@contrast/assess 1.46.0 → 1.46.2

package/lib/event-factory.test.js

@@ -1,326 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { InputType } = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-
-const os = require('os');
-
-const testMethod = os.platform() === 'win32' ? describe.skip : describe;
-
-testMethod('assess event-factory', function () {
-  let core, createSourceEvent, createPropagationEvent, createSinkEvent;
-
-  beforeEach(function () {
-    ({ core } = initAssessFixture());
-    ({
-      createSourceEvent,
-      createPropagationEvent,
-      createSinkEvent
-    } = require('./event-factory')(core));
-  });
-
-  describe('createSourceEvent', function () {
-    [
-      {
-        data: {},
-        invalidProp: 'result',
-      },
-      {
-        data: { result: { tracked: true, value: 'foo' } },
-        invalidProp: 'name',
-      },
-      {
-        data: {
-          name: 'frogs',
-          result: { tracked: true, value: 'foo' },
-          inputType: 'bad-value',
-        },
-        invalidProp: 'inputType',
-      },
-      {
-        data: {
-          name: 'frogs',
-          result: { tracked: true, value: 'foo' },
-          inputType: InputType.QUERYSTRING,
-        },
-        invalidProp: 'tags',
-        message: 'event has no tags'
-      }
-    ].forEach(({
-      data,
-      invalidProp,
-      message = `invalid ${invalidProp}`,
-    }) => {
-      it(`will not create event when props are invalid: ${message}`, function () {
-        const event = createSourceEvent(data);
-        expect(event).to.equal(null);
-        expect(core.logger.debug).to.have.been.calledWith(
-          sinon.match.object,
-          'Source event not created: %s',
-          message
-        );
-      });
-    });
-
-    [
-      {
-        data: {
-          name: 'COOKIE_VALUE.frogs',
-          result: { tracked: true, value: 'foo' },
-          inputType: InputType.COOKIE_VALUE,
-          tags: {
-            untrusted: [0, 4],
-            cookie: [0, 4],
-          },
-          stack: [],
-        },
-      }
-    ].forEach(({ data, expected }) => {
-      it('returns the event data when validated', function () {
-        const event = createSourceEvent(data);
-        expect(event).to.equal(data);
-        expect(core.logger.debug).not.to.have.been.called;
-      });
-    });
-  });
-
-  describe('createPropagationEvent', function () {
-    const validData = {
-      name: 'String.prototype.concat',
-      history: [{ mock: 'SourceEvent' }],
-      object: {
-        value: 'test',
-        tracked: true
-      },
-      args: [{ value: '-another-test', tracked: false }],
-      result: {
-        value: 'test-another-test',
-        tracked: true
-      },
-      source: 'O',
-      target: 'R',
-      tags: { untrusted: [0, 3] }
-    };
-    const validStore = {
-      assess: {
-        propagationEventsCount: 0
-      }
-    };
-    const validResult = {
-      name: 'String.prototype.concat',
-      history: [{ mock: 'SourceEvent' }],
-      object: {
-        value: 'test',
-        tracked: true
-      },
-      args: [{ value: '-another-test', tracked: false }],
-      result: {
-        value: 'test-another-test',
-        tracked: true
-      },
-      tags: { untrusted: [0, 3] },
-      addedTags: [],
-      removedTags: [],
-      source: 'O',
-      target: 'R'
-    };
-
-    it('logs a debug statement for missing source context and returns null when executed in the wrong context', function () {
-      core.scopes.sources.run({}, function () {
-        const result = createPropagationEvent(validData);
-
-        expect(core.logger.debug).to.have.been.calledOnceWith(
-          sinon.match.object,
-          'No sourceContext found during Propagation event creation'
-        );
-        expect(result).to.be.null;
-      });
-    });
-
-    it('logs a debug statement for going above the maximum propagation events limit and returns null when we are above the said limit', function () {
-      core.scopes.sources.run({ assess: { propagationEventsCount: 500 } }, function () {
-        const result = createPropagationEvent(validData);
-
-        expect(core.logger.debug).to.have.been.calledOnceWith(
-          sinon.match.object,
-          'Maximum number of Propagation events reached. Event not created'
-        );
-        expect(result).to.be.null;
-      });
-
-    });
-
-    [
-      {
-        data: { ...validData, name: '' },
-        message: 'invalid name',
-      },
-      {
-        data: { ...validData, source: undefined },
-        message: 'invalid source',
-      },
-      {
-        data: { ...validData, history: [] },
-        message: 'invalid history',
-      },
-      {
-        data: { ...validData, source: 'S' },
-        message: 'invalid source',
-      },
-      {
-        data: { ...validData, target: 'T' },
-        message: 'invalid target',
-      },
-    ].forEach(({ data, message }) => {
-      it(`logs a debug statement when insufficient data is passed and returns null: ${message}`, function () {
-        core.scopes.sources.run(validStore, function () {
-          const result = createPropagationEvent(data);
-
-          expect(core.logger.debug).to.have.been.calledOnceWith(
-            sinon.match.object,
-            'Propagation event not created: %s',
-            message,
-          );
-          expect(result).to.be.null;
-        });
-      });
-    });
-
-    it('returns an event with stacktrace generator function when stacktraces option is set to "ALL"', function () {
-      core.config.assess.stacktraces = 'ALL';
-      core.scopes.sources.run(validStore, function () {
-        const result = createPropagationEvent(validData);
-
-        expect(result).to.be.like(validResult);
-        expect(result.time).not.to.be.undefined;
-        expect(result.stack).to.be.an('array');
-      });
-    });
-
-    ['SOME', 'SINK', 'NONE'].forEach((option) => {
-      it(`returns an event without stacktrace generator function when stacktraces option is not set to "ALL" and set to ${option}`, function () {
-        core.config.assess.stacktraces = option;
-        core.scopes.sources.run(validStore, function () {
-          const result = createPropagationEvent(validData);
-
-          expect(result).to.be.like(validResult);
-          expect(result.time).not.to.be.undefined;
-          expect(result.stack).to.deep.equal([]);
-        });
-      });
-    });
-  });
-
-  describe('createSinkEvent', function () {
-    const validData = {
-      name: 'mysql/lib/Connection.query',
-      history: [{ mock: 'SourceEvent' }],
-      object: {
-        value: 'MySQL.Query#0001',
-        tracked: false
-      },
-      args: [{ value: 'malicious-value', tracked: true }],
-      result: {
-        value: null,
-        tracked: false
-      },
-      tags: { untrusted: [0, 14] },
-      source: 'P0'
-    };
-    const validStore = {
-      assess: {
-        propagationEventsCount: 0
-      }
-    };
-    const validResult = {
-      name: 'mysql/lib/Connection.query',
-      history: [{ mock: 'SourceEvent' }],
-      object: {
-        value: 'MySQL.Query#0001',
-        tracked: false
-      },
-      args: [{ value: 'malicious-value', tracked: true }],
-      result: {
-        value: null,
-        tracked: false
-      },
-      tags: { untrusted: [0, 14] },
-      source: 'P0',
-    };
-
-    it('logs a debug statement for missing source context and returns null when executed in the wrong context', function () {
-      core.scopes.sources.run({}, function () {
-        const result = createSinkEvent(validData);
-
-        expect(core.logger.debug).to.have.been.calledOnceWith(
-          sinon.match.object,
-          'no sourceContext found during sink event creation'
-        );
-        expect(result).to.be.null;
-      });
-    });
-
-    [
-      {
-        data: {
-          ...validData,
-          name: '',
-        },
-        message: 'no sink event name'
-      },
-      {
-        data: {
-          ...validData,
-          history: []
-        },
-        message: 'empty history for sink event'
-      },
-      {
-        data: {
-          ...validData,
-          source: 'S'
-        },
-        message: 'malformed or missing sink event source field',
-      },
-    ].forEach(({ data, message }) => {
-      it(`logs a debug statement when insufficient data is passed and returns null: ${message}`, function () {
-        core.scopes.sources.run(validStore, function () {
-          const result = createSinkEvent(data);
-
-          expect(core.logger.debug).to.have.been.calledWith(
-            sinon.match.object,
-            message
-          );
-          expect(result).to.be.null;
-        });
-      });
-    });
-
-    ['ALL', 'SOME', 'SINK'].forEach((option) => {
-      it(`returns an event with stacktrace generator function when stacktraces option is not set to "NONE" and set to ${option}`, function () {
-        core.config.assess.stacktraces = option;
-        core.scopes.sources.run(validStore, function () {
-          const result = createSinkEvent(validData);
-
-          expect(result).to.be.like(validResult);
-          expect(result.time).not.to.be.undefined;
-          expect(result.stack).to.be.instanceOf(Array);
-          expect(result.stack.length).to.be.greaterThan(0);
-        });
-      });
-    });
-
-    it('returns an event without stacktrace generator function when stacktraces option is set to "NONE"', function () {
-      core.config.assess.stacktraces = 'NONE';
-      core.scopes.sources.run(validStore, function () {
-        const result = createSinkEvent(validData);
-
-        expect(result).to.be.like(validResult);
-        expect(result.time).not.to.be.undefined;
-        expect(result.stack).to.deep.equal([]);
-      });
-    });
-  });
-});

package/lib/get-policy.test.js

@@ -1,194 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const { Event } = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-
-describe('assess getPolicy', function () {
-  let core, getPolicy;
-
-  beforeEach(function () {
-    ({ core } = initAssessFixture());
-    getPolicy = require('./get-policy')(core);
-  });
-
-  function assertPolicyOK(policy) {
-    expect(policy).to.have.property('enabledRules').and.be.a('Set').not.empty;
-    expect(policy).to.have.property('getInputPolicy').and.be.a('Function');
-  }
-
-  it('inits policy and will adjust according to TS settings updates', function() {
-    let policy = getPolicy();
-
-    expect(policy.enabledRules).to.have.length.greaterThan(1);
-    expect(policy.enabledRules).to.contain('reflected-xss');
-
-    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-      assess: {
-        ['sql-injection']: { enable: true },
-        ['reflected-xss']: { enable: false },
-      }
-    });
-
-    policy = getPolicy();
-
-    expect(policy.enabledRules).to.contain('sql-injection');
-    expect(policy.enabledRules).not.to.contain('reflected-xss');
-  });
-
-  it('url exclusions can disable all rules', function() {
-    const uriPath = '/exclude-all-rules';
-    let policy = getPolicy({ uriPath });
-
-    assertPolicyOK(policy);
-
-    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-      exclusions: {
-        url: [{
-          urls: ['/exclude-all-rules'],
-          matchStrategy: 'ONLY',
-          assessmentRules: [],
-          assess_rules: [],
-          protect_rules: [],
-          modes: ['assess', 'defend'],
-          name: 'UrlExclusionAllRules'
-        }]
-      }
-    });
-
-    policy = getPolicy({ uriPath });
-    expect(policy).to.be.null;
-  });
-
-  it('url exclusions can disable specific rules', function() {
-    const uriPath = '/exclude-some-rules';
-    let policy = getPolicy({ uriPath });
-
-    assertPolicyOK(policy);
-
-    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-      exclusions: {
-        url: [{
-          urls: ['/exclude-some-rules'],
-          matchStrategy: 'ONLY',
-          assessmentRules: [],
-          assess_rules: ['sql-injection'],
-          protect_rules: [],
-          modes: ['assess', 'defend'],
-          name: 'UrlExclusionAllRules'
-        }]
-      }
-    });
-
-    policy = getPolicy({ uriPath });
-    expect(policy.enabledRules).not.to.contain('sql-injection');
-  });
-
-  [
-    {
-      inputType: 'HEADER',
-      exclusionType: 'HEADER',
-    },
-    {
-      inputType: 'QUERYSTRING',
-      exclusionType: 'PARAMETER',
-    },
-    {
-      inputType: 'BODY',
-      exclusionType: 'PARAMETER',
-    },
-    {
-      inputType: 'URL_PARAMETER',
-      exclusionType: 'PARAMETER',
-    },
-    {
-      inputType: 'COOKIE_VALUE',
-      exclusionType: 'COOKIE',
-    },
-  ].forEach(({ inputType, exclusionType }) => {
-    it(`input exclusions can exclude specific rules (input: ${inputType}, exclusion:${exclusionType})`, function() {
-      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-        exclusions: {
-          input: [{
-            type: exclusionType,
-            urls: ['/exclude-some-inputs', '/exclude-some-inputs-.*'],
-            matchStrategy: 'ONLY',
-            assessmentRules: [],
-            assess_rules: ['sql-injection', 'nosql-injection'],
-            protect_rules: [],
-            modes: ['assess', 'defend'],
-            name: 'abc.*'
-          }]
-        }
-      });
-
-      const policy = getPolicy({ uriPath: '/exclude-some-inputs' });
-      let inputPolicy = policy.getInputPolicy(inputType, 'abcdef');
-      expect(inputPolicy).to.have.property('track', true);
-      expect(inputPolicy).to.have.property('excludedRules')
-        .to.be.a('Set')
-        .and.have.lengthOf(2)
-        .and.contain('nosql-injection')
-        .and.contain('sql-injection');
-
-      inputPolicy = policy.getInputPolicy(inputType, 'xyz');
-      expect(inputPolicy).to.have.property('track', true);
-      expect(inputPolicy).to.have.property('excludedRules')
-        .to.be.a('Set')
-        .and.have.lengthOf(0);
-    });
-  });
-
-  [
-    {
-      inputType: 'HEADER',
-      exclusionType: 'HEADER',
-    },
-    {
-      inputType: 'QUERYSTRING',
-      exclusionType: 'PARAMETER',
-    },
-    {
-      inputType: 'BODY',
-      exclusionType: 'PARAMETER',
-    },
-    {
-      inputType: 'URL_PARAMETER',
-      exclusionType: 'PARAMETER',
-    },
-    {
-      inputType: 'COOKIE_VALUE',
-      exclusionType: 'COOKIE',
-    },
-  ].forEach(({ inputType, exclusionType }) => {
-    it(`input exclusions can exclude specific rules (input: ${inputType}, exclusion:${exclusionType})`, function() {
-      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-        exclusions: {
-          input: [{
-            type: exclusionType,
-            urls: ['/exclude-some-inputs', '/exclude-some-inputs-.*'],
-            matchStrategy: 'ONLY',
-            assessmentRules: [],
-            assess_rules: [],
-            protect_rules: [],
-            modes: ['assess', 'defend'],
-            name: 'abc.*'
-          }]
-        }
-      });
-
-      const policy = getPolicy({ uriPath: '/exclude-some-inputs' });
-      let inputPolicy;
-
-      inputPolicy = policy.getInputPolicy(inputType, 'abcdef');
-      expect(inputPolicy).to.have.property('track', false);
-      expect(inputPolicy).not.to.have.property('excludedRules');
-
-      inputPolicy = policy.getInputPolicy(inputType, 'xyz');
-      expect(inputPolicy).to.have.property('track', true);
-      expect(inputPolicy).to.have.property('excludedRules')
-        .to.be.a('Set')
-        .and.have.lengthOf(0);
-    });
-  });
-});

package/lib/get-source-context.test.js

@@ -1,161 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const { Event } = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const sinon = require('sinon');
-
-function execStoreAssertions(assessStore) {
-  expect(assessStore).to.be.an('object').and.deep.include({
-    reqData: {
-      ip: '127.0.0.1',
-      httpVersion: '1.1',
-      method: 'get',
-      headers: {
-        'content-type': 'text/html',
-        language: 'en',
-        referer: 'http://fake.url.foo',
-      },
-      uriPath: '/index',
-      queries: '_id=123',
-      contentType: 'text/html'
-    },
-    responseData: {},
-    sourceEventsCount: 0,
-    propagationEventsCount: 0,
-  });
-  expect(assessStore.policy.enabledRules).to.have.length.greaterThan(5);
-}
-
-describe('assess getSourceContext', function () {
-  let core, simulateRequestScope;
-
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-  });
-
-  describe('getPropagatorContext()', function() {
-    it('returns null when instrumentation is locked', function () {
-      sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
-
-      simulateRequestScope(() => {
-        expect(core.assess.getPropagatorContext()).to.be.null;
-      });
-    });
-
-    it('returns null when not in request scope', function() {
-      expect(core.assess.getPropagatorContext()).to.be.null;
-    });
-
-    it('returns null when assess is disabled by policy', function() {
-      simulateRequestScope(() => {
-        expect(core.assess.getPropagatorContext()).to.be.null;
-        expect(core.logger.trace).to.have.been.calledWith('Assess intentionally disabled for this request');
-      }, { assess: { policy: undefined } });
-    });
-
-    it('returns assess store when max propagation event threshold is not met', function() {
-      simulateRequestScope(() => {
-        execStoreAssertions(core.assess.getPropagatorContext());
-      });
-    });
-
-    it('returns null when max propagation event threshold is exceeded', function() {
-      core.config.setValue('assess.max_propagation_events', 10);
-
-      simulateRequestScope(() => {
-        expect(core.assess.getPropagatorContext()).to.be.null;
-      }, { assess: { propagationEventsCount: 11 } });
-    });
-  });
-
-  describe('getSinkContext()', function() {
-    it('returns null when instrumentation is locked', function () {
-      sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
-
-      simulateRequestScope(() => {
-        expect(core.assess.getSinkContext()).to.be.null;
-      });
-    });
-
-    it('returns null when not in request scope', function() {
-      expect(core.assess.getSinkContext()).to.be.null;
-    });
-
-    it('returns null when assess is disabled by policy', function() {
-      simulateRequestScope(() => {
-        expect(core.assess.getSinkContext()).to.be.null;
-        expect(core.logger.trace).to.have.been.calledWith('Assess intentionally disabled for this request');
-      }, { assess: { policy: undefined } });
-    });
-
-    it('returns assess store when ruleId is not passed', function() {
-      simulateRequestScope(() => {
-        execStoreAssertions(core.assess.getSourceContext());
-      });
-    });
-
-    it('returns assess store when ruleId provided is enabled in the policy', function() {
-      simulateRequestScope(() => {
-        execStoreAssertions(core.assess.getSinkContext('reflected-xss'));
-      });
-    });
-
-    it('returns null when ruleId provided is not enabled in the policy', function() {
-      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-        assess: {
-          ['reflected-xss']: { enable: false },
-        }
-      });
-
-      simulateRequestScope(() => {
-        expect(core.assess.getSinkContext('reflected-xss')).to.be.null;
-      });
-    });
-  });
-
-  describe('getSourceContext()', function() {
-    it('returns null when instrumentation is locked', function () {
-      sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
-
-      simulateRequestScope(() => {
-        expect(core.assess.getSourceContext()).to.be.null;
-      });
-    });
-
-    it('returns null when not in request scope', function() {
-      expect(core.assess.getSourceContext()).to.be.null;
-      expect(core.logger.warn).to.have.been.calledWithMatch(
-        sinon.match.object,
-        'assess running outside of request scope',
-      );
-    });
-
-    it('returns null when assess is disabled by policy', function() {
-      simulateRequestScope(() => {
-        expect(core.assess.getSourceContext()).to.be.null;
-        expect(core.logger.trace).to.have.been.calledWith('Assess intentionally disabled for this request');
-      }, { assess: { policy: undefined } });
-    });
-
-    it('returns assess store when in request scope', function() {
-      simulateRequestScope(() => {
-        execStoreAssertions(core.assess.getSourceContext());
-      });
-    });
-
-    it('returns assess store when max source event threshold is not met', function() {
-      simulateRequestScope(() => {
-        execStoreAssertions(core.assess.getSourceContext());
-      });
-    });
-
-    it('returns null when max source event threshold is exceeded', function() {
-      core.config.setValue('assess.max_context_source_events', 10);
-
-      simulateRequestScope(() => {
-        expect(core.assess.getSourceContext()).to.be.null;
-      }, { assess: { sourceEventsCount: 11 } });
-    });
-  });
-});