npm - @contrast/assess - Versions diffs - 1.46.1 → 1.46.2 - Mend

@contrast/assess 1.46.1 → 1.46.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/lib/dataflow/propagation/install/mustache-escape.test.js DELETED Viewed

@@ -1,62 +0,0 @@
-'use strict';
-const {
-  DataflowTag: { UNTRUSTED, HTML_ENCODED }
-} = require('@contrast/common');
-const sinon = require('sinon');
-const { expect } = require('chai');
-const mustache = require('mustache');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation mustache.escape', function () {
-  let core, trackString, simulateRequestScope, tracker;
-  beforeEach(function () {
-    ({
-      core,
-      simulateRequestScope,
-      trackString
-    } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.mustacheEscape.install();
-    core.depHooks.resolve.yield(mustache);
-  });
-  afterEach(function () {
-    sinon.resetHistory();
-  });
-  it('will not propagate if there is no assess policy in request context', function () {
-    simulateRequestScope(function () {
-      const value = trackString('<script>alert("hello");</script>');
-      const result = mustache.escape(value);
-      expect(tracker.getData(result)).to.be.null;
-    }, { assess: { policy: null } });
-  });
-  it('will not propagate if there instrumentation is locked', function () {
-    simulateRequestScope(function () {
-      core.scopes.instrumentation.run({ lock: true }, function () {
-        const value = trackString('<script>alert("hello");</script>');
-        const result = mustache.escape(value);
-        expect(tracker.getData(result)).to.be.null;
-      });
-    });
-  });
-  it('propagates correctly', function () {
-    simulateRequestScope(function () {
-      const value = trackString('<script>alert("hello");</script>');
-      const result = mustache.escape(value);
-      const strInfo = tracker.getData(result);
-      expect(result).to.be.equal('&lt;script&gt;alert(&quot;hello&quot;);&lt;&#x2F;script&gt;');
-      expect(strInfo?.tags).to.deep.equal({
-        [UNTRUSTED]: [4, 9, 14, 19, 26, 30, 37, 38, 49, 54],
-        [HTML_ENCODED]: [0, 58]
-      });
-    });
-  });
-});

package/lib/dataflow/propagation/install/mysql-connection-escape.test.js DELETED Viewed

@@ -1,74 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const {
-  DataflowTag: {
-    UNTRUSTED,
-    SQL_ENCODED,
-  }
-} = require('@contrast/common');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation mysql.connection.escape', function () {
-  let core, trackString, simulateRequestScope, tracker, mockConnection;
-  beforeEach(function () {
-    ({
-      core,
-      simulateRequestScope,
-      trackString
-    } = initAssessFixture());
-    mockConnection = function () { };
-    mockConnection.prototype.escape = (str) => `mock-escape_${str}_mock-escape`;
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.mysqlEscape.install();
-    core.depHooks.resolve.withArgs(sinon.match({ name: 'mysql', file: 'lib/Connection.js' })).yield(mockConnection);
-  });
-  afterEach(function () {
-    sinon.resetHistory();
-  });
-  it('propagates correctly', function () {
-    simulateRequestScope(function () {
-      const notTrackedValue = 'foo';
-      const trackedValue = trackString('foo', { tags: { [UNTRUSTED]: [0, 2] } });
-      const connection = new mockConnection();
-      const notTrackedResult = connection.escape(notTrackedValue);
-      const notTrackedStrInfo = tracker.getData(notTrackedResult);
-      const trackedResult = connection.escape(trackedValue);
-      const trackedStrInfo = tracker.getData(trackedResult);
-      expect(notTrackedStrInfo).to.be.null;
-      expect(trackedStrInfo?.tags).to.deep.equal({
-        [UNTRUSTED]: [0, trackedStrInfo?.value.length - 1],
-        [SQL_ENCODED]: [0, trackedStrInfo?.value.length - 1]
-      });
-    });
-  });
-  it('will not propagate if there is no assess policy in request context', function () {
-    simulateRequestScope(function () {
-      const value = trackString('foo');
-      const connection = new mockConnection();
-      const result = connection.escape(value);
-      expect(tracker.getData(result)).to.be.null;
-    }, { assess: { policy: null } });
-  });
-  it('will not propagate if there instrumentation is locked', function () {
-    simulateRequestScope(function () {
-      core.scopes.instrumentation.run({ lock: true }, function () {
-        const value = trackString('foo');
-        const connection = new mockConnection();
-        const result = connection.escape(value);
-        expect(tracker.getData(result)).to.be.null;
-      });
-    });
-  });
-});

package/lib/dataflow/propagation/install/parse-int.test.js DELETED Viewed

@@ -1,48 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation parseInt', function () {
-  let core, simulateRequestScope, trackString, tracker;
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.parseIntInstrumentation.install();
-  });
-  afterEach(function () {
-    core.assess.dataflow.propagation.parseIntInstrumentation.uninstall();
-  });
-  it('will not sanitize if Number coercion fails', function () {
-    simulateRequestScope(() => {
-      const str = trackString('foo');
-      global.parseInt(str);
-      expect(tracker.getData(str)).to.deep.include({
-        context: 'UNKNOWN.val',
-        name: 'assess-dataflow-fixture',
-        fieldName: 'val',
-        pathName: 'val',
-        stack: [],
-        inputType: 'UNKNOWN',
-        tags: { UNTRUSTED: [0, 2] },
-        result: { tracked: true, value: 'foo' },
-      });
-    });
-  });
-  it('will untrack if Number coercion succeeds', function () {
-    simulateRequestScope(() => {
-      const str = trackString('30000');
-      global.parseInt(str);
-      expect(tracker.getData(str)).to.be.null;
-      expect(core.logger.trace).to.have.been.calledWithMatch({
-        funcKey: 'assess-dataflow-propagator:global.parseInt',
-        sanitizer: 'global.parseInt',
-        value: '30000',
-      }, 'untracked a string value');
-    });
-  });
-});

package/lib/dataflow/propagation/install/path/basename.test.js DELETED Viewed

@@ -1,143 +0,0 @@
-'use strict';
-const {
-  DataflowTag: { UNTRUSTED, STRING_TYPE_CHECKED, CUSTOM_ENCODED },
-} = require('@contrast/common');
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation path basename', function () {
-  let core, tracker, createPropagationEvent, trackString, simulateRequestScope;
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    createPropagationEvent = sinon.spy(
-      core.assess.eventFactory,
-      'createPropagationEvent'
-    );
-  });
-  ['posix', 'win32'].forEach((os) => {
-    describe(os, function () {
-      let path;
-      beforeEach(function () {
-        path = require('path')[os];
-        core.depHooks.resolve.yields(path);
-        const basenameInstr = require('./basename')(core);
-        basenameInstr.install();
-      });
-      it('should ignore empty or non-string values', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('');
-          const file = path.basename(myPath);
-          const strInfo = tracker.getData(file);
-          expect(strInfo).to.be.null;
-          expect(() => path.basename(1)).to.throw();
-        });
-      });
-      it('will not propagate if there is no assess policy in request context', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/script.sh');
-          const result = path.basename(myPath);
-          expect(tracker.getData(result)).to.be.null;
-        }, { assess: { policy: null } });
-      });
-      it('will not propagate if there instrumentation is locked', function () {
-        simulateRequestScope(function () {
-          core.scopes.instrumentation.run({ lock: true }, function () {
-            const myPath = trackString('/script.sh');
-            const result = path.basename(myPath);
-            expect(tracker.getData(result)).to.be.null;
-          });
-        });
-      });
-      it('will not propagate if the argument is not tracked', function () {
-        simulateRequestScope(function () {
-          const myPath = '/script.sh';
-          const trackedExtension = trackString('.sh');
-          path.basename(myPath);
-          path.basename(myPath, trackedExtension);
-          expect(createPropagationEvent).to.not.have.been.called;
-        });
-      });
-      it('will not propagate if there no event created', function () {
-        simulateRequestScope(function () {
-          core.config.assess.max_propagation_events = 0;
-          const myPath = trackString('/script.sh');
-          const result = path.basename(myPath);
-          expect(tracker.getData(result)).to.be.null;
-        });
-      });
-      it('should track entire path if entire string was tracked before normalizing', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/some/other/file.exe/../../path/file.txt');
-          const basename = path.basename(myPath, '.exe');
-          const strInfo = tracker.getData(basename);
-          expect(strInfo.tags).to.deep.equal({
-            [UNTRUSTED]: [0, 3, 5, 7],
-          });
-        });
-      });
-      it('should account for the extension properly', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/some/path/file.txt', {
-            tags: {
-              [UNTRUSTED]: [0, 18],
-              [CUSTOM_ENCODED]: [13, 17],
-              [STRING_TYPE_CHECKED]: [5, 10],
-            },
-          });
-          const basename = path.basename(myPath, '.txt');
-          const strInfo = tracker.getData(basename);
-          expect(strInfo.tags).to.deep.equal({
-            [UNTRUSTED]: [0, 3],
-            [CUSTOM_ENCODED]: [2, 3],
-          });
-        });
-      });
-      it('should account for the extension properly when it is repeated in the path', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/some/path/file.txt/../../other/txt/file/../../path/to/file.txt.txt', {
-            tags: {
-              [UNTRUSTED]: [0, 66],
-              [CUSTOM_ENCODED]: [57, 62],
-              [STRING_TYPE_CHECKED]: [5, 45],
-            },
-          });
-          const basename = path.basename(myPath, '.txt');
-          const strInfo = tracker.getData(basename);
-          expect(strInfo.tags).to.deep.equal({
-            [UNTRUSTED]: [0, 3, 5, 7],
-            [CUSTOM_ENCODED]: [2, 3, 5, 7],
-          });
-        });
-      });
-    });
-  });
-});

package/lib/dataflow/propagation/install/path/dirname.test.js DELETED Viewed

@@ -1,167 +0,0 @@
-'use strict';
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const { DataflowTag: { UNTRUSTED } } = require('@contrast/common');
-describe('assess dataflow propagation path dirname', function () {
-  let core, tracker, createPropagationEvent, trackString, simulateRequestScope;
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    createPropagationEvent = sinon.spy(
-      core.assess.eventFactory,
-      'createPropagationEvent'
-    );
-    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
-  });
-  ['posix', 'win32'].forEach((os) => {
-    describe(os, function () {
-      let path;
-      beforeEach(function () {
-        path = require('path')[os];
-        core.depHooks.resolve.yields(path);
-        const dirnameInstr = require('./dirname')(core);
-        dirnameInstr.install();
-      });
-      it('should ignore empty string', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('');
-          const result = path.dirname(myPath);
-          const strInfo = tracker.getData(result);
-          expect(strInfo).to.be.null;
-        });
-      });
-      it('will not propagate if there is no assess policy in request context', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/path');
-          const result = path.dirname(myPath);
-          expect(tracker.getData(result)).to.be.null;
-        }, { assess: { policy: null } });
-      });
-      it('will not propagate if there instrumentation is locked', function () {
-        simulateRequestScope(function () {
-          core.scopes.instrumentation.run({ lock: true }, function () {
-            const myPath = trackString('/path');
-            const result = path.dirname(myPath);
-            expect(tracker.getData(result)).to.be.null;
-          });
-        });
-      });
-      it('will not propagate if the argument is not tracked', function () {
-        simulateRequestScope(function () {
-          const myPath = '/path';
-          path.dirname(myPath);
-          expect(createPropagationEvent).to.not.have.been.called;
-        });
-      });
-      it('will not propagate if there no event created', function () {
-        simulateRequestScope(function () {
-          core.config.assess.max_propagation_events = 0;
-          const myPath = trackString('/path');
-          const result = path.dirname(myPath);
-          expect(tracker.getData(result)).to.be.null;
-        });
-      });
-      it('should not propagate if tracked string is not in result', function() {
-        simulateRequestScope(function () {
-          const myPath = trackString('/file');
-          const result = path.dirname('/dir/path/to'.concat(myPath));
-          expect(result).to.be.equal('/dir/path/to');
-          expect(tracker.getData(result)).to.be.null;
-        });
-      });
-      it('should propagate if entire path is tracked ', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/dir/path/to/file');
-          const result = path.dirname(myPath);
-          const strInfo = tracker.getData(result);
-          expect(result).to.be.equal('/dir/path/to');
-          if (os === 'win32') {
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [1, 3, 5, 8, 10, 11],
-            });
-          } else {
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [0, 11],
-            });
-          }
-        });
-      });
-      it('should propagate if partial path is tracked ', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/path/to/file');
-          const result = path.dirname('/dir'.concat(myPath));
-          const strInfo = tracker.getData(result);
-          expect(result).to.be.equal('/dir/path/to');
-          if (os === 'win32') {
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [5, 8, 10, 11],
-            });
-          } else {
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [4, 11],
-            });
-          }
-        });
-      });
-      it('should propagate multiple tag ranges ', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/dir/path/to/file', {
-            tags: {
-              UNTRUSTED: [0, 16],
-              'FOO': [5, 8],
-              'BAR': [10, 16]
-            }
-          });
-          const result = path.dirname(myPath);
-          const strInfo = tracker.getData(result);
-          expect(result).to.be.equal('/dir/path/to');
-          if (os === 'win32') {
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [1, 3, 5, 8, 10, 11],
-              ['FOO']: [5, 8],
-              ['BAR']: [10, 11]
-            });
-          } else {
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [0, 11],
-              ['FOO']: [5, 8],
-              ['BAR']: [10, 11]
-            });
-          }
-        });
-      });
-    });
-  });
-});

package/lib/dataflow/propagation/install/path/extname.test.js DELETED Viewed

@@ -1,141 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const { DataflowTag: { UNTRUSTED } } = require('@contrast/common');
-describe('assess dataflow propagation path extname', function () {
-  let core, tracker, trackString, simulateRequestScope;
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
-  });
-  ['posix', 'win32'].forEach((os) => {
-    describe(os, function () {
-      let path;
-      beforeEach(function () {
-        path = require('path')[os];
-        core.depHooks.resolve.yields(path);
-        const extnameInstr = require('./extname')(core);
-        extnameInstr.install();
-      });
-      it('should ignore empty string', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('');
-          const result = path.extname(myPath);
-          const strInfo = tracker.getData(result);
-          expect(strInfo).to.be.null;
-        });
-      });
-      it('will not propagate if there is no assess policy in request context', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/path/to/file.txt');
-          const result = path.extname(myPath);
-          expect(tracker.getData(result)).to.be.null;
-        }, { assess: { policy: null } });
-      });
-      it('will not propagate if there instrumentation is locked', function () {
-        simulateRequestScope(function () {
-          core.scopes.instrumentation.run({ lock: true }, function () {
-            const myPath = trackString('/path/to/file.txt');
-            const result = path.extname(myPath);
-            expect(tracker.getData(result)).to.be.null;
-          });
-        });
-      });
-      it('will not propagate if the argument is not tracked', function () {
-        simulateRequestScope(function () {
-          const myPath = '/path/to/file.txt';
-          const result = path.extname(myPath);
-          expect(tracker.getData(result)).to.be.null;
-        });
-      });
-      it('will not propagate if there no event created', function () {
-        simulateRequestScope(function () {
-          core.config.assess.max_propagation_events = 0;
-          const myPath = trackString('/path/to/file.txt');
-          const result = path.extname(myPath);
-          expect(tracker.getData(result)).to.be.null;
-        });
-      });
-      it('should not propagate if tracked string is not in result', function() {
-        simulateRequestScope(function () {
-          const myPath = trackString('/path/to/file');
-          const result = path.extname(myPath.concat('.txt'));
-          expect(result).to.be.equal('.txt');
-          expect(tracker.getData(result)).to.be.null;
-        });
-      });
-      it('should propagate if entire path is tracked', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/path/to/file.txt');
-          const result = path.extname(myPath);
-          const strInfo = tracker.getData(result);
-          expect(result).to.be.equal('.txt');
-          expect(strInfo.tags).to.deep.equal({
-            [UNTRUSTED]: [1, 3]
-          });
-        });
-      });
-      it('should propagate if partial path is tracked ', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('file.txt');
-          const result = path.extname('/path/to/'.concat(myPath));
-          const strInfo = tracker.getData(result);
-          expect(result).to.be.equal('.txt');
-          expect(strInfo.tags).to.deep.equal({
-            [UNTRUSTED]: [1, 3],
-          });
-        });
-      });
-      it('should propagate multiple tag ranges ', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/path/to/file.txt', {
-            tags: {
-              UNTRUSTED: [0, 16],
-              'FOO': [9, 12],
-              'BAR': [14, 16]
-            }
-          });
-          const result = path.extname(myPath);
-          const strInfo = tracker.getData(result);
-          expect(result).to.be.equal('.txt');
-          expect(strInfo.tags).to.deep.equal({
-            [UNTRUSTED]: [1, 3],
-            ['BAR']: [1, 3]
-          });
-        });
-      });
-    });
-  });
-});