npm - @contrast/assess - Versions diffs - 1.46.1 → 1.46.3 - Mend

@contrast/assess 1.46.1 → 1.46.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/lib/index.test.js DELETED Viewed

@@ -1,45 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const proxyquire = require('proxyquire');
-const mocks = require('@contrast/test/mocks');
-const moduleMock = (moduleName, mock) => (deps) => {
-  deps.assess[moduleName] = mock[moduleName];
-};
-describe('assess', function () {
-  let core, assessMock, assessModule, modulesWithInstall;
-  beforeEach(function () {
-    assessMock = mocks.assess();
-    core = mocks.core();
-    core.config = mocks.config();
-    core.logger = mocks.logger();
-    core.rewriter = mocks.rewriter();
-    core.scopes = mocks.scopes();
-    core.config.assess.enable = true;
-    core.sources = {
-      addHook: sinon.stub(),
-    };
-    assessModule = proxyquire('.', {
-      './session-configuration': moduleMock('sessionConfiguration', assessMock),
-      './dataflow': moduleMock('dataflow', assessMock),
-      './response-scanning': moduleMock('responseScanning', assessMock),
-      './crypto-analysis': moduleMock('cryptoAnalysis', assessMock),
-    });
-    modulesWithInstall = ['sessionConfiguration', 'dataflow', 'responseScanning', 'cryptoAnalysis'];
-  });
-  it('installs the components', function () {
-    core.config.getEffectiveValue.withArgs('assess.enable').returns(true);
-    assessModule(core).install();
-    modulesWithInstall.forEach((module) => {
-      expect(assessMock[module].install).to.have.been.calledOnce;
-    });
-    expect(core.rewriter.install).to.have.been.calledWith('assess');
-  });
-});

package/lib/make-source-context.test.js DELETED Viewed

@@ -1,50 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const mocks = require('@contrast/test/mocks');
-describe('assess makeSourceContext', function () {
-  let core;
-  beforeEach(function () {
-    ({ core } = initAssessFixture());
-  });
-  it('will return `null` and log error when passed insufficient parameters', function() {
-    const assessCtx = core.assess.makeSourceContext({});
-    expect(assessCtx).to.be.null;
-    expect(core.logger.error).to.have.been.calledWithMatch({
-      err: sinon.match.has('message'),
-    }, 'unable to construct assess store. assess will be disabled for request.');
-  });
-  it('construct the store correctly given req and res', function() {
-    const mockSourceData = {
-      store: {},
-      incomingMessage: mocks.incomingMessage()
-    };
-    const assessCtx = core.assess.makeSourceContext(mockSourceData);
-    expect(assessCtx).to.deep.include({
-      propagationEventsCount: 0,
-      sampleInfo: null,
-      sourceEventsCount: 0,
-      reqData: {
-        contentType: 'text/html',
-        headers: {
-          'content-type': 'text/html',
-          referer: 'http://fake.url.foo',
-          language: 'en',
-        },
-        httpVersion: '1.1',
-        ip: '127.0.0.1',
-        method: 'get',
-        queries: '_id=123',
-        uriPath: '/index',
-      },
-      responseData: {},
-    });
-    expect(assessCtx.policy.enabledRules).to.have.length.greaterThan(5);
-  });
-});

package/lib/response-scanning/handlers/index.test.js DELETED Viewed

@@ -1,419 +0,0 @@
-'use strict';
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const handlers = require('.');
-describe('assess response scanning handlers', function () {
-  let core,
-    simulateRequestScope,
-    reportFindings,
-    handleAutoCompleteMissing,
-    handleCacheControlsMissing,
-    handleClickJackingControlsMissing,
-    handleParameterPollution,
-    handleCspHeader,
-    handleHstsHeaderMissing,
-    handleXPoweredByHeader,
-    handleXContentTypeHeaderMissing,
-    handleXxsProtectionHeaderDisabled;
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-    sinon.stub(core.assess.responseScanning, 'reportFindings');
-    ({
-      handleAutoCompleteMissing,
-      handleCacheControlsMissing,
-      handleClickJackingControlsMissing,
-      handleParameterPollution,
-      handleCspHeader,
-      handleHstsHeaderMissing,
-      handleXPoweredByHeader,
-      handleXContentTypeHeaderMissing,
-      handleXxsProtectionHeaderDisabled,
-      reportFindings,
-    } = handlers(core));
-  });
-  describe('handleAutoCompleteMissing', function () {
-    const responseHeaders = { 'content-type': 'text/html' };
-    it('returns undefined if we are not checking html content', function () {
-      simulateRequestScope(() => {
-        handleAutoCompleteMissing(core.assess.getSourceContext(), {
-          responseHeaders: { 'content-type': 'application/json' },
-          responseBody: 'test'
-        });
-        expect(reportFindings).to.not.have.been.called;
-      });
-    });
-    it('does not report anything if the auto-complete options is set to "off"', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleAutoCompleteMissing(sc, { responseHeaders, responseBody: '<form autocomplete="off"></form>' });
-        expect(reportFindings).to.not.have.been.called;
-      });
-    });
-    it('reports when the auto-complete option is not set to "off"', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleAutoCompleteMissing(
-          sc,
-          responseHeaders,
-          '<form autocomplete="off"></form><form></form><form autocomplete="o"></form>'
-        );
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'autocomplete-missing',
-          vulnerabilityMetadata: {
-            attribute: undefined,
-            html: '&lt;form&gt;',
-            start: 0,
-            end: 6
-          }
-        });
-      });
-    });
-  });
-  describe('handleCacheControlsMissing', function () {
-    it('does not report anything if there is no body and the result is parsable', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleCacheControlsMissing(sc, {}, '');
-        expect(reportFindings).to.not.have.been.called;
-      });
-    });
-    it('does not report if there are cache control headers', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleCacheControlsMissing(
-          sc,
-          { 'cache-control': 'no-cache; no-store' },
-          'test'
-        );
-        expect(reportFindings).to.not.have.been.called;
-      });
-    });
-    it('reports if there is a pragma header', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleCacheControlsMissing(
-          sc,
-          { pragma: 'no-cache' },
-          'test'
-        );
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'cache-controls-missing',
-          vulnerabilityMetadata: {
-            data: JSON.stringify([{ type: 'Header', name: 'pragma', value: 'no-cache' }])
-          }
-        });
-      });
-    });
-    it('reports the cache-control header and the meta tags if they are not fully safe', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleCacheControlsMissing(
-          sc,
-          { 'cache-control': 'no-store' },
-          '<meta http-equiv="cache-control">'
-        );
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'cache-controls-missing',
-          vulnerabilityMetadata: {
-            data: JSON.stringify([
-              { type: 'Header', name: 'cache-control', value: 'no-store' },
-              { type: 'META tag', name: 'cache-control', value: '<meta http-equiv="cache-control">' },
-            ])
-          }
-        });
-      });
-    });
-  });
-  describe('handleClickJackingControlsMissing', function () {
-    it('does not report when we have the correct x-frame-options header', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleClickJackingControlsMissing(sc, {
-          'x-frame-options': 'DENY'
-        });
-        handleClickJackingControlsMissing(sc, {
-          'x-frame-options': 'SAMEORIGIN'
-        });
-        expect(reportFindings).to.not.have.been.called;
-      });
-    });
-    it('reports when there is no x-frame-options header', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleClickJackingControlsMissing(sc, {});
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'clickjacking-control-missing'
-        });
-      });
-    });
-    it('reports when the x-frame-options header is with a not safe value', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleClickJackingControlsMissing(sc, {
-          'x-frame-options': 'ALLOW-FROM origin'
-        });
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'clickjacking-control-missing'
-        });
-      });
-    });
-  });
-  describe('handleParameterPollution', function () {
-    it('does not report if all form elements have an action attribute', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleParameterPollution(sc, '<form action="foo.com"></form><form action="bar.com"></form>');
-        expect(reportFindings).to.not.have.been.called;
-      });
-    });
-    it('reports when one of the form elements does not have an acton attribute', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleParameterPollution(sc, '<form action="foo.com"></form><form></form>');
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'parameter-pollution',
-          vulnerabilityMetadata: {
-            attribute: undefined,
-            html: '&lt;form&gt;'
-          }
-        });
-      });
-    });
-  });
-  describe('handleCspHeader', function () {
-    it('does not report when we have a secure csp header', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleCspHeader(sc, {
-          'content-security-policy': 'default-src "self"; base-uri "foobar"; form-action "foobar"; frame-ancestors "foobar"; plugin-types "foobar"'
-        });
-        expect(reportFindings).to.not.have.been.called;
-      });
-    });
-    it('reports when there are no csp headers', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleCspHeader(sc, {});
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'csp-header-missing'
-        });
-      });
-    });
-    it('reports whent the csp headers are not all secure', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleCspHeader(sc, {
-          'content-security-policy': 'default-src "self"; form-action "foobar"; frame-ancestors "foobar"; plugin-types "foobar"'
-        });
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'csp-header-insecure',
-          vulnerabilityMetadata: {
-            data: JSON.stringify({
-              defaultSrcSecure: true,
-              defaultSrcValue: '"self"',
-              childSrcSecure: true,
-              childSrcValue: '',
-              connectSrcSecure: true,
-              connectSrcValue: '',
-              frameSrcSecure: true,
-              frameSrcValue: '',
-              mediaSrcSecure: true,
-              mediaSrcValue: '',
-              objectSrcSecure: true,
-              objectSrcValue: '',
-              scriptSrcSecure: true,
-              scriptSrcValue: '',
-              styleSrcSecure: true,
-              styleSrcValue: '',
-              baseUriSecure: false,
-              baseUriValue: '',
-              formActionSecure: true,
-              formActionValue: '"foobar"',
-              frameAncestorsSecure: true,
-              frameAncestorsValue: '"foobar"',
-            })
-          }
-        });
-      });
-    });
-  });
-  describe('handleHstsHeaderMissing', function () {
-    it('does not report when the max age is set properly on the hsts header', function () {
-      const sc = core.assess.getSourceContext();
-      handleHstsHeaderMissing(sc, {
-        'strict-transport-security': 'max-age=1'
-      });
-      expect(reportFindings).to.not.have.been.called;
-    });
-    it('reports when the max age is not set properly on the hsts header', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleHstsHeaderMissing(sc, {
-          'strict-transport-security': 'max-age=0;'
-        });
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'hsts-header-missing',
-          vulnerabilityMetadata: { data: '0' }
-        });
-      });
-    });
-    it('reports when the hsts headers is not set at all', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleHstsHeaderMissing(sc, {});
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'hsts-header-missing',
-          vulnerabilityMetadata: { data: '' }
-        });
-      });
-    });
-  });
-  describe('handleXPoweredByHeader', function () {
-    it('does not report if the x-powered-by header is not set', function () {
-      simulateRequestScope(() => {
-        handleXPoweredByHeader(core.assess.getSourceContext(), {});
-        expect(reportFindings).to.not.have.been.called;
-      });
-    });
-    it('reports when the x-powered-by header is set', function () {
-      simulateRequestScope(() => {
-        const sc = core.assess.getSourceContext();
-        handleXPoweredByHeader(sc, {
-          'x-powered-by': 'nginx'
-        });
-        expect(reportFindings).to.have.been.calledOnceWith(sc, {
-          ruleId: 'x-powered-by-header',
-          vulnerabilityMetadata: { platform: 'nginx' }
-        });
-      });
-    });
-    describe('handleXContentTypeHeaderMissing', function () {
-      it('does not report if the x-content-type-options header is set to "nosniff"', function () {
-        simulateRequestScope(() => {
-          handleXContentTypeHeaderMissing(core.assess.getSourceContext(), {
-            'x-content-type-options': 'nosniff'
-          });
-          expect(reportFindings).to.not.have.been.called;
-        });
-      });
-      it('reports if the x-content-type-options header is set to an unsafe value', function () {
-        simulateRequestScope(() => {
-          const sc = core.assess.getSourceContext();
-          handleXContentTypeHeaderMissing(sc, {
-            'x-content-type-options': 'unsafe'
-          });
-          expect(reportFindings).to.have.been.calledOnceWith(sc, {
-            ruleId: 'xcontenttype-header-missing',
-            vulnerabilityMetadata: { data: 'unsafe' }
-          });
-        });
-      });
-      it('reports when the x-content-type-options header is not set', function () {
-        simulateRequestScope(() => {
-          const sc = core.assess.getSourceContext();
-          handleXContentTypeHeaderMissing(sc, {
-            responseHeaders: {}
-          });
-          expect(reportFindings).to.have.been.calledOnceWith(sc, {
-            ruleId: 'xcontenttype-header-missing',
-            vulnerabilityMetadata: { data: '' }
-          });
-        });
-      });
-    });
-    describe('handleXxsProtectionHeaderDisabled', function () {
-      it('does not report if the x-xss-protection header value starts with 1', function () {
-        simulateRequestScope(() => {
-          handleXxsProtectionHeaderDisabled(core.assess.getSourceContext(), {
-            responseHeaders: {
-              'x-xss-protection': '1'
-            }
-          });
-          expect(reportFindings).to.not.have.been.called;
-        });
-      });
-      it('reports if the x-xss-protection header is set to an unsafe value', function () {
-        simulateRequestScope(() => {
-          const sc = core.assess.getSourceContext();
-          handleXxsProtectionHeaderDisabled(sc, {
-            'x-xss-protection': '0'
-          });
-          expect(reportFindings).to.have.been.calledOnceWith(sc, {
-            ruleId: 'xxssprotection-header-disabled',
-            vulnerabilityMetadata: { data: '0' }
-          });
-        });
-      });
-      it('reports when the x-xss-protection header is not set', function () {
-        simulateRequestScope(() => {
-          const sc = core.assess.getSourceContext();
-          handleXxsProtectionHeaderDisabled(sc, {});
-          expect(reportFindings).not.to.have.been.called;
-        });
-      });
-    });
-  });
-});