npm - @contrast/assess - Versions diffs - 1.31.0 → 1.32.0 - Mend

@contrast/assess 1.31.0 → 1.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (154) hide show

package/lib/dataflow/sinks/install/mssql.test.js ADDED Viewed

@@ -0,0 +1,136 @@
+'use strict';
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED }
+} = require('@contrast/common');
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks mssql', function () {
+  let core, simulateRequestScope, trackString, tracker, reportFindings, reportSafePositive;
+  class PreparedStatement {
+    prepare() { }
+  }
+  class Request {
+    batch() { }
+    query() { }
+  }
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    core.depHooks.resolve
+      .withArgs({ name: 'mssql', file: 'lib/base/prepared-statement.js' })
+      .yields(PreparedStatement);
+    core.depHooks.resolve
+      .withArgs({ name: 'mssql', file: 'lib/base/request.js' })
+      .yields(Request);
+    require('./mssql')(core).install();
+  });
+  [
+    { subject: PreparedStatement, method: 'prepare', name: 'mssql/lib/base/prepared-statement.prototype.prepare' },
+    { subject: Request, method: 'batch', name: 'mssql/lib/base/request.prototype.batch' },
+    { subject: Request, method: 'query', name: 'mssql/lib/base/request.prototype.query' },
+  ].forEach(({ subject, method, name }) => {
+    describe(`${subject.name}.prototype.${method}()`, function () {
+      it('skips instrumentation if assess store is missing', function () {
+        subject.prototype[method]();
+        expect(reportFindings).not.to.have.been.called;
+      });
+      it('skips instrumentation if no argument is provided', function () {
+        simulateRequestScope(function () {
+          subject.prototype[method]();
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if the argument is not a string', function () {
+        simulateRequestScope(function () {
+          subject.prototype[method]({});
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if the argument is not tracked', function () {
+        simulateRequestScope(function () {
+          subject.prototype[method]('hello');
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if the argument is safe', function () {
+        simulateRequestScope(function () {
+          const extern = trackString(';drop table Foo--', {
+            tags: {
+              [SQL_ENCODED]: [0, 16],
+              [UNTRUSTED]: [0, 16],
+            },
+          });
+          subject.prototype[method](extern);
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('reports an sql-injection', function () {
+        simulateRequestScope(function () {
+          const value = ';drop table Foo--';
+          const extern = trackString(value);
+          subject.prototype[method](extern);
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'sql-injection',
+            sinkEvent: {
+              name,
+              moduleName: 'mssql',
+              methodName: `PreparedStatement.prototype.${method}`,
+              context: `mssql.PreparedStatement.${method}('${value}')`,
+              object: {
+                value: sinon.match(subject.name),
+                tracked: false,
+              },
+              args: [{ value, tracked: true }],
+              tags: { [UNTRUSTED]: [0, 16] },
+              source: 'P0',
+            },
+          });
+        });
+      });
+      it('reports safe positive', function () {
+        simulateRequestScope(function () {
+          const extern = trackString(';drop table Foo--', {
+            tags: {
+              [SQL_ENCODED]: [0, 16],
+              [UNTRUSTED]: [0, 16],
+            },
+          });
+          const strInfo = tracker.getData(extern);
+          subject.prototype[method](extern);
+          expect(reportSafePositive).to.have.been.calledWithMatch({
+            name,
+            ruleId: 'sql-injection',
+            safeTags: [
+              SQL_ENCODED,
+            ],
+            strInfo: {
+              tags: strInfo.tags,
+              value: strInfo.value,
+            }
+          });
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/mysql.test.js ADDED Viewed

@@ -0,0 +1,233 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks mysql', function () {
+  let Connection, connection, core, simulateRequestScope, trackString, tracker, reportFindings;
+  beforeEach(function () {
+    Connection = function () { };
+    Connection.prototype.query = sinon.stub();
+    connection = function () { };
+    connection.prototype.query = sinon.stub();
+    connection.prototype.execute = sinon.stub();
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    core.depHooks.resolve
+      .withArgs({ name: 'mysql', file: 'lib/Connection' })
+      .yields(Connection);
+    core.depHooks.resolve
+      .withArgs({ name: 'mysql2', file: 'lib/connection' })
+      .yields(connection);
+    core.depHooks.resolve
+      .withArgs({ name: 'mysql2', file: 'lib/connection' })
+      .yields(connection);
+    require('./mysql')(core).install();
+  });
+  describe('mysql', function () {
+    it('skips instrumentation if assess store is missing', function () {
+      const conn = new Connection();
+      conn.query('SELECT "foo"');
+      expect(reportFindings).not.to.have.been.called;
+    });
+    it('skips instrumentation if no argument is provided', function () {
+      simulateRequestScope(function () {
+        const conn = new Connection();
+        conn.query();
+        expect(reportFindings).not.to.have.been.called;
+      });
+    });
+    it('skips instrumentation if the argument is not a string', function () {
+      simulateRequestScope(function () {
+        const conn = new Connection();
+        conn.query({});
+        expect(reportFindings).not.to.have.been.called;
+      });
+    });
+    it('skips instrumentation if the argument is not tracked', function () {
+      simulateRequestScope(function () {
+        const conn = new Connection();
+        conn.query('SELECT "foo"');
+        expect(reportFindings).not.to.have.been.called;
+      });
+    });
+    it('skips instrumentation if the argument is safe', function () {
+      simulateRequestScope(function () {
+        const extern = trackString(';drop table Foo--', {
+          tags: {
+            SQL_ENCODED: [0, 16],
+            UNTRUSTED: [0, 16],
+          },
+        });
+        const conn = new Connection();
+        conn.query(extern);
+        expect(reportFindings).not.to.have.been.called;
+      });
+    });
+    it('reports an sql-injection (arg0 string)', function () {
+      simulateRequestScope(function () {
+        const value = ';drop table Foo--';
+        const extern = trackString(value);
+        const conn = new Connection();
+        conn.query(extern);
+        expect(reportFindings).to.have.been.calledWithMatch({
+          ruleId: 'sql-injection',
+          sinkEvent: {
+            name: 'mysql/lib/Connection.query',
+            moduleName: 'mysql',
+            methodName: 'prototype.query',
+            context: `mysql.query('${value}')`,
+            object: {
+              value: 'mysql.Connection',
+              tracked: false,
+            },
+            args: [{ value, tracked: true }],
+            tags: { UNTRUSTED: [0, 16] },
+            source: 'P0',
+          },
+        });
+      });
+    });
+    it('reports an sql-injection (arg0 obj)', function () {
+      simulateRequestScope(function () {
+        const value = ';drop table Foo--';
+        const extern = trackString(value);
+        const conn = new Connection();
+        conn.query({ sql: extern });
+        expect(reportFindings).to.have.been.calledWithMatch({
+          ruleId: 'sql-injection',
+          sinkEvent: {
+            name: 'mysql/lib/Connection.query',
+            moduleName: 'mysql',
+            methodName: 'prototype.query',
+            context: `mysql.query({ sql: '${value}' })`,
+            object: {
+              value: 'mysql.Connection',
+              tracked: false,
+            },
+            args: [{ value, tracked: true }],
+            tags: { UNTRUSTED: [0, 16] },
+            source: 'P0',
+          },
+        });
+      });
+    });
+  });
+  describe('mysql2', function () {
+    ['query', 'execute'].forEach((method) => {
+      describe(`${method}`, function () {
+        it('skips instrumentation if assess store is missing', function () {
+          const conn = new connection();
+          conn[method]('SELECT "foo"');
+          expect(reportFindings).not.to.have.been.called;
+        });
+        it('skips instrumentation if no argument is provided', function () {
+          simulateRequestScope(function () {
+            const conn = new connection();
+            conn[method]();
+            expect(reportFindings).not.to.have.been.called;
+          });
+        });
+        it('skips instrumentation if the argument is not a string', function () {
+          simulateRequestScope(function () {
+            const conn = new connection();
+            conn[method]({});
+            expect(reportFindings).not.to.have.been.called;
+          });
+        });
+        it('skips instrumentation if the argument is not tracked', function () {
+          simulateRequestScope(function () {
+            const conn = new connection();
+            conn[method]('SELECT "foo"');
+            expect(reportFindings).not.to.have.been.called;
+          });
+        });
+        it('skips instrumentation if the argument is safe', function () {
+          simulateRequestScope(function () {
+            const tracked = trackString(';drop table Foo--', {
+              tags: {
+                SQL_ENCODED: [0, 16],
+                UNTRUSTED: [0, 16],
+              },
+            });
+            const { extern } = tracker.getData(tracked);
+            const conn = new connection();
+            conn[method](extern);
+            expect(reportFindings).not.to.have.been.called;
+          });
+        });
+        it('reports an sql-injection (arg0 string)', function () {
+          simulateRequestScope(function () {
+            const value = ';drop table Foo--';
+            const extern = trackString(value);
+            const conn = new connection();
+            conn[method](extern);
+            expect(reportFindings).to.have.been.calledWithMatch({
+              ruleId: 'sql-injection',
+              sinkEvent: {
+                name: `mysql2/lib/connection.Connection.${method}`,
+                object: {
+                  value: 'mysql2.connection',
+                  tracked: false,
+                },
+                args: [{ value, tracked: true }],
+                tags: { UNTRUSTED: [0, 16] },
+                source: 'P0',
+              },
+            });
+          });
+        });
+        it('reports an sql-injection (arg0 obj)', function () {
+          simulateRequestScope(function () {
+            const value = ';drop table Foo--';
+            const extern = trackString(value);
+            const conn = new connection();
+            conn[method]({ sql: extern });
+            expect(reportFindings).to.have.been.calledWithMatch({
+              ruleId: 'sql-injection',
+              sinkEvent: {
+                name: `mysql2/lib/connection.Connection.${method}`,
+                object: {
+                  value: 'mysql2.connection',
+                  tracked: false,
+                },
+                args: [{ value, tracked: true }],
+                tags: { UNTRUSTED: [0, 16] },
+                source: 'P0',
+              },
+            });
+          });
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/node-serialize.test.js ADDED Viewed

@@ -0,0 +1,85 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const serialize = require('node-serialize');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks node-serialize', function () {
+  let core, simulateRequestScope, trackString, reportFindings, serializedObj;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    core.depHooks.resolve
+      .withArgs({ name: 'node-serialize' })
+      .yields(serialize);
+    require('./node-serialize')(core).install();
+    serializedObj = '{"rce":"_$$ND_FUNC$$_function (){}()"}';
+  });
+  describe('node-serialize.unserialize', function() {
+    it('skips instrumentation if assess store is missing', function () {
+      serialize.unserialize(serializedObj);
+      expect(reportFindings).not.to.have.been.called;
+    });
+    it('skips instrumentation if no argument is provided', function () {
+      simulateRequestScope(function () {
+        serialize.unserialize(serializedObj);
+        expect(reportFindings).not.to.have.been.called;
+      });
+    });
+    it('skips instrumentation if instrumentation is locked', function () {
+      simulateRequestScope(function () {
+        core.scopes.instrumentation.run({ lock: true }, function () {
+          serialize.unserialize(serializedObj);
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+    });
+    it('skips instrumentation if the argument is not a string', function () {
+      simulateRequestScope(function () {
+        serialize.unserialize(true);
+        expect(reportFindings).not.to.have.been.called;
+      });
+    });
+    it('skips instrumentation if the argument is not tracked', function () {
+      simulateRequestScope(function () {
+        serialize.unserialize(serializedObj);
+        expect(reportFindings).not.to.have.been.called;
+      });
+    });
+    it('reports untrusted-deserialization', function () {
+      simulateRequestScope(function () {
+        const extern = trackString(serializedObj);
+        serialize.unserialize(extern);
+        expect(reportFindings).to.have.been.calledWithMatch({
+          ruleId: 'untrusted-deserialization',
+          sinkEvent: {
+            name: 'node-serialize.unserialize',
+            moduleName: 'node-serialize',
+            methodName: 'unserialize',
+            context: 'node-serialize.unserialize({"rce":"_$$ND_FUNC$$_function (){}()"})',
+            object: {
+              value: 'node-serialize',
+              tracked: false,
+            },
+            args: [{ value: serializedObj, tracked: true }],
+            tags: { UNTRUSTED: [0, 37] },
+            source: 'P0',
+          },
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/postgres.test.js ADDED Viewed

@@ -0,0 +1,158 @@
+'use strict';
+const {
+  DataflowTag: { UNTRUSTED, SQL_ENCODED },
+  Rule: { SQL_INJECTION: ruleId },
+} = require('@contrast/common');
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks postgres', function () {
+  let core, simulateRequestScope, trackString, reportFindings, reportSafePositive;
+  class Client {
+    query() { }
+  }
+  class NativeClient {
+    query() { }
+  }
+  class Pool {
+    query() { }
+  }
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    core.depHooks.resolve
+      .withArgs({ name: 'pg', file: 'lib/client.js' })
+      .yields(Client);
+    core.depHooks.resolve
+      .withArgs({ name: 'pg', file: 'lib/native/client.js' })
+      .yields(NativeClient);
+    core.depHooks.resolve.withArgs({ name: 'pg-pool' }).yields(Pool);
+    require('./postgres')(core).install();
+  });
+  [Client, NativeClient, Pool].forEach((client) => {
+    describe(`${client.name}.prototype.query()`, function () {
+      it('skips instrumentation if assess store is missing', function () {
+        client.prototype.query();
+        expect(reportFindings).to.not.have.been.called;
+      });
+      it('skips instrumentation if a query is not provided ', function () {
+        simulateRequestScope(function () {
+          client.prototype.query();
+          expect(reportFindings).to.not.have.been.called;
+        });
+      });
+      it('skips instrumentation if the query is not a string', function () {
+        simulateRequestScope(function () {
+          client.prototype.query({});
+          expect(reportFindings).to.not.have.been.called;
+        });
+      });
+      it('skips instrumentation if the query is not a tracked', function () {
+        simulateRequestScope(function () {
+          client.prototype.query('hello');
+          expect(reportFindings).to.not.have.been.called;
+        });
+      });
+      it('skips instrumentation if the query is safe', function() {
+        simulateRequestScope(function () {
+          const value = 'drop table';
+          const extern = trackString(value, {
+            tags: {
+              [SQL_ENCODED]: [0, 9],
+              [UNTRUSTED]: [0, 9],
+            },
+          });
+          client.prototype.query(extern);
+          expect(reportFindings).to.not.have.been.called;
+          expect(reportSafePositive).to.have.been.calledWithMatch({
+            name: sinon.match(/query$/),
+            ruleId,
+            safeTags: [SQL_ENCODED],
+            strInfo: {
+              tags: {
+                [SQL_ENCODED]: [0, 9],
+                [UNTRUSTED]: [0, 9],
+              },
+              value,
+            }
+          });
+        });
+      });
+      it('reports an sql-injection', function () {
+        simulateRequestScope(function () {
+          const value = 'drop table';
+          const extern = trackString(value, {
+            tags: {
+              [SQL_ENCODED]: [0, 4],
+              [UNTRUSTED]: [0, 9],
+            },
+          });
+          client.prototype.query(extern);
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId,
+            sinkEvent: {
+              name: sinon.match('query'),
+              moduleName: sinon.match('pg'),
+              methodName: 'Connection.prototype.query',
+              object: {
+                value: sinon.match('pg'),
+                tracked: false,
+              },
+              args: [{ value, tracked: true }],
+              tags: { [SQL_ENCODED]: [0, 4], [UNTRUSTED]: [0, 9] },
+              source: 'P0',
+            },
+          });
+        });
+      });
+    });
+  });
+  ['pg.native.Client.prototype.query', 'pg.Client.prototype.query'].forEach((clientType) => {
+    it(`skips calling the hook if the ${clientType} is already patched`, function () {
+      simulateRequestScope(function () {
+        const extern = trackString('drop table', {
+          tags: {
+            [SQL_ENCODED]: [0, 4],
+            [UNTRUSTED]: [0, 9],
+          },
+        });
+        Pool.prototype.Client = {
+          prototype: {
+            query: () => { }
+          }
+        };
+        core.patcher.patch(Pool.prototype.Client.prototype, 'query', {
+          name: clientType,
+          patchType: 'assess-dataflow-sink',
+          pre: () => { }
+        });
+        Pool.prototype.query(extern);
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+  });
+});