npm - @contrast/assess - Versions diffs - 1.31.0 → 1.33.0 - Mend

@contrast/assess 1.31.0 → 1.33.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/dataflow/sinks/install/express/reflected-xss.test.js ADDED Viewed

@@ -0,0 +1,109 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    URL_ENCODED,
+  }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks express reflected-xss', function () {
+  let core, Response, simulateRequestScope, trackString, reportFindings, reportSafePositive;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    Response = {
+      send: () => { }
+    };
+    core.depHooks.resolve.yields(Response);
+    require('./reflected-xss')(core).install();
+  });
+  it('skips instrumentation if there is no assess store', function () {
+    Response.send('hello');
+    expect(reportFindings).to.not.have.been.called;
+  });
+  it('skips instrumentation if chunk does not exist', function () {
+    simulateRequestScope(function () {
+      Response.send();
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skip instrumentation if chunk is not string', function () {
+    simulateRequestScope(function () {
+      Response.send(true);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skips instrumentation if chunk is not tracked', function () {
+    simulateRequestScope(function () {
+      Response.send('foo');
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('reports a "safe positive" event when safe tags overlap UNTRUSTED', function () {
+    simulateRequestScope(function () {
+      const value = 'foo';
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [0, 2],
+        },
+      });
+      Response.send(extern);
+      expect(reportSafePositive).to.have.been.calledWithMatch({
+        name: 'Express.Response.send',
+        ruleId: 'reflected-xss',
+        safeTags: [URL_ENCODED],
+        strInfo: {
+          tags: { [URL_ENCODED]: [0, 2], [UNTRUSTED]: [0, 2] },
+          value
+        },
+      });
+    });
+  });
+  it('reports a reflected-xss', function () {
+    simulateRequestScope(function () {
+      const value = 'foo';
+      const extern = trackString(value, {
+        tags: {
+          [UNTRUSTED]: [0, 2]
+        },
+      });
+      Response.send(extern);
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId: 'reflected-xss',
+        sinkEvent: {
+          args: [{ value, tracked: true }],
+          context: "response.send('foo')",
+          name: 'Express.Response.send',
+          moduleName: 'express',
+          methodName: 'Response.send',
+          object: {
+            value: 'Express.Response',
+            tracked: false,
+          },
+          result: { value: undefined, tracked: false },
+          source: 'P0',
+          tags: {
+            [UNTRUSTED]: [0, 2],
+          },
+        },
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/express/unvalidated-redirect.test.js ADDED Viewed

@@ -0,0 +1,144 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    URL_ENCODED,
+  }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks express unvalidated-redirect', function () {
+  let core, Response, simulateRequestScope, trackString, reportFindings, reportSafePositive;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    const headers = {};
+    const req = {
+      headers,
+      get: (key) => headers[key]
+    };
+    Response = {
+      location: () => { },
+      req
+    };
+    core.depHooks.resolve.yields(Response);
+    require('./unvalidated-redirect')(core).install();
+  });
+  it('skips instrumentation if there is no assess store', function () {
+    Response.location('hello');
+    expect(reportFindings).to.not.have.been.called;
+  });
+  it('skips instrumentation if url does not exist', function () {
+    simulateRequestScope(function () {
+      Response.location();
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skip instrumentation if url is not string', function () {
+    simulateRequestScope(function () {
+      Response.location(1, 2);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skips instrumentation if url is not tracked', function () {
+    simulateRequestScope(function () {
+      Response.location('url');
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skips instrumentation when location in "back"', function () {
+    simulateRequestScope(function () {
+      const extern = trackString('back');
+      Response.location(extern);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('reports a "safe positive" event when safe tags overlap UNTRUSTED', function () {
+    simulateRequestScope(function () {
+      const value = 'https%3A%2F%2Fhello.com';
+      const stop = value.length - 1;
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, stop],
+          [UNTRUSTED]: [0, stop],
+        },
+      });
+      Response.location(extern);
+      expect(reportSafePositive).to.have.been.calledWithMatch({
+        name: 'Express.Response.location',
+        ruleId: 'unvalidated-redirect',
+        safeTags: [URL_ENCODED],
+        strInfo: {
+          tags: { [URL_ENCODED]: [0, stop], [UNTRUSTED]: [0, stop] },
+          value
+        },
+      });
+    });
+  });
+  it('reports an unvalidated-redirect', function () {
+    simulateRequestScope(function () {
+      const value = 'https://hello.com';
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [0, 16],
+        },
+      });
+      Response.location(extern);
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId: 'unvalidated-redirect',
+        sinkEvent: {
+          args: [{ value, tracked: true }],
+          context: 'response.location(\'https://hello.com\')',
+          name: 'Express.Response.location',
+          moduleName: 'express',
+          methodName: 'Response.location',
+          object: {
+            value: 'Express.Response',
+            tracked: false,
+          },
+          result: { value: undefined, tracked: false },
+          source: 'P0',
+          tags: {
+            [UNTRUSTED]: [0, 16],
+            [URL_ENCODED]: [0, 2],
+          },
+        },
+      });
+    });
+  });
+  it('does not report an unvalidated-redirect if the tainted data is not in the URI path', function () {
+    simulateRequestScope(function () {
+      const value = 'https://hello.com/query?test=value';
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [24, 33],
+        },
+      });
+      Response.location(extern);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+});

package/lib/dataflow/sinks/install/fastify/index.test.js ADDED Viewed

@@ -0,0 +1,32 @@
+'use strict';
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const sinon = require('sinon');
+const mocks = require('@contrast/test/mocks');
+const MODULES = ['unvalidatedRedirect'];
+describe('assess dataflow sinks fastify', function () {
+  let core, fastify;
+  beforeEach(function () {
+    core = mocks.core();
+    core.assess = { dataflow: { sinks: {} } };
+    const moduleMock = (name) => (deps) => {
+      deps.assess.dataflow.sinks.fastify[name] = { install: sinon.stub() };
+    };
+    fastify = proxyquire('.', {
+      './unvalidated-redirect': moduleMock('unvalidatedRedirect'),
+    })(core);
+  });
+  it('installs its components', function () {
+    fastify.install();
+    MODULES.forEach((module) => {
+      expect(fastify[module].install).to.have.been.calledOnce;
+    });
+  });
+});

package/lib/dataflow/sinks/install/fastify/unvalidated-redirect.test.js ADDED Viewed

@@ -0,0 +1,130 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    URL_ENCODED,
+  }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const ruleId = 'unvalidated-redirect';
+describe('assess dataflow sinks fastify unvalidated-redirect', function () {
+  let core, simulateRequestScope, trackString, tracker, reportFindings, reportSafePositive;
+  class Reply {
+    redirect() { }
+  }
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    core.depHooks.resolve.yields(Reply);
+    require('./unvalidated-redirect')(core).install();
+  });
+  it('skips instrumentation if there is no assess store', function () {
+    Reply.prototype.redirect('hello');
+    expect(reportFindings).to.not.have.been.called;
+  });
+  it('skips instrumentation if url does not exist', function () {
+    simulateRequestScope(function () {
+      Reply.prototype.redirect();
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skip sinstrumentation if url is not string', function () {
+    simulateRequestScope(function () {
+      Reply.prototype.redirect(1, 2);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skips instrumentation if url is not tracked', function () {
+    simulateRequestScope(function () {
+      Reply.prototype.redirect('url');
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('reports a "safe positive" event when safe tags overlap UNTRUSTED', function () {
+    simulateRequestScope(function () {
+      const value = 'https%3A%2F%2Fhello.com';
+      const stop = value.length - 1;
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, stop],
+          [UNTRUSTED]: [0, stop],
+        },
+      });
+      Reply.prototype.redirect(extern);
+      expect(reportSafePositive).to.have.been.calledWithMatch({
+        name: 'fastify.Reply.prototype.redirect',
+        ruleId,
+        safeTags: [URL_ENCODED],
+        strInfo: {
+          tags: { [URL_ENCODED]: [0, stop], [UNTRUSTED]: [0, stop] },
+          value
+        },
+      });
+    });
+  });
+  it('reports an unvalidated-redirect', function () {
+    simulateRequestScope(function () {
+      const value = 'https://hello.com';
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [0, 16],
+        },
+      });
+      Reply.prototype.redirect(extern);
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId,
+        sinkEvent: {
+          args: [{ value, tracked: true }],
+          context: 'reply.redirect(\'https://hello.com\')',
+          name: 'fastify.Reply.prototype.redirect',
+          moduleName: 'fastify',
+          methodName: 'reply.redirect',
+          object: {
+            value: 'fastify.Reply',
+            tracked: false,
+          },
+          result: { value: undefined, tracked: false },
+          source: 'P0',
+          tags: { [URL_ENCODED]: [0, 2], [UNTRUSTED]: [0, 16] },
+        },
+      });
+    });
+  });
+  it('does not report an unvalidated-redirect if the tainted data is not in the URI path', function () {
+    simulateRequestScope(function () {
+      const url = 'https://hello.com/query?test=value';
+      const str = trackString(url, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [24, 33],
+        },
+      });
+      const { extern } = tracker.getData(str);
+      Reply.prototype.redirect(extern);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+});

package/lib/dataflow/sinks/install/fs.test.js ADDED Viewed

@@ -0,0 +1,138 @@
+'use strict';
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { FS_METHODS, ArrayPrototypeJoin, UtilInspect } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks path-traversal', function () {
+  let fs,
+    fsPromises,
+    core,
+    simulateRequestScope,
+    trackString,
+    reportFindings;
+  beforeEach(function () {
+    fs = {
+      promises: {},
+    };
+    fsPromises = {};
+    for (const { name, promises, sync } of FS_METHODS) {
+      fs[name] = sinon.stub();
+      if (sync) {
+        fs[`${name}Sync`] = sinon.stub();
+      }
+      if (promises) {
+        fsPromises[name] = sinon.stub();
+        fs.promises[name] = sinon.stub();
+      }
+    }
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    core.depHooks.resolve.withArgs({ name: 'fs' }).yields(fs);
+    core.depHooks.resolve.withArgs({ name: 'fs/promises' }).yields(fsPromises);
+    require('./fs')(core).install();
+  });
+  it('skips instrumentation if assess store is missing', function () {
+    fs.readFile('.../.../path');
+    expect(reportFindings).not.to.have.been.called;
+  });
+  it('skips instrumentation if a value is not provided ', function () {
+    simulateRequestScope(function () {
+      fs.readFile();
+      expect(reportFindings).not.to.have.been.called;
+    });
+  });
+  it('skips instrumentation if the value is not a string', function () {
+    simulateRequestScope(function () {
+      fs.readFile([]);
+      expect(reportFindings).not.to.have.been.called;
+    });
+  });
+  it('skips instrumentation if the value is not tracked', function () {
+    simulateRequestScope(function () {
+      fs.readFile('.../.../path');
+      expect(reportFindings).not.to.have.been.called;
+    });
+  });
+  for (const { name, promises, sync, indices } of FS_METHODS) {
+    const methodsUnderTest = [
+      { name: `fs.${name}`, getFn: () => fs[name], methodName: name },
+    ];
+    if (sync) {
+      methodsUnderTest.push({
+        name: `fs.${name}Sync`,
+        getFn: () => fs[`${name}Sync`],
+        methodName: `${name}Sync`,
+      });
+    }
+    if (promises) {
+      methodsUnderTest.push({
+        name: `fsPromises.${name}`,
+        getFn: () => fsPromises[name],
+        moduleName: 'fsPromises',
+        methodName: name,
+      });
+      methodsUnderTest.push({
+        name: `fs.promises.${name}`,
+        getFn: () => fs.promises[name],
+        moduleName: 'fs.promises',
+        methodName: name,
+      });
+    }
+    for (const { name, getFn, methodName, moduleName = 'fs' } of methodsUnderTest) {
+      describe(name, function () {
+        it('reports path-traversal', function () {
+          simulateRequestScope(function () {
+            const path = trackString('.../.../path', {
+              tags: {
+                UNTRUSTED: [0, 11],
+              },
+            });
+            const method = getFn();
+            const methodArgs =
+              indices.length === 2 ? [path, path] : [path];
+            method(...methodArgs);
+            for (const idx of indices) {
+              expect(reportFindings).to.have.been.calledWithMatch({
+                ruleId: 'path-traversal',
+                sinkEvent: {
+                  name,
+                  moduleName,
+                  methodName,
+                  context: `${name}(${ArrayPrototypeJoin.call(
+                    methodArgs.map((a) => UtilInspect(a)),
+                    ', '
+                  )})`,
+                  object: {
+                    value: 'fs',
+                    tracked: false,
+                  },
+                  args: methodArgs.map((value) => ({
+                    value,
+                    tracked: true,
+                  })),
+                  tags: { UNTRUSTED: [0, 11] },
+                  source: `P${idx}`,
+                },
+              });
+            }
+          });
+        });
+      });
+    }
+  }
+});

package/lib/dataflow/sinks/install/function.test.js ADDED Viewed

@@ -0,0 +1,103 @@
+'use strict';
+const {
+  DataflowTag: { UNTRUSTED, CUSTOM_VALIDATED },
+  Rule: { UNSAFE_CODE_EXECUTION },
+} = require('@contrast/common');
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks function', function () {
+  let core,
+    simulateRequestScope,
+    trackString,
+    reportFindings,
+    reportSafePositive;
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(
+      core.assess.dataflow.sinks,
+      'reportSafePositive'
+    );
+    core.contrastMethods.install();
+    require('./function')(core).install();
+  });
+  it('skips instrumentation if assess store is missing', function () {
+    global.ContrastMethods.Function('test');
+    expect(reportFindings).not.to.have.been.called;
+  });
+  it('skips instrumentation if a value is not provided ', function () {
+    simulateRequestScope(function () {
+      global.ContrastMethods.Function();
+      expect(reportFindings).not.to.have.been.called;
+    });
+  });
+  it('skips instrumentation if the argument is not a tracked', function () {
+    simulateRequestScope(function () {
+      global.ContrastMethods.Function('not-tracked');
+      expect(reportFindings).not.to.have.been.called;
+    });
+  });
+  it('skips instrumentation if the argument is sanitized', function () {
+    simulateRequestScope(function () {
+      const value = 'test';
+      const extern = trackString('test', {
+        tags: {
+          [UNTRUSTED]: [0, 3],
+          [CUSTOM_VALIDATED]: [0, 3],
+        },
+      });
+      global.ContrastMethods.Function(extern);
+      expect(reportFindings).not.to.have.been.called;
+      expect(reportSafePositive).to.have.been.calledWith({
+        name: 'global.ContrastMethods.Function',
+        ruleId: UNSAFE_CODE_EXECUTION,
+        safeTags: [CUSTOM_VALIDATED],
+        strInfo: {
+          value,
+          tags: { [UNTRUSTED]: [0, 3], CUSTOM_VALIDATED: [0, 3] },
+        },
+      });
+    });
+  });
+  it('reports an unsafe-code-execution', function () {
+    simulateRequestScope(function () {
+      const value = 'test';
+      const extern = trackString('test', {
+        tags: {
+          [UNTRUSTED]: [0, 3],
+        },
+      });
+      global.ContrastMethods.Function(extern);
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId: UNSAFE_CODE_EXECUTION,
+        sinkEvent: {
+          args: [{ value, tracked: true }],
+          context: "global.ContrastMethods.Function('test')",
+          name: 'global.ContrastMethods.Function',
+          moduleName: 'global.ContrastMethods',
+          methodName: 'Function',
+          object: { value: 'global.ContrastMethods', tracked: false },
+          source: 'P0',
+          tags: { [UNTRUSTED]: [0, 3] },
+        },
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/hapi/index.test.js ADDED Viewed

@@ -0,0 +1,32 @@
+'use strict';
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const sinon = require('sinon');
+const mocks = require('@contrast/test/mocks');
+const MODULES = ['unvalidatedRedirect'];
+describe('assess dataflow sinks hapi', function () {
+  let core, hapi;
+  beforeEach(function () {
+    core = mocks.core();
+    core.assess = { dataflow: { sinks: {} } };
+    const moduleMock = (name) => (deps) => {
+      deps.assess.dataflow.sinks.hapi[name] = { install: sinon.stub() };
+    };
+    hapi = proxyquire('.', {
+      './unvalidated-redirect': moduleMock('unvalidatedRedirect'),
+    })(core);
+  });
+  it('installs its components', function () {
+    hapi.install();
+    MODULES.forEach((module) => {
+      expect(hapi[module].install).to.have.been.calledOnce;
+    });
+  });
+});