@contrast/assess 1.31.0 → 1.32.0

package/lib/dataflow/propagation/install/escape.test.js

@@ -0,0 +1,73 @@
+
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: { UNTRUSTED, WEAK_URL_ENCODED }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation escape', function () {
+  let core, trackString, simulateRequestScope, tracker;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.escape.install();
+  });
+
+  afterEach(function () {
+    core.assess.dataflow.propagation.escape.uninstall();
+    sinon.resetHistory();
+  });
+
+  [
+    {
+      str: '?test=str',
+      tags: {
+        [UNTRUSTED]: [0, 8],
+      },
+      expected: {
+        [UNTRUSTED]: [0, 12],
+        [WEAK_URL_ENCODED]: [0, 12],
+      }
+    },
+    {
+      str: 'not-tracked',
+    }
+  ].forEach(({ str, tags, expected }) => {
+    it('propagates correctly', function () {
+      simulateRequestScope(function () {
+        const value = tags ? trackString(str, { tags }) : str;
+
+        const result = escape(value);
+        const strInfo = tracker.getData(result);
+        expect(strInfo?.tags).to.deep.equal(expected);
+      });
+    });
+  });
+
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('?test=str');
+      const result = escape(value);
+      expect(tracker.getData(result)).to.be.null;
+    }, {});
+  });
+
+  it('will not propagate if there instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('?test=str');
+        const result = escape(value);
+        expect(tracker.getData(result)).to.be.null;
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/handlebars-utils-escape-expression.test.js

@@ -0,0 +1,71 @@
+'use strict';
+
+const {
+  DataflowTag: { UNTRUSTED, HTML_ENCODED }
+} = require('@contrast/common');
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation handlebars.Utils.escapeExpression', function () {
+  let core, trackString, simulateRequestScope, tracker, mockHandlebars;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    mockHandlebars = {
+      Utils: {
+        escapeExpression: (str) => `mock-escape_${str}_mock-escape`
+      }
+    };
+
+    tracker = core.assess.dataflow.tracker;
+    core.assess.dataflow.propagation.handlebarsEscapeExpression.install();
+    core.depHooks.resolve.yield(mockHandlebars);
+  });
+
+  afterEach(function () {
+    sinon.resetHistory();
+  });
+
+  it('propagates correctly', function () {
+    simulateRequestScope(function () {
+      const notTrackedValue = 'foo';
+      const trackedValue = trackString('foo');
+
+      const notTrackedResult = mockHandlebars.Utils.escapeExpression(notTrackedValue);
+      const notTrackedStrInfo = tracker.getData(notTrackedResult);
+
+      const trackedResult = mockHandlebars.Utils.escapeExpression(trackedValue);
+      const trackedStrInfo = tracker.getData(trackedResult);
+
+      expect(notTrackedStrInfo).to.be.null;
+      expect(trackedStrInfo?.tags).to.deep.equal({
+        [UNTRUSTED]: [0, trackedStrInfo.value.length - 1],
+        [HTML_ENCODED]: [0, trackedStrInfo.value.length - 1]
+      });
+    });
+  });
+
+  it('will not propagate if there is no assess context', function () {
+    simulateRequestScope(function () {
+      const value = trackString('foo');
+      const result = mockHandlebars.Utils.escapeExpression(value);
+      expect(tracker.getData(result)).to.be.null;
+    }, {});
+  });
+
+  it('will not propagate if there instrumentation is locked', function () {
+    simulateRequestScope(function () {
+      core.scopes.instrumentation.run({ lock: true }, function () {
+        const value = trackString('foo');
+        const result = mockHandlebars.Utils.escapeExpression(value);
+        expect(tracker.getData(result)).to.be.null;
+      });
+    });
+  });
+});

package/lib/dataflow/propagation/install/isnumeric-0.test.js

@@ -0,0 +1,58 @@
+'use strict';
+
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation isnumeric', function () {
+  let core, trackString, simulateRequestScope, tracker, mockIsNumeric, isNumeric, result;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope,
+      trackString
+    } = initAssessFixture());
+
+    result = 1;
+    mockIsNumeric = function (value) {
+      return result;
+    };
+    tracker = core.assess.dataflow.tracker;
+    core.depHooks.resolve.callsFake(function (_e, cb) {
+      isNumeric = cb(mockIsNumeric, { version: '0.3.3' });
+    });
+    core.assess.dataflow.propagation.isnumericInstrumentation.install();
+  });
+
+  it('will not untrack when check returns falsey', function () {
+    simulateRequestScope(function () {
+      result = false;
+      const str = trackString('foo');
+      isNumeric(str);
+      expect(tracker.getData(str)).to.deep.include({
+        context: 'UNKNOWN.val',
+        name: 'assess-dataflow-fixture',
+        fieldName: 'val',
+        pathName: 'val',
+        stack: [],
+        inputType: 'UNKNOWN',
+        tags: { UNTRUSTED: [0, 2] },
+        result: { tracked: true, value: 'foo' },
+      });
+    });
+  });
+
+  it('untracks when check returns truthy', function () {
+    simulateRequestScope(function () {
+      result = true;
+      const str = trackString('30000');
+      isNumeric(str);
+      expect(tracker.getData(str)).to.be.null;
+      expect(core.logger.trace).to.have.been.calledWithMatch({
+        funcKey: 'assess-dataflow-propagator:isnumeric',
+        sanitizer: 'isnumeric@0.3.3',
+        value: '30000',
+      }, 'untracked a string value');
+    });
+  });
+});

package/lib/dataflow/propagation/install/joi/any.test.js

@@ -0,0 +1,270 @@
+'use strict';
+
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { DataflowTag } = require('@contrast/common');
+
+describe('assess dataflow propagation joi object validator with custom or extern fn', function() {
+  let core, joi, tracker, trackString, simulateRequestScope;
+
+  beforeEach(function() {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    core.config.assess.trust_custom_validators = true;
+
+    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/any', version: '>=17.0.0' }).yields(require('joi-17/lib/types/any'));
+
+    require('./index')(core).install();
+    joi = require('joi-17');
+  });
+
+  afterEach(function() {
+    Object.keys(require.cache).forEach((key) => {
+      if (key.includes('joi')) {
+        delete require.cache[key];
+      }
+    });
+  });
+
+  it(`tracked values passing validation with a custom validator will be tagged with ${DataflowTag.CUSTOM_VALIDATED}`, function() {
+    simulateRequestScope(() => {
+      const tracked = trackString('test');
+      const schema = joi.custom((value, helper) => {
+        if (value === 'test') {
+          return value;
+        }
+
+        return helper.message('Invalid value');
+      });
+
+      const validated = schema.validate(tracked);
+      const data = tracker.getData(validated.value);
+
+      expect(tracked).to.equal(validated.value);
+      expect(validated.error).to.be.undefined;
+      expect(data.tags).to.deep.equal({
+        [DataflowTag.UNTRUSTED]: [0, 3],
+        [DataflowTag.CUSTOM_VALIDATED]: [0, 3],
+      });
+
+      expect(data.moduleName).to.equal('joi');
+      expect(data.methodName).to.equal('any.custom.validate');
+    });
+  });
+
+  it(`tracked values passing validation with a custom validator will be tagged with ${DataflowTag.CUSTOM_VALIDATED}`, function() {
+    simulateRequestScope(() => {
+      const tracked = trackString('test');
+      const schema = joi.custom((value, helper) => {
+        if (value.a === 'test' && value.b === 'test') {
+          return value;
+        }
+
+        return helper.message('Invalid value');
+      });
+
+      const validated = schema.validate({
+        a: tracked,
+        b: tracked
+      });
+
+      expect(validated.error).to.be.undefined;
+      Object.values(validated.value).forEach((v) => {
+        const data = tracker.getData(v);
+
+        expect(data.tags).to.deep.equal({
+          [DataflowTag.UNTRUSTED]: [0, 3],
+          [DataflowTag.CUSTOM_VALIDATED]: [0, 3],
+        });
+
+        expect(data.moduleName).to.equal('joi');
+        expect(data.methodName).to.equal('any.custom.validate');
+      });
+    });
+  });
+
+  it(`objects with tracked values passing validation with an external validator will be tagged with ${DataflowTag.CUSTOM_VALIDATED}`, function(done) {
+    simulateRequestScope(() => {
+      const tracked = trackString('test');
+      const schema = joi.any().external((value, helper) => {
+        if (value === 'test') {
+          return value;
+        }
+
+        return helper.message('Invalid value');
+      });
+
+      schema.validateAsync(tracked)
+        .then((validated) => {
+
+          const data = tracker.getData(validated);
+
+          expect(data.tags).to.deep.equal({
+            [DataflowTag.UNTRUSTED]: [0, 3],
+            [DataflowTag.CUSTOM_VALIDATED]: [0, 3],
+          });
+
+          expect(data.moduleName).to.equal('joi');
+          expect(data.methodName).to.equal('any.external');
+          done();
+        })
+        .catch(err => done(err));
+    });
+  });
+
+  it(`objects with tracked values passing validation with an external validator will be tagged with ${DataflowTag.CUSTOM_VALIDATED}`, function(done) {
+    simulateRequestScope(() => {
+      const tracked = trackString('test');
+      const schema = joi.any().external((value, helper) => {
+        if (value.a === 'test' && value.b === 'test') {
+          return value;
+        }
+
+        return helper.message('Invalid value');
+      });
+
+      schema.validateAsync({
+        a: tracked,
+        b: tracked
+      })
+        .then((validated) => {
+
+          Object.values(validated).forEach((v) => {
+            const data = tracker.getData(v);
+
+            expect(data.tags).to.deep.equal({
+              [DataflowTag.UNTRUSTED]: [0, 3],
+              [DataflowTag.CUSTOM_VALIDATED]: [0, 3],
+            });
+
+            expect(data.moduleName).to.equal('joi');
+            expect(data.methodName).to.equal('any.external');
+          });
+          done();
+        })
+        .catch(err => done(err));
+    });
+  });
+
+  it('tracked values not passing validation with a custom validator won\'t be tagged', function() {
+    simulateRequestScope(() => {
+      const tracked = trackString('value');
+      const schema = joi.object({
+        v1: joi.custom((value, helper) => {
+          if (value === 'test') {
+            return value;
+          }
+
+          return helper.message('Invalid value');
+        }),
+        v2: joi.custom((value) => {
+          if (value === 'test') {
+            return value;
+          }
+
+          throw new Error('Invalid value');
+        }),
+        v3: joi.custom((value) => {
+          if (value === 'test') {
+            return value;
+          }
+
+          return 'Invalid value';
+        }),
+      });
+
+
+      const validated = schema.validate({
+        v1: tracked,
+        v2: tracked,
+        v3: tracked
+      }, { abortEarly: false });
+
+      expect(validated.error).to.not.be.undefined;
+      Object.values(validated.value).forEach((v) => {
+        const data = tracker.getData(v);
+
+        if (data) {
+          expect(data.tags).to.deep.equal({
+            [DataflowTag.UNTRUSTED]: [0, 4],
+          });
+          expect(data.name).to.equal('assess-dataflow-fixture');
+        } else {
+          expect(data).to.be.null;
+        }
+      });
+    });
+  });
+
+  it('tracked values not passing validation with an external validator won\'t be tagged', function(done) {
+    simulateRequestScope(() => {
+      const tracked = trackString('value');
+      const schema = joi.object({
+        v1: joi.any().external((value, helper) => {
+          if (value === 'test') {
+            return value;
+          }
+
+          return helper.message('Invalid value');
+        }),
+        v2: joi.any().external((value) => {
+          if (value === 'test') {
+            return value;
+          }
+
+          throw new Error('Invalid value');
+        }),
+        v3: joi.any().external((value) => {
+          if (value === 'test') {
+            return value;
+          }
+
+          return 'Invalid value';
+        }),
+      });
+
+      const obj = {
+        v1: tracked,
+        v2: tracked,
+        v3: tracked,
+      };
+
+      schema.validateAsync(obj, { abortEarly: false })
+        .then(() => {
+          done('The validation should not pass');
+        })
+        .catch(() => {
+          Object.values(obj).forEach((v) => {
+            const data = tracker.getData(v);
+
+            expect(data.tags).to.deep.equal({
+              [DataflowTag.UNTRUSTED]: [0, 4],
+            });
+            expect(data.name).to.equal('assess-dataflow-fixture');
+          });
+          done();
+        })
+        .catch(err => done(err));
+
+    });
+  });
+
+  it('should not track the result of custom validation if the value is not tracked', function() {
+    simulateRequestScope(() => {
+      const schema = joi.custom((value, helper) => {
+        if (value === 'test') {
+          return value;
+        }
+
+        return helper.message('Invalid value');
+      });
+
+      const validated = schema.validate('test');
+      const data = tracker.getData(validated.value);
+
+      expect(data).to.be.null;
+    });
+  });
+});
+
+