@contrast/assess 1.46.1 → 1.46.3

package/lib/dataflow/propagation/install/joi/array.test.js

@@ -1,912 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const util = require('util');
-const { initAssessFixture } = require('@contrast/test/fixtures');
-const {
-  DataflowTag: {
-    UNTRUSTED,
-    STRING_TYPE_CHECKED,
-    CUSTOM_VALIDATED
-  }
-} = require('@contrast/common');
-
-function makeTag(string, tag = UNTRUSTED) {
-  return { [tag]: [0, string.length - 1] };
-}
-
-function makeTags(string, ...tags) {
-  const ret = {};
-
-  tags.forEach((t) => {
-    ret[t] = [0, string.length - 1];
-  });
-
-  return ret;
-}
-
-function makeSchema(chain, base) {
-  for (let i = 0; i < chain.length; i++) {
-    const { fn, args = [] } = chain[i];
-    base = base[fn](...(typeof args === 'function' ? args() : args));
-  }
-  return base;
-}
-
-describe('assess dataflow propagation joi array schema validation', function() {
-  let core, joi, tracker, trackString, simulateRequestScope, makeArraySchema;
-
-  beforeEach(function() {
-    ({ core, simulateRequestScope, trackString } = initAssessFixture());
-    tracker = core.assess.dataflow.tracker;
-    core.config.assess.trust_custom_validators = true;
-
-    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/string.js', version: '>=17 <18' }).yields(require('joi-17/lib/types/string'));
-    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/keys.js', version: '>=17 <18' }).yields(require('joi-17/lib/types/keys'));
-    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/types/any', version: '>=17 <18' }).yields(require('joi-17/lib/types/any'));
-    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/validator', version: '>=17 <18' }).yields(require('joi-17/lib/validator'));
-    core.depHooks.resolve.withArgs({ name: 'joi', file: 'lib/values.js', version: '>=17 <18' }).yields(require('joi-17/lib/values'));
-
-    require('./index')(core).install();
-    joi = require('joi-17');
-    makeArraySchema = function(chain) {
-      return makeSchema([{ fn: 'array' }, ...chain], joi);
-    };
-  });
-
-  afterEach(function() {
-    Object.keys(require.cache).forEach((key) => {
-      if (key.includes('joi')) {
-        delete require.cache[key];
-      }
-    });
-  });
-
-  describe('.items()', function() {
-    const xyzzy = 'xyzzy';
-    const plover = 22;
-    const twisty = 'twisty-passages';
-    const colossal = 44;
-    const refData = [xyzzy, plover, twisty, colossal];
-
-    const itemsPositionTests = [
-      // as soon as the first element is validated as a string the
-      // remaining elements don't get validated in any way, so they
-      // won't get tagged. a single string satisfies both .has() and
-      // .items(joi.string().required()).
-      {
-        chain: [
-          { fn: 'items', args: () => [joi.string().required(), joi.any()] },
-          { fn: 'max', args: [4] },
-          { fn: 'min', args: [2] },
-          { fn: 'length', args: [4] },
-          { fn: 'has', args: () => [joi.string()] },
-          { fn: 'single', args: [] }
-        ],
-        data: refData,
-        tags: [
-          { ...makeTag(xyzzy), ...makeTag(xyzzy, STRING_TYPE_CHECKED) },
-          { ...makeTag(plover) },
-          { ...makeTag(twisty) },
-          { ...makeTag(colossal) }
-        ]
-      }
-    ];
-
-    // build additional tests with .items() in each position of the chain
-    const refTest = itemsPositionTests[0];
-    for (let i = 1; i < refTest.chain.length; i++) {
-      itemsPositionTests[i] = Object.assign({}, refTest);
-      itemsPositionTests[i].chain = rotate(refTest.chain, i);
-    }
-
-    itemsPositionTests.forEach((t) => {
-      const reducer = (acc, i) => {
-        acc.push(i.fn);
-        return acc;
-      };
-      const text = t.chain.reduce(reducer, []).join(', ');
-
-      it(`works in ${text} order`, function() {
-        simulateRequestScope(() => {
-          const schema = makeArraySchema(t.chain);
-          const data = t.data.map((d) => trackString(d));
-          const { value, error } = schema.validate(data);
-
-          // check each element of the array
-          for (let i = 0; i < value.length; i++) {
-            const v = value[i];
-            const td = tracker.getData(v);
-            expect(error).equal(undefined, `${t.fn} for ${v}`);
-            if (typeof v === 'string') {
-              expect(td).to.not.be.null;
-              const tags = t.tags[i];
-              expect(td.tags).eql(tags, `${t.fn} for ${v}(${i})`);
-            }
-          }
-        });
-      });
-    });
-
-    const dataPositionTests = [
-      // as soon as the first element is validated as a string the
-      // remaining elements don't get validated in any way, so they
-      // won't get tagged. a single string satisfies both .has() and
-      // .items(joi.string().required()).
-      {
-        name: 'string required',
-        chain: [
-          { fn: 'items', args: () => [joi.string().required(), joi.any()] }
-        ],
-        data: undefined,
-        tags: undefined
-      },
-      {
-        name: 'string and number required',
-        chain: [
-          {
-            fn: 'items',
-            args: () => [
-              joi.string().required(),
-              joi.number().required(),
-              joi.any()
-            ]
-          }
-        ],
-        data: undefined,
-        tags: undefined
-      }
-    ];
-
-    //
-    // for each test generate a test for each permutation of data order
-    //
-    for (const t of dataPositionTests) {
-      const indexPermutations = permutations(Object.keys(refData));
-      let data;
-      let dataText;
-      let tags;
-      for (const indexes of indexPermutations) {
-        data = [];
-        dataText = [];
-        tags = [];
-        let firstString = true;
-        for (let i = 0; i < indexes.length; i++) {
-          if (typeof refData[indexes[i]] === 'string') {
-            data[i] = () => trackString(refData[indexes[i]]);
-            if (firstString) {
-              tags[i] = {
-                ...makeTag(refData[indexes[i]]),
-                ...makeTag(refData[indexes[i]], STRING_TYPE_CHECKED)
-              };
-              firstString = false;
-            } else {
-              tags[i] = { ...makeTag(refData[indexes[i]]) };
-            }
-          } else {
-            data[i] = refData[indexes[i]];
-            tags[i] = [];
-          }
-          dataText[i] = refData[indexes[i]];
-        }
-
-        const text = `${t.name} in ${util.format(dataText)}`;
-
-        it(`${text}`, function() {
-          simulateRequestScope(() => {
-            data = data.map(i => {
-              if (typeof i === 'function') {
-                return i();
-              }
-
-              return i;
-            });
-            // run the test we just constructed
-            const schema = makeArraySchema(t.chain);
-            const { value, error } = schema.validate(data);
-
-            // check each element of the array
-            for (let i = 0; i < value.length; i++) {
-              const v = value[i];
-              let td = tracker.getData(v);
-              expect(error).equal(undefined, `${t.name} for ${v}`);
-              if (typeof v === 'string') {
-                expect(td).to.not.be.null;
-                expect(td.tags).eql(tags[i], `${v}(${i})`);
-                // and the tags should be correct in the original array too
-                td = tracker.getData(data[i]);
-                expect(td).to.not.be.null;
-                expect(td.tags).eql(tags[i], `${v}(${i})`);
-              }
-            }
-          });
-        });
-      }
-    }
-  });
-
-  describe('.has()', function() {
-    it('.has() tags a single string when using .valid()', function() {
-      simulateRequestScope(() => {
-        // 'b' is valid so tracking should be removed from it
-        const schema = joi.string().valid('b');
-        const objSchema = joi.object().valid({ prop: 'c' });
-        const data = [trackString('a'), trackString('b'), { prop: trackString('c') }];
-
-        const j = joi.array().has(schema)
-          .has(objSchema);
-        const { value, error } = j.validate(data);
-
-        expect(error).undefined;
-
-        const td = tracker.getData(value[0]);
-        expect(td).to.not.be.null;
-        expect(td)
-          .property('tags')
-          .eql({ ...makeTag('b') });
-
-        expect(tracker.getData(value[1])).to.be.null;
-        expect(tracker.getData(value[2].prop)).to.be.null;
-      });
-    });
-
-    it('.has() tags a single string when using .string()', function() {
-      simulateRequestScope(() => {
-        const schema = joi.string();
-        const a = trackString('a');
-        const b = trackString('b');
-        const data = [a, b];
-
-        const j = joi.array().has(schema);
-        const { value, error } = j.validate(data);
-
-        expect(error).undefined;
-
-        const tagA = makeTags(a, UNTRUSTED, STRING_TYPE_CHECKED);
-        const tagB = makeTags(b, UNTRUSTED);
-
-        // only the first value that passes is needed by .has()
-        const checks = [
-          { name: 'value[0]', value: value[0], tags: tagA },
-          { name: 'value[1]', value: value[1], tags: tagB },
-          { name: 'a', value: a, tags: tagA },
-          { name: 'b', value: b, tags: tagB }
-        ];
-        checks.forEach(({ name, value, tags }) => {
-          const td = tracker.getData(value);
-          expect(td).to.not.be.null;
-          expect(td.tags).eql(tags, `for ${name}`);
-        });
-      });
-    });
-
-    it('.has() tags a string embedded in an object', function() {
-      simulateRequestScope(() => {
-        const schema = joi.object({ xyzzy: joi.string() });
-        const a = trackString('a');
-        const b = trackString('b');
-        const data = [{ xyzzy: a }, b];
-
-        const j = joi.array().has(schema);
-        const { value, error } = j.validate(data);
-
-        const tags1 = makeTags('a', UNTRUSTED, STRING_TYPE_CHECKED);
-        const tags2 = makeTags('b', UNTRUSTED);
-
-        expect(error).undefined;
-
-        let td = tracker.getData(a);
-        expect(td).to.not.be.null;
-        expect(td.tags).eql(tags1, 'a should be untrusted');
-        td = tracker.getData(value[0].xyzzy);
-        expect(td).to.not.be.null;
-        expect(td.tags).eql(tags1, 'xyzzy.a should be string-type-checked');
-
-        td = tracker.getData(b);
-        expect(td).to.not.be.null;
-        expect(td.tags).eql(tags2, 'b should be untrusted');
-        td = tracker.getData(value[1]);
-        expect(td).to.not.be.null;
-        expect(td.tags).eql(tags2);
-      });
-    });
-  });
-
-  describe('array length constraints', function() {
-    const lengthTests = [
-      { fn: 'length', args: [4] },
-      { fn: 'max', args: [4] },
-      { fn: 'min', args: [2] },
-      { fn: 'single', args: [] }
-    ];
-
-    for (const t of lengthTests) {
-      const xyzzy = () => trackString('xyzzy');
-      const plover = () => trackString('plover');
-      const dragon = () => trackString('dragon');
-      const twisty = () => trackString('twisty');
-      let data = [xyzzy, plover, dragon, twisty];
-
-      it(`${t.fn} propagates tags`, function() {
-        simulateRequestScope(() => {
-          data = data.map(i => i());
-          const schema = makeArraySchema([t]);
-          const { value, error } = schema.validate(data);
-          expect(error).undefined;
-
-          for (let i = 0; i < value.length; i++) {
-            const v = value[i];
-            const tags = data.map((d) => makeTags(d, UNTRUSTED));
-
-            let td = tracker.getData(v);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(tags[i], `for ${v}`);
-
-            td = tracker.getData(data[i]);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(tags[i], `for ${v}`);
-          }
-        });
-      });
-    }
-
-    it('.single() has no effect on an array element', function() {
-      simulateRequestScope(() => {
-        const chain = [
-          { fn: 'has', args: [joi.string()] },
-          { fn: 'single', args: [] }
-        ];
-
-        const xyzzy = trackString('xyzzy');
-        const tags = makeTags('xyzzy', UNTRUSTED, STRING_TYPE_CHECKED);
-
-        const schema = makeArraySchema(chain);
-        const { value, error } = schema.validate([xyzzy]);
-        expect(error).undefined;
-
-        let td = tracker.getData(xyzzy);
-        expect(td).to.not.be.null;
-        expect(td.tags).eql(tags);
-
-        td = tracker.getData(value[0]);
-        expect(td).to.not.be.null;
-        expect(td.tags).eql(tags);
-      });
-    });
-
-    it('.single() propagates tags on a string promoted to an array element', function() {
-      simulateRequestScope(() => {
-        const chain = [
-          { fn: 'has', args: [joi.string()] },
-          { fn: 'single', args: [] }
-        ];
-
-        const xyzzy = trackString('xyzzy');
-        const tags = makeTags('xyzzy', UNTRUSTED, STRING_TYPE_CHECKED);
-
-        const schema = makeArraySchema(chain);
-        const { value, error } = schema.validate(xyzzy);
-        expect(error).undefined;
-
-        let td = tracker.getData(xyzzy);
-        expect(td).to.not.be.null;
-        expect(td.tags).eql(tags);
-
-        td = tracker.getData(value[0]);
-        expect(td).to.not.be.null;
-        expect(td.tags).eql(tags);
-      });
-    });
-  });
-
-  describe('.ordered()', function() {
-    const xyzzy = 'xyzzy';
-    const plover = 22;
-    const twisty = 'twisty-passages';
-    const colossal = 44;
-    const refData = [xyzzy, plover, twisty, colossal];
-
-    const orderedPositionTests = [
-      // as soon as the first element is validated as a string the
-      // remaining elements don't get validated in any way, so they
-      // won't get tagged. a single string satisfies both .has() and
-      // .items(joi.string().required()).
-      {
-        chain: [
-          {
-            fn: 'ordered',
-            args: () => [
-              joi.string().required(),
-              joi.number().required(),
-              joi.string(),
-              joi.any()
-            ]
-          },
-          { fn: 'max', args: [4] },
-          { fn: 'min', args: [2] },
-          { fn: 'length', args: [4] },
-          { fn: 'has', args: () => [joi.string()] },
-          { fn: 'single', args: [] }
-        ],
-        data: refData,
-        tags: [
-          makeTags(xyzzy, UNTRUSTED, STRING_TYPE_CHECKED),
-          [],
-          makeTags(twisty, UNTRUSTED, STRING_TYPE_CHECKED),
-          []
-        ]
-      }
-    ];
-
-    // test .ordered() in each chain position by making additional tests.
-    const refTest = orderedPositionTests[0];
-    for (let i = 1; i < refTest.chain.length; i++) {
-      orderedPositionTests[i] = Object.assign({}, refTest);
-      orderedPositionTests[i].chain = rotate(refTest.chain, i);
-    }
-
-    for (const t of orderedPositionTests) {
-      const reducer = (acc, i) => {
-        acc.push(i.fn);
-        return acc;
-      };
-      const text = t.chain.reduce(reducer, []).join(', ');
-
-      it(`works in ${text} order`, function() {
-        simulateRequestScope(() => {
-          const schema = makeArraySchema(t.chain);
-          const data = t.data.map((d) => trackString(d));
-          const { value, error } = schema.validate(data);
-
-          // check each element of the array
-          for (let i = 0; i < value.length; i++) {
-            const v = value[i];
-            const td = tracker.getData(v);
-            expect(error).equal(undefined, `${t.fn} for ${v}`);
-            if (typeof v === 'string') {
-              expect(td).to.not.be.null;
-              const tags = t.tags[i];
-              expect(td.tags).eql(tags, `${t.fn} for ${v}(${i})`);
-            }
-          }
-        });
-      });
-    }
-
-    const orderedErrorTests = [
-      // as soon as the first element is validated as a string the
-      // remaining elements don't get validated in any way, so they
-      // won't get tagged. a single string satisfies both .has() and
-      // .items(joi.string().required()).
-      {
-        name: 'first element fails validation',
-        chain: [
-          {
-            fn: 'ordered',
-            args: () => [
-              joi.number().required(),
-              joi.string().required(),
-              joi.string(),
-              joi.any()
-            ]
-          }
-        ],
-        data: [() => trackString(xyzzy), () => trackString(twisty), () => 1, () => 1],
-        tags: [
-          makeTags(xyzzy, UNTRUSTED),
-          makeTags(twisty, UNTRUSTED),
-          [],
-          []
-        ]
-      },
-      {
-        name: 'first element passes, second element fails',
-        chain: [
-          {
-            fn: 'ordered',
-            args: () => [
-              joi.string().required(),
-              joi.number().required(),
-              joi.string(),
-              joi.any()
-            ]
-          }
-        ],
-        data: [() => trackString(xyzzy), () => trackString(twisty), () => 1, () => 1],
-        tags: [
-          makeTags(xyzzy, UNTRUSTED, STRING_TYPE_CHECKED),
-          makeTags(twisty, UNTRUSTED),
-          [],
-          []
-        ]
-      },
-      {
-        name: 'string, any, number, string, then fail',
-        chain: [
-          {
-            fn: 'ordered',
-            args: () => [
-              joi.string().required(),
-              joi.any(),
-              joi.number().required(),
-              joi.string().required(),
-              joi.number()
-            ]
-          }
-        ],
-        data: [() => trackString(xyzzy), () => trackString(twisty), () => 12, () => trackString('z'), () => true],
-        tags: [
-          makeTags(xyzzy, UNTRUSTED, STRING_TYPE_CHECKED),
-          makeTags(twisty, UNTRUSTED),
-          [],
-          makeTags('z', UNTRUSTED, STRING_TYPE_CHECKED)
-        ]
-      }
-    ];
-
-    for (const t of orderedErrorTests) {
-      it(`works when ${t.name}`, function() {
-        simulateRequestScope(() => {
-          t.data = t.data.map((i) => i());
-          const schema = makeArraySchema(t.chain);
-          const { value, error } = schema.validate(t.data);
-
-          expect(error).instanceof(Error, `${t.name}`);
-          for (let i = 0; i < t.data.length; i++) {
-            const v = value[i];
-            const td = tracker.getData(v);
-            if (typeof v === 'string') {
-              expect(td).to.not.be.null;
-              expect(td.tags).eql(t.tags[i], `${t.name} for ${v}(${i})`);
-            }
-          }
-        });
-      });
-    }
-  });
-
-  describe('.sort', function() {
-    const a = 'a';
-    const b = 'bb';
-    const c = 'ccc';
-    const d = 'dddd';
-    const e = 'eeeee';
-    const z = 'z'.repeat(26);
-
-    const sortedRefData = [a, b, c, d, e, z];
-
-    const sortedTests = [
-      {
-        name: 'propagates with no validation',
-        chain: [{ fn: 'sort', args: [] }],
-        tags: sortedRefData
-          .map((s) => makeTags(s, UNTRUSTED))
-      },
-      {
-        name: 'validates and propagates with .items(joi.string())',
-        chain: [
-          { fn: 'sort', args: [] },
-          { fn: 'items', args: () => [joi.string()] }
-        ],
-        tags: sortedRefData
-          .map((s) => makeTags(s, UNTRUSTED, STRING_TYPE_CHECKED))
-      }
-    ];
-
-    for (const t of sortedTests) {
-      // build schema and execute the test
-      it(`${t.name} for sorted arrays`, function() {
-        simulateRequestScope(() => {
-          const schema = makeArraySchema(t.chain);
-          const { value, error } = schema.validate(sortedRefData.map(i => trackString(i)));
-
-          expect(error).undefined;
-
-          for (let i = 0; i < sortedRefData.length; i++) {
-            const v = value[i];
-            const td = tracker.getData(v);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(t.tags[i], `${t.name} for ${v}`);
-          }
-        });
-      });
-    }
-
-    const unsortedRefData = [e, d, c, b, a, z];
-    const unsortedTests = [
-      {
-        name: 'propagates with no validation',
-        chain: [
-          {
-            fn: 'sort',
-            args: []
-          }
-        ],
-        tags: unsortedRefData.map((s) => makeTags(s, UNTRUSTED))
-      },
-      {
-        name: 'validates and propagates',
-        chain: [
-          { fn: 'sort', args: [] },
-          { fn: 'items', args: () => [joi.string()] }
-        ],
-        tags: unsortedRefData.map((s) =>
-          makeTags(s, UNTRUSTED, STRING_TYPE_CHECKED)
-        )
-      }
-    ];
-
-    for (const t of unsortedTests) {
-      it(`${t.name} for unsorted arrays`, function() {
-        simulateRequestScope(() => {
-          const schema = makeArraySchema(t.chain);
-          const data = unsortedRefData.map(i => trackString(i));
-          const { value, error } = schema.validate(data);
-
-          expect(error).undefined;
-
-          // get sorted tags to check output array
-          const sortedTags = t.tags.slice().sort((a, b) => a[UNTRUSTED][1] - b[UNTRUSTED][1]);
-
-          for (let i = 0; i < data.length; i++) {
-            // check the sorted values
-            const v = value[i];
-            let td = tracker.getData(v);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(sortedTags[i], `${t.name} for ${v}`);
-            // check the original unsorted data
-            td = tracker.getData(data[i]);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(t.tags[i], `${t.name} source ${data[i]}`);
-          }
-        });
-      });
-    }
-  });
-
-  describe('nested arrays', function() {
-    const a = 'a';
-    const b = 'bb';
-    const c = 'ccc';
-    const d = 'dddd';
-    const e = 'eeeee';
-    const refData = [a, [b, c, [d, e]]];
-
-    function tagger(item, fn = trackString) {
-      return (function execute(item) {
-        if (Array.isArray(item)) {
-          return item.map(execute);
-        }
-        return fn(item);
-      })(item);
-    }
-
-    const tests = [
-      {
-        name: 'explicit schema',
-        chain: [
-          {
-            fn: 'items',
-            args: () => [
-              joi.string(),
-              joi.array().items(joi.string(), joi.array().items(joi.string()))
-            ]
-          }
-        ],
-        data: () => tagger(refData)
-      }
-    ];
-
-    for (const t of tests) {
-      it(`tags all elements with ${t.name}`, function() {
-        simulateRequestScope(() => {
-          t.data = t.data();
-          const schema = makeArraySchema(t.chain);
-          const { value, error } = schema.validate(t.data);
-
-          expect(error).undefined;
-
-          const check = (item) => {
-            const td = tracker.getData(item);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(
-              makeTags(item, UNTRUSTED, STRING_TYPE_CHECKED)
-            );
-          };
-          // use tagger to check too
-          tagger(value, check);
-        });
-      });
-    }
-  });
-
-  describe('errors', function() {
-    const xyzzy = 'xyzzy';
-    const twisty = 'twisty-passages';
-    const cave = 'cave';
-    const blowup = 42;
-    const refData = [xyzzy, twisty, cave, blowup];
-
-    const tests = [
-      // as soon as the first element is validated as a string the
-      // remaining elements don't get validated in any way, so they
-      // won't get tagged. a single string satisfies both .has() and
-      // .items(joi.string().required()).
-      {
-        chain: [
-          { fn: 'items', args: () => [joi.number().forbidden(), joi.string()] }
-        ],
-        data: refData
-      },
-      {
-        chain: [
-          { fn: 'items', args: () => [joi.string(), joi.number().forbidden()] }
-        ]
-      }
-    ];
-
-    // make additional tests, moving the number that causes failure.
-    const refTest = tests[0];
-    for (let i = 1; i < refData.length; i++) {
-      tests[i] = {
-        chain: refTest.chain,
-        data: rotate(refTest.data, i)
-      };
-    }
-
-    for (const t of tests) {
-      const failIndex = t.data.findIndex((d) => typeof d === 'number');
-
-      it(`should validate strings before index ${failIndex}`, function() {
-        simulateRequestScope(() => {
-          const data = t.data.map((d) => trackString(d));
-          const schema = makeArraySchema(t.chain);
-          const { value, error } = schema.validate(data);
-
-          expect(error).not.undefined;
-
-          // strings before the number should have 'string-type-checked'
-          for (let i = 0; i < failIndex; i++) {
-            const v = value[i];
-            const tags = makeTags(v, UNTRUSTED, STRING_TYPE_CHECKED);
-            let td = tracker.getData(v);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(tags);
-
-            td = tracker.getData(data[i]);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(tags);
-          }
-
-          // strings after the number should have only 'untrusted'
-          for (let i = failIndex + 1; i < data.length; i++) {
-            const v = value[i];
-            const tags = makeTags(v, UNTRUSTED);
-            let td = tracker.getData(v);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(tags, `for ${v}`);
-
-            td = tracker.getData(data[i]);
-            expect(td).to.not.be.null;
-            expect(td.tags).eql(tags, `for ${data[i]}`);
-          }
-        });
-      });
-    }
-  });
-
-  describe('async', function() {
-    const a = 'a';
-    const b = 'bb';
-    const c = 'ccc';
-    const d = 'dddd';
-    const e = 'eeeee';
-    const unnestedRefData = [a, b, c, d, e];
-    const nestedRefData = [a, [b, c, [d, e]]];
-
-    function tagger(item, fn = trackString) {
-      return (function execute(item) {
-        if (Array.isArray(item)) {
-          return item.map(execute);
-        }
-
-        return fn(item);
-      })(item);
-    }
-
-    function syncValidator() {
-      return;
-    }
-
-    async function asyncValidator() {
-      return new Promise((resolve) => {
-        setTimeout(() => {
-          resolve();
-        }, 10);
-      });
-    }
-
-    const tests = [
-      {
-        name: 'unnested without modification (sync)',
-        chain: [
-          { fn: 'items', args: () => [joi.string().external(syncValidator)] }
-        ],
-        data: () => tagger(unnestedRefData),
-        tags: [UNTRUSTED, STRING_TYPE_CHECKED, CUSTOM_VALIDATED]
-      },
-      {
-        name: 'pass without modification (async)',
-        chain: [
-          {
-            fn: 'items',
-            args: () => [joi.any().external(asyncValidator)]
-          }
-        ],
-        data: () => tagger(nestedRefData),
-        tags: [UNTRUSTED, CUSTOM_VALIDATED]
-      },
-      {
-        name: 'pass with modification (sync)',
-        chain: [
-          {
-            fn: 'items',
-            args: () => [joi.any().external(syncValidator)]
-          }
-        ],
-        data: () => tagger(nestedRefData),
-        tags: [UNTRUSTED, CUSTOM_VALIDATED]
-      }
-    ];
-
-    for (const t of tests) {
-      it(`tags all elements with ${t.name}`, function(done) {
-        simulateRequestScope(() => {
-          t.data = t.data();
-          const schema = makeArraySchema(t.chain);
-          schema.validateAsync(t.data)
-            .then((value) => {
-              const check = (item) => {
-                const td = tracker.getData(item);
-                expect(td).to.not.be.null;
-                expect(td.tags).to.deep.equal(makeTags(item, ...t.tags));
-              };
-              // use tagger to check too
-              tagger(value, check);
-              tagger(t.data, check);
-              done();
-            })
-            .catch(err => done(err));
-        });
-      });
-    }
-  });
-
-  //
-  // helpers
-  //
-  function rotate(a, n) {
-    if (a.length === 0 || n === 0) {
-      return a;
-    }
-    n = n % a.length;
-    return [...a.slice(n), ...a.slice(0, n)];
-  }
-
-  function permutations(arr, n = arr.length, out = []) {
-    for (let i = 0; i < n; i++) {
-      // if down to one remaing just use it
-      if (n === 2) {
-        out.push(arr.slice());
-      } else {
-        permutations(arr, n - 1, out);
-      }
-      const j = n % 2 == 0 ? i : 0;
-      const t = arr[n - 1];
-      arr[n - 1] = arr[j];
-      arr[j] = t;
-    }
-    return out;
-  }
-});
-