@contrast/protect 1.39.0 → 1.40.0

package/lib/error-handlers/common-handler.test.js

@@ -0,0 +1,52 @@
+'use strict';
+
+const { expect } = require('chai');
+const { initProtectFixture, createProtectStore } = require('@contrast/test/fixtures');
+const SecurityException = require('../security-exception');
+
+describe('protect error-handlers common-handler', function () {
+  let core, simulateRequestScope, commonHandler;
+
+  beforeEach(function () {
+    ({
+      core,
+      simulateRequestScope
+    } = initProtectFixture());
+
+    commonHandler = core.protect.errorHandlers.commonHandler;
+  });
+
+  it('should re-throw if not security excpetion', function () {
+    simulateRequestScope(() => {
+      const err = new Error('Not a SecurityException');
+      expect(() => {
+        commonHandler(err);
+      }).to.throw(err);
+    });
+  });
+
+  it('should catch exception and delegate to source context to block', function () {
+    const customStore = { protect: createProtectStore() };
+    customStore.protect.securityException = ['block', 'cmd-injection'];
+
+    simulateRequestScope(() => {
+      expect(() => {
+        commonHandler(new SecurityException());
+        expect(customStore.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      }).not.to.throw();
+    }, customStore);
+  });
+
+  it('should catch exception if request context is unavailable but will log and NOT block', function () {
+    const customStore = { protect: createProtectStore() };
+    customStore.protect.securityException = ['block', 'cmd-injection'];
+
+    expect(() => {
+      commonHandler(new SecurityException());
+      expect(customStore.protect.block).to.not.have.been.called;
+      expect(core.logger.info).to.have.been.calledWith(
+        'SecurityException caught by Contrast but Protect store is unavailable for req handling'
+      );
+    }).not.to.throw();
+  });
+});

package/lib/error-handlers/index.test.js

@@ -0,0 +1,32 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { initProtectFixture } = require('@contrast/test/fixtures');
+
+describe('protect error-handlers', function () {
+  let core, errorHandlers;
+
+  const installerList = [
+    'express4ErrorHandler',
+    'fastifyErrorHandler',
+    'hapiErrorHandler',
+    'koa2ErrorHandler',
+    'restifyErrorHandler'
+  ];
+
+  beforeEach(function () {
+    ({ core } = initProtectFixture());
+    errorHandlers = core.protect.errorHandlers;
+    installerList.forEach((installer) => {
+      sinon.stub(errorHandlers[installer], 'install');
+    });
+  });
+
+  it('installs subcomponents', function () {
+    errorHandlers.install();
+    installerList.forEach((installer) => {
+      expect(errorHandlers[installer].install).to.have.been.called;
+    });
+  });
+});

package/lib/error-handlers/init-domain.test.js

@@ -0,0 +1,34 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const { initProtectFixture } = require('@contrast/test/fixtures');
+
+describe('protect error-handlers init-domain', function () {
+  let core, errorHandlers, initDomain;
+
+  beforeEach(function () {
+    ({ core } = initProtectFixture());
+
+    sinon.stub(core.protect.errorHandlers, 'commonHandler');
+
+    errorHandlers = core.protect.errorHandlers;
+    initDomain = errorHandlers.initDomain;
+  });
+
+  describe('domain integration', function () {
+    beforeEach(function () {
+      sinon.stub(errorHandlers, 'AsyncHookDomain');
+    });
+
+    it('initializes correct domain', function () {
+      expect(core.protect.errorHandlers.AsyncHookDomain).to.be.a('function');
+      expect(core.protect.errorHandlers.Domain).to.be.undefined;
+    });
+
+    it('instantiates async-hook-domain with common error handler', function () {
+      initDomain();
+      expect(errorHandlers.AsyncHookDomain).to.have.been.calledWith(errorHandlers.commonHandler);
+    });
+  });
+});

package/lib/error-handlers/install/express4.test.js

@@ -0,0 +1,238 @@
+/* eslint-disable object-shorthand */
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const SecurityException = require('../../security-exception');
+
+describe('protect error-handlers express4', function () {
+  let core, store, errorHandlerInstr;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    store = {
+      protect: {
+        block: sinon.stub(),
+        securityException: ['block', 'cmd-injection']
+      }
+    };
+
+    sinon.spy(core.patcher, 'patch');
+  });
+
+  describe('finalhandler', function () {
+    let finalhandler, returnedFn;
+
+    beforeEach(function () {
+      finalhandler = function () {
+        return function () { };
+      };
+
+      core.depHooks.resolve.withArgs({ name: 'finalhandler' }).yields(finalhandler);
+
+      errorHandlerInstr = require('./express4')(core);
+      errorHandlerInstr.install();
+
+      const patchedFinalhandler = core.patcher.patch.getCall(0).returnValue;
+      returnedFn = patchedFinalhandler();
+    });
+
+    it('should block the request when there is SecurityException', function () {
+      const error = SecurityException.create();
+
+      core.scopes.sources.run(store, () => {
+        returnedFn(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      });
+    });
+
+    it('should not block the request when there is SecurityException but sourceContext is missing', function () {
+      const error = SecurityException.create();
+
+      core.scopes.sources.run({}, () => {
+        returnedFn(error);
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: 'protect-error-handling:finalHandler.returnedFunction' },
+          'source context not found; unable to handle response',
+        );
+      });
+    });
+
+    it('should skip the instrumentation when there is no SecurityException', function () {
+      const error = new Error('Error');
+
+      core.scopes.sources.run({}, () => {
+        returnedFn(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).not.to.have.been.called;
+      });
+    });
+  });
+
+  describe('Layer.prototype.handle_error', function () {
+    let Layer;
+
+    beforeEach(function () {
+      Layer = function () { };
+      Layer.prototype.handle_error = function () { };
+
+      core.depHooks.resolve.withArgs({ name: 'express', version: '>=4.0.0', file: 'lib/router/layer.js' }).yields(Layer);
+
+      errorHandlerInstr = require('./express4')(core);
+      errorHandlerInstr.install();
+    });
+
+    it('should block the request when there is SecurityException', function () {
+      const error = SecurityException.create();
+
+      core.scopes.sources.run(store, () => {
+        Layer.prototype.handle_error(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      });
+    });
+
+    it('should not block the request when there is SecurityException but sourceContext is missing', function () {
+      const error = SecurityException.create();
+
+      core.scopes.sources.run({}, () => {
+        Layer.prototype.handle_error(error);
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: 'protect-error-handling:Layer.prototype.handle_error' },
+          'source context not found; unable to handle response'
+        );
+      });
+    });
+
+    it('should skip the instrumentation when there is no SecurityException', function () {
+      const error = new Error('Error');
+
+      core.scopes.sources.run({}, () => {
+        Layer.prototype.handle_error(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).not.to.have.been.called;
+      });
+    });
+  });
+
+  describe('Layer.prototype.handle', function () {
+    const sampleFn = function () { };
+    let Layer;
+
+    beforeEach(function () {
+      Layer = function () { };
+
+      core.depHooks.resolve.withArgs({ name: 'express', version: '>=4.0.0', file: 'lib/router/layer.js' }).yields(Layer);
+
+      errorHandlerInstr = require('./express4')(core);
+      errorHandlerInstr.install();
+    });
+
+    it('should patch the function that is being set for `handle`', function () {
+      Layer.prototype.handle = sampleFn;
+
+      expect(core.patcher.patch).to.have.been.calledWith(sampleFn, sinon.match.object);
+    });
+
+    it('should return the patched function for the `handle` get', function () {
+      Layer.prototype.handle = sampleFn;
+
+      expect(Layer.prototype.handle).to.equal(Layer.prototype.__handle);
+    });
+  });
+
+  describe('Router.prototype.constructor.param', function () {
+    let Router;
+    const sampleFn = function () { };
+    const throwingHandler = (error) => async function () {
+      await Promise.reject(error);
+    };
+
+    beforeEach(function () {
+      Router = function () { };
+      Router.prototype.constructor = {
+        param: function () { },
+      };
+
+      core.depHooks.resolve.withArgs({ name: 'express', version: '>=4.0.0', file: 'lib/router/index.js' }).yields(Router);
+
+      core.patcher.patch.resetHistory();
+
+      errorHandlerInstr = require('./express4')(core);
+      errorHandlerInstr.install();
+    });
+
+    it('should patch the function for the param property', function () {
+      Router.prototype.constructor.param('sampleFn', sampleFn);
+
+      expect(core.patcher.patch).to.have.been.calledWith(sampleFn, sinon.match.object);
+    });
+
+    it('should block the request when there is SecurityException', async function () {
+      const error = SecurityException.create();
+      const fn = throwingHandler(error);
+
+      Router.prototype.constructor.param('fn', fn);
+
+      const patchedFn = core.patcher.patch.getCall(1).returnValue;
+
+      await core.scopes.sources.run(store, async () => {
+        await patchedFn();
+      });
+
+      expect(core.logger.info).not.to.have.been.called;
+      expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+    });
+
+    it('should not block the request when there is SecurityException but sourceContext is missing', async function () {
+      const error = SecurityException.create();
+      const fn = throwingHandler(error);
+
+      Router.prototype.constructor.param('fn', fn);
+
+      const patchedFn = core.patcher.patch.getCall(1).returnValue;
+
+      await core.scopes.sources.run({}, async () => {
+        await patchedFn();
+      });
+
+      expect(core.logger.info).to.have.been.calledWith(
+        { funcKey: 'protect-error-handling:express.route-handler' },
+        'source context not found; unable to handle response',
+      );
+    });
+
+    it('should skip the instrumentation when there is no SecurityException', async function () {
+      const error = new Error('Error');
+      const fn = throwingHandler(error);
+
+      Router.prototype.constructor.param('fn', fn);
+
+      const patchedFn = core.patcher.patch.getCall(1).returnValue;
+
+      try {
+        await core.scopes.sources.run(store, async () => {
+          await patchedFn();
+        });
+      } catch (err) {
+        expect(err).to.equal(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).not.to.have.been.called;
+      }
+    });
+  });
+
+
+});

package/lib/error-handlers/install/fastify.test.js

@@ -0,0 +1,130 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const securityException = require('../../security-exception');
+
+describe('protect error-handlers fastify', function () {
+  let core, errorHandler, fastify, server, reply;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    server = {
+      setErrorHandler: sinon.stub(),
+      errorHandler: sinon.stub()
+    };
+    fastify = function () {
+      return server;
+    };
+    core.depHooks.resolve.callsFake((desc, cb) => {
+      fastify = cb(fastify);
+    });
+    reply = {
+      log: {
+        info: sinon.stub(),
+        error: sinon.stub()
+      },
+      send: sinon.stub(),
+      statusCode: 500,
+    };
+
+    errorHandler = require('./fastify')(core);
+    sinon.spy(errorHandler, 'defaultErrorHandler');
+    errorHandler.install();
+
+    fastify();
+  });
+
+  describe('instrumentation adds custom handler', function () {
+    it('patches fastify', function () {
+      expect(server.setErrorHandler).to.have.been.calledWith(errorHandler.handler);
+    });
+  });
+
+  describe('defaultErrorHandler()', function () {
+    let request, err;
+
+    beforeEach(function () {
+      request = {};
+      err = {};
+    });
+
+    it('logs at error level when 500 status code', function () {
+      errorHandler.handler(err, request, reply);
+      expect(reply.log.error).to.have.been.calledWith({ req: request, res: reply, err });
+    });
+
+    it('logs at info level when <500 status code', function () {
+      reply.statusCode = 404;
+      errorHandler.handler(err, request, reply);
+      expect(reply.log.info).to.have.been.calledWith({ res: reply, err });
+    });
+  });
+
+  describe('handler()', function () {
+    let request, err, store, userHandler;
+
+    beforeEach(function () {
+      request = {};
+      err = securityException.create();
+      store = {
+        protect: {
+          block: sinon.stub(),
+          securityException: ['block', 'cmd-injection']
+        }
+      };
+      userHandler = sinon.stub();
+    });
+
+    it('calls default handler when the source context is not available', function () {
+      errorHandler.handler(err, request, reply);
+    });
+
+    it('when set, calls user handler when the source context is not available', function () {
+      server.setErrorHandler(userHandler);
+      errorHandler.handler(err, request, reply);
+      expect(userHandler).to.have.been.calledWith(err, request, reply);
+    });
+
+    it('calls source context\'s .block() with mode and id of rule which raised error', function () {
+      const {
+        protect: {
+          block,
+          securityException
+        }
+      } = store;
+      core.scopes.sources.run(store, () => {
+        errorHandler.handler(err, request, reply);
+        expect(block).to.have.been.calledWith(...securityException);
+      });
+    });
+
+    it('calls default error handler when error is not security exception', function () {
+      err = {};
+      core.scopes.sources.run(store, () => {
+        errorHandler.handler(err, request, reply);
+        expect(errorHandler.defaultErrorHandler).to.have.been.calledWith(err, request, reply);
+      });
+    });
+
+    it('when set, calls user handler when error is ont seecurity exception', function () {
+      err = {};
+      server.setErrorHandler(userHandler);
+      core.scopes.sources.run(store, () => {
+        errorHandler.handler(err, request, reply);
+        expect(userHandler).to.have.been.calledWith(err, request, reply);
+      });
+    });
+  });
+});

package/lib/error-handlers/install/hapi.test.js

@@ -0,0 +1,102 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const SecurityException = require('../../security-exception');
+
+describe('protect error-handlers hapi', function () {
+  let core,
+    errorHandler,
+    store;
+
+  const Boom = {
+    name: 'boom',
+  };
+  const HapiBoom = {
+    name: '@hapi/boom'
+  };
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    store = {
+      protect: {
+        block: sinon.stub(),
+        securityException: ['block', 'cmd-injection']
+      }
+    };
+
+    Boom.boomify = function boom() { };
+    HapiBoom.boomify = function hapiBoom() { };
+
+    core.depHooks.resolve.withArgs({ name: Boom.name }).yields(Boom);
+    core.depHooks.resolve.withArgs({ name: HapiBoom.name }).yields(HapiBoom);
+
+    errorHandler = require('./hapi')(core);
+    errorHandler.install();
+  });
+
+  [Boom, HapiBoom].forEach((module) => {
+    it(`should block the request when there is SecurityException - ${module.name}`, function () {
+      const { boomify } = module;
+      const error = SecurityException.create();
+
+      core.scopes.sources.run(store, () => {
+        error.output = {
+          statusCode: 500,
+        };
+        error.reformat = () => ({});
+
+        boomify(error);
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: `protect-error-handling:${module.name}.boomify`, mode: 'block', ruleId: 'cmd-injection' },
+          'Request blocked'
+        );
+        expect(error.output).to.have.property('statusCode', 403);
+      });
+    });
+  });
+
+  [Boom, HapiBoom].forEach((module) => {
+    it(`should not block the request when there is SecurityException but sourceContext is missing - ${module.name}`, function () {
+      const { boomify } = module;
+      const error = SecurityException.create();
+
+      core.scopes.sources.run({}, () => {
+        error.output = {
+          statusCode: 500,
+        };
+        error.reformat = () => ({});
+
+        boomify(error);
+        expect(core.logger.info).to.have.been.calledWith(
+          { funcKey: `protect-error-handling:${module.name}.boomify` },
+          'source context not found; unable to handle response'
+        );
+      });
+    });
+  });
+
+  [Boom, HapiBoom].forEach((module) => {
+    it(`should skip the instrumentation when there is no SecurityException - ${module.name}`, function () {
+      const { boomify } = module;
+      const error = new Error('Error');
+
+      core.scopes.sources.run({}, () => {
+        boomify(error);
+        expect(core.logger.info).not.to.have.been.called;
+        expect(store.protect.block).not.to.have.been.called;
+      });
+    });
+  });
+});

package/lib/error-handlers/install/koa2.test.js

@@ -0,0 +1,83 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const SecurityException = require('../../security-exception');
+
+describe('protect error-handlers koa2', function () {
+  let core,
+    errorHandler,
+    Koa,
+    onerror,
+    store,
+    ctx;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    store = {
+      protect: {
+        block: sinon.stub(),
+        securityException: ['block', 'cmd-injection']
+      }
+    };
+
+    Koa = function () { };
+
+    Koa.prototype.handleRequest = function () { };
+
+    core.depHooks.resolve.yields(Koa);
+
+    errorHandler = require('./koa2')(core);
+    errorHandler.install();
+
+    onerror = sinon.stub();
+    ctx = {
+      onerror,
+    };
+    Koa.prototype.handleRequest(ctx);
+  });
+
+  it('should block the request when there is SecurityException', function () {
+    const error = SecurityException.create();
+
+    core.scopes.sources.run(store, () => {
+      ctx.onerror(error);
+      expect(core.logger.info).not.to.have.been.called;
+      expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
+      expect(ctx.body).to.equal('');
+    });
+  });
+
+  it('should not block the request when there is SecurityException but sourceContext is missing', function () {
+    const error = SecurityException.create();
+
+    core.scopes.sources.run({}, () => {
+      ctx.onerror(error);
+      expect(core.logger.info).to.have.been.calledWith(
+        { funcKey: 'protect-error-handling:koa.ctx.onerror' },
+        'source context not found; unable to handle response'
+      );
+    });
+  });
+
+  it('should skip the instrumentation when there is no SecurityException', function () {
+    const error = new Error('Error');
+
+    core.scopes.sources.run({}, () => {
+      ctx.onerror(error);
+      expect(core.logger.info).not.to.have.been.called;
+      expect(store.protect.block).not.to.have.been.called;
+    });
+  });
+});