npm - @contrast/assess - Versions diffs - 1.31.0 → 1.33.0 - Mend

@contrast/assess 1.31.0 → 1.33.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

package/lib/dataflow/utils/is-safe-content-type.test.js ADDED Viewed

@@ -0,0 +1,16 @@
+'use strict';
+const { isSafeContentType, SAFE_XSS_CONTENT_TYPES } = require('./is-safe-content-type');
+const { expect } = require('chai');
+describe('assess dataflow utils isSafeContentType', function() {
+  SAFE_XSS_CONTENT_TYPES.forEach(type => {
+    it(`should returns true for when content type is ${type}`, function() {
+      expect(isSafeContentType(type)).to.be.true;
+    });
+  });
+  it('should return false when content type is not part of the safe types', function() {
+    expect(isSafeContentType('something')).to.be.false;
+  });
+});

package/lib/dataflow/utils/is-vulnerable.test.js ADDED Viewed

@@ -0,0 +1,115 @@
+'use strict';
+const { expect } = require('chai');
+const { isVulnerable } = require('./is-vulnerable');
+describe('assess dataflow utils isVulnerable', function() {
+  [
+    {
+      args: [
+        'untrusted',
+        ['ant'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [4, 104],
+        },
+      ],
+      desc: 'encompasses all',
+      expected: false,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [0, 0],
+          cat: [1, 1, 2, 2, 4, 8],
+        },
+      ],
+      desc: 'no overlaps',
+      expected: true,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [0, 0],
+          cat: [1, 1, 2, 2, 3, 8],
+        },
+      ],
+      desc: 'no overlaps',
+      expected: true,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [0, 0],
+          cat: [1, 5, 3, 8],
+        },
+      ],
+      desc: 'no overlaps',
+      expected: true,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant'],
+        {
+          untrusted: [5, 10, 100, 102],
+          ant: [4, 5],
+        },
+      ],
+      desc: 'no overlaps',
+      expected: true,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat', 'dog'],
+        {
+          untrusted: [8, 14],
+          ant: [4, 5, 7, 10],
+          cat: [6, 9],
+          dog: [9, 18],
+        },
+      ],
+      desc: 'encompasses all',
+      expected: false,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant', 'cat', 'dog'],
+        {
+          ant: [4, 5, 7, 10],
+          cat: [6, 9],
+          dog: [9, 18],
+        },
+      ],
+      desc: 'when no target tags found',
+      expected: false,
+    },
+    {
+      args: [
+        'untrusted',
+        ['ant'],
+        {
+          untrusted: [4, 5, 7, 10],
+          ant: [4, 5, 7, 10],
+        },
+      ],
+      desc: 'when there are multiple ranges but they are all covered',
+      expected: false,
+    },
+  ].forEach(({ args, desc, expected }) => {
+    it(`${desc} returns ${expected}`, function() {
+      expect(isVulnerable(...args)).to.equal(expected);
+    });
+  });
+});

package/lib/event-factory.test.js ADDED Viewed

@@ -0,0 +1,321 @@
+'use strict';
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { InputType } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const os = require('os');
+const testMethod = os.platform() === 'win32' ? describe.skip : describe;
+testMethod('assess event-factory', function () {
+  let core, createSourceEvent, createPropagationEvent, createSinkEvent;
+  beforeEach(function () {
+    ({ core } = initAssessFixture());
+    ({
+      createSourceEvent,
+      createPropagationEvent,
+      createSinkEvent
+    } = require('./event-factory')(core));
+  });
+  describe('createSourceEvent', function () {
+    [
+      {
+        data: {},
+        invalidProp: 'result',
+      },
+      {
+        data: { result: { tracked: true, value: 'foo' } },
+        invalidProp: 'name',
+      },
+      {
+        data: {
+          name: 'frogs',
+          result: { tracked: true, value: 'foo' },
+          inputType: 'bad-value',
+        },
+        invalidProp: 'inputType',
+      },
+      {
+        data: {
+          name: 'frogs',
+          result: { tracked: true, value: 'foo' },
+          inputType: InputType.QUERYSTRING,
+        },
+        invalidProp: 'tags',
+        message: 'event has no tags'
+      }
+    ].forEach(({
+      data,
+      invalidProp,
+      message = `invalid ${invalidProp}`,
+    }) => {
+      it(`will not create event when props are invalid: ${message}`, function () {
+        const event = createSourceEvent(data);
+        expect(event).to.equal(null);
+        expect(core.logger.debug).to.have.been.calledWith(
+          sinon.match.object,
+          'Source event not created: %s',
+          message
+        );
+      });
+    });
+    [
+      {
+        data: {
+          name: 'COOKIE_VALUE.frogs',
+          result: { tracked: true, value: 'foo' },
+          inputType: InputType.COOKIE_VALUE,
+          tags: {
+            untrusted: [0, 4],
+            cookie: [0, 4],
+          },
+          stack: [],
+        },
+      }
+    ].forEach(({ data, expected }) => {
+      it('returns the event data when validated', function () {
+        const event = createSourceEvent(data);
+        expect(event).to.equal(data);
+        expect(core.logger.debug).not.to.have.been.called;
+      });
+    });
+  });
+  describe('createPropagationEvent', function () {
+    const validData = {
+      name: 'String.prototype.concat',
+      history: [{ mock: 'SourceEvent' }],
+      object: {
+        value: 'test',
+        tracked: true
+      },
+      args: [{ value: '-another-test', tracked: false }],
+      result: {
+        value: 'test-another-test',
+        tracked: true
+      },
+      source: 'O',
+      target: 'R',
+      tags: { untrusted: [0, 3] }
+    };
+    const validStore = {
+      assess: {
+        propagationEventsCount: 0
+      }
+    };
+    const validResult = {
+      name: 'String.prototype.concat',
+      history: [{ mock: 'SourceEvent' }],
+      object: {
+        value: 'test',
+        tracked: true
+      },
+      args: [{ value: '-another-test', tracked: false }],
+      result: {
+        value: 'test-another-test',
+        tracked: true
+      },
+      tags: { untrusted: [0, 3] },
+      addedTags: [],
+      removedTags: [],
+      source: 'O',
+      target: 'R'
+    };
+    it('logs a debug statement for missing source context and returns null when executed in the wrong context', function () {
+      core.scopes.sources.run({}, function () {
+        const result = createPropagationEvent(validData);
+        expect(core.logger.debug).to.have.been.calledOnceWith(
+          sinon.match.object,
+          'No sourceContext found during Propagation event creation'
+        );
+        expect(result).to.be.null;
+      });
+    });
+    it('logs a debug statement for going above the maximum propagation events limit and returns null when we are above the said limit', function () {
+      core.scopes.sources.run({ assess: { propagationEventsCount: 500 } }, function () {
+        const result = createPropagationEvent(validData);
+        expect(core.logger.debug).to.have.been.calledOnceWith(
+          sinon.match.object,
+          'Maximum number of Propagation events reached. Event not created'
+        );
+        expect(result).to.be.null;
+      });
+    });
+    [
+      {
+        data: { ...validData, name: '' },
+        message: 'invalid name',
+      },
+      {
+        data: { ...validData, source: undefined },
+        message: 'invalid source',
+      },
+      {
+        data: { ...validData, history: [] },
+        message: 'invalid history',
+      },
+      {
+        data: { ...validData, source: 'S' },
+        message: 'invalid source',
+      },
+      {
+        data: { ...validData, target: 'T' },
+        message: 'invalid target',
+      },
+    ].forEach(({ data, message }) => {
+      it(`logs a debug statement when insufficient data is passed and returns null: ${message}`, function () {
+        core.scopes.sources.run(validStore, function () {
+          const result = createPropagationEvent(data);
+          expect(core.logger.debug).to.have.been.calledOnceWith(
+            sinon.match.object,
+            'Propagation event not created: %s',
+            message,
+          );
+          expect(result).to.be.null;
+        });
+      });
+    });
+    it('returns an event with stacktrace generator function when stacktraces option is set to "ALL"', function () {
+      core.config.assess.stacktraces = 'ALL';
+      core.scopes.sources.run(validStore, function () {
+        const result = createPropagationEvent(validData);
+        expect(result).to.be.like(validResult);
+        expect(result.time).not.to.be.undefined;
+        expect(result.stack).to.be.an('array');
+      });
+    });
+    it('returns an event without stacktrace generator function when stacktraces option is not set to "ALL"', function () {
+      core.config.assess.stacktraces = 'SOME';
+      core.scopes.sources.run(validStore, function () {
+        const result = createPropagationEvent(validData);
+        expect(result).to.be.like(validResult);
+        expect(result.time).not.to.be.undefined;
+        expect(result.stack).to.deep.equal([]);
+      });
+    });
+  });
+  describe('createSinkEvent', function () {
+    const validData = {
+      name: 'mysql/lib/Connection.query',
+      history: [{ mock: 'SourceEvent' }],
+      object: {
+        value: 'MySQL.Query#0001',
+        tracked: false
+      },
+      args: [{ value: 'malicious-value', tracked: true }],
+      result: {
+        value: null,
+        tracked: false
+      },
+      tags: { untrusted: [0, 14] },
+      source: 'P0'
+    };
+    const validStore = {
+      assess: {
+        propagationEventsCount: 0
+      }
+    };
+    const validResult = {
+      name: 'mysql/lib/Connection.query',
+      history: [{ mock: 'SourceEvent' }],
+      object: {
+        value: 'MySQL.Query#0001',
+        tracked: false
+      },
+      args: [{ value: 'malicious-value', tracked: true }],
+      result: {
+        value: null,
+        tracked: false
+      },
+      tags: { untrusted: [0, 14] },
+      source: 'P0',
+    };
+    it('logs a debug statement for missing source context and returns null when executed in the wrong context', function () {
+      core.scopes.sources.run({}, function () {
+        const result = createSinkEvent(validData);
+        expect(core.logger.debug).to.have.been.calledOnceWith(
+          sinon.match.object,
+          'no sourceContext found during sink event creation'
+        );
+        expect(result).to.be.null;
+      });
+    });
+    [
+      {
+        data: {
+          ...validData,
+          name: '',
+        },
+        message: 'no sink event name'
+      },
+      {
+        data: {
+          ...validData,
+          history: []
+        },
+        message: 'empty history for sink event'
+      },
+      {
+        data: {
+          ...validData,
+          source: 'S'
+        },
+        message: 'malformed or missing sink event source field',
+      },
+    ].forEach(({ data, message }) => {
+      it(`logs a debug statement when insufficient data is passed and returns null: ${message}`, function () {
+        core.scopes.sources.run(validStore, function () {
+          const result = createSinkEvent(data);
+          expect(core.logger.debug).to.have.been.calledWith(
+            sinon.match.object,
+            message
+          );
+          expect(result).to.be.null;
+        });
+      });
+    });
+    it('returns an event with stacktrace generator function when stacktraces option is not set to "NONE"', function () {
+      core.config.assess.stacktraces = 'ALL';
+      core.scopes.sources.run(validStore, function () {
+        const result = createSinkEvent(validData);
+        expect(result).to.be.like(validResult);
+        expect(result.time).not.to.be.undefined;
+        expect(result.stack).to.be.instanceOf(Array);
+      });
+    });
+    it('returns an event without stacktrace generator function when stacktraces option is set to "NONE"', function () {
+      core.config.assess.stacktraces = 'NONE';
+      core.scopes.sources.run(validStore, function () {
+        const result = createSinkEvent(validData);
+        expect(result).to.be.like(validResult);
+        expect(result.time).not.to.be.undefined;
+        expect(result.stack).to.deep.equal([]);
+      });
+    });
+  });
+});

package/lib/get-policy.test.js ADDED Viewed

@@ -0,0 +1,194 @@
+'use strict';
+const { expect } = require('chai');
+const { Event } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+describe('assess getPolicy', function () {
+  let core, getPolicy;
+  beforeEach(function () {
+    ({ core } = initAssessFixture());
+    getPolicy = require('./get-policy')(core);
+  });
+  function assertPolicyOK(policy) {
+    expect(policy).to.have.property('enabledRules').and.be.a('Set').not.empty;
+    expect(policy).to.have.property('getInputPolicy').and.be.a('Function');
+  }
+  it('inits policy and will adjust according to TS settings updates', function() {
+    let policy = getPolicy();
+    expect(policy.enabledRules).to.have.length.greaterThan(1);
+    expect(policy.enabledRules).to.contain('reflected-xss');
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+      assess: {
+        ['sql-injection']: { enable: true },
+        ['reflected-xss']: { enable: false },
+      }
+    });
+    policy = getPolicy();
+    expect(policy.enabledRules).to.contain('sql-injection');
+    expect(policy.enabledRules).not.to.contain('reflected-xss');
+  });
+  it('url exclusions can disable all rules', function() {
+    const uriPath = '/exclude-all-rules';
+    let policy = getPolicy({ uriPath });
+    assertPolicyOK(policy);
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+      exclusions: {
+        url: [{
+          urls: ['/exclude-all-rules'],
+          matchStrategy: 'ONLY',
+          assessmentRules: [],
+          assess_rules: [],
+          protect_rules: [],
+          modes: ['assess', 'defend'],
+          name: 'UrlExclusionAllRules'
+        }]
+      }
+    });
+    policy = getPolicy({ uriPath });
+    expect(policy).to.be.null;
+  });
+  it('url exclusions can disable specific rules', function() {
+    const uriPath = '/exclude-some-rules';
+    let policy = getPolicy({ uriPath });
+    assertPolicyOK(policy);
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+      exclusions: {
+        url: [{
+          urls: ['/exclude-some-rules'],
+          matchStrategy: 'ONLY',
+          assessmentRules: [],
+          assess_rules: ['sql-injection'],
+          protect_rules: [],
+          modes: ['assess', 'defend'],
+          name: 'UrlExclusionAllRules'
+        }]
+      }
+    });
+    policy = getPolicy({ uriPath });
+    expect(policy.enabledRules).not.to.contain('sql-injection');
+  });
+  [
+    {
+      inputType: 'HEADER',
+      exclusionType: 'HEADER',
+    },
+    {
+      inputType: 'QUERYSTRING',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'BODY',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'URL_PARAMETER',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'COOKIE_VALUE',
+      exclusionType: 'COOKIE',
+    },
+  ].forEach(({ inputType, exclusionType }) => {
+    it(`input exclusions can exclude specific rules (input: ${inputType}, exclusion:${exclusionType})`, function() {
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+        exclusions: {
+          input: [{
+            type: exclusionType,
+            urls: ['/exclude-some-inputs', '/exclude-some-inputs-.*'],
+            matchStrategy: 'ONLY',
+            assessmentRules: [],
+            assess_rules: ['sql-injection', 'nosql-injection'],
+            protect_rules: [],
+            modes: ['assess', 'defend'],
+            name: 'abc.*'
+          }]
+        }
+      });
+      const policy = getPolicy({ uriPath: '/exclude-some-inputs' });
+      let inputPolicy = policy.getInputPolicy(inputType, 'abcdef');
+      expect(inputPolicy).to.have.property('track', true);
+      expect(inputPolicy).to.have.property('excludedRules')
+        .to.be.a('Set')
+        .and.have.lengthOf(2)
+        .and.contain('nosql-injection')
+        .and.contain('sql-injection');
+      inputPolicy = policy.getInputPolicy(inputType, 'xyz');
+      expect(inputPolicy).to.have.property('track', true);
+      expect(inputPolicy).to.have.property('excludedRules')
+        .to.be.a('Set')
+        .and.have.lengthOf(0);
+    });
+  });
+  [
+    {
+      inputType: 'HEADER',
+      exclusionType: 'HEADER',
+    },
+    {
+      inputType: 'QUERYSTRING',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'BODY',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'URL_PARAMETER',
+      exclusionType: 'PARAMETER',
+    },
+    {
+      inputType: 'COOKIE_VALUE',
+      exclusionType: 'COOKIE',
+    },
+  ].forEach(({ inputType, exclusionType }) => {
+    it(`input exclusions can exclude specific rules (input: ${inputType}, exclusion:${exclusionType})`, function() {
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+        exclusions: {
+          input: [{
+            type: exclusionType,
+            urls: ['/exclude-some-inputs', '/exclude-some-inputs-.*'],
+            matchStrategy: 'ONLY',
+            assessmentRules: [],
+            assess_rules: [],
+            protect_rules: [],
+            modes: ['assess', 'defend'],
+            name: 'abc.*'
+          }]
+        }
+      });
+      const policy = getPolicy({ uriPath: '/exclude-some-inputs' });
+      let inputPolicy;
+      inputPolicy = policy.getInputPolicy(inputType, 'abcdef');
+      expect(inputPolicy).to.have.property('track', false);
+      expect(inputPolicy).not.to.have.property('excludedRules');
+      inputPolicy = policy.getInputPolicy(inputType, 'xyz');
+      expect(inputPolicy).to.have.property('track', true);
+      expect(inputPolicy).to.have.property('excludedRules')
+        .to.be.a('Set')
+        .and.have.lengthOf(0);
+    });
+  });
+});

package/lib/get-source-context.js CHANGED Viewed

@@ -37,9 +37,18 @@ module.exports = function(core) {
    */
   return core.assess.getSourceContext = function getSourceContext(type, ...rest) {
     const ctx = sources.getStore()?.assess;
+    // <unsafe>
+    // This method is expected to be called by all Assess instrumentation components prior to doing work.
+    // Until we check policy, and whether instrumentation is locked, any instrumentation that is called before
+    // the </unsafe> section below will result in infinite recursion.
+    //
+    // E.g. Uncommenting any line below will cause a stack overflow:
+    // 'asdf'.concat()
+    // console.log() // even though this is deadzoned, we haven't checked whether instrumentation is locked yet
+    //
     // policy will not exist if assess is altogether disabled for the active request e.g. url exclusion
     if (!ctx?.policy || instrumentation.isLocked()) return null;
+    // </unsafe> but still be careful
     switch (type) {
       case InstrumentationType.PROPAGATOR: {