@contrast/protect 1.0.1 → 1.1.0

package/lib/input-tracing/handlers/index.test.js

@@ -1,395 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-
-describe('protect input-tracing handlers', function() {
-  let handlers;
-
-  // each test should be asserting this at least
-  const TEST_DESCRIPTION = 'captures findings and sinkContext in result.details array';
-
-  // for additional assertions that might happen in tests, add to description
-  function makeTestDescription(blocks) {
-    const addl = blocks ? ' and blocks when in BLOCK mode' : '';
-    return `${TEST_DESCRIPTION}${addl}`;
-  }
-
-  function makeSourceContext(resultsList, rules) {
-    const e = new Error('SecurityException');
-    const resultsMap = Object.create(null);
-    if (resultsList) {
-      for (const result of resultsList) {
-        if (!resultsMap[result.ruleId]) {
-          resultsMap[result.ruleId] = [];
-        }
-        resultsMap[result.ruleId].push(result);
-      }
-    }
-
-    return {
-      rules: {
-        agentLibRules: {
-          ['cmd-injection']: { mode: 'monitor' },
-          ['path-traversal']: { mode: 'monitor' },
-          ['sql-injection']: { mode: 'monitor' },
-          ['ssjs-injection']: { mode: 'monitor' },
-          ...(rules || {})
-        }
-      },
-      findings: {
-        trackRequest: true,
-        resultsMap,
-      },
-      block: sinon.stub().throws(e)
-    };
-  }
-
-  before(function() {
-    const mocks = require('../../../../test/mocks');
-
-    const core = mocks.core();
-    core.logger = mocks.logger();
-    core.protect = mocks.protect();
-
-    handlers = require('.')(core);
-  });
-
-  describe('getResultsByRuleId()', function() {
-    [
-      { findings: { resultsMap: {} } },
-      { findings: { resultsMap: { 'not foo': [{ ruleId: 'not foo' }] } } },
-    ].forEach((sourceContext) => {
-      it(`returns null when context has missing keys or empty results. context = ${JSON.stringify(sourceContext)}`, function() {
-        expect(handlers.getResultsByRuleId('foo', sourceContext)).eql(undefined);
-      });
-    });
-
-    it('returns all items from context\'s resultsList which match provided ruldId', function() {
-      const context = {
-        findings: {
-          resultsMap: {
-            'foo': [
-              { ruleId: 'foo', tag: 1 },
-              { ruleId: 'foo' },
-            ],
-            'not foo': [
-              { ruleId: 'not foo' }
-            ],
-          }
-        }
-      };
-      expect(handlers.getResultsByRuleId('foo', context)).eql([
-        { ruleId: 'foo', tag: 1 },
-        { ruleId: 'foo' }
-      ]);
-    });
-
-    it('noops when there are no matching ruleId values', function() {
-      const sourceContext = makeSourceContext([
-        {
-          ruleId: 'foo'
-        }
-      ]);
-      const sinkContext = {
-        name: 'bar',
-        value: 'baz',
-      };
-
-      handlers.handlePathTraversal(sourceContext, sinkContext);
-      handlers.handleCommandInjection(sourceContext, sinkContext);
-      handlers.handleSqlInjection(sourceContext, sinkContext);
-
-      expect(sourceContext.findings.resultsMap['foo'][0].details).undefined;
-    });
-  });
-
-  describe('handlePathTraversal()', function() {
-    const sinkContextPositive = {
-      name: 'fs.readFileSync',
-      value: './../../../etc/passwd',
-      stack: []
-    };
-    const sinkContextNegative = {
-      name: 'fs.readFileSync',
-      value: 'index.js',
-      stack: []
-    };
-    const findings = {
-      path: './../../../etc/passwd',
-    };
-
-    [
-      {
-        blocks: false,
-        sourceContext: makeSourceContext(
-          [{
-            ruleId: 'path-traversal',
-            value: '../../../etc/passwd',
-            details: [],
-          }]
-        ),
-        expectedDetails: [
-          {
-            sinkContext: sinkContextPositive,
-            findings,
-          },
-          {
-            sinkContext: sinkContextPositive,
-            findings,
-          }
-        ]
-      },
-      {
-        blocks: true,
-        sourceContext: makeSourceContext(
-          [{
-            ruleId: 'path-traversal',
-            value: '../../../etc/passwd',
-            details: [],
-          }],
-          {
-            ['path-traversal']: { mode: 'block' }
-          }
-        ),
-        expectedDetails: [
-          {
-            sinkContext: sinkContextPositive,
-            findings,
-          },
-        ]
-      },
-      {
-        blocks: false,
-        sourceContext: makeSourceContext(
-          [{
-            ruleId: 'path-traversal',
-            value: '../../../etc/passwd',
-            details: [],
-          }],
-          {
-            ['path-traversal']: { mode: 'off' }
-          }
-        ),
-        expectedDetails: []
-      }
-    ].forEach(({ blocks, sourceContext, expectedDetails }) => {
-      it(makeTestDescription(blocks), function() {
-        const testFn = () => {
-          handlers.handlePathTraversal(sourceContext, sinkContextPositive);
-          handlers.handlePathTraversal(sourceContext, sinkContextPositive);
-          handlers.handlePathTraversal(sourceContext, sinkContextNegative);
-        };
-
-        const test = expect(testFn);
-        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
-
-        expect(sourceContext.findings.resultsMap['path-traversal'][0].details).to.eql(expectedDetails);
-      });
-    });
-  });
-
-  describe('handleCmdInjection()', function() {
-    const sinkContextPositive = {
-      name: 'child_process.execSync',
-      value: 'ls; cat /etc/passwd',
-      stack: [],
-    };
-    const sinkContextNegative = {
-      name: 'child_process.execSync',
-      value: 'foo',
-      stack: []
-    };
-    const findings = {
-      boundaryIndex: 2,
-      endIndex: 19,
-      overrunIndex: 4,
-      startIndex: 2,
-    };
-
-    [
-      {
-        blocks: false,
-        sourceContext: makeSourceContext(
-          [{
-            ruleId: 'cmd-injection',
-            value: '; cat /etc/passwd',
-            details: [],
-          }]
-        ),
-        expectedDetails: [
-          {
-            sinkContext: sinkContextPositive,
-            findings,
-          },
-          {
-            sinkContext: sinkContextPositive,
-            findings,
-          }
-        ]
-      },
-      {
-        blocks: true,
-        sourceContext: makeSourceContext(
-          [{
-            ruleId: 'cmd-injection',
-            value: '; cat /etc/passwd',
-            details: [],
-          }], {
-            ['cmd-injection']: { mode: 'block' }
-          }
-        ),
-        expectedDetails: [
-          {
-            sinkContext: sinkContextPositive,
-            findings,
-          },
-        ]
-      },
-      {
-        blocks: false,
-        sourceContext: makeSourceContext(
-          [{
-            ruleId: 'cmd-injection',
-            value: '; cat /etc/passwd',
-            details: [],
-          }], {
-            ['cmd-injection']: { mode: 'off' }
-          }
-        ),
-        expectedDetails: []
-      }
-    ].forEach(({ blocks, sourceContext, expectedDetails }) => {
-      it(makeTestDescription(blocks), function() {
-        const testFn = () => {
-          handlers.handleCommandInjection(sourceContext, sinkContextPositive);
-          handlers.handleCommandInjection(sourceContext, sinkContextPositive);
-          handlers.handleCommandInjection(sourceContext, sinkContextNegative);
-        };
-
-        const test = expect(testFn);
-        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
-
-        const cmdiResults = sourceContext.findings.resultsMap['cmd-injection'];
-
-        expect(cmdiResults[0].details).to.eql(expectedDetails);
-      });
-    });
-  });
-
-  describe('handleSqlInjection()', function() {
-    const sinkContextPositive = {
-      name: 'mysql.query',
-      value: 'select * from foo where col = "" and 1 = 1; --',
-      stack: [],
-    };
-    const sinkContextNegative = {
-      name: 'mysql.query',
-      value: 'select 1',
-      stack: [],
-    };
-    const findings = {
-      boundaryIndex: 30,
-      endIndex: 46,
-      overrunIndex: 31,
-      startIndex: 31,
-    };
-
-    [
-      {
-        blocks: false,
-        findings,
-        sourceContext: makeSourceContext(
-          [
-            {
-              ruleId: 'sql-injection',
-              value: '" and 1 = 1; --',
-              details: [],
-            }
-          ]
-        ),
-        expectedDetails: [
-          {
-            sinkContext: sinkContextPositive,
-            findings,
-          },
-          {
-            sinkContext: sinkContextPositive,
-            findings,
-          }
-        ]
-      },
-      {
-        blocks: true,
-        findings: {
-          startIndex: 0,
-          endIndex: 30,
-          overrunIndex: 0,
-          boundaryIndex: 0,
-        },
-        sourceContext: makeSourceContext(
-          [
-            {
-              ruleId: 'sql-injection',
-              // this is the exact value of the query - this is to get coverage
-              value: 'select * from foo where col = "" and 1 = 1; --',
-              details: [],
-            }
-          ],
-          {
-            ['sql-injection']: { mode: 'block' }
-          }
-        ),
-        expectedDetails: [
-          {
-            sinkContext: sinkContextPositive,
-            findings: {
-              startIndex: 0,
-              endIndex: 45,
-              overrunIndex: 0,
-              boundaryIndex: 0,
-            },
-          },
-        ]
-      },
-      {
-        blocks: false,
-        findings: {
-          startIndex: 0,
-          endIndex: 30,
-          overrunIndex: 0,
-          boundaryIndex: 0,
-        },
-        sourceContext: makeSourceContext(
-          [
-            {
-              ruleId: 'sql-injection',
-              value: '" and 1 = 1; --',
-              details: [],
-            }
-          ],
-          {
-            ['sql-injection']: { mode: 'off' }
-          }
-        ),
-        expectedDetails: []
-      }
-    ].forEach(({ analyis, blocks, sourceContext, expectedDetails }) => {
-      it(makeTestDescription(blocks), function() {
-        const testFn = () => {
-          handlers.handleSqlInjection(sourceContext, sinkContextPositive);
-          handlers.handleSqlInjection(sourceContext, sinkContextPositive);
-          handlers.handleSqlInjection(sourceContext, sinkContextNegative);
-        };
-
-        const test = expect(testFn);
-        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
-
-        const sqliResults = sourceContext.findings.resultsMap['sql-injection'];
-        expect(sqliResults[0].details).to.eql(expectedDetails);
-      });
-    });
-  });
-
-  it.skip('handleSsjsInjection()', function() {});
-});

package/lib/input-tracing/install/child-process.test.js

@@ -1,112 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-
-describe('protect input-tracing child-process', function() {
-  const cpInstr = require('./child-process');
-  const store = { protect: {} };
-  let cp, core;
-
-  beforeEach(function() {
-    const mocks = require('../../../../test/mocks/');
-    const patcher = require('@contrast/patcher');
-
-    cp = {
-      exec: sinon.stub(),
-      execSync: sinon.stub()
-    };
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.depHooks.resolve.yields(cp);
-    core.scopes = mocks.scopes();
-    core.scopes.sources = {
-      getStore: sinon.stub().returns(store)
-    };
-    core.patcher = patcher(core);
-    core.protect = mocks.protect();
-
-    cpInstr(core);
-
-    core.protect.inputTracing.cpInstrumentation.install();
-  });
-
-  describe('handleCommandInjection() is called with expected values', function() {
-    const methodArgs = ['foo', 'bar'];
-
-    ['exec', 'execSync'].forEach((method) => {
-      const name = `child_process.${method}`;
-
-      it(`${name}`, function() {
-        cp[method](...methodArgs);
-
-        const value = methodArgs[0];
-
-        expect(core.captureStacktrace).to.have.been.calledOnceWith(
-          { name, value },
-          { constructorOpt: cp[method] }
-        );
-
-        expect(core.protect.inputTracing.handleCommandInjection).to.have.been.calledWith(
-          store.protect,
-          { name, value }
-        );
-      });
-    });
-  });
-
-  describe('handleCommandInjection() is not called when method args are not relevant', function() {
-    const methodArgs = [1, undefined];
-
-    ['exec', 'execSync'].forEach((method) => {
-      const name = `child_process.${method}`;
-
-      it(name, function() {
-        cp[method](...methodArgs);
-
-        expect(core.captureStacktrace).to.not.have.been.called;
-        expect(core.protect.inputTracing.handleCommandInjection).to.not.have.been.called;
-      });
-    });
-  });
-
-  describe('handleCommandInjection() is not called when instrumentation is locked', function() {
-    const methodArgs = ['foo', 'bar'];
-
-    beforeEach(function() {
-      core.scopes.instrumentation.isLocked.returns(true);
-    });
-
-    ['exec', 'execSync'].forEach((method) => {
-      const name = `child_process.${method}`;
-
-      it(name, function() {
-        cp[method](...methodArgs);
-
-        expect(core.captureStacktrace).to.not.have.been.called;
-        expect(core.protect.inputTracing.handleCommandInjection).to.not.have.been.called;
-      });
-    });
-  });
-
-  describe('handleCommandInjection() is not called when there is no Protect sourceContext', function() {
-    const methodArgs = ['foo', 'bar'];
-
-    beforeEach(function() {
-      core.scopes.sources.getStore.returns({ protect: null });
-    });
-
-    ['exec', 'execSync'].forEach((method) => {
-      const name = `child_process.${method}`;
-
-      it(name, function() {
-        cp[method](...methodArgs);
-
-        expect(core.captureStacktrace).to.not.have.been.called;
-        expect(core.protect.inputTracing.handleCommandInjection).to.not.have.been.called;
-      });
-    });
-  });
-});

package/lib/input-tracing/install/fs.test.js

@@ -1,118 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-
-describe('protect input-tracing fs', function() {
-  const fsInstr = require('./fs');
-  const store = { protect: {} };
-  let fs;
-  let core;
-
-  function makeFsMock() {
-    return fsInstr.fsMethods.reduce((fs, { method, indices }) => {
-      fs[method] = sinon.stub();
-      return fs;
-    }, {});
-  }
-
-  beforeEach(function() {
-    const mocks = require('../../../../test/mocks');
-    const patcher = require('@contrast/patcher');
-
-    fs = makeFsMock();
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.depHooks.resolve.yields(fs);
-    core.scopes = mocks.scopes();
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.patcher = patcher(core);
-    core.protect = mocks.protect();
-
-    fsInstr(core);
-
-    core.protect.inputTracing.fsInstrumentation.install();
-  });
-
-  describe('handlePathTraversal() is called with expected values', function() {
-    const methodArgs = ['foo', 'bar'];
-
-    for (const { method, indices = [0] } of fsInstr.fsMethods) {
-      const name = `fs.${method}`;
-
-      it(`${name}`, function() {
-        fs[method](...methodArgs);
-
-        const calledWith = indices.length === 0 ? 'calledOnceWith' : 'calledWith';
-        for (const idx of indices) {
-
-          const value = methodArgs[idx];
-
-          // this is profound - we are asserting that the stacktrace constructor
-          // opt is the original method
-          expect(core.captureStacktrace).to.have.been[calledWith](
-            { name, value },
-            { constructorOpt: fs[method] }
-          );
-
-          expect(core.protect.inputTracing.handlePathTraversal).to.have.been.calledWith(
-            store.protect,
-            { name, value }
-          );
-        }
-      });
-    }
-  });
-
-  describe('handlePathTraversal() is not called when method args are not relevant', function() {
-    const methodArgs = [1, undefined];
-
-    for (const { method } of fsInstr.fsMethods) {
-      const name = `fs.${method}`;
-
-      it(name, function() {
-        fs[method](...methodArgs);
-
-        expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
-      });
-    }
-  });
-
-  describe('handlePathTraversal() is not called when instrumentation is locked', function() {
-    const methodArgs = ['foo', 'bar'];
-
-    beforeEach(function() {
-      core.scopes.instrumentation.isLocked.returns(true);
-    });
-
-    for (const { method } of fsInstr.fsMethods) {
-      const name = `fs.${method}`;
-
-      it(name, function() {
-        fs[method](...methodArgs);
-
-        expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
-      });
-    }
-  });
-
-  describe('handlePathTraversal() is not called when there is no Protect sourceContext', function() {
-    const methodArgs = ['foo', 'bar'];
-
-    beforeEach(function() {
-      core.scopes.sources.getStore.returns({ protect: null });
-    });
-
-    for (const { method } of fsInstr.fsMethods) {
-      const name = `fs.${method}`;
-
-      it(name, function() {
-        fs[method](...methodArgs);
-
-        expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
-      });
-    }
-  });
-});