From 986718cda5af1b21ae683f3f66ba4b0f6771773d Mon Sep 17 00:00:00 2001
From: Adam Richardson
Date: Fri, 11 Jan 2019 14:00:49 -0500
Subject: [PATCH] Test dev vs. prod dependencies in yarn audit
---
 __tests__/commands/audit.js | 40 ++++++
 .../audit-api-response.json | 132 ++++++++++++++++++
 .../dev-and-prod-vulnerabilities/package.json | 10 ++
 .../dev-and-prod-vulnerabilities/yarn.lock | 13 ++
 4 files changed, 195 insertions(+)
 create mode 100644 __tests__/fixtures/audit/dev-and-prod-vulnerabilities/audit-api-response.json
 create mode 100644 __tests__/fixtures/audit/dev-and-prod-vulnerabilities/package.json
 create mode 100644 __tests__/fixtures/audit/dev-and-prod-vulnerabilities/yarn.lock
diff --git a/__tests__/commands/audit.js b/__tests__/commands/audit.js
index d44bad8ad2..0d58473f41 100644
--- a/__tests__/commands/audit.js
+++ b/__tests__/commands/audit.js
@@ -173,6 +173,46 @@ test('calls reporter auditSummary with correct data for private package', () =>
 });
 });
+test.concurrent('distinguishes dev and prod transitive dependencies in audit request and result', () => {
+ const expectedApiPost = {
+ name: 'foo',
+ version: '1.0.0',
+ install: [],
+ remove: [],
+ metadata: {},
+ requires: {
+ mime: '1.4.0',
+ hoek: '4.2.0',
+ },
+ dependencies: {
+ mime: {
+ version: '1.4.0',
+ integrity: 'sha512-n9ChLv77+QQEapYz8lV+rIZAW3HhAPW2CXnzb1GN5uMkuczshwvkW7XPsbzU0ZQN3sP47Er2KVkp2p3KyqZKSQ==',
+ requires: {},
+ dependencies: {},
+ dev: false,
+ },
+ hoek: {
+ version: '4.2.0',
+ integrity: 'sha512-v0XCLxICi9nPfYrS9RL8HbYnXi9obYAeLbSP00BmnZwCK9+Ih9WOjoZ8YoHCoav2csqn4FOz4Orldsy2dmDwmQ==',
+ requires: {},
+ dependencies: {},
+ dev: true,
+ },
+ },
+ dev: false,
+ };
+
+ return runAudit([], {}, 'dev-and-prod-vulnerabilities', async (config, reporter) => {
+ const calledWithPipe = config.requestManager.request.mock.calls[0][0].body;
+ const calledWith = JSON.parse(await gunzip(calledWithPipe));
+ expect(calledWith).toEqual(expectedApiPost);
+
+ const apiResponse = getAuditResponse(config);
+ expect(reporter.auditSummary).toBeCalledWith(apiResponse.metadata);
+ });
+});
+ describe('returns semantic exit codes', () => {
+ let lockfileSpy;
+ let installSpy;
diff --git a/__tests__/fixtures/audit/dev-and-prod-vulnerabilities/audit-api-response.json b/__tests__/fixtures/audit/dev-and-prod-vulnerabilities/audit-api-response.json
new file mode 100644
index 0000000000..70160e4fc6
--- /dev/null
+++ b/__tests__/fixtures/audit/dev-and-prod-vulnerabilities/audit-api-response.json
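Review bot: The test title promises "transitive dependencies", but the fixture exercises only direct ones: both `expectedApiPost.dependencies.mime` and `.hoek` carry `requires: {}` and `dependencies: {}` and both appear in the top-level `requires`, so dev/prod flag propagation through a nested package is never checked. Either rename the test to `'distinguishes dev and prod dependencies in audit request and result'` or extend the fixture so one vulnerable package is reachable only through a devDependency. The "result" half is also thin: the only assertion is `reporter.auditSummary` against `apiResponse.metadata`, so a regression that reported the hoek advisory without its `dev: true` flag would still pass because the summary counts stay 1/1; asserting the per-advisory reporter call (whichever hook the earlier tests in this file use) against the `dev` value from the fixture's `actions[].resolves` would pin that behaviour. Minor: `mock.calls[0][0].body` silently assumes the audit POST is the first request, so a comment such as `// the first (and only) request is the gzipped audit POST` would make the assumption visible if a preflight call is ever added.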
@@ -0,0 +1,132 @@
+{
+ "actions": [
+ {
+ "action": "install",
+ "module": "mime",
+ "target": "2.4.0",
+ "isMajor": true,
+ "resolves": [
+ {
+ "id": 535,
+ "path": "mime",
+ "dev": false,
+ "optional": false,
+ "bundled": false
+ }
+ ]
+ },
+ {
+ "action": "install",
+ "module": "hoek",
+ "target": "6.1.2",
+ "isMajor": true,
+ "resolves": [
+ {
+ "id": 566,
+ "path": "hoek",
+ "dev": true,
+ "optional": false,
+ "bundled": false
+ }
+ ]
+ }
+ ],
+ "advisories": {
+ "535": {
+ "findings": [
+ {
+ "version": "1.4.0",
+ "paths": [
+ "mime"
+ ],
+ "dev": false,
+ "optional": false,
+ "bundled": false
+ }
+ ],
+ "id": 535,
+ "created": "2017-09-25T19:02:28.152Z",
+ "updated": "2018-04-09T00:38:22.785Z",
+ "deleted": null,
+ "title": "Regular Expression Denial of Service",
+ "found_by": {
+ "name": "Cristian-Alexandru Staicu"
+ },
+ "reported_by": {
+ "name": "Cristian-Alexandru Staicu"
+ },
+ "module_name": "mime",
+ "cves": [
+ "CVE-2017-16138"
+ ],
+ "vulnerable_versions": "< 1.4.1 || > 2.0.0 < 2.0.3",
+ "patched_versions": ">= 1.4.1 < 2.0.0 || >= 2.0.3",
+ "overview": "Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.",
+ "recommendation": "Update to version 2.0.3 or later.",
+ "references": "[Issue #167](https://github.com/broofa/node-mime/issues/167)",
+ "access": "public",
+ "severity": "moderate",
+ "cwe": "CWE-400",
+ "metadata": {
+ "module_type": "Multi.Library",
+ "exploitability": 4,
+ "affected_components": ""
+ },
+ "url": "https://npmjs.com/advisories/535"
+ },
+ "566": {
+ "findings": [
+ {
+ "version": "4.2.0",
+ "paths": [
+ "hoek"
+ ],
+ "dev": true,
+ "optional": false,
+ "bundled": false
+ }
+ ],
+ "id": 566,
+ "created": "2018-04-20T21:25:58.421Z",
+ "updated": "2018-04-20T21:25:58.421Z",
+ "deleted": null,
+ "title": "Prototype pollution",
+ "found_by": {
+ "name": "HoLyVieR"
+ },
+ "reported_by": {
+ "name": "HoLyVieR"
+ },
+ "module_name": "hoek",
+
"cves": [],
+ "vulnerable_versions": "<= 4.2.0 || >= 5.0.0 < 5.0.3",
+ "patched_versions": "> 4.2.0 < 5.0.0 || >= 5.0.3",
+ "overview": "Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.",
+ "recommendation": "Update to version 4.2.1, 5.0.3 or later.",
+ "references": "",
+ "access": "public",
+ "severity": "moderate",
+ "cwe": "CWE-471",
+ "metadata": {
+ "module_type": "",
+ "exploitability": 5,
+ "affected_components": ""
+ },
+ "url": "https://npmjs.com/advisories/566"
+ }
+ },
+ "muted": [],
+ "metadata": {
+ "vulnerabilities": {
+ "info": 0,
+ "low": 0,
+ "moderate": 2,
+ "high": 0,
+ "critical": 0
+ },
+ "dependencies": 1,
+ "devDependencies": 1,
+ "optionalDependencies": 0,
+ "totalDependencies": 2
+ }
+}
diff --git a/__tests__/fixtures/audit/dev-and-prod-vulnerabilities/package.json b/__tests__/fixtures/audit/dev-and-prod-vulnerabilities/package.json
new file mode 100644
index 0000000000..f299785331
--- /dev/null
+++ b/__tests__/fixtures/audit/dev-and-prod-vulnerabilities/package.json
@@ -0,0 +1,10 @@
+{
+ "name": "foo",
+ "version": "1.0.0",
+ "devDependencies": {
+ "hoek": "4.2.0"
+ },
+ "dependencies": {
+ "mime": "1.4.0"
+ }
+}
diff --git a/__tests__/fixtures/audit/dev-and-prod-vulnerabilities/yarn.lock b/__tests__/fixtures/audit/dev-and-prod-vulnerabilities/yarn.lock
new file mode 100644
index 0000000000..6acff70962
--- /dev/null
+++ b/__tests__/fixtures/audit/dev-and-prod-vulnerabilities/yarn.lock
@@ -0,0 +1,13 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+hoek@4.2.0:
+ version "4.2.0"
+ resolved "https://registry.yarnpkg.com/hoek/-/hoek-4.2.0.tgz#72d9d0754f7fe25ca2d01ad8f8f9a9449a89526d"
+ integrity sha512-v0XCLxICi9nPfYrS9RL8HbYnXi9obYAeLbSP00BmnZwCK9+Ih9WOjoZ8YoHCoav2csqn4FOz4Orldsy2dmDwmQ==
+
+mime@1.4.0:
+ version "1.4.0"
+ resolved "https://registry.yarnpkg.com/mime/-/mime-1.4.0.tgz#69e9e0db51d44f2a3b56e48b7817d7d137f1a343"
+ integrity sha512-n9ChLv77+QQEapYz8lV+rIZAW3HhAPW2CXnzb1GN5uMkuczshwvkW7XPsbzU0ZQN3sP47Er2KVkp2p3KyqZKSQ==