npm - @contrast/assess - Versions diffs - 1.46.1 → 1.46.3 - Mend

@contrast/assess 1.46.1 → 1.46.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/lib/session-configuration/install/express-session.test.js DELETED Viewed

@@ -1,218 +0,0 @@
-'use strict';
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const util = require('util');
-describe('assess session-configuration http', function () {
-  let core,
-    expressSession,
-    simulateRequestScope;
-  function ExpressSession(options) {
-    return (req, res) => true;
-  }
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-    core.depHooks.resolve.yields(ExpressSession);
-    sinon.spy(core.assess.sessionConfiguration, 'handleHttpOnly');
-    sinon.spy(core.assess.sessionConfiguration, 'handleSecure');
-    expressSession = require('./express-session')(core).install();
-  });
-  it('skip instrumentation if options are set correctly', function () {
-    const options = {
-      secret: 'my-secret',
-      cookie: { httpOnly: true, secure: true },
-    };
-    expressSession(options);
-    expect(core.assess.sessionConfiguration.handleSecure).to.not.have.been.called;
-    expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
-  });
-  [
-    {
-      title: 'should instrument secure',
-      sessionOptions: [
-        undefined,
-        {},
-        { cookie: { httpOnly: undefined, secure: undefined } },
-        { cookie: { httpOnly: true } },
-      ],
-    },
-  ].forEach(({ title, sessionOptions }) => {
-    sessionOptions.forEach((options) => {
-      it(`${title} - ${util.inspect(options)}`, function () {
-        simulateRequestScope(() => {
-          const httpOnly = options?.cookie?.httpOnly;
-          const secure = options?.cookie?.secure;
-          const middleware = expressSession(options);
-          const request = {};
-          const response = {
-            setHeader: () => true,
-          };
-          middleware(request, response);
-          response.setHeader('Set-Cookie', 'hello');
-          // for code coverage
-          response.setHeader('custom-header', 'value');
-          const sourceContext = core.scopes.sources.getStore()?.assess;
-          expect(core.assess.sessionConfiguration.handleSecure).to.have.been.calledWith(
-            sourceContext,
-            'hello',
-            sinon.match({
-              args: [
-                {
-                  tracked: false,
-                  value: `{ cookie: { httpOnly: ${httpOnly}, secure: ${secure} } }`
-                },
-              ],
-              context: `expressSession({ cookie: { httpOnly: ${httpOnly}, secure: ${secure} } })`,
-              history: [],
-              name: 'express.hookedSessionConstructor',
-              moduleName: 'express-session',
-              methodName: '',
-              object: {
-                tracked: false,
-                value: 'Express.Response',
-              },
-              result: {
-                tracked: false,
-                value: undefined,
-              },
-              source: 'P0',
-              stack: [],
-              tags: {},
-              framework: 'express',
-              options: { cookie: { httpOnly, secure } },
-            })
-          );
-        });
-      });
-    });
-  });
-  [
-    {
-      title: 'should not instrument secure',
-      sessionOptions: [
-        { cookie: { secure: true } },
-      ],
-    },
-  ].forEach(({ title, sessionOptions }) => {
-    sessionOptions.forEach((options) => {
-      it(`${title} - ${util.inspect(options)}`, function () {
-        simulateRequestScope(() => {
-          const middleware = expressSession(options);
-          const request = {};
-          const response = {
-            setHeader: () => true,
-          };
-          middleware(request, response);
-          response.setHeader('Set-Cookie', 'hello');
-          expect(core.assess.sessionConfiguration.handleSecure).to.not.have.been.called;
-        });
-      });
-    });
-  });
-  [
-    {
-      title: 'should not instrument httpOnly',
-      sessionOptions: [
-        undefined,
-        {},
-        { cookie: {} },
-        { cookie: { httpOnly: true } },
-      ],
-    },
-  ].forEach(({ title, sessionOptions }) => {
-    sessionOptions.forEach((options) => {
-      it(`${title} - ${util.inspect(options)}`, function () {
-        simulateRequestScope(() => {
-          const middleware = expressSession(options);
-          const request = {};
-          const response = {
-            setHeader: () => true,
-          };
-          middleware(request, response);
-          response.setHeader('Set-Cookie', 'hello');
-          expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
-        });
-      });
-    });
-  });
-  [
-    {
-      title: 'should instrument httpOnly',
-      sessionOptions: [
-        { cookie: { httpOnly: false, secure: undefined } },
-      ],
-    },
-  ].forEach(({ title, sessionOptions }) => {
-    sessionOptions.forEach((options) => {
-      it(`${title} - ${util.inspect(options)}`, function () {
-        simulateRequestScope(() => {
-          const middleware = expressSession(options);
-          const request = {};
-          const response = {
-            setHeader: () => true,
-          };
-          middleware(request, response);
-          response.setHeader('Set-Cookie', 'hello');
-          const sourceContext = core.scopes.sources.getStore()?.assess;
-          expect(core.assess.sessionConfiguration.handleHttpOnly).to.have.been.calledWith(
-            sourceContext,
-            'hello',
-            sinon.match({
-              args: [
-                {
-                  tracked: false,
-                  value: util.inspect(options),
-                },
-              ],
-              context: `expressSession(${util.inspect(options)})`,
-              history: [],
-              name: 'express.hookedSessionConstructor',
-              moduleName: 'express-session',
-              methodName: '',
-              object: {
-                tracked: false,
-                value: 'Express.Response',
-              },
-              result: {
-                tracked: false,
-                value: undefined,
-              },
-              source: 'P0',
-              stack: [],
-              tags: {},
-              framework: 'express',
-              options,
-            })
-          );
-        });
-      });
-    });
-  });
-});

package/lib/session-configuration/install/fastify-cookie.test.js DELETED Viewed

@@ -1,63 +0,0 @@
-'use strict';
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { SessionConfigurationRule } = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
-describe('assess session-configuration @fastify/cookie', function () {
-  let core,
-    simulateRequestScope,
-    serverMock,
-    mockFastifyCookie,
-    mockExport,
-    reply;
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-    mockExport = function fastifyCookieMock(server, options) { };
-    mockExport.default = mockExport;
-    mockExport.fastifyCookie = mockExport;
-    reply = { header: sinon.stub() };
-    serverMock = {
-      addHook: sinon.stub().yields({}, reply),
-    };
-    core.depHooks.resolve.yields(mockExport);
-    sinon.stub(core.assess.sessionConfiguration, 'reportFindings');
-    core.assess.sessionConfiguration.fastifyCookie.install();
-    mockFastifyCookie = mockExport.fastifyCookie;
-  });
-  it('reports httponly and secure-flag-missing when both options are unset', function () {
-    mockFastifyCookie(serverMock, {});
-    simulateRequestScope(() => {
-      reply.header('Set-Cookie', 'bar');
-    });
-    expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
-      ruleId: HTTPONLY,
-      sinkEvent: sinon.match({
-        context: 'fastifyCookie({ parseOptions: { httpOnly: undefined, secure: undefined } })',
-      }),
-    });
-    expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
-      ruleId: SECURE_FLAG_MISSING,
-      sinkEvent: sinon.match({
-        context: 'fastifyCookie({ parseOptions: { httpOnly: undefined, secure: undefined } })',
-      }),
-    });
-  });
-  it('will not report if instrumentation runs outside of request scope', function () {
-    mockFastifyCookie(serverMock, {});
-    reply.header('Set-Cookie', 'bar');
-    expect(core.assess.sessionConfiguration.reportFindings).not.to.have.been.called;
-  });
-});

package/lib/session-configuration/install/hapi.test.js DELETED Viewed

@@ -1,269 +0,0 @@
-'use strict';
-const util = require('util');
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-describe('assess session-configuration hapi', function () {
-  const hapi = {
-    server() {
-      return { state() { }, ext: sinon.stub() };
-    },
-    Server() {
-      return { state() { }, ext: sinon.stub() };
-    }
-  };
-  let core, hapiServer, simulateRequestScope;
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-    core.depHooks.resolve
-      .withArgs({ name: '@hapi/hapi', version: '>=18 <22' })
-      .yields(hapi);
-    sinon.spy(core.assess.sessionConfiguration, 'handleHttpOnly');
-    sinon.spy(core.assess.sessionConfiguration, 'handleSecure');
-    require('./hapi')(core).install();
-  });
-  ['server', 'Server'].forEach((server) => {
-    describe(`${server}`, function () {
-      it('skips instrumentation if options are set correctly', function () {
-        simulateRequestScope(() => {
-          const options = {
-            isHttpOnly: true,
-            isSecure: true
-          };
-          hapiServer = hapi[server]();
-          hapiServer.state('data', options);
-          expect(core.assess.sessionConfiguration.handleSecure).to.not.have.been.called;
-          expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
-        });
-      });
-      it('does not call handlers when set-cookie is missing in headers', function () {
-        simulateRequestScope(() => {
-          const options = {
-            isHttpOnly: false,
-            isSecure: false
-          };
-          hapiServer = hapi[server]();
-          hapiServer.ext.withArgs('onPostResponse', sinon.match.func).callsFake((string, method) => {
-            method({
-              response: {
-                headers: {}
-              }
-            });
-          });
-          hapiServer.state('data', options);
-          expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
-          expect(core.assess.sessionConfiguration.handleSecure).to.not.have.been.called;
-        });
-      });
-      [
-        {
-          isSecure: false
-        },
-        {
-          isSecure: false,
-          isHttpOnly: true
-        }
-      ].forEach((options) => {
-        it('handles isSecure flag set to false', function () {
-          simulateRequestScope(() => {
-            hapiServer = hapi[server]();
-            hapiServer.ext.withArgs('onPostResponse', sinon.match.func).callsFake((string, method) => {
-              method({
-                response: {
-                  headers: {
-                    'set-cookie': ['foo']
-                  }
-                }
-              });
-            });
-            hapiServer.state('data', options);
-            const sourceContext = core.scopes.sources.getStore()?.assess;
-            expect(core.assess.sessionConfiguration.handleHttpOnly).to.not.have.been.called;
-            expect(core.assess.sessionConfiguration.handleSecure).to.have.been.calledWith(
-              sourceContext,
-              'set-cookie: foo',
-              sinon.match({
-                args: [
-                  {
-                    tracked: false,
-                    value: util.inspect(options),
-                  },
-                ],
-                context: `state(${util.inspect(['data', options])})`,
-                history: [],
-                name: `hapi.${server}.state`,
-                moduleName: 'hapi',
-                methodName: '',
-                object: {
-                  tracked: false,
-                  value: `hapi.${server}`,
-                },
-                result: {
-                  tracked: false,
-                  value: undefined,
-                },
-                source: 'P1',
-                framework: 'hapi',
-                options,
-              })
-            );
-          });
-        });
-      });
-      [
-        {
-          isHttpOnly: false
-        },
-        {
-          isSecure: true,
-          isHttpOnly: false
-        }
-      ].forEach((options) => {
-        it('handles isHttpOnly flag set to false', function () {
-          simulateRequestScope(() => {
-            hapiServer = hapi[server]();
-            hapiServer.ext.withArgs('onPostResponse', sinon.match.func).callsFake((string, method) => {
-              method({
-                response: {
-                  headers: {
-                    'set-cookie': ['foo']
-                  }
-                }
-              });
-            });
-            hapiServer.state('data', options);
-            const sourceContext = core.scopes.sources.getStore()?.assess;
-            expect(core.assess.sessionConfiguration.handleHttpOnly).to.have.been.calledWith(
-              sourceContext,
-              'set-cookie: foo',
-              sinon.match({
-                args: [
-                  {
-                    tracked: false,
-                    value: util.inspect(options),
-                  },
-                ],
-                context: `state(${util.inspect(['data', options])})`,
-                history: [],
-                name: `hapi.${server}.state`,
-                moduleName: 'hapi',
-                methodName: '',
-                object: {
-                  tracked: false,
-                  value: `hapi.${server}`,
-                },
-                result: {
-                  tracked: false,
-                  value: undefined,
-                },
-                source: 'P1',
-                framework: 'hapi',
-                options,
-              })
-            );
-          });
-        });
-      });
-      it('handles isHttpOnly flag and isSecure set to false', function () {
-        simulateRequestScope(() => {
-          const options = {
-            isSecure: false,
-            isHttpOnly: false
-          };
-          hapiServer = hapi[server]();
-          hapiServer.ext.withArgs('onPostResponse', sinon.match.func).callsFake((string, method) => {
-            method({
-              response: {
-                headers: {
-                  'set-cookie': ['foo']
-                }
-              }
-            });
-          });
-          hapiServer.state('data', options);
-          const sourceContext = core.scopes.sources.getStore()?.assess;
-          expect(core.assess.sessionConfiguration.handleHttpOnly).to.have.been.calledWith(
-            sourceContext,
-            'set-cookie: foo',
-            sinon.match({
-              args: [
-                {
-                  tracked: false,
-                  value: util.inspect(options),
-                },
-              ],
-              context: `state(${util.inspect(['data', options])})`,
-              history: [],
-              name: `hapi.${server}.state`,
-              moduleName: 'hapi',
-              methodName: '',
-              object: {
-                tracked: false,
-                value: `hapi.${server}`,
-              },
-              result: {
-                tracked: false,
-                value: undefined,
-              },
-              source: 'P1',
-              framework: 'hapi',
-              options,
-            })
-          );
-          expect(core.assess.sessionConfiguration.handleSecure).to.have.been.calledWith(
-            sourceContext,
-            'set-cookie: foo',
-            sinon.match({
-              args: [
-                {
-                  tracked: false,
-                  value: util.inspect(options),
-                },
-              ],
-              context: `state(${util.inspect(['data', options])})`,
-              history: [],
-              name: `hapi.${server}.state`,
-              moduleName: 'hapi',
-              methodName: '',
-              object: {
-                tracked: false,
-                value: `hapi.${server}`,
-              },
-              result: {
-                tracked: false,
-                value: undefined,
-              },
-              source: 'P1',
-              framework: 'hapi',
-              options,
-            })
-          );
-        });
-      });
-    });
-  });
-});

package/lib/session-configuration/install/koa.test.js DELETED Viewed

@@ -1,92 +0,0 @@
-'use strict';
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { SessionConfigurationRule } = require('@contrast/common');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const { HTTPONLY, SECURE_FLAG_MISSING } = SessionConfigurationRule;
-describe('assess sessionConfiguration Koa', function () {
-  let core,
-    simulateRequestScope,
-    koaMock,
-    ctxMock,
-    patchedMiddleware;
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initAssessFixture());
-    koaMock = {
-      prototype: {
-        middleware: [],
-        use: (fn) => {
-          koaMock.prototype.middleware.push(fn);
-        },
-      }
-    };
-    ctxMock = function() {};
-    ctxMock.cookies = { set: sinon.stub() };
-    core.depHooks.resolve
-      .withArgs({ name: 'koa', version: '>=2.3.0 <3' })
-      .yields(koaMock);
-    sinon.stub(core.assess.sessionConfiguration, 'reportFindings');
-    core.assess.sessionConfiguration.koa.install();
-    koaMock.prototype.use(ctxMock);
-    [patchedMiddleware] = koaMock.prototype.middleware;
-    patchedMiddleware(ctxMock);
-  });
-  it('will not report if instrumentation runs outside of request scope', function() {
-    patchedMiddleware(ctxMock);
-    ctxMock.cookies.set('cookie', 'foo', { secure: false });
-    expect(core.assess.sessionConfiguration.reportFindings).not.to.have.been.called;
-  });
-  it('will not report when both options are set to true', function() {
-    simulateRequestScope(() => {
-      ctxMock.cookies.set('cookie', 'foo', { httpOnly: true, secure: true });
-      expect(core.assess.sessionConfiguration.reportFindings).not.to.have.been.called;
-    });
-  });
-  it('reports httponly when option is set to false', function() {
-    simulateRequestScope(() => {
-      ctxMock.cookies.set('cookie', 'foo', { httpOnly: false });
-      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
-        ruleId: HTTPONLY,
-        sinkEvent: sinon.match({
-          context: 'ctx.cookies.set({ httpOnly: false })',
-        }),
-      });
-    });
-  });
-  it('reports secure-flag-missing when option is set to false', function() {
-    simulateRequestScope(() => {
-      ctxMock.cookies.set('cookie', 'foo', { secure: false });
-      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
-        ruleId: SECURE_FLAG_MISSING,
-        sinkEvent: sinon.match({
-          context: 'ctx.cookies.set({ secure: false })',
-        }),
-      });
-    });
-  });
-  it('reports httponly and secure-flag-missing when options are not set', function() {
-    simulateRequestScope(() => {
-      ctxMock.cookies.set('cookie', 'foo');
-      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
-        ruleId: HTTPONLY
-      });
-      expect(core.assess.sessionConfiguration.reportFindings).to.have.been.calledWithMatch({
-        ruleId: SECURE_FLAG_MISSING
-      });
-    });
-  });
-});