npm - @contrast/assess - Versions diffs - 1.35.0 → 1.36.0 - Mend

@contrast/assess 1.35.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (168) hide show

package/lib/dataflow/sources/install/express/params.js CHANGED Viewed

@@ -16,10 +16,16 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function init(core) {
-  const { depHooks, patcher, logger } = core;
+  const {
+    logger,
+    patcher,
+    depHooks,
+    assess: { getSourceContext },
+  } = core;
   core.assess.dataflow.sources.expressInstrumentation.params = {
     install() {
@@ -31,20 +37,17 @@ module.exports = function init(core) {
             name,
             patchType,
             post({ obj: layer, result, orig, hooked, funcKey }) {
               // we can exit early if
               //  the layer doesn't match the request or
               //  the layer doesn't recognize any parameters
-              if (!result || !layer.keys || layer.keys.length === 0) {
-                return;
-              }
+              if (
+                !result ||
+                !layer.keys ||
+                layer.keys.length === 0
+              ) return;
-              const sourceContext = core.scopes.sources.getStore()?.assess;
-              if (!sourceContext) {
-                logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                return;
-              }
+              const sourceContext = getSourceContext(SOURCE)
+              if (!sourceContext) return;
               if (sourceContext.parsedParams) {
                 logger.trace({ funcKey }, 'values already tracked');

package/lib/dataflow/sources/install/express/params.test.js CHANGED Viewed

@@ -65,20 +65,18 @@ describe('assess dataflow sources express params', function () {
     });
   });
-  it('does not call `.handle` when not in context', function () {
+  it('does not handle when there is no assess policy in request context', function () {
     simulateRequestScope(() => {
       Reflect.apply(Layer.prototype.match, layer, ['/bar']);
       expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-      expect(core.logger.error).to.have.been.calledWith(
-        { funcKey: 'assess-dataflow-source:Layer.prototype.match' },
-        'unable to handle source. Missing `sourceContext`'
-      );
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('does not call `.handle` when the values are already tracked', function () {
     simulateRequestScope(() => {
+      core.scopes.sources.getStore().assess.parsedParams = true;
       Reflect.apply(Layer.prototype.match, layer, ['/bar']);
       expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
@@ -86,7 +84,7 @@ describe('assess dataflow sources express params', function () {
         { funcKey: 'assess-dataflow-source:Layer.prototype.match' },
         'values already tracked'
       );
-    }, { assess: { parsedParams: true } });
+    });
   });
   it('handles a case with an error in the `.handle` method', function () {

package/lib/dataflow/sources/install/express/parsedUrl.js CHANGED Viewed

@@ -16,16 +16,17 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function init(core) {
   const {
     assess: {
+      getSourceContext,
       dataflow: { sources }
     },
     depHooks,
     patcher,
-    scopes
   } = core;
   core.assess.dataflow.sources.expressInstrumentation.parsedUrl = {
@@ -48,7 +49,7 @@ module.exports = function init(core) {
                     name: 'express.middleware.init.expressInit.next',
                     patchType,
                     pre(data) {
-                      const sourceContext = scopes.sources.getStore()?.assess;
+                      const sourceContext = getSourceContext(SOURCE);
                       if (!sourceContext) return;
                       const sourceInfo = {

package/lib/dataflow/sources/install/fastify/fastify.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function (core) {
@@ -23,7 +24,10 @@ module.exports = function (core) {
     logger,
     depHooks,
     patcher,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   const source = sources.fastifyInstrumentation.fastify = {
@@ -38,12 +42,9 @@ module.exports = function (core) {
               : typeof request.body == 'object'
                 ? InputType.PARAMETER_VALUE
                 : InputType.BODY;
-            const sourceContext = core.scopes.sources.getStore()?.assess;
+            const sourceContext = getSourceContext(SOURCE);
-            if (!sourceContext) {
-              logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-              return;
-            }
+            if (!sourceContext) return;
             [
               { key: 'query', inputType: InputType.QUERYSTRING, alreadyTrackedFlag: 'parsedQuery' },

package/lib/dataflow/sources/install/fastify/fastify.test.js CHANGED Viewed

@@ -146,10 +146,10 @@ describe('assess dataflow sources fastify', function () {
       });
     });
-    it('does not call `.handle` when not in context', function () {
+    it('does not handle source when there is no assess policy in request context', function () {
       simulateRequestScope(() => {
         fastifyServerMock();
-      }, {});
+      }, { assess: { policy: null } });
       expect(sources.handle).not.to.have.been.called;
     });

package/lib/dataflow/sources/install/formidable1.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 const inputType = InputType.MULTIPART_VALUE;
@@ -25,7 +26,10 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   const name = 'Formidable.IncomingForm.prototype.parse';
@@ -38,12 +42,9 @@ module.exports = (core) => {
         patchType,
         pre(data) {
           const { funcKey } = data;
-          const sourceContext = core.scopes.sources.getStore()?.assess;
+          const sourceContext = getSourceContext(SOURCE);
-          if (!sourceContext) {
-            logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
-            return;
-          }
+          if (!sourceContext) return;
           if (sourceContext.parsedBody) {
             logger.trace({ inputType, funcKey }, 'values already tracked');

package/lib/dataflow/sources/install/formidable1.test.js CHANGED Viewed

@@ -82,10 +82,10 @@ describe('assess dataflow sources formidable v1.x', function () {
     );
   });
-  it('does not call `.handle` when not in context', function () {
+  it('does not call `.handle` when there is no assess policy in request context', function () {
     simulateRequestScope(() => {
       patchedParse(req, cbStub);
-    }, {});
+    }, { assess: { policy: null } });
     expect(sources.handle).not.to.have.been.called;
     expect(cbStub).to.have.been.calledOnce;

package/lib/dataflow/sources/install/hapi/hapi.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function (core) {
@@ -23,7 +24,10 @@ module.exports = function (core) {
     logger,
     depHooks,
     patcher,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   const source = sources.hapiInstrumentation.hapi = {
@@ -36,11 +40,8 @@ module.exports = function (core) {
             post({ result: server, funcKey, hooked, orig }) {
               server.ext('onRequest', (req, h) => {
-                const sourceContext = core.scopes.sources.getStore()?.assess;
-                if (!sourceContext) {
-                  logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                  return;
-                }
+                const sourceContext = getSourceContext(SOURCE);
+                if (!sourceContext) return;
                 [
                   { key: 'query', inputType: InputType.QUERYSTRING, trackedFlag: 'parsedQuery' },
@@ -72,10 +73,7 @@ module.exports = function (core) {
               });
               server.ext('onPostAuth', (req, h) => {
                 const sourceContext = core.scopes.sources.getStore()?.assess;
-                if (!sourceContext) {
-                  logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                  return;
-                }
+                if (!sourceContext) return;
                 [
                   { key: 'state', inputType: InputType.COOKIE_VALUE, trackedFlag: 'parsedCookies' },

package/lib/dataflow/sources/install/hapi/hapi.test.js CHANGED Viewed

@@ -6,7 +6,6 @@ const { InputType } = require('@contrast/common');
 const { initAssessFixture } = require('@contrast/test/fixtures');
 describe('assess dataflow sources hapi', function () {
   const hapi = {
     server(server) {
       return server;

package/lib/dataflow/sources/install/http.js CHANGED Viewed

@@ -14,8 +14,10 @@
  */
 'use strict';
+const { primordials: { StringPrototypeToLowerCase }, InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
-const { StringPrototypeToLowerCase, InputType } = require('@contrast/common');
 /**
  * @param {{
@@ -24,13 +26,15 @@ const { StringPrototypeToLowerCase, InputType } = require('@contrast/common');
  */
 module.exports = function (core) {
   const {
-    assess: { dataflow, makeSourceContext },
+    assess: {
+      getSourceContext,
+      dataflow,
+    },
     instrumentation: { instrument },
     patcher,
-    scopes,
   } = core;
-  const logger = core.logger.child('contrast:assess');
+  const logger = core.logger.child({ name: 'contrast:assess' });
   /**
    * The around hook for `emit` that
@@ -43,16 +47,12 @@ module.exports = function (core) {
     try {
       const [, req, res] = data.args;
-      const store = scopes.sources.getStore();
+      const sourceContext = getSourceContext(SOURCE);
-      if (!store) {
-        // this would indicate that sources did not install correctly
-        throw new Error('async request store not found');
+      if (!sourceContext?.policy) {
+        return next();
       }
-      store.assess = makeSourceContext(req, res);
-      if (!store.assess) return;
       patcher.patch(res, 'writeHead', {
         name: 'write-head',
         patchType,
@@ -66,13 +66,13 @@ module.exports = function (core) {
               const value = obj[i + 1];
               if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                store.assess.responseData.contentType = value;
+                sourceContext.responseData.contentType = value;
               }
             }
           } else if (typeof obj === 'object') {
             for (const [key, value] of Object.entries(obj)) {
               if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                store.assess.responseData.contentType = value;
+                sourceContext.responseData.contentType = value;
               }
             }
           }
@@ -85,8 +85,12 @@ module.exports = function (core) {
           patchType,
           pre(data) {
             const [name = '', value] = data.args;
-            if (StringPrototypeToLowerCase.call(name) === 'content-type' && scopes.sources.getStore()?.assess && value) {
-              store.assess.responseData.contentType = value;
+            if (
+              value &&
+              StringPrototypeToLowerCase.call(name) === 'content-type' &&
+              getSourceContext(SOURCE)
+            ) {
+              sourceContext.responseData.contentType = value;
             }
           }
         });
@@ -99,7 +103,7 @@ module.exports = function (core) {
           constructorOpt: data.hooked,
           prependFrames: [data.orig]
         },
-        sourceContext: store.assess
+        sourceContext,
       };
       // track the headers and the url.

package/lib/dataflow/sources/install/http.test.js CHANGED Viewed

@@ -4,6 +4,7 @@ const EventEmitter = require('events');
 const sinon = require('sinon');
 const { expect } = require('chai');
 const { initAssessFixture } = require('@contrast/test/fixtures');
+const mocks = require('@contrast/test/mocks');
 describe('assess dataflow sources http', function () {
   let core, simulateRequestScope, request, response, server;
@@ -11,21 +12,9 @@ describe('assess dataflow sources http', function () {
   beforeEach(function () {
     ({ core, simulateRequestScope } = initAssessFixture());
-    request = {
-      url: 'http://host:8080/index.html?param=foo',
-      httpVersion: 1,
-      method: 'GET',
-      socket: {
-        remoteAddress: '127.0.0.1'
-      },
-      rawHeaders: ['Content-Type', 'application/json'],
-      headers: {
-        'content-type': 'application/json'
-      }
-    };
-    response = new EventEmitter();
-    response.writeHead = function () { };
-    response.setHeader = function () { };
+    request = mocks.incomingMessage();
+    response = mocks.serverResponse();
     class Server extends EventEmitter { }
     core.depHooks.resolve.withArgs({ name: 'http' }).yields({ Server });
     core.logger.child = () => core.logger;
@@ -36,6 +25,7 @@ describe('assess dataflow sources http', function () {
   it('instantiates assess store with appropriate metadata and handles base sources', function (next) {
     simulateRequestScope(() => {
+      core.scopes.sources.getStore().assess.req
       server.on('request', test);
       server.emit('request', request, response);
     });
@@ -44,17 +34,22 @@ describe('assess dataflow sources http', function () {
       const store = core.scopes.sources.getStore()?.assess;
       // validate store
       expect(store).to.have.property('propagationEventsCount', 0);
-      // 3: url, headers, rawHeaders
-      expect(store).to.have.property('sourceEventsCount', 3);
+      // url(1), headers(3), rawHeaders(3)
+      expect(store).to.have.property('sourceEventsCount', 7);
       expect(store.policy.enabledRules).to.be.a('Set').and.length.greaterThan(5);
+      // should match the mock
       expect(store.reqData).to.deep.equal({
         ip: '127.0.0.1',
-        httpVersion: 1,
-        method: 'GET',
-        headers: { 'content-type': 'application/json' },
-        uriPath: 'http://host:8080/index.html',
-        queries: 'param=foo',
-        contentType: 'application/json'
+        httpVersion: '1.1',
+        method: 'get',
+        headers: {
+          'content-type': 'text/html',
+          language: 'en',
+          referer: 'http://fake.url.foo'
+        },
+        uriPath: '/index',
+        queries: '_id=123',
+        contentType: 'text/html'
       });
       expect(store.responseData).to.deep.equal({});
       // tracked inputs
@@ -101,11 +96,6 @@ describe('assess dataflow sources http', function () {
     function test(req, res) {
       const store = core.scopes.sources.getStore()?.assess;
-      // logging
-      expect(core.logger.error).to.have.been.calledWith(
-        { err: sinon.match.has('message', 'async request store not found'), funcKey: sinon.match.string },
-        'Error during Assess request handling'
-      );
       // validate store
       expect(store).to.be.undefined;
       // tracked inputs
@@ -135,12 +125,16 @@ describe('assess dataflow sources http', function () {
       expect(store.policy.enabledRules).to.be.a('Set').and.length.greaterThan(5);
       expect(store.reqData).to.deep.equal({
         ip: '127.0.0.1',
-        httpVersion: 1,
-        method: 'GET',
-        headers: { 'content-type': 'application/json' },
-        uriPath: 'http://host:8080/index.html',
-        queries: 'param=foo',
-        contentType: 'application/json'
+        httpVersion: '1.1',
+        method: 'get',
+        headers: {
+          'content-type': 'text/html',
+          language: 'en',
+          referer: 'http://fake.url.foo'
+        },
+        uriPath: '/index',
+        queries: '_id=123',
+        contentType: 'text/html'
       });
       expect(store.responseData).to.deep.equal({});
       // tracked inputs

package/lib/dataflow/sources/install/koa/koa-bodyparsers.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = (core) => {
@@ -23,7 +24,10 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   // Patch `koa-body` v4.x.x and `koa-bodyparser` v5.x.x packages
@@ -38,20 +42,16 @@ module.exports = (core) => {
             patchType,
             pre(data) {
               const { funcKey } = data;
-              const sourceContext = core.scopes.sources.getStore()?.assess;
               const [ctx, origNext] = data.args;
+              const sourceContext = getSourceContext(SOURCE);
-              if (!sourceContext) {
-                logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                return;
-              }
+              if (!sourceContext) return;
               if (sourceContext.parsedBody) {
                 logger.trace({ funcKey }, 'values already tracked');
                 return;
               }
               data.args[1] = async function contrastNext(origErr) {
                 const inputType = sourceContext.reqData.headers?.['content-type']?.includes('/json')
                   ? InputType.JSON_VALUE

package/lib/dataflow/sources/install/koa/koa-bodyparsers.test.js CHANGED Viewed

@@ -112,11 +112,11 @@ describe('assess dataflow sources koa-body v5.x.x and koa-bodyparser v4.x.x', fu
     });
   });
-  it('does not call `.handle` when not in context', function () {
+  it('does not call `.handle` when there is no assess policy in request context', function () {
     simulateRequestScope(() => {
       const cParser = patchedKoaBodyparser(body);
       cParser({ request: {} }, nextStub);
-    }, {});
+    }, { assess: { policy: null } });
     expect(sources.handle).not.to.have.been.called;
     expect(nextStub).to.have.been.calledOnce;
@@ -124,8 +124,7 @@ describe('assess dataflow sources koa-body v5.x.x and koa-bodyparser v4.x.x', fu
   it('does not call `.handle` when the values are already tracked', function () {
     simulateRequestScope(() => {
-      const sourceContext = core.scopes.sources.getStore()?.assess;
-      sourceContext.parsedBody = true;
+      core.scopes.sources.getStore().assess.parsedBody = true;
       const cParser = patchedKoaBodyparser(body);
       cParser({ request: {} }, nextStub);

package/lib/dataflow/sources/install/koa/koa-multer.js CHANGED Viewed

@@ -14,20 +14,24 @@
  */
 'use strict';
-const { patchType } = require('../../common');
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
+const { patchType } = require('../../common');
 module.exports = (core) => {
   const {
     depHooks,
     logger,
     patcher,
-    scopes,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   function handler(req, constructorOpt) {
-    const sourceContext = scopes.sources.getStore()?.assess;
+    const sourceContext = getSourceContext(SOURCE);
     if (!sourceContext) return;
     function handle(context, data, key) {

package/lib/dataflow/sources/install/koa/koa-routers.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = (core) => {
@@ -23,7 +24,10 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   // Patch `koa-router` and `@koa/router` to handle parsed params
@@ -36,13 +40,10 @@ module.exports = (core) => {
             name: `[${router}].layer.prototype`,
             patchType,
             post({ orig, hooked, result, name, funcKey }) {
-              const sourceContext = core.scopes.sources.getStore()?.assess;
+              const sourceContext = getSourceContext(SOURCE);
               const inputType = InputType.URL_PARAMETER;
-              if (!sourceContext) {
-                logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
-                return;
-              }
+              if (!sourceContext) return;
               if (sourceContext.parsedParams) {
                 logger.trace({ inputType, funcKey }, 'values already tracked');

package/lib/dataflow/sources/install/koa/koa-routers.test.js CHANGED Viewed

@@ -97,12 +97,12 @@ describe('assess dataflow sources koa-router and @koa/router', function () {
         });
       });
-      it(`[${router}] does not call \`.handle\` when there is no context`, function () {
+      it(`[${router}] does not call \`.handle\` when there is no assess policy in request context`, function () {
         const paramsFn = getParamsFn(router);
         simulateRequestScope(() => {
           paramsFn(params);
-        }, {});
+        }, { assess: { policy: null } });
         expect(sources.handle).not.to.have.been.called;
       });

package/lib/dataflow/sources/install/koa/koa2.js CHANGED Viewed

@@ -16,6 +16,8 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 const inputType = InputType.QUERYSTRING;
@@ -30,7 +32,10 @@ module.exports = (core) => {
     logger,
     depHooks,
     patcher,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   /**
@@ -40,10 +45,9 @@ module.exports = (core) => {
     depHooks.resolve({ name: 'koa', version: '>=2.3.0' }, (Koa) => {
       const createMiddleware = ({ name, funcKey }) => {
         const contrastStartMiddleware = function contrastStartMiddleware(ctx, next) {
-          const sourceContext = core.scopes.sources.getStore()?.assess;
+          const sourceContext = getSourceContext(SOURCE);
           if (!sourceContext) {
-            logger.error({ inputType, funcKey }, 'unable to handle Koa source. Missing `sourceContext`');
             return next();
           }

package/lib/dataflow/sources/install/koa/koa2.test.js CHANGED Viewed

@@ -113,7 +113,7 @@ describe('assess dataflow  koa v2.x', function () {
       simulateRequestScope(() => {
         contrastStartMiddleware({ query }, nextStub);
-      }, {});
+      }, { assess: { policy: null } });
       expect(nextStub).to.have.been.calledOnce;
       expect(sources.handle).not.to.have.been.called;