@contrast/protect 1.39.0 → 1.40.0

package/lib/input-analysis/install/fastify.test.js

@@ -0,0 +1,96 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const SecurityException = require('../../security-exception');
+const secEx = SecurityException.create();
+const fastifyInstr = require('./fastify');
+
+describe('protect input-analysis fastify v3.x', function () {
+  let core, inputAnalysis, fastify, serverMock, reqMock, resMock, doneMock;
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    reqMock = {
+      query: { foo: 'bar' },
+      cookies: { foo: 'bar' },
+      params: { foo: 'bar' },
+      body: { foo: 'bar' },
+    };
+    resMock = {};
+    doneMock = sinon.stub();
+    serverMock = {
+      addHook: sinon.stub().yields(reqMock, resMock, doneMock),
+    };
+
+    const fastifyOrig = () => serverMock;
+    core.depHooks.resolve.callsFake(function (desc, cb) {
+      fastify = cb(fastifyOrig);
+    });
+
+    inputAnalysis = core.protect.inputAnalysis;
+    fastifyInstr(core).install();
+  });
+
+  describe('preValidationHook', function () {
+    it('adds hook and calls appropriate analysis handlers', function () {
+      core.scopes.sources.run({ protect: {} }, () => {
+        fastify();
+      });
+
+      expect(serverMock.addHook).to.have.been.called;
+      expect(doneMock).to.have.been.called;
+      expect(core.logger.debug).not.to.have.been.called;
+
+      expect(inputAnalysis.handleQueryParams).to.have.been.called;
+      expect(inputAnalysis.handleUrlParams).to.have.been.called;
+      expect(inputAnalysis.handleCookies).to.have.been.called;
+      expect(inputAnalysis.handleParsedBody).to.have.been.called;
+    });
+
+    it('input analysis does not occur if there is no protect source context', function () {
+      fastify();
+      expect(doneMock).to.have.been.called;
+
+      expect(inputAnalysis.handleQueryParams).not.to.have.been.called;
+      expect(inputAnalysis.handleUrlParams).not.to.have.been.called;
+      expect(inputAnalysis.handleCookies).not.to.have.been.called;
+      expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
+    });
+
+    it('handles a case with SecurityException from the input-analysis', function () {
+      inputAnalysis.handleQueryParams.throws(secEx);
+      core.scopes.sources.run({ protect: {} }, () => {
+        fastify();
+      });
+
+      expect(doneMock).to.have.been.calledOnceWith(secEx);
+    });
+
+    it('handles a case with a normal error in the input analysis', function () {
+      const err = new Error('Input Analysis Error');
+
+      inputAnalysis.handleQueryParams.throws(err);
+      core.scopes.sources.run({ protect: {} }, () => {
+        fastify();
+      });
+
+      expect(core.logger.error).to.have.been.calledWith(
+        { err, funcKey: 'protect-input-analysis:fastify.build' },
+        'Unexpected error during input analysis'
+      );
+      expect(doneMock).to.have.been.calledOnce;
+      expect(doneMock).not.to.have.been.calledWith(err);
+    });
+  });
+});

package/lib/input-analysis/install/formidable1.test.js

@@ -0,0 +1,114 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const formidableInstr = require('./formidable1');
+
+describe('protect input-analysis formidable v1.x', function () {
+  let core, inputAnalysis, parseMock, patchedParse, req, cbStub;
+
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    inputAnalysis = core.protect.inputAnalysis;
+    req = { fields: { parameter: 'parsed' }, files: { fileField: { name: 'some-file' } } };
+    parseMock = (req, cb) => {
+      if (typeof cb === 'function') {
+        cb(null, req.fields, req.files);
+      }
+    };
+    cbStub = sinon.stub();
+    sinon.spy(core.patcher, 'patch');
+
+    formidableInstr(core).install();
+    patchedParse = core.depHooks.resolve.yield({ IncomingForm: { prototype: { parse: parseMock } } })[0].IncomingForm.prototype.parse;
+    core.patcher.patch.resetHistory();
+  });
+
+  it('calls patcher on the `.parse` method', function () {
+    core.depHooks.resolve.yield({ IncomingForm: { prototype: { parse: parseMock } } });
+
+    expect(core.patcher.patch).to.have.been.calledOnce;
+    expect(core.patcher.patch).to.have.been.calledWithMatch(sinon.match.func, {
+      name: 'Formidable.IncomingForm.prototype.parse',
+      patchType: 'protect-input-analysis',
+      pre: sinon.match.func
+    });
+  });
+
+  it('calls `.handleParsedBody` and `handleFileUploadName` when parsing is successful and in right context', function () {
+    core.scopes.sources.run({ protect: {} }, () => {
+      patchedParse(req, cbStub);
+    });
+
+    expect(cbStub).to.have.been.calledOnce;
+    expect(inputAnalysis.handleParsedBody).to.have.been.calledOnce;
+    expect(inputAnalysis.handleParsedBody).to.have.been.calledWithMatch({ parsedBody: req.fields }, req.fields);
+    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
+    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({ parsedBody: req.fields }, ['some-file']);
+  });
+
+
+  it('calls `handleFileUploadName` when parsing is successful with multiple files and in right context', function () {
+    req.files = { filesField: [{ name: 'some-file-1' }, { name: 'some-file-2' }] };
+    core.scopes.sources.run({ protect: {} }, () => {
+      patchedParse(req, cbStub);
+    });
+
+    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
+    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({ parsedBody: req.fields }, ['some-file-1', 'some-file-2']);
+  });
+
+  it('calls `.handleParsedBody` when parsing is successful and in right context, but there are no files', function () {
+    req.files = null;
+    core.scopes.sources.run({ protect: {} }, () => {
+      patchedParse(req, cbStub);
+    });
+
+    expect(cbStub).to.have.been.calledOnce;
+    expect(inputAnalysis.handleParsedBody).to.have.been.calledOnce;
+    expect(inputAnalysis.handleParsedBody).to.have.been.calledWithMatch({ parsedBody: req.fields }, req.fields);
+    expect(core.logger.debug).not.to.have.been.called;
+  });
+
+  it('does not call `.handleParsedBody` when not in context', function () {
+    core.scopes.sources.run({}, () => {
+      patchedParse(req, cbStub);
+    });
+
+    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
+    expect(cbStub).to.have.been.calledOnce;
+  });
+
+  it('does not call `.handleParsedBody` when `formidable` there is a result, but only files are uploaded', function () {
+    req.fields = null;
+    core.scopes.sources.run({ protect: {} }, () => {
+      patchedParse(req, cbStub);
+    });
+
+    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
+    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
+    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({}, ['some-file']);
+    expect(cbStub).to.have.been.calledOnce;
+  });
+
+  it('does not call `.handleParsedBody` when `formidable` does not return a result', function () {
+    core.scopes.sources.run({ protect: {} }, () => {
+      patchedParse({}, cbStub);
+    });
+
+    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
+    expect(core.logger.debug).not.to.have.been.called;
+    expect(cbStub).to.have.been.calledOnce;
+  });
+});

package/lib/input-analysis/install/hapi.test.js

@@ -0,0 +1,300 @@
+'use strict';
+
+const sinon = require('sinon');
+const { expect } = require('chai');
+const scopes = require('@contrast/scopes');
+const patcher = require('@contrast/patcher');
+const mocks = require('@contrast/test/mocks');
+const { create, isSecurityException } = require('../../security-exception');
+
+describe('protect input-analysis hapi', function () {
+  let core,
+    hapiSources,
+    store,
+    inputAnalysis;
+
+  const Hapi = {
+    name: 'hapi',
+    version: '>=18 <22'
+  };
+  const HapiHapi = {
+    name: '@hapi/hapi',
+    version: '>=18 <22'
+  };
+  const HapiPez = {
+    name: '@hapi/pez'
+  };
+
+  beforeEach(function () {
+    core = mocks.core();
+    core.config = mocks.config();
+    core.logger = mocks.logger();
+    core.scopes = scopes(core);
+    core.protect = mocks.protect();
+    require('../../get-source-context')(core);
+    core.depHooks = mocks.depHooks();
+    core.patcher = patcher(core);
+
+    inputAnalysis = core.protect.inputAnalysis;
+    sinon.spy(core.patcher, 'patch');
+    store = {
+      protect: {
+        block: sinon.stub(),
+        securityException: ['block', 'cmd-injection']
+      }
+    };
+
+    Hapi.server = function hapi(server) {
+      return server;
+    };
+    HapiHapi.server = function hapiHapi(server) {
+      return server;
+    };
+    HapiPez.Dispenser = function () { };
+    HapiPez.Dispenser.prototype.emit = function () { };
+
+    core.depHooks.resolve.withArgs({ name: Hapi.name, version: Hapi.version }).yields(Hapi);
+    core.depHooks.resolve.withArgs({ name: HapiHapi.name, version: HapiHapi.version }).yields(HapiHapi);
+    core.depHooks.resolve.withArgs({ name: HapiPez.name }).yields(HapiPez);
+
+    hapiSources = require('./hapi')(core);
+    hapiSources.install();
+  });
+
+  [Hapi, HapiHapi].forEach((module) => {
+    it(`skip instrumentation if server is missing - ${module.name}`, function () {
+      const { server } = module;
+
+      core.scopes.sources.run(store, () => {
+        server();
+        expect(core.logger.error).to.have.been.calledWith(
+          { funcKey: 'protect-input-analysis:hapi.server' },
+          'Hapi Server is called but there is no server instance!'
+        );
+      });
+    });
+  });
+
+  [Hapi, HapiHapi].forEach((module) => {
+    it(`should log onPreStart hapi version - ${module.name}`, function () {
+      const { server } = module;
+      const serverInstance = {
+        ext: sinon.stub(),
+      };
+
+      serverInstance.ext.withArgs('onPreStart', sinon.match.func).callsFake((string, method) => {
+        method({ version: '4.0.0' });
+      });
+
+      core.scopes.sources.run(store, () => {
+        server(serverInstance);
+        expect(core.logger.debug).to.have.been.calledWith('hapi version %s', '4.0.0');
+      });
+    });
+  });
+
+  [Hapi, HapiHapi].forEach((module) => {
+    it(`should handle url params, state (cookies), payload/body, query - ${module.name}`, function () {
+      const { server } = module;
+      const serverInstance = {
+        ext: sinon.stub(),
+      };
+
+      const params = { userId: 1 };
+      const state = { auth: 'vasko jabata' };
+      const payload = { name: 'vasko jabata' };
+      const query = { name: 'vasko jabata' };
+
+      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
+        method({
+          params,
+          state,
+          payload,
+          query,
+        }, {
+          continue: () => { }
+        });
+      });
+
+      core.scopes.sources.run(store, () => {
+        server(serverInstance);
+
+        expect(store.protect.parsedParams).to.eql(params);
+        expect(store.protect.parsedCookies).to.eql(state);
+        expect(store.protect.parsedBody).to.eql(payload);
+        expect(store.protect.parsedQuery).to.eql(query);
+        expect(core.protect.inputAnalysis.handleUrlParams).to.have.been.calledWith(sinon.match.object, params);
+        expect(core.protect.inputAnalysis.handleCookies).to.have.been.calledWith(sinon.match.object, state);
+        expect(core.protect.inputAnalysis.handleParsedBody).to.have.been.calledWith(sinon.match.object, payload);
+        expect(core.protect.inputAnalysis.handleQueryParams).to.have.been.calledWith(sinon.match.object, query);
+      });
+    });
+  });
+
+  [Hapi, HapiHapi].forEach((module) => {
+    it(`error handling - ${module.name}`, function () {
+      const err = new Error('error');
+
+      const { server } = module;
+      const serverInstance = {
+        ext: sinon.stub(),
+      };
+
+      const params = { userId: 1 };
+
+      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
+        method({
+          params,
+        }, {
+          continue: () => { }
+        });
+      });
+
+      core.protect.inputAnalysis.handleUrlParams.callsFake(() => {
+        throw err;
+      });
+
+      core.scopes.sources.run(store, () => {
+        server(serverInstance);
+        expect(core.logger.error).to.have.been.calledWith(
+          { err, funcKey: 'protect-input-analysis:hapi.server' },
+          'Unexpected error during input analysis',
+        );
+      });
+    });
+
+    it(`should throw SecurityException - ${module.name}`, function () {
+      const error = create();
+
+      const { server } = module;
+      const serverInstance = {
+        ext: sinon.stub(),
+      };
+
+      const params = { userId: 1 };
+
+      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
+        method({
+          params,
+        }, {
+          continue: () => { }
+        });
+      });
+
+      core.protect.inputAnalysis.handleUrlParams.callsFake(() => {
+        throw error;
+      });
+
+      core.scopes.sources.run(store, () => {
+        try {
+          server(serverInstance);
+        } catch (error) {
+          expect(isSecurityException(error)).to.be.true;
+        }
+      });
+    });
+  });
+
+  [Hapi, HapiHapi].forEach((module) => {
+    it(`empty request - ${module.name}`, function () {
+      const { server } = module;
+      const serverInstance = {
+        ext: sinon.stub(),
+      };
+
+      const continueFunction = () => ({});
+      let result;
+      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
+        result = method({}, {
+          continue: continueFunction
+        });
+      });
+
+      core.scopes.sources.run(store, () => {
+        server(serverInstance);
+        expect(result).to.eql(continueFunction);
+      });
+    });
+
+    it(`empty sourceContext - ${module.name}`, function () {
+      const { server } = module;
+      const serverInstance = {
+        ext: sinon.stub(),
+      };
+
+      const continueFunction = () => ({});
+      let result;
+      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
+        result = method({}, {
+          continue: continueFunction
+        });
+      });
+
+      core.scopes.sources.run({}, () => {
+        server(serverInstance);
+        expect(result).to.eql(continueFunction);
+      });
+    });
+  });
+
+  describe('hapi/pez', function () {
+    it('works', function () {
+      HapiPez.Dispenser.prototype.emit();
+    });
+    it('calls patcher on the `.emit` method', function () {
+
+      expect(core.patcher.patch).to.have.callCount(3);
+      expect(core.patcher.patch).to.have.been.calledWithMatch(Hapi, 'server', {
+        name: 'hapi.server',
+        patchType: 'protect-input-analysis',
+        post: sinon.match.func
+      });
+      expect(core.patcher.patch).to.have.been.calledWithMatch(HapiHapi, 'server', {
+        name: 'hapi.server',
+        patchType: 'protect-input-analysis',
+        post: sinon.match.func
+      });
+      expect(core.patcher.patch).to.have.been.calledWithMatch(HapiPez.Dispenser.prototype, 'emit', {
+        name: 'Pez.Dispenser.prototype.emit',
+        patchType: 'protect-input-analysis',
+        pre: sinon.match.func
+      });
+    });
+
+    it('calls `.handleFileUploadName` when there is a multipart file and it is in right context', function () {
+      core.scopes.sources.run({ protect: {} }, () => {
+        HapiPez.Dispenser.prototype.emit('part', { filename: 'filename' });
+      });
+
+      expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
+      expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({}, ['filename']);
+    });
+
+
+    it('does not call `.handleFileUploadName` when not in context', function () {
+      core.scopes.sources.run({}, () => {
+        HapiPez.Dispenser.prototype.emit('part', { filename: 'filename' });
+      });
+
+      expect(inputAnalysis.handleFileUploadName).not.to.have.been.called;
+    });
+
+    it('does not call `.handleFileUploadName` when `.emit` is not called with `part` event', function () {
+      core.scopes.sources.run({ protect: {} }, () => {
+        HapiPez.Dispenser.prototype.emit('not-part', { filename: 'filename' });
+      });
+
+      expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
+      expect(core.logger.debug).not.to.have.been.called;
+    });
+
+    it('does not call `.handleFileUploadName` when `.emit` call does not contain a filename', function () {
+      core.scopes.sources.run({ protect: {} }, () => {
+        HapiPez.Dispenser.prototype.emit('part', { filename: null });
+      });
+
+      expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
+      expect(core.logger.debug).not.to.have.been.called;
+    });
+  });
+});