npm - @contrast/assess - Versions diffs - 1.46.1 → 1.46.2 - Mend

@contrast/assess 1.46.1 → 1.46.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/package.json CHANGED Viewed

@@ -1,11 +1,14 @@
 {
   "name": "@contrast/assess",
-  "version": "1.46.1",
+  "version": "1.46.2",
   "description": "Contrast service providing framework-agnostic Assess support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
   "files": [
-    "lib/"
+    "lib/",
+    "!*.test.*",
+    "!tsconfig.*",
+    "!*.map"
   ],
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
@@ -18,16 +21,16 @@
   },
   "dependencies": {
     "@contrast/common": "1.29.1",
-    "@contrast/config": "1.40.1",
-    "@contrast/core": "1.45.1",
-    "@contrast/dep-hooks": "1.14.1",
+    "@contrast/config": "1.40.2",
+    "@contrast/core": "1.45.2",
+    "@contrast/dep-hooks": "1.14.2",
     "@contrast/distringuish": "^5.1.0",
-    "@contrast/instrumentation": "1.24.1",
-    "@contrast/logger": "1.18.1",
-    "@contrast/patcher": "1.17.1",
-    "@contrast/rewriter": "1.21.2",
-    "@contrast/route-coverage": "1.35.1",
-    "@contrast/scopes": "1.15.1",
+    "@contrast/instrumentation": "1.24.2",
+    "@contrast/logger": "1.18.2",
+    "@contrast/patcher": "1.17.2",
+    "@contrast/rewriter": "1.21.3",
+    "@contrast/route-coverage": "1.35.2",
+    "@contrast/scopes": "1.15.2",
     "semver": "^7.6.0"
   }
 }

package/lib/crypto-analysis/install/crypto.test.js DELETED Viewed

@@ -1,146 +0,0 @@
-'use strict';
-const sinon = require('sinon');
-const semver = require('semver');
-const { expect } = require('chai');
-const { Rule } = require('@contrast/common');
-const { ConfigSource } = require('@contrast/config');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess crypto-analysis node:crypto', function () {
-  let core, simulateRequestScope, mockCrypto;
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-    mockCrypto = {
-      createHash: sinon.stub(),
-      createCipher: sinon.stub(),
-      createCipheriv: sinon.stub(),
-    };
-    core.depHooks.resolve.yields(mockCrypto);
-    sinon.spy(core.assess.cryptoAnalysis, 'report');
-    core.assess.cryptoAnalysis.installers.crypto.install();
-  });
-  describe('crypto.createHash()', function() {
-    [
-      'sha2-224',
-      'Sha224',
-      'rsa-sha256',
-      'sha256withrsaencryption',
-      'sha-384',
-      'SHA384WITHRSAENCRYPTION',
-      'sha-512',
-      'sha2-512',
-      'sha512',
-      'ShA512WiThRsAeNcRyPtIoN',
-    ].forEach((alg) => {
-      it(`doesn't report when algorithm is safe: ${alg}`, function () {
-        simulateRequestScope(() => {
-          mockCrypto.createHash(alg);
-          expect(core.assess.cryptoAnalysis.report).not.to.have.been.called;
-        });
-      });
-    });
-    [
-      'RSA-SHA1-2',
-      'MD4',
-      'md5',
-      'MD5-SHA1',
-    ].forEach((alg) => {
-      it(`reports when algorithm is unsafe: ${alg}`, function () {
-        simulateRequestScope(() => {
-          mockCrypto.createHash(alg);
-          expect(core.assess.cryptoAnalysis.report).to.have.been.calledWithMatch({
-            ruleId: Rule.CRYPTO_BAD_MAC,
-            finding: sinon.match({
-              args: [{ tracked: false, value: alg }],
-              methodName: 'createHash',
-              moduleName: 'crypto',
-              object: { tracked: false, value: 'crypto' },
-              result: { tracked: false, value: 'Hash' },
-              source: 'P0',
-              stack: sinon.match.array,
-              stacktraceOpts: {
-                constructorOpt: sinon.match.func,
-              }
-            }),
-          });
-        });
-      });
-    });
-    [
-      'etag',
-      'browserify',
-      'deps-sort'
-    ].forEach((lib) => {
-      [
-        'ALL',
-        'SOME'
-      ].forEach((stacktraceConfig) => {
-        it('will not report when library is trusted', function() {
-          core.config.setValue('assess.stacktraces', stacktraceConfig, ConfigSource.ENVIRONMENT_VARIABLE);
-          simulateRequestScope(() => {
-            sinon.stub(core.assess.eventFactory, 'createCryptoAnalysisEvent').returns({
-              stack: [{ file: `node_modules/${lib}/index.js` }]
-            });
-            mockCrypto.createHash('MD4', 'foo');
-            expect(core.assess.cryptoAnalysis.report).not.to.have.been.called;
-          });
-        });
-      });
-    });
-  });
-  const methods = ['createCipheriv'];
-  if (semver.lt(process.version, '22.0.0')) methods.push('createCipher');
-  methods.forEach((method) => {
-    describe(`crypto.${method}()`, function() {
-      [
-        'des-ede',
-        'DES-EDE-CBC',
-        'aes128',
-        'rsa',
-        'id-aes128-wrap',
-      ].forEach((alg) => {
-        it(`doesn't report when algorithm is safe: ${alg}`, function () {
-          simulateRequestScope(() => {
-            mockCrypto[method](alg, 'foo');
-            expect(core.assess.cryptoAnalysis.report).not.to.have.been.called;
-          });
-        });
-      });
-      [
-        'RC2-64',
-        'rc2-64',
-        'SM4-OFB',
-      ].forEach((alg) => {
-        it(`reports when algorithm is unsafe: ${alg}`, function () {
-          simulateRequestScope(() => {
-            mockCrypto[method](alg, 'foo');
-            expect(core.assess.cryptoAnalysis.report).to.have.been.calledWithMatch({
-              ruleId: Rule.CRYPTO_BAD_CIPHERS,
-              finding: sinon.match({
-                args: [{ tracked: false, value: alg }],
-                methodName: method,
-                moduleName: 'crypto',
-                object: { tracked: false, value: 'crypto' },
-                result: { tracked: false, value: 'Cipher' },
-                source: 'P0',
-                stack: sinon.match.array,
-                stacktraceOpts: {
-                  constructorOpt: sinon.match.func,
-                }
-              }),
-            });
-          });
-        });
-      });
-    });
-  });
-});

package/lib/crypto-analysis/install/math.test.js DELETED Viewed

@@ -1,65 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const { Rule } = require('@contrast/common');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess cryptographic analysis Math instrumentation', function () {
-  let core, simulateRequestScope;
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-    sinon.spy(core.assess.cryptoAnalysis, 'report');
-    core.assess.cryptoAnalysis.installers.math.install();
-  });
-  afterEach(function () {
-    core.assess.cryptoAnalysis.installers.math.uninstall();
-  });
-  describe('Math.random()', function () {
-    it('reports when', function () {
-      simulateRequestScope(() => {
-        Math.random();
-        expect(core.assess.cryptoAnalysis.report).to.have.been.calledWithMatch({
-          ruleId: Rule.CRYPTO_WEAK_RANDOMNESS,
-          finding: sinon.match({
-            args: [],
-            methodName: 'random',
-            moduleName: 'global.Math',
-            object: { tracked: false, value: 'global.Math' },
-            result: { tracked: false, value: sinon.match.string },
-            source: 'A',
-            stack: sinon.match.array,
-            stacktraceOpts: {
-              constructorOpt: sinon.match.func,
-            },
-          })
-        });
-      });
-    });
-    [
-      'node_modules/node-uuid/',
-      'browserify'
-    ].forEach((lib) => {
-      it('will not report when library is trusted', function () {
-        core.config.setValue('assess.stacktraces', 'ALL');
-        sinon.stub(core.assess.eventFactory, 'createCryptoAnalysisEvent').returns({
-          stack: [{ file: `${lib}/index.js` }],
-        });
-        simulateRequestScope(() => {
-          Math.random();
-          expect(core.logger.trace).to.have.been.calledWith(
-            { funcKey: 'assess-cryptographic-analysis:global.Math.random' },
-            'skipping reporting for %s - trusting %s',
-            'crypto-weak-randomness',
-            lib,
-          );
-          expect(core.assess.cryptoAnalysis.report).not.to.have.been.called;
-        });
-      });
-    });
-  });
-});

package/lib/dataflow/index.test.js DELETED Viewed

@@ -1,36 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const proxyquire = require('proxyquire');
-const mocks = require('@contrast/test/mocks');
-const moduleMock = (moduleName, mock) => (deps) => {
-  deps.assess.dataflow[moduleName] = mock[moduleName];
-};
-describe('assess dataflow', function () {
-  let core, dataflowMock, dataflowModule, modulesWithInstall;
-  beforeEach(function () {
-    core = mocks.core();
-    core.scopes = mocks.scopes();
-    core.assess = mocks.assess();
-    dataflowMock = core.assess.dataflow;
-    dataflowModule = proxyquire('.', {
-      './tracker': moduleMock('tracker', dataflowMock),
-      './sources': moduleMock('sources', dataflowMock),
-      './sinks': moduleMock('sinks', dataflowMock),
-      './propagation': moduleMock('propagation', dataflowMock),
-    });
-    modulesWithInstall = ['sources', 'sinks', 'propagation'];
-  });
-  it('installs the components', function () {
-    dataflowModule(core).install();
-    modulesWithInstall.forEach((module) => {
-      expect(dataflowMock[module].install).to.have.been.calledOnce;
-    });
-  });
-});

package/lib/dataflow/propagation/index.test.js DELETED Viewed

@@ -1,103 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const proxyquire = require('proxyquire');
-const mocks = require('@contrast/test/mocks');
-const moduleMock = (moduleName, mock) => (deps) => {
-  deps.assess.dataflow.propagation[moduleName] = mock[moduleName];
-};
-describe('assess dataflow propagation', function () {
-  let core, propagationMock, propagationModule, modulesWithInstall, modulesWithUninstall;
-  beforeEach(function () {
-    core = mocks.core();
-    core.assess = mocks.assess();
-    core.depHooks = mocks.depHooks();
-    core.patcher = mocks.patcher();
-    core.scopes = mocks.scopes();
-    propagationMock = core.assess.dataflow.propagation;
-    propagationModule = proxyquire('.', {
-      './install/contrast-methods': moduleMock('contrastMethodsInstrumentation', propagationMock),
-      './install/buffer': moduleMock('bufferInstrumentation', propagationMock),
-      './install/ejs': moduleMock('ejsInstrumentation', propagationMock),
-      './install/pug': moduleMock('pugInstrumentation', propagationMock),
-      './install/string': moduleMock('stringInstrumentation', propagationMock),
-      './install/url': moduleMock('urlInstrumentation', propagationMock),
-      './install/validator': moduleMock('validatorInstrumentation', propagationMock),
-      './install/array-prototype-join': moduleMock('arrayJoin', propagationMock),
-      './install/decode-uri-component': moduleMock('decodeURIComponent', propagationMock),
-      './install/encode-uri': moduleMock('encodeURI', propagationMock),
-      './install/escape-html': moduleMock('escapeHtml', propagationMock),
-      './install/escape': moduleMock('escape', propagationMock),
-      './install/handlebars-utils-escape-expression': moduleMock('handlebarsEscapeExpression', propagationMock),
-      './install/mongoose': moduleMock('mongooseInstrumentation', propagationMock),
-      './install/mustache-escape': moduleMock('mustacheEscape', propagationMock),
-      './install/mysql-connection-escape': moduleMock('mysqlEscape', propagationMock),
-      './install/pug-runtime-escape': moduleMock('pugRuntimeEscape', propagationMock),
-      './install/sql-template-strings': moduleMock('sqlTemplateStrings', propagationMock),
-      './install/unescape': moduleMock('unescape', propagationMock),
-      './install/querystring': moduleMock('querystringInstrumentation', propagationMock),
-      './install/sequelize': moduleMock('sequelizeInstrumentation', propagationMock),
-      './install/JSON': moduleMock('jsonInstrumentation', propagationMock),
-      './install/reg-exp-prototype-exec': moduleMock('regExpExec', propagationMock),
-      './install/joi': moduleMock('joiInstrumentation', propagationMock),
-      './install/util-format': moduleMock('utilFormatInstrumentation', propagationMock)
-    });
-    modulesWithInstall = [
-      'contrastMethodsInstrumentation',
-      'ejsInstrumentation',
-      'pugInstrumentation',
-      'stringInstrumentation',
-      'urlInstrumentation',
-      'validatorInstrumentation',
-      'arrayJoin',
-      'encodeURI',
-      'decodeURIComponent',
-      'escapeHtml',
-      'escape',
-      'handlebarsEscapeExpression',
-      'mongooseInstrumentation',
-      'mustacheEscape',
-      'mysqlEscape',
-      'pugRuntimeEscape',
-      'sqlTemplateStrings',
-      'unescape',
-      'querystringInstrumentation',
-      'jsonInstrumentation',
-      'regExpExec',
-      'joiInstrumentation'
-    ];
-    modulesWithUninstall = [
-      'contrastMethodsInstrumentation',
-      'stringInstrumentation',
-      'arrayJoin',
-      'encodeURI',
-      'decodeURIComponent',
-      'escape',
-      'unescape',
-      'jsonInstrumentation',
-      'regExpExec'
-    ];
-  });
-  it('installs the components', function () {
-    propagationModule(core).install();
-    modulesWithInstall.forEach((module) => {
-      expect(propagationMock[module].install).to.have.been.calledOnce;
-    });
-  });
-  it('uninstalls the components', function () {
-    propagationModule(core).uninstall();
-    modulesWithUninstall.forEach((module) => {
-      if (propagationMock[module].uninstall) {
-        expect(propagationMock[module].uninstall).to.have.been.calledOnce;
-      }
-    });
-  });
-});

package/lib/dataflow/propagation/install/JSON/index.test.js DELETED Viewed

@@ -1,50 +0,0 @@
-'use strict';
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation JSON', function () {
-  let core, instr;
-  beforeEach(function () {
-    ({ core } = initAssessFixture());
-    instr = core.assess.dataflow.propagation.jsonInstrumentation;
-  });
-  const propagatorList = [
-    'stringify',
-    'parse'
-  ];
-  it('composes different installers', function () {
-    propagatorList.forEach((name) => {
-      expect(instr[name]).to.have.property('install').and.be.a('function');
-      expect(instr[name]).to.have.property('uninstall').and.be.a('function');
-    });
-  });
-  it('dispatches installation to sub-components', function () {
-    const installs = [];
-    const uninstalls = [];
-    // stub these to prevent side effects
-    propagatorList.forEach((name) => {
-      const instr = core.assess.dataflow.propagation.jsonInstrumentation;
-      installs.push(sinon.stub(instr[name], 'install'));
-      uninstalls.push(sinon.stub(instr[name], 'uninstall'));
-    });
-    instr.install();
-    instr.uninstall();
-    expect(installs).to.have.lengthOf(2);
-    installs.forEach((installer) => {
-      expect(installer).to.have.been.called;
-    });
-    expect(uninstalls).to.have.lengthOf(2);
-    uninstalls.forEach((installer) => {
-      expect(installer).to.have.been.called;
-    });
-  });
-});

package/lib/dataflow/propagation/install/JSON/parse-fn.test.js DELETED Viewed

@@ -1,232 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const { getKeyValueIndices } = require('./parse-fn');
-describe('assess dataflow propagation JSON getValueIndexes', function () {
-  const obj = {
-    prop1: 'test',
-    prop2: 'test2',
-    test2: '',
-    arr: [{ name: { prop3: 'test3' } }, 2, 'test4'],
-    nested: { prop4: 'prop' },
-    prop5: 'test5',
-    obj: {
-      name: 'john',
-      0: ['0', -1, -10, '-10'],
-      '': { '&&': '{{', '{}': ',,' },
-    },
-  };
-  it('should parse a string', function () {
-    const result = getKeyValueIndices('"hello"');
-    expect(result).to.eql([{ key: '', value: [1, 5] }]);
-  });
-  it('should parse a string without quotation marks', function () {
-    const result = getKeyValueIndices('hello');
-    expect(result).to.eql([{ key: '', value: [0, 4] }]);
-  });
-  it('should parse true', function () {
-    const result = getKeyValueIndices('true');
-    expect(result).to.eql([{ key: '', value: [0, 3] }]);
-  });
-  it('should parse false', function () {
-    const result = getKeyValueIndices('false');
-    expect(result).to.eql([{ key: '', value: [0, 4] }]);
-  });
-  it('should parse a number', function () {
-    const result = getKeyValueIndices('1231');
-    expect(result).to.eql([{ key: '', value: [0, 3] }]);
-  });
-  it('should parse a negative number', function () {
-    const result = getKeyValueIndices('-1231');
-    expect(result).to.eql([{ key: '', value: [0, 4] }]);
-  });
-  it('should parse an array', function () {
-    const result = getKeyValueIndices(
-      '[1, 2, 3, null, true, false, {}, [], ["a"]]');
-    expect(result).to.eql([
-      { key: [null, null], value: [1, 1] },
-      { key: [null, null], value: [4, 4] },
-      { key: [null, null], value: [7, 7] },
-      { key: [null, null], value: [10, 13] },
-      { key: [null, null], value: [16, 19] },
-      { key: [null, null], value: [22, 26] },
-      { key: [null, null], value: [29, 30] },
-      { key: [null, null], value: [33, 34] },
-      { key: [null, null], value: [39, 39] },
-      { key: [null, null], value: [37, 41] },
-      { key: '', value: [0, 42] },
-    ]);
-  });
-  it('should parse an object', function () {
-    const result = getKeyValueIndices(JSON.stringify(obj));
-    expect(result).to.eql([
-      { key: [2, 6], value: [10, 13] },
-      { key: [17, 21], value: [25, 29] },
-      { key: [33, 37], value: [null, null] },
-      { key: [60, 64], value: [68, 72] },
-      { key: [52, 55], value: [58, 74] },
-      { key: [null, null], value: [50, 75] },
-      { key: [null, null], value: [77, 77] },
-      { key: [null, null], value: [80, 84] },
-      { key: [44, 46], value: [49, 86] },
-      { key: [99, 103], value: [107, 110] },
-      { key: [89, 94], value: [97, 112] },
-      { key: [115, 119], value: [123, 127] },
-      { key: [null, null], value: [143, 143] },
-      { key: [null, null], value: [146, 147] },
-      { key: [null, null], value: [149, 151] },
-      { key: [null, null], value: [154, 156] },
-      { key: [138, 138], value: [141, 158] },
-      { key: [161, 164], value: [168, 171] },
-      { key: [179, 180], value: [184, 185] },
-      { key: [189, 190], value: [194, 195] },
-      { key: [null, null], value: [177, 197] },
-      { key: [131, 133], value: [136, 198] },
-      { key: '', value: [0, 199] },
-    ]);
-  });
-  it('should parse an object with spaces', function () {
-    const result = getKeyValueIndices(JSON.stringify(obj, null, '   '));
-    expect(result).to.eql([
-      {
-        key: [6, 10],
-        value: [15, 18],
-      },
-      {
-        key: [26, 30],
-        value: [35, 39],
-      },
-      {
-        key: [47, 51],
-        value: [null, null],
-      },
-      {
-        key: [111, 115],
-        value: [120, 124],
-      },
-      {
-        key: [89, 92],
-        value: [96, 136],
-      },
-      {
-        key: [null, null],
-        value: [77, 144],
-      },
-      {
-        key: [null, null],
-        value: [153, 153],
-      },
-      {
-        key: [null, null],
-        value: [163, 167],
-      },
-      {
-        key: [63, 65],
-        value: [69, 173],
-      },
-      {
-        key: [198, 202],
-        value: [207, 210],
-      },
-      {
-        key: [180, 185],
-        value: [189, 216],
-      },
-      {
-        key: [223, 227],
-        value: [232, 236],
-      },
-      {
-        key: [null, null],
-        value: [275, 275],
-      },
-      {
-        key: [null, null],
-        value: [288, 289],
-      },
-      {
-        key: [null, null],
-        value: [301, 303],
-      },
-      {
-        key: [null, null],
-        value: [316, 318],
-      },
-      {
-        key: [259, 259],
-        value: [263, 327],
-      },
-      {
-        key: [337, 340],
-        value: [345, 348],
-      },
-      {
-        key: [374, 375],
-        value: [380, 381],
-      },
-      {
-        key: [395, 396],
-        value: [401, 402],
-      },
-      {
-        key: [null, null],
-        value: [362, 411],
-      },
-      {
-        key: [244, 246],
-        value: [250, 416],
-      },
-      {
-        key: '',
-        value: [0, 418],
-      },
-    ]);
-  });
-  it('should parse escaped values', function () {
-    const data = {
-      '"': "na\"'me",
-      '\\&': '&amp;',
-    };
-    const result = getKeyValueIndices(JSON.stringify(data));
-    // `{"\\"":"na\\"'me","\\\\&":"&amp;"}`
-    expect(result).to.eql([
-      { key: [2, 3], value: [7, 13] },
-      { key: [17, 19], value: [23, 27] },
-      { key: '', value: [0, 29] },
-    ]);
-  });
-  it('should parse decimal numbers', function () {
-    const data = {
-      a: 0.11,
-      b: 1.01,
-      c: 0.00001,
-    };
-    const result = getKeyValueIndices(JSON.stringify(data));
-    // '{"a":0.11,"b":1.01,"c":0.00001}'
-    expect(result).to.eql([
-      { key: [2, 2], value: [5, 8] },
-      { key: [11, 11], value: [14, 17] },
-      { key: [20, 20], value: [23, 29] },
-      { key: '', value: [0, 30] },
-    ]);
-  });
-});