@contrast/assess 1.31.0 → 1.32.0

package/lib/dataflow/utils/is-vulnerable.test.js

@@ -0,0 +1,115 @@
+'use strict';
+
+const { expect } = require('chai');
+const { isVulnerable } = require('./is-vulnerable');
+
+describe('assess dataflow utils isVulnerable', function() {
+  [
+    {
+      args: [
+        'untrusted',
+        ['ant'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [4, 104],
+        },
+      ],
+      desc: 'encompasses all',
+      expected: false,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [0, 0],
+          cat: [1, 1, 2, 2, 4, 8],
+        },
+      ],
+      desc: 'no overlaps',
+      expected: true,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [0, 0],
+          cat: [1, 1, 2, 2, 3, 8],
+        },
+      ],
+      desc: 'no overlaps',
+      expected: true,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [0, 0],
+          cat: [1, 5, 3, 8],
+        },
+      ],
+      desc: 'no overlaps',
+      expected: true,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [4, 5],
+        },
+      ],
+      desc: 'no overlaps',
+      expected: true,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat', 'dog'],
+        {
+          untrusted: [8, 14],
+          ant: [4, 5, 7, 10],
+          cat: [6, 9],
+          dog: [9, 18],
+        },
+      ],
+      desc: 'encompasses all',
+      expected: false,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat', 'dog'],
+        {
+          ant: [4, 5, 7, 10],
+          cat: [6, 9],
+          dog: [9, 18],
+        },
+      ],
+      desc: 'when no target tags found',
+      expected: false,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant'],
+        {
+          untrusted: [4, 5, 7, 10],
+          ant: [4, 5, 7, 10],
+        },
+      ],
+      desc: 'when there are multiple ranges but they are all covered',
+      expected: false,
+    },
+  ].forEach(({ args, desc, expected }) => {
+    it(`${desc} returns ${expected}`, function() {
+      expect(isVulnerable(...args)).to.equal(expected);
+    });
+  });
+});

package/lib/event-factory.test.js

@@ -0,0 +1,321 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { InputType } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+const os = require('os');
+
+const testMethod = os.platform() === 'win32' ? describe.skip : describe;
+
+testMethod('assess event-factory', function () {
+  let core, createSourceEvent, createPropagationEvent, createSinkEvent;
+
+  beforeEach(function () {
+    ({ core } = initAssessFixture());
+    ({
+      createSourceEvent,
+      createPropagationEvent,
+      createSinkEvent
+    } = require('./event-factory')(core));
+  });
+
+  describe('createSourceEvent', function () {
+    [
+      {
+        data: {},
+        invalidProp: 'result',
+      },
+      {
+        data: { result: { tracked: true, value: 'foo' } },
+        invalidProp: 'name',
+      },
+      {
+        data: {
+          name: 'frogs',
+          result: { tracked: true, value: 'foo' },
+          inputType: 'bad-value',
+        },
+        invalidProp: 'inputType',
+      },
+      {
+        data: {
+          name: 'frogs',
+          result: { tracked: true, value: 'foo' },
+          inputType: InputType.QUERYSTRING,
+        },
+        invalidProp: 'tags',
+        message: 'event has no tags'
+      }
+    ].forEach(({
+      data,
+      invalidProp,
+      message = `invalid ${invalidProp}`,
+    }) => {
+      it(`will not create event when props are invalid: ${message}`, function () {
+        const event = createSourceEvent(data);
+        expect(event).to.equal(null);
+        expect(core.logger.debug).to.have.been.calledWith(
+          sinon.match.object,
+          'Source event not created: %s',
+          message
+        );
+      });
+    });
+
+    [
+      {
+        data: {
+          name: 'COOKIE_VALUE.frogs',
+          result: { tracked: true, value: 'foo' },
+          inputType: InputType.COOKIE_VALUE,
+          tags: {
+            untrusted: [0, 4],
+            cookie: [0, 4],
+          },
+          stack: [],
+        },
+      }
+    ].forEach(({ data, expected }) => {
+      it('returns the event data when validated', function () {
+        const event = createSourceEvent(data);
+        expect(event).to.equal(data);
+        expect(core.logger.debug).not.to.have.been.called;
+      });
+    });
+  });
+
+  describe('createPropagationEvent', function () {
+    const validData = {
+      name: 'String.prototype.concat',
+      history: [{ mock: 'SourceEvent' }],
+      object: {
+        value: 'test',
+        tracked: true
+      },
+      args: [{ value: '-another-test', tracked: false }],
+      result: {
+        value: 'test-another-test',
+        tracked: true
+      },
+      source: 'O',
+      target: 'R',
+      tags: { untrusted: [0, 3] }
+    };
+    const validStore = {
+      assess: {
+        propagationEventsCount: 0
+      }
+    };
+    const validResult = {
+      name: 'String.prototype.concat',
+      history: [{ mock: 'SourceEvent' }],
+      object: {
+        value: 'test',
+        tracked: true
+      },
+      args: [{ value: '-another-test', tracked: false }],
+      result: {
+        value: 'test-another-test',
+        tracked: true
+      },
+      tags: { untrusted: [0, 3] },
+      addedTags: [],
+      removedTags: [],
+      source: 'O',
+      target: 'R'
+    };
+
+    it('logs a debug statement for missing source context and returns null when executed in the wrong context', function () {
+      core.scopes.sources.run({}, function () {
+        const result = createPropagationEvent(validData);
+
+        expect(core.logger.debug).to.have.been.calledOnceWith(
+          sinon.match.object,
+          'No sourceContext found during Propagation event creation'
+        );
+        expect(result).to.be.null;
+      });
+    });
+
+    it('logs a debug statement for going above the maximum propagation events limit and returns null when we are above the said limit', function () {
+      core.scopes.sources.run({ assess: { propagationEventsCount: 500 } }, function () {
+        const result = createPropagationEvent(validData);
+
+        expect(core.logger.debug).to.have.been.calledOnceWith(
+          sinon.match.object,
+          'Maximum number of Propagation events reached. Event not created'
+        );
+        expect(result).to.be.null;
+      });
+
+    });
+
+    [
+      {
+        data: { ...validData, name: '' },
+        message: 'invalid name',
+      },
+      {
+        data: { ...validData, source: undefined },
+        message: 'invalid source',
+      },
+      {
+        data: { ...validData, history: [] },
+        message: 'invalid history',
+      },
+      {
+        data: { ...validData, source: 'S' },
+        message: 'invalid source',
+      },
+      {
+        data: { ...validData, target: 'T' },
+        message: 'invalid target',
+      },
+    ].forEach(({ data, message }) => {
+      it(`logs a debug statement when insufficient data is passed and returns null: ${message}`, function () {
+        core.scopes.sources.run(validStore, function () {
+          const result = createPropagationEvent(data);
+
+          expect(core.logger.debug).to.have.been.calledOnceWith(
+            sinon.match.object,
+            'Propagation event not created: %s',
+            message,
+          );
+          expect(result).to.be.null;
+        });
+      });
+    });
+
+    it('returns an event with stacktrace generator function when stacktraces option is set to "ALL"', function () {
+      core.config.assess.stacktraces = 'ALL';
+      core.scopes.sources.run(validStore, function () {
+        const result = createPropagationEvent(validData);
+
+        expect(result).to.be.like(validResult);
+        expect(result.time).not.to.be.undefined;
+        expect(result.stack).to.be.an('array');
+      });
+    });
+
+    it('returns an event without stacktrace generator function when stacktraces option is not set to "ALL"', function () {
+      core.config.assess.stacktraces = 'SOME';
+      core.scopes.sources.run(validStore, function () {
+        const result = createPropagationEvent(validData);
+
+        expect(result).to.be.like(validResult);
+        expect(result.time).not.to.be.undefined;
+        expect(result.stack).to.deep.equal([]);
+      });
+    });
+  });
+
+  describe('createSinkEvent', function () {
+    const validData = {
+      name: 'mysql/lib/Connection.query',
+      history: [{ mock: 'SourceEvent' }],
+      object: {
+        value: 'MySQL.Query#0001',
+        tracked: false
+      },
+      args: [{ value: 'malicious-value', tracked: true }],
+      result: {
+        value: null,
+        tracked: false
+      },
+      tags: { untrusted: [0, 14] },
+      source: 'P0'
+    };
+    const validStore = {
+      assess: {
+        propagationEventsCount: 0
+      }
+    };
+    const validResult = {
+      name: 'mysql/lib/Connection.query',
+      history: [{ mock: 'SourceEvent' }],
+      object: {
+        value: 'MySQL.Query#0001',
+        tracked: false
+      },
+      args: [{ value: 'malicious-value', tracked: true }],
+      result: {
+        value: null,
+        tracked: false
+      },
+      tags: { untrusted: [0, 14] },
+      source: 'P0',
+    };
+
+    it('logs a debug statement for missing source context and returns null when executed in the wrong context', function () {
+      core.scopes.sources.run({}, function () {
+        const result = createSinkEvent(validData);
+
+        expect(core.logger.debug).to.have.been.calledOnceWith(
+          sinon.match.object,
+          'no sourceContext found during sink event creation'
+        );
+        expect(result).to.be.null;
+      });
+    });
+
+    [
+      {
+        data: {
+          ...validData,
+          name: '',
+        },
+        message: 'no sink event name'
+      },
+      {
+        data: {
+          ...validData,
+          history: []
+        },
+        message: 'empty history for sink event'
+      },
+      {
+        data: {
+          ...validData,
+          source: 'S'
+        },
+        message: 'malformed or missing sink event source field',
+      },
+    ].forEach(({ data, message }) => {
+      it(`logs a debug statement when insufficient data is passed and returns null: ${message}`, function () {
+        core.scopes.sources.run(validStore, function () {
+          const result = createSinkEvent(data);
+
+          expect(core.logger.debug).to.have.been.calledWith(
+            sinon.match.object,
+            message
+          );
+          expect(result).to.be.null;
+        });
+      });
+    });
+
+    it('returns an event with stacktrace generator function when stacktraces option is not set to "NONE"', function () {
+      core.config.assess.stacktraces = 'ALL';
+      core.scopes.sources.run(validStore, function () {
+        const result = createSinkEvent(validData);
+
+        expect(result).to.be.like(validResult);
+        expect(result.time).not.to.be.undefined;
+        expect(result.stack).to.be.instanceOf(Array);
+      });
+    });
+
+    it('returns an event without stacktrace generator function when stacktraces option is set to "NONE"', function () {
+      core.config.assess.stacktraces = 'NONE';
+      core.scopes.sources.run(validStore, function () {
+        const result = createSinkEvent(validData);
+
+        expect(result).to.be.like(validResult);
+        expect(result.time).not.to.be.undefined;
+        expect(result.stack).to.deep.equal([]);
+      });
+    });
+  });
+});

package/lib/get-policy.test.js

@@ -0,0 +1,194 @@
+'use strict';
+
+const { expect } = require('chai');
+const { Event } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess getPolicy', function () {
+  let core, getPolicy;
+
+  beforeEach(function () {
+    ({ core } = initAssessFixture());
+    getPolicy = require('./get-policy')(core);
+  });
+
+  function assertPolicyOK(policy) {
+    expect(policy).to.have.property('enabledRules').and.be.a('Set').not.empty;
+    expect(policy).to.have.property('getInputPolicy').and.be.a('Function');
+  }
+
+  it('inits policy and will adjust according to TS settings updates', function() {
+    let policy = getPolicy();
+
+    expect(policy.enabledRules).to.have.length.greaterThan(1);
+    expect(policy.enabledRules).to.contain('reflected-xss');
+
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+      assess: {
+        ['sql-injection']: { enable: true },
+        ['reflected-xss']: { enable: false },
+      }
+    });
+
+    policy = getPolicy();
+
+    expect(policy.enabledRules).to.contain('sql-injection');
+    expect(policy.enabledRules).not.to.contain('reflected-xss');
+  });
+
+  it('url exclusions can disable all rules', function() {
+    const uriPath = '/exclude-all-rules';
+    let policy = getPolicy({ uriPath });
+
+    assertPolicyOK(policy);
+
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+      exclusions: {
+        url: [{
+          urls: ['/exclude-all-rules'],
+          matchStrategy: 'ONLY',
+          assessmentRules: [],
+          assess_rules: [],
+          protect_rules: [],
+          modes: ['assess', 'defend'],
+          name: 'UrlExclusionAllRules'
+        }]
+      }
+    });
+
+    policy = getPolicy({ uriPath });
+    expect(policy).to.be.null;
+  });
+
+  it('url exclusions can disable specific rules', function() {
+    const uriPath = '/exclude-some-rules';
+    let policy = getPolicy({ uriPath });
+
+    assertPolicyOK(policy);
+
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+      exclusions: {
+        url: [{
+          urls: ['/exclude-some-rules'],
+          matchStrategy: 'ONLY',
+          assessmentRules: [],
+          assess_rules: ['sql-injection'],
+          protect_rules: [],
+          modes: ['assess', 'defend'],
+          name: 'UrlExclusionAllRules'
+        }]
+      }
+    });
+
+    policy = getPolicy({ uriPath });
+    expect(policy.enabledRules).not.to.contain('sql-injection');
+  });
+
+  [
+    {
+      inputType: 'HEADER',
+      exclusionType: 'HEADER',
+    },
+    {
+      inputType: 'QUERYSTRING',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'BODY',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'URL_PARAMETER',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'COOKIE_VALUE',
+      exclusionType: 'COOKIE',
+    },
+  ].forEach(({ inputType, exclusionType }) => {
+    it(`input exclusions can exclude specific rules (input: ${inputType}, exclusion:${exclusionType})`, function() {
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+        exclusions: {
+          input: [{
+            type: exclusionType,
+            urls: ['/exclude-some-inputs', '/exclude-some-inputs-.*'],
+            matchStrategy: 'ONLY',
+            assessmentRules: [],
+            assess_rules: ['sql-injection', 'nosql-injection'],
+            protect_rules: [],
+            modes: ['assess', 'defend'],
+            name: 'abc.*'
+          }]
+        }
+      });
+
+      const policy = getPolicy({ uriPath: '/exclude-some-inputs' });
+      let inputPolicy = policy.getInputPolicy(inputType, 'abcdef');
+      expect(inputPolicy).to.have.property('track', true);
+      expect(inputPolicy).to.have.property('excludedRules')
+        .to.be.a('Set')
+        .and.have.lengthOf(2)
+        .and.contain('nosql-injection')
+        .and.contain('sql-injection');
+
+      inputPolicy = policy.getInputPolicy(inputType, 'xyz');
+      expect(inputPolicy).to.have.property('track', true);
+      expect(inputPolicy).to.have.property('excludedRules')
+        .to.be.a('Set')
+        .and.have.lengthOf(0);
+    });
+  });
+
+  [
+    {
+      inputType: 'HEADER',
+      exclusionType: 'HEADER',
+    },
+    {
+      inputType: 'QUERYSTRING',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'BODY',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'URL_PARAMETER',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'COOKIE_VALUE',
+      exclusionType: 'COOKIE',
+    },
+  ].forEach(({ inputType, exclusionType }) => {
+    it(`input exclusions can exclude specific rules (input: ${inputType}, exclusion:${exclusionType})`, function() {
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+        exclusions: {
+          input: [{
+            type: exclusionType,
+            urls: ['/exclude-some-inputs', '/exclude-some-inputs-.*'],
+            matchStrategy: 'ONLY',
+            assessmentRules: [],
+            assess_rules: [],
+            protect_rules: [],
+            modes: ['assess', 'defend'],
+            name: 'abc.*'
+          }]
+        }
+      });
+
+      const policy = getPolicy({ uriPath: '/exclude-some-inputs' });
+      let inputPolicy;
+
+      inputPolicy = policy.getInputPolicy(inputType, 'abcdef');
+      expect(inputPolicy).to.have.property('track', false);
+      expect(inputPolicy).not.to.have.property('excludedRules');
+
+      inputPolicy = policy.getInputPolicy(inputType, 'xyz');
+      expect(inputPolicy).to.have.property('track', true);
+      expect(inputPolicy).to.have.property('excludedRules')
+        .to.be.a('Set')
+        .and.have.lengthOf(0);
+    });
+  });
+});