npm - @contrast/assess - Versions diffs - 1.35.0 → 1.37.0 - Mend

@contrast/assess 1.35.0 → 1.37.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/lib/dataflow/sinks/install/vm.test.js CHANGED Viewed

@@ -5,7 +5,7 @@ const { expect } = require('chai');
 const {
   DataflowTag: { UNTRUSTED, CUSTOM_VALIDATED },
   Rule: { UNSAFE_CODE_EXECUTION },
-  UtilInspect,
+  primordials: { UtilInspect },
 } = require('@contrast/common');
 const { initAssessFixture } = require('@contrast/test/fixtures');

package/lib/dataflow/sources/handler.js CHANGED Viewed

@@ -19,7 +19,10 @@ const {
   InputType,
   DataflowTag,
   isString,
-  ArrayPrototypeJoin,
+  primordials: {
+    ArrayPrototypeJoin,
+    StringPrototypeToLowerCase
+  }
 } = require('@contrast/common');
 module.exports = function (core) {
@@ -55,7 +58,7 @@ module.exports = function (core) {
       }
     }
-    if (inputType === InputType.HEADER && fieldName.toLowerCase() === 'referer') {
+    if (inputType === InputType.HEADER && StringPrototypeToLowerCase.call(fieldName) === 'referer') {
       tags[DataflowTag.HEADER] = [0, stop];
     }

package/lib/dataflow/sources/install/body-parser1.test.js CHANGED Viewed

@@ -105,7 +105,7 @@ describe('assess dataflow sources body-parser v1', function () {
       });
     });
-    it('does not handle the request when not in context', function () {
+    it('does not handle the request when there is no assess policy in request context', function () {
       const middleware = bodyParser('text');
       simulateRequestScope(() => {
@@ -116,7 +116,7 @@ describe('assess dataflow sources body-parser v1', function () {
           { funcKey: 'assess-dataflow-source:body-parser.bodyParser' },
           'unable to handle source. Missing `sourceContext`'
         );
-      }, {});
+      }, { assess: { policy: null } });
     });
     it('does not handle the request when already tracked', function () {
@@ -205,7 +205,7 @@ describe('assess dataflow sources body-parser v1', function () {
         });
       });
-      it('does not handle the request when not in context', function () {
+      it('does not handle the request when there is  in context', function () {
         simulateRequestScope(() => {
           middleware(req, res, next);
@@ -214,7 +214,7 @@ describe('assess dataflow sources body-parser v1', function () {
             { funcKey: `assess-dataflow-source:body-parser.${method}.${method}Parser` },
             'unable to handle source. Missing `sourceContext`',
           );
-        }, {});
+        }, { assess: { policy: null } });
       });
       it('does not handle the request when already tracked', function () {

package/lib/dataflow/sources/install/busboy.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 const inputType = InputType.MULTIPART_VALUE;
@@ -26,16 +27,20 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: {
+        sources,
+      }
+    },
   } = core;
   function createPreHook(finalEventName) {
     return function (data) {
       const { orig, hooked, funcKey } = data;
-      const sourceContext = core.scopes.sources.getStore()?.assess;
+      const sourceContext = getSourceContext(SOURCE);
       if (!sourceContext) {
-        logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
         return;
       }

package/lib/dataflow/sources/install/busboy.test.js CHANGED Viewed

@@ -110,12 +110,12 @@ describe('assess dataflow sources busboy', function () {
         );
       });
-      it('does not call `.handle` when not in context', function () {
+      it('does not call `.handle` when there is no assess policy in request context', function () {
         simulateRequestScope(() => {
           emitMethodVersions[version]('field', 'field1', 'value1');
           emitMethodVersions[version]('field', 'field2', 'value2');
           emitMethodVersions[version](finalEvent);
-        }, {});
+        }, { assess: { policy: null } });
         expect(sources.handle).not.to.have.been.called;
       });

package/lib/dataflow/sources/install/cookie-parser1.test.js CHANGED Viewed

@@ -67,7 +67,7 @@ describe('assess dataflow sources cookie-parser v1', function () {
     });
   });
-  it('does not handle the request when not in context', function () {
+  it('does not handle when there is no assess policy in request context', function () {
     const middleware = cookieParser();
     simulateRequestScope(() => {
@@ -78,7 +78,7 @@ describe('assess dataflow sources cookie-parser v1', function () {
         { funcKey: 'assess-dataflow-source:cookie-parser.cookieParser' },
         'unable to handle source. Missing `sourceContext`',
       );
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('does not handle the request when cookies already tracked', function () {

package/lib/dataflow/sources/install/express/params.js CHANGED Viewed

@@ -16,10 +16,16 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function init(core) {
-  const { depHooks, patcher, logger } = core;
+  const {
+    logger,
+    patcher,
+    depHooks,
+    assess: { getSourceContext },
+  } = core;
   core.assess.dataflow.sources.expressInstrumentation.params = {
     install() {
@@ -31,20 +37,17 @@ module.exports = function init(core) {
             name,
             patchType,
             post({ obj: layer, result, orig, hooked, funcKey }) {
               // we can exit early if
               //  the layer doesn't match the request or
               //  the layer doesn't recognize any parameters
-              if (!result || !layer.keys || layer.keys.length === 0) {
-                return;
-              }
+              if (
+                !result ||
+                !layer.keys ||
+                layer.keys.length === 0
+              ) return;
-              const sourceContext = core.scopes.sources.getStore()?.assess;
-              if (!sourceContext) {
-                logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                return;
-              }
+              const sourceContext = getSourceContext(SOURCE)
+              if (!sourceContext) return;
               if (sourceContext.parsedParams) {
                 logger.trace({ funcKey }, 'values already tracked');

package/lib/dataflow/sources/install/express/params.test.js CHANGED Viewed

@@ -65,20 +65,18 @@ describe('assess dataflow sources express params', function () {
     });
   });
-  it('does not call `.handle` when not in context', function () {
+  it('does not handle when there is no assess policy in request context', function () {
     simulateRequestScope(() => {
       Reflect.apply(Layer.prototype.match, layer, ['/bar']);
       expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
-      expect(core.logger.error).to.have.been.calledWith(
-        { funcKey: 'assess-dataflow-source:Layer.prototype.match' },
-        'unable to handle source. Missing `sourceContext`'
-      );
-    }, {});
+    }, { assess: { policy: null } });
   });
   it('does not call `.handle` when the values are already tracked', function () {
     simulateRequestScope(() => {
+      core.scopes.sources.getStore().assess.parsedParams = true;
       Reflect.apply(Layer.prototype.match, layer, ['/bar']);
       expect(core.assess.dataflow.sources.handle).not.to.have.been.called;
@@ -86,7 +84,7 @@ describe('assess dataflow sources express params', function () {
         { funcKey: 'assess-dataflow-source:Layer.prototype.match' },
         'values already tracked'
       );
-    }, { assess: { parsedParams: true } });
+    });
   });
   it('handles a case with an error in the `.handle` method', function () {

package/lib/dataflow/sources/install/express/parsedUrl.js CHANGED Viewed

@@ -16,16 +16,17 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function init(core) {
   const {
     assess: {
+      getSourceContext,
       dataflow: { sources }
     },
     depHooks,
     patcher,
-    scopes
   } = core;
   core.assess.dataflow.sources.expressInstrumentation.parsedUrl = {
@@ -48,7 +49,7 @@ module.exports = function init(core) {
                     name: 'express.middleware.init.expressInit.next',
                     patchType,
                     pre(data) {
-                      const sourceContext = scopes.sources.getStore()?.assess;
+                      const sourceContext = getSourceContext(SOURCE);
                       if (!sourceContext) return;
                       const sourceInfo = {

package/lib/dataflow/sources/install/fastify/fastify.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function (core) {
@@ -23,7 +24,10 @@ module.exports = function (core) {
     logger,
     depHooks,
     patcher,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   const source = sources.fastifyInstrumentation.fastify = {
@@ -38,12 +42,9 @@ module.exports = function (core) {
               : typeof request.body == 'object'
                 ? InputType.PARAMETER_VALUE
                 : InputType.BODY;
-            const sourceContext = core.scopes.sources.getStore()?.assess;
+            const sourceContext = getSourceContext(SOURCE);
-            if (!sourceContext) {
-              logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-              return;
-            }
+            if (!sourceContext) return;
             [
               { key: 'query', inputType: InputType.QUERYSTRING, alreadyTrackedFlag: 'parsedQuery' },

package/lib/dataflow/sources/install/fastify/fastify.test.js CHANGED Viewed

@@ -146,10 +146,10 @@ describe('assess dataflow sources fastify', function () {
       });
     });
-    it('does not call `.handle` when not in context', function () {
+    it('does not handle source when there is no assess policy in request context', function () {
       simulateRequestScope(() => {
         fastifyServerMock();
-      }, {});
+      }, { assess: { policy: null } });
       expect(sources.handle).not.to.have.been.called;
     });

package/lib/dataflow/sources/install/formidable1.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
 const inputType = InputType.MULTIPART_VALUE;
@@ -25,7 +26,10 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   const name = 'Formidable.IncomingForm.prototype.parse';
@@ -38,12 +42,9 @@ module.exports = (core) => {
         patchType,
         pre(data) {
           const { funcKey } = data;
-          const sourceContext = core.scopes.sources.getStore()?.assess;
+          const sourceContext = getSourceContext(SOURCE);
-          if (!sourceContext) {
-            logger.error({ inputType, funcKey }, 'unable to handle source. Missing `sourceContext`');
-            return;
-          }
+          if (!sourceContext) return;
           if (sourceContext.parsedBody) {
             logger.trace({ inputType, funcKey }, 'values already tracked');

package/lib/dataflow/sources/install/formidable1.test.js CHANGED Viewed

@@ -82,10 +82,10 @@ describe('assess dataflow sources formidable v1.x', function () {
     );
   });
-  it('does not call `.handle` when not in context', function () {
+  it('does not call `.handle` when there is no assess policy in request context', function () {
     simulateRequestScope(() => {
       patchedParse(req, cbStub);
-    }, {});
+    }, { assess: { policy: null } });
     expect(sources.handle).not.to.have.been.called;
     expect(cbStub).to.have.been.calledOnce;

package/lib/dataflow/sources/install/hapi/hapi.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = function (core) {
@@ -23,7 +24,10 @@ module.exports = function (core) {
     logger,
     depHooks,
     patcher,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   const source = sources.hapiInstrumentation.hapi = {
@@ -36,11 +40,8 @@ module.exports = function (core) {
             post({ result: server, funcKey, hooked, orig }) {
               server.ext('onRequest', (req, h) => {
-                const sourceContext = core.scopes.sources.getStore()?.assess;
-                if (!sourceContext) {
-                  logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                  return;
-                }
+                const sourceContext = getSourceContext(SOURCE);
+                if (!sourceContext) return;
                 [
                   { key: 'query', inputType: InputType.QUERYSTRING, trackedFlag: 'parsedQuery' },
@@ -72,10 +73,7 @@ module.exports = function (core) {
               });
               server.ext('onPostAuth', (req, h) => {
                 const sourceContext = core.scopes.sources.getStore()?.assess;
-                if (!sourceContext) {
-                  logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                  return;
-                }
+                if (!sourceContext) return;
                 [
                   { key: 'state', inputType: InputType.COOKIE_VALUE, trackedFlag: 'parsedCookies' },

package/lib/dataflow/sources/install/hapi/hapi.test.js CHANGED Viewed

@@ -6,7 +6,6 @@ const { InputType } = require('@contrast/common');
 const { initAssessFixture } = require('@contrast/test/fixtures');
 describe('assess dataflow sources hapi', function () {
   const hapi = {
     server(server) {
       return server;

package/lib/dataflow/sources/install/http.js CHANGED Viewed

@@ -14,8 +14,10 @@
  */
 'use strict';
+const { primordials: { StringPrototypeToLowerCase }, InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../constants');
 const { patchType } = require('../common');
-const { StringPrototypeToLowerCase, InputType } = require('@contrast/common');
 /**
  * @param {{
@@ -24,13 +26,15 @@ const { StringPrototypeToLowerCase, InputType } = require('@contrast/common');
  */
 module.exports = function (core) {
   const {
-    assess: { dataflow, makeSourceContext },
+    assess: {
+      getSourceContext,
+      dataflow,
+    },
     instrumentation: { instrument },
     patcher,
-    scopes,
   } = core;
-  const logger = core.logger.child('contrast:assess');
+  const logger = core.logger.child({ name: 'contrast:assess' });
   /**
    * The around hook for `emit` that
@@ -43,16 +47,12 @@ module.exports = function (core) {
     try {
       const [, req, res] = data.args;
-      const store = scopes.sources.getStore();
+      const sourceContext = getSourceContext(SOURCE);
-      if (!store) {
-        // this would indicate that sources did not install correctly
-        throw new Error('async request store not found');
+      if (!sourceContext?.policy) {
+        return next();
       }
-      store.assess = makeSourceContext(req, res);
-      if (!store.assess) return;
       patcher.patch(res, 'writeHead', {
         name: 'write-head',
         patchType,
@@ -66,13 +66,13 @@ module.exports = function (core) {
               const value = obj[i + 1];
               if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                store.assess.responseData.contentType = value;
+                sourceContext.responseData.contentType = value;
               }
             }
           } else if (typeof obj === 'object') {
             for (const [key, value] of Object.entries(obj)) {
               if (StringPrototypeToLowerCase.call(key) === 'content-type') {
-                store.assess.responseData.contentType = value;
+                sourceContext.responseData.contentType = value;
               }
             }
           }
@@ -85,8 +85,12 @@ module.exports = function (core) {
           patchType,
           pre(data) {
             const [name = '', value] = data.args;
-            if (StringPrototypeToLowerCase.call(name) === 'content-type' && scopes.sources.getStore()?.assess && value) {
-              store.assess.responseData.contentType = value;
+            if (
+              value &&
+              StringPrototypeToLowerCase.call(name) === 'content-type' &&
+              getSourceContext(SOURCE)
+            ) {
+              sourceContext.responseData.contentType = value;
             }
           }
         });
@@ -99,7 +103,7 @@ module.exports = function (core) {
           constructorOpt: data.hooked,
           prependFrames: [data.orig]
         },
-        sourceContext: store.assess
+        sourceContext,
       };
       // track the headers and the url.

package/lib/dataflow/sources/install/http.test.js CHANGED Viewed

@@ -4,6 +4,7 @@ const EventEmitter = require('events');
 const sinon = require('sinon');
 const { expect } = require('chai');
 const { initAssessFixture } = require('@contrast/test/fixtures');
+const mocks = require('@contrast/test/mocks');
 describe('assess dataflow sources http', function () {
   let core, simulateRequestScope, request, response, server;
@@ -11,21 +12,9 @@ describe('assess dataflow sources http', function () {
   beforeEach(function () {
     ({ core, simulateRequestScope } = initAssessFixture());
-    request = {
-      url: 'http://host:8080/index.html?param=foo',
-      httpVersion: 1,
-      method: 'GET',
-      socket: {
-        remoteAddress: '127.0.0.1'
-      },
-      rawHeaders: ['Content-Type', 'application/json'],
-      headers: {
-        'content-type': 'application/json'
-      }
-    };
-    response = new EventEmitter();
-    response.writeHead = function () { };
-    response.setHeader = function () { };
+    request = mocks.incomingMessage();
+    response = mocks.serverResponse();
     class Server extends EventEmitter { }
     core.depHooks.resolve.withArgs({ name: 'http' }).yields({ Server });
     core.logger.child = () => core.logger;
@@ -36,6 +25,7 @@ describe('assess dataflow sources http', function () {
   it('instantiates assess store with appropriate metadata and handles base sources', function (next) {
     simulateRequestScope(() => {
+      core.scopes.sources.getStore().assess.req
       server.on('request', test);
       server.emit('request', request, response);
     });
@@ -44,17 +34,22 @@ describe('assess dataflow sources http', function () {
       const store = core.scopes.sources.getStore()?.assess;
       // validate store
       expect(store).to.have.property('propagationEventsCount', 0);
-      // 3: url, headers, rawHeaders
-      expect(store).to.have.property('sourceEventsCount', 3);
+      // url(1), headers(3), rawHeaders(3)
+      expect(store).to.have.property('sourceEventsCount', 7);
       expect(store.policy.enabledRules).to.be.a('Set').and.length.greaterThan(5);
+      // should match the mock
       expect(store.reqData).to.deep.equal({
         ip: '127.0.0.1',
-        httpVersion: 1,
-        method: 'GET',
-        headers: { 'content-type': 'application/json' },
-        uriPath: 'http://host:8080/index.html',
-        queries: 'param=foo',
-        contentType: 'application/json'
+        httpVersion: '1.1',
+        method: 'get',
+        headers: {
+          'content-type': 'text/html',
+          language: 'en',
+          referer: 'http://fake.url.foo'
+        },
+        uriPath: '/index',
+        queries: '_id=123',
+        contentType: 'text/html'
       });
       expect(store.responseData).to.deep.equal({});
       // tracked inputs
@@ -101,11 +96,6 @@ describe('assess dataflow sources http', function () {
     function test(req, res) {
       const store = core.scopes.sources.getStore()?.assess;
-      // logging
-      expect(core.logger.error).to.have.been.calledWith(
-        { err: sinon.match.has('message', 'async request store not found'), funcKey: sinon.match.string },
-        'Error during Assess request handling'
-      );
       // validate store
       expect(store).to.be.undefined;
       // tracked inputs
@@ -135,12 +125,16 @@ describe('assess dataflow sources http', function () {
       expect(store.policy.enabledRules).to.be.a('Set').and.length.greaterThan(5);
       expect(store.reqData).to.deep.equal({
         ip: '127.0.0.1',
-        httpVersion: 1,
-        method: 'GET',
-        headers: { 'content-type': 'application/json' },
-        uriPath: 'http://host:8080/index.html',
-        queries: 'param=foo',
-        contentType: 'application/json'
+        httpVersion: '1.1',
+        method: 'get',
+        headers: {
+          'content-type': 'text/html',
+          language: 'en',
+          referer: 'http://fake.url.foo'
+        },
+        uriPath: '/index',
+        queries: '_id=123',
+        contentType: 'text/html'
       });
       expect(store.responseData).to.deep.equal({});
       // tracked inputs

package/lib/dataflow/sources/install/koa/koa-bodyparsers.js CHANGED Viewed

@@ -16,6 +16,7 @@
 'use strict';
 const { InputType } = require('@contrast/common');
+const { InstrumentationType: { SOURCE } } = require('../../../../constants');
 const { patchType } = require('../../common');
 module.exports = (core) => {
@@ -23,7 +24,10 @@ module.exports = (core) => {
     depHooks,
     patcher,
     logger,
-    assess: { dataflow: { sources } },
+    assess: {
+      getSourceContext,
+      dataflow: { sources }
+    },
   } = core;
   // Patch `koa-body` v4.x.x and `koa-bodyparser` v5.x.x packages
@@ -38,20 +42,16 @@ module.exports = (core) => {
             patchType,
             pre(data) {
               const { funcKey } = data;
-              const sourceContext = core.scopes.sources.getStore()?.assess;
               const [ctx, origNext] = data.args;
+              const sourceContext = getSourceContext(SOURCE);
-              if (!sourceContext) {
-                logger.error({ funcKey }, 'unable to handle source. Missing `sourceContext`');
-                return;
-              }
+              if (!sourceContext) return;
               if (sourceContext.parsedBody) {
                 logger.trace({ funcKey }, 'values already tracked');
                 return;
               }
               data.args[1] = async function contrastNext(origErr) {
                 const inputType = sourceContext.reqData.headers?.['content-type']?.includes('/json')
                   ? InputType.JSON_VALUE

package/lib/dataflow/sources/install/koa/koa-bodyparsers.test.js CHANGED Viewed

@@ -112,11 +112,11 @@ describe('assess dataflow sources koa-body v5.x.x and koa-bodyparser v4.x.x', fu
     });
   });
-  it('does not call `.handle` when not in context', function () {
+  it('does not call `.handle` when there is no assess policy in request context', function () {
     simulateRequestScope(() => {
       const cParser = patchedKoaBodyparser(body);
       cParser({ request: {} }, nextStub);
-    }, {});
+    }, { assess: { policy: null } });
     expect(sources.handle).not.to.have.been.called;
     expect(nextStub).to.have.been.calledOnce;
@@ -124,8 +124,7 @@ describe('assess dataflow sources koa-body v5.x.x and koa-bodyparser v4.x.x', fu
   it('does not call `.handle` when the values are already tracked', function () {
     simulateRequestScope(() => {
-      const sourceContext = core.scopes.sources.getStore()?.assess;
-      sourceContext.parsedBody = true;
+      core.scopes.sources.getStore().assess.parsedBody = true;
       const cParser = patchedKoaBodyparser(body);
       cParser({ request: {} }, nextStub);