@contrast/protect 1.0.1 → 1.2.0

package/lib/input-tracing/install/mysql.test.js

@@ -1,108 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-
-describe('protect input-tracing installs: mysql interfaces', function() {
-  const store = { protect: {} };
-
-  let core;
-  let inputTracing;
-
-  beforeEach(function() {
-    const mocks = require('../../../../test/mocks');
-    const patcher = require('@contrast/patcher');
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = mocks.scopes();
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    ({ protect: { inputTracing } } = core);
-
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-  });
-
-  describe('mysql', function() {
-    let Connection;
-
-    beforeEach(function() {
-      Connection = function() {};
-      Connection.prototype.query = sinon.stub();
-      core.depHooks.resolve.yields(Connection);
-      require('./mysql')(core).install();
-    });
-
-    describe('instruments connection.query()', function() {
-      it('handleSqlInjection() is called with valid expected values', function() {
-        const conn = new Connection();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-
-        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
-          {},
-          { name: 'mysql.Connection.prototype.query', value }
-        );
-      });
-
-      it('handleSqlInjection() is not called if there is no sourceContext', function() {
-        core.scopes.sources.getStore.returns({ protect: undefined });
-        const conn = new Connection();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-
-        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-      });
-
-      it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
-        const conn = new Connection();
-        conn.query('');
-        conn.query(100);
-
-        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-      });
-    });
-  });
-
-  describe('mysql2', function() {
-    let Connection;
-
-    beforeEach(function() {
-      Connection = function() {};
-      Connection.prototype.execute = sinon.stub();
-      core.depHooks.resolve.yields(Connection);
-      require('./mysql')(core).install();
-    });
-
-    describe('instruments connection.execute()', function() {
-      it('handleSqlInjection() is called with expected values', function() {
-        const conn = new Connection();
-        const value = 'SELECT "foo"';
-        conn.execute(value);
-
-        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
-          {},
-          { name: 'mysql2.Connection.prototype.execute', value }
-        );
-      });
-
-      it('handleSqlInjection() is not called if there is no sourceContext', function() {
-        core.scopes.sources.getStore.returns({ protect: undefined });
-        const conn = new Connection();
-        const value = 'SELECT "foo"';
-        conn.execute(value);
-
-        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-      });
-
-      it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
-        const conn = new Connection();
-        conn.execute('');
-        conn.execute(100);
-
-        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-      });
-    });
-  });
-});

package/lib/input-tracing/install/postgres.test.js

@@ -1,125 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-
-describe('protect input-tracing installs: postgres interfaces', function() {
-  const sourceContext = {};
-  const store = { protect: sourceContext };
-  const query = 'SELECT "foo"';
-
-  let core;
-  let inputTracing;
-
-  beforeEach(function() {
-    const mocks = require('../../../../test/mocks');
-    const patcher = require('@contrast/patcher');
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = mocks.scopes();
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    ({ protect: { inputTracing } } = core);
-  });
-
-  describe('pg.Client.prototype.query', function() {
-    let Client;
-
-    beforeEach(function() {
-      Client = function() {};
-      Client.prototype.query = sinon.stub();
-      core
-        .depHooks
-        .resolve
-        .withArgs({ name: 'pg', file: 'lib/client.js' })
-        .yields(Client);
-      require('./postgres')(core).install();
-    });
-
-    it('handleSqlInjection() is called with expected values', function() {
-      const conn = new Client();
-      conn.query(query);
-      conn.query({ text: query });
-
-      const sinkContext = { name: 'pg.Client.prototype.query', value: query };
-
-      expect(inputTracing.handleSqlInjection.callCount).to.eql(2);
-      [0, 1].forEach(callNum => {
-        expect(inputTracing.handleSqlInjection.getCall(callNum).calledWithExactly(store, sinkContext));
-      });
-    });
-
-    it('handleSqlInjection() is not called if there is no sourceContext', function() {
-      core.scopes.sources.getStore.returns({ protect: undefined });
-
-      const conn = new Client();
-      conn.query(query);
-      conn.query({ text: query });
-
-      expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-    });
-
-    it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
-      const conn = new Client();
-      conn.query('');
-      conn.query(100);
-      conn.query({ text: '' });
-      conn.query({ text: 100 });
-
-      expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-    });
-  });
-
-  describe('pg-pool.Pool.prototype.query', function() {
-    let Pool;
-
-    beforeEach(function() {
-      Pool = function() {};
-      Pool.prototype.query = sinon.stub();
-      core
-        .depHooks
-        .resolve
-        .withArgs({ name: 'pg-pool' })
-        .yields(Pool);
-
-      require('./postgres')(core).install();
-    });
-
-    it('handleSqlInjection() is called with expected values', function() {
-      const pool = new Pool();
-      pool.query(query);
-      pool.query({ text: query });
-
-      const sinkContext = { name: 'pg-pool.Pool.prototype.query', value: query };
-
-      expect(inputTracing.handleSqlInjection.callCount).to.eql(2);
-      [0, 1].forEach(callNum => {
-        expect(inputTracing.handleSqlInjection.getCall(callNum).calledWithExactly(store, sinkContext));
-      });
-    });
-
-    it('handleSqlInjection() is not called if there is no sourceContext', function() {
-      core.scopes.sources.getStore.returns({ protect: undefined });
-
-      const pool = new Pool();
-      const value = 'SELECT "foo"';
-      pool.query(value);
-      pool.query({ text: value });
-
-      expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-    });
-
-    it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
-      const pool = new Pool();
-      pool.query('');
-      pool.query(100);
-      pool.query({ text: '' });
-      pool.query({ text: 100 });
-
-      expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-    });
-  });
-});

package/lib/input-tracing/install/sequelize.test.js

@@ -1,79 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-
-describe('protect input-tracing installs: sequelize interfaces', function() {
-  const store = { protect: {} };
-
-  let core;
-  let inputTracing;
-
-  beforeEach(function() {
-    const mocks = require('../../../../test/mocks');
-    const patcher = require('@contrast/patcher');
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = mocks.scopes();
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    ({ protect: { inputTracing } } = core);
-
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-  });
-
-  describe('sequelize', function() {
-    let sequelize;
-
-    beforeEach(function() {
-      sequelize = function() {};
-      sequelize.prototype.query = sinon.stub();
-      core.depHooks.resolve.yields(sequelize);
-      require('./sequelize')(core).install();
-    });
-
-    describe('instruments sequelize.query()', function() {
-      it('handleSqlInjection() is called with valid expected values', function() {
-        const conn = new sequelize();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-        conn.query({ query: value });
-
-        expect(inputTracing.handleSqlInjection).to.have.been.calledTwice;
-        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
-          {},
-          { name: 'sequelize.prototype.query', value }
-        );
-      });
-
-      it('handleSqlInjection() is not called if instrumentation is locked', function() {
-        core.scopes.instrumentation.isLocked.returns(true);
-        const conn = new sequelize();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-
-        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-      });
-
-      it('handleSqlInjection() is not called if there is no sourceContext', function() {
-        core.scopes.sources.getStore.returns({ protect: undefined });
-        const conn = new sequelize();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-
-        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-      });
-
-      it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
-        const conn = new sequelize();
-        conn.query('');
-        conn.query(100);
-        conn.query({ query: '' });
-
-        expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-      });
-    });
-  });
-});

package/lib/input-tracing/install/sqlite3.test.js

@@ -1,88 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-
-describe('protect input-tracing installs: sqlite3 interfaces', function() {
-  const store = { protect: {} };
-
-  let core;
-  let inputTracing;
-
-  beforeEach(function() {
-    const mocks = require('../../../../test/mocks');
-    const patcher = require('@contrast/patcher');
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = mocks.scopes();
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    ({ protect: { inputTracing } } = core);
-
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-  });
-
-  describe('sqlite3', function() {
-    let sqlite3;
-
-    beforeEach(function() {
-      sqlite3 = {
-        // eslint-disable-next-line object-shorthand
-        Database: function() {}
-      };
-      sqlite3.Database.prototype = {
-        all: sinon.stub(),
-        run: sinon.stub(),
-        get: sinon.stub(),
-        each: sinon.stub(),
-        exec: sinon.stub(),
-        prepare: sinon.stub()
-      };
-      core.depHooks.resolve.yields(sqlite3);
-      require('./sqlite3')(core).install();
-    });
-
-    ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
-      describe(`instruments connection.${method}()`, function() {
-        it('handleSqlInjection() is called with valid expected values', function() {
-          const db = new sqlite3.Database();
-          const value = 'SELECT "foo"';
-          db[method](value);
-
-          expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
-            {},
-            { name: `sqlite3.Database.prototype.${method}`, value }
-          );
-        });
-
-        it('handleSqlInjection() is not called if instrumentation is locked', function() {
-          core.scopes.instrumentation.isLocked.returns(true);
-          const db = new sqlite3.Database();
-          const value = 'SELECT "foo"';
-          db[method](value);
-
-          expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-        });
-
-        it('handleSqlInjection() is not called if there is no sourceContext', function() {
-          core.scopes.sources.getStore.returns({ protect: undefined });
-          const db = new sqlite3.Database();
-          const value = 'SELECT "foo"';
-          db[method](value);
-
-          expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-        });
-
-        it('handleSqlInjection() is not called if the sql value is empty or not a string', function() {
-          const db = new sqlite3.Database();
-          db[method]('');
-          db[method](100);
-
-          expect(inputTracing.handleSqlInjection).to.have.not.been.called;
-        });
-      });
-    });
-  });
-});

package/lib/make-response-blocker.test.js

@@ -1,88 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const mocks = require('../../test/mocks');
-
-describe('protect make-response-blocker', function() {
-
-  let res, core, makeResponseBlocker;
-  beforeEach(function() {
-
-    res = {
-      end: sinon.stub(),
-      headersSent: false,
-      writeHead: sinon.stub()
-    };
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = mocks.patcher();
-    core.protect = {};
-
-    makeResponseBlocker = require('./make-response-blocker')(core);
-  });
-
-  it('Sends a blocked response', function() {
-    const block = makeResponseBlocker(res);
-    block('block', 'sql-injection');
-    expect(core.patcher.unwrap).to.have.been.calledWith(res.writeHead);
-    expect(core.patcher.unwrap).to.have.been.calledWith(res.end);
-    expect(res.writeHead).to.have.been.calledWith(403);
-    expect(res.end).to.have.been.calledWith('');
-    expect(core.logger.info).to.have.been.calledWith(
-      { mode: 'BLOCK', ruleId: 'sql-injection' },
-      'Request blocked'
-    );
-  });
-
-  it('Sets blocked property', function() {
-    const block = makeResponseBlocker(res);
-    block('block', 'sql-injection');
-    expect(makeResponseBlocker.blocked.has(res)).equal(true);
-  });
-
-  it('Set core.protect.makeResponseBlocker', function() {
-    expect(core.protect.makeResponseBlocker).to.be.equal(makeResponseBlocker);
-  });
-
-  it('Blocks on the same "res" object only once', function() {
-    const block = makeResponseBlocker(res);
-    block('block', 'sql-injection');
-    block('block', 'cmd-injection');
-    expect(makeResponseBlocker.blocked.has(res));
-    expect(res.end).to.have.been.calledOnce;
-    expect(res.writeHead).to.have.been.calledOnce;
-    expect(core.logger.info).to.have.been.calledOnce;
-  });
-
-  it('Adds multiple responses to blocked set', function() {
-    const res1 = Object.assign({}, res);
-    const res2 = Object.assign({}, res);
-    const block1 = makeResponseBlocker(res1);
-    const block2 = makeResponseBlocker(res2);
-    block1('block', 'sql-injection');
-    block2('block', 'cmd-injection');
-    expect(makeResponseBlocker.blocked.has(res1));
-    expect(makeResponseBlocker.blocked.has(res2));
-  });
-
-  it('Does not call writeHead when headers already sent', function() {
-    const block = makeResponseBlocker(res);
-    res.headersSent = true;
-    block('block_at_perimeter', 'reflected-xss');
-    expect(res.writeHead).to.not.have.been.called;
-    expect(res.end).to.have.been.calledWith('');
-  });
-
-  it('Logs error when exception thrown', function() {
-    const err = new Error('error');
-    res.end.throws(err);
-    const block = makeResponseBlocker(res);
-    block('block', 'path-traversal');
-    expect(core.logger.error).to.have.been.calledWith(
-      { err, mode: 'BLOCK', ruleId: 'path-traversal' },
-      'Error blocking request'
-    );
-  });
-});