@contrast/assess 1.39.0 → 1.41.0

package/lib/{sampler.test.js → sampler/index.test.js}

@@ -6,26 +6,29 @@ const { Event } = require('@contrast/common');
 const mocks = require('@contrast/test/mocks');
 const { devNull } = require('node:os');
 
+const initSampler = require('.');
+const { SamplingStrategies: { AssessTurnedOff, Probabilistic } } = require('./common');
+
 const TRIALS = 1000;
 const ZSCORE = 3.891; // 99.99% confidence
 
 describe('assess sampler', function() {
   it('sampling is disabled by default and assess.sampler is null', function() {
     const core = initMockCore();
-    require('./sampler')(core);
+    initSampler(core);
     expect(core.assess.sampler).to.be.null;
   });
 
-  it('samples at default rate of 0.01', function() {
+  it('samples at default rate of 0.10', function() {
     const core = initMockCore();
     core.config.setValue('assess.enable', true, 'CONTRAST_UI');
     core.config.setValue('assess.probabilistic_sampling.enable', true, 'CONTRAST_UI');
     // initialize after configs are set
-    const sampler = require('./sampler')(core);
+    const sampler = initSampler(core);
 
     // verify configs set in before setup
-    expect(sampler).to.have.property('strategy', 'probabilistic');
-    expect(sampler.opts).to.have.property('base_probability', 0.01);
+    expect(sampler).to.have.property('strategy', Probabilistic);
+    expect(sampler.opts).to.have.property('base_probability', 0.10);
     expect(sampler).to.have.property('getSampleInfo').to.be.a('function');
     // test behavior
     testProbabilisticSampler(sampler);
@@ -36,10 +39,10 @@ describe('assess sampler', function() {
     core.config.setValue('assess.probabilistic_sampling.enable', true, 'CONTRAST_UI');
     core.config.setValue('assess.probabilistic_sampling.base_probability', 0.25, 'CONTRAST_UI');
     // initialize after configs are set
-    const sampler = require('./sampler')(core);
+    const sampler = initSampler(core);
 
     // verify configs
-    expect(sampler).to.have.property('strategy', 'probabilistic');
+    expect(sampler).to.have.property('strategy', Probabilistic);
     expect(sampler.opts).to.have.property('base_probability', 0.25);
     expect(sampler).to.have.property('getSampleInfo').to.be.a('function');
     // test behavior
@@ -51,12 +54,12 @@ describe('assess sampler', function() {
     core.config.setValue('assess.probabilistic_sampling.enable', true, 'CONTRAST_UI');
     core.config.setValue('assess.probabilistic_sampling.base_probability', 0.25, 'CONTRAST_UI');
     // initialize after configs are set
-    require('./sampler')(core);
+    initSampler(core);
     // don't destructure to just { sampler } since the value of assess.sampler changes on update.
     const { assess } = core;
 
     // verify configs
-    expect(assess.sampler).to.have.property('strategy', 'probabilistic');
+    expect(assess.sampler).to.have.property('strategy', Probabilistic);
     expect(assess.sampler.opts).to.have.property('base_probability', 0.25);
     expect(assess.sampler).to.have.property('getSampleInfo').to.be.a('function');
     // test behavior
@@ -81,12 +84,12 @@ describe('assess sampler', function() {
     expect(core.logger.info.getCalls().map(c => c.args)).to.deep.equal([
       // when initialized
       [
-        { strategy: 'probabilistic', opts: { base_probability: 0.25 } },
+        { strategy: Probabilistic, opts: { base_probability: 0.25, route_monitor: { enable: true, ttl_ms: 1800000 } } },
         'updating assess sampler'
       ],
       // update 1
       [
-        { strategy: 'probabilistic', opts: { base_probability: 0.5 } },
+        { strategy: Probabilistic, opts: { base_probability: 0.5, route_monitor: { enable: true, ttl_ms: 1800000 } } },
         'updating assess sampler'
       ]
     ]);
@@ -98,12 +101,12 @@ describe('assess sampler', function() {
     core.config.setValue('assess.probabilistic_sampling.enable', true, 'CONTRAST_UI');
     core.config.setValue('assess.probabilistic_sampling.base_probability', 0.50, 'CONTRAST_UI');
     // initializes after configs are set
-    require('./sampler')(core);
+    initSampler(core);
     // don't destructure to just { sampler } since the value of assess.sampler changes on update.
     const { assess } = core;
 
     // verify configs set in before setup
-    expect(assess.sampler).to.have.property('strategy', 'probabilistic');
+    expect(assess.sampler).to.have.property('strategy', Probabilistic);
     expect(assess.sampler.opts).to.have.property('base_probability', 0.50);
     expect(assess.sampler).to.have.property('getSampleInfo').to.be.a('function');
     // test behavior
@@ -115,7 +118,7 @@ describe('assess sampler', function() {
     });
 
     // verify updated sampling strategy
-    expect(assess.sampler.strategy).to.equal('disabled');
+    expect(assess.sampler.strategy).to.equal(AssessTurnedOff);
     // test behavior
     testDisabledSampler(assess.sampler);
 
@@ -123,12 +126,12 @@ describe('assess sampler', function() {
     expect(core.logger.info.getCalls().map(c => c.args)).to.deep.equal([
       // when initialized
       [
-        { strategy: 'probabilistic', opts: { base_probability: 0.5 } },
+        { strategy: Probabilistic, opts: { base_probability: 0.5, route_monitor: { enable: true, ttl_ms: 1800000 } } },
         'updating assess sampler'
       ],
       // update 1
       [
-        { strategy: 'disabled', opts: undefined },
+        { strategy: AssessTurnedOff, opts: undefined },
         'updating assess sampler'
       ]
     ]);
@@ -142,11 +145,13 @@ describe('assess sampler', function() {
     process.env.CONTRAST_CONFIG_PATH = cfgPath;
 
     core.config.setValue('assess.enable', true, 'CONTRAST_UI');
-    core.config.setValue('assess.probabilistic_sampling.enable', false, 'DEFAULT_VALUE');
+    // core.config.setValue('assess.probabilistic_sampling.enable', true, 'DEFAULT_VALUE');
     core.config.setValue('assess.probabilistic_sampling.base_probability', 0.50, 'CONTRAST_UI');
+
     // initializes after configs are set
-    require('./sampler')(core);
-    // don't destructure to just { sampler } since the value of assess.sampler changes on update.
+    initSampler(core);
+
+    // don't destructure to just { sampler } since the value of assess.sampler changes on update
     const { assess } = core;
 
     // disabled by config
@@ -176,7 +181,7 @@ describe('assess sampler', function() {
     });
 
     // verify updated sampling strategy
-    expect(assess.sampler.strategy).to.equal('disabled');
+    expect(assess.sampler.strategy).to.equal(AssessTurnedOff);
     // test behavior
     testDisabledSampler(assess.sampler);
 
@@ -200,19 +205,19 @@ describe('assess sampler', function() {
     expect(core.logger.info.getCalls().map(c => c.args)).to.deep.equal([
       // update 1: env=PRODUCTION enables sampling
       [
-        { strategy: 'probabilistic', opts: { base_probability: 0.5 } },
+        { strategy: Probabilistic, opts: { base_probability: 0.5, route_monitor: { enable: true, ttl_ms: 1800000 } } },
         'updating assess sampler'
       ],
       // update 2: env = DEVELOPMENT disables sampling
       ['assess sampling disabled'],
       // update 3: assess.enable=false sets disabled sampling strategy
       [
-        { strategy: 'disabled', opts: undefined },
+        { strategy: AssessTurnedOff, opts: undefined },
         'updating assess sampler'
       ],
       // update 5: assess.enable=true and request_frequency=50 re-enables assess and new sampling probability
       [
-        { strategy: 'probabilistic', opts: { base_probability: 0.02 } },
+        { strategy: Probabilistic, opts: { base_probability: 0.02, route_monitor: { enable: true, ttl_ms: 1800000 } } },
         'updating assess sampler'
       ]
     ]);
@@ -236,6 +241,8 @@ function initMockCore() {
     // use actual config so we can get dynamic effective values with TS message
     // updates (mock doesn't). we can also test new effective config mappings.
     require('@contrast/config')(core);
+    require('@contrast/route-coverage')(core);
+
     core.config.setValue('assess.enable', true, 'CONTRAST_UI');
   } catch (err) {
     process.env.CONTRAST_CONFIG_PATH = CONTRAST_CONFIG_PATH;
@@ -274,15 +281,20 @@ function getStats(p) {
 
 function testProbabilisticSampler(sampler) {
   const { opts } = sampler;
+  const store = {
+    assess: {
+      reqData: { uriPath: '/foo' }
+    }
+  };
 
   // run trials and count how many times sampler says okay to analyze
   let observedSampleCount = 0;
   for (let n = 0; n < TRIALS; n++) {
-    const info = sampler.getSampleInfo();
+    const info = sampler.getSampleInfo({ store });
     if (info.canSample) observedSampleCount++;
   }
 
-  const stats = getStats(opts.base_probability, observedSampleCount);
+  const stats = getStats(opts.base_probability);
   const { confidenceInterval: [low, high] } = stats;
 
   // for debugging/visibility

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contrast/assess",
-  "version": "1.39.0",
+  "version": "1.41.0",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
@@ -18,15 +18,16 @@
   },
   "dependencies": {
     "@contrast/common": "1.26.0",
-    "@contrast/config": "1.35.0",
-    "@contrast/core": "1.40.0",
-    "@contrast/dep-hooks": "1.8.0",
+    "@contrast/config": "1.36.0",
+    "@contrast/core": "1.41.1",
+    "@contrast/dep-hooks": "1.10.0",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.18.0",
-    "@contrast/logger": "1.13.0",
-    "@contrast/patcher": "1.12.0",
-    "@contrast/rewriter": "1.16.0",
-    "@contrast/scopes": "1.9.0",
+    "@contrast/instrumentation": "1.20.0",
+    "@contrast/logger": "1.14.0",
+    "@contrast/patcher": "1.13.0",
+    "@contrast/rewriter": "1.17.1",
+    "@contrast/route-coverage": "1.31.0",
+    "@contrast/scopes": "1.11.0",
     "semver": "^7.6.0"
   }
 }

package/lib/dataflow/sinks/install/fs-original.js

@@ -1,170 +0,0 @@
-/*
- * Copyright: 2024 Contrast Security, Inc
- * Contact: support@contrastsecurity.com
- * License: Commercial
-
- * NOTICE: This Software and the patented inventions embodied within may only be
- * used as part of Contrast Security’s commercial offerings. Even though it is
- * made available through public repositories, use of this Software is subject to
- * the applicable End User Licensing Agreement found at
- * https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
- * between Contrast Security and the End User. The Software may not be reverse
- * engineered, modified, repackaged, sold, redistributed or otherwise used in a
- * way not consistent with the End User License Agreement.
- */
-'use strict';
-const { patchType } = require('../common');
-
-const {
-  DataflowTag: {
-    URL_ENCODED,
-    LIMITED_CHARS,
-    ALPHANUM_SPACE_HYPHEN,
-    SAFE_PATH,
-    UNTRUSTED,
-  },
-  FS_METHODS,
-  Rule: { PATH_TRAVERSAL: ruleId },
-  isString,
-  ArrayPrototypeJoin,
-} = require('@contrast/common');
-const { InstrumentationType: { RULE } } = require('../../../constants');
-
-module.exports = function(core) {
-  const {
-    depHooks,
-    patcher,
-    assess: {
-      inspect, // TODO NODE-3455: remove
-      getSourceContext,
-      eventFactory: { createSinkEvent },
-      dataflow: {
-        tracker,
-        sinks: { isVulnerable, reportFindings },
-      },
-    },
-  } = core;
-
-  const safeTags = [
-    `excluded:${ruleId}`,
-    URL_ENCODED,
-    LIMITED_CHARS,
-    ALPHANUM_SPACE_HYPHEN,
-    SAFE_PATH,
-  ];
-
-  function getValues(indices, args) {
-    return indices.reduce((acc, idx) => {
-      const value = args[idx];
-      if (value && isString(value)) acc.push(value);
-      return acc;
-    }, []);
-  }
-
-  const pre = (name, method, moduleName = 'fs', fullMethodName = '') => (data) => {
-    const { name: methodName, indices } = method;
-    if (!getSourceContext(RULE, ruleId)) return;
-
-    const values = getValues(indices, data.args);
-    if (!values.length) return;
-
-    const args = values.map((v) => {
-      const strInfo = tracker.getData(v);
-      return {
-        value: strInfo ? strInfo.value : v,
-        tracked: !!strInfo,
-        strInfo
-      };
-    });
-    for (let i = 0; i < values.length; i++) {
-      const { strInfo } = args[i];
-
-      if (!strInfo || !isVulnerable(UNTRUSTED, safeTags, strInfo.tags)) {
-        continue;
-      }
-
-      const event = createSinkEvent({
-        name,
-        moduleName,
-        methodName: fullMethodName || methodName,
-        context: `${name}(${ArrayPrototypeJoin.call(
-          args.map((a) => inspect(a.value)),
-          ', '
-        )})`,
-        history: [strInfo],
-        object: {
-          value: 'fs',
-          tracked: false,
-        },
-        args: args.map(({ value, tracked }) => ({ value, tracked })),
-        tags: strInfo.tags,
-        source: `P${i}`,
-        stacktraceOpts: {
-          contructorOpt: data.hooked,
-          prependFrames: [data.orig],
-        },
-      });
-
-      if (event) {
-        reportFindings({
-          ruleId,
-          sinkEvent: event,
-        });
-      }
-    }
-  };
-
-  core.assess.dataflow.sinks.pathTraversal = {
-    install() {
-      depHooks.resolve({ name: 'fs' }, (fs) => {
-        for (const method of FS_METHODS) {
-          // not all methods are available on every OS or Node version.
-          if (fs[method.name]) {
-            const name = `fs.${method.name}`;
-            patcher.patch(fs, method.name, {
-              name,
-              patchType,
-              pre: pre(name, method),
-            });
-          }
-
-          if (method.sync) {
-            const syncName = `${method.name}Sync`;
-            if (fs[syncName]) {
-              const name = `fs.${syncName}`;
-              patcher.patch(fs, syncName, {
-                name,
-                patchType,
-                pre: pre(name, method, 'fs', syncName),
-              });
-            }
-          }
-
-          if (method.promises && fs.promises && fs.promises[method.name]) {
-            const name = `fs.promises.${method.name}`;
-            patcher.patch(fs.promises, method.name, {
-              name,
-              patchType,
-              pre: pre(name, method, 'fs.promises'),
-            });
-          }
-        }
-      });
-
-      depHooks.resolve({ name: 'fs/promises' }, (fsPromises) => {
-        for (const method of FS_METHODS) {
-          if (method.promises && fsPromises[method.name]) {
-            const name = `fsPromises.${method.name}`;
-            patcher.patch(fsPromises, method.name, {
-              name,
-              patchType,
-              pre: pre(name, method, 'fsPromises'),
-            });
-          }
-        }
-      });
-    },
-  };
-
-  return core.assess.dataflow.sinks.pathTraversal;
-};