npm - @contrast/assess - Versions diffs - 1.31.0 → 1.32.0 - Mend

@contrast/assess 1.31.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/lib/dataflow/propagation/install/util-format.test.js ADDED Viewed

@@ -0,0 +1,336 @@
+'use strict';
+const {
+  DataflowTag: { UNTRUSTED }
+} = require('@contrast/common');
+const util = require('util');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow propagation util.format', function () {
+  let core, trackString, simulateRequestScope, tracker;
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.utilFormat.install();
+    core.assess.dataflow.propagation.jsonInstrumentation.parse.install();
+    core.assess.dataflow.propagation.jsonInstrumentation.stringify.install();
+    core.depHooks.resolve.yield(util);
+  });
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = util.format('%s:%s', value, 'bar');
+      expect(tracker.getData(result)).to.be.null;
+    }, {});
+  });
+  it('will not propagate if there instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('foo');
+        const result = util.format('%s:%s', value, 'bar');
+        expect(tracker.getData(result)).to.be.null;
+      });
+    });
+  });
+  it('will not propagate numbers', function () {
+    simulateRequestScope(function () {
+      const result = util.format(1, 2, 3);
+      expect(tracker.getData(result)).to.be.null;
+    });
+  });
+  ['%d', '%i', '%f'].forEach((frmt) => {
+    it(`will not propagate numbers using ${frmt} format string`, function () {
+      simulateRequestScope(function () {
+        const result = util.format(frmt, 1, 2, 3);
+        expect(tracker.getData(result)).to.be.null;
+      });
+    });
+  });
+  it('will not propagate untracked strings', function () {
+    simulateRequestScope(function () {
+      const result = util.format('%s', 'foo');
+      expect(tracker.getData(result)).to.be.null;
+    });
+  });
+  it('will not propagate tracked strings not in result', function () {
+    simulateRequestScope(function () {
+      const value = trackString('%s');
+      const result = util.format(value, 'foo');
+      expect(tracker.getData(result)).to.be.null;
+    });
+  });
+  it('will not propagate css', function () {
+    simulateRequestScope(function () {
+      const value = trackString('<!DOCTYPE html>');
+      const result = util.format('%c', value);
+      expect(tracker.getData(result)).to.be.null;
+    });
+  });
+  describe('%s', function() {
+    it('will propagate single tracked strings', function () {
+      simulateRequestScope(function () {
+        const value = trackString('foo');
+        const result = util.format(value);
+        expect(result).to.be.equal('foo');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          [UNTRUSTED]: [0, 2]
+        });
+      });
+    });
+    it('will propagate basic tracked strings', function () {
+      simulateRequestScope(function () {
+        const value = trackString('foo');
+        const result = util.format('%s', value);
+        expect(result).to.be.equal('foo');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          [UNTRUSTED]: [0, 2]
+        });
+      });
+    });
+    it('will propagate multiple tracked strings', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo');
+        const bar = trackString('bar');
+        const buzz = trackString('buzz');
+        const result = util.format('%s:%s %s-%s', foo, bar, 'fizz', buzz);
+        expect(result).to.be.equal('foo:bar fizz-buzz');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          [UNTRUSTED]: [0, 2, 4, 6, 13, 16]
+        });
+      });
+    });
+    it('will propagate multiple identical tracked strings', function () {
+      simulateRequestScope(function () {
+        const foo1 = trackString('foo');
+        const foo2 = trackString('foo');
+        const buzz = trackString('buzz');
+        const result = util.format('%s:%s %s-%s', foo1, foo2, 'fizz', buzz);
+        expect(result).to.be.equal('foo:foo fizz-buzz');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          [UNTRUSTED]: [0, 2, 4, 6, 13, 16]
+        });
+      });
+    });
+    it('will propagate partially tracked strings', function () {
+      simulateRequestScope(function () {
+        const foobar = trackString('foobar', { tags: { UNTRUSTED: [0, 2] } });
+        const fizzbuzz = trackString('fizzbuzz', { tags: { UNTRUSTED: [4, 7] } });
+        const result = util.format('%s===%s', foobar, fizzbuzz);
+        expect(result).to.be.equal('foobar===fizzbuzz');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          [UNTRUSTED]: [0, 2, 13, 16]
+        });
+      });
+    });
+    it('will propagate multiple tag ranges', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo', { tags: { 'FOO': [0, 2] } });
+        const bar = trackString('bar', { tags: { 'BAR': [0, 2] } });
+        const fizz = trackString('fizz', { tags: { 'FIZZ': [0, 3] } });
+        const result = util.format('%s,%s,%s', foo, bar, fizz);
+        expect(result).to.be.equal('foo,bar,fizz');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          ['FOO']: [0, 2],
+          ['BAR']: [4, 6],
+          ['FIZZ']: [8, 11]
+        });
+      });
+    });
+  });
+  describe('%j', function() {
+    it('will propagate JSON parsed string', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('{"val":"foo"}', { tags: { UNTRUSTED: [8, 10] } });
+        const fooJSON = JSON.parse(foo);
+        const result = util.format('%j', fooJSON);
+        expect(result).to.be.equal('{"val":"foo"}');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          [UNTRUSTED]: [8, 10]
+        });
+      });
+    });
+    it('will propagate JSON parseable object', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo');
+        const bar = trackString('bar');
+        const result = util.format('%j', { val1: foo, val2: bar });
+        expect(result).to.be.equal('{"val1":"foo","val2":"bar"}');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          [UNTRUSTED]: [9, 11, 22, 24]
+        });
+      });
+    });
+    it('will propagate multiple objects', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo');
+        const bar = trackString('bar');
+        const result = util.format('%j===%j', { val1: foo }, { val2: bar });
+        expect(result).to.be.equal('{"val1":"foo"}==={"val2":"bar"}');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          [UNTRUSTED]: [9, 11, 26, 28]
+        });
+      });
+    });
+    it('will propagate identical objects', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo');
+        const result = util.format('%j===%j', { val1: foo }, { val2: foo });
+        expect(result).to.be.equal('{"val1":"foo"}==={"val2":"foo"}');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          [UNTRUSTED]: [9, 11, 26, 28]
+        });
+      });
+    });
+    it('will propagate multiple tag ranges', function () {
+      simulateRequestScope(function () {
+        const foo = trackString('foo', { tags: { 'FOO': [0, 2] } });
+        const bar = trackString('bar', { tags: { 'BAR': [0, 2] } });
+        const fizz = trackString('fizz', { tags: { 'FIZZ': [0, 3] } });
+        const result = util.format('%j,%j,%j', { val: foo }, { val: bar }, { val: fizz });
+        expect(result).to.be.equal('{"val":"foo"},{"val":"bar"},{"val":"fizz"}');
+        expect(tracker.getData(result).tags).to.be.deep.equal({
+          ['FOO']: [8, 10],
+          ['BAR']: [22, 24],
+          ['FIZZ']: [36, 39]
+        });
+      });
+    });
+  });
+  describe('%o', function() {
+    //TO DO: NODE-3235
+    ['%o', '%O'].forEach((frmt) => {
+      it(`${frmt} works but does not propagate`, function() {
+        simulateRequestScope(function () {
+          const foo = trackString('foo');
+          const result = util.format(frmt, { val: foo });
+          expect(result).to.be.equal("{ val: 'foo' }");
+          expect(tracker.getData(result)).to.be.null;
+        });
+      });
+    });
+  });
+  it('will propagate special character % correctly', function() {
+    simulateRequestScope(function () {
+      const foo = trackString('foo');
+      const result = util.format('%%%s%%', foo);
+      expect(result).to.be.equal('%foo%');
+      expect(tracker.getData(result).tags).to.be.deep.equal({
+        [UNTRUSTED]: [1, 3]
+      });
+    });
+  });
+  it('will propagate strings without format strings', function() {
+    simulateRequestScope(function () {
+      const foo = trackString('foo');
+      const bar = trackString('bar');
+      const buzz = trackString('buzz');
+      const result = util.format(foo, bar, 'fizz', buzz);
+      expect(result).to.be.equal('foo bar fizz buzz');
+      expect(tracker.getData(result).tags).to.be.deep.equal({
+        [UNTRUSTED]: [0, 2, 4, 6, 13, 16]
+      });
+    });
+  });
+  it('will propagate mix of string and number format strings', function() {
+    simulateRequestScope(function () {
+      const foo = trackString('foo');
+      const bar = trackString('bar');
+      const result = util.format('%s===%d===%s===%i', foo, 42, bar, 1.3);
+      expect(result).to.be.equal('foo===42===bar===1');
+      expect(tracker.getData(result).tags).to.be.deep.equal({
+        [UNTRUSTED]: [0, 2, 11, 13]
+      });
+    });
+  });
+  it('will propagate mix of string and JSON format strings', function() {
+    simulateRequestScope(function () {
+      const foo = trackString('foo');
+      const bar = trackString('bar');
+      const fizz = trackString('fizz');
+      const result = util.format('%s===%j===%s===%j', foo, { value: bar }, fizz, { value: 'buzz' });
+      expect(result).to.be.equal('foo==={"value":"bar"}===fizz==={"value":"buzz"}');
+      expect(tracker.getData(result).tags).to.be.deep.equal({
+        [UNTRUSTED]: [0, 2, 16, 18, 24, 27]
+      });
+    });
+  });
+  it('will propagate when number of format strings > number of arguments', function() {
+    simulateRequestScope(function () {
+      const foo = trackString('foo');
+      const result = util.format('%s===%s', foo);
+      expect(result).to.be.equal('foo===%s');
+      expect(tracker.getData(result).tags).to.be.deep.equal({
+        [UNTRUSTED]: [0, 2]
+      });
+    });
+  });
+  it('will propagate when number of format strings < number of arguments', function() {
+    simulateRequestScope(function () {
+      const foo = trackString('foo');
+      const bar = trackString('bar');
+      const result = util.format('==%s==', foo, bar);
+      expect(result).to.be.equal('==foo== bar');
+      expect(tracker.getData(result).tags).to.be.deep.equal({
+        [UNTRUSTED]: [2, 4, 8, 10]
+      });
+    });
+  });
+  it('will not error when number of format strings < number of arguments (obj)', function() {
+    simulateRequestScope(function () {
+      const foo = trackString('foo');
+      const bar = trackString('bar');
+      const result = util.format('==%o==', { foo }, { bar });
+      expect(result).to.be.equal("=={ foo: 'foo' }== { bar: 'bar' }");
+    });
+  });
+});

package/lib/dataflow/propagation/install/validator/hooks.test.js ADDED Viewed

@@ -0,0 +1,211 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const {
+  DataflowTag: {
+    HTML_ENCODED,
+    LIMITED_CHARS,
+    UNTRUSTED,
+  }
+} = require('@contrast/common');
+const { validators, untrackers } = require('./methods');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow propagation validator', function () {
+  let core, simulateRequestScope, trackString, tracker, validatorFiles, validator;
+  // This setup is very expensive, so we only do it once.
+  before(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    core.config.assess.trust_custom_validators = true;
+    sinon.spy(core.patcher, 'patch');
+    tracker = core.assess.dataflow.tracker;
+    validatorFiles = {};
+    validator = {};
+    // most validator methods export a function with a circular default prop:
+    // <ref *1> [Function: escape] { default: [Circular *1] }
+    core.depHooks.resolve.callsFake((details, callback) => {
+      const [, method] = details.file.split('/');
+      validatorFiles[method] = sinon.stub().returns(true);
+      validatorFiles[method].default = validatorFiles[method];
+      validator[method] = callback(validatorFiles[method]);
+    });
+    // some, like isAlpha, export an object:
+    // { default: [Function: isAlpha], locales: [...] }
+    core.depHooks.resolve
+      .withArgs({ name: 'validator', file: 'lib/isAlpha' })
+      .callsFake((_, callback) => {
+        validatorFiles.isAlpha = { default: sinon.stub().returns(true) };
+        validator.isAlpha = callback(validatorFiles.isAlpha).default;
+      });
+    core.assess.dataflow.propagation.validatorInstrumentation.install();
+  });
+  it('patches every validator.js method', function () {
+    Object.keys(validators).forEach(method => {
+      expect(core.patcher.patch).to.have.been.calledWith(validatorFiles[method]);
+    });
+    untrackers.forEach(method => {
+      expect(core.patcher.patch).to.have.been.calledWith(validatorFiles[method]);
+    });
+    // sanitizers
+    expect(core.patcher.patch).to.have.been.calledWith(validatorFiles.escape);
+    // custom
+    expect(core.patcher.patch).to.have.been.calledWith(validatorFiles.isEmail);
+  });
+  describe('validators', function () {
+    Object.entries(validators).forEach(([method, tag]) => {
+      it(`${method}() tags with the correct tag`, function () {
+        simulateRequestScope(() => {
+          const extern = trackString('foo', {
+            tags: {
+              [UNTRUSTED]: [0, 2]
+            },
+            history: [{ mock: 'sourceEvent' }]
+          });
+          validator[method](extern);
+          expect(tracker.getData(extern).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 2],
+            [tag]: [0, 2]
+          });
+        });
+      });
+      it(`${method}() does not tag if validator returns false`, function () {
+        // .default covers both function and object export files
+        validatorFiles[method].default.returns(false);
+        simulateRequestScope(() => {
+          const extern = trackString('foo', {
+            tags: {
+              [UNTRUSTED]: [0, 2]
+            },
+            history: [{ mock: 'sourceEvent' }]
+          });
+          validator[method](extern);
+          expect(tracker.getData(extern).tags).to.deep.equal({
+            [UNTRUSTED]: [0, 2],
+          });
+        });
+      });
+    });
+  });
+  describe('untrackers', function () {
+    it('equals() untracks tracked strings', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo', {
+          tags: {
+            [UNTRUSTED]: [0, 2]
+          },
+          history: [{ mock: 'sourceEvent' }]
+        });
+        validator.equals(extern);
+        expect(tracker.getData(extern)).to.be.null;
+      });
+    });
+    it('equals() does not untrack if validator returns false', function () {
+      validatorFiles.equals.returns(false);
+      simulateRequestScope(() => {
+        const extern = trackString('foo', {
+          tags: {
+            [UNTRUSTED]: [0, 2]
+          },
+          history: [{ mock: 'sourceEvent' }]
+        });
+        validator.equals(extern);
+        expect(tracker.getData(extern).tags).to.deep.equal({
+          [UNTRUSTED]: [0, 2]
+        });
+      });
+    });
+  });
+  describe('sanitizers', function () {
+    it('escape() adds correct tags to results if tracked ', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo', {
+          tags: {
+            [UNTRUSTED]: [0, 2]
+          },
+          history: [{ mock: 'sourceEvent' }]
+        });
+        validatorFiles.escape.returns(extern);
+        const ret = validator.escape(extern);
+        expect(tracker.getData(ret).tags).to.deep.equal({
+          [UNTRUSTED]: [0, 2],
+          [HTML_ENCODED]: [0, 2]
+        });
+      });
+    });
+    it('escape() tracks result if untracked', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('<script>', {
+          tags: {
+            [UNTRUSTED]: [0, 7]
+          },
+          history: [{ mock: 'sourceEvent' }]
+        });
+        validatorFiles.escape.returns('&lt;script&rt;');
+        const ret = validator.escape(extern);
+        expect(tracker.getData(ret).tags).to.deep.equal({
+          [UNTRUSTED]: [0, 7],
+          [HTML_ENCODED]: [0, 13]
+        });
+      });
+    });
+  });
+  describe('custom', function () {
+    it('isEmail() tags with the correct tag', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('foo@bar.com', {
+          tags: {
+            [UNTRUSTED]: [0, 10]
+          },
+          history: [{ mock: 'sourceEvent' }]
+        });
+        validator.isEmail(extern);
+        expect(tracker.getData(extern).tags).to.deep.equal({
+          [UNTRUSTED]: [0, 10],
+          [LIMITED_CHARS]: [0, 10]
+        });
+      });
+    });
+    it('isEmail() does not tag when require_display_name is true', function () {
+      simulateRequestScope(() => {
+        const extern = trackString('FOO <foo@bar.com>', {
+          tags: {
+            [UNTRUSTED]: [0, 10]
+          },
+          history: [{ mock: 'sourceEvent' }]
+        });
+        validator.isEmail(extern, { require_display_name: true });
+        expect(tracker.getData(extern).tags).to.deep.equal({
+          [UNTRUSTED]: [0, 10]
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/index.test.js ADDED Viewed

@@ -0,0 +1,78 @@
+'use strict';
+const { Event } = require('@contrast/common');
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const MODULES = ['fastify', 'koa', 'postgres', 'http', 'mssql', 'marsdb', 'express', 'hapi'];
+describe('assess dataflow sinks', function () {
+  let core, sinks, simulateRequestScope;
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+    sinon.spy(core.messages, 'emit');
+    const moduleMock = (name) => (deps) => {
+      deps.assess.dataflow.sinks[name] = { install: sinon.stub() };
+    };
+    sinks = proxyquire('.', {
+      './install/fastify': moduleMock('fastify'),
+      './install/hapi': moduleMock('hapi'),
+      './install/koa': moduleMock('koa'),
+      './install/child-process': moduleMock('child-process'),
+      './install/fs': moduleMock('fs'),
+      './install/postgres': moduleMock('postgres'),
+      './install/http': moduleMock('http'),
+      './install/mssql': moduleMock('mssql'),
+      './install/mysql': moduleMock('mysql'),
+      './install/mongodb': moduleMock('mongodb'),
+      './install/sqlite3': moduleMock('sqlite3'),
+      './install/sequelize': moduleMock('sequelize'),
+      './install/marsdb': moduleMock('marsdb'),
+      './install/express': moduleMock('express'),
+      './install/vm': moduleMock('vm'),
+      './install/function': moduleMock('function'),
+      './install/eval': moduleMock('eval'),
+      './install/libxmljs': moduleMock('libxmljs'),
+      './install/node-serialize': moduleMock('nodeSerialize')
+    })(core);
+  });
+  it('installs its components', function () {
+    expect(sinks).to.respondTo('isVulnerable');
+    expect(sinks).to.respondTo('isSafeContentType');
+    sinks.install();
+    MODULES.forEach((module) => {
+      expect(sinks[module].install).to.have.been.called;
+    });
+  });
+  it('reportFindings()', function () {
+    const data = { name: 'ivan' };
+    sinks.reportFindings(data);
+    expect(core.messages.emit).to.have.been.calledWith(
+      Event.ASSESS_DATAFLOW_FINDING,
+      sinon.match(data),
+    );
+    const anotherData = { name: 'petar' };
+    simulateRequestScope(function () {
+      const store = core.scopes.sources.getStore();
+      sinks.reportFindings(anotherData);
+      expect(core.messages.emit).to.have.been.calledWith(
+        Event.ASSESS_DATAFLOW_FINDING,
+        sinon.match({
+          sourceInfo: store.sourceInfo,
+          ...anotherData
+        })
+      );
+    });
+  });
+});