@contrast/assess 1.31.0 → 1.33.0

package/lib/session-configuration/install/koa.test.js

@@ -0,0 +1,92 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { SessionConfigurationRule } = require('@contrast/common');
+const { initAssessFixture } = require('@contrast/test/fixtures');
+
+const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
+
+describe('assess sessionConfiguration Koa', function () {
+  let core,
+    simulateRequestScope,
+    koaMock,
+    ctxMock,
+    patchedMiddleware;
+
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initAssessFixture());
+
+    koaMock = {
+      prototype: {
+        middleware: [],
+        use: (fn) => {
+          koaMock.prototype.middleware.push(fn);
+        },
+      }
+    };
+
+    ctxMock = function() {};
+    ctxMock.cookies = { set: sinon.stub() };
+
+    core.depHooks.resolve
+      .withArgs({ name: 'koa', version: '>=2.3.0' })
+      .yields(koaMock);
+
+    sinon.stub(core.assess.sessionConfiguration, 'reportFindings');
+    core.assess.sessionConfiguration.koa.install();
+
+    koaMock.prototype.use(ctxMock);
+    [patchedMiddleware] = koaMock.prototype.middleware;
+    patchedMiddleware(ctxMock);
+  });
+
+  it('will not report if instrumentation runs outside of request scope', function() {
+    patchedMiddleware(ctxMock);
+    ctxMock.cookies.set('cookie', 'foo', { secure: false });
+    expect(core.assess.sessionConfiguration.reportFindings).not.to.have.been.called;
+  });
+
+  it('will not report when both options are set to true', function() {
+    simulateRequestScope(() => {
+      ctxMock.cookies.set('cookie', 'foo', { httpOnly: true, secure: true });
+      expect(core.assess.sessionConfiguration.reportFindings).not.to.have.been.called;
+    });
+  });
+
+  it('reports httponly when option is set to false', function() {
+    simulateRequestScope(() => {
+      ctxMock.cookies.set('cookie', 'foo', { httpOnly: false });
+      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+        ruleId: HTTPONLY,
+        sinkEvent: sinon.match({
+          context: 'ctx.cookies.set({ httpOnly: false })',
+        }),
+      });
+    });
+  });
+
+  it('reports secure-flag-missing when option is set to false', function() {
+    simulateRequestScope(() => {
+      ctxMock.cookies.set('cookie', 'foo', { secure: false });
+      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+        ruleId: SECURE_FLAG_MISSING,
+        sinkEvent: sinon.match({
+          context: 'ctx.cookies.set({ secure: false })',
+        }),
+      });
+    });
+  });
+
+  it('reports httponly and secure-flag-missing when options are not set', function() {
+    simulateRequestScope(() => {
+      ctxMock.cookies.set('cookie', 'foo');
+      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+        ruleId: HTTPONLY
+      });
+      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
+        ruleId: SECURE_FLAG_MISSING
+      });
+    });
+  });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.31.0",
+  "version": "1.33.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -17,7 +17,7 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/common": "1.22.0",
+    "@contrast/common": "1.24.0",
     "@contrast/distringuish": "^5.0.0",
     "@contrast/scopes": "1.4.1"
   }