@contrast/protect 1.39.0 → 1.40.0

package/lib/input-tracing/install/postgres.test.js

@@ -0,0 +1,125 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing postgres', function () {
+  const sourceContext = {};
+  const store = { protect: sourceContext };
+  const query = 'SELECT "foo"';
+
+  let core, inputTracing;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = scopes(core);
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    ({ protect: { inputTracing } } = core);
+  });
+
+  describe('pg.Client.prototype.query', function () {
+    let Client;
+
+    beforeEach(function () {
+      Client = function () { };
+      Client.prototype.query = sinon.stub();
+      core
+        .depHooks
+        .resolve
+        .withArgs({ name: 'pg', file: 'lib/client.js' })
+        .yields(Client);
+      require('./postgres')(core).install();
+    });
+
+    it('handleSqlInjection() is called with expected values', function () {
+      const conn = new Client();
+      conn.query(query);
+      conn.query({ text: query });
+
+      const sinkContext = { name: 'pg.Client.prototype.query', value: query };
+
+      expect(inputTracing.handleSqlInjection.callCount).to.equal(2);
+      [0, 1].forEach(callNum => {
+        expect(inputTracing.handleSqlInjection.getCall(callNum).calledWithExactly(store, sinkContext));
+      });
+    });
+
+    it('handleSqlInjection() is not called if there is no sourceContext', function () {
+      core.scopes.sources.getStore.returns({ protect: undefined });
+
+      const conn = new Client();
+      conn.query(query);
+      conn.query({ text: query });
+
+      expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+    });
+
+    it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
+      const conn = new Client();
+      conn.query('');
+      conn.query(100);
+      conn.query({ text: '' });
+      conn.query({ text: 100 });
+
+      expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+    });
+  });
+
+  describe('pg-pool.Pool.prototype.query', function () {
+    let Pool;
+
+    beforeEach(function () {
+      Pool = function () { };
+      Pool.prototype.query = sinon.stub();
+      core
+        .depHooks
+        .resolve
+        .withArgs({ name: 'pg-pool' })
+        .yields(Pool);
+
+      require('./postgres')(core).install();
+    });
+
+    it('handleSqlInjection() is called with expected values', function () {
+      const pool = new Pool();
+      pool.query(query);
+      pool.query({ text: query });
+
+      const sinkContext = { name: 'pg-pool.Pool.prototype.query', value: query };
+
+      expect(inputTracing.handleSqlInjection.callCount).to.equal(2);
+      [0, 1].forEach(callNum => {
+        expect(inputTracing.handleSqlInjection.getCall(callNum).calledWithExactly(store, sinkContext));
+      });
+    });
+
+    it('handleSqlInjection() is not called if there is no sourceContext', function () {
+      core.scopes.sources.getStore.returns({ protect: undefined });
+
+      const pool = new Pool();
+      const value = 'SELECT "foo"';
+      pool.query(value);
+      pool.query({ text: value });
+
+      expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+    });
+
+    it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
+      const pool = new Pool();
+      pool.query('');
+      pool.query(100);
+      pool.query({ text: '' });
+      pool.query({ text: 100 });
+
+      expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+    });
+  });
+});

package/lib/input-tracing/install/sequelize.test.js

@@ -0,0 +1,78 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing sequelize', function () {
+  let core, inputTracing;
+  const store = { protect: {} };
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = scopes(core);
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    ({ protect: { inputTracing } } = core);
+
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+  });
+
+  describe('sequelize', function () {
+    let sequelize;
+
+    beforeEach(function () {
+      sequelize = function () { };
+      sequelize.prototype.query = sinon.stub();
+      core.depHooks.resolve.yields(sequelize);
+      require('./sequelize')(core).install();
+    });
+
+    describe('instruments sequelize.query()', function () {
+      it('handleSqlInjection() is called with valid expected values', function () {
+        const conn = new sequelize();
+        const value = 'SELECT "foo"';
+        conn.query(value);
+        conn.query({ query: value });
+
+        expect(inputTracing.handleSqlInjection).to.have.been.calledTwice;
+        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
+          {},
+          { name: 'sequelize.prototype.query', value, stacktraceOpts: { constructorOpt: conn.query, prependFrames: [sinon.match.func] } }
+        );
+      });
+
+      it('handleSqlInjection() is not called if instrumentation is locked', function () {
+        sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
+        const conn = new sequelize();
+        const value = 'SELECT "foo"';
+        conn.query(value);
+
+        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+      });
+
+      it('handleSqlInjection() is not called if there is no sourceContext', function () {
+        core.scopes.sources.getStore.returns({ protect: undefined });
+        const conn = new sequelize();
+        const value = 'SELECT "foo"';
+        conn.query(value);
+
+        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+      });
+
+      it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
+        const conn = new sequelize();
+        conn.query('');
+        conn.query(100);
+        conn.query({ query: '' });
+
+        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+      });
+    });
+  });
+});

package/lib/input-tracing/install/spdy.test.js

@@ -0,0 +1,76 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing spdy', function () {
+  let core, inputTracing;
+  const store = { protect: {} };
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = scopes(core);
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    ({ protect: { inputTracing } } = core);
+  });
+
+  describe('spdy', function () {
+    let spdy;
+
+    beforeEach(function () {
+      spdy = function () {};
+      spdy.response = {};
+      spdy.response.end = sinon.stub();
+      spdy.response.spdyStream = { once: sinon.stub() };
+      core.depHooks.resolve.yields(spdy);
+      require('./spdy')(core).install();
+    });
+
+    it('handleReflectedXss() is not called if there is no value', function () {
+      spdy.response.end();
+
+      expect(inputTracing.handleReflectedXss).not.to.have.been.called;
+    });
+
+    it('handleReflectedXss() is not called if there is no sourceContext', function () {
+      core.scopes.sources.getStore.returns({ protect: undefined });
+      const value = "<script>alert('xss');</script>";
+      spdy.response.end(value);
+
+      expect(inputTracing.handleReflectedXss).not.to.have.been.called;
+    });
+
+    it('handleReflectedXss() is not called if instrumentation is locked', function () {
+      sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
+      const value = "<script>alert('xss');</script>";
+      spdy.response.end(value);
+
+      expect(inputTracing.handleReflectedXss).not.to.have.been.called;
+    });
+
+    it('handleReflectedXss() is called with valid expected values', function () {
+      const value = "<script>alert('xss');</script>";
+      spdy.response.end(value);
+
+      expect(inputTracing.handleReflectedXss).to.have.been.calledOnceWith(
+        {},
+        {
+          name: 'spdy.response.end',
+          value,
+          stacktraceOpts: {
+            constructorOpt: spdy.response.end
+          }
+        }
+      );
+    });
+
+  });
+});

package/lib/input-tracing/install/sqlite3.test.js

@@ -0,0 +1,88 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing sqlite3', function () {
+  const store = { protect: {} };
+
+  let core, inputTracing;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.scopes = scopes(core);
+    core.depHooks = mocks.depHooks();
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    ({ protect: { inputTracing } } = core);
+
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+  });
+
+  describe('sqlite3', function () {
+    let sqlite3;
+
+    beforeEach(function () {
+      sqlite3 = {
+        // eslint-disable-next-line object-shorthand
+        Database: function () { }
+      };
+      sqlite3.Database.prototype = {
+        all: sinon.stub(),
+        run: sinon.stub(),
+        get: sinon.stub(),
+        each: sinon.stub(),
+        exec: sinon.stub(),
+        prepare: sinon.stub()
+      };
+      core.depHooks.resolve.yields(sqlite3);
+      require('./sqlite3')(core).install();
+    });
+
+    ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
+      describe(`instruments connection.${method}()`, function () {
+        it('handleSqlInjection() is called with valid expected values', function () {
+          const db = new sqlite3.Database();
+          const value = 'SELECT "foo"';
+          db[method](value);
+
+          expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
+            {},
+            { name: `sqlite3.Database.prototype.${method}`, value, stacktraceOpts: { constructorOpt: db[method], prependFrames: [sinon.match.func] } }
+          );
+        });
+
+        it('handleSqlInjection() is not called if instrumentation is locked', function () {
+          sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
+          const db = new sqlite3.Database();
+          const value = 'SELECT "foo"';
+          db[method](value);
+
+          expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+        });
+
+        it('handleSqlInjection() is not called if there is no sourceContext', function () {
+          core.scopes.sources.getStore.returns({ protect: undefined });
+          const db = new sqlite3.Database();
+          const value = 'SELECT "foo"';
+          db[method](value);
+
+          expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+        });
+
+        it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
+          const db = new sqlite3.Database();
+          db[method]('');
+          db[method](100);
+
+          expect(inputTracing.handleSqlInjection).not.to.have.been.called;
+        });
+      });
+    });
+  });
+});

package/lib/input-tracing/install/vm.test.js

@@ -0,0 +1,176 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+
+describe('protect input-tracing vm', function () {
+  const store = { protect: {} };
+  let vm, origVm, core;
+
+  const testSetup = [
+    {
+      methods: ['Script', 'compileFunction', 'runInContext', 'runInNewContext', 'runInThisContext'],
+      vulnerableArgs: [{ type: 'string', index: 0 }],
+    },
+    {
+      methods: ['runInContext', 'runInNewContext'],
+      vulnerableArgs: [{ type: 'string', index: 0 }, { type: 'object', index: 1 }],
+    },
+    {
+      methods: ['createContext'],
+      vulnerableArgs: [{ type: 'object', index: 0 }],
+    },
+    {
+      methods: ['Script.prototype.runInContext', 'Script.prototype.runInNewContext'],
+      vulnerableArgs: [{ type: 'object', index: 0 }],
+    }
+  ];
+
+  function methodPick(vm, method) {
+    let fn = vm[method];
+
+    if (method.includes('.')) {
+      fn = vm;
+      method.split('.').forEach((prop) => {
+        fn = fn[prop];
+      });
+    }
+
+    return fn;
+  }
+
+  beforeEach(function () {
+    vm = {};
+    origVm = {
+      Script: sinon.stub(),
+      createContext: sinon.stub(),
+      compileFunction: sinon.stub(),
+      runInContext: sinon.stub(),
+      runInNewContext: sinon.stub(),
+      runInThisContext: sinon.stub(),
+    };
+    Object.assign(vm, origVm);
+    origVm['Script.prototype.runInContext'] = sinon.stub();
+    origVm['Script.prototype.runInNewContext'] = sinon.stub();
+    vm.Script.prototype.runInContext = origVm['Script.prototype.runInContext'];
+    vm.Script.prototype.runInNewContext = origVm['Script.prototype.runInNewContext'];
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.depHooks = mocks.depHooks();
+    core.depHooks.resolve.yields(vm);
+    core.scopes = mocks.scopes();
+    sinon.stub(core.scopes.sources, 'getStore').returns(store);
+    core.patcher = patcher(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+
+    require('./vm')(core);
+
+    core.protect.inputTracing.vmInstrumentation.install();
+  });
+
+  describe('ssjsInjection() is called with expected values', function () {
+    testSetup.forEach(({ methods, vulnerableArgs }) => {
+      const methodArgs = [];
+
+      vulnerableArgs.forEach((arg) => {
+        const argValue = arg.type == 'string' ? 'function() { return "hi"; }' : { prop: 'foobar' };
+        methodArgs[arg.index] = argValue;
+      });
+
+      methods.forEach((method) => {
+        const name = `vm.${method}`;
+
+        it(name, function () {
+          const fn = methodPick(vm, method);
+          fn(...methodArgs);
+
+          expect(core.protect.inputTracing.ssjsInjection).to.have.callCount(vulnerableArgs.length);
+          vulnerableArgs.forEach(({ index }) => {
+            const value = methodArgs[index];
+
+            expect(core.protect.inputTracing.ssjsInjection).to.have.been.calledWith(
+              store.protect,
+              { name, value, stacktraceOpts: { constructorOpt: fn, prependFrames: [origVm[method]] } }
+            );
+          });
+        });
+      });
+    });
+  });
+
+  describe('ssjsInjection() is not called when method args are not relevant', function () {
+    const methodArgs = [1, undefined];
+
+    testSetup.forEach(({ methods }) => {
+      methods.forEach((method) => {
+        const name = `vm.${method}`;
+
+        it(name, function () {
+          const fn = methodPick(vm, method);
+
+          fn(...methodArgs);
+
+          expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
+        });
+      });
+    });
+  });
+
+  describe('ssjsInjection() is not called when instrumentation is locked', function () {
+    beforeEach(function () {
+      core.scopes.instrumentation.isLocked.returns(true);
+    });
+
+    testSetup.forEach(({ methods, vulnerableArgs }) => {
+      const methodArgs = [];
+
+      vulnerableArgs.forEach((arg) => {
+        const argValue = arg.type == 'string' ? 'function() { return "hi"; }' : { prop: 'function() { return "hi"; }' };
+        methodArgs[arg.index] = argValue;
+      });
+
+      methods.forEach((method) => {
+        const name = `vm.${method}`;
+
+        it(name, function () {
+          const fn = methodPick(vm, method);
+
+          fn(...methodArgs);
+
+          expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
+        });
+      });
+    });
+  });
+
+  describe('ssjsInjection() is not called when there is no Protect sourceContext', function () {
+    beforeEach(function () {
+      core.scopes.sources.getStore.returns({ protect: null });
+    });
+
+    testSetup.forEach(({ methods, vulnerableArgs }) => {
+      const methodArgs = [];
+
+      vulnerableArgs.forEach((arg) => {
+        const argValue = arg.type == 'string' ? 'function() { return "hi"; }' : { prop: 'function() { return "hi"; }' };
+        methodArgs[arg.index] = argValue;
+      });
+
+      methods.forEach((method) => {
+        const name = `vm.${method}`;
+
+        it(name, function () {
+          const fn = methodPick(vm, method);
+
+          fn(...methodArgs);
+
+          expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
+        });
+      });
+    });
+  });
+});

package/lib/make-response-blocker.test.js

@@ -0,0 +1,99 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const { symbols: { kMetrics } } = require('@contrast/common');
+const mocks = require('@contrast/test/mocks');
+const patcher = require('@contrast/patcher');
+
+describe('protect make-response-blocker', function () {
+
+  let res, core, makeResponseBlocker;
+  beforeEach(function () {
+
+    res = {
+      end: sinon.stub(),
+      headersSent: false,
+      writeHead: sinon.stub()
+    };
+
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.patcher = patcher(core);
+    core.protect = {};
+
+    sinon.spy(core.patcher, 'unwrap');
+    makeResponseBlocker = require('./make-response-blocker')(core);
+  });
+
+  it('Sends a blocked response', function () {
+    const block = makeResponseBlocker(res);
+    block('block', 'sql-injection');
+    expect(core.patcher.unwrap).to.have.been.calledWith(res.writeHead);
+    expect(core.patcher.unwrap).to.have.been.calledWith(res.end);
+    expect(res.writeHead).to.have.been.calledWith(403);
+    expect(res.end).to.have.been.calledWith('');
+    expect(core.logger.info).to.have.been.calledWith(
+      { mode: 'BLOCK', ruleId: 'sql-injection' },
+      'Request blocked'
+    );
+  });
+
+  it('Sets blocked property', function () {
+    const block = makeResponseBlocker(res);
+    block('block', 'sql-injection');
+    expect(makeResponseBlocker.blocked.has(res)).to.be.true;
+  });
+
+  it('Set core.protect.makeResponseBlocker', function () {
+    expect(core.protect.makeResponseBlocker).to.equal(makeResponseBlocker);
+  });
+
+  it('Blocks on the same "res" object only once', function () {
+    const block = makeResponseBlocker(res);
+    block('block', 'sql-injection');
+    block('block', 'cmd-injection');
+    expect(makeResponseBlocker.blocked.has(res));
+    expect(res.end).to.have.been.calledOnce;
+    expect(res.writeHead).to.have.been.calledOnce;
+    expect(core.logger.info).to.have.been.calledOnce;
+  });
+
+  it('Adds multiple responses to blocked set', function () {
+    const res1 = Object.assign({}, res);
+    const res2 = Object.assign({}, res);
+    const block1 = makeResponseBlocker(res1);
+    const block2 = makeResponseBlocker(res2);
+    block1('block', 'sql-injection');
+    block2('block', 'cmd-injection');
+    expect(makeResponseBlocker.blocked.has(res1));
+    expect(makeResponseBlocker.blocked.has(res2));
+  });
+
+  it('Does not call writeHead when headers already sent', function () {
+    const block = makeResponseBlocker(res);
+    res.headersSent = true;
+    block('block_at_perimeter', 'reflected-xss');
+    expect(res.writeHead).not.to.have.been.called;
+    expect(res.end).to.have.been.calledWith('');
+  });
+
+  it('Logs error when exception thrown', function () {
+    const err = new Error('error');
+    res.end.throws(err);
+    const block = makeResponseBlocker(res);
+    block('block', 'path-traversal');
+    expect(core.logger.error).to.have.been.calledWith(
+      { err, mode: 'BLOCK', ruleId: 'path-traversal' },
+      'Error blocking request'
+    );
+  });
+
+  it('removes the `metrics` object if present', function () {
+    const block = makeResponseBlocker(res);
+    res[kMetrics] = { timeout: setTimeout(sinon.stub(), 1) };
+    block('block', 'sql-injection');
+
+    expect(res).not.to.have.property(kMetrics);
+  });
+});