@contrast/assess 1.31.0 → 1.32.0

package/lib/dataflow/propagation/install/joi/string-schema.test.js

@@ -0,0 +1,513 @@
+'use strict';
+
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { DataflowTag } = require('@contrast/common');
+
+describe('assess dataflow propagation joi string', function() {
+  let core, joi, tracker, trackString, simulateRequestScope, strInstr;
+
+  beforeEach(function() {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+
+    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/string.js', version: '>=17.0.0' }).yields(require('joi-17/lib/types/string'));
+    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/keys.js', version: '>=17.0.0' }).yields(require('joi-17/lib/types/keys'));
+    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/validator', version: '>=17.0.0' }).yields(require('joi-17/lib/validator'));
+    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/values.js', version: '>=17.0.0' }).yields(require('joi-17/lib/values'));
+
+    require('./index')(core).install();
+    strInstr = require('../string')(core);
+    strInstr.install();
+    joi = require('joi-17');
+  });
+
+  afterEach(function() {
+    Object.keys(require.cache).forEach((key) => {
+      if (key.includes('joi')) {
+        delete require.cache[key];
+      }
+    });
+    strInstr.uninstall();
+  });
+
+  describe('Joi string-schema validator tests', function() {
+    const stringValidatorExamples = [
+      {
+        ruleNames: ['base64'],
+        validInput: 'VE9PTUFOWVNFQ1JFVFM=',
+        invalidInput: 'VE9PTUFOWVNFQ1JFVFM',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+      {
+        ruleNames: ['guid'],
+        validInput: '8594cc30-171E-4a21-99ce-BC0DC55EDEE8',
+        invalidInput: '1',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+      {
+        ruleNames: ['alphanum'],
+        validInput: 'abc123ABC',
+        invalidInput: '_&*"a',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+      {
+        ruleNames: ['hex'],
+        validInput: '54455354',
+        invalidInput: 'z',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+      {
+        ruleNames: ['isoDate'],
+        validInput: '2018-11-28T18:25:32.000Z',
+        invalidInput: '2018-28-11',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+      {
+        ruleNames: ['isoDuration'],
+        validInput: 'P3Y6M4DT12H30M5S',
+        invalidInput: '2020/10/03',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+      {
+        ruleNames: ['isoDuration'],
+        validInput: 'P3Y6M4DT12H30M5S',
+        invalidInput: 'P2020-08-06T12:30:00', // valid ISO 8061 format, but not supported in Joi
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+      {
+        ruleNames: ['creditCard'],
+        validInput: '4111111111111111',
+        invalidInput: '0000000000000000',
+        expectedTags: DataflowTag.LIMITED_CHARS,
+      },
+      {
+        ruleNames: ['ip'],
+        validInput: '0.0.0.0',
+        invalidInput: '256.258.301.1',
+        expectedTags: DataflowTag.LIMITED_CHARS,
+      },
+      {
+        ruleNames: ['token'],
+        validInput: '_azAZ09',
+        invalidInput: '(-.-)Zzz...',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+      {
+        ruleNames: ['hostname'],
+        validInput: 'www.contrastsecurity.com',
+        invalidInput: 'localhost:8000',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+      {
+        ruleNames: ['domain'],
+        validInput: 'www.contrastsecurity.com',
+        invalidInput: 'localhost:8000',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+    ];
+
+    // Testing individually rules and expected tags here, but keeping array structure for consistency
+    stringValidatorExamples.forEach(
+      ({ validInput, invalidInput = 'foo', expectedTags, ruleNames }) => {
+        const methodNames = ruleNames.map((n) => `${n}()`).join('.');
+
+        it(`tracked values passing validation for ${methodNames} will be tagged with ${expectedTags}`, function(done) {
+          simulateRequestScope(() => {
+            const tracked = trackString(validInput);
+            let schema = joi.string();
+            schema = schema[ruleNames[0]]();
+
+            // One check with validateAsync to make sure it works too
+            schema.validateAsync(tracked)
+              .then((validated) => {
+                const data = tracker.getData(validated);
+
+                expect(validInput).to.equal(validated);
+
+                expect(data.tags).to.deep.equal({
+                  [DataflowTag.UNTRUSTED]: [0, validInput.length - 1],
+                  [DataflowTag.STRING_TYPE_CHECKED]: [0, validInput.length - 1],
+                  [expectedTags]: [0, validInput.length - 1]
+                });
+
+                expect(data.moduleName).to.equal('joi');
+                expect(data.methodName).to.equal(`string.${ruleNames[0]}`);
+                done();
+              })
+              .catch(err => done(err));
+          });
+        });
+
+        it(`tracked values for ${methodNames} should not be tagged if not validated`, function() {
+          simulateRequestScope(() => {
+            const tracked = trackString(invalidInput);
+            let schema = joi.string();
+            schema = schema[ruleNames[0]]();
+
+            const validated = schema.validate(tracked);
+            const data = tracker.getData(validated.value);
+
+            expect(data.tags).to.deep.equal({
+              [DataflowTag.UNTRUSTED]: [0, invalidInput.length - 1],
+              [DataflowTag.STRING_TYPE_CHECKED]: [0, invalidInput.length - 1],
+            });
+          });
+        });
+
+        it(`should not track the result of ${methodNames} if value is not tracked`, function() {
+          simulateRequestScope(() => {
+            let schema = joi.string();
+            schema = schema[ruleNames[0]]();
+
+            const validated = schema.validate(validInput);
+            const data = tracker.getData(validated.value);
+
+            expect(data).to.be.null;
+          });
+        });
+      }
+    );
+
+    ['custom', 'external'].forEach((method) => {
+      it(`should custom validate the result when ${method} validation passes with the same value`, function(done) {
+        simulateRequestScope(() => {
+          core.config.assess.trust_custom_validators = true;
+          const joiSchema = joi.string()[method](() => trackString('1234'));
+
+          const value = trackString('1234');
+
+          joiSchema.validateAsync(value)
+            .then((data) => {
+              const argInfo = tracker.getData(value);
+              const resInfo = tracker.getData(data);
+              expect(argInfo.methodName).to.include(`string.${method}`);
+              expect(argInfo.tags).to.deep.equal({
+                [DataflowTag.UNTRUSTED]: [0, 3],
+                [DataflowTag.STRING_TYPE_CHECKED]: [0, 3],
+                [DataflowTag.CUSTOM_VALIDATED]: [0, 3],
+              });
+              // with .external() the result is the original
+              // arg string instance when they are equal
+              if (method === 'external') {
+                expect(tracker.getData(data)).to.equal(argInfo);
+              } else {
+                expect(resInfo.methodName).to.include(`string.${method}`);
+                expect(resInfo.tags).to.deep.equal({
+                  [DataflowTag.UNTRUSTED]: [0, 3],
+                  [DataflowTag.CUSTOM_VALIDATED]: [0, 3],
+                });
+              }
+              done();
+            })
+            .catch(err => done(err));
+        });
+      });
+
+      it(`should custom validate only the result if it passes ${method} validation with a different value`, function(done) {
+        simulateRequestScope(() => {
+          core.config.assess.trust_custom_validators = true;
+          const joiSchema = joi.string()[method](() => trackString('5'));
+
+          const value = trackString('1234');
+
+          joiSchema.validateAsync(value)
+            .then((result) => {
+              const argInfo = tracker.getData(value);
+              const resultInfo = tracker.getData(result);
+
+              expect(argInfo.methodName).to.equal('string.validate');
+              expect(argInfo.tags).to.deep.equal({
+                [DataflowTag.UNTRUSTED]: [0, 3],
+                [DataflowTag.STRING_TYPE_CHECKED]: [0, 3],
+              });
+              expect(resultInfo.methodName).to.include(`string.${method}`);
+              expect(resultInfo.tags).to.deep.equal({
+                [DataflowTag.UNTRUSTED]: [0, 0],
+                [DataflowTag.CUSTOM_VALIDATED]: [0, 0],
+              });
+              done();
+            })
+            .catch(err => done(err));
+        });
+      });
+
+      it('should not propagate if the result is not tracked and different', function(done) {
+        simulateRequestScope(() => {
+          core.config.assess.trust_custom_validators = true;
+          const joiSchema = joi.string()[method](() => '5');
+
+          const value = trackString('1234');
+
+          joiSchema.validateAsync(value)
+            .then((result) => {
+              const argInfo = tracker.getData(value);
+              const resultInfo = tracker.getData(result);
+
+              expect(argInfo.methodName).to.equal('string.validate');
+              expect(argInfo.tags).to.deep.equal({
+                [DataflowTag.UNTRUSTED]: [0, 3],
+                [DataflowTag.STRING_TYPE_CHECKED]: [0, 3],
+              });
+              expect(resultInfo).to.be.null;
+              done();
+            })
+            .catch(err => done(err));
+        });
+      });
+    });
+
+    const stringCoercingExamples = [
+      {
+        ruleNames: ['lowercase'],
+        validInput: 'lorem ipsum',
+        invalidInput: 'Lorem Ipsum',
+        expectedTags: DataflowTag.UNTRUSTED,
+      },
+      {
+        ruleNames: ['uppercase'],
+        validInput: 'LOREM IPSUM',
+        invalidInput: 'Lorem Ipsum',
+        expectedTags: DataflowTag.UNTRUSTED,
+      },
+      {
+        ruleNames: ['isoDate'],
+        validInput: '2018-11-28T18:25:32.000Z',
+        invalidInput: '2018-28-11',
+        expectedTags: DataflowTag.ALPHANUM_SPACE_HYPHEN,
+      },
+    ];
+
+    stringCoercingExamples.forEach(
+      ({ validInput, invalidInput = 'foo', expectedTags, ruleNames }) => {
+        const methodNames = ruleNames.map((n) => `${n}()`).join('.');
+
+        it(`tracked values passing validation for ${methodNames} with coercion will be tagged with ${expectedTags}`, function() {
+          simulateRequestScope(() => {
+            const tracked = trackString(validInput);
+            let schema = joi.string();
+            schema = schema[ruleNames[0]]();
+
+            const validated = schema.validate(tracked, { convert: true });
+            const data = tracker.getData(validated.value);
+
+            expect(validated.value).to.equal(validInput);
+            expect(data.tags).to.deep.equal({
+              [DataflowTag.UNTRUSTED]: [0, validInput.length - 1],
+              [DataflowTag.STRING_TYPE_CHECKED]: [0, validInput.length - 1],
+              [expectedTags]: [0, validInput.length - 1]
+            });
+          });
+        });
+
+        it(`tracked values passing validation for ${methodNames} without coercion will be tagged with ${expectedTags}`, function() {
+          simulateRequestScope(() => {
+            const tracked = trackString(validInput);
+            let schema = joi.string();
+            schema = schema[ruleNames[0]]();
+
+            const validated = schema.validate(tracked, { convert: false });
+            const data = tracker.getData(validated.value);
+
+            expect(validInput).to.equal(validated.value);
+            expect(data.tags).to.deep.equal({
+              [DataflowTag.UNTRUSTED]: [0, validInput.length - 1],
+              [DataflowTag.STRING_TYPE_CHECKED]: [0, validInput.length - 1],
+              [expectedTags]: [0, validInput.length - 1]
+            });
+          });
+        });
+
+        it(`tracked values for ${methodNames} without coercion should not be tagged if not valid`, function() {
+          simulateRequestScope(() => {
+            const tracked = trackString(invalidInput);
+            let schema = joi.string();
+            schema = schema[ruleNames[0]]();
+
+            const validated = schema.validate(tracked, { convert: false });
+            const data = tracker.getData(validated.value);
+
+            expect(data.tags).to.deep.equal({
+              [DataflowTag.UNTRUSTED]: [0, invalidInput.length - 1],
+              [DataflowTag.STRING_TYPE_CHECKED]: [0, invalidInput.length - 1],
+            });
+          });
+        });
+
+        it(`should not track the result of ${methodNames} if input value is not tracked`, function() {
+          simulateRequestScope(() => {
+            const schema = joi.string();
+
+            const validated = schema.validate(validInput);
+            const data = tracker.getData(validated.value);
+
+            expect(data).to.be.null;
+          });
+        });
+      }
+    );
+
+    [
+      {
+        ruleNames: ['isoDate'],
+        validInput: '2018-11-28T18:25:32.000Z',
+        invalidInput: '2018-28-11',
+      },
+      {
+        ruleNames: ['isoDate'],
+        validInput: '2018-11-28T18:25:32',
+        invalidInput: '002013-06-07T14:21:46.295Z',
+      },
+      {
+        ruleNames: ['isoDate'],
+        validInput: '2013-06-07T14:21:46.295+07:00',
+        invalidInput: '+2013-06-07T14:21:46.295Z',
+      },
+      {
+        ruleNames: ['isoDate'],
+        validInput: '+002013-06-07T14:21:46.295Z',
+        invalidInput: '2018-28-11T',
+      },
+      {
+        ruleNames: ['isoDate'],
+        validInput: '2013-06-07T24:00',
+        invalidInput: '2013-06-07T24:21',
+      },
+    ].forEach(({ validInput, invalidInput }) => {
+      it('should track isoDate when coercing', function() {
+        simulateRequestScope(() => {
+          const tracked = trackString(validInput);
+          let schema = joi.string();
+          schema = schema.isoDate();
+
+          const validated = schema.validate(tracked, { convert: true });
+          const data = tracker.getData(validated.value);
+
+          expect(data.tags).to.deep.equal({
+            [DataflowTag.UNTRUSTED]: [0, 23], // coerced isoDate has fixed size
+            [DataflowTag.STRING_TYPE_CHECKED]: [0, 23],
+            [DataflowTag.ALPHANUM_SPACE_HYPHEN]: [0, 23]
+          });
+        });
+      });
+
+      it('should not track, nor tag isoDate values if not validated', function() {
+        simulateRequestScope(() => {
+          const tracked = trackString(invalidInput);
+          let schema = joi.string();
+          schema = schema.isoDate();
+
+          const validated = schema.validate(tracked);
+          const data = tracker.getData(validated.value);
+
+          expect(data.tags).to.deep.equal({
+            [DataflowTag.UNTRUSTED]: [0, validated.value.length - 1], // coerced isoDate has fixed size
+            [DataflowTag.STRING_TYPE_CHECKED]: [0, validated.value.length - 1],
+          });
+        });
+      });
+    });
+
+    const chainedExamples = [
+      {
+        ruleNames: ['lowercase', 'guid'],
+        validInput: '8594cc30-171e-4a21-99ce-bc0dc55edee8',
+        invalidInput: '8594cc30',
+        expectedTags: [DataflowTag.ALPHANUM_SPACE_HYPHEN],
+      },
+      {
+        ruleNames: ['hex', 'alphanum'],
+        validInput: '8594cc30',
+        invalidInput: 'z~',
+        expectedTags: [DataflowTag.ALPHANUM_SPACE_HYPHEN],
+      },
+      {
+        ruleNames: ['creditCard', 'alphanum'],
+        validInput: '4111111111111111',
+        invalidInput: '0000000000000000',
+        expectedTags: [DataflowTag.LIMITED_CHARS, DataflowTag.ALPHANUM_SPACE_HYPHEN],
+      },
+      {
+        ruleNames: ['alphanum', 'creditCard'],
+        validInput: '4111111111111111',
+        invalidInput: '0000000000000000a',
+        expectedTags: [DataflowTag.LIMITED_CHARS, DataflowTag.ALPHANUM_SPACE_HYPHEN],
+        onFailureExpectedTags: [DataflowTag.ALPHANUM_SPACE_HYPHEN],
+      },
+      {
+        ruleNames: ['lowercase', 'token', 'alphanum'],
+        validInput: 'lowercharsonly',
+        invalidInput: 'valid_lowercase_alphanum_but_with_underscores',
+        expectedTags: [DataflowTag.ALPHANUM_SPACE_HYPHEN],
+        onFailureExpectedTags: [DataflowTag.ALPHANUM_SPACE_HYPHEN],
+      },
+      {
+        ruleNames: ['alphanum', 'lowercase', 'token'],
+        validInput: 'lowercharsonly',
+        invalidInput: 'valid_lowercase_alphanum_but_with_underscores',
+        expectedTags: [DataflowTag.ALPHANUM_SPACE_HYPHEN],
+      },
+    ];
+
+    chainedExamples.forEach(
+      ({
+        validInput,
+        invalidInput = 'foo',
+        expectedTags,
+        ruleNames,
+        onFailureExpectedTags = [],
+      }) => {
+        const methodNames = ruleNames.map((n) => `${n}()`).join('.');
+        const createTagsObj = (str, tags) => tags.reduce((acc, curr) => {
+          acc[curr] = [0, str.length - 1];
+
+          return acc;
+        }, {});
+
+        it(`tracked values passing validation for ${methodNames} chain will be tagged with ${expectedTags.join(', ')}`, function() {
+          simulateRequestScope(() => {
+            const tracked = trackString(validInput);
+            let schema = joi.string();
+
+            for (const name of ruleNames) {
+              schema = schema[name]();
+            }
+
+            const validated = schema.validate(tracked, { convert: false });
+            const data = tracker.getData(validated.value);
+
+            expect(validInput).to.equal(validated.value);
+
+            expect(data.tags).to.deep.equal({
+              [DataflowTag.UNTRUSTED]: [0, validated.value.length - 1],
+              [DataflowTag.STRING_TYPE_CHECKED]: [0, validated.value.length - 1],
+              ...createTagsObj(validated.value, expectedTags)
+            });
+          });
+        });
+
+        it(`tracked values in ${methodNames} should not be tagged with failed chain validation`, function() {
+          simulateRequestScope(() => {
+            const tracked = trackString(invalidInput);
+            let schema = joi.string();
+
+            for (const name of ruleNames) {
+              schema = schema[name]();
+            }
+
+            const validated = schema.validate(tracked);
+            const data = tracker.getData(validated.value);
+
+            expect(data.tags).to.deep.equal({
+              [DataflowTag.UNTRUSTED]: [0, validated.value.length - 1],
+              [DataflowTag.STRING_TYPE_CHECKED]: [0, validated.value.length - 1],
+              ...createTagsObj(validated.value, onFailureExpectedTags)
+            });
+          });
+        });
+      }
+    );
+  });
+});
+
+

package/lib/dataflow/propagation/install/mongoose/index.test.js

@@ -0,0 +1,42 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+describe('assess dataflow propagation mongoose', function () {
+  let core, instr;
+
+  beforeEach(function () {
+    ({ core } = initAssessFixture());
+    instr = core.assess.dataflow.propagation.mongooseInstrumentation;
+  });
+
+  const propagatorList = [
+    'schemaMap',
+    'schemaMixed',
+    'schemaString'
+  ];
+
+  it('composes different installers', function () {
+    propagatorList.forEach((name) => {
+      expect(instr[name]).to.have.property('install').and.be.a('function');
+    });
+  });
+
+  it('dispatches installation to sub-components', function () {
+    const installs = [];
+    propagatorList.forEach((name) => {
+      const instr = core.assess.dataflow.propagation.mongooseInstrumentation;
+      installs.push(sinon.stub(instr[name], 'install'));
+    });
+
+    instr.install();
+
+    expect(installs).to.have.lengthOf(propagatorList.length);
+    installs.forEach((installer) => {
+      expect(installer).to.have.been.called;
+    });
+  });
+});
+