@contrast/assess 1.31.0 → 1.33.0

package/lib/get-source-context.test.js

@@ -0,0 +1,108 @@
+'use strict';
+
+const { expect } = require('chai');
+const { Event } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const {
+  InstrumentationType: { SOURCE, PROPAGATOR, RULE }
+} = require('./constants');
+
+describe('assess getSourceContext', function () {
+  let core, simulateRequestScope;
+
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+  });
+
+  function execStoreAssertions(assessStore) {
+    expect(assessStore).to.be.an('object').and.deep.include({
+      reqData: {
+        ip: '127.0.0.1',
+        httpVersion: '1.1',
+        method: 'get',
+        headers: {
+          'content-type': 'text/html',
+          language: 'en',
+          referer: 'http://fake.url.foo',
+        },
+        uriPath: '/index',
+        queries: '_id=123',
+        contentType: 'text/html'
+      },
+      responseData: {},
+      sourceEventsCount: 0,
+      propagationEventsCount: 0,
+    });
+    expect(assessStore.policy.enabledRules).to.have.length.greaterThan(5);
+  }
+
+  it('returns `null` when not in request scope', function() {
+    expect(core.assess.getSourceContext()).to.be.null;
+  });
+
+  describe('getSourceContext()', function() {
+    it('returns assess store when in request scope', function() {
+      simulateRequestScope(() => {
+        execStoreAssertions(core.assess.getSourceContext());
+      });
+    });
+  });
+
+  describe('.getSourceContext(SOURCE?)', function() {
+    it('returns assess store when max source event threshold is not met', function() {
+      simulateRequestScope(() => {
+        execStoreAssertions(core.assess.getSourceContext(SOURCE));
+      });
+    });
+
+    it('returns `null` when max source event threshold is exceeded', function() {
+      simulateRequestScope(() => {
+        core.config.setValue('assess.max_context_source_events', 10);
+        core.scopes.sources.getStore().assess.sourceEventsCount = 11;
+        expect(core.assess.getSourceContext(SOURCE)).to.be.null;
+      });
+    });
+  });
+
+  describe('.getSourceContext(PROPAGATOR?)', function() {
+    it('returns assess store when max propagation event threshold is not met', function() {
+      simulateRequestScope(() => {
+        execStoreAssertions(core.assess.getSourceContext(SOURCE));
+      });
+    });
+
+    it('returns `null` when max propagation event threshold is exceeded', function() {
+      simulateRequestScope(() => {
+        core.config.setValue('assess.max_propagation_events', 10);
+        core.scopes.sources.getStore().assess.propagationEventsCount = 11;
+        expect(core.assess.getSourceContext(PROPAGATOR)).to.be.null;
+      });
+    });
+  });
+
+  describe('.getSourceContext(SINK?, ruleId?)', function() {
+    it('returns assess store when ruleId is not passed', function() {
+      simulateRequestScope(() => {
+        execStoreAssertions(core.assess.getSourceContext(RULE));
+      });
+    });
+
+    it('returns assess store when ruleId provided is enabled in the policy', function() {
+      simulateRequestScope(() => {
+        execStoreAssertions(core.assess.getSourceContext(RULE, 'reflected-xss'));
+      });
+    });
+
+    it('returns `null` when ruleId provided is not enabled in the policy', function() {
+      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
+        assess: {
+          ['reflected-xss']: { enable: false },
+        }
+      });
+
+      simulateRequestScope(() => {
+        expect(core.assess.getSourceContext(RULE, 'reflected-xss')).to.be.null;
+      });
+    });
+  });
+});

package/lib/index.test.js

@@ -0,0 +1,41 @@
+'use strict';
+
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const mocks = require('@contrast/test/mocks');
+
+const moduleMock = (moduleName, mock) => (deps) => {
+  deps.assess[moduleName] = mock[moduleName];
+};
+
+describe('assess', function () {
+  let core, assessMock, assessModule, modulesWithInstall;
+
+  beforeEach(function () {
+    assessMock = mocks.assess();
+    core = mocks.core();
+    core.config = mocks.config();
+    core.logger = mocks.logger();
+    core.rewriter = mocks.rewriter();
+    core.scopes = mocks.scopes();
+    core.config.assess.enable = true;
+
+    assessModule = proxyquire('.', {
+      './session-configuration': moduleMock('sessionConfiguration', assessMock),
+      './dataflow': moduleMock('dataflow', assessMock),
+      './response-scanning': moduleMock('responseScanning', assessMock),
+      './crypto-analysis': moduleMock('cryptoAnalysis', assessMock),
+    });
+    modulesWithInstall = ['sessionConfiguration', 'dataflow', 'responseScanning', 'cryptoAnalysis'];
+  });
+
+  it('installs the components', function () {
+    core.config.getEffectiveValue.withArgs('assess.enable').returns(true);
+
+    assessModule(core).install();
+    modulesWithInstall.forEach((module) => {
+      expect(assessMock[module].install).to.have.been.calledOnce;
+    });
+    expect(core.rewriter.install).to.have.been.calledWith('assess');
+  });
+});

package/lib/make-source-context.test.js

@@ -0,0 +1,50 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const mocks = require('@contrast/test/mocks');
+
+
+describe('assess makeSourceContext', function () {
+  let core;
+
+  beforeEach(function () {
+    ({ core } = initAssessFixture());
+  });
+
+  it('will return `null` and log error when passed insufficient parameters', function() {
+    const assessCtx = core.assess.makeSourceContext({}, {});
+    expect(assessCtx).to.be.null;
+    expect(core.logger.error).to.have.been.calledWithMatch({
+      err: sinon.match.has('message'),
+    }, 'unable to construct assess store. assess will be disabled for request.');
+  });
+
+  it('construct the store correctly given req and res', function() {
+    const req = mocks.incomingMessage();
+    const res = {};
+
+    const assessCtx = core.assess.makeSourceContext(req, res);
+
+    expect(assessCtx).to.deep.include({
+      propagationEventsCount: 0,
+      sourceEventsCount: 0,
+      reqData: {
+        contentType: 'text/html',
+        headers: {
+          'content-type': 'text/html',
+          referer: 'http://fake.url.foo',
+          language: 'en',
+        },
+        httpVersion: '1.1',
+        ip: '127.0.0.1',
+        method: 'get',
+        queries: '_id=123',
+        uriPath: '/index',
+      },
+      responseData: {},
+    });
+    expect(assessCtx.policy.enabledRules).to.have.length.greaterThan(5);
+  });
+});

package/lib/response-scanning/handlers/index.test.js

@@ -0,0 +1,425 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+const handlers = require('.');
+
+describe('assess response scanning handlers', function () {
+  let core,
+    simulateRequestScope,
+    reportFindings,
+    handleAutoCompleteMissing,
+    handleCacheControlsMissing,
+    handleClickJackingControlsMissing,
+    handleParameterPollution,
+    handleCspHeader,
+    handleHstsHeaderMissing,
+    handleXPoweredByHeader,
+    handleXContentTypeHeaderMissing,
+    handleXxsProtectionHeaderDisabled;
+
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+
+    sinon.stub(core.assess.responseScanning, 'reportFindings');
+
+    ({
+      handleAutoCompleteMissing,
+      handleCacheControlsMissing,
+      handleClickJackingControlsMissing,
+      handleParameterPollution,
+      handleCspHeader,
+      handleHstsHeaderMissing,
+      handleXPoweredByHeader,
+      handleXContentTypeHeaderMissing,
+      handleXxsProtectionHeaderDisabled,
+      reportFindings,
+    } = handlers(core));
+  });
+
+  describe('handleAutoCompleteMissing', function () {
+    const responseHeaders = { 'content-type': 'text/html' };
+
+    it('returns undefined if we are not checking html content', function () {
+      simulateRequestScope(() => {
+        handleAutoCompleteMissing(core.assess.getSourceContext(), {
+          responseHeaders: { 'content-type': 'application/json' },
+          responseBody: 'test'
+        });
+
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+
+    it('does not report anything if the auto-complete options is set to "off"', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleAutoCompleteMissing(sc, { responseHeaders, responseBody: '<form autocomplete="off"></form>' });
+
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+
+    it('reports when the auto-complete option is not set to "off"', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleAutoCompleteMissing(
+          sc,
+          responseHeaders,
+          '<form autocomplete="off"></form><form></form><form autocomplete="o"></form>'
+        );
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'autocomplete-missing',
+          vulnerabilityMetadata: {
+            attribute: undefined,
+            html: '&lt;form&gt;',
+            start: 0,
+            end: 6
+          }
+        });
+      });
+    });
+  });
+
+  describe('handleCacheControlsMissing', function () {
+    it('does not report anything if there is no body and the result is parsable', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+
+        handleCacheControlsMissing(sc, {}, '');
+
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+
+    it('does not report if there are cache control headers', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleCacheControlsMissing(
+          sc,
+          { 'cache-control': 'no-cache; no-store' },
+          'test'
+        );
+
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+
+    it('reports if there is a pragma header', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleCacheControlsMissing(
+          sc,
+          { pragma: 'no-cache' },
+          'test'
+        );
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'cache-controls-missing',
+          vulnerabilityMetadata: {
+            data: JSON.stringify([{ type: 'Header', name: 'pragma', value: 'no-cache' }])
+          }
+        });
+      });
+    });
+
+    it('reports the cache-control header and the meta tags if they are not fully safe', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleCacheControlsMissing(
+          sc,
+          { 'cache-control': 'no-store' },
+          '<meta http-equiv="cache-control">'
+        );
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'cache-controls-missing',
+          vulnerabilityMetadata: {
+            data: JSON.stringify([
+              { type: 'Header', name: 'cache-control', value: 'no-store' },
+              { type: 'META tag', name: 'cache-control', value: '<meta http-equiv="cache-control">' },
+            ])
+          }
+        });
+      });
+    });
+  });
+
+  describe('handleClickJackingControlsMissing', function () {
+    it('does not report when we have the correct x-frame-options header', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleClickJackingControlsMissing(sc, {
+          'x-frame-options': 'DENY'
+        });
+        handleClickJackingControlsMissing(sc, {
+          'x-frame-options': 'SAMEORIGIN'
+        });
+
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+
+    it('reports when there is no x-frame-options header', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleClickJackingControlsMissing(sc, {});
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'clickjacking-control-missing'
+        });
+      });
+    });
+
+    it('reports when the x-frame-options header is with a not safe value', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleClickJackingControlsMissing(sc, {
+          'x-frame-options': 'ALLOW-FROM origin'
+        });
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'clickjacking-control-missing'
+        });
+      });
+    });
+  });
+
+  describe('handleParameterPollution', function () {
+    it('does not report if all form elements have an action attribute', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+
+        handleParameterPollution(sc, '<form action="foo.com"></form><form action="bar.com"></form>');
+
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+
+    it('reports when one of the form elements does not have an acton attribute', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleParameterPollution(sc, '<form action="foo.com"></form><form></form>');
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'parameter-pollution',
+          vulnerabilityMetadata: {
+            attribute: undefined,
+            html: '&lt;form&gt;'
+          }
+        });
+      });
+    });
+  });
+
+  describe('handleCspHeader', function () {
+    it('does not report when we have a secure csp header', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleCspHeader(sc, {
+          'content-security-policy': 'default-src "self"; base-uri "foobar"; form-action "foobar"; frame-ancestors "foobar"; plugin-types "foobar"'
+        });
+
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+
+    it('reports when there are no csp headers', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+
+        handleCspHeader(sc, {});
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'csp-header-missing'
+        });
+      });
+    });
+
+    it('reports whent the csp headers are not all secure', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleCspHeader(sc, {
+          'content-security-policy': 'default-src "self"; form-action "foobar"; frame-ancestors "foobar"; plugin-types "foobar"'
+        });
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'csp-header-insecure',
+          vulnerabilityMetadata: {
+            data: JSON.stringify({
+              defaultSrcSecure: true,
+              defaultSrcValue: '"self"',
+              baseUriSecure: false,
+              baseUriValue: '',
+              childSrcSecure: true,
+              childSrcValue: '',
+              connectSrcSecure: true,
+              connectSrcValue: '',
+              frameSrcSecure: true,
+              frameSrcValue: '',
+              mediaSrcSecure: true,
+              mediaSrcValue: '',
+              objectSrcSecure: true,
+              objectSrcValue: '',
+              scriptSrcSecure: true,
+              scriptSrcValue: '',
+              styleSrcSecure: true,
+              styleSrcValue: '',
+              formActionSecure: true,
+              formActionValue: '"foobar"',
+              frameAncestorsSecure: true,
+              frameAncestorsValue: '"foobar"',
+              pluginTypesSecure: true,
+              pluginTypesValue: '"foobar"',
+              reflectedXssSecure: true,
+              reflectedXssValue: '',
+              refererSecure: true,
+              refererValue: ''
+            })
+          }
+        });
+      });
+    });
+  });
+
+  describe('handleHstsHeaderMissing', function () {
+    it('does not report when the max age is set properly on the hsts header', function () {
+      const sc = core.assess.getSourceContext();
+      handleHstsHeaderMissing(sc, {
+        'strict-transport-security': 'max-age=1'
+      });
+
+      expect(reportFindings).to.not.have.been.called;
+    });
+
+    it('reports when the max age is not set properly on the hsts header', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleHstsHeaderMissing(sc, {
+          'strict-transport-security': 'max-age=0;'
+        });
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'hsts-header-missing',
+          vulnerabilityMetadata: { data: '0' }
+        });
+      });
+    });
+
+
+    it('reports when the hsts headers is not set at all', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleHstsHeaderMissing(sc, {});
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'hsts-header-missing',
+          vulnerabilityMetadata: { data: '' }
+        });
+      });
+    });
+  });
+
+  describe('handleXPoweredByHeader', function () {
+    it('does not report if the x-powered-by header is not set', function () {
+      simulateRequestScope(() => {
+        handleXPoweredByHeader(core.assess.getSourceContext(), {});
+
+        expect(reportFindings).to.not.have.been.called;
+      });
+    });
+
+    it('reports when the x-powered-by header is set', function () {
+      simulateRequestScope(() => {
+        const sc = core.assess.getSourceContext();
+        handleXPoweredByHeader(sc, {
+          'x-powered-by': 'nginx'
+        });
+
+        expect(reportFindings).to.have.been.calledOnceWith(sc, {
+          ruleId: 'x-powered-by-header',
+          vulnerabilityMetadata: { platform: 'nginx' }
+        });
+      });
+    });
+
+    describe('handleXContentTypeHeaderMissing', function () {
+      it('does not report if the x-content-type-options header is set to "nosniff"', function () {
+        simulateRequestScope(() => {
+          handleXContentTypeHeaderMissing(core.assess.getSourceContext(), {
+            'x-content-type-options': 'nosniff'
+          });
+
+          expect(reportFindings).to.not.have.been.called;
+        });
+      });
+
+      it('reports if the x-content-type-options header is set to an unsafe value', function () {
+        simulateRequestScope(() => {
+          const sc = core.assess.getSourceContext();
+          handleXContentTypeHeaderMissing(sc, {
+            'x-content-type-options': 'unsafe'
+          });
+
+          expect(reportFindings).to.have.been.calledOnceWith(sc, {
+            ruleId: 'xcontenttype-header-missing',
+            vulnerabilityMetadata: { data: 'unsafe' }
+          });
+        });
+      });
+
+      it('reports when the x-content-type-options header is not set', function () {
+        simulateRequestScope(() => {
+          const sc = core.assess.getSourceContext();
+          handleXContentTypeHeaderMissing(sc, {
+            responseHeaders: {}
+          });
+
+          expect(reportFindings).to.have.been.calledOnceWith(sc, {
+            ruleId: 'xcontenttype-header-missing',
+            vulnerabilityMetadata: { data: '' }
+          });
+        });
+      });
+    });
+
+    describe('handleXxsProtectionHeaderDisabled', function () {
+      it('does not report if the x-xss-protection header value starts with 1', function () {
+        simulateRequestScope(() => {
+          handleXxsProtectionHeaderDisabled(core.assess.getSourceContext(), {
+            responseHeaders: {
+              'x-xss-protection': '1'
+            }
+          });
+
+          expect(reportFindings).to.not.have.been.called;
+        });
+      });
+
+      it('reports if the x-xss-protection header is set to an unsafe value', function () {
+        simulateRequestScope(() => {
+          const sc = core.assess.getSourceContext();
+          handleXxsProtectionHeaderDisabled(sc, {
+            'x-xss-protection': '0'
+          });
+
+          expect(reportFindings).to.have.been.calledOnceWith(sc, {
+            ruleId: 'xxssprotection-header-disabled',
+            vulnerabilityMetadata: { data: '0' }
+          });
+        });
+      });
+
+      it('reports when the x-xss-protection header is not set', function () {
+        simulateRequestScope(() => {
+          const sc = core.assess.getSourceContext();
+          handleXxsProtectionHeaderDisabled(sc, {});
+
+          expect(reportFindings).not.to.have.been.called;
+        });
+      });
+    });
+  });
+});