npm - @contrast/assess - Versions diffs - 1.31.0 → 1.33.0 - Mend

@contrast/assess 1.31.0 → 1.33.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/dataflow/sinks/install/child-process.test.js ADDED Viewed

@@ -0,0 +1,338 @@
+'use strict';
+const {
+  DataflowTag: { UNTRUSTED }
+} = require('@contrast/common');
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const { UtilInspect } = require('@contrast/common');
+describe('assess dataflow sinks child_process', function () {
+  let core, child_process, simulateRequestScope, trackString, tracker, reportFindings;
+  beforeEach(function () {
+    child_process = {
+      exec() { },
+      execSync() { },
+      spawn() { },
+      spawnSync() { },
+      execFile() { },
+      execFileSync() { }
+    };
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    const origCreateSinkEvent = core.assess.eventFactory.createSinkEvent;
+    core.assess.eventFactory.createSinkEvent = function (data) {
+      if (data.tags['do-not-create-an-event']) {
+        return null;
+      }
+      return origCreateSinkEvent(data);
+    };
+    core.depHooks.resolve.yields(child_process);
+    require('./child-process')(core).install();
+  });
+  ['execFile', 'execFileSync', 'execSync', 'spawn', 'spawnSync'].forEach((method) => {
+    describe(`skips instrumentation in faulty cases for child_process.${method}()`, function () {
+      it('skips instrumentation if assess store is missing', function () {
+        child_process[method]('test &whoami');
+        expect(reportFindings).not.to.have.been.called;
+      });
+      it('skips instrumentation if a command value is not provided ', function () {
+        simulateRequestScope(function () {
+          child_process[method]();
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if the command value is not a string', function () {
+        simulateRequestScope(function () {
+          child_process[method]({});
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+    });
+  });
+  ['spawn', 'spawnSync'].forEach((method) => {
+    describe(`instrumentation specific for child_process.${method}`, function () {
+      it('skips instrumentation if neither the command nor the args are tracked', function () {
+        simulateRequestScope(function () {
+          child_process[method]('test', ['whoami'], { shell: true });
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('skips instrumentation if only the args are tracked and shell option is set to false', function () {
+        simulateRequestScope(function () {
+          const str = trackString('whoami', {
+            tags: {
+              [UNTRUSTED]: [0, 11],
+            },
+          });
+          const { extern } = tracker.getData(str);
+          child_process[method]('test', [extern], { shell: false });
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+      it('reports an cmd-injection from the command argument', function () {
+        simulateRequestScope(function () {
+          const value = 'test &whoami';
+          const extern = trackString(value, {
+            tags: {
+              [UNTRUSTED]: [0, 11],
+            },
+          });
+          child_process[method](extern);
+          child_process[method](extern, ['untracked-arg']);
+          child_process[method](extern, ['untracked-arg'], { shell: true });
+          expect(reportFindings).to.have.been.calledThrice;
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'cmd-injection',
+            sinkEvent: {
+              name: `child_process.${method}`,
+              moduleName: 'child_process',
+              methodName: method,
+              context: `child_process.${method}('${extern}')`,
+              object: {
+                value: 'child_process',
+                tracked: false,
+              },
+              args: [{ value, tracked: true }],
+              tags: { [UNTRUSTED]: [0, 11] },
+              source: 'P0',
+            },
+          });
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'cmd-injection',
+            sinkEvent: {
+              name: `child_process.${method}`,
+              moduleName: 'child_process',
+              methodName: method,
+              context: `child_process.${method}('${extern}', [ 'untracked-arg' ])`,
+              object: {
+                value: 'child_process',
+                tracked: false,
+              },
+              args: [
+                { value, tracked: true },
+                { value: UtilInspect(['untracked-arg']), tracked: false }
+              ],
+              tags: { [UNTRUSTED]: [0, 11] },
+              source: 'P0',
+            },
+          });
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'cmd-injection',
+            sinkEvent: {
+              name: `child_process.${method}`,
+              moduleName: 'child_process',
+              methodName: method,
+              context: `child_process.${method}('${extern}', [ 'untracked-arg' ], { shell: true })`,
+              object: {
+                value: 'child_process',
+                tracked: false,
+              },
+              args: [
+                { value, tracked: true },
+                { value: UtilInspect(['untracked-arg']), tracked: false },
+                { value: UtilInspect({ shell: true }), tracked: false }
+              ],
+              tags: { [UNTRUSTED]: [0, 11] },
+              source: 'P0',
+            },
+          });
+        });
+      });
+      it('reports an cmd-injection from the args for the command with the shell option set to true', function () {
+        simulateRequestScope(function () {
+          const value = '; whoami';
+          const extern = trackString(value, {
+            tags: {
+              [UNTRUSTED]: [0, 7],
+            },
+          });
+          child_process[method]('test', [extern], { shell: true });
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'cmd-injection',
+            sinkEvent: {
+              name: `child_process.${method}`,
+              moduleName: 'child_process',
+              methodName: method,
+              context: `child_process.${method}('test', [ '${extern}' ], { shell: true })`,
+              object: {
+                value: 'child_process',
+                tracked: false,
+              },
+              args: [
+                { value: 'test', tracked: false },
+                { value: UtilInspect([value]), tracked: true },
+                { value: UtilInspect({ shell: true }), tracked: false },
+              ],
+              tags: { [UNTRUSTED]: [0, 7] },
+              source: 'P1',
+            },
+          });
+        });
+      });
+      it('reports an cmd-injection from the args for the command with the shell option set to true even with an error in the first event creation', function () {
+        simulateRequestScope(function () {
+          const cmd = trackString('test', {
+            tags: {
+              [UNTRUSTED]: [0, 3],
+              'do-not-create-an-event': [0, 3],
+            },
+          });
+          const value = '; whoami';
+          const extern = trackString(value, {
+            tags: {
+              [UNTRUSTED]: [0, 7],
+            },
+          });
+          child_process[method](cmd, [extern], { shell: true });
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'cmd-injection',
+            sinkEvent: {
+              name: `child_process.${method}`,
+              object: {
+                value: 'child_process',
+                tracked: false,
+              },
+              args: [
+                { value: 'test', tracked: true },
+                { value: UtilInspect([value]), tracked: true },
+                { value: UtilInspect({ shell: true }), tracked: false },
+              ],
+              tags: { [UNTRUSTED]: [0, 7] },
+              source: 'P1',
+            },
+          });
+        });
+      });
+    });
+  });
+  ['exec', 'execSync'].forEach((method) => {
+    describe(`instrumentation specific for child_process.${method}`, function () {
+      it('reports an cmd-injection from the command argument', function () {
+        simulateRequestScope(function() {
+          const value = 'test &whoami';
+          const extern = trackString(value, {
+            tags: {
+              [UNTRUSTED]: [0, 11],
+            },
+          });
+          child_process[method](extern);
+          child_process[method](extern, ['untracked-arg']);
+          child_process[method](extern, ['untracked-arg'], { shell: true });
+          expect(reportFindings).to.have.been.calledThrice;
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'cmd-injection',
+            sinkEvent: {
+              name: `child_process.${method}`,
+              object: {
+                value: 'child_process',
+                tracked: false,
+              },
+              args: [{ value, tracked: true }],
+              tags: { [UNTRUSTED]: [0, 11] },
+              source: 'P0',
+            },
+          });
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'cmd-injection',
+            sinkEvent: {
+              name: `child_process.${method}`,
+              object: {
+                value: 'child_process',
+                tracked: false,
+              },
+              args: [
+                { value, tracked: true },
+                { value: UtilInspect(['untracked-arg']), tracked: false }
+              ],
+              tags: { [UNTRUSTED]: [0, 11] },
+              source: 'P0',
+            },
+          });
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'cmd-injection',
+            sinkEvent: {
+              name: `child_process.${method}`,
+              object: {
+                value: 'child_process',
+                tracked: false,
+              },
+              args: [
+                { value, tracked: true },
+                { value: UtilInspect(['untracked-arg']), tracked: false },
+                { value: UtilInspect({ shell: true }), tracked: false }
+              ],
+              tags: { [UNTRUSTED]: [0, 11] },
+              source: 'P0',
+            },
+          });
+        });
+      });
+    });
+  });
+  ['execFile', 'execFileSync'].forEach((method) => {
+    describe(`instrumentation specific for child_process.${method}`, function () {
+      it('does not report if the second argument is not an Array, or is an empty Array', function () {
+        simulateRequestScope(function () {
+          child_process[method]('test', { shell: true });
+          child_process[method]('test', [], { shell: true });
+          child_process[method]('test', 'test', { shell: true });
+          expect(reportFindings).to.not.have.been.called;
+        });
+      });
+      it('reports an cmd-injection from the args for the command with the shell option set to true', function () {
+        simulateRequestScope(function () {
+          const value = '; showami';
+          const extern = trackString(value, {
+            tags: {
+              [UNTRUSTED]: [0, 7],
+            },
+          });
+          child_process[method]('test', [extern], { shell: true });
+          expect(reportFindings).to.have.been.calledWithMatch({
+            ruleId: 'cmd-injection',
+            sinkEvent: {
+              name: `child_process.${method}`,
+              object: {
+                value: 'child_process',
+                tracked: false,
+              },
+              args: [
+                { value: 'test', tracked: false },
+                { value: UtilInspect([value]), tracked: true },
+                { value: UtilInspect({ shell: true }), tracked: false },
+              ],
+              tags: { [UNTRUSTED]: [0, 7] },
+              source: 'P1',
+            },
+          });
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/eval.test.js ADDED Viewed

@@ -0,0 +1,95 @@
+'use strict';
+const {
+  DataflowTag: { UNTRUSTED, CUSTOM_VALIDATED },
+  Rule: { UNSAFE_CODE_EXECUTION },
+} = require('@contrast/common');
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks eval', function () {
+  let core, simulateRequestScope, trackString, reportFindings, reportSafePositive;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    core.contrastMethods.install();
+    require('./eval')(core).install();
+  });
+  it('skips instrumentation if assess store is missing', function () {
+    global.ContrastMethods.eval('test');
+    expect(reportFindings).not.to.have.been.called;
+  });
+  it('skips instrumentation if a value is not provided ', function () {
+    simulateRequestScope(function () {
+      global.ContrastMethods.eval();
+      expect(reportFindings).not.to.have.been.called;
+    });
+  });
+  it('skips instrumentation if the argument is not a tracked', function () {
+    simulateRequestScope(function () {
+      global.ContrastMethods.eval('not-tracked');
+      expect(reportFindings).not.to.have.been.called;
+    });
+  });
+  it('skips instrumentation if the argument is sanitized', function () {
+    simulateRequestScope(function () {
+      const value = 'test';
+      const extern = trackString(value, {
+        tags: {
+          [UNTRUSTED]: [0, 3],
+          [CUSTOM_VALIDATED]: [0, 3]
+        }
+      });
+      global.ContrastMethods.eval(extern);
+      expect(reportFindings).not.to.have.been.called;
+      expect(reportSafePositive).to.have.been.calledWith({
+        name: 'eval',
+        ruleId: UNSAFE_CODE_EXECUTION,
+        safeTags: [CUSTOM_VALIDATED],
+        strInfo: { value, tags: { [UNTRUSTED]: [0, 3], [CUSTOM_VALIDATED]: [0, 3] } }
+      });
+    });
+  });
+  it('reports an unsafe-code-execution', function () {
+    simulateRequestScope(function () {
+      const value = 'test';
+      const extern = trackString(value, {
+        tags: {
+          [UNTRUSTED]: [0, 3],
+        }
+      });
+      global.ContrastMethods.eval(extern);
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId: UNSAFE_CODE_EXECUTION,
+        sinkEvent: {
+          args: [{ value, tracked: true }],
+          context: 'eval(\'test\')',
+          name: 'eval',
+          moduleName: 'global',
+          methodName: 'eval',
+          object: { value: 'global', tracked: false },
+          source: 'P0',
+          tags: { [UNTRUSTED]: [0, 3] }
+        }
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/express/index.test.js ADDED Viewed

@@ -0,0 +1,33 @@
+'use strict';
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const sinon = require('sinon');
+const mocks = require('@contrast/test/mocks');
+const MODULES = ['unvalidatedRedirect'];
+describe('assess dataflow sinks express', function () {
+  let core, express;
+  beforeEach(function () {
+    core = mocks.core();
+    core.assess = { dataflow: { sinks: {} } };
+    const moduleMock = (name) => (deps) => {
+      deps.assess.dataflow.sinks.express[name] = { install: sinon.stub() };
+    };
+    express = proxyquire('.', {
+      './reflected-xss': moduleMock('reflectedXss'),
+      './unvalidated-redirect': moduleMock('unvalidatedRedirect'),
+    })(core);
+  });
+  it('installs its components', function () {
+    express.install();
+    MODULES.forEach((module) => {
+      expect(express[module].install).to.have.been.calledOnce;
+    });
+  });
+});

package/lib/dataflow/sinks/install/express/reflected-xss.js CHANGED Viewed

@@ -73,72 +73,70 @@ module.exports = function(core) {
   reflectedXss.install = function() {
     depHooks.resolve({ name: 'express', file: 'lib/response' }, (Response) => {
-      ['send', 'push'].forEach((method) => {
-        const name = `Express.Response.${method}`;
-        patcher.patch(Response, method, {
-          name,
-          patchType,
-          around: (next, data) => {
-            const sourceContext = getSourceContext(RULE, ruleId);
-            if (!sourceContext) return next();
+      const name = 'Express.Response.send';
+      patcher.patch(Response, 'send', {
+        name,
+        patchType,
+        around: (next, data) => {
+          const sourceContext = getSourceContext(RULE, ruleId);
+          if (!sourceContext) return next();
-            const { contentType } = sourceContext.responseData;
-            if (contentType && isSafeContentType(contentType)) return next();
+          const { contentType } = sourceContext.responseData;
+          if (contentType && isSafeContentType(contentType)) return next();
-            const [str] = data.args;
+          const [str] = data.args;
-            if (!str || !isString(str)) return next();
+          if (!str || !isString(str)) return next();
-            const strInfo = tracker.getData(str);
-            if (!strInfo) return next();
+          const strInfo = tracker.getData(str);
+          if (!strInfo) return next();
-            if (strInfo.tags && isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
-              const sinkEvent = createSinkEvent({
-                args: [{
-                  tracked: true,
-                  value: strInfo.value,
-                }],
-                context: `response.${method}('${strInfo.value}')`,
-                history: [strInfo],
-                name,
-                moduleName: 'express',
-                methodName: `Response.${method}`,
-                object: {
-                  tracked: false,
-                  value: 'Express.Response',
-                },
-                result: {
-                  tracked: false,
-                  value: undefined,
-                },
-                tags: strInfo.tags,
-                source: 'P0',
-                stacktraceOpts: {
-                  constructorOpt: data.hooked,
-                  prependFrames: [data.orig]
-                },
-              });
+          if (strInfo.tags && isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
+            const sinkEvent = createSinkEvent({
+              args: [{
+                tracked: true,
+                value: strInfo.value,
+              }],
+              context: `response.send('${strInfo.value}')`,
+              history: [strInfo],
+              name,
+              moduleName: 'express',
+              methodName: 'Response.send',
+              object: {
+                tracked: false,
+                value: 'Express.Response',
+              },
+              result: {
+                tracked: false,
+                value: undefined,
+              },
+              tags: strInfo.tags,
+              source: 'P0',
+              stacktraceOpts: {
+                constructorOpt: data.hooked,
+                prependFrames: [data.orig]
+              },
+            });
-              if (sinkEvent) {
-                reportFindings({
-                  ruleId,
-                  sinkEvent
-                });
-              }
-            } else if (config.assess.safe_positives.enable) {
-              reportSafePositive({
-                name,
+            if (sinkEvent) {
+              reportFindings({
                 ruleId,
-                safeTags: filterSafeTags(safeTags, strInfo),
-                strInfo: {
-                  tags: strInfo.tags,
-                  value: strInfo.value,
-                }
+                sinkEvent
               });
             }
-            return ruleScopes.run(ruleId, next);
-          },
-        });
+          } else if (config.assess.safe_positives.enable) {
+            reportSafePositive({
+              name,
+              ruleId,
+              safeTags: filterSafeTags(safeTags, strInfo),
+              strInfo: {
+                tags: strInfo.tags,
+                value: strInfo.value,
+              }
+            });
+          }
+          return ruleScopes.run(ruleId, next);
+        },
       });
     });
   };