npm - @contrast/assess - Versions diffs - 1.34.0 → 1.36.0 - Mend

@contrast/assess 1.34.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/lib/dataflow/sources/install/multer1.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 module.exports = (core) => {
@@ -23,12 +24,15 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
     scopes,
   } = core;
   function handler(req, constructorOpt) {
-    const sourceContext = scopes.sources.getStore()?.assess;
+    const sourceContext = getSourceContext(SOURCE);
     if (!sourceContext) return;
     function handle(context, data, key) {

package/lib/dataflow/sources/install/qs6.js CHANGED Viewed

@@ -16,8 +16,8 @@
 'use strict';
 const { InputType: { QUERYSTRING: inputType } } = require('@contrast/common');
-const { patchType } = require('../common');
 const { InstrumentationType: { SOURCE } } = require('../../../constants');
+const { patchType } = require('../common');
 module.exports = (core) => {
   const {

package/lib/dataflow/sources/install/querystring.js CHANGED Viewed

@@ -16,8 +16,8 @@
 'use strict';
 const { InputType } = require('@contrast/common');
-const { patchType } = require('../common');
 const { InstrumentationType: { SOURCE } } = require('../../../constants');
+const { patchType } = require('../common');
 module.exports = (core) => {
   const {

package/lib/dataflow/sources/install/restify/fieldedTextBodyParser.js CHANGED Viewed

@@ -46,10 +46,7 @@ module.exports = function init(core) {
                 data.args[2] = function contrastNext(...args) {
                   const sourceContext = getSourceContext(SOURCE);
-                  if (!sourceContext) {
-                    logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                    return next(...args);
-                  }
+                  if (!sourceContext) return next(...args);
                   if (sourceContext.parsedBody) {
                     logger.trace({ funcKey }, 'values already tracked');

package/lib/dataflow/sources/install/restify/fieldedTextBodyParser.test.js CHANGED Viewed

@@ -29,20 +29,18 @@ describe('assess dataflow sources restify fieldedTextBodyParser', function () {
     middleware = fieldedTextBodyParserStub();
   });
-  it('does not call `handle` when not in context', function () {
+  it('does not call `handle` when there is no assess policy in request context', function () {
     simulateRequestScope(() => {
       middleware(req, res, next);
       expect(handle).not.to.have.been.called;
-      expect(core.logger.error).to.have.been.calledWith(
-        { funcKey: 'assess-dataflow-source:restify.plugins.fieldedTextBodyParser.parseFieldedText' },
-        'unable to handle source. Missing `sourceContext`'
-      );
-    }, {});
+    }, { assess: { policy: null } });
   });
-  it('does not call `handle` when body is already tracked', function () {
+  it('does not handle source when body is already tracked', function () {
     simulateRequestScope(() => {
+      core.scopes.sources.getStore().assess.parsedBody = true;
       middleware(req, res, next);
       expect(handle).not.to.have.been.called;
@@ -50,7 +48,7 @@ describe('assess dataflow sources restify fieldedTextBodyParser', function () {
         { funcKey: 'assess-dataflow-source:restify.plugins.fieldedTextBodyParser.parseFieldedText' },
         'values already tracked'
       );
-    }, { assess: { parsedBody: true } });
+    });
   });
   it('calls `handle` appropriately', function () {

package/lib/dataflow/sources/install/restify/jsonBodyParser.js CHANGED Viewed

@@ -51,7 +51,6 @@ module.exports = function init(core) {
                   const sourceContext = getSourceContext(SOURCE);
                   if (!sourceContext) {
-                    logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
                     return next(...args);
                   }

package/lib/dataflow/sources/install/restify/jsonBodyParser.test.js CHANGED Viewed

@@ -31,24 +31,20 @@ describe('assess dataflow sources restify jsonBodyParser', function () {
     init(core).install();
   });
-  it('does not call `handle` when not in context', function () {
+  it('does not handle source when there is no assess policy in request context', function () {
     const [, middleware] = jsonBodyParserStub();
     simulateRequestScope(() => {
       middleware(req, res, next);
       expect(handle).not.to.have.been.called;
-      expect(core.logger.error).to.have.been.calledWith(
-        { funcKey: 'assess-dataflow-source:restify.plugins.jsonBodyParser.parseJson' },
-        'unable to handle source. Missing `sourceContext`'
-      );
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('does not call `handle` when body is already tracked', function () {
     const [, middleware] = jsonBodyParserStub();
     simulateRequestScope(() => {
+      core.scopes.sources.getStore().assess.parsedBody = true;
       middleware(req, res, next);
       expect(handle).not.to.have.been.called;
@@ -56,7 +52,7 @@ describe('assess dataflow sources restify jsonBodyParser', function () {
         { funcKey: 'assess-dataflow-source:restify.plugins.jsonBodyParser.parseJson' },
         'values already tracked'
       );
-    }, { assess: { parsedBody: true } });
+    });
   });
   it('calls `handle` appropriately', function () {

package/lib/dataflow/sources/install/restify/router.test.js CHANGED Viewed

@@ -23,7 +23,7 @@ describe('assess dataflow sources restify router', function () {
     init(core).install();
   });
-  it('does not call `handle` when not in context', function () {
+  it('does not call `handle` when there is no assess policy in request context', function () {
     simulateRequestScope(() => {
       Router.prototype.lookup(req);
@@ -32,7 +32,7 @@ describe('assess dataflow sources restify router', function () {
         { funcKey: 'assess-dataflow-source:restify.Router.prototype.lookup' },
         'unable to handle source. Missing `sourceContext`'
       );
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('does not call `handle` when body is already tracked', function () {

package/lib/dataflow/tag-utils.js CHANGED Viewed

@@ -14,7 +14,7 @@
  */
 'use strict';
-const { StringPrototypeSplit } = require('@contrast/common');
+const { primordials: { StringPrototypeSplit } } = require('@contrast/common');
 //
 // This module implements tag range manipulation functions. There are generally

package/lib/dataflow/tracker.js CHANGED Viewed

@@ -16,7 +16,7 @@
 'use strict';
 const distringuish = require('@contrast/distringuish');
-const { BufferPrototypeToString, BufferFrom, isString } = require('@contrast/common');
+const { primordials: { BufferPrototypeToString, BufferFrom }, isString } = require('@contrast/common');
 module.exports = function tracker(core) {
   const {

package/lib/dataflow/utils/is-safe-content-type.js CHANGED Viewed

@@ -13,7 +13,7 @@
  * way not consistent with the End User License Agreement.
  */
 'use strict';
+const { primordials: { ArrayPrototypeJoin, RegExpPrototypeTest } } = require('@contrast/common');
 const SAFE_XSS_CONTENT_TYPES = [
   '/json',
   '/x-json',
@@ -22,9 +22,10 @@ const SAFE_XSS_CONTENT_TYPES = [
   '/pdf',
   '/csv'
 ];
+const SAFE_XSS_REGEX = new RegExp(ArrayPrototypeJoin.call(SAFE_XSS_CONTENT_TYPES, '|'));
 function isSafeContentType(contentType) {
-  return new RegExp(SAFE_XSS_CONTENT_TYPES.join('|')).test(contentType);
+  return RegExpPrototypeTest.call(SAFE_XSS_REGEX, contentType);
 }
 module.exports = { isSafeContentType, SAFE_XSS_CONTENT_TYPES };

package/lib/event-factory.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { InputType, StringPrototypeMatch } = require('@contrast/common');
+const { InputType, primordials: { StringPrototypeMatch } } = require('@contrast/common');
 const ANNOTATION_REGEX = /^(A|O|R|P|P\d+)$/;
 const SOURCE_EVENT_MSG = 'Source event not created: %s';
 const PROPAGATION_EVENT_MSG = 'Propagation event not created: %s';
@@ -183,7 +183,7 @@ module.exports = function (core) {
       return null;
     }
     if (
-      (!source || !source.match(ANNOTATION_REGEX))
+      (!source || !StringPrototypeMatch.call(source, ANNOTATION_REGEX))
     ) {
       logger.debug({ name }, 'malformed or missing sink event source field');
       return null;
@@ -237,7 +237,7 @@ module.exports = function (core) {
     }
     if (
-      (!source || !source.match(ANNOTATION_REGEX))
+      (!source || !StringPrototypeMatch.call(source, ANNOTATION_REGEX))
     ) {
       logger.debug({ name }, 'malformed or missing sink event source field');
       return null;
@@ -299,7 +299,7 @@ module.exports = function (core) {
       return null;
     }
-    if (!source || !source.match(ANNOTATION_REGEX)) {
+    if (!source || !StringPrototypeMatch.call(source, ANNOTATION_REGEX)) {
       logger.debug({ name }, 'malformed or missing sink event source field');
       return null;
     }

package/lib/event-factory.test.js CHANGED Viewed

@@ -199,14 +199,16 @@ testMethod('assess event-factory', function () {
       });
     });
-    it('returns an event without stacktrace generator function when stacktraces option is not set to "ALL"', function () {
-      core.config.assess.stacktraces = 'SOME';
-      core.scopes.sources.run(validStore, function () {
-        const result = createPropagationEvent(validData);
+    ['SOME', 'SINK', 'NONE'].forEach((option) => {
+      it(`returns an event without stacktrace generator function when stacktraces option is not set to "ALL" and set to ${option}`, function () {
+        core.config.assess.stacktraces = option;
+        core.scopes.sources.run(validStore, function () {
+          const result = createPropagationEvent(validData);
-        expect(result).to.be.like(validResult);
-        expect(result.time).not.to.be.undefined;
-        expect(result.stack).to.deep.equal([]);
+          expect(result).to.be.like(validResult);
+          expect(result.time).not.to.be.undefined;
+          expect(result.stack).to.deep.equal([]);
+        });
       });
     });
   });
@@ -296,14 +298,17 @@ testMethod('assess event-factory', function () {
       });
     });
-    it('returns an event with stacktrace generator function when stacktraces option is not set to "NONE"', function () {
-      core.config.assess.stacktraces = 'ALL';
-      core.scopes.sources.run(validStore, function () {
-        const result = createSinkEvent(validData);
+    ['ALL', 'SOME', 'SINK'].forEach((option) => {
+      it(`returns an event with stacktrace generator function when stacktraces option is not set to "NONE" and set to ${option}`, function () {
+        core.config.assess.stacktraces = option;
+        core.scopes.sources.run(validStore, function () {
+          const result = createSinkEvent(validData);
-        expect(result).to.be.like(validResult);
-        expect(result.time).not.to.be.undefined;
-        expect(result.stack).to.be.instanceOf(Array);
+          expect(result).to.be.like(validResult);
+          expect(result.time).not.to.be.undefined;
+          expect(result.stack).to.be.instanceOf(Array);
+          expect(result.stack.length).to.be.greaterThan(0);
+        });
       });
     });

package/lib/get-policy.js CHANGED Viewed

@@ -22,7 +22,7 @@ const {
   Rule,
   ResponseScanningRule,
   SessionConfigurationRule,
-  ArrayPrototypeJoin,
+  primordials: { ArrayPrototypeJoin, RegExpPrototypeTest }
 } = require('@contrast/common');
 const ASSESS_RULES = Object.values({
@@ -323,7 +323,7 @@ class InputExclusion extends UrlExclusion {
   matchesInputName(name) {
     // BODY and QUERYSTRING always match since they apply broadly
     if (!this._inputName && !this._inputNameRegex) return true;
-    return this._inputNameRegex ? this._inputNameRegex.test(name) : this._inputName === name;
+    return this._inputNameRegex ? RegExpPrototypeTest.call(this._inputNameRegex, name) : this._inputName === name;
   }
 }

package/lib/index.d.ts CHANGED Viewed

@@ -12,17 +12,22 @@
  * engineered, modified, repackaged, sold, redistributed or otherwise used in a
  * way not consistent with the End User License Agreement.
  */
-import { IncomingMessage, ServerResponse } from 'node:http';
-import {
-  Rule,
-  SessionConfigurationRule,
-} from '@contrast/common';
+import { Rule, SessionConfigurationRule } from '@contrast/common';
+import { Config } from '@contrast/config';
 import { Core as _Core } from '@contrast/core';
+import { Deadzones } from '@contrast/deadzones';
+import { DepHooks } from '@contrast/dep-hooks';
+import { Logger } from '@contrast/logger';
+import { Patcher } from '@contrast/patcher';
+import { ReporterBus } from '@contrast/reporter';
+import { Rewriter } from '@contrast/rewriter';
+import { Scopes } from '@contrast/scopes';
+import { IncomingMessage, ServerResponse } from 'node:http';
 export interface Core extends _Core {
   config: Config;
   logger: Logger;
-  depHooks: RequireHook;
+  depHooks: DepHooks;
   patcher: Patcher
   rewriter: Rewriter;
   scopes: Scopes;

package/lib/index.js CHANGED Viewed

@@ -19,16 +19,22 @@ const { inspect } = require('util');
 const { callChildComponentMethodsSync } = require('@contrast/common');
 module.exports = function assess(core) {
-  const { scopes: { instrumentation } } = core;
+  const {
+    config,
+    sources,
+    scopes: { instrumentation }
+  } = core;
   const assess = core.assess = {
     install() {
-      if (!core.config.getEffectiveValue('assess.enable')) {
+      if (!config.getEffectiveValue('assess.enable')) {
         core.logger.debug('assess is disabled, skipping installation');
         return;
       }
+      // configure rewriter
       core.rewriter.install('assess');
+      // dispatch subcomponent installation
       callChildComponentMethodsSync(core.assess, 'install');
     },
   };
@@ -43,19 +49,24 @@ module.exports = function assess(core) {
       instrumentation.run(store, inspect, val, opts);
   };
-  require('./rule-scopes')(core);
+  // ancillary tools used by different features
+  require('./sampler')(core);
   require('./get-policy')(core);
   require('./make-source-context')(core);
+  require('./rule-scopes')(core);
   require('./get-source-context')(core);
   require('./event-factory')(core);
-  require('./crypto-analysis')(core);
+  // various Assess features
   require('./dataflow')(core);
+  require('./crypto-analysis')(core);
   require('./response-scanning')(core);
   require('./session-configuration')(core);
-  // todo
-  // crypto rule implementations
-  // static rule implementations in coordination with (CLI) rewriter
+  // append async state to sources store when request-scope sources are created
+  sources.addHook('onSource', (ctx) => {
+    ctx.store.assess = assess.makeSourceContext(ctx);
+  });
   return assess;
 };

package/lib/index.test.js CHANGED Viewed

@@ -1,6 +1,7 @@
 'use strict';
 const { expect } = require('chai');
+const sinon = require('sinon');
 const proxyquire = require('proxyquire');
 const mocks = require('@contrast/test/mocks');
@@ -19,6 +20,9 @@ describe('assess', function () {
     core.rewriter = mocks.rewriter();
     core.scopes = mocks.scopes();
     core.config.assess.enable = true;
+    core.sources = {
+      addHook: sinon.stub(),
+    };
     assessModule = proxyquire('.', {
       './session-configuration': moduleMock('sessionConfiguration', assessMock),

package/lib/make-source-context.js CHANGED Viewed

@@ -15,8 +15,7 @@
 'use strict';
-const { StringPrototypeToLowerCase } = require('@contrast/common');
+const { primordials: { StringPrototypeToLowerCase, StringPrototypeSlice } } = require('@contrast/common');
 /**
  * @param {{
  *  assess: import('@contrast/assess').Assess,
@@ -24,46 +23,56 @@ const { StringPrototypeToLowerCase } = require('@contrast/common');
  * }} core
  */
 module.exports = function(core) {
-  const {
-    assess: { getPolicy },
-    logger,
-  } = core;
+  const { assess, logger } = core;
   /**
    * @returns {import('@contrast/assess').SourceContext}
    */
-  return core.assess.makeSourceContext = function (req, res) {
-    let contentType, queries, uriPath;
+  return core.assess.makeSourceContext = function (sourceData) {
     try {
-      const ix = req.url.indexOf('?');
-      if (ix >= 0) {
-        uriPath = req.url.slice(0, ix);
-        queries = req.url.slice(ix + 1);
+      // todo: how to handle non-HTTP sources
+      const { incomingMessage: req } = sourceData;
+      // minimally process the request data for sampling and exclusions.
+      // more request fields will be appended in final result below.
+      let uriPath;
+      let queries;
+      const idx = req.url.indexOf('?');
+      if (idx >= 0) {
+        uriPath = StringPrototypeSlice.call(req.url, 0, idx);
+        queries = StringPrototypeSlice.call(req.url, idx + 1);
       } else {
         uriPath = req.url;
         queries = '';
       }
-      // copy to avoid storing tracked values
-      const headers = { ...req.headers };
-      if (headers['content-type']) {
-        contentType = StringPrototypeToLowerCase.call(headers['content-type']);
-      }
+      const ctx = sourceData.store.assess = {
+        // default policy to `null` until it is set later below. this will cause
+        // all instrumentation to short-circuit, see `./get-source-context.js`.
+        policy: null,
+        reqData: { uriPath, queries },
+      };
+      // check whether sampling allows processing
+      ctx.sampleInfo = assess.sampler?.getSampleInfo?.(sourceData) ?? null;
+      if (ctx.sampleInfo?.canSample === false) return ctx;
+      // set policy - can be returned as `null` if request is url-excluded.
+      ctx.policy = assess.getPolicy(ctx.reqData);
+      if (!ctx.policy) return ctx;
+      // build remaining reqData
+      ctx.reqData.headers = { ...req.headers }; // copy to avoid storing tracked values
+      ctx.reqData.ip = req.socket.remoteAddress;
+      ctx.reqData.httpVersion = req.httpVersion;
+      ctx.reqData.method = req.method;
+      if (ctx.reqData.headers['content-type'])
+        ctx.reqData.contentType = StringPrototypeToLowerCase.call(ctx.reqData.headers['content-type']);
       return {
+        ...ctx,
         propagationEventsCount: 0,
         sourceEventsCount: 0,
-        policy: getPolicy({ uriPath }),
-        reqData: {
-          ip: req.socket.remoteAddress,
-          httpVersion: req.httpVersion,
-          method: req.method,
-          headers,
-          uriPath,
-          queries,
-          contentType,
-        },
         responseData: {},
         ruleState: {},
       };

package/lib/make-source-context.test.js CHANGED Viewed

@@ -5,7 +5,6 @@ const sinon = require('sinon');
 const { initAssessFixture } = require('@contrast/test/fixtures');
 const mocks = require('@contrast/test/mocks');
 describe('assess makeSourceContext', function () {
   let core;
@@ -14,7 +13,7 @@ describe('assess makeSourceContext', function () {
   });
   it('will return `null` and log error when passed insufficient parameters', function() {
-    const assessCtx = core.assess.makeSourceContext({}, {});
+    const assessCtx = core.assess.makeSourceContext({});
     expect(assessCtx).to.be.null;
     expect(core.logger.error).to.have.been.calledWithMatch({
       err: sinon.match.has('message'),
@@ -22,13 +21,14 @@ describe('assess makeSourceContext', function () {
   });
   it('construct the store correctly given req and res', function() {
-    const req = mocks.incomingMessage();
-    const res = {};
-    const assessCtx = core.assess.makeSourceContext(req, res);
+    const mockSourceData = {
+      store: {},
+      incomingMessage: mocks.incomingMessage()
+    };
+    const assessCtx = core.assess.makeSourceContext(mockSourceData);
     expect(assessCtx).to.deep.include({
       propagationEventsCount: 0,
+      sampleInfo: null,
       sourceEventsCount: 0,
       reqData: {
         contentType: 'text/html',

package/lib/response-scanning/handlers/index.js CHANGED Viewed

@@ -16,10 +16,12 @@
 'use strict';
 const {
-  StringPrototypeToLowerCase,
-  JSONStringify,
-  StringPrototypeSubstring,
-  ResponseScanningRule
+  primordials: {
+    StringPrototypeToLowerCase,
+    JSONStringify,
+    StringPrototypeSubstring,
+  },
+  ResponseScanningRule,
 } = require('@contrast/common');
 const {
   escapeHtml,
@@ -201,7 +203,7 @@ module.exports = function(core) {
       reportFindings(sourceContext, {
         ruleId: ResponseScanningRule.CSP_HEADER_INSECURE,
-        vulnerabilityMetadata: { data: JSON.stringify(vulnerabilityMetadata) }
+        vulnerabilityMetadata: { data: JSONStringify(vulnerabilityMetadata) }
       });
     }
   };

package/lib/response-scanning/handlers/utils.js CHANGED Viewed

@@ -16,12 +16,15 @@
 'use strict';
 const {
-  ArrayPrototypeJoin,
-  StringPrototypeSubstring,
-  StringPrototypeToLowerCase,
-  StringPrototypeSplit,
-  StringPrototypeTrim,
-  StringPrototypeReplace
+  primordials: {
+    ArrayPrototypeJoin,
+    StringPrototypeSubstring,
+    StringPrototypeToLowerCase,
+    StringPrototypeSplit,
+    StringPrototypeTrim,
+    StringPrototypeReplace,
+    RegExpPrototypeTest
+  }
 } = require('@contrast/common');
 //
@@ -38,7 +41,7 @@ const reUnescapedHtml = /[&<>"']/g;
 const reHasUnescapedHtml = RegExp(reUnescapedHtml.source);
 function escapeHtml(string) {
-  return (string && reHasUnescapedHtml.test(string))
+  return (string && RegExpPrototypeTest.call(reHasUnescapedHtml, string))
     ? StringPrototypeReplace.call(string, reUnescapedHtml, (chr) => htmlEscapes[chr])
     : (string || '');
 }
@@ -257,7 +260,7 @@ function isSrcSecure(sources, defaultSources) {
 function isSourceSecure(sources) {
   return (
     sources.length > 0 &&
-    sources.every((source) => !!source && !/\*/.test(source))
+    sources.every((source) => !!source && !RegExpPrototypeTest.call(/\*/, source))
   );
 }

package/lib/response-scanning/install/http.js CHANGED Viewed

@@ -15,7 +15,7 @@
 'use strict';
-const { StringPrototypeSplit, StringPrototypeSubstring, StringPrototypeToLowerCase, StringPrototypeTrim } = require('@contrast/common');
+const { primordials: { StringPrototypeSplit, StringPrototypeSubstring, StringPrototypeToLowerCase, StringPrototypeTrim } } = require('@contrast/common');
 /**
  * @param {{