npm - @contrast/assess - Versions diffs - 1.46.1 → 1.46.3 - Mend

@contrast/assess 1.46.1 → 1.46.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/lib/dataflow/propagation/install/path/join-and-resolve.test.js DELETED Viewed

@@ -1,485 +0,0 @@
-'use strict';
-const { DataflowTag: { UNTRUSTED, CUSTOM_ENCODED } } = require('@contrast/common');
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation path', function () {
-  let core, tracker, createPropagationEvent, trackString, simulateRequestScope;
-  beforeEach(function () {
-    ({
-      core,
-      simulateRequestScope,
-      trackString
-    } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    createPropagationEvent = sinon.spy(core.assess.eventFactory, 'createPropagationEvent');
-  });
-  ['posix', 'win32'].forEach((os) => {
-    describe(os, function () {
-      let path;
-      beforeEach(function () {
-        path = require('path')[os];
-        core.depHooks.resolve.yields(path);
-        const joinAndResolveInstr = require('./join-and-resolve')(core);
-        joinAndResolveInstr.install();
-      });
-      ['join', 'resolve'].forEach((method) => {
-        describe(`${method} common checks`, function () {
-          it('should ignore empty strings', function () {
-            simulateRequestScope(function () {
-              const emptyStr = trackString('');
-              const result1 = path[method](...[emptyStr, emptyStr, emptyStr]);
-              const result2 = path[method]();
-              expect(tracker.getData(result1)).to.be.null;
-              expect(tracker.getData(result2)).to.be.null;
-            });
-          });
-          it('will not propagate if there is no assess policy in request context', function () {
-            simulateRequestScope(function () {
-              const seg1 = trackString('/path');
-              const seg2 = trackString('/to');
-              const seg3 = trackString('/file');
-              const result = path[method](seg1, seg2, seg3);
-              expect(tracker.getData(result)).to.be.null;
-            }, { assess: { policy: null } });
-          });
-          it('will not propagate if there instrumentation is locked', function () {
-            simulateRequestScope(function () {
-              core.scopes.instrumentation.run({ lock: true }, function () {
-                const seg1 = trackString('/path');
-                const seg2 = trackString('/to');
-                const seg3 = trackString('/file');
-                const result = path[method](seg1, seg2, seg3);
-                expect(tracker.getData(result)).to.be.null;
-              });
-            });
-          });
-          it('will not propagate if the argument is not tracked', function () {
-            simulateRequestScope(function () {
-              const seg1 = '/path';
-              const seg2 = '/to';
-              const seg3 = '/file';
-              path[method](seg1, seg2, seg3);
-              expect(createPropagationEvent).to.not.have.been.called;
-            });
-          });
-          it('will not propagate if there no event created', function () {
-            simulateRequestScope(function () {
-              core.config.assess.max_propagation_events = 0;
-              const seg1 = trackString('/path');
-              const seg2 = trackString('/to');
-              const seg3 = trackString('/file');
-              const result = path[method](seg1, seg2, seg3);
-              expect(tracker.getData(result)).to.be.null;
-            });
-          });
-          it('should contain 2 parent events on result when there are 2 args to function that had tag ranges', function () {
-            simulateRequestScope(function () {
-              const seg1 = trackString('/root');
-              const seg2 = trackString('path/to/file');
-              const result = path[method](seg1, seg2);
-              const strInfo = tracker.getData(result);
-              expect(strInfo.history).to.have.lengthOf(2);
-            });
-          });
-          [
-            {
-              name: 'should move tags when 2 diff args have partially tracked segments',
-              args: [
-                () => trackString('/path/to/the/file', {
-                  tags: {
-                    [UNTRUSTED]: [1, 4]
-                  }
-                }),
-                () => trackString('path/to/new/file', {
-                  tags: {
-                    [CUSTOM_ENCODED]: [5, 10]
-                  }
-                })
-              ],
-              expectedWin32: {
-                [UNTRUSTED]: [1, 4],
-                [CUSTOM_ENCODED]: [23, 24, 26, 28]
-              },
-              expectedPosix: {
-                [UNTRUSTED]: [1, 4],
-                [CUSTOM_ENCODED]: [23, 28]
-              }
-            },
-            {
-              name: 'should properly move tags when there is bunch of `../` ',
-              args: [
-                () => trackString('/path-a/path-b', {
-                  tags: {
-                    [UNTRUSTED]: [2, 9]
-                  }
-                }),
-                () => trackString('../../../../file.txt', {
-                  tags: {
-                    [CUSTOM_ENCODED]: [12, 19]
-                  }
-                })
-              ],
-              expectedWin32: {
-                [UNTRUSTED]: [1, 4],
-                [CUSTOM_ENCODED]: [23, 24, 26, 28]
-              },
-              expectedPosix: {
-                [UNTRUSTED]: [1, 4],
-                [CUSTOM_ENCODED]: [23, 28]
-              },
-              expected: {
-                [CUSTOM_ENCODED]: [1, 4, 6, 8]
-              }
-            },
-            {
-              name: 'should properly move tags when segments have duplicate names',
-              args: [
-                () => trackString('/path/path', {
-                  tags: {
-                    [UNTRUSTED]: [2, 7]
-                  }
-                }),
-                () => trackString('path/path', {
-                  tags: {
-                    [CUSTOM_ENCODED]: [1, 6]
-                  }
-                })
-              ],
-              expectedWin32: {
-                [UNTRUSTED]: [2, 4, 6, 7],
-                [CUSTOM_ENCODED]: [12, 14, 16, 17]
-              },
-              expectedPosix: {
-                [UNTRUSTED]: [2, 7],
-                [CUSTOM_ENCODED]: [12, 17]
-              }
-            },
-            {
-              name: 'should properly move tags when there is `./` in the middle of the path',
-              args: [
-                () => trackString('/path/a/bb', {
-                  tags: {
-                    [UNTRUSTED]: [2, 8]
-                  }
-                }),
-                () => trackString('some/./ccc/dddd', {
-                  tags: {
-                    [CUSTOM_ENCODED]: [3, 12]
-                  }
-                })
-              ],
-              expectedPosix: {
-                [UNTRUSTED]: [2, 8],
-                [CUSTOM_ENCODED]: [14, 21]
-              },
-              expectedWin32: {
-                [UNTRUSTED]: [2, 4, 6, 6, 8, 8],
-                [CUSTOM_ENCODED]: [14, 14, 16, 18, 20, 21]
-              }
-            },
-            {
-              name: 'should properly move tags when there is a folder back',
-              args: [
-                () => trackString('/path/a/bb', {
-                  tags: {
-                    [UNTRUSTED]: [2, 8]
-                  }
-                }),
-                () => trackString('some/../ccc/dddd', {
-                  tags: {
-                    [CUSTOM_ENCODED]: [3, 12]
-                  }
-                })
-              ],
-              expectedPosix: {
-                [UNTRUSTED]: [2, 8],
-                [CUSTOM_ENCODED]: [10, 15]
-              },
-              expectedWin32: {
-                [UNTRUSTED]: [2, 4, 6, 6, 8, 8],
-                [CUSTOM_ENCODED]: [11, 13, 15, 15]
-              }
-            },
-            {
-              name: 'should properly move tags if `.` and `..` were tracked',
-              args: [
-                () => trackString('/path/to/the/../file/gone/..', {
-                  tags: {
-                    [UNTRUSTED]: [9, 18]
-                  }
-                }),
-                () => trackString('path/./////to/the/new/file', {
-                  tags: {
-                    [CUSTOM_ENCODED]: [0, 15]
-                  }
-                })
-              ],
-              expectedPosix: {
-                [UNTRUSTED]: [8, 11],
-                [CUSTOM_ENCODED]: [14, 23]
-              },
-              expectedWin32: {
-                [UNTRUSTED]: [9, 11],
-                [CUSTOM_ENCODED]: [14, 17, 19, 20, 22, 23]
-              }
-            },
-            {
-              name: 'should not track path if tracked part is removed because of a ..',
-              args: [
-                () => 'path/to/',
-                () => trackString('file.txt'),
-                () => '..'
-              ],
-              expectedPosix: undefined,
-              expectedWin32: undefined
-            },
-            {
-              name: 'should properly track segments that contain 0 length strings and ./',
-              args: [
-                () => trackString('/path'),
-                () => trackString(''),
-                () => trackString('./foo'),
-                () => trackString('bar.txt')
-              ],
-              expectedPosix: {
-                [UNTRUSTED]: [0, 8, 10, 12, 14, 16],
-              },
-              expectedWin32: {
-                [UNTRUSTED]: [1, 4, 6, 8, 10, 12, 14, 16],
-              }
-            },
-          ].forEach(({ name, args, expected, expectedWin32, expectedPosix }) => {
-            it(name, function () {
-              simulateRequestScope(function () {
-                const result = path[method](...args.map(a => a()));
-                const strInfo = tracker.getData(result);
-                if (os === 'win32') {
-                  if (method === 'resolve' && process.platform === 'win32') {
-                    // resolve will prepend C:\ or some other drive letter
-                    // in front of the root dir so we need to modify
-                    // the expected tags
-                    const expectedTags = expected || expectedWin32;
-                    expectedTags && Object.keys(expectedTags).forEach((key) => {
-                      expectedTags[key] = expectedTags[key].map(r => r + 2);
-                    });
-                    expect(strInfo?.tags).to.eql(expectedTags);
-                  } else {
-                    expect(strInfo?.tags).to.eql(expected || expectedWin32);
-                  }
-                } else {
-                  expect(strInfo?.tags).to.eql(expected || expectedPosix);
-                }
-              });
-            });
-          });
-        });
-        it('throw error if part of join is not a string', function () {
-          simulateRequestScope(function () {
-            const segment = trackString('/path/to/the');
-            expect(() => {
-              path[method](segment, ['test'], {}, '/file');
-            }).to.throw;
-          });
-        });
-        if (os === 'posix') {
-          it('should properly propagate mis-matched path separator segments', function () {
-            simulateRequestScope(function () {
-              const segment = trackString(
-                'path/to/..\\invalid\\separator/file.txt'
-              );
-              const result = path[method]('/root', segment, 'end');
-              const strInfo = tracker.getData(result);
-              expect(strInfo?.tags).to.eql({
-                [UNTRUSTED]: [6, 42]
-              });
-            });
-          });
-        }
-      });
-      describe('join specific', function () {
-        it('tracks properly case with two relative paths', function () {
-          simulateRequestScope(function () {
-            const path1 = trackString('../foo/to/dir', {
-              tags: {
-                [UNTRUSTED]: [0, 5]
-              }
-            });
-            const path2 = trackString('../path/to/bar', {
-              tags: {
-                [UNTRUSTED]: [0, 2, 11, 13]
-              }
-            });
-            const result = path.join(path1, path2);
-            const strInfo = tracker.getData(result);
-            if (os === 'win32') {
-              expect(strInfo?.tags).to.eql({
-                [UNTRUSTED]: [0, 1, 3, 5, 18, 20]
-              });
-            } else {
-              expect(strInfo?.tags).to.eql({
-                [UNTRUSTED]: [0, 5, 9, 9, 18, 20]
-              });
-            }
-          });
-        });
-      });
-      describe('resolve specific', function () {
-        it('should properly move tags in case of non-absolute paths', function () {
-          simulateRequestScope(function () {
-            const workingDir = process.cwd();
-            const tagStart = 0;
-            const tagStop = 3;
-            const seg1 = trackString('my-folder', {
-              tags: {
-                [UNTRUSTED]: [tagStart, tagStop]
-              }
-            });
-            const seg2 = trackString('path/to/other/stuff.txt', {
-              tags: {
-                [UNTRUSTED]: [tagStart, tagStop]
-              }
-            });
-            const result = path.resolve(seg1, seg2);
-            const seg2Offset = workingDir.length + 1 + seg1.length + 1;
-            const strInfo = tracker.getData(result);
-            // Sample result for posix in GitHub windows test:
-            // '/a/node-mono/node-mono/my-folder/path/to/other/stuff.txt'
-            // Workdir is: 'D:\\a\\node-mono\\node-mono'
-            const offsetOnWindows = process.platform === 'win32' && os === 'posix' ? -2 : 0;
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [
-                workingDir.length + 1 + tagStart,
-                workingDir.length + 1 + tagStop,
-                seg2Offset + tagStart,
-                seg2Offset + tagStop,
-              ].map(i => i + offsetOnWindows)
-            });
-          });
-        });
-        it('should handle adjusting ranges when multiple args', function () {
-          simulateRequestScope(function () {
-            const prefix = './path/to/something';
-            const suffixes = ['/usr', 'usr', '/root', 'file.txt'].map((s) =>
-              trackString(s)
-            );
-            const result = path.resolve(prefix, ...suffixes);
-            const strInfo = tracker.getData(result);
-            if (os === 'win32') {
-              if (process.platform === 'win32') {
-                // C:\\root\\file.txt
-                expect(strInfo.tags).to.deep.equal({
-                  [UNTRUSTED]: [3, 6, 8, 11, 13, 15]
-                });
-              } else {
-                // \\root\\file.txt
-                expect(strInfo.tags).to.deep.equal({
-                  [UNTRUSTED]: [1, 4, 6, 9, 11, 13]
-                });
-              }
-            } else {
-              expect(strInfo.tags).to.deep.equal({
-                [UNTRUSTED]: [0, 4, 6, 9, 11, 13]
-              });
-            }
-          });
-        });
-        it('should handle adjusting ranges when fully overwritten', function () {
-          simulateRequestScope(function () {
-            const prefix = '/path/to/something';
-            const suffix = trackString('./../../../../etc/shadow.txt');
-            const result = path.resolve(prefix, suffix);
-            const strInfo = tracker.getData(result);
-            if (os === 'win32') {
-              if (process.platform === 'win32') {
-                // C:\\etc\\shadow.txt
-                expect(strInfo.tags).to.deep.equal({
-                  [UNTRUSTED]: [3, 5, 7, 12, 14, 16]
-                });
-              } else {
-                // \\etc\\shadow.txt
-                expect(strInfo.tags).to.deep.equal({
-                  [UNTRUSTED]: [1, 3, 5, 10, 12, 14]
-                });
-              }
-            } else {
-              expect(strInfo.tags).to.deep.equal({
-                [UNTRUSTED]: [0, 10, 12, 14]
-              });
-            }
-          });
-        });
-        if (os === 'win32') {
-          it('should handle adjusting ranges on windows absolute paths', function () {
-            simulateRequestScope(function () {
-              const prefix = 'C:\\WINDOWS/system32';
-              const suffix = trackString('win.ini');
-              const result = path.resolve(prefix, suffix);
-              const strInfo = tracker.getData(result);
-              expect(strInfo.tags).to.deep.equal({
-                [UNTRUSTED]: [20, 22, 24, 26]
-              });
-            });
-          });
-          it('should handle paths with unicode chars and spaces', function () {
-            simulateRequestScope(function () {
-              const prefix = 'C:\\WINDOWS\\Users\\Ивайло';
-              const suffix = trackString('Моите Документи');
-              const result = path.resolve(prefix, suffix);
-              const strInfo = tracker.getData(result);
-              expect(strInfo.tags).to.deep.equal({
-                [UNTRUSTED]: [24, 38]
-              });
-            });
-          });
-        }
-      });
-    });
-  });
-});

package/lib/dataflow/propagation/install/path/normalize.test.js DELETED Viewed

@@ -1,176 +0,0 @@
-'use strict';
-const {
-  DataflowTag: { UNTRUSTED, STRING_TYPE_CHECKED, CUSTOM_ENCODED },
-} = require('@contrast/common');
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow propagation path normalize', function () {
-  let core, tracker, createPropagationEvent, trackString, simulateRequestScope;
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    createPropagationEvent = sinon.spy(
-      core.assess.eventFactory,
-      'createPropagationEvent'
-    );
-  });
-  ['posix', 'win32'].forEach((os) => {
-    describe(os, function () {
-      let path;
-      beforeEach(function () {
-        path = require('path')[os];
-        core.depHooks.resolve.yields(path);
-        const normalizeInstr = require('./normalize')(core);
-        normalizeInstr.install();
-      });
-      it('should ignore empty string', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('');
-          const file = path.normalize(myPath);
-          const strInfo = tracker.getData(file);
-          expect(strInfo).to.be.null;
-        });
-      });
-      it('will not propagate if there is no assess policy in request context', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/path');
-          const result = path.normalize(myPath);
-          expect(tracker.getData(result)).to.be.null;
-        }, { assess: { policy: null } });
-      });
-      it('will not propagate if there instrumentation is locked', function () {
-        simulateRequestScope(function () {
-          core.scopes.instrumentation.run({ lock: true }, function () {
-            const myPath = trackString('/path');
-            const result = path.normalize(myPath);
-            expect(tracker.getData(result)).to.be.null;
-          });
-        });
-      });
-      it('will not propagate if the argument is not tracked', function () {
-        simulateRequestScope(function () {
-          const myPath = '/path';
-          path.normalize(myPath);
-          expect(createPropagationEvent).to.not.have.been.called;
-        });
-      });
-      it('will not propagate if there no event created', function () {
-        simulateRequestScope(function () {
-          core.config.assess.max_propagation_events = 0;
-          const myPath = trackString('/path');
-          const result = path.normalize(myPath);
-          expect(tracker.getData(result)).to.be.null;
-        });
-      });
-      it('Support test/edge case (ported from v4)', function () {
-        simulateRequestScope(function () {
-          const extern = trackString('.//public/../private/private.txt');
-          const result = path.normalize(extern);
-          const strInfo = tracker.getData(result);
-          if (os === 'win32') {
-            // win32 transforms the '/' to '\' so we should untrack it
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [0, 6, 8, 14, 16, 18],
-            });
-          } else {
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [0, 14, 16, 18],
-            });
-          }
-        });
-      });
-      it('should track entire path if entire string was tracked before normalizing', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/path/./to/replaced/../dir/./file.txt');
-          const normPath = path.normalize(myPath);
-          const strInfo = tracker.getData(normPath);
-          if (os === 'win32') {
-            // Transformation from / to \ separators which are untracked
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [1, 4, 6, 7, 9, 11, 13, 16, 18, 20],
-            });
-          } else {
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [0, 16, 18, 20],
-            });
-          }
-        });
-      });
-      it('should track parts of a path', function () {
-        simulateRequestScope(function () {
-          const myPath = trackString('/path/to/the/file/../bogus/..', {
-            tags: {
-              [UNTRUSTED]: [1, 4, 13, 16],
-              [CUSTOM_ENCODED]: [3, 20],
-              [STRING_TYPE_CHECKED]: [10, 12],
-            },
-          });
-          const normPath = path.normalize(myPath);
-          const strInfo = tracker.getData(normPath);
-          if (os === 'win32') {
-            // Transformation from / to \ separators which are untracked
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [1, 4],
-              [CUSTOM_ENCODED]: [3, 4, 6, 7, 9, 11],
-              [STRING_TYPE_CHECKED]: [10, 11],
-            });
-          } else {
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [1, 4],
-              [CUSTOM_ENCODED]: [3, 11],
-              [STRING_TYPE_CHECKED]: [10, 11],
-            });
-          }
-        });
-      });
-      if (os === 'win32') {
-        it('should track parts of windows absolute path', function () {
-          simulateRequestScope(function () {
-            const myPath = trackString('C:\\path\\..\\unexpected.txt', {
-              tags: {
-                [UNTRUSTED]: [7, 24],
-              },
-            });
-            const normPath = path.normalize(myPath);
-            const strInfo = tracker.getData(normPath);
-            expect(strInfo.tags).to.deep.equal({
-              [UNTRUSTED]: [2, 12, 14, 16],
-            });
-          });
-        });
-      }
-    });
-  });
-});