npm - @contrast/assess - Versions diffs - 1.46.0 → 1.46.2 - Mend

@contrast/assess 1.46.0 → 1.46.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/lib/dataflow/sinks/install/restify.test.js DELETED Viewed

@@ -1,140 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow restify sinks', function () {
-  let core,
-    simulateRequestScope,
-    trackString,
-    reportFindings,
-    getRes,
-    patchMock;
-  function next() {}
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    // this represents mock of what restify does here: https://github.com/restify/node-restify/blob/master/lib/response.js
-    function patch(Orig) {
-      Orig.prototype.redirect = function() {
-        return 'canary';
-      };
-    }
-    function Response() {}
-    getRes = () => {
-      // this mimics running of restify's patch, and our it will trigger out instrumentation
-      patchMock(Response);
-      return new Response();
-    };
-    core.depHooks.resolve.callsFake((desc, cb) => {
-      patchMock = cb(patch);
-    });
-    require('./restify')(core).install();
-  });
-  describe('res.redirect(String, Function)', function() {
-    it('reports when string is tracked', function() {
-      simulateRequestScope(() => {
-        const res = getRes();
-        res.redirect(trackString('/fargs'), next);
-        expect(reportFindings).to.have.been.calledWithMatch({
-          ruleId: 'unvalidated-redirect',
-          sinkEvent: sinon.match({
-            args: [
-              { tracked: true, value: '\'/fargs\'' },
-              { tracked: false, value: 'Function' }
-            ],
-            context: 'res.redirect(\'/fargs\',Function)',
-            tags: { UNTRUSTED: [1, 6] },
-            source: 'P0',
-          }),
-        });
-      });
-    });
-    it('does not report if string arg is untracked or safely tagged', function() {
-      simulateRequestScope(() => {
-        const res = getRes();
-        const str = trackString('/fargs', { tags: { UNTRUSTED: [0, 5], URL_ENCODED: [0, 5] } });
-        res.redirect(str, next);
-        res.redirect('/fargs', next);
-        expect(reportFindings.getCalls()).to.have.lengthOf(0);
-      });
-    });
-  });
-  describe('res.redirect(Number, String, Function)', function() {
-    it('reports when string is tracked', function() {
-      simulateRequestScope(() => {
-        const res = getRes();
-        res.redirect(301, trackString('/fargs'), next);
-        expect(reportFindings).to.have.been.calledWithMatch({
-          ruleId: 'unvalidated-redirect',
-          sinkEvent: sinon.match({
-            args: [
-              { tracked: false, value: 'Number' },
-              { tracked: true, value: '\'/fargs\'' },
-              { tracked: false, value: 'Function' }
-            ],
-            context: 'res.redirect(Number,\'/fargs\',Function)',
-            tags: { UNTRUSTED: [1, 6] },
-            source: 'P1',
-          }),
-        });
-      });
-    });
-    it('does not report if string arg is untracked or safely tagged', function() {
-      simulateRequestScope(() => {
-        const res = getRes();
-        const str = trackString('/fargs', { tags: { UNTRUSTED: [0, 5], URL_ENCODED: [0, 5] } });
-        res.redirect(301, str, next);
-        res.redirect('/fargs', next);
-        expect(reportFindings.getCalls()).to.have.lengthOf(0);
-      });
-    });
-  });
-  describe('res.redirect(Object, Function)', function() {
-    it('reports when string options are tracked', function() {
-      simulateRequestScope(() => {
-        const res = getRes();
-        res.redirect({ pathname: trackString('/fargs') }, next);
-        expect(reportFindings).to.have.been.calledWithMatch({
-          ruleId: 'unvalidated-redirect',
-          sinkEvent: sinon.match({
-            args: [
-              { tracked: true, value: '{...\'pathname\':\'/fargs\'...}' },
-              { tracked: false, value: 'Function' }
-            ],
-            context: 'res.redirect({...\'pathname\':\'/fargs\'...},Function)',
-            tags: { UNTRUSTED: [16, 21] },
-            source: 'P0',
-          }),
-        });
-      });
-    });
-    it('does not report if string arg is untracked or safely tagged', function() {
-      simulateRequestScope(() => {
-        const res = getRes();
-        const str = trackString('/fargs', { tags: { UNTRUSTED: [0, 5], URL_ENCODED: [0, 5] } });
-        res.redirect({ pathname: str }, next);
-        res.redirect({ pathname: '/fargs' }, next);
-        expect(reportFindings.getCalls()).to.have.lengthOf(0);
-      });
-    });
-  });
-});

package/lib/dataflow/sinks/install/sequelize.test.js DELETED Viewed

@@ -1,100 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { inspect } = require('util');
-const {
-  DataflowTag: { SQL_ENCODED, UNTRUSTED },
-} = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow sinks sequelize', function () {
-  let core, simulateRequestScope, trackString, tracker, reportFindings;
-  class Sequelize {
-    query() { }
-  }
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    core.depHooks.resolve.yields(Sequelize);
-    require('./sequelize')(core).install();
-  });
-  it('skips instrumentation if assess store is missing', function () {
-    Sequelize.prototype.query();
-    expect(reportFindings).to.not.have.been.called;
-  });
-  it('skips instrumentation if a query is not provided ', function () {
-    simulateRequestScope(function () {
-      Sequelize.prototype.query();
-      expect(reportFindings).to.not.have.been.called;
-    });
-  });
-  it('skips instrumentation if the query is not a string', function () {
-    simulateRequestScope(function () {
-      Sequelize.prototype.query({});
-      expect(reportFindings).to.not.have.been.called;
-    });
-  });
-  it('skips instrumentation if the query is not a tracked', function () {
-    simulateRequestScope(function () {
-      Sequelize.prototype.query('hello');
-      expect(reportFindings).to.not.have.been.called;
-    });
-  });
-  it('skips instrumentation if the query is safe', function () {
-    simulateRequestScope(function () {
-      const str = trackString('drop table', {
-        tags: {
-          [SQL_ENCODED]: [0, 9],
-          [UNTRUSTED]: [0, 9],
-        },
-      });
-      const { extern } = tracker.getData(str);
-      Sequelize.prototype.query(extern);
-      expect(reportFindings).to.not.have.been.called;
-    });
-  });
-  it('reports an sql-injection', function () {
-    simulateRequestScope(function () {
-      const str = trackString('drop table', {
-        tags: {
-          [SQL_ENCODED]: [0, 4],
-          [UNTRUSTED]: [0, 9],
-        },
-      });
-      const { value } = tracker.getData(str);
-      const options = { dialect: 'mysql' };
-      Sequelize.prototype.query(str, options);
-      expect(reportFindings).to.have.been.calledWithMatch({
-        ruleId: 'sql-injection',
-        sinkEvent: {
-          name: 'sequelize.prototype.query',
-          moduleName: 'sequelize',
-          methodName: 'prototype.query',
-          context: `sequelize.prototype.query('${value}', { dialect: 'mysql' })`,
-          object: {
-            value: sinon.match('sequelize'),
-            tracked: false,
-          },
-          args: [{ value, tracked: true }, { value: inspect(options), tracked: false }],
-          tags: { [SQL_ENCODED]: [0, 4], [UNTRUSTED]: [0, 9] },
-          source: 'P0',
-        },
-      });
-    });
-  });
-});

package/lib/dataflow/sinks/install/sqlite3.test.js DELETED Viewed

@@ -1,118 +0,0 @@
-'use strict';
-const sinon = require('sinon');
-const { expect } = require('chai');
-const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED },
-} = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow sinks sqlite3', function () {
-  let core, sqlite3, simulateRequestScope, trackString, tracker, reportFindings;
-  beforeEach(function () {
-    sqlite3 = {
-      // eslint-disable-next-line object-shorthand
-      Database: function () { }
-    };
-    sqlite3.Database.prototype = {
-      all: sinon.stub(),
-      run: sinon.stub(),
-      get: sinon.stub(),
-      each: sinon.stub(),
-      exec: sinon.stub(),
-      prepare: sinon.stub()
-    };
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    core.depHooks.resolve.yields(sqlite3);
-    require('./sqlite3')(core).install();
-  });
-  ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
-    describe(`instruments connection.${method}()`, function () {
-      it('skips instrumentation if assess store is missing', function () {
-        const db = new sqlite3.Database();
-        db[method]('SELECT "foo"');
-        expect(reportFindings).not.to.have.been.called;
-      });
-      it('skips instrumentation if a value is not provided ', function () {
-        simulateRequestScope(function () {
-          const db = new sqlite3.Database();
-          db[method]();
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-      it('skips instrumentation if the value is not a string', function () {
-        simulateRequestScope(function () {
-          const db = new sqlite3.Database();
-          db[method]({});
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-      it('skips instrumentation if the query is not a tracked', function () {
-        simulateRequestScope(function () {
-          const db = new sqlite3.Database();
-          db[method]('SELECT "foo"');
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-      it('skips instrumentation if the query is safe', function () {
-        simulateRequestScope(function () {
-          const str = trackString('SELECT "foo"', {
-            tags: {
-              [SQL_ENCODED]: [0, 11],
-              [UNTRUSTED]: [0, 11],
-            },
-          });
-          const { extern } = tracker.getData(str);
-          const db = new sqlite3.Database();
-          db[method](extern);
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-      it('reports an sql-injection', function() {
-        simulateRequestScope(function () {
-          const value = 'SELECT "foo"';
-          const extern = trackString(value, {
-            tags: {
-              [UNTRUSTED]: [0, 11],
-            },
-          });
-          const db = new sqlite3.Database();
-          db[method](extern);
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'sql-injection',
-            sinkEvent: {
-              name: `sqlite3.Database.prototype.${method}`,
-              moduleName: 'sqlite3',
-              methodName: `Database.prototype.${method}`,
-              context: `db.${method}('${extern}')`,
-              object: {
-                value: '[Module<sqlite3>].Database',
-                tracked: false,
-              },
-              args: [{ value, tracked: true }],
-              tags: { [UNTRUSTED]: [0, 11] },
-              source: 'P0',
-            },
-          });
-        });
-      });
-    });
-  });
-});

package/lib/dataflow/sinks/install/vm.test.js DELETED Viewed

@@ -1,326 +0,0 @@
-'use strict';
-const sinon = require('sinon');
-const { expect } = require('chai');
-const {
-  DataflowTag: { UNTRUSTED, CUSTOM_VALIDATED },
-  Rule: { UNSAFE_CODE_EXECUTION },
-  primordials: { UtilInspect },
-} = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow sinks vm', function () {
-  let vm, core, simulateRequestScope, trackString, reportFindings, reportSafePositive;
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    vm = require('vm');
-    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
-    core.depHooks.resolve.yields(vm);
-    require('./vm')(core).install();
-  });
-  [
-    {
-      method: 'Script',
-      vulnerableArgs: [{ type: 'string', index: 0 }],
-      args: () => ['val = "test"'],
-      sanitizedArgs: () => [trackString('val = "test"', {
-        tags: {
-          [UNTRUSTED]: [0, 11],
-          [CUSTOM_VALIDATED]: [0, 11]
-        }
-      })],
-      isConstructor: true,
-      expectedSafeReportInfo: [{
-        value: UtilInspect('val = "test"'),
-        strValues: ['val = "test"'],
-        tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
-      }],
-      expectedSinkEvent: [{
-        args: [{ value: 'val = "test"', tracked: true }],
-        context: 'vm.Script("val = "test"")',
-        name: 'vm.Script',
-        moduleName: 'vm',
-        methodName: 'Script',
-        object: { value: 'vm', tracked: false },
-        source: 'P0',
-        tags: { [UNTRUSTED]: [0, 11] }
-      }]
-    },
-    {
-      method: 'createScript',
-      vulnerableArgs: [{ type: 'string', index: 0 }],
-      args: () => ['val = "test"'],
-      sanitizedArgs: () => [trackString('val = "test"', {
-        tags: {
-          [UNTRUSTED]: [0, 11],
-          [CUSTOM_VALIDATED]: [0, 11]
-        }
-      })],
-      expectedSafeReportInfo: [{
-        value: UtilInspect('val = "test"'),
-        strValues: ['val = "test"'],
-        tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
-      }],
-      expectedSinkEvent: [{
-        args: [{ value: 'val = "test"', tracked: true }],
-        context: 'vm.createScript("val = "test"")',
-        name: 'vm.createScript',
-        moduleName: 'vm',
-        methodName: 'createScript',
-        object: { value: 'vm', tracked: false },
-        source: 'P0',
-        tags: { [UNTRUSTED]: [0, 11] }
-      }]
-    },
-    {
-      method: 'runInContext',
-      vulnerableArgs: [{ type: 'string', index: 0 }],
-      args: () => ['val = "test"', vm.createContext({ val: '' })],
-      sanitizedArgs: () => [trackString('val = "test"', {
-        tags: {
-          [UNTRUSTED]: [0, 11],
-          [CUSTOM_VALIDATED]: [0, 11]
-        }
-      }),
-      vm.createContext({ val: '' })],
-      missingArgs: () => ['', vm.createContext({})],
-      expectedSafeReportInfo: [{
-        value: UtilInspect('val = "test"'),
-        strValues: ['val = "test"'],
-        tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
-      }],
-      expectedSinkEvent: [{
-        args: [{ value: 'val = "test"', tracked: true }, { value: UtilInspect({ val: '' }), tracked: false }],
-        context: 'vm.runInContext("val = "test"", { val: \'\' })',
-        name: 'vm.runInContext',
-        moduleName: 'vm',
-        methodName: 'runInContext',
-        object: { value: 'vm', tracked: false },
-        source: 'P0',
-        tags: { [UNTRUSTED]: [0, 11] }
-      }]
-    },
-    {
-      method: 'runInThisContext',
-      vulnerableArgs: [{ type: 'string', index: 0 }],
-      sanitizedArgs: () => [trackString('val = "test"', {
-        tags: {
-          [UNTRUSTED]: [0, 11],
-          [CUSTOM_VALIDATED]: [0, 11]
-        }
-      })],
-      args: () => ['val = "test"'],
-      expectedSafeReportInfo: [{
-        value: UtilInspect('val = "test"'),
-        strValues: ['val = "test"'],
-        tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
-      }],
-      expectedSinkEvent: [{
-        args: [{ value: 'val = "test"', tracked: true }],
-        context: 'vm.runInThisContext("val = "test"")',
-        name: 'vm.runInThisContext',
-        moduleName: 'vm',
-        methodName: 'runInThisContext',
-        object: { value: 'vm', tracked: false },
-        source: 'P0',
-        tags: { [UNTRUSTED]: [0, 11] }
-      }]
-    },
-    {
-      method: 'createContext',
-      vulnerableArgs: [{ type: 'object', index: 0 }],
-      sanitizedArgs: () => [{
-        val: trackString('value', {
-          tags: {
-            [UNTRUSTED]: [0, 4],
-            [CUSTOM_VALIDATED]: [0, 4]
-          }
-        })
-      }],
-      args: () => [{ val: 'value' }],
-      expectedSafeReportInfo: [{
-        value: UtilInspect({ val: 'value' }),
-        strValues: ['value'],
-        tags: [{ [UNTRUSTED]: [8, 12], [CUSTOM_VALIDATED]: [8, 12] }]
-      }],
-      expectedSinkEvent: [{
-        args: [{ value: UtilInspect({ val: 'value' }), tracked: false }],
-        context: 'vm.createContext({ val: \'value\' })',
-        name: 'vm.createContext',
-        moduleName: 'vm',
-        methodName: 'createContext',
-        object: { value: 'vm', tracked: false },
-        source: 'P0',
-        tags: { [UNTRUSTED]: [8, 12] }
-      }]
-    },
-    {
-      method: 'runInNewContext',
-      vulnerableArgs: [{ type: 'string', index: 0 }, { type: 'object', index: 1 }],
-      sanitizedArgs: () => [trackString('val = "test"', {
-        tags: {
-          [UNTRUSTED]: [0, 11],
-          [CUSTOM_VALIDATED]: [0, 11]
-        }
-      }), {
-        val: trackString('SAFE', {
-          tags: {
-            [UNTRUSTED]: [0, 3],
-            [CUSTOM_VALIDATED]: [0, 3]
-          }
-        })
-      }],
-      args: () => ['val = "test"', { val: 'value' }],
-      expectedSafeReportInfo: [
-        {
-          value: UtilInspect('val = "test"'),
-          strValues: ['val = "test"'],
-          tags: [{ [UNTRUSTED]: [0, 11], [CUSTOM_VALIDATED]: [0, 11] }]
-        },
-        {
-          value: UtilInspect({ val: 'SAFE' }),
-          strValues: ['SAFE'],
-          tags: [{ [UNTRUSTED]: [8, 11], [CUSTOM_VALIDATED]: [8, 11] }]
-        }
-      ],
-      expectedSinkEvent: [{
-        args: [{ value: 'val = "test"', tracked: true }, { value: UtilInspect({ val: 'value' }), tracked: false }],
-        context: 'vm.runInNewContext("val = "test"", { val: \'value\' })',
-        name: 'vm.runInNewContext',
-        moduleName: 'vm',
-        methodName: 'runInNewContext',
-        object: { value: 'vm', tracked: false },
-        source: 'P0',
-        tags: { [UNTRUSTED]: [0, 11] }
-      },
-      {
-        args: [{ value: 'val = "test"', tracked: false }, { value: UtilInspect({ val: 'value' }), tracked: false }],
-        context: 'vm.runInNewContext("val = "test"", { val: \'value\' })',
-        name: 'vm.runInNewContext',
-        moduleName: 'vm',
-        methodName: 'runInNewContext',
-        object: { value: 'vm', tracked: false },
-        source: 'P1',
-        tags: { [UNTRUSTED]: [8, 12] }
-      }]
-    },
-    {
-      method: 'runInNewContext',
-      vulnerableArgs: [{ type: 'object', index: 0 }],
-      args: () => [{ val: 'value' }],
-      sanitizedArgs: () => [{
-        val: trackString('SAFE', {
-          tags: {
-            [UNTRUSTED]: [0, 3],
-            [CUSTOM_VALIDATED]: [0, 3]
-          }
-        })
-      }],
-      scriptEntity: true,
-      expectedSafeReportInfo: [
-        {
-          value: UtilInspect({ val: 'SAFE' }),
-          strValues: ['SAFE'],
-          tags: [{ [UNTRUSTED]: [8, 11], [CUSTOM_VALIDATED]: [8, 11] }]
-        }
-      ],
-      expectedSinkEvent: [{
-        args: [{ value: UtilInspect({ val: 'value' }), tracked: false }],
-        context: 'vm.Script.prototype.runInNewContext({ val: \'value\' })',
-        name: 'vm.Script.prototype.runInNewContext',
-        moduleName: 'vm',
-        methodName: 'runInNewContext',
-        object: { value: 'vm.Script.prototype', tracked: false },
-        source: 'P0',
-        tags: { [UNTRUSTED]: [8, 12] }
-      }]
-    }
-  ].forEach(({ method, args, missingArgs = () => [], vulnerableArgs, sanitizedArgs, isConstructor, scriptEntity, expectedSafeReportInfo, expectedSinkEvent }) => {
-    describe(`vm.${method}`, function () {
-      let fn;
-      if (scriptEntity) {
-        fn = () => {
-          const scr = new vm.Script('val = "test"');
-          return scr;
-        };
-      } else {
-        fn = () => vm[method];
-      }
-      function makeAVmMethodCall(args) {
-        const vmMethod = fn();
-        if (isConstructor) {
-          new vmMethod(...args());
-        } else if (scriptEntity) {
-          vmMethod.runInNewContext(...args());
-        } else {
-          vmMethod(...args());
-        }
-      }
-      it('skips instrumentation if assess store is missing', function () {
-        makeAVmMethodCall(args);
-        expect(reportFindings).not.to.have.been.called;
-      });
-      it('skips instrumentation if a value is not provided ', function () {
-        simulateRequestScope(function () {
-          makeAVmMethodCall(missingArgs);
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-      it('skips instrumentation if the argument is not a tracked', function () {
-        simulateRequestScope(function () {
-          makeAVmMethodCall(args);
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-      it('skips instrumentation if the argument is sanitized', function () {
-        simulateRequestScope(function () {
-          makeAVmMethodCall(sanitizedArgs);
-          expect(reportFindings).not.to.have.been.called;
-          expect(reportSafePositive).to.have.been.calledOnce;
-          expect(reportSafePositive).to.have.been.calledWith({
-            name: scriptEntity ? `vm.Script.prototype.${method}` : `vm.${method}`,
-            ruleId: UNSAFE_CODE_EXECUTION,
-            safeTags: [CUSTOM_VALIDATED],
-            strInfo: expectedSafeReportInfo
-          });
-        });
-      });
-      it('reports an unsafe-code-execution', function () {
-        simulateRequestScope(function () {
-          vulnerableArgs.forEach((arg, idx) => {
-            const argsCopy = [...args()];
-            const extern = arg.type === 'string' ? trackString(argsCopy[arg.index]) : trackString(argsCopy[arg.index].val);
-            argsCopy[arg.index] = arg.type === 'string' ? extern : { val: extern };
-            makeAVmMethodCall(() => argsCopy);
-            expect(reportFindings).to.have.been.calledOnce;
-            expect(reportFindings).to.have.been.calledWithMatch({
-              ruleId: UNSAFE_CODE_EXECUTION,
-              sinkEvent: expectedSinkEvent[idx],
-            });
-            reportFindings.resetHistory();
-          });
-        });
-      });
-    });
-  });
-});