npm - @contrast/assess - Versions diffs - 1.46.1 → 1.46.3 - Mend

@contrast/assess 1.46.1 → 1.46.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/lib/dataflow/sinks/install/child-process.test.js DELETED Viewed

@@ -1,338 +0,0 @@
-'use strict';
-const {
-  DataflowTag: { UNTRUSTED }
-} = require('@contrast/common');
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const { primordials: { UtilInspect } } = require('@contrast/common');
-describe('assess dataflow sinks child_process', function () {
-  let core, child_process, simulateRequestScope, trackString, tracker, reportFindings;
-  beforeEach(function () {
-    child_process = {
-      exec() { },
-      execSync() { },
-      spawn() { },
-      spawnSync() { },
-      execFile() { },
-      execFileSync() { }
-    };
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    const origCreateSinkEvent = core.assess.eventFactory.createSinkEvent;
-    core.assess.eventFactory.createSinkEvent = function (data) {
-      if (data.tags['do-not-create-an-event']) {
-        return null;
-      }
-      return origCreateSinkEvent(data);
-    };
-    core.depHooks.resolve.yields(child_process);
-    require('./child-process')(core).install();
-  });
-  ['execFile', 'execFileSync', 'execSync', 'spawn', 'spawnSync'].forEach((method) => {
-    describe(`skips instrumentation in faulty cases for child_process.${method}()`, function () {
-      it('skips instrumentation if assess store is missing', function () {
-        child_process[method]('test &whoami');
-        expect(reportFindings).not.to.have.been.called;
-      });
-      it('skips instrumentation if a command value is not provided ', function () {
-        simulateRequestScope(function () {
-          child_process[method]();
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-      it('skips instrumentation if the command value is not a string', function () {
-        simulateRequestScope(function () {
-          child_process[method]({});
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-    });
-  });
-  ['spawn', 'spawnSync'].forEach((method) => {
-    describe(`instrumentation specific for child_process.${method}`, function () {
-      it('skips instrumentation if neither the command nor the args are tracked', function () {
-        simulateRequestScope(function () {
-          child_process[method]('test', ['whoami'], { shell: true });
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-      it('skips instrumentation if only the args are tracked and shell option is set to false', function () {
-        simulateRequestScope(function () {
-          const str = trackString('whoami', {
-            tags: {
-              [UNTRUSTED]: [0, 11],
-            },
-          });
-          const { extern } = tracker.getData(str);
-          child_process[method]('test', [extern], { shell: false });
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-      it('reports an cmd-injection from the command argument', function () {
-        simulateRequestScope(function () {
-          const value = 'test &whoami';
-          const extern = trackString(value, {
-            tags: {
-              [UNTRUSTED]: [0, 11],
-            },
-          });
-          child_process[method](extern);
-          child_process[method](extern, ['untracked-arg']);
-          child_process[method](extern, ['untracked-arg'], { shell: true });
-          expect(reportFindings).to.have.been.calledThrice;
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'cmd-injection',
-            sinkEvent: {
-              name: `child_process.${method}`,
-              moduleName: 'child_process',
-              methodName: method,
-              context: `child_process.${method}('${extern}')`,
-              object: {
-                value: 'child_process',
-                tracked: false,
-              },
-              args: [{ value, tracked: true }],
-              tags: { [UNTRUSTED]: [0, 11] },
-              source: 'P0',
-            },
-          });
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'cmd-injection',
-            sinkEvent: {
-              name: `child_process.${method}`,
-              moduleName: 'child_process',
-              methodName: method,
-              context: `child_process.${method}('${extern}', [ 'untracked-arg' ])`,
-              object: {
-                value: 'child_process',
-                tracked: false,
-              },
-              args: [
-                { value, tracked: true },
-                { value: UtilInspect(['untracked-arg']), tracked: false }
-              ],
-              tags: { [UNTRUSTED]: [0, 11] },
-              source: 'P0',
-            },
-          });
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'cmd-injection',
-            sinkEvent: {
-              name: `child_process.${method}`,
-              moduleName: 'child_process',
-              methodName: method,
-              context: `child_process.${method}('${extern}', [ 'untracked-arg' ], { shell: true })`,
-              object: {
-                value: 'child_process',
-                tracked: false,
-              },
-              args: [
-                { value, tracked: true },
-                { value: UtilInspect(['untracked-arg']), tracked: false },
-                { value: UtilInspect({ shell: true }), tracked: false }
-              ],
-              tags: { [UNTRUSTED]: [0, 11] },
-              source: 'P0',
-            },
-          });
-        });
-      });
-      it('reports an cmd-injection from the args for the command with the shell option set to true', function () {
-        simulateRequestScope(function () {
-          const value = '; whoami';
-          const extern = trackString(value, {
-            tags: {
-              [UNTRUSTED]: [0, 7],
-            },
-          });
-          child_process[method]('test', [extern], { shell: true });
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'cmd-injection',
-            sinkEvent: {
-              name: `child_process.${method}`,
-              moduleName: 'child_process',
-              methodName: method,
-              context: `child_process.${method}('test', [ '${extern}' ], { shell: true })`,
-              object: {
-                value: 'child_process',
-                tracked: false,
-              },
-              args: [
-                { value: 'test', tracked: false },
-                { value: UtilInspect([value]), tracked: true },
-                { value: UtilInspect({ shell: true }), tracked: false },
-              ],
-              tags: { [UNTRUSTED]: [0, 7] },
-              source: 'P1',
-            },
-          });
-        });
-      });
-      it('reports an cmd-injection from the args for the command with the shell option set to true even with an error in the first event creation', function () {
-        simulateRequestScope(function () {
-          const cmd = trackString('test', {
-            tags: {
-              [UNTRUSTED]: [0, 3],
-              'do-not-create-an-event': [0, 3],
-            },
-          });
-          const value = '; whoami';
-          const extern = trackString(value, {
-            tags: {
-              [UNTRUSTED]: [0, 7],
-            },
-          });
-          child_process[method](cmd, [extern], { shell: true });
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'cmd-injection',
-            sinkEvent: {
-              name: `child_process.${method}`,
-              object: {
-                value: 'child_process',
-                tracked: false,
-              },
-              args: [
-                { value: 'test', tracked: true },
-                { value: UtilInspect([value]), tracked: true },
-                { value: UtilInspect({ shell: true }), tracked: false },
-              ],
-              tags: { [UNTRUSTED]: [0, 7] },
-              source: 'P1',
-            },
-          });
-        });
-      });
-    });
-  });
-  ['exec', 'execSync'].forEach((method) => {
-    describe(`instrumentation specific for child_process.${method}`, function () {
-      it('reports an cmd-injection from the command argument', function () {
-        simulateRequestScope(function() {
-          const value = 'test &whoami';
-          const extern = trackString(value, {
-            tags: {
-              [UNTRUSTED]: [0, 11],
-            },
-          });
-          child_process[method](extern);
-          child_process[method](extern, ['untracked-arg']);
-          child_process[method](extern, ['untracked-arg'], { shell: true });
-          expect(reportFindings).to.have.been.calledThrice;
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'cmd-injection',
-            sinkEvent: {
-              name: `child_process.${method}`,
-              object: {
-                value: 'child_process',
-                tracked: false,
-              },
-              args: [{ value, tracked: true }],
-              tags: { [UNTRUSTED]: [0, 11] },
-              source: 'P0',
-            },
-          });
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'cmd-injection',
-            sinkEvent: {
-              name: `child_process.${method}`,
-              object: {
-                value: 'child_process',
-                tracked: false,
-              },
-              args: [
-                { value, tracked: true },
-                { value: UtilInspect(['untracked-arg']), tracked: false }
-              ],
-              tags: { [UNTRUSTED]: [0, 11] },
-              source: 'P0',
-            },
-          });
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'cmd-injection',
-            sinkEvent: {
-              name: `child_process.${method}`,
-              object: {
-                value: 'child_process',
-                tracked: false,
-              },
-              args: [
-                { value, tracked: true },
-                { value: UtilInspect(['untracked-arg']), tracked: false },
-                { value: UtilInspect({ shell: true }), tracked: false }
-              ],
-              tags: { [UNTRUSTED]: [0, 11] },
-              source: 'P0',
-            },
-          });
-        });
-      });
-    });
-  });
-  ['execFile', 'execFileSync'].forEach((method) => {
-    describe(`instrumentation specific for child_process.${method}`, function () {
-      it('does not report if the second argument is not an Array, or is an empty Array', function () {
-        simulateRequestScope(function () {
-          child_process[method]('test', { shell: true });
-          child_process[method]('test', [], { shell: true });
-          child_process[method]('test', 'test', { shell: true });
-          expect(reportFindings).to.not.have.been.called;
-        });
-      });
-      it('reports an cmd-injection from the args for the command with the shell option set to true', function () {
-        simulateRequestScope(function () {
-          const value = '; showami';
-          const extern = trackString(value, {
-            tags: {
-              [UNTRUSTED]: [0, 7],
-            },
-          });
-          child_process[method]('test', [extern], { shell: true });
-          expect(reportFindings).to.have.been.calledWithMatch({
-            ruleId: 'cmd-injection',
-            sinkEvent: {
-              name: `child_process.${method}`,
-              object: {
-                value: 'child_process',
-                tracked: false,
-              },
-              args: [
-                { value: 'test', tracked: false },
-                { value: UtilInspect([value]), tracked: true },
-                { value: UtilInspect({ shell: true }), tracked: false },
-              ],
-              tags: { [UNTRUSTED]: [0, 7] },
-              source: 'P1',
-            },
-          });
-        });
-      });
-    });
-  });
-});

package/lib/dataflow/sinks/install/eval.test.js DELETED Viewed

@@ -1,95 +0,0 @@
-'use strict';
-const {
-  DataflowTag: { UNTRUSTED, CUSTOM_VALIDATED },
-  Rule: { UNSAFE_CODE_EXECUTION },
-} = require('@contrast/common');
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow sinks eval', function () {
-  let core, simulateRequestScope, trackString, reportFindings, reportSafePositive;
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
-    core.contrastMethods.install();
-    require('./eval')(core).install();
-  });
-  it('skips instrumentation if assess store is missing', function () {
-    global.ContrastMethods.eval('test');
-    expect(reportFindings).not.to.have.been.called;
-  });
-  it('skips instrumentation if a value is not provided ', function () {
-    simulateRequestScope(function () {
-      global.ContrastMethods.eval();
-      expect(reportFindings).not.to.have.been.called;
-    });
-  });
-  it('skips instrumentation if the argument is not a tracked', function () {
-    simulateRequestScope(function () {
-      global.ContrastMethods.eval('not-tracked');
-      expect(reportFindings).not.to.have.been.called;
-    });
-  });
-  it('skips instrumentation if the argument is sanitized', function () {
-    simulateRequestScope(function () {
-      const value = 'test';
-      const extern = trackString(value, {
-        tags: {
-          [UNTRUSTED]: [0, 3],
-          [CUSTOM_VALIDATED]: [0, 3]
-        }
-      });
-      global.ContrastMethods.eval(extern);
-      expect(reportFindings).not.to.have.been.called;
-      expect(reportSafePositive).to.have.been.calledWith({
-        name: 'eval',
-        ruleId: UNSAFE_CODE_EXECUTION,
-        safeTags: [CUSTOM_VALIDATED],
-        strInfo: { value, tags: { [UNTRUSTED]: [0, 3], [CUSTOM_VALIDATED]: [0, 3] } }
-      });
-    });
-  });
-  it('reports an unsafe-code-execution', function () {
-    simulateRequestScope(function () {
-      const value = 'test';
-      const extern = trackString(value, {
-        tags: {
-          [UNTRUSTED]: [0, 3],
-        }
-      });
-      global.ContrastMethods.eval(extern);
-      expect(reportFindings).to.have.been.calledWithMatch({
-        ruleId: UNSAFE_CODE_EXECUTION,
-        sinkEvent: {
-          args: [{ value, tracked: true }],
-          context: 'eval(\'test\')',
-          name: 'eval',
-          moduleName: 'global',
-          methodName: 'eval',
-          object: { value: 'global', tracked: false },
-          source: 'P0',
-          tags: { [UNTRUSTED]: [0, 3] }
-        }
-      });
-    });
-  });
-});

package/lib/dataflow/sinks/install/express/index.test.js DELETED Viewed

@@ -1,33 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const proxyquire = require('proxyquire');
-const sinon = require('sinon');
-const mocks = require('@contrast/test/mocks');
-const MODULES = ['unvalidatedRedirect'];
-describe('assess dataflow sinks express', function () {
-  let core, express;
-  beforeEach(function () {
-    core = mocks.core();
-    core.assess = { dataflow: { sinks: {} } };
-    const moduleMock = (name) => (deps) => {
-      deps.assess.dataflow.sinks.express[name] = { install: sinon.stub() };
-    };
-    express = proxyquire('.', {
-      './reflected-xss': moduleMock('reflectedXss'),
-      './unvalidated-redirect': moduleMock('unvalidatedRedirect'),
-    })(core);
-  });
-  it('installs its components', function () {
-    express.install();
-    MODULES.forEach((module) => {
-      expect(express[module].install).to.have.been.calledOnce;
-    });
-  });
-});

package/lib/dataflow/sinks/install/express/reflected-xss.test.js DELETED Viewed

@@ -1,109 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const {
-  DataflowTag: {
-    UNTRUSTED,
-    URL_ENCODED,
-  }
-} = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess dataflow sinks express reflected-xss', function () {
-  let core, Response, simulateRequestScope, trackString, reportFindings, reportSafePositive;
-  beforeEach(function () {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    reportFindings = sinon.stub(core.assess.dataflow.sinks, 'reportFindings');
-    reportSafePositive = sinon.stub(core.assess.dataflow.sinks, 'reportSafePositive');
-    Response = {
-      send: () => { }
-    };
-    core.depHooks.resolve.yields(Response);
-    require('./reflected-xss')(core).install();
-  });
-  it('skips instrumentation if there is no assess store', function () {
-    Response.send('hello');
-    expect(reportFindings).to.not.have.been.called;
-  });
-  it('skips instrumentation if chunk does not exist', function () {
-    simulateRequestScope(function () {
-      Response.send();
-      expect(reportFindings).to.not.have.been.called;
-    });
-  });
-  it('skip instrumentation if chunk is not string', function () {
-    simulateRequestScope(function () {
-      Response.send(true);
-      expect(reportFindings).to.not.have.been.called;
-    });
-  });
-  it('skips instrumentation if chunk is not tracked', function () {
-    simulateRequestScope(function () {
-      Response.send('foo');
-      expect(reportFindings).to.not.have.been.called;
-    });
-  });
-  it('reports a "safe positive" event when safe tags overlap UNTRUSTED', function () {
-    simulateRequestScope(function () {
-      const value = 'foo';
-      const extern = trackString(value, {
-        tags: {
-          [URL_ENCODED]: [0, 2],
-          [UNTRUSTED]: [0, 2],
-        },
-      });
-      Response.send(extern);
-      expect(reportSafePositive).to.have.been.calledWithMatch({
-        name: 'Express.Response.send',
-        ruleId: 'reflected-xss',
-        safeTags: [URL_ENCODED],
-        strInfo: {
-          tags: { [URL_ENCODED]: [0, 2], [UNTRUSTED]: [0, 2] },
-          value
-        },
-      });
-    });
-  });
-  it('reports a reflected-xss', function () {
-    simulateRequestScope(function () {
-      const value = 'foo';
-      const extern = trackString(value, {
-        tags: {
-          [UNTRUSTED]: [0, 2]
-        },
-      });
-      Response.send(extern);
-      expect(reportFindings).to.have.been.calledWithMatch({
-        ruleId: 'reflected-xss',
-        sinkEvent: {
-          args: [{ value, tracked: true }],
-          context: "response.send('foo')",
-          name: 'Express.Response.send',
-          moduleName: 'express',
-          methodName: 'Response.send',
-          object: {
-            value: 'Express.Response',
-            tracked: false,
-          },
-          result: { value: undefined, tracked: false },
-          source: 'P0',
-          tags: {
-            [UNTRUSTED]: [0, 2],
-          },
-        },
-      });
-    });
-  });
-});