npm - @contrast/assess - Versions diffs - 1.31.0 → 1.33.0 - Mend

@contrast/assess 1.31.0 → 1.33.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/dataflow/sinks/install/hapi/unvalidated-redirect.test.js ADDED Viewed

@@ -0,0 +1,130 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    URL_ENCODED,
+  }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const ruleId = 'unvalidated-redirect';
+describe('assess dataflow sinks hapi unvalidated-redirect', function () {
+  let core, simulateRequestScope, trackString, tracker, reportFindings, reportSafePositive;
+  class Response {
+    redirect() { }
+  }
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    core.depHooks.resolve.yields(Response);
+    require('./unvalidated-redirect')(core).install();
+  });
+  it('skips instrumentation if there is no assess store', function () {
+    Response.prototype.redirect('hello');
+    expect(reportFindings).to.not.have.been.called;
+  });
+  it('skips instrumentation if url does not exist', function () {
+    simulateRequestScope(function () {
+      Response.prototype.redirect();
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skip sinstrumentation if url is not string', function () {
+    simulateRequestScope(function () {
+      Response.prototype.redirect(1, 2);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('skips instrumentation if url is not tracked', function () {
+    simulateRequestScope(function () {
+      Response.prototype.redirect('url');
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+  it('reports a "safe positive" event when safe tags overlap UNTRUSTED', function () {
+    simulateRequestScope(function () {
+      const value = 'https%3A%2F%2Fhello.com';
+      const stop = value.length - 1;
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, stop],
+          [UNTRUSTED]: [0, stop],
+        },
+      });
+      Response.prototype.redirect(extern);
+      expect(reportSafePositive).to.have.been.calledWithMatch({
+        name: 'hapi.Response.prototype.redirect',
+        ruleId,
+        safeTags: [URL_ENCODED],
+        strInfo: {
+          tags: { [URL_ENCODED]: [0, stop], [UNTRUSTED]: [0, stop] },
+          value
+        },
+      });
+    });
+  });
+  it('reports an unvalidated-redirect', function () {
+    simulateRequestScope(function () {
+      const value = 'https://hello.com/query?test=value';
+      const extern = trackString(value, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [0, 16],
+        },
+      });
+      Response.prototype.redirect(extern);
+      expect(reportFindings).to.have.been.calledWithMatch({
+        ruleId,
+        sinkEvent: {
+          args: [{ value, tracked: true }],
+          context: 'response.redirect(\'https://hello.com/query?test=value\')',
+          name: 'hapi.Response.prototype.redirect',
+          moduleName: 'hapi',
+          methodName: 'Response.prototype.redirect',
+          object: {
+            value: 'hapi.Response',
+            tracked: false,
+          },
+          result: { value: undefined, tracked: false },
+          source: 'P0',
+          tags: { [URL_ENCODED]: [0, 2], [UNTRUSTED]: [0, 16] },
+        },
+      });
+    });
+  });
+  it('does not report an unvalidated-redirect if the tainted data is not in the URI path', function () {
+    simulateRequestScope(function () {
+      const url = 'https://hello.com/query?test=value';
+      const str = trackString(url, {
+        tags: {
+          [URL_ENCODED]: [0, 2],
+          [UNTRUSTED]: [24, 33],
+        },
+      });
+      const { extern } = tracker.getData(str);
+      Response.prototype.redirect(extern);
+      expect(reportFindings).to.not.have.been.called;
+    });
+  });
+});

package/lib/dataflow/sinks/install/http/index.test.js ADDED Viewed

@@ -0,0 +1,33 @@
+'use strict';
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const sinon = require('sinon');
+const mocks = require('@contrast/test/mocks');
+const MODULES = ['request', 'serverResponse'];
+describe('assess dataflow sinks http', function () {
+  let core, http;
+  beforeEach(function () {
+    core = mocks.core();
+    core.assess = { dataflow: { sinks: {} } };
+    const moduleMock = (name) => (deps) => {
+      deps.assess.dataflow.sinks.http[name] = { install: sinon.stub() };
+    };
+    http = proxyquire('.', {
+      './request': moduleMock('request'),
+      './server-response': moduleMock('serverResponse'),
+    })(core);
+  });
+  it('installs its components', function () {
+    http.install();
+    MODULES.forEach((module) => {
+      expect(http[module].install).to.have.been.calledOnce;
+    });
+  });
+});

package/lib/dataflow/sinks/install/http/request.test.js ADDED Viewed

@@ -0,0 +1,184 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    LIMITED_CHARS
+  },
+  UtilInspect
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const modules = {
+  http: {
+    request() { }
+  },
+  https: {
+    request() { }
+  }
+};
+const getReq = function (strOrObj, key, trackedString) {
+  if (strOrObj === 'str') {
+    if (key === 'protocol') {
+      return trackedString.concat('://foo.com');
+    } else {
+      return 'http://'.concat(trackedString).concat('.com');
+    }
+  } else {
+    const req = {};
+    req[key] = trackedString;
+    return req;
+  }
+};
+['http', 'https'].forEach((module) => {
+  describe(`assess dataflow sinks ${module}.request`, function () {
+    let core, simulateRequestScope, trackString, reportFindings;
+    beforeEach(function () {
+      ({ core, simulateRequestScope, trackString } = initAssessFixture());
+      reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+      core.assess.dataflow.propagation.stringInstrumentation.concat.install();
+      core.assess.dataflow.propagation.stringInstrumentation.substring.install();
+      core.assess.dataflow.propagation.stringInstrumentation.split.install();
+      core.assess.dataflow.propagation.urlInstrumentation.url.install();
+      core.depHooks.resolve.withArgs({ name: 'url' }).yield(require('url'));
+      core.depHooks.resolve.withArgs({ name: module }).yields(modules[module]);
+      require('./request')(core).install();
+    });
+    it('skips instrumentation if assess store is missing', function () {
+      modules[module].request({
+        protocol: `${module}:`,
+        hostname: 'foo',
+      });
+      expect(reportFindings).to.not.have.been.called;
+    });
+    it('skips instrumentation if payload is missing', function () {
+      simulateRequestScope(function () {
+        modules[module].request();
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+    it('skips instrumentation if the string is not tracked', function () {
+      simulateRequestScope(function () {
+        modules[module].request({
+          protocol: `${module}:`,
+          hostname: 'foo',
+        });
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+    it('skips instrumentation if the string is safe', function () {
+      simulateRequestScope(function() {
+        const extern = trackString('foo', {
+          tags: {
+            [UNTRUSTED]: [0, 2],
+            [LIMITED_CHARS]: [0, 2],
+          },
+        });
+        modules[module].request({
+          protocol: `${module}:`,
+          hostname: extern,
+        });
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+    it('skips instrumentation if stack contains trusted lib', function () {
+      simulateRequestScope(function() {
+        const extern = trackString('foo', {
+          tags: {
+            [UNTRUSTED]: [0, 2],
+          },
+          stack: [
+            { file: 'path/http/file.js' }
+          ]
+        });
+        modules[module].request({
+          protocol: `${module}:`,
+          hostname: extern,
+        });
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+    describe('request obj', function () {
+      ['protocol', 'host', 'localAddress', 'hostname'].forEach((key) => {
+        it(`reports a ssrf vulnerability when ${key} is tainted`, function () {
+          simulateRequestScope(function() {
+            const value = 'foo';
+            const extern = trackString('foo');
+            const req = getReq('obj', key, extern);
+            modules[module].request(req);
+            const strReq = UtilInspect(req);
+            const startIdx = strReq.indexOf(value);
+            expect(reportFindings).to.have.been.calledWithMatch({
+              ruleId: 'ssrf',
+              sinkEvent: {
+                name: `${module}.request`,
+                moduleName: module,
+                methodName: 'request',
+                context: `${module}.request(${strReq})`,
+                object: {
+                  value: module,
+                  tracked: false,
+                },
+                args: [{ value: strReq, tracked: true }],
+                tags: { [UNTRUSTED]: [startIdx, startIdx + value.length - 1] },
+                source: 'P0',
+              },
+            });
+          });
+        });
+      });
+    });
+    describe('request string', function () {
+      ['protocol', 'host', 'hostname'].forEach((key) => {
+        it(`reports a ssrf vulnerability when ${key} is tainted`, function () {
+          simulateRequestScope(function() {
+            const value = 'foo';
+            const extern = trackString(value);
+            const req = getReq('str', key, extern);
+            modules[module].request(req);
+            const startIdx = req.indexOf(value);
+            expect(reportFindings).to.have.been.calledWithMatch({
+              ruleId: 'ssrf',
+              sinkEvent: {
+                name: `${module}.request`,
+                moduleName: module,
+                methodName: 'request',
+                context: `${module}.request(${req})`,
+                object: {
+                  value: module,
+                  tracked: false,
+                },
+                args: [{ value: req, tracked: true }],
+                tags: { [UNTRUSTED]: [startIdx, startIdx + value.length - 1] },
+                source: 'P0',
+              },
+            });
+          });
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/http/server-response.test.js ADDED Viewed

@@ -0,0 +1,162 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const {
+  DataflowTag: {
+    UNTRUSTED,
+    LIMITED_CHARS,
+  }
+} = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess dataflow sinks http, http2, spdy', function () {
+  let core, simulateRequestScope, trackString, tracker, reportFindings, reportSafePositive;
+  class ServerResponse {
+    end() { }
+    write() { }
+  }
+  class Http2ServerResponse {
+    end() { }
+    write() { }
+  }
+  const response = {
+    end: sinon.stub(),
+    spdyStream: {
+      once: sinon.stub()
+    }
+  };
+  beforeEach(function () {
+    ({ core, simulateRequestScope, trackString } = initAssessFixture());
+    tracker = core.assess.dataflow.tracker;
+    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
+    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
+    core.depHooks.resolve.withArgs({ name: 'http' }).yields({ ServerResponse });
+    core.depHooks.resolve.withArgs({ name: 'http2' }).yields({ Http2ServerResponse });
+    core.depHooks.resolve.withArgs({ name: 'spdy', file: 'lib/spdy/response.js' }).yields(response);
+    require('./server-response')(core).install();
+  });
+  [
+    { moduleName: 'http', response: ServerResponse.prototype, responseName: 'ServerResponse' },
+    { moduleName: 'http2', response: Http2ServerResponse.prototype, responseName: 'Http2ServerResponse' },
+    { moduleName: 'spdy', response, responseName: 'response' },
+  ].forEach(({ moduleName, response, responseName }) => {
+    describe(moduleName, function() {
+      ['end', 'write'].forEach((method) => {
+        if (moduleName === 'spdy' && method === 'write') return;
+        const methodName = `${responseName + (moduleName !== 'spdy' ? '.prototype' : '')}.${method}`;
+        describe(method, function() {
+          it('skips instrumentation if assess store is missing', function () {
+            response[method]('hello world');
+            expect(reportFindings).to.not.have.been.called;
+          });
+          it('skips instrumentation if payload is missing', function () {
+            simulateRequestScope(function () {
+              response[method]();
+              expect(reportFindings).to.not.have.been.called;
+            });
+          });
+          it('skips instrumentation if the string is not tracked', function () {
+            simulateRequestScope(function () {
+              response[method]('hello world');
+              expect(reportFindings).to.not.have.been.called;
+            });
+          });
+          it('skips instrumentation if the content-type is safe', function () {
+            const store = {
+              assess: { responseData: { contentType: 'application/json' } },
+            };
+            simulateRequestScope(function () {
+              const str = trackString('hello world');
+              const { extern } = tracker.getData(str);
+              response[method](extern);
+              expect(reportFindings).to.not.have.been.called;
+            }, store);
+          });
+          it('skips instrumentation if the string is safe', function () {
+            simulateRequestScope(function () {
+              const extern = trackString('hello world', {
+                tags: {
+                  [UNTRUSTED]: [0, 10],
+                  [LIMITED_CHARS]: [0, 10],
+                },
+              });
+              response[method](extern);
+              expect(reportFindings).to.not.have.been.called;
+              expect(reportSafePositive).to.have.been.called;
+              expect(reportSafePositive).to.have.been.calledWith({
+                name: `${moduleName}.${methodName}`,
+                ruleId: 'reflected-xss',
+                safeTags: [LIMITED_CHARS],
+                strInfo: {
+                  value: 'hello world',
+                  tags: {
+                    UNTRUSTED: [0, 10],
+                    LIMITED_CHARS: [0, 10]
+                  }
+                }
+              });
+            });
+          });
+          it('skips instrumentation if the event is not created', function () {
+            sinon.stub(core.assess.eventFactory, 'createSinkEvent');
+            const store = {
+              assess: { responseData: { contentType: 'application/json' } },
+            };
+            simulateRequestScope(function () {
+              const extern = trackString('hello world');
+              response[method](extern);
+              expect(reportFindings).to.not.have.been.called;
+            }, store);
+          });
+          it('report a reflected-xss vulnerability', function () {
+            simulateRequestScope(function () {
+              const value = 'hello world';
+              const extern = trackString(value);
+              response[method](extern);
+              expect(reportFindings).to.have.been.calledWithMatch({
+                ruleId: 'reflected-xss',
+                sinkEvent: {
+                  name: `${moduleName}.${methodName}`,
+                  moduleName,
+                  methodName,
+                  context: `res.${method}('${extern}')`,
+                  object: {
+                    value: `${moduleName}.${responseName}`,
+                    tracked: false,
+                  },
+                  args: [{ value, tracked: true }],
+                  tags: { [UNTRUSTED]: [0, 10] },
+                  source: 'P0',
+                },
+              });
+            });
+          });
+        });
+      });
+    });
+  });
+});

package/lib/dataflow/sinks/install/koa/index.test.js ADDED Viewed

@@ -0,0 +1,32 @@
+'use strict';
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const sinon = require('sinon');
+const mocks = require('@contrast/test/mocks');
+const MODULES = ['unvalidatedRedirect'];
+describe('assess dataflow sinks koa', function () {
+  let core, koa;
+  beforeEach(function () {
+    core = mocks.core();
+    core.assess = { dataflow: { sinks: {} } };
+    const moduleMock = (name) => (deps) => {
+      deps.assess.dataflow.sinks.koa[name] = { install: sinon.stub() };
+    };
+    koa = proxyquire('.', {
+      './unvalidated-redirect': moduleMock('unvalidatedRedirect'),
+    })(core);
+  });
+  it('installs its components', function () {
+    koa.install();
+    MODULES.forEach((module) => {
+      expect(koa[module].install).to.have.been.calledOnce;
+    });
+  });
+});