npm - @contrast/assess - Versions diffs - 1.46.0 → 1.46.2 - Mend

@contrast/assess 1.46.0 → 1.46.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/lib/dataflow/tag-utils.test.js DELETED Viewed

@@ -1,192 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const utils = require('./tag-utils');
-describe('assess dataflow tag-utils', function() {
-  describe('createSubsetTags', function() {
-    it('creates subset tags for multiple tags', function() {
-      const ret = utils.createSubsetTags({
-        lowSpan: [0, 3],
-        span: [0, 7],
-        highSpan: [3, 7],
-        below: [0, 1],
-        above: [7, 10],
-      }, 2, 4);
-      expect(ret).to.deep.equal({
-        lowSpan: [0, 1],
-        span: [0, 3],
-        highSpan: [1, 3],
-      });
-    });
-    it('creates subset tags for multiple tag ranges', function() {
-      const ret = utils.createSubsetTags({
-        multiples: [1, 2, 4, 4],
-      }, 2, 10);
-      expect(ret).to.deep.equal({
-        multiples: [0, 0, 2, 2]
-      });
-    });
-    it('will not merge results since input ranges are expected to be merged', function() {
-      const ret = utils.createSubsetTags({
-        // correctly merged these would be [1, 3]
-        multiples: [1, 2, 3, 3],
-      }, 2, 10);
-      expect(ret).to.deep.equal({
-        multiples: [0, 0, 1, 1]
-      });
-    });
-  });
-  describe('createAppendTags', function() {
-    it('creates appended ranges from 2 tags #1', function() {
-      const ret = utils.createAppendTags(
-        { untrusted: [0, 3] },
-        { untrusted: [0, 3] },
-        3
-      );
-      expect(ret).to.deep.equal({
-        untrusted: [0, 6]
-      });
-    });
-    it('creates appended ranges from 2 tags #2', function() {
-      const ret = utils.createAppendTags(
-        { untrusted: [0, 3] },
-        { untrusted: [3, 6] },
-        3
-      );
-      expect(ret).to.deep.equal({
-        untrusted: [0, 3, 6, 9]
-      });
-    });
-  });
-  describe('createFullLengthCopyTags', function() {
-    it('creates tags with the full length of the result', function() {
-      const ret = utils.createFullLengthCopyTags(
-        {
-          untrusted: [0, 10],
-          'sql-encoded': [0, 20],
-          'custom-encoded': [0, 12]
-        },
-        13
-      );
-      expect(ret).to.deep.equal({
-        untrusted: [0, 12],
-        'sql-encoded': [0, 12],
-        'custom-encoded': [0, 12]
-      });
-    });
-    it('returns null in case of bad arguments', function() {
-      expect(utils.createFullLengthCopyTags({}, 1)).to.be.null;
-      expect(utils.createFullLengthCopyTags({ untrusted: [0, 2] }, 0)).to.be.null;
-      expect(utils.createFullLengthCopyTags({ untrusted: [0, 2] }, null)).to.be.null;
-      expect(utils.createFullLengthCopyTags({ untrusted: [0, 2] })).to.be.null;
-    });
-  });
-  describe('createMergedTags', function() {
-    it('creates merged ranges from 2 tags #1', function() {
-      const ret = utils.createMergedTags(
-        { untrusted: [0, 3] },
-        { untrusted: [3, 6] },
-      );
-      expect(ret).to.deep.equal({
-        untrusted: [0, 6]
-      });
-    });
-    it('creates merged ranges from 2 tags #2', function() {
-      const ret = utils.createMergedTags(
-        { untrusted: [0, 3] },
-        { untrusted: [5, 8] },
-      );
-      expect(ret).to.deep.equal({
-        untrusted: [0, 3, 5, 8]
-      });
-    });
-    it('creates merged ranges from 2 tags #3', function() {
-      const ret = utils.createMergedTags(
-        { untrusted: [0, 3, 9, 12, 21, 23] },
-        { untrusted: [5, 8, 14, 18] },
-      );
-      expect(ret).to.deep.equal({
-        untrusted: [0, 3, 5, 12, 14, 18, 21, 23]
-      });
-    });
-    it('returns null when trying to merge empty tag ranges', function() {
-      const ret = utils.createMergedTags(
-        { untrusted: [] },
-        { untrusted: [] },
-      );
-      expect(ret).to.equal(null);
-    });
-  });
-  describe('createOverlappingTags', function() {
-    it('should return overlapping tags', function() {
-      const result = utils.createOverlappingTags({
-        untrusted: [0, 20],
-        tag2: [2, 5],
-        tag3: [4, 9],
-        tag4: [6, 6]
-      }, 1, 5);
-      expect(result).to.eql({
-        untrusted: [[0, 20]],
-        tag2: [[2, 5]],
-        tag3: [[4, 9]],
-      });
-    });
-  });
-  describe('createEscapeTagRanges', function() {
-    it('should return empty object when no overlap exists', function() {
-      const result = utils.createEscapeTagRanges('foo', 'bar', { untrusted: [0, 2] });
-      expect(result).to.be.deep.equal({});
-    });
-    it('should carry over tag ranges when overlap exists', function() {
-      const result = utils.createEscapeTagRanges('<foo>', '&lt;foo&gt;', { untrusted: [1, 3] });
-      expect(result).to.be.deep.equal({ untrusted: [4, 6] });
-    });
-    it('should handle duplicate strings', function() {
-      const result = utils.createEscapeTagRanges('<foo><foo>', '&lt;foo&gt;&lt;foo&gt;', { untrusted: [1, 3, 6, 8] });
-      expect(result).to.be.deep.equal({ untrusted: [4, 6, 15, 17] });
-    });
-  });
-  describe('createTagsWithExclusion', function() {
-    const tests = [
-      { args: [{ untrusted: [0, 0] }, [0, 0]], expected: null },
-      { args: [{ untrusted: [0, 1] }, [0, 0]], expected: { untrusted: [1, 1] } },
-      { args: [{ untrusted: [0, 1] }, [1, 1]], expected: { untrusted: [0, 0] } },
-      { args: [{ untrusted: [0, 1] }, [0, 1]], expected: null },
-      { args: [{ untrusted: [0, 2] }, [0, 0]], expected: { untrusted: [1, 2] } },
-      { args: [{ untrusted: [0, 2] }, [1, 1]], expected: { untrusted: [0, 0, 2, 2] } },
-      { args: [{ untrusted: [0, 2] }, [2, 2]], expected: { untrusted: [0, 1] } },
-    ];
-    for (const test of tests) {
-      const { args, expected } = test;
-      const [tags, exclusion] = args;
-      const tagRange = tags.untrusted;
-      it(`should return ${expected} for ${tagRange} and ${exclusion}`, function() {
-        const result = utils.createTagsWithExclusion(tags, exclusion);
-        expect(result).to.deep.equal(expected);
-      });
-    }
-  });
-});

package/lib/dataflow/tracker.test.js DELETED Viewed

@@ -1,216 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { inspect } = require('util');
-const mocks = require('@contrast/test/mocks');
-const patcher = require('@contrast/patcher');
-const distringuish = require('@contrast/distringuish');
-describe('assess dataflow tracker', function () {
-  let core, tracker;
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher;
-    core.assess = mocks.assess();
-    tracker = require('./tracker')(core);
-  });
-  it('tracks strings', function () {
-    const str = 'foo';
-    const meta = {
-      source: 'query',
-      tags: {
-        userControlled: [0, 0, 2, 2],
-        urlEncoded: [[0, 2]],
-      }
-    };
-    tracker.track(str, meta);
-    const str2 = 'bar';
-    const strInfo = tracker.track(str2, {
-      parents: [meta],
-      tags: {
-        userControlled: [0, 2]
-      },
-    });
-    expect(tracker.getData(strInfo.extern)).to.deep.equal({
-      parents: [{
-        source: 'query',
-        tags: {
-          userControlled: [0, 0, 2, 2],
-          urlEncoded: [[0, 2]],
-        },
-        value: 'foo',
-      }],
-      tags: {
-        userControlled: [0, 2]
-      },
-      value: 'bar',
-    });
-  });
-  it('logs an error when the first argument is falsey', function () {
-    const result = tracker.track(null, { test: 'meta' });
-    expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, value: null }, 'tracker.track called with invalid argument: value is falsy');
-    expect(result).to.deep.equal({ extern: null });
-  });
-  it('logs an error when the second argument is falsey', function () {
-    const result = tracker.track('testString', null);
-    expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, metadata: null }, 'tracker.track called with invalid argument: metadata is falsy');
-    expect(result).to.deep.equal({ extern: null });
-  });
-  it('logs an error when the metadata is not validated through the factory function for it', function () {
-    core.assess.eventFactory.createdEvents.has = sinon.stub().returns(false);
-    const meta = { test: 'meta' };
-    const result = tracker.track('testString', meta);
-    expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, metadata: meta }, 'tracker.track called without validated metadata');
-    expect(result).to.deep.equal({ extern: null });
-  });
-  it('logs an error when the string is already tracked', function () {
-    const str = 'test';
-    const meta = { test: 'meta' };
-    const newMeta = { test: 'new meta' };
-    const trackedStr = tracker.track(str, meta).extern;
-    const result = tracker.track(trackedStr, newMeta);
-    expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, value: str }, 'tracker.track called with a string value that is already tracked');
-    expect(result).to.deep.equal({ extern: null });
-  });
-  [
-    { prop: 'val' },
-    [1, 'two']
-  ].forEach((obj) => {
-    it(`tracks objects ${inspect(obj)}`, function () {
-      const metadata = { foo: 'bar' };
-      tracker.track(obj, metadata);
-      expect(tracker.getData(obj)).to.deep.equal(metadata);
-    });
-  });
-  it('returns null for getData() if the object is not tracked', function () {
-    const obj = new String('foo');
-    const result = tracker.getData(obj);
-    expect(result).to.equal(null);
-  });
-  it('returns the metadata of on object that already have been tracked', function () {
-    const metadata = { foo: 'bar' };
-    const obj = new String('foo');
-    const returnedMetadata = tracker.track(obj, metadata);
-    expect(tracker.track(obj, metadata)).to.equal(returnedMetadata);
-  });
-  it('logs an error when the value is not trackable', function () {
-    const metadata = { foo: 'bar' };
-    const value = 123;
-    const result = tracker.track(value, metadata);
-    expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, value }, 'tracker.track called with a value type that is not trackable');
-    expect(result).to.be.null;
-  });
-  it('untracks strings', function () {
-    const str = 'foo';
-    const meta = {
-      source: 'query',
-      tags: {
-        userControlled: [0, 2],
-        urlEncoded: [[0, 2]],
-      },
-      history: [{ some: 'history' }],
-      resultTracked: true,
-    };
-    const trackedStr = tracker.track(str, meta).extern;
-    tracker.untrack(trackedStr);
-    expect(tracker.getData(trackedStr)).to.be.null;
-  });
-  it('untracks objects', function () {
-    const obj = new String('foo');
-    const meta = {
-      source: 'query',
-      tags: {
-        userControlled: [0, 2],
-        urlEncoded: [[0, 2]],
-      }
-    };
-    tracker.track(obj, meta);
-    tracker.untrack(obj);
-    expect(tracker.getData(obj)).to.be.null;
-  });
-  it('returns null if untrack() argument is not string or object)', function () {
-    expect(tracker.untrack(1)).to.be.null;
-  });
-  describe('error checks with mocked `externalize` method', function () {
-    const originalExternalize = distringuish.externalize;
-    beforeEach(function () {
-      distringuish.externalize = sinon.stub().callsFake((...a) => Number(a[0]));
-    });
-    afterEach(function () {
-      distringuish.externalize = originalExternalize;
-    });
-    it('error for zero-length string', function () {
-      const result = tracker.track('1', {});
-      expect(result).to.deep.equal({ extern: null });
-      expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, value: '1' }, 'tracker.track was unable to externalize because zero-length string was passed');
-    });
-    it('error for non-two-byte-encoded string', function () {
-      const result = tracker.track('2', {});
-      expect(result).to.deep.equal({ extern: null });
-      expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, value: '2' }, 'tracker.track was unable to externalize because non-two-byte encoded string was passed');
-    });
-    it('error for unsucessful conversion', function () {
-      const result = tracker.track('3', {});
-      expect(result).to.deep.equal({ extern: null });
-      expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, value: '3' }, 'tracker.track was unable to externalize because distringuish was unable to convert a MaybeLocal to Local');
-    });
-    it('error for isExternal returning false', function () {
-      const result = tracker.track('4', {});
-      expect(result).to.deep.equal({ extern: null });
-      expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, value: '4' }, 'tracker.track was unable to externalize because distinguish\'s isExternal call returned false');
-    });
-    it('error for unknown', function () {
-      const result = tracker.track('5', {});
-      expect(result).to.deep.equal({ extern: null });
-      expect(core.logger.error).to.have.been.calledOnceWith({ err: sinon.match.any, value: '5' }, 'tracker.track was unable to externalize because unknown error while trying to externalize the string was encountered');
-    });
-  });
-});

package/lib/dataflow/utils/is-safe-content-type.test.js DELETED Viewed

@@ -1,16 +0,0 @@
-'use strict';
-const { isSafeContentType, SAFE_XSS_CONTENT_TYPES } = require('./is-safe-content-type');
-const { expect } = require('chai');
-describe('assess dataflow utils isSafeContentType', function() {
-  SAFE_XSS_CONTENT_TYPES.forEach(type => {
-    it(`should returns true for when content type is ${type}`, function() {
-      expect(isSafeContentType(type)).to.be.true;
-    });
-  });
-  it('should return false when content type is not part of the safe types', function() {
-    expect(isSafeContentType('something')).to.be.false;
-  });
-});

package/lib/dataflow/utils/is-vulnerable.test.js DELETED Viewed

@@ -1,115 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const { isVulnerable } = require('./is-vulnerable');
-describe('assess dataflow utils isVulnerable', function() {
-  [
-    {
-      args: [
-        'untrusted',
-        ['ant'],
-        {
-          untrusted: [5, 10, 100, 102],
-          ant: [4, 104],
-        },
-      ],
-      desc: 'encompasses all',
-      expected: false,
-    },
-    {
-      args: [
-        'untrusted',
-        ['ant', 'cat'],
-        {
-          untrusted: [5, 10, 100, 102],
-          ant: [0, 0],
-          cat: [1, 1, 2, 2, 4, 8],
-        },
-      ],
-      desc: 'no overlaps',
-      expected: true,
-    },
-    {
-      args: [
-        'untrusted',
-        ['ant', 'cat'],
-        {
-          untrusted: [5, 10, 100, 102],
-          ant: [0, 0],
-          cat: [1, 1, 2, 2, 3, 8],
-        },
-      ],
-      desc: 'no overlaps',
-      expected: true,
-    },
-    {
-      args: [
-        'untrusted',
-        ['ant', 'cat'],
-        {
-          untrusted: [5, 10, 100, 102],
-          ant: [0, 0],
-          cat: [1, 5, 3, 8],
-        },
-      ],
-      desc: 'no overlaps',
-      expected: true,
-    },
-    {
-      args: [
-        'untrusted',
-        ['ant'],
-        {
-          untrusted: [5, 10, 100, 102],
-          ant: [4, 5],
-        },
-      ],
-      desc: 'no overlaps',
-      expected: true,
-    },
-    {
-      args: [
-        'untrusted',
-        ['ant', 'cat', 'dog'],
-        {
-          untrusted: [8, 14],
-          ant: [4, 5, 7, 10],
-          cat: [6, 9],
-          dog: [9, 18],
-        },
-      ],
-      desc: 'encompasses all',
-      expected: false,
-    },
-    {
-      args: [
-        'untrusted',
-        ['ant', 'cat', 'dog'],
-        {
-          ant: [4, 5, 7, 10],
-          cat: [6, 9],
-          dog: [9, 18],
-        },
-      ],
-      desc: 'when no target tags found',
-      expected: false,
-    },
-    {
-      args: [
-        'untrusted',
-        ['ant'],
-        {
-          untrusted: [4, 5, 7, 10],
-          ant: [4, 5, 7, 10],
-        },
-      ],
-      desc: 'when there are multiple ranges but they are all covered',
-      expected: false,
-    },
-  ].forEach(({ args, desc, expected }) => {
-    it(`${desc} returns ${expected}`, function() {
-      expect(isVulnerable(...args)).to.equal(expected);
-    });
-  });
-});