@contrast/protect 1.38.0 → 1.40.0

package/lib/error-handlers/install/restify.test.js

@@ -0,0 +1,57 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initProtectFixture } = require('@contrast/test/fixtures');
+const SecurityException = require('../../security-exception');
+
+describe('protect error-handlers restify v8+', function () {
+  let core, simulateRequestScope, Server, store;
+
+  beforeEach(function () {
+    ({ core, simulateRequestScope } = initProtectFixture());
+
+    Server = { prototype: { _onHandlerError: sinon.stub().returnsArg(0) } };
+    store = { protect: { block: sinon.stub(), securityException: ['block'] } };
+
+    core.depHooks.resolve
+      .withArgs({ name: 'restify', file: 'lib/server.js', version: '>=8' })
+      .yields(Server);
+
+    core.protect.errorHandlers.restifyErrorHandler.install();
+  });
+
+  it('blocks the request when a security exception is handled', function () {
+    const err = SecurityException.create();
+
+    simulateRequestScope(() => {
+      Server.prototype._onHandlerError(err);
+
+      expect(store.protect.block).to.have.been.calledWith(...store.protect.securityException);
+    }, store);
+  });
+
+  it('does not block the request when context is missing', function () {
+    const err = SecurityException.create();
+
+    simulateRequestScope(() => {
+      Server.prototype._onHandlerError(err);
+      expect(store.protect.block).not.to.have.been.called;
+      expect(core.logger.info).to.have.been.calledWith(
+        sinon.match.object,
+        'source context not found; unable to handle response',
+      );
+    }, {});
+  });
+
+  it('does not handle other errors', function () {
+    const err = new Error();
+
+    simulateRequestScope(() => {
+      const result = Server.prototype._onHandlerError(err);
+      expect(store.protect.block).not.to.have.been.called;
+      expect(core.logger.info).not.to.have.been.called;
+      expect(result).to.equal(err);
+    }, store);
+  });
+});

package/lib/get-source-context.test.js

@@ -0,0 +1,35 @@
+'use strict';
+
+const { expect } = require('chai');
+const { initProtectFixture } = require('@contrast/test/fixtures');
+
+describe('protect get-source-context', function () {
+  let core, getSourceContext;
+
+  beforeEach(function () {
+    ({ core } = initProtectFixture());
+    ({ getSourceContext } = core.protect);
+  });
+
+  it('returns the sourceContext when there is `allowed` property in it', function () {
+    core.scopes.sources.run({ protect: { test: 'store' } }, () => {
+      const result = getSourceContext();
+      expect(result).to.deep.equal({ test: 'store' });
+    });
+  });
+
+  it('logs a debug log when the sourceContext is missing and returns null', function () {
+    core.scopes.sources.run({ protect: null }, () => {
+      const result = getSourceContext();
+      expect(result).to.null;
+    });
+  });
+
+  it('returns null when the protect store has a thruthy `allowed` property', function () {
+    core.scopes.sources.run({ protect: { allowed: true } }, () => {
+      const result = getSourceContext();
+      expect(core.logger.debug).not.to.have.been.called;
+      expect(result).to.null;
+    });
+  });
+});

package/lib/hardening/handlers.test.js

@@ -0,0 +1,89 @@
+'use strict';
+
+const { expect } = require('chai');
+const mocks = require('@contrast/test/mocks');
+const { create: createSecurityException } = require('../security-exception');
+const handlersFactory = require('./handlers');
+
+describe('protect hardening handlers', function () {
+  let core, handlers, map, sourceContext;
+
+  const exception = createSecurityException();
+  const sinkContext = {
+    name: 'node-serialize.unserialize',
+    value: '"foo":"_$$ND_FUNC$$_while(true)',
+    get stack() {
+      return [{
+        file: 'index.js',
+        lineNumber: 123,
+        method: '',
+        type: 'Function',
+      }];
+    },
+  };
+
+  function makePolicy(mode) {
+    return {
+      'untrusted-deserialization': mode,
+    };
+  }
+
+  beforeEach(function () {
+    map = {};
+    sourceContext = {
+      resultsMap: map,
+    };
+    core = mocks.core();
+    core.protect = mocks.protect();
+    core.protect.hardening = {};
+    core.protect.throwSecurityException.throws(exception);
+    handlers = handlersFactory(core);
+  });
+
+  ['block', 'block_at_perimeter'].forEach((mode) => {
+    it(`${mode}`, function () {
+      sourceContext.policy = makePolicy(mode);
+
+      expect(function () {
+        handlers.handleUntrustedDeserialization(sourceContext, sinkContext);
+      }).to.throw(exception.constructor);
+
+      expect(map).to.have.deep.property('untrusted-deserialization', [{
+        blocked: true,
+        exploitMetadata: [{ deserializer: 'node-serialize.unserialize', command: false }],
+        sinkContext,
+        value: sinkContext.value,
+      }]);
+    });
+  });
+
+  it('monitor', function () {
+    sourceContext.policy = makePolicy('monitor');
+
+    handlers.handleUntrustedDeserialization(sourceContext, sinkContext);
+
+    expect(map).to.have.deep.property('untrusted-deserialization', [{
+      blocked: false,
+      exploitMetadata: [{ deserializer: 'node-serialize.unserialize', command: false }],
+      sinkContext,
+      value: sinkContext.value,
+    }]);
+  });
+
+  it('off', function () {
+    sourceContext.policy = makePolicy('off');
+
+    handlers.handleUntrustedDeserialization(sourceContext, sinkContext);
+
+    expect(map).not.to.have.deep.property('untrusted-deserialization');
+  });
+
+  it('returns if the result value type is incorrect', function () {
+    sourceContext.policy = makePolicy('monitor');
+    sinkContext.value = true;
+
+    handlers.handleUntrustedDeserialization(sourceContext, sinkContext);
+
+    expect(map).not.to.have.deep.property('untrusted-deserialization');
+  });
+});

package/lib/hardening/index.test.js

@@ -0,0 +1,31 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect hardening', function () {
+  let modulesMock, installStub, core, hardening;
+  beforeEach(function () {
+    installStub = sinon.stub();
+    modulesMock = (propertyName) => function (core) {
+      if (propertyName) {
+        core.protect.hardening[propertyName] = { install: installStub };
+      }
+    };
+    core = mocks.core();
+    core.protect = mocks.protect();
+
+    hardening = proxyquire('.', {
+      './handlers': modulesMock,
+      './install/node-serialize0': modulesMock('nodeSerialize0Instrumentation'),
+      // Total of 2 modules required - 1 handlers and 1 module to be installed
+    });
+  });
+
+  it('calls the install method on nodeSerialize0Instrumentation', function () {
+    hardening(core).install();
+    expect(installStub).to.have.been.calledOnce;
+  });
+});

package/lib/hardening/install/node-serialize0.test.js

@@ -0,0 +1,61 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const patcher = require('@contrast/patcher');
+const scopes = require('@contrast/scopes');
+const mocks = require('@contrast/test/mocks');
+const instrumentationFactory = require('./node-serialize0');
+
+describe('protect hardening node-serialize0', function () {
+  let core, mockLib, hardening;
+
+  beforeEach(function () {
+    mockLib = {
+      unserialize() { }
+    };
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.depHooks = mocks.depHooks();
+    core.depHooks
+      .resolve
+      .withArgs({ name: 'node-serialize', version: '<1.0.0' })
+      .yields(mockLib);
+    core.patcher = patcher(core);
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    hardening = core.protect.hardening;
+
+    instrumentationFactory(core).install();
+  });
+
+  it('calls hardening handler when called in sources scope', function () {
+    const value = '"foo":"_$$ND_FUNC$$_while(true)';
+    const sourceContext = {};
+    const store = { protect: sourceContext };
+    const sinkContext = {
+      name: 'node-serialize.unserialize',
+      value,
+      stacktraceOpts: { constructorOpt: mockLib.unserialize, prependFrames: [sinon.match.func] }
+    };
+
+    core.scopes.sources.run(store, function () {
+      mockLib.unserialize(value);
+    });
+
+    expect(hardening.handleUntrustedDeserialization).to.have.been.calledWith(
+      sourceContext,
+      sinkContext
+    );
+  });
+
+  it('hardening handler is not called when out of sources scope', function () {
+    const value = '"foo":"_$$ND_FUNC$$_while(true)';
+
+    mockLib.unserialize(value);
+
+    expect(hardening.handleUntrustedDeserialization).not.to.have.been.called;
+  });
+});

package/lib/index.test.js

@@ -0,0 +1,53 @@
+'use strict';
+
+const { expect } = require('chai');
+const proxyquire = require('proxyquire');
+const mocks = require('@contrast/test/mocks');
+
+const moduleMock = (moduleName, mock) => (deps) => {
+  deps.protect[moduleName] = mock[moduleName];
+};
+
+describe('protect', function () {
+  let core, protectMock, protectModule, modulesWithInstall;
+
+  beforeEach(function () {
+    protectMock = mocks.protect();
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.config = mocks.config();
+    core.scopes = mocks.scopes();
+    core.config.protect.rules = {
+      ['nosql-injection']: { mode: 'monitor' },
+      ['cmd-injection']: { mode: 'block' },
+      ['path-traversal']: { mode: 'off' }
+    };
+    core.config.protect.rules.disabled_rules = ['sql-injection'];
+    core.rewriter = mocks.rewriter();
+    protectModule = proxyquire('.', {
+      './input-analysis': moduleMock('inputAnalysis', protectMock),
+      './input-tracing': moduleMock('inputTracing', protectMock),
+      './semantic-analysis': moduleMock('semanticAnalysis', protectMock),
+      './hardening': moduleMock('hardening', protectMock),
+      './error-handlers': moduleMock('errorHandlers', protectMock),
+    });
+    modulesWithInstall = ['inputAnalysis', 'inputTracing', 'hardening', 'errorHandlers'];
+  });
+
+  it('installs components and initializes policy', function () {
+    core.config.getEffectiveValue.withArgs('protect.enable').returns(true);
+    protectModule(core).install();
+
+    modulesWithInstall.forEach((module) => {
+      expect(protectMock[module].install).to.have.been.calledOnce;
+    });
+
+    expect(core.protect.getPolicy()).to.deep.include({
+      rulesMask: 48,
+      'cmd-injection': 'block',
+      'nosql-injection': 'monitor',
+    });
+
+    expect(core.rewriter.install).to.have.been.calledWith('protect');
+  });
+});