@contrast/protect 1.39.0 → 1.40.0

package/lib/input-tracing/index.test.js

@@ -0,0 +1,62 @@
+'use strict';
+
+const { expect } = require('chai');
+const sinon = require('sinon');
+const proxyquire = require('proxyquire');
+
+const MODULES = [
+  'childProcess',
+  'eval',
+  'fs',
+  'function',
+  'http',
+  'http2',
+  'marsdb',
+  'mongodb',
+  'mssql',
+  'mysql',
+  'postgres',
+  'sequelize',
+  'spdy',
+  'sqlite3',
+  'vm',
+];
+
+describe('protect input-tracing', function () {
+  let core, inputTracing;
+
+  beforeEach(function () {
+    core = {};
+    core.protect = {};
+
+    const hooksMock = (hookProp) => (core) => {
+      core.protect.inputTracing[hookProp] = { install: sinon.stub() };
+    };
+
+    inputTracing = proxyquire('.', {
+      './install/child-process': hooksMock('childProcess'),
+      './install/eval': hooksMock('eval'),
+      './install/fs': hooksMock('fs'),
+      './install/function': hooksMock('function'),
+      './install/http': hooksMock('http'),
+      './install/http2': hooksMock('http2'),
+      './install/marsdb': hooksMock('marsdb'),
+      './install/mongodb': hooksMock('mongodb'),
+      './install/mssql': hooksMock('mssql'),
+      './install/mysql': hooksMock('mysql'),
+      './install/postgres': hooksMock('postgres'),
+      './install/sequelize': hooksMock('sequelize'),
+      './install/spdy': hooksMock('spdy'),
+      './install/sqlite3': hooksMock('sqlite3'),
+      './install/vm': hooksMock('vm'),
+    })(core);
+  });
+
+  it('calls the install() method of the required hooks', function () {
+    inputTracing.install();
+
+    MODULES.forEach((module) => {
+      expect(inputTracing[module].install).to.have.been.called;
+    });
+  });
+});

package/lib/input-tracing/install/child-process.test.js

@@ -0,0 +1,133 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks/');
+
+describe('protect input-tracing child-process', function () {
+  const cpInstr = require('./child-process');
+  const store = { protect: {} };
+  let cp, origCp, core;
+
+  beforeEach(function () {
+    origCp = {
+      exec: sinon.stub(),
+      execSync: sinon.stub()
+    };
+    cp = {
+      exec: origCp.exec,
+      execSync: origCp.execSync
+    };
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.depHooks = mocks.depHooks();
+    core.depHooks.resolve.yields(cp);
+    core.scopes = mocks.scopes();
+    core.scopes.sources = {
+      getStore: sinon.stub().returns(store)
+    };
+    core.patcher = patcher(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+
+    cpInstr(core);
+
+    core.protect.inputTracing.cpInstrumentation.install();
+  });
+
+  describe('handleCommandInjection() is called with expected values', function () {
+    const methodArgs = ['foo', 'bar'];
+
+    ['exec', 'execSync'].forEach((method) => {
+      const name = `child_process.${method}`;
+
+      it(`${name}`, function () {
+        cp[method](...methodArgs);
+
+        const value = methodArgs[0];
+
+        expect(core.protect.inputTracing.handleCommandInjection).to.have.been.calledWith(
+          store.protect,
+          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
+        );
+        expect(core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors).to.have.been.calledWith(
+          store.protect,
+          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
+        );
+        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands).to.have.been.calledWith(
+          store.protect,
+          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
+        );
+        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous).to.have.been.calledWith(
+          store.protect,
+          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
+        );
+        expect(core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass).to.have.been.calledWith(
+          store.protect,
+          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
+        );
+      });
+    });
+  });
+
+  describe('handleCommandInjection() is not called when method args are not relevant', function () {
+    const methodArgs = [1, undefined];
+
+    ['exec', 'execSync'].forEach((method) => {
+      const name = `child_process.${method}`;
+
+      it(name, function () {
+        cp[method](...methodArgs);
+
+        expect(core.protect.inputTracing.handleCommandInjection).not.to.have.been.called;
+        expect(core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors).not.to.have.been.called;
+        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands).not.to.have.been.called;
+        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous).not.to.have.been.called;
+      });
+    });
+  });
+
+  describe('handleCommandInjection() is not called when instrumentation is locked', function () {
+    const methodArgs = ['foo', 'bar'];
+
+    beforeEach(function () {
+      core.scopes.instrumentation.isLocked.returns(true);
+    });
+
+    ['exec', 'execSync'].forEach((method) => {
+      const name = `child_process.${method}`;
+
+      it(name, function () {
+        cp[method](...methodArgs);
+
+        expect(core.protect.inputTracing.handleCommandInjection).not.to.have.been.called;
+        expect(core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors).not.to.have.been.called;
+        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands).not.to.have.been.called;
+        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous).not.to.have.been.called;
+      });
+    });
+  });
+
+  describe('handleCommandInjection() is not called when there is no Protect sourceContext', function () {
+    const methodArgs = ['foo', 'bar'];
+
+    beforeEach(function () {
+      core.scopes.sources.getStore.returns({ protect: null });
+    });
+
+    ['exec', 'execSync'].forEach((method) => {
+      const name = `child_process.${method}`;
+
+      it(name, function () {
+        cp[method](...methodArgs);
+
+        expect(core.protect.inputTracing.handleCommandInjection).not.to.have.been.called;
+        expect(core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors).not.to.have.been.called;
+        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands).not.to.have.been.called;
+        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous).not.to.have.been.called;
+      });
+    });
+  });
+});

package/lib/input-tracing/install/eval.test.js

@@ -0,0 +1,78 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing eval', function () {
+  const evalInstr = require('./eval');
+  const store = { protect: {} };
+  let evalArg, core;
+
+  beforeEach(function () {
+    evalArg = 'function() { return "hi"; }';
+
+    if (!global.ContrastMethods) {
+      global.ContrastMethods = {};
+    }
+    global.ContrastMethods.eval = sinon.stub();
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.depHooks = mocks.depHooks();
+    core.depHooks.resolve.yields(global.ContrastMethods.eval);
+    core.scopes = mocks.scopes();
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.patcher = patcher(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+
+    evalInstr(core);
+
+    core.protect.inputTracing.evalInstrumentation.install();
+  });
+
+  afterEach(function () {
+    Reflect.deleteProperty(global.ContrastMethods);
+  });
+
+  it('ssjsInjection() is called with expected values', function () {
+    global.ContrastMethods.eval(evalArg);
+
+    expect(core.protect.inputTracing.ssjsInjection).to.have.been.calledWith(
+      store.protect,
+      { name: 'eval', value: evalArg, stacktraceOpts: { constructorOpt: sinon.match.func, prependFrames: [sinon.match.func] } }
+    );
+  });
+
+  it('ssjsInjection() is not called when method args are not relevant', function () {
+    global.ContrastMethods.eval(1, evalArg);
+
+    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
+  });
+
+  it('ssjsInjection() is not called when instrumentation is locked', function () {
+    core.scopes.instrumentation.isLocked.returns(true);
+
+    global.ContrastMethods.eval(evalArg);
+
+    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
+  });
+
+  it('ssjsInjection() is not called when there is no Protect sourceContext', function () {
+    core.scopes.sources.getStore.returns({ protect: null });
+
+    global.ContrastMethods.eval(evalArg);
+
+    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
+  });
+
+  it('logs an error when there is no `global.ContrastMethods.eval` method', function () {
+    global.ContrastMethods.eval = null;
+
+    core.protect.inputTracing.evalInstrumentation.install();
+
+    expect(core.logger.error).to.have.been.calledOnceWith('Cannot install `eval` instrumentation - Contrast method DNE');
+  });
+});

package/lib/input-tracing/install/fs.test.js

@@ -0,0 +1,108 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { FS_METHODS } = require('@contrast/common');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing fs', function () {
+  const store = { protect: {} };
+  let fs, fsPromises, core;
+
+  beforeEach(function () {
+    fs = {
+      promises: {}
+    };
+    fsPromises = {};
+
+    for (const { name, promises, sync } of FS_METHODS) {
+      fs[name] = sinon.stub();
+      if (sync) {
+        fs[`${name}Sync`] = sinon.stub();
+      }
+      if (promises) {
+        fsPromises[name] = sinon.stub();
+        fs.promises[name] = sinon.stub();
+      }
+    }
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.depHooks = mocks.depHooks();
+    core.depHooks.resolve.withArgs({ name: 'fs' }).yields(fs);
+    core.depHooks.resolve.withArgs({ name: 'fs/promises' }).yields(fsPromises);
+    core.scopes = mocks.scopes();
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.patcher = patcher(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+
+    require('./fs')(core).install();
+  });
+
+  for (const { name, promises, sync, indices } of FS_METHODS) {
+    const methodsUnderTest = [{ name: `fs.${name}`, getFn: () => fs[name] }];
+    if (sync) {
+      methodsUnderTest.push({ name: `fs.${name}Sync`, getFn: () => fs[`${name}Sync`] });
+    }
+    if (promises) {
+      methodsUnderTest.push({ name: `fsPromises.${name}`, getFn: () => fsPromises[name] });
+      methodsUnderTest.push({ name: `fs.promises.${name}`, getFn: () => fs.promises[name] });
+    }
+
+    for (const { name, getFn } of methodsUnderTest) {
+      describe(name, function () {
+        it('handlePathTraversal() is called with expected values', function () {
+          const method = getFn();
+          const methodArgs = ['foo', 'bar'];
+          method(...methodArgs);
+
+          for (const idx of indices) {
+            const value = methodArgs[idx];
+
+            expect(core.protect.inputTracing.handlePathTraversal).to.have.been.calledWith(
+              store.protect,
+              {
+                name,
+                value,
+                stacktraceOpts: {
+                  constructorOpt: method,
+                  prependFrames: [sinon.match.func]
+                }
+              }
+            );
+          }
+        });
+
+        it('handlePathTraversal() is not called when method args are not relevant', function () {
+          const method = getFn();
+          const methodArgs = [1, undefined];
+          method(...methodArgs);
+
+          expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
+        });
+
+
+        it('handlePathTraversal() is not called when instrumentation is locked', function () {
+          const method = getFn();
+          const methodArgs = ['foo', 'bar'];
+          core.scopes.instrumentation.isLocked.returns(true);
+          method(...methodArgs);
+
+          expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
+        });
+
+
+        it('handlePathTraversal() is not called when there is no Protect sourceContext', function () {
+          const method = getFn();
+          const methodArgs = ['foo', 'bar'];
+          core.scopes.sources.getStore.returns({ protect: null });
+          method(...methodArgs);
+
+          expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
+        });
+      });
+    }
+  }
+});

package/lib/input-tracing/install/function.test.js

@@ -0,0 +1,81 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing function', function () {
+  const functionInstr = require('./function');
+  const store = { protect: {} };
+  let constructorArg, core;
+
+  beforeEach(function () {
+    constructorArg = 'return "hi";';
+
+    if (!global.ContrastMethods) {
+      global.ContrastMethods = {};
+    }
+    global.ContrastMethods.Function = sinon.stub();
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.depHooks = mocks.depHooks();
+    core.depHooks.resolve.yields(global.ContrastMethods.Function);
+    core.scopes = mocks.scopes();
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.patcher = patcher(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+
+    functionInstr(core);
+
+    core.protect.inputTracing.functionInstrumentation.install();
+  });
+
+  afterEach(function () {
+    Reflect.deleteProperty(global.ContrastMethods);
+  });
+
+  it('ssjsInjection() is called with expected values', function () {
+    global.ContrastMethods.Function(constructorArg);
+
+    expect(core.protect.inputTracing.ssjsInjection).to.have.been.calledWith(
+      store.protect,
+      { name: 'Function', value: constructorArg, stacktraceOpts: { constructorOpt: sinon.match.func, prependFrames: [sinon.match.func] } }
+    );
+  });
+
+  it('ssjsInjection() is called only with the value for the function body', function () {
+    global.ContrastMethods.Function('a', 'return a');
+
+    expect(core.protect.inputTracing.ssjsInjection).to.have.been.calledOnceWithExactly(
+      store.protect,
+      { name: 'Function', value: 'return a', stacktraceOpts: { constructorOpt: sinon.match.func, prependFrames: [sinon.match.func] } }
+    );
+  });
+
+  it('ssjsInjection() is not called when instrumentation is locked', function () {
+    core.scopes.instrumentation.isLocked.returns(true);
+
+    global.ContrastMethods.Function(constructorArg);
+
+    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
+  });
+
+  it('ssjsInjection() is not called when there is no Protect sourceContext', function () {
+    core.scopes.sources.getStore.returns({ protect: null });
+
+    global.ContrastMethods.Function(constructorArg);
+
+    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
+  });
+
+  it('logs an error when there is no `global.ContrastMethods.eval` method', function () {
+    global.ContrastMethods.Function = null;
+
+    core.protect.inputTracing.functionInstrumentation.install();
+
+    expect(core.logger.error).to.have.been.calledOnceWith('Cannot install `Function` instrumentation - Contrast method DNE');
+  });
+});

package/lib/input-tracing/install/http.test.js

@@ -0,0 +1,85 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing http', function () {
+  let core, inputTracing;
+  const store = { protect: {} };
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = scopes(core);
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    ({ protect: { inputTracing } } = core);
+
+  });
+
+  describe('http', function () {
+    let http;
+
+    beforeEach(function () {
+      http = function () { };
+      http.ServerResponse = function () { };
+      http.ServerResponse.prototype.end = sinon.stub();
+      http.ServerResponse.prototype.write = sinon.stub();
+      core.depHooks.resolve.yields(http);
+      require('./http')(core).install();
+    });
+
+    ['write', 'end'].forEach((method) => {
+      describe(`instruments ServerResponse.${method}()`, function () {
+        it('handleReflectedXss() is called with valid expected values', function () {
+          const serverResponse = new http.ServerResponse();
+          const value = '" onmouseover="alert(3)"';
+          serverResponse[method](value);
+
+          expect(inputTracing.handleReflectedXss).to.have.been.calledOnce;
+          expect(inputTracing.handleReflectedXss).to.have.been.calledWith(
+            {},
+            {
+              name: `http.ServerResponse.prototype.${method}`,
+              value,
+              stacktraceOpts: {
+                constructorOpt: serverResponse[method]
+              }
+            }
+          );
+        });
+
+        it('handleReflectedXss() is not called if instrumentation is locked', function () {
+          sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
+          const serverResponse = new http.ServerResponse();
+          const value = '" onmouseover="alert(3)"';
+          serverResponse[method](value);
+
+          expect(inputTracing.handleReflectedXss).not.to.have.been.called;
+        });
+
+        it('handleReflectedXss() is not called if there is no sourceContext', function () {
+          core.scopes.sources.getStore.returns({ protect: undefined });
+          const serverResponse = new http.ServerResponse();
+          const value = '" onmouseover="alert(3)"';
+          serverResponse[method](value);
+
+          expect(inputTracing.handleReflectedXss).not.to.have.been.called;
+        });
+
+        it('handleReflectedXss() is not called if there is no value', function () {
+          const serverResponse = new http.ServerResponse();
+          serverResponse[method]();
+
+          expect(inputTracing.handleReflectedXss).not.to.have.been.called;
+        });
+      });
+    });
+  });
+});

package/lib/input-tracing/install/http2.test.js

@@ -0,0 +1,83 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing http2', function () {
+  let core, inputTracing;
+  const store = { protect: {} };
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = scopes(core);
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    ({ protect: { inputTracing } } = core);
+  });
+
+  describe('http2', function () {
+    let http2;
+
+    beforeEach(function () {
+      http2 = function () { };
+      http2.Http2ServerResponse = function () { };
+      http2.Http2ServerResponse.prototype.end = sinon.stub();
+      http2.Http2ServerResponse.prototype.write = sinon.stub();
+      core.depHooks.resolve.yields(http2);
+      require('./http2')(core).install();
+    });
+
+    ['write', 'end'].forEach((method) => {
+      it('handleReflectedXss() is not called if there is no value', function () {
+        const serverResponse = new http2.Http2ServerResponse();
+        serverResponse[method]();
+
+        expect(inputTracing.handleReflectedXss).not.to.have.been.called;
+      });
+
+      it('handleReflectedXss() is not called if there is no sourceContext', function () {
+        core.scopes.sources.getStore.returns({ protect: undefined });
+        const serverResponse = new http2.Http2ServerResponse();
+        const value = "<script>alert('xss');</script>";
+        serverResponse[method](value);
+
+        expect(inputTracing.handleReflectedXss).not.to.have.been.called;
+      });
+
+      it('handleReflectedXss() is not called if instrumentation is locked', function () {
+        sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
+        const serverResponse = new http2.Http2ServerResponse();
+        const value = "<script>alert('xss');</script>";
+        serverResponse[method](value);
+
+        expect(inputTracing.handleReflectedXss).not.to.have.been.called;
+      });
+
+      describe(`instruments Http2ServerResponse.${method}()`, function () {
+        it('handleReflectedXss() is called with valid expected values', function () {
+          const serverResponse = new http2.Http2ServerResponse();
+          const value = "<script>alert('xss');</script>";
+          serverResponse[method](value);
+
+          expect(inputTracing.handleReflectedXss).to.have.been.calledOnceWith(
+            {},
+            {
+              name: `http2.Http2ServerResponse.prototype.${method}`,
+              value,
+              stacktraceOpts: {
+                constructorOpt: serverResponse[method]
+              }
+            }
+          );
+        });
+      });
+    });
+  });
+});