@contrast/protect 1.38.0 → 1.40.0

package/lib/input-analysis/install/universal-cookie4.test.js

@@ -0,0 +1,70 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const universalCookieInstr = require('./universal-cookie4');
+
+describe('protect input-analysis universal-cookie v4.x', function () {
+  let core, inputAnalysis, universalCookieMock, patchedUniversalCookie, cookie;
+
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    inputAnalysis = core.protect.inputAnalysis;
+    cookie = { parameter: 'parsed' };
+    universalCookieMock = {
+      parseCookies: (cookie) => cookie || {}
+    };
+    sinon.spy(core.patcher, 'patch');
+
+    universalCookieInstr(core).install();
+    patchedUniversalCookie = core.depHooks.resolve.yield(universalCookieMock)[0];
+    core.patcher.patch.resetHistory();
+  });
+
+  it('calls patcher on the `.parseCookies` method', function () {
+    core.depHooks.resolve.yield(universalCookieMock);
+
+    expect(core.patcher.patch).to.have.been.calledOnce;
+    expect(core.patcher.patch).to.have.been.calledWithMatch(universalCookieMock, 'parseCookies', {
+      name: 'universal-cookie.utils',
+      patchType: 'protect-input-analysis',
+      post: sinon.match.func
+    });
+  });
+
+  it('calls `.handleCookies` when parsing is successful, in right context and with reqData.queries present', function () {
+    core.scopes.sources.run({ protect: {} }, () => {
+      patchedUniversalCookie.parseCookies(cookie);
+    });
+
+    expect(inputAnalysis.handleCookies).to.have.been.calledOnce;
+    expect(inputAnalysis.handleCookies).to.have.been.calledWithMatch({ parsedCookies: cookie }, cookie);
+  });
+
+  it('does not call `.handleCookies` when not in context', function () {
+    core.scopes.sources.run({}, () => {
+      patchedUniversalCookie.parseCookies(cookie);
+    });
+
+    expect(inputAnalysis.handleCookies).not.to.have.been.called;
+  });
+
+  it('does not call `.handleCookies` when `universal-cookie` does not return a result', function () {
+    core.scopes.sources.run({ protect: {} }, () => {
+      patchedUniversalCookie.parseCookies(null);
+    });
+
+    expect(inputAnalysis.handleCookies).not.to.have.been.called;
+  });
+});

package/lib/input-analysis/ip-analysis.test.js

@@ -0,0 +1,71 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const mocks = require('@contrast/test/mocks');
+const { Event } = require('@contrast/common');
+const address = require('ipaddr.js');
+
+describe('protect input-analysis ip-analysis', function () {
+  let core, serverUpdate, clock;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.protect = mocks.protect();
+
+    clock = sinon.useFakeTimers();
+
+    serverUpdate = {
+      protect: {
+        rules: {
+          ip_allowlist: [{ ip: '127.0.0.1', expires: 0 }, { ip: '1.2.3.4', expires: 50000 }],
+          ip_denylist: [{ ip: '192.168.1.0/12', expires: 0 }]
+        }
+      }
+    };
+  });
+
+  this.afterEach(function () {
+    clock.restore();
+  });
+
+  it('stores the IP allow/deny lists', function () {
+    require('./ip-analysis')(core);
+    const { ipAllowlist, ipDenylist } = core.protect.inputAnalysis;
+
+    expect(ipAllowlist.length).to.equal(0);
+    expect(ipDenylist.length).to.equal(0);
+
+
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, serverUpdate);
+
+    expect(ipAllowlist).to.deep.equal([
+      {
+        ip: '127.0.0.1',
+        expires: 0,
+        doesExpire: false,
+        expiresAt: undefined,
+        normalizedValue: '127.0.0.1',
+        cidr: undefined
+      },
+      {
+        ip: '1.2.3.4',
+        expires: 50000,
+        doesExpire: true,
+        expiresAt: 50000,
+        normalizedValue: '1.2.3.4',
+        cidr: undefined
+      }
+    ]);
+    expect(ipDenylist).to.deep.equal([
+      {
+        ip: '192.168.1.0/12',
+        expires: 0,
+        doesExpire: false,
+        expiresAt: undefined,
+        normalizedValue: '192.168.1.0',
+        cidr: { range: address.parseCIDR('192.168.1.0/12'), kind: 'ipv4' }
+      }
+    ]);
+  });
+});

package/lib/input-analysis/virtual-patches.test.js

@@ -0,0 +1,106 @@
+'use strict';
+
+const { expect } = require('chai');
+const mocks = require('@contrast/test/mocks');
+const { Event } = require('@contrast/common');
+
+describe('protect input-analysis virtual-patches', function () {
+  let core, virtualPatches, positiveTestData, negativeTestData;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.protect = mocks.protect();
+
+    virtualPatches = [
+      {
+        headers: [{
+          evaluation: 'MATCHES',
+          name: 'Content-Type',
+          value: 'json'
+        }],
+        parameters: [{
+          evaluation: 'DOESNT_EQUALS',
+          name: 'sink',
+          value: 'safe'
+        }],
+        urls: [{
+          evaluation: 'CONTAINS',
+          value: 'database'
+        }],
+      },
+      {
+        headers: [{
+          evaluation: 'EQUALS',
+          name: 'malicious-header',
+          value: 'attack'
+        }],
+        parameters: [{
+          evaluation: 'DOESNT_CONTAIN',
+          name: 'sink',
+          value: 'safe'
+        }],
+        urls: [{
+          evaluation: 'DOESNT_MATCH',
+          value: 'public'
+        }],
+      },
+      {
+        urls: [{
+          evaluation: 'INVALID_EVALUATION',
+          value: 'invalid'
+        }]
+      }
+    ];
+    positiveTestData = {
+      headers: [['content-type', 'application/json'], { 'malicious-header': 'attack' }],
+      parameters: [{ sink: 'unsafe' }, { sink: 'vulnerable' }],
+      urls: ['/api/v1/database', '/api/v1/private']
+    };
+    negativeTestData = {
+      headers: [['test-header', 'test'], ['safe-header', 'not-an-attack']],
+      parameters: [{ sink: 'safe' }, { sink: 'safe' }],
+      urls: ['/api/v1/about', '/api/v1/public']
+    };
+  });
+
+  it('builds the evaluators', function () {
+    require('./virtual-patches')(core);
+    const { virtualPatchesEvaluators } = core.protect.inputAnalysis;
+
+    expect(virtualPatchesEvaluators.length).to.equal(0);
+
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, { protect: { 'virtual-patches': virtualPatches } });
+
+    expect(virtualPatchesEvaluators.length).to.equal(3);
+    expect(virtualPatchesEvaluators[0].size).to.equal(4);
+    expect(virtualPatchesEvaluators[1].size).to.equal(4);
+    expect(virtualPatchesEvaluators[2].size).to.equal(2);
+  });
+
+  it('evaluates the patch conditions correctly', function () {
+    require('./virtual-patches')(core);
+    const { virtualPatchesEvaluators } = core.protect.inputAnalysis;
+
+    core.messages.emit(Event.SERVER_SETTINGS_UPDATE, { protect: { 'virtual-patches': virtualPatches } });
+
+    expect(virtualPatchesEvaluators.length).to.equal(3);
+    virtualPatchesEvaluators.forEach((evaluators, index) => {
+      const headersEvaluator = evaluators.get('HEADERS');
+      const parametersEvaluator = evaluators.get('PARAMETERS');
+      const urlsEvaluators = evaluators.get('URLS');
+
+      if (index !== 2) {
+        expect(headersEvaluator(positiveTestData.headers[index])).to.be.true;
+        expect(headersEvaluator(negativeTestData.headers[index])).to.be.false;
+        expect(parametersEvaluator(positiveTestData.parameters[index])).to.be.true;
+        expect(parametersEvaluator(negativeTestData.parameters[index])).to.be.false;
+        expect(urlsEvaluators(positiveTestData.urls[index])).to.be.true;
+        expect(urlsEvaluators(negativeTestData.urls[index])).to.be.false;
+      } else {
+        expect(headersEvaluator).to.be.undefined;
+        expect(parametersEvaluator).to.be.undefined;
+        expect(urlsEvaluators(positiveTestData.urls[0])).to.be.false;
+      }
+    });
+  });
+});