@contrast/assess 1.46.0 → 1.46.2

package/lib/response-scanning/handlers/utils.test.js

@@ -1,380 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const {
-  escapeHtml,
-  isHtmlContent,
-  getElements,
-  getAttribute,
-  isParseableResponse,
-  checkCacheControlValue,
-  checkMetaTags,
-  getCspHeaders,
-  checkCspSources
-} = require('./utils');
-
-describe('assess response scanning handlers utils', function() {
-  describe('escapeHtml', function() {
-    it('returns the original string when there are no characters to be escaped', function() {
-      expect(escapeHtml('test')).to.equal('test');
-    });
-
-    it('returns empty string when called with falsy value', function() {
-      expect(escapeHtml()).to.equal('');
-    });
-
-    it('retrurns the string with escaped characters where necessary', function() {
-      expect(escapeHtml('<input type="text">Test&Go<input type=\'text\'>'))
-        .to.equal('&lt;input type=&quot;text&quot;&gt;Test&amp;Go&lt;input type=&#39;text&#39;&gt;');
-    });
-  });
-
-  describe('isHtmlContent', function() {
-    it('returns true if the passed argument is falsy', function() {
-      expect(isHtmlContent()).to.be.true;
-      expect(isHtmlContent('')).to.be.true;
-    });
-
-    it('returns true if the passed headers does not have specified content type', function() {
-      expect(isHtmlContent({ 'content-type': '' })).to.be.true;
-      expect(isHtmlContent({ 'test-header': 'some-value' })).to.be.true;
-    });
-
-    it('returns true if the passed headers have the right content type for html content', function() {
-      expect(isHtmlContent({ 'content-type': 'text/css' })).to.be.true;
-      expect(isHtmlContent({ 'Content-Type': '*/html' })).to.be.true;
-    });
-  });
-
-  describe('getElements', function() {
-    [
-      {
-        tag: 'p',
-        content: undefined,
-        expectedResult: []
-      },
-      {
-        tag: 'p',
-        content: '<div><form><input type="text"></form><div>',
-        expectedResult: []
-      },
-      {
-        tag: 'input',
-        content: '<div><form><input type="text"></form><div>',
-        expectedResult: ['<input type="text">']
-      },
-      {
-        tag: 'label',
-        content: '<form><label for="fname">First Name</label><label for="lname">Last Name</label><form>',
-        expectedResult: ['<label for="fname">', '<label for="lname">']
-      },
-    ].forEach(({ tag, content, expectedResult }) => {
-      it('gets the correct elements', function() {
-        expect(getElements(tag, content)).to.deep.equal(expectedResult);
-      });
-    });
-  });
-
-  describe('getAttribute', function() {
-    it('returns undefined if the attribute is not found', function() {
-      expect(getAttribute('method', '<label for="fname">')).to.be.undefined;
-    });
-
-    it('returns undefined if there is an empty space after the attr assignment', function() {
-      expect(getAttribute('for', '<label for= "fname">')).to.be.undefined;
-    });
-
-    [
-      '<label for="fname">',
-      "<label for='fname'>",
-      '<label for=fname >',
-      '<label for=fname>',
-      '<label for=fname/>',
-    ].forEach((htmlTag) => {
-      it('returns the correct attribute', function() {
-        expect(getAttribute('for', htmlTag)).to.equal('fname');
-      });
-    });
-  });
-
-  describe('isParseableResponse', function() {
-    it('returns true if the passed argument is falsy', function() {
-      expect(isParseableResponse()).to.be.true;
-    });
-
-    [
-      {
-        responseHeaders: {},
-        expectedResult: true
-      },
-      {
-        responseHeaders: {
-          'content-type': 'multipart/form-data'
-        },
-        expectedResult: false
-      },
-      {
-        responseHeaders: {
-          'Content-Type': 'text/css'
-        },
-        expectedResult: true
-      },
-      {
-        responseHeaders: {
-          'Content-Type': '*/html'
-        },
-        expectedResult: true
-      },
-      {
-        responseHeaders: {
-          'Content-Type': 'application/xml'
-        },
-        expectedResult: true
-      },
-      {
-        responseHeaders: {
-          'Content-Type': 'application/soap'
-        },
-        expectedResult: true
-      },
-      {
-        responseHeaders: {
-          'Content-Type': 'application/pdf'
-        },
-        expectedResult: true
-      }
-    ].forEach(({ responseHeaders, expectedResult }) => {
-      it('assess wheter the response is parsable correctly', function() {
-        expect(isParseableResponse(responseHeaders)).to.equal(expectedResult);
-      });
-    });
-  });
-
-  describe('checkCacheControlValue', function() {
-    [
-      {
-        value: 'no-cache; no-store',
-        expectedResult: [true, true]
-      },
-      {
-        value: 'no-cache',
-        expectedResult: [true, false]
-      },
-      {
-        value: 'no-store',
-        expectedResult: [false, true]
-      },
-      {
-        value: 'no-control-value',
-        expectedResult: [false, false]
-      },
-      {
-        value: ['no-cache', 'mock-directive', 'no-store'],
-        expectedResult: [true, true]
-      },
-      {
-        value: ['mock-directive', 'no-store'],
-        expectedResult: [false, true]
-      },
-      {
-        value: ['mock-directive'],
-        expectedResult: [false, false]
-      },
-      {
-        value: ['no-cache', 'mock-directive'],
-        expectedResult: [true, false]
-      },
-    ].forEach(({ value, expectedResult }) => {
-      it('checks the cache control values correctly', function() {
-        expect(checkCacheControlValue(value)).to.deep.equal(expectedResult);
-      });
-    });
-  });
-
-  describe('checkMetaTags', function() {
-    let instructions = [];
-
-    beforeEach(function() {
-      instructions = [];
-    });
-
-    [
-      {
-        body: '<meta http-equiv="cache-control">',
-        cacheControlHeader: '',
-        expectedInstructions: [{ name: 'cache-control', type: 'META tag', value: '<meta http-equiv="cache-control">' }]
-      },
-      {
-        body: '<meta http-equiv="pragma">',
-        cacheControlHeader: '',
-        expectedInstructions: [{ name: 'pragma', type: 'META tag', value: '<meta http-equiv="pragma">' }]
-      },
-      {
-        body: '<meta http-equiv="expires">',
-        cacheControlHeader: '',
-        expectedInstructions: [{ name: 'expires', type: 'META tag', value: '<meta http-equiv="expires">' }]
-      },
-      {
-        body: '<meta http-equiv="cache-control" content="no-cache; no-store">',
-        cacheControlHeader: '',
-        expectedInstructions: []
-      },
-      {
-        body: '<meta http-equiv="cache-control" content="no-store">',
-        cacheControlHeader: 'no-cache',
-        expectedInstructions: []
-      },
-      {
-        body: '<meta http-equiv="cache-control" content="no-cache">',
-        cacheControlHeader: 'no-store',
-        expectedInstructions: []
-      },
-    ].forEach(({ body, cacheControlHeader, expectedInstructions }) => {
-      it('checks the meta tags and adds metadata to instructions if needed', function() {
-        checkMetaTags({ body, cacheControlHeader, instructions });
-
-        expect(instructions).to.deep.equal(expectedInstructions);
-      });
-    });
-  });
-
-  describe('getCspHeaders', function() {
-    [
-      {
-        responseHeaders: {},
-        expectedResult: false
-      },
-      {
-        responseHeaders: {
-          'some-header': 'some-value',
-          'content-security-policy': 'default-src "self"'
-        },
-        expectedResult: 'default-src "self"'
-      },
-      {
-        responseHeaders: {
-          'some-header': 'some-value',
-        },
-        expectedResult: false
-      },
-      {
-        responseHeaders: {
-          'some-header': 'some-value',
-          'x-content-security-policy': 'default-src "self"'
-        },
-        expectedResult: 'default-src "self"'
-      },
-      {
-        responseHeaders: {
-          'some-header': 'some-value',
-          'x-webkit-csp': 'default-src "self"'
-        },
-        expectedResult: 'default-src "self"'
-      },
-    ].forEach(({ responseHeaders, expectedResult }) => {
-      it('returns the CSP header', function() {
-        expect(getCspHeaders(responseHeaders)).to.equal(expectedResult);
-      });
-    });
-  });
-
-  describe('checkCspSources', function() {
-    const defaultValues = {
-      baseUriSecure: false,
-      baseUriValue: '',
-      childSrcSecure: false,
-      childSrcValue: '',
-      connectSrcSecure: false,
-      connectSrcValue: '',
-      defaultSrcSecure: false,
-      defaultSrcValue: '',
-      formActionSecure: false,
-      formActionValue: '',
-      frameAncestorsSecure: false,
-      frameAncestorsValue: '',
-      frameSrcSecure: false,
-      frameSrcValue: '',
-      mediaSrcSecure: false,
-      mediaSrcValue: '',
-      objectSrcSecure: false,
-      objectSrcValue: '',
-      scriptSrcSecure: false,
-      scriptSrcValue: '',
-      styleSrcSecure: false,
-      styleSrcValue: ''
-    };
-
-    [
-      {
-        policy: 'default-src *;',
-        expectedResult: {
-          ...defaultValues,
-          defaultSrcValue: '*',
-          insecure: true
-        }
-      },
-      {
-        policy: 'default-src foobar.com;',
-        expectedResult: {
-          ...defaultValues,
-          childSrcSecure: true,
-          connectSrcSecure: true,
-          defaultSrcSecure: true,
-          defaultSrcValue: 'foobar.com',
-          frameSrcSecure: true,
-          mediaSrcSecure: true,
-          objectSrcSecure: true,
-          scriptSrcSecure: true,
-          styleSrcSecure: true,
-          insecure: true
-        }
-      },
-      {
-        policy: 'media-src *;',
-        expectedResult: {
-          ...defaultValues,
-          mediaSrcValue: '*',
-          insecure: true
-        }
-      },
-      {
-        policy: 'media-src foobar.com',
-        expectedResult: {
-          ...defaultValues,
-          mediaSrcSecure: true,
-          mediaSrcValue: 'foobar.com',
-          insecure: true
-        }
-      },
-      {
-        policy: 'media-src foobar.com *; child-src *;',
-        expectedResult: {
-          ...defaultValues,
-          mediaSrcSecure: false,
-          mediaSrcValue: 'foobar.com *',
-          childSrcValue: '*',
-          insecure: true
-        }
-      },
-      {
-        policy: 'referrer *; reflected-xss 1;',
-        expectedResult: {
-          ...defaultValues,
-          insecure: true
-        }
-      },
-      {
-        policy: 'referrer unsafe-url',
-        expectedResult: {
-          ...defaultValues,
-          insecure: true
-        }
-      },
-    ].forEach(({ policy, expectedResult }) => {
-      it('checks the CSP sources', function() {
-        expect(checkCspSources(policy)).to.deep.equal(expectedResult);
-      });
-    });
-  });
-});
-

package/lib/response-scanning/index.test.js

@@ -1,41 +0,0 @@
-'use strict';
-
-const { Event } = require('@contrast/common');
-const { expect } = require('chai');
-const proxyquire = require('proxyquire');
-const mocks = require('@contrast/test/mocks');
-
-const moduleMock = (moduleName, mock) => (core) => {
-  core.assess.responseScanning[moduleName] = mock[moduleName];
-};
-
-describe('assess response-scanning', function () {
-  let core, responseScanningMock, responseScanningModule, modulesWithInstall, reportFindings;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.scopes = mocks.scopes();
-    core.assess = mocks.assess();
-    responseScanningMock = core.assess.responseScanning;
-    responseScanningModule = proxyquire('.', {
-      './install/http': moduleMock('httpInstrumentation', responseScanningMock),
-    });
-    ({ reportFindings } = responseScanningModule(core));
-    modulesWithInstall = ['httpInstrumentation'];
-  });
-
-  it('installs the components', function () {
-    responseScanningModule(core).install();
-
-    modulesWithInstall.forEach((module) => {
-      expect(responseScanningMock[module].install).to.have.been.calledOnce;
-    });
-  });
-
-  it('reports findings through messages', function () {
-    reportFindings(null, 'some-metadata');
-
-    expect(core.messages.emit).to.have.been.calledOnceWith(Event.ASSESS_RESPONSE_SCANNING_FINDING, 'some-metadata');
-  });
-});
-

package/lib/response-scanning/install/http.test.js

@@ -1,175 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-
-describe('assess response scanning sinks http', function () {
-  const sc = {};
-  const store = { assess: sc };
-  const expectedArgs = [
-    {
-      header1: ['value1', 'value2', 'value3'],
-      header2: 'value1'
-    },
-    'test-body'
-  ];
-
-  const bodyHandlers = [
-    'handleAutoCompleteMissing',
-    'handleCacheControlsMissing',
-    'handleParameterPollution',
-    'handleXxsProtectionHeaderDisabled',
-  ];
-
-  const handlerMethods = [
-    'handleAutoCompleteMissing',
-    'handleCacheControlsMissing',
-    'handleClickJackingControlsMissing',
-    'handleParameterPollution',
-    'handleCspHeader',
-    'handleHstsHeaderMissing',
-    'handleXPoweredByHeader',
-    'handleXContentTypeHeaderMissing',
-    'handleXxsProtectionHeaderDisabled',
-  ];
-
-  let core,
-    responseScanning,
-    http,
-    httpModule,
-    http2Module,
-    ServerResponse,
-    Http2ServerResponse,
-    objInstances,
-    simulateRequestScope;
-
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-
-    responseScanning = core.assess.responseScanning;
-    handlerMethods.forEach((method) => sinon.stub(core.assess.responseScanning, method));
-
-    ServerResponse = function () { };
-    Http2ServerResponse = function () { };
-    httpModule = {
-      ServerResponse,
-    };
-
-    http2Module = {
-      Http2ServerResponse,
-    };
-
-    httpModule.ServerResponse.prototype.end = function () {
-      return {
-        _header: 'header1: value1\r\n' +
-          'header1: value2\r\n' +
-          'header1: value3\r\n' +
-          'header2: value1\r\n\r\n'
-      };
-    };
-    httpModule.ServerResponse.prototype.write = function () {
-      return {
-        _header: 'header1: value1\r\n' +
-          'header1: value2\r\n' +
-          'header1: value3\r\n' +
-          'header2: value1\r\n\r\n'
-      };
-    };
-
-    const headersSymbol = Symbol('headers');
-
-    http2Module.Http2ServerResponse.prototype = {
-      end: () => ({
-        [headersSymbol]: {
-          header1: ['value1', 'value2', 'value3'],
-          header2: 'value1'
-        }
-      }),
-      write: () => { },
-      [headersSymbol]: {
-        header1: ['value1', 'value2', 'value3'],
-        header2: 'value1'
-      }
-    };
-
-    http = require('./http')(core);
-    core.depHooks.resolve
-      .withArgs(sinon.match({ name: 'http' }))
-      .yields(httpModule);
-    core.depHooks.resolve
-      .withArgs(sinon.match({ name: 'http2' }))
-      .yields(http2Module);
-
-    http.install();
-
-    objInstances = {
-      http: httpModule.ServerResponse.prototype,
-      http2: http2Module.Http2ServerResponse.prototype,
-    };
-  });
-
-  ['http', 'http2'].forEach((instanceName) => {
-    describe(instanceName, function () {
-      ['end', 'write'].forEach((method) => {
-        it(`skip instrumentation if assess store is missing - Server.Response.${method}`, function () {
-          objInstances[instanceName][method]('hello world');
-          handlerMethods.forEach((method) => {
-            expect(responseScanning[method]).to.not.have.been.called;
-          });
-        });
-      });
-
-      it('checks only the body related response scanning rules on .write method', function () {
-        simulateRequestScope(function () {
-          objInstances[instanceName].write('test-body');
-          objInstances[instanceName].write();
-          bodyHandlers.forEach((method) => {
-            const handler = responseScanning[method];
-            expect(handler).to.have.callCount(2);
-
-            if (['handleAutoCompleteMissing', 'handleCacheControlsMissing'].includes(method)) {
-              expect(responseScanning[method]).to.have.been.calledWith(sc, ...expectedArgs);
-            } else if (method === 'handleXxsProtectionHeaderDisabled') {
-              expect(responseScanning[method]).to.have.been.calledWith(sc, expectedArgs[0]);
-            } else if (method === 'handleParameterPollution') {
-              expect(responseScanning[method]).to.have.been.calledWith(sc, expectedArgs[1]);
-            }
-          });
-          handlerMethods.forEach((method) => {
-            if (!bodyHandlers.includes(method)) {
-              expect(responseScanning[method]).to.not.have.been.called;
-            }
-          });
-        }, store);
-      });
-
-      it('checks all response scanning rules on .end method', function () {
-        simulateRequestScope(function () {
-          objInstances[instanceName].end('test-body');
-          objInstances[instanceName].end();
-          handlerMethods.forEach((method) => {
-            expect(responseScanning[method]).to.have.callCount(2);
-            if ([
-              'handleAutoCompleteMissing',
-              'handleCacheControlsMissing',
-              'handleClickJackingControlsMissing',
-            ].includes(method)) {
-              expect(responseScanning[method]).to.have.been.calledWith(sc, ...expectedArgs);
-            } else if ([
-              'handleCspHeader',
-              'handleHstsHeaderMissing',
-              'handleXPoweredByHeader',
-              'handleXContentTypeHeaderMissing',
-              'handleXxsProtectionHeaderDisabled',
-            ].includes(method)) {
-              expect(responseScanning[method]).to.have.been.calledWith(sc, expectedArgs[0]);
-            } else if (method === 'handleParameterPollution') {
-              expect(responseScanning[method]).to.have.been.calledWith(sc, expectedArgs[1]);
-            }
-          });
-        }, store);
-      });
-    });
-  });
-});

package/lib/rule-scopes.test.js

@@ -1,27 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const { Rule } = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-
-describe('assess rule-scopes', function () {
-  let core;
-
-  beforeEach(function () {
-    ({ core } = initAssessFixture());
-  });
-
-  it('isLocked(ruleId) returns false when not running in rule scope', function () {
-    for (const ruleId of Object.values(Rule)) {
-      expect(core.assess.ruleScopes.isLocked(ruleId)).to.be.false;
-    }
-  });
-
-  it('isLocked(ruleId) will return true when run in scope for ruleId', function (next) {
-    core.assess.ruleScopes.run(Rule.REFLECTED_XSS, () => {
-      expect(core.assess.ruleScopes.isLocked(Rule.REFLECTED_XSS)).to.be.true;
-      expect(core.assess.ruleScopes.isLocked(Rule.SQL_INJECTION)).to.be.false;
-      next();
-    });
-  });
-});