npm - @contrast/assess - Versions diffs - 1.46.1 → 1.46.2 - Mend

@contrast/assess 1.46.1 → 1.46.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/lib/dataflow/propagation/install/sequelize/query-generator.test.js DELETED Viewed

@@ -1,74 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED }
-} = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation sequelize QueryGenerators', function() {
-  let core, component, trackString, simulateRequestScope, tracker;
-  class QueryGeneratorMock {
-    quoteIdentifier(identifier) {
-      return '`'.concat(identifier).concat('`');
-    }
-  }
-  before(function() {
-    ({ core, trackString, simulateRequestScope } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
-    component = require('./query-generator')(core);
-  });
-  after(function() {
-    core.assess.dataflow.propagation.stringInstrumentation.concat.uninstall();
-  });
-  [
-    {
-      Ctor: class MSSQLQueryGenerator extends QueryGeneratorMock {},
-      file: 'lib/dialects/mssql/query-generator.js',
-    },
-    {
-      Ctor: class MySqlQueryGenerator extends QueryGeneratorMock {},
-      file: 'lib/dialects/mysql/query-generator.js',
-    },
-    {
-      Ctor: class PostgresQueryGenerator extends QueryGeneratorMock {},
-      file: 'lib/dialects/postgres/query-generator.js',
-    },
-    {
-      Ctor: class SQLiteQueryGenerator extends QueryGeneratorMock {},
-      file: 'lib/dialects/sqlite/query-generator.js',
-    },
-  ].forEach(({ Ctor, file }) => {
-    it(`${Ctor.name}.prototype.quoteIdentifier adds sql-encoded tag`, function() {
-      core.depHooks.resolve.withArgs(sinon.match({ name: 'sequelize', file })).yields(Ctor);
-      component.install();
-      simulateRequestScope(() => {
-        const tracked = trackString('foo');
-        const result = new Ctor().quoteIdentifier(tracked);
-        const strInfo = tracker.getData(result);
-        expect(strInfo).to.deep.include({
-          args: [{ tracked: true, value: 'foo' }],
-          moduleName: 'sequelize',
-          methodName: `${Ctor.name}.prototype.quoteIdentifier`,
-          object: { tracked: false, value: Ctor.name },
-          result: { tracked: true, value: '`foo`' },
-          source: 'P',
-          tags: {
-            [UNTRUSTED]: [1, 3],
-            [SQL_ENCODED]: [0, 4],
-          },
-          target: 'R',
-        });
-        expect(strInfo.history).to.have.lengthOf(1);
-      });
-    });
-  });
-});

package/lib/dataflow/propagation/install/sequelize/sql-string.test.js DELETED Viewed

@@ -1,119 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const {
-  DataflowTag: { SQL_ENCODED, UNTRUSTED },
-} = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation sequelize sql-string', function () {
-  let core, trackString, simulateRequestScope, tracker, mockSequelizeSqlString;
-  beforeEach(function () {
-    ({
-      core,
-      simulateRequestScope,
-      trackString
-    } = initAssessFixture());
-    mockSequelizeSqlString = {
-      escape: (str) => str,
-      format(str, repl) {
-        repl.forEach((r) => {
-          str = str.replace(/\?/, r);
-        });
-        return str;
-      },
-      formatNamedParameters(str, repl) {
-        Object.keys(repl).forEach((key) => {
-          str = str.replace(new RegExp(`:${key}`), repl[key]);
-        });
-        return str;
-      }
-    };
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.stringInstrumentation.install();
-    core.assess.dataflow.propagation.sequelizeInstrumentation.install();
-    core.depHooks.resolve.yield(mockSequelizeSqlString);
-  });
-  afterEach(function () {
-    core.assess.dataflow.propagation.stringInstrumentation.uninstall();
-    sinon.resetHistory();
-  });
-  [
-    {
-      method: 'escape',
-      args: [() => trackString('inserted-value')],
-      notTrackedArgs: ['safe-value'],
-      expectedTags: {
-        [UNTRUSTED]: [0, 13],
-        [SQL_ENCODED]: [0, 13]
-      }
-    },
-    {
-      method: 'format',
-      args: [() => 'SELECT ? FROM ?', () => ['id', trackString('users')]],
-      notTrackedArgs: ['SELECT ? FROM ?', ['id', 'users']],
-      expectedTags: {
-        [UNTRUSTED]: [15, 19],
-        [SQL_ENCODED]: [15, 19]
-      }
-    },
-    {
-      onlySanitizeCheck: true,
-      method: 'format',
-      args: [() => trackString('SELECT password FROM users'), () => ['id', trackString('users')]],
-      notTrackedArgs: ['SELECT ? FROM ?', ['id', 'users']],
-      expectedTags: {
-        [UNTRUSTED]: [0, 25],
-      }
-    },
-    {
-      method: 'formatNamedParameters',
-      args: [() => 'SELECT :columns FROM :table', () => ({ columns: 'id', table: trackString('users') })],
-      notTrackedArgs: ['SELECT :columns FROM :table', { columns: 'id', table: 'users' }],
-      expectedTags: {
-        [UNTRUSTED]: [15, 19],
-        [SQL_ENCODED]: [15, 19]
-      }
-    },
-    {
-      onlySanitizeCheck: true,
-      method: 'formatNamedParameters',
-      args: [() => trackString('SELECT password FROM users'), () => ({ columns: 'id', table: trackString('users') })],
-      notTrackedArgs: ['SELECT ? FROM ?', ['id', 'users']],
-      expectedTags: {
-        [UNTRUSTED]: [0, 25],
-      }
-    },
-  ].forEach(({ onlySanitizeCheck, method, args, notTrackedArgs, expectedTags }) => {
-    describe(method, function () {
-      it('sanitizes correctly', function () {
-        simulateRequestScope(function () {
-          const notTrackedResult = mockSequelizeSqlString[method](...notTrackedArgs);
-          const notTrackedStrInfo = tracker.getData(notTrackedResult);
-          const trackedResult = mockSequelizeSqlString[method](...args.map(a => a()));
-          const trackedStrInfo = tracker.getData(trackedResult);
-          expect(notTrackedStrInfo).to.be.null;
-          expect(trackedStrInfo?.tags).to.deep.equal(expectedTags);
-        });
-      });
-      if (!onlySanitizeCheck) {
-        it('will not sanitize if there is no assess policy in request context', function () {
-          simulateRequestScope(function () {
-            const result = mockSequelizeSqlString[method](...args.map(a => a()));
-            expect(tracker.getData(result)).to.be.null;
-          }, { assess: { policy: null } });
-        });
-      }
-    });
-  });
-});

package/lib/dataflow/propagation/install/sql-template-strings.test.js DELETED Viewed

@@ -1,100 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const {
-  DataflowTag: { UNTRUSTED, SQL_ENCODED }
-} = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-// TODO: The proper usage of the method is with a template string so
-// meaningful tests can be written after we add support for them (NODE-2826);
-describe('assess dataflow propagation sql-template-strings', function () {
-  let core, trackString, simulateRequestScope, tracker, mockSqlTemplateStrings;
-  beforeEach(function () {
-    ({
-      core,
-      simulateRequestScope,
-      trackString
-    } = initAssessFixture());
-    mockSqlTemplateStrings = {
-      // SQL: (str) => ['mock-template-strings', str, 'mock-template-strings'].join('')
-      SQL: (str) => {
-        const ret = {
-          strings: [],
-          values: []
-        };
-        const valueLength = 'inserted-value'.length;
-        let idx = str.indexOf('inserted-value');
-        let newStr = str;
-        while (idx >= 0) {
-          ret.strings.push(newStr.substring(0, idx));
-          ret.values.push(newStr.substring(idx, idx + valueLength));
-          newStr = newStr.substring(idx + valueLength);
-          idx = newStr.indexOf('inserted-value');
-        }
-        if (newStr) ret.strings.push(newStr);
-        return ret;
-      }
-    };
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.stringInstrumentation.install();
-    core.assess.dataflow.propagation.arrayJoin.install();
-    core.assess.dataflow.propagation.sqlTemplateStrings.install();
-    core.depHooks.resolve.yield(mockSqlTemplateStrings);
-  });
-  afterEach(function () {
-    sinon.resetHistory();
-  });
-  it('propagates correctly', function () {
-    simulateRequestScope(function () {
-      const trackedValue = trackString('inserted-value', { tags: { [UNTRUSTED]: [9, 13] } });
-      const trackedContext = trackString('tracked-context', { tags: { [UNTRUSTED]: [0, 13] } });
-      const notTrackedResult = mockSqlTemplateStrings.SQL('foo-inserted-value-bar-baz-inserted-value');
-      const notTrackedStrInfoStrings = tracker.getData(notTrackedResult.strings.toString());
-      const notTrackedStrInfoValues = tracker.getData(notTrackedResult.values.toString());
-      const trackedResult = mockSqlTemplateStrings.SQL([trackedContext, 'foo', trackedValue, 'bar', trackedValue].join('-'));
-      const trackedStrInfoStrings = tracker.getData(trackedResult.strings.toString());
-      const trackedStrInfoValues = tracker.getData(trackedResult.values.toString());
-      expect(notTrackedStrInfoStrings).to.be.null;
-      expect(notTrackedStrInfoValues).to.be.null;
-      expect(trackedStrInfoStrings?.tags).to.deep.equal({
-        [UNTRUSTED]: [0, 13],
-        [SQL_ENCODED]: [0, 19],
-      }); // the string is 'tracked-context-foo-,-bar-'
-      expect(trackedStrInfoValues?.tags).to.deep.equal({
-        [UNTRUSTED]: [9, 13, 24, 28],
-        [SQL_ENCODED]: [0, 13, 15, 28]
-      }); // the string is 'inserted-value,inserted-value'
-    });
-  });
-  it('will not propagate if there is no assess policy in request context', function () {
-    simulateRequestScope(function () {
-      const value = trackString('foo');
-      const result = mockSqlTemplateStrings.SQL(['foo', value].join());
-      expect(tracker.getData(result.strings.toString())).to.be.null;
-    }, { assess: { policy: null } });
-  });
-  it('will not propagate if there instrumentation is locked', function () {
-    simulateRequestScope(function () {
-      core.scopes.instrumentation.run({ lock: true }, function () {
-        const value = trackString('foo');
-        const result = mockSqlTemplateStrings.SQL(['foo', value].join());
-        expect(tracker.getData(result.strings.toString())).to.be.null;
-      });
-    });
-  });
-});

package/lib/dataflow/propagation/install/string/concat.test.js DELETED Viewed

@@ -1,145 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation string concat', function () {
-  let core, trackString, simulateRequestScope, tracker;
-  const allPatcher = new Map();
-  beforeEach(function () {
-    ({
-      core,
-      simulateRequestScope,
-      trackString
-    } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.stringInstrumentation.concat.install();
-  });
-  afterEach(function () {
-    core.assess.dataflow.propagation.stringInstrumentation.concat.uninstall();
-    sinon.resetHistory();
-  });
-  // eslint-disable-next-line mocha/no-sibling-hooks
-  afterEach(function() {
-    core.Perf.fromAllToMap('patcher', allPatcher);
-  });
-  after(function() {
-    const stats = core.Perf.getStats(allPatcher);
-    for (const [key, { n, totalMicros, mean }] of stats.entries()) {
-      console.log(key, n, totalMicros, 'nsec', mean, 'mean');
-    }
-  });
-  [
-    {
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      args: [() => 'bar', () => 'baz'],
-      expected: {
-        untrusted: [0, 2]
-      }
-    },
-    {
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      args: [
-        () => trackString('bar', { tags: { untrusted: [0, 2] } }),
-        () => trackString('baz', { tags: { untrusted: [0, 2] } }),
-      ],
-      expected: {
-        untrusted: [0, 8]
-      }
-    },
-    {
-      str: 'boo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      args: [
-        () => trackString('bar', { tags: { untrusted: [0, 2] } }),
-        () => null,
-        () => undefined,
-        () => trackString('baz', { tags: { untrusted: [0, 2] } }),
-      ],
-      expected: {
-        untrusted: [0, 5, 19, 21]
-      }
-    },
-    {
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      args: [
-        () => trackString('bar', { other: 'metadata', tags: undefined }),
-        () => trackString('baz', { tags: { untrusted: [0, 2] } }),
-      ],
-      expected: {
-        untrusted: [0, 2, 6, 8]
-      }
-    },
-    {
-      str: 'not-tracked',
-      args: [
-        () => trackString('bar', { tags: { untrusted: [0, 2] } }),
-        () => trackString('baz', { tags: { untrusted: [0, 2] } }),
-      ],
-      expected: {
-        untrusted: [11, 16]
-      }
-    },
-  ].forEach(({ str, tags, args, expected = null }) => {
-    it('concat', function () {
-      simulateRequestScope(function () {
-        let result;
-        const value = str !== 'not-tracked' ? trackString(str, { tags }) : str;
-        if (str !== 'boo') {
-          result = value.concat(...args.map((a) => a()));
-        } else {
-          result = value.concat.bind('', value, ...args.map((a) => a()))();
-        }
-        const strInfo = tracker.getData(result);
-        expect(strInfo?.tags).to.deep.equal(expected);
-      });
-    });
-  });
-  it('will nto "retrack" if result is unchanged', function () {
-    simulateRequestScope(function () {
-      const value = trackString('foo');
-      const result = value.concat('');
-      expect(tracker.getData(value)).to.equal(tracker.getData(result));
-    });
-  });
-  it('will not propagate if there is no assess policy in request context', function () {
-    simulateRequestScope(function () {
-      const value = trackString('foo');
-      const result = value.concat('bar');
-      expect(tracker.getData(result)).to.be.null;
-    }, { assess: { policy: null } });
-  });
-  it('will not propagate if there instrumentation is locked', function () {
-    simulateRequestScope(function () {
-      core.scopes.instrumentation.run({ lock: true }, function () {
-        const value = trackString('foo');
-        const result = value.concat('bar');
-        expect(tracker.getData(result)).to.be.null;
-      });
-    });
-  });
-});

package/lib/dataflow/propagation/install/string/format-methods.test.js DELETED Viewed

@@ -1,74 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation string format-methods', function () {
-  let core, trackString, simulateRequestScope, tracker;
-  const allPatcher = new Map();
-  beforeEach(function () {
-    ({
-      core,
-      simulateRequestScope,
-      trackString
-    } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.stringInstrumentation.formatMethods.install();
-  });
-  afterEach(function () {
-    core.assess.dataflow.propagation.stringInstrumentation.formatMethods.uninstall();
-    sinon.resetHistory();
-  });
-  // eslint-disable-next-line mocha/no-sibling-hooks
-  afterEach(function() {
-    core.Perf.fromAllToMap('patcher', allPatcher);
-  });
-  after(function() {
-    const stats = core.Perf.getStats(allPatcher);
-    for (const [key, { n, totalMicros, mean }] of stats.entries()) {
-      console.log(key, n, totalMicros, 'nsec', mean, 'mean');
-    }
-  });
-  ['toLowerCase', 'toUpperCase', 'toLocaleLowerCase', 'toLocaleUpperCase'].forEach((method) => {
-    it(method, function () {
-      simulateRequestScope(function () {
-        const notTrackedValue = 'foo';
-        const trackedValue = trackString('foo', { tags: { untrusted: [0, 2] } });
-        const notTrackedResult = notTrackedValue[method]();
-        const notTrackedStrInfo = tracker.getData(notTrackedResult);
-        const trackedResult = trackedValue[method]();
-        const trackedStrInfo = tracker.getData(trackedResult);
-        expect(notTrackedStrInfo).to.be.null;
-        expect(trackedStrInfo?.tags).to.deep.equal({ untrusted: [0, 2] });
-      });
-    });
-  });
-  it('will not propagate if there is no assess policy in request context', function () {
-    simulateRequestScope(function () {
-      const value = trackString('foo');
-      const result = value.toLowerCase('bar');
-      expect(tracker.getData(result)).to.be.null;
-    }, { assess: { policy: null } });
-  });
-  it('will not propagate if there instrumentation is locked', function () {
-    simulateRequestScope(function () {
-      core.scopes.instrumentation.run({ lock: true }, function () {
-        const value = trackString('foo');
-        const result = value.toLowerCase('bar');
-        expect(tracker.getData(result)).to.be.null;
-      });
-    });
-  });
-});

package/lib/dataflow/propagation/install/string/html-methods.test.js DELETED Viewed

@@ -1,177 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation string html-methods', function () {
-  let core, trackString, simulateRequestScope, tracker;
-  const allPatcher = new Map();
-  beforeEach(function () {
-    ({
-      core,
-      simulateRequestScope,
-      trackString
-    } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    core.assess.dataflow.propagation.stringInstrumentation.htmlMethods.install();
-  });
-  afterEach(function () {
-    core.assess.dataflow.propagation.stringInstrumentation.htmlMethods.uninstall();
-    sinon.resetHistory();
-  });
-  // eslint-disable-next-line mocha/no-sibling-hooks
-  afterEach(function() {
-    core.Perf.fromAllToMap('patcher', allPatcher);
-  });
-  after(function() {
-    const stats = core.Perf.getStats(allPatcher);
-    for (const [key, { n, totalMicros, mean }] of stats.entries()) {
-      console.log(key, n, totalMicros, 'nsec', mean, 'mean');
-    }
-  });
-  [
-    {
-      method: 'anchor',
-      str: 'foo',
-      args: [() => undefined, () => 'id', () => trackString('tracked-id', { tags: { untrusted: [0, 9] } })],
-      tags: {
-        untrusted: [0, 2]
-      },
-      expected: [{ untrusted: [20, 22] }, { untrusted: [13, 15] }, { untrusted: [9, 18, 21, 23] }],
-    },
-    {
-      method: 'anchor',
-      str: 'not-tracked',
-      args: [() => 'id', () => trackString('tracked-id', { tags: { untrusted: [0, 9] } })],
-      expected: [undefined, { untrusted: [9, 18] }]
-    },
-    {
-      method: 'big',
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      expected: { untrusted: [5, 7] }
-    },
-    {
-      method: 'big',
-      str: 'not-tracked',
-    },
-    {
-      method: 'blink',
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      expected: { untrusted: [7, 9] }
-    },
-    {
-      method: 'blink',
-      str: 'not-tracked',
-    },
-    {
-      method: 'italics',
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      expected: { untrusted: [3, 5] }
-    },
-    {
-      method: 'italics',
-      str: 'not-tracked',
-    },
-    {
-      method: 'small',
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      expected: { untrusted: [7, 9] }
-    },
-    {
-      method: 'small',
-      str: 'not-tracked',
-    },
-    {
-      method: 'strike',
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      expected: { untrusted: [8, 10] }
-    },
-    {
-      method: 'strike',
-      str: 'not-tracked',
-    },
-    {
-      method: 'sub',
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      expected: { untrusted: [5, 7] }
-    },
-    {
-      method: 'sub',
-      str: 'not-tracked',
-    },
-    {
-      method: 'fixed',
-      str: 'foo',
-      tags: {
-        untrusted: [0, 2]
-      },
-      expected: { untrusted: [4, 6] }
-    },
-    {
-      method: 'fixed',
-      str: 'not-tracked',
-    },
-  ].forEach(({ str, tags, args, method, expected }) => {
-    it(method, function () {
-      simulateRequestScope(function () {
-        const value = str !== 'not-tracked' ? trackString(str, { tags }) : str;
-        if (args?.length) {
-          for (let i = 0; i < args.length; i++) {
-            const result = value[method](args[i]());
-            const strInfo = tracker.getData(result);
-            expect(strInfo?.tags).to.deep.equal(expected[i]);
-          }
-        } else {
-          const result = value[method]();
-          const strInfo = tracker.getData(result);
-          expect(strInfo?.tags).to.deep.equal(expected);
-        }
-      });
-    });
-  });
-  it('will not propagate if there is no assess policy in request context', function () {
-    simulateRequestScope(function () {
-      const value = trackString('foo');
-      const result = value.anchor('bar');
-      expect(tracker.getData(result)).to.be.null;
-    }, { assess: { policy: null } });
-  });
-  it('will not propagate if there instrumentation is locked', function () {
-    simulateRequestScope(function () {
-      core.scopes.instrumentation.run({ lock: true }, function () {
-        const value = trackString('foo');
-        const result = value.anchor('bar');
-        expect(tracker.getData(result)).to.be.null;
-      });
-    });
-  });
-});