@contrast/protect 1.0.1

package/lib/input-analysis/handlers.test.js

@@ -0,0 +1,898 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { constants: { RuleType, InputType } } = require('@contrast/agent-lib');
+const sqlMask = RuleType['sql-injection'];
+const xssMask = RuleType['reflected-xss'];
+const mongoMask = RuleType['nosql-injection-mongo'];
+const preferWW = { preferWorthWatching: true };
+const { UrlParameter, ParameterKey, ParameterValue } = InputType;
+/* eslint-disable newline-per-chained-call */
+
+// FASTIFY tests (NODE-2239, NODE-2240, NODE-2241)
+describe('basic input-analysis handlers', function () {
+  let mocks,
+    core,
+    sourceContext,
+    handleConnect,
+    handleRequestEnd,
+    handleQueryParams,
+    handleUrlParams,
+    handleCookies,
+    handleParsedBody,
+    handleFileUploadName;
+
+  beforeEach(function () {
+    mocks = require('../../../test/mocks');
+    core = {
+      config: mocks.config(),
+      protect: mocks.protect(),
+      logger: {
+        debug: sinon.stub(),
+      }
+    };
+    require('./handlers')(core);
+    ({
+      protect: {
+        inputAnalysis: {
+          handleConnect,
+          handleRequestEnd,
+          handleQueryParams,
+          handleUrlParams,
+          handleCookies,
+          handleParsedBody,
+          handleFileUploadName,
+        }
+      }
+    } = core);
+
+    sourceContext = {
+      rules: {
+        agentLibRulesMask: sqlMask,
+        agentLibRules: {
+          'sql-injection': { mode: 'block' },
+        },
+      },
+      block: sinon.stub(),
+      findings: {
+        trackRequest: false,
+        securityException: undefined,
+        bodyType: undefined,
+        resultsMap: Object.create(null),
+      },
+      reqData: {
+        method: 'GET',
+        uriPath: '/',
+        search: '',
+        headers: { 'content-type': 'application/json' },
+        contentType: '',
+      }
+    };
+  });
+
+
+  describe('handleConnect', function () {
+    let connectInputs;
+
+    beforeEach(function () {
+      connectInputs = {
+        headers: ['content-type', '.25 beretta', 'user-agent', '; drop table *'],
+      };
+      sinon.spy(core.protect.agentLib, 'scoreRequestConnect');
+    });
+
+    it('does not block a request with an attack for a worth-watching rule', function () {
+      handleConnect(sourceContext, connectInputs);
+
+      const expectedReturnValue = {
+        trackRequest: true,
+        resultsList: [{
+          ruleId: 'sql-injection',
+          inputType: 'HeaderValue',
+          path: ['user-agent'],
+          key: 'user-agent',
+          value: '; drop table *',
+          score: 10,
+          idsList: [],
+          // added by "normalizeFindings"
+          details: [],
+          blocked: false,
+          mappedId: 'sql-injection',
+        }],
+      };
+      const { agentLib } = core.protect;
+      expect(agentLib.scoreRequestConnect).calledOnceWith(sqlMask, connectInputs, preferWW);
+      // i don't know why i can't use expect(core.protect...scoreRequestConnect).returned(expected...);
+      const rv = agentLib.scoreRequestConnect.getCall(0).returnValue;
+      expect(rv).eql(expectedReturnValue);
+
+      // it calls with worth watching, so only reflected-xss can return a 90
+      expect(sourceContext.block).callCount(0);
+
+    });
+
+    // non-worth-watching rules
+    ['path-traversal', 'reflected-xss', 'method-tampering'].forEach((rule) => {
+      it(`blocks an attack for non-worth-watching rule: ${rule}`, function () {
+        const { agentLib } = core.protect;
+        sourceContext.rules = {
+          agentLibRulesMask: agentLib.RuleType[rule],
+          agentLibRules: { [rule]: { mode: 'block' } }
+        };
+        const target = {
+          'path-traversal': 'queries',
+          'reflected-xss': 'queries',
+          'method-tampering': 'method',
+        };
+        const attack = {
+          'path-traversal': ['x', '../..'],
+          'reflected-xss': ['x', '<script'],
+          'method-tampering': 'XYZZY',
+        };
+        connectInputs[target[rule]] = attack[rule];
+
+        const block = handleConnect(sourceContext, connectInputs);
+
+        expect(agentLib.scoreRequestConnect).calledOnceWith(agentLib.RuleType[rule], connectInputs, preferWW);
+        expect(sourceContext.block).callCount(0);
+        expect(block).eql(['block', rule]);
+      });
+    });
+  });
+
+  describe('handleRequestEnd', function() {
+    it('nyi', function() {
+      expect(() => handleRequestEnd()).to.throw('nyi');
+    });
+  });
+
+  describe('handleQueryParams', function() {
+    beforeEach(function() {
+      sinon.spy(core.protect.agentLib, 'scoreAtom');
+      sinon.spy(core.protect.agentLib, 'getMongoQueryType');
+    });
+
+    it('does not block a request with an attack for a worth-watching rule', function() {
+      const queryParams = {
+        first: { a: { nested: '; drop table *' } },
+        second: '',
+        third: 'times-a-charm',
+      };
+      const expectedCalls = [
+        { type: ParameterKey, value: 'first', rv: undefined },
+        { type: ParameterKey, value: 'a', rv: undefined },
+        { type: ParameterKey, value: 'nested', rv: undefined },
+        { type: ParameterValue, value: '; drop table *', rv: [{ ruleId: 'sql-injection', score: 10 }] },
+        { type: ParameterKey, value: 'second', rv: undefined },
+        { type: ParameterKey, value: 'third', rv: undefined },
+        { type: ParameterValue, value: 'times-a-charm', rv: [{ ruleId: 'sql-injection', score: 10 }] },
+
+      ];
+      handleQueryParams(sourceContext, queryParams);
+
+      const { agentLib } = core.protect;
+      // note that the empty string for the key 'second' does not generate a callback in handleQueryParams.
+      expect(agentLib.scoreAtom).callCount(7);
+
+      for (let i = 0; i < expectedCalls.length; i++) {
+        const exp = expectedCalls[i];
+        const call = agentLib.scoreAtom.getCall(i);
+        expect(call).calledWith(sqlMask, exp.value, exp.type, preferWW);
+        expect(call.returnValue).eql(exp.rv);
+      }
+
+      // it calls with worth watching, so only reflected-xss can return a 90
+      expect(sourceContext.block).callCount(0);
+
+    });
+
+    it('blocks a request with a definite attack for a non-worth-watching rule', function() {
+      const xssMask = RuleType['reflected-xss'];
+      sourceContext.rules = {
+        agentLibRulesMask: xssMask,
+        agentLibRules: {
+          'reflected-xss': { mode: 'block' },
+        },
+      };
+      const queryParams = {
+        first: { a: { nested: '<script' } },
+        second: '',
+        third: 'eval(x.toString())',
+      };
+
+      const expectedCalls = [
+        { type: ParameterKey, value: 'first', rv: undefined },
+        { type: ParameterKey, value: 'a', rv: undefined },
+        { type: ParameterKey, value: 'nested', rv: undefined },
+        { type: ParameterValue, value: '<script', rv: [{ ruleId: 'reflected-xss', score: 90 }] },
+        { type: ParameterKey, value: 'second', rv: undefined },
+        { type: ParameterKey, value: 'third', rv: undefined },
+        { type: ParameterValue, value: 'eval(x.toString())', rv: [{ ruleId: 'reflected-xss', score: 90 }] },
+
+      ];
+      handleQueryParams(sourceContext, queryParams);
+
+      const { agentLib } = core.protect;
+      // note that the empty string for the key 'second' does not generate a callback in handleQueryParams.
+      expect(agentLib.scoreAtom).callCount(7);
+
+      for (let i = 0; i < expectedCalls.length; i++) {
+        const exp = expectedCalls[i];
+        const call = agentLib.scoreAtom.getCall(i);
+        expect(call).calledWith(xssMask, exp.value, exp.type, preferWW);
+        expect(call.returnValue).eql(exp.rv);
+      }
+
+      // scoreAtom is called with worth watching, so only reflected-xss can return a 90
+      expect(sourceContext.block).callCount(1);
+    });
+
+    it('handles nosql-injection-mongo', function() {
+      const queryParams = {
+        first: { user: { $eq: { id: '*' } } }
+      };
+      sourceContext.rules = {
+        agentLibRulesMask: mongoMask,
+        agentLibRules: {
+          'nosql-injection-mongo': { mode: 'block' },
+        },
+      };
+      const { agentLib } = core.protect;
+
+      handleQueryParams(sourceContext, queryParams);
+
+      expect(agentLib.scoreAtom).callCount(5);
+      expect(agentLib.getMongoQueryType).callCount(4);
+
+      expect(sourceContext.findings.trackRequest).equal(true);
+      expect(sourceContext.findings.securityException).equal(undefined);
+      expect(sourceContext.findings.resultsMap).an('object').keys('nosql-injection-mongo');
+
+      const results = sourceContext.findings.resultsMap['nosql-injection-mongo'];
+      expect(results).an('array').length(1);
+
+      const result = results[0];
+      expect(result.path).eql(['first', 'user']);
+      expect(result.inputType).equal('ParameterKey');
+      expect(result.key).equal('$eq');
+      expect(result.value).equal(agentLib.getMongoQueryType('$eq'));
+      expect(result.mongoContext).an('object').keys('inputToCheck');
+
+      const context = result.mongoContext;
+      expect(context.inputToCheck).eql({ id: '*' });
+    });
+
+    it('handles nested nosql-injection-mongo results', function() {
+      const queryParams = {
+        first: { user: { $eq: { id: { $ne: { password: '' } } } } }
+      };
+      sourceContext.rules = {
+        agentLibRulesMask: mongoMask,
+        agentLibRules: {
+          'nosql-injection-mongo': { mode: 'block' },
+        },
+      };
+      const { agentLib } = core.protect;
+
+      handleQueryParams(sourceContext, queryParams);
+
+      expect(agentLib.scoreAtom).callCount(6);
+      expect(agentLib.getMongoQueryType).callCount(6);
+
+      expect(sourceContext.findings.trackRequest).equal(true);
+      expect(sourceContext.findings.securityException).equal(undefined);
+      expect(sourceContext.findings.resultsMap).an('object').keys('nosql-injection-mongo');
+
+      const results = sourceContext.findings.resultsMap['nosql-injection-mongo'];
+      expect(results).an('array').length(2);
+
+      const exp = [{
+        path: ['first', 'user'],
+        key: '$eq',
+        inputToCheck: { id: { $ne: { password: '' } } },
+      }, {
+        path: ['first', 'user', '$eq', 'id'],
+        key: '$ne',
+        inputToCheck: { password: '' },
+      }];
+
+      for (let i = 0; i < exp.length; i++) {
+        expect(results[i].path).eql(exp[i].path);
+        expect(results[i].inputType).equal('ParameterKey');
+        expect(results[i].key).equal(exp[i].key);
+        expect(results[i].value).equal(agentLib.getMongoQueryType(exp[i].key));
+        expect(results[i].mongoContext).an('object').keys('inputToCheck');
+
+        expect(results[i].mongoContext.inputToCheck).eql(exp[i].inputToCheck);
+      }
+    });
+
+    it('handles multiple nosql-injection-mongo results', function() {
+      const queryParams = {
+        first: {
+          user: { $where: { id: '*' } },
+          password: { $finalize: 'while(1){};' },
+        }
+      };
+      sourceContext.rules = {
+        agentLibRulesMask: mongoMask,
+        agentLibRules: {
+          'nosql-injection-mongo': { mode: 'block' },
+        },
+      };
+      const { agentLib } = core.protect;
+
+      handleQueryParams(sourceContext, queryParams);
+
+      expect(agentLib.scoreAtom).callCount(8);
+      expect(agentLib.getMongoQueryType).callCount(6);
+
+      expect(sourceContext.findings.trackRequest).equal(true, 'trackRequest should be true');
+      expect(sourceContext.findings.securityException).equal(undefined);
+      expect(sourceContext.findings.resultsMap).an('object').keys('nosql-injection-mongo');
+
+      const results = sourceContext.findings.resultsMap['nosql-injection-mongo'];
+      expect(results).an('array').length(2);
+
+      const exp = [{
+        path: ['first', 'user'],
+        key: '$where',
+        inputToCheck: { id: '*' },
+      }, {
+        path: ['first', 'password'],
+        key: '$finalize',
+        inputToCheck: 'while(1){};',
+      }];
+
+      for (let i = 0; i < exp.length; i++) {
+        expect(results[i].path).eql(exp[i].path);
+        expect(results[i].inputType).equal('ParameterKey');
+        expect(results[i].key).equal(exp[i].key);
+        expect(results[i].value).equal(agentLib.getMongoQueryType(exp[i].key));
+        expect(results[i].mongoContext).an('object').keys('inputToCheck');
+
+        expect(results[i].mongoContext.inputToCheck).eql(exp[i].inputToCheck);
+      }
+    });
+  });
+
+  describe('handleUrlParams', function () {
+    beforeEach(function () {
+      sinon.spy(core.protect.agentLib, 'scoreAtom');
+    });
+
+    it('does not block a request with an attack for a worth-watching rule', function() {
+      const urlParams = {
+        first: { a: { nested: '; drop table *' } },
+        second: '',
+        third: 'times-a-charm',
+      };
+      handleUrlParams(sourceContext, urlParams);
+
+      const { agentLib } = core.protect;
+      // scoreAtom is only called from leaf, not key, values that are not falsey.
+      expect(agentLib.scoreAtom).callCount(2);
+      expect(agentLib.scoreAtom.firstCall).calledWith(sqlMask, '; drop table *', UrlParameter, preferWW);
+      expect(agentLib.scoreAtom.secondCall).calledWith(sqlMask, 'times-a-charm', UrlParameter, preferWW);
+
+      for (let i = 0; i < 2; i++) {
+        const rv = agentLib.scoreAtom.getCall(i).returnValue;
+        expect(rv).eql([{ ruleId: 'sql-injection', score: 10 }]);
+      }
+
+      // it calls with worth watching, so only reflected-xss can return a 90
+      expect(sourceContext.block).callCount(0);
+
+    });
+
+    it('blocks a request with a definite attack for a non-worth-watching rule', function() {
+      const xssMask = RuleType['reflected-xss'];
+      sourceContext.rules = {
+        agentLibRulesMask: xssMask,
+        agentLibRules: {
+          'reflected-xss': { mode: 'block' },
+        },
+      };
+      const urlParams = {
+        first: { a: { nested: '<script' } },
+        second: '',
+        third: 'eval(x.toString())',
+      };
+
+      handleUrlParams(sourceContext, urlParams);
+
+      const { agentLib } = core.protect;
+      // scoreAtom is only called from leaf, not key, values that are not falsey.
+      expect(agentLib.scoreAtom).callCount(2);
+      expect(agentLib.scoreAtom.firstCall).calledWith(xssMask, '<script', UrlParameter, preferWW);
+      expect(agentLib.scoreAtom.secondCall).calledWith(xssMask, 'eval(x.toString())', UrlParameter, preferWW);
+
+      for (let i = 0; i < 2; i++) {
+        const rv = agentLib.scoreAtom.getCall(i).returnValue;
+        expect(rv).eql([{ ruleId: 'reflected-xss', score: 90 }]);
+      }
+
+      // it calls with worth watching, so only reflected-xss can return a 90
+      expect(sourceContext.block).callCount(1);
+    });
+
+    // there are no longer any worth-watching returns from a non-worth-watching rule. there
+    // used to be, but there are now. this test is skipped (as opposed to removed) to serve
+    // as a guide in case this can happen in the future.
+    it.skip('does not block a request for a worth-watching score from a non-worth-watching rule', function() {
+      sourceContext.rules = {
+        agentLibRulesMask: xssMask,
+        agentLibRules: {
+          'reflected-xss': { mode: 'block' },
+        },
+      };
+      // this is the only Score::HIGH pattern left; if it goes away then this
+      // test should go away too.
+      const tenScore1 = 'type="text/javascript"';
+      const tenScore2 = 'type="application/javascript"';
+      const urlParams = {
+        first: { a: { nested: tenScore1 } },
+        second: '',
+        third: tenScore2,
+      };
+
+      handleUrlParams(sourceContext, urlParams);
+
+      const { agentLib } = core.protect;
+      // scoreAtom is only called from leaf, not key, values that are not falsey.
+      expect(agentLib.scoreAtom).callCount(2);
+      expect(agentLib.scoreAtom.firstCall).calledWith(xssMask, tenScore1, UrlParameter, preferWW);
+      expect(agentLib.scoreAtom.secondCall).calledWith(xssMask, tenScore2, UrlParameter, preferWW);
+
+      for (let i = 0; i < 2; i++) {
+        const rv = agentLib.scoreAtom.getCall(i).returnValue;
+        expect(rv).eql([{ ruleId: 'reflected-xss', score: 10 }]);
+      }
+
+      // while reflected-xss can return a 90 score, these particular attacks only
+      // score 10, so block shouldn't be called.
+      expect(sourceContext.block).callCount(0);
+      expect(sourceContext.findings.resultsMap).an('object').keys(['reflected-xss']);
+      const expected = {
+        path: [['first', 'a', 'nested'], ['third']],
+        key: ['nested', 'third'],
+        value: [tenScore1, tenScore2]
+      };
+      expect(sourceContext.findings.resultsMap).an('object').keys(['reflected-xss']);
+      const reflectedXssResults = sourceContext.findings.resultsMap['reflected-xss'];
+
+      for (let i = 0; i < reflectedXssResults.length; i++) {
+        const result = reflectedXssResults[i];
+        expect(result.ruleId).equal('reflected-xss');
+        expect(result.inputType).equal('UrlParameter');
+        expect(result.path).eql(expected.path[i]);
+        expect(result.key).equal(expected.key[i]);
+        expect(result.value).equal(expected.value[i]);
+      }
+    });
+  });
+
+  describe('handleCookies', function() {
+    const sql10Score = '; drop table *';
+    let al;
+
+    beforeEach(function () {
+      al = core.protect.agentLib;
+    });
+
+    it('does not block the request because worth-watching is used', function () {
+      const cookies = {
+        secret: sql10Score,
+      };
+
+      const expectedInputs = { cookies: [] };
+      Object.entries(cookies).forEach(entry => expectedInputs.cookies.push(...entry));
+      sinon.spy(al, 'scoreRequestConnect');
+
+      handleCookies(sourceContext, cookies);
+
+      expect(al.scoreRequestConnect).calledOnceWith(sqlMask, expectedInputs, preferWW);
+      expect(sourceContext.block).callCount(0);
+    });
+  });
+
+  describe('handleParsedBody', function() {
+    const sql10Score = '; drop table *';
+    const xss90Score = '<script';
+    let al;
+    let sc;
+
+    beforeEach(function () {
+      al = core.protect.agentLib;
+      sc = sourceContext;
+      sinon.spy(al, 'scoreAtom');
+    });
+
+    it('blocks the request when a 90 score for reflected-xss', function () {
+      sc.rules.agentLibRulesMask |= xssMask;
+      sc.rules.agentLibRules['reflected-xss'] = { mode: 'block' };
+      const body = {
+        secret: sql10Score,
+        [xss90Score]: 'special',
+      };
+      const mask = sc.rules.agentLibRulesMask;
+
+      handleParsedBody(sourceContext, body);
+
+      const PK = al.InputType.ParameterKey;
+      const PV = al.InputType.ParameterValue;
+
+      expect(al.scoreAtom).callCount(4);
+      expect(al.scoreAtom.getCall(0).args).eql([mask, 'secret', PK, preferWW]);
+      expect(al.scoreAtom.getCall(1).args).eql([mask, sql10Score, PV, preferWW]);
+      expect(al.scoreAtom.getCall(2).args).eql([mask, xss90Score, PK, preferWW]);
+      expect(al.scoreAtom.getCall(3).args).eql([mask, 'special', PV, preferWW]);
+      expect(sourceContext.block).calledOnceWith('block', 'reflected-xss');
+
+      expect(sourceContext.findings.resultsMap).an('object').keys(['sql-injection', 'reflected-xss']);
+      const expected = [
+        { ruleId: 'sql-injection', inputType: 'ParameterValue', path: ['secret'], key: 'secret', value: sql10Score, score: 10 },
+        { ruleId: 'reflected-xss', inputType: 'ParameterKey', path: [], key: xss90Score, value: xss90Score, score: 90 },
+      ];
+
+      for (let i = 0; i < expected.length; i++) {
+        expect(sourceContext.findings.resultsMap[expected[i].ruleId]).an('array').length(1);
+
+        const result = sourceContext.findings.resultsMap[expected[i].ruleId][0];
+        expect(result.ruleId).equal(expected[i].ruleId);
+        expect(result.inputType).equal(expected[i].inputType);
+        expect(result.path).eql(expected[i].path);
+        expect(result.key).equal(expected[i].key);
+        expect(result.value).equal(expected[i].value);
+        expect(result.score).equal(expected[i].score);
+      }
+    });
+
+    it('does not block the request if the request is not tracked', function () {
+      const body = { secret: sql10Score };
+
+      handleParsedBody(sourceContext, body);
+
+      expect(al.scoreAtom).callCount(2);
+      expect(sourceContext.block).callCount(0);
+
+      expect(sourceContext.findings.resultsMap).an('object').keys(['sql-injection']);
+      const expected = {
+        ruleId: ['sql-injection'],
+        inputType: ['ParameterValue'],
+        path: [['secret']],
+        key: ['secret'],
+        value: [sql10Score],
+        score: [10],
+      };
+      for (let i = 0; i < expected.length; i++) {
+        expect(sourceContext.findings.resultsMap[expected[i].ruleId]).an('array').length(1);
+
+        const result = sourceContext.findings.resultsMap[expected[i].ruleId][0];
+        expect(result.ruleId).equal(expected[i].ruleId);
+        expect(result.inputType).equal(expected[i].inputType);
+        expect(result.path).eql(expected[i].path);
+        expect(result.key).equal(expected[i].key);
+        expect(result.value).equal(expected[i].value);
+        expect(result.score).equal(expected[i].score);
+      }
+    });
+  });
+
+  describe('handleFileUploadName', function() {
+    it('nyi', function() {
+      expect(() => handleFileUploadName()).to.throw('nyi');
+    });
+  });
+});
+
+// NODE-2170 tests
+const EventEmitter = require('events');
+
+const agentLib = require('@contrast/agent-lib');
+const Protect = require('../../../protect');
+
+const mocks = require('../../../test/mocks');
+
+describe('INPUT ANALYSIS', function() {
+
+  describe('handlers with mock agent-lib', function() {
+    let core;
+    let inputAnalysis;
+    let server;
+    let serverEmit;
+    let req, res;
+    let reqEmitter;
+    let expectedReqData;
+    let connectInputs;
+    let scoreRequestConnect;
+    let srcReturnValue;
+
+    beforeEach(function() {
+      //console.log(this.currentTest.title);
+      core = mocks.core();
+      core.depHooks = mocks.depHooks();
+      core.config = mocks.config();
+      core.patcher = mocks.patcher();
+      Object.assign(core.config.protect.rules, {
+        'cmd-injection': { mode: 'block' }
+      });
+      core.logger = mocks.logger();
+      core.scopes = mocks.scopes();
+
+      srcReturnValue = {
+        trackRequest: true,
+        resultsList: [{
+          score: 90.0,
+          ruleId: 'cmd-injection',
+        }],
+      };
+      scoreRequestConnect = sinon.stub().callsFake(() => srcReturnValue);
+
+      sinon.stub(Protect, 'instantiateAgentLib').returns({
+        // indirection so it can be changed in each test
+        scoreRequestConnect,
+        RuleType: agentLib.constants.RuleType,
+        InputType: agentLib.constants.InputType,
+        // MongoQueryType,
+        // DbType,
+      });
+
+      core.protect = Protect(core);
+
+      sinon.spy(core.protect.inputAnalysis, 'handleConnect');
+
+      inputAnalysis = require('./install/http')(core);
+      inputAnalysis.install();
+      sinon.spy(inputAnalysis, 'makeSourceContext');
+      sinon.spy(inputAnalysis.scope, 'getStore');
+
+      // mock Server thing...
+      server = {};
+      serverEmit = sinon.stub();
+      server.prototype = { emit: serverEmit };
+
+      // mock req, res
+      reqEmitter = new EventEmitter();
+      req = {
+        url: '/',
+        method: 'GET',
+        rawHeaders: ['host', 'vogon.com', 'content-type', 'text/json'],
+        // this needs to look sort of like a real incoming message
+        emit: (...args) => reqEmitter.emit(...args),
+        _events: {},
+        socket: { _readableState: { autoDestroy: false } },
+        resume: sinon.stub(),
+      };
+      res = {
+        end: sinon.stub(),
+        writeHead: sinon.stub(),
+        headersSent: false,
+      };
+
+      // setup a few expected results. these can be modified as needed by
+      // different tests.
+      expectedReqData = {
+        method: req.method,
+        headers: req.rawHeaders.map((h, i) => i & 1 ? h : h.toLowerCase()),
+        rawUrl: req.url,
+        pathname: '/',
+        search: '',
+      };
+      // it's the search string in request parlance but known as query string
+      // here.
+      connectInputs = Object.assign({}, expectedReqData);
+      delete connectInputs.search;
+      connectInputs.queries = expectedReqData.search;
+    });
+
+    // i don't see how to unit test this; xport.Server.prototype.emit()
+    // i.e., the real patching function. i think verifying that function
+    // will require an integration test of some sort.
+    // it('should handle requests on http, https, and http2', ...)
+
+    // initiateRequestHandling() sets up everything but the inputs for all analysis
+    // of this request.
+    it('handleRequestConnect works as expected', function() {
+      const sourceContext = core.protect.makeSourceContext(req, res);
+      sinon.spy(sourceContext, 'block');
+
+      const connectInputs = {
+        method: req.method,
+        headers: req.rawHeaders.map((h, i) => i & 1 ? h : h.toLowerCase()),
+        rawUrl: req.url,
+        pathname: '/',
+        search: '',
+      };
+
+      const block = core.protect.inputAnalysis.handleConnect(sourceContext, connectInputs);
+
+      expect(scoreRequestConnect).callCount(1);
+      expect(sourceContext.block).callCount(0);
+      expect(block).eql(['block', 'cmd-injection']);
+    });
+
+    it('handleRequestConnect() does not block when no attack', function() {
+      const sourceContext = core.protect.makeSourceContext(req, res);
+      sinon.spy(sourceContext, 'block');
+
+      const connectInputs = {
+        method: req.method,
+        headers: req.rawHeaders.map((h, i) => i & 1 ? h : h.toLowerCase()),
+        rawUrl: req.url,
+        pathname: '/',
+        search: '',
+      };
+
+      srcReturnValue = {
+        trackRequest: false,
+      };
+
+      core.protect.inputAnalysis.handleConnect(sourceContext, connectInputs);
+
+      expect(scoreRequestConnect).callCount(1);
+      expect(sourceContext.block).callCount(0);
+    });
+
+    const unimplemented = [
+      'handleRequestEnd',
+      'handleFileUploadName'
+    ];
+    for (const handler of unimplemented) {
+      it(`${handler}() should throw because it's not implemented`, function() {
+        const sourceContext = core.protect.makeSourceContext(req, res);
+        const { inputAnalysis } = core.protect;
+
+        expect(() => inputAnalysis[handler](sourceContext, { x: 'y' })).throws('nyi');
+      });
+    }
+  });
+
+  describe('handlers with real agent-lib', function() {
+    let core;
+    let al;
+    let req, res;
+    let reqEmitter;
+    let expectedReqData;
+    let connectInputs;
+
+    beforeEach(function() {
+      //console.log(this.currentTest.title);
+      core = mocks.core();
+      core.protect = mocks.protect();
+      al = core.protect.agentLib;
+      core.depHooks = mocks.depHooks();
+      core.config = mocks.config();
+      core.patcher = mocks.patcher();
+      Object.assign(core.config.protect.rules, {
+        'cmd-injection': { mode: 'block' }
+      });
+      core.logger = mocks.logger();
+      core.scopes = mocks.scopes();
+
+      // return the real agentLib instantiation.
+      sinon.stub(Protect, 'instantiateAgentLib').returns(al);
+
+      core.protect = Protect(core);
+
+      sinon.spy(core.protect.inputAnalysis, 'handleConnect');
+
+      // mock req, res
+      reqEmitter = new EventEmitter();
+      req = {
+        url: '/',
+        method: 'GET',
+        rawHeaders: ['host', 'vogon.com', 'content-type', 'text/json'],
+        // this needs to look sort of like a real incoming message
+        emit: (...args) => reqEmitter.emit(...args),
+        _events: {},
+        socket: { _readableState: { autoDestroy: false } },
+        resume: sinon.stub(),
+      };
+      res = {
+        end: sinon.stub(),
+        writeHead: sinon.stub(),
+        headersSent: false,
+      };
+
+      // setup a few expected results. these can be modified as needed by
+      // different tests.
+      expectedReqData = {
+        method: req.method,
+        headers: req.rawHeaders.map((h, i) => i & 1 ? h : h.toLowerCase()),
+        rawUrl: req.url,
+        pathname: '/',
+        search: '',
+      };
+      // it's the search string in request parlance but known as query string
+      // here.
+      connectInputs = Object.assign({}, expectedReqData);
+      delete connectInputs.search;
+      connectInputs.queries = expectedReqData.search;
+    });
+
+    describe('handleParsedBody()', function() {
+      it('logs at debug level if the body is not an object', function() {
+        const sourceContext = core.protect.makeSourceContext(req, res);
+        sourceContext.rules.agentLibRules['reflected-xss'] = { mode: 'block' };
+        sourceContext.rules.agentLibRulesMask = al.RuleType['reflected-xss'];
+        sinon.spy(sourceContext, 'block');
+        const { inputAnalysis } = core.protect;
+
+        const parsedBody = 'not-an-object';
+        inputAnalysis.handleParsedBody(sourceContext, parsedBody);
+
+        const text = 'handleParsedBody() called with non-object';
+        expect(core.logger.debug).callCount(1).calledWith({ parsedBody }, text);
+      });
+
+      it('scores the object as JSON', function() {
+        const sourceContext = core.protect.makeSourceContext(req, res);
+        sourceContext.rules.agentLibRules['nosql-injection-mongo'] = { mode: 'block' };
+        sourceContext.rules.agentLibRulesMask |= al.RuleType['nosql-injection-mongo'];
+        const body = {
+          xyzzy: { $ne: { x: 'y' } }
+        };
+        const { inputAnalysis } = core.protect;
+
+        inputAnalysis.handleParsedBody(sourceContext, body);
+        checkNosqlHandleBodyResults(sourceContext, al, body, { mongoContext: true });
+      });
+
+      it('scores the object as urlencoded', function() {
+        const sourceContext = core.protect.makeSourceContext(req, res);
+        sourceContext.rules.agentLibRules['nosql-injection-mongo'] = { mode: 'block' };
+        sourceContext.rules.agentLibRulesMask |= al.RuleType['nosql-injection-mongo'];
+        sourceContext.reqData.contentType = 'x-www-form-urlencoded';
+        const body = {
+          xyzzy: { $ne: { x: 'y' } }
+        };
+        const { inputAnalysis } = core.protect;
+
+        inputAnalysis.handleParsedBody(sourceContext, body);
+        const options = { mongoContext: true, type: 'urlencoded' };
+        checkNosqlHandleBodyResults(sourceContext, al, body, options);
+      });
+    });
+  });
+});
+
+function checkNosqlHandleBodyResults(sourceContext, agentLib, body, opts = {}) {
+  let keyType = 'JsonKey';
+  let bodyType = 'json';
+  if (opts.type === 'urlencoded') {
+    keyType = 'ParameterKey';
+    bodyType = 'urlencoded';
+  }
+  let obj = body;
+  const path = [];
+  let next = Object.keys(body)[0];
+  while (next !== '$ne' && next !== '$finalize') {
+    path.push(next);
+    obj = obj[next];
+    next = Object.keys(obj)[0];
+  }
+  const key = next;
+  const inputToCheck = obj[next];
+
+  expect(sourceContext.findings.trackRequest).equal(true);
+  expect(sourceContext.findings.securityException).equal(undefined);
+  expect(sourceContext.findings.bodyType).equal(bodyType);
+  expect(sourceContext.findings.resultsMap).an('object').keys('nosql-injection-mongo');
+
+  const nosql = sourceContext.findings.resultsMap['nosql-injection-mongo'];
+  expect(nosql).an('array').length(1);
+  expect(nosql[0].ruleId).equal('nosql-injection-mongo');
+  expect(nosql[0].inputType).equal(keyType);
+  expect(nosql[0].path).an('array').eql(path);
+  expect(nosql[0].value).equal(agentLib.getMongoQueryType(key));
+  expect(nosql[0].score).equal(10);
+  expect(nosql[0].mappedId).equal('nosql-injection');
+  expect(nosql[0].blocked).equal(false);
+  expect(nosql[0].details).eql([]);
+
+  if (opts.mongoContext) {
+    expect(nosql[0].mongoContext).an('object').keys('inputToCheck').eql({ inputToCheck });
+  }
+}