new url.URL(protocol.concat('://', user, ':', pass, '@', hostname, '.com:', port, '/', path, '?query=', query, '#', hash));
+        keys.forEach((key) => {
+          expect(result[key]).to.be.equal(matchURL[key]);
+        });
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4, 8, 11, 13, 16, 18, 20, 26, 29, 31, 34, 42, 46, 48, 51]
+        });
+        expect(tracker.getData(result.origin).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4, 8, 10, 16, 19]
+        });
+        expect(tracker.getData(result.protocol).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        expect(tracker.getData(result.username).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+        expect(tracker.getData(result.password).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+        expect(tracker.getData(result.host).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2, 8, 11]
+        });
+        expect(tracker.getData(result.hostname).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+        expect(tracker.getData(result.port).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 3]
+        });
+        expect(tracker.getData(result.pathname).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4]
+        });
+        expect(tracker.getData(result.search).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 11]
+        });
+        expect(tracker.getData(result.hash).tags).to.be.deep.equal({
+          UNTRUSTED: [1, 4]
+        });
+      });
+    });
+  });
+  describe('searchParams', function () {
+    it('maintains correct setters and getters for searchParams', function () {
+      simulateRequestScope(function () {
+        const result = new url.URL('https://user:pass@foo.com:3000/path?query1=input1&query2=input2');
+        expect(result.searchParams.get('query1')).to.be.equal('input1');
+        expect(result.searchParams.get('query2')).to.be.equal('input2');
+        result.searchParams.set('query1', 'input2');
+        result.searchParams.set('query2', 'input1');
+        expect(result.searchParams.get('query1')).to.be.equal('input2');
+        expect(result.searchParams.get('query2')).to.be.equal('input1');
+      });
+    });
+    it('propagates to searchParams', function () {
+      simulateRequestScope(function () {
+        const value1 = trackString('input1');
+        const value2 = trackString('input2');
+        const result = new url.URL('https://user:pass@foo.com:3000/path?query1='.concat(value1).concat('&query2=', value2, '#hash'));
+        expect(tracker.getData(result.searchParams.get('query1')).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 5]
+        });
+        expect(tracker.getData(result.searchParams.get('query2')).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 5]
+        });
+      });
+    });
+  });
+  describe('basename', function () {
+    it('does not include basename in result if input is absolute', function () {
+      simulateRequestScope(function () {
+        const result = new url.URL('https://foo.com', 'http://bar.org');
+        expect(result.toString()).to.be.equal('https://foo.com/');
+      });
+    });
+    it('concatenates basename if input is not absolute', function () {
+      simulateRequestScope(function () {
+        const result = new url.URL('/foo', 'http://bar.org');
+        expect(result.toString()).to.be.equal('http://bar.org/foo');
+      });
+    });
+    it('concatenates basename protocol if input is absolute but missing protocol', function () {
+      simulateRequestScope(function () {
+        const result = new url.URL('//foo', 'http://bar.org');
+        expect(result.toString()).to.be.equal('http://foo/');
+      });
+    });
+    it('concatenates basename protocol if input is absolute but missing protocol (leading slashes)', function () {
+      simulateRequestScope(function () {
+        const result = new url.URL('//////foo', 'http://bar.org');
+        expect(result.toString()).to.be.equal('http://foo/');
+      });
+    });
+    it('does not propagate tracked basename if input is absolute', function () {
+      simulateRequestScope(function () {
+        const value = trackString('bar');
+        const result = new url.URL('https://foo.com', 'http://'.concat(value, 'org'));
+        expect(result.toString()).to.be.equal('https://foo.com/');
+        keys.forEach((key) => {
+          expect(tracker.getData(result[key])).to.be.null;
+        });
+      });
+    });
+    it('propagates tracked basename if input is not absolute', function () {
+      simulateRequestScope(function () {
+        const value = trackString('bar');
+        const result = new url.URL('/foo', 'http://'.concat(value, '.org'));
+        expect(result.toString()).to.be.equal('http://bar.org/foo');
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 9]
+        });
+        expect(tracker.getData(result.origin).tags).to.be.deep.equal({
+          UNTRUSTED: [7, 9]
+        });
+        expect(tracker.getData(result.host).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+        expect(tracker.getData(result.hostname).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 2]
+        });
+      });
+    });
+    it('propagates tracked protocol from basename if input is absolute but missing protocol', function () {
+      simulateRequestScope(function () {
+        const protocol = trackString('https');
+        const value = trackString('bar');
+        const result = new url.URL('//foo', protocol.concat('://', value, '.org'));
+        expect(result.toString()).to.be.equal('https://foo/');
+        expect(tracker.getData(result.href).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        expect(tracker.getData(result.origin).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+        expect(tracker.getData(result.protocol).tags).to.be.deep.equal({
+          UNTRUSTED: [0, 4]
+        });
+      });
+    });
+  });
+});