@contrast/protect 1.49.0 → 1.51.0

package/lib/error-handlers/install/express4.test.js

@@ -1,238 +0,0 @@
-/* eslint-disable object-shorthand */
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const SecurityException = require('../../security-exception');
-
-describe('protect error-handlers express4', function () {
-  let core, store, errorHandlerInstr;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.config = mocks.config();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    store = {
-      protect: {
-        block: sinon.stub(),
-        securityException: ['block', 'cmd-injection']
-      }
-    };
-
-    sinon.spy(core.patcher, 'patch');
-  });
-
-  describe('finalhandler', function () {
-    let finalhandler, returnedFn;
-
-    beforeEach(function () {
-      finalhandler = function () {
-        return function () { };
-      };
-
-      core.depHooks.resolve.withArgs({ name: 'finalhandler' }).yields(finalhandler);
-
-      errorHandlerInstr = require('./express4')(core);
-      errorHandlerInstr.install();
-
-      const patchedFinalhandler = core.patcher.patch.getCall(0).returnValue;
-      returnedFn = patchedFinalhandler();
-    });
-
-    it('should block the request when there is SecurityException', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run(store, () => {
-        returnedFn(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-      });
-    });
-
-    it('should not block the request when there is SecurityException but sourceContext is missing', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run({}, () => {
-        returnedFn(error);
-        expect(core.logger.info).to.have.been.calledWith(
-          { funcKey: 'protect-error-handling:finalHandler.returnedFunction' },
-          'source context not found; unable to handle response',
-        );
-      });
-    });
-
-    it('should skip the instrumentation when there is no SecurityException', function () {
-      const error = new Error('Error');
-
-      core.scopes.sources.run({}, () => {
-        returnedFn(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).not.to.have.been.called;
-      });
-    });
-  });
-
-  describe('Layer.prototype.handle_error', function () {
-    let Layer;
-
-    beforeEach(function () {
-      Layer = function () { };
-      Layer.prototype.handle_error = function () { };
-
-      core.depHooks.resolve.withArgs({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }).yields(Layer);
-
-      errorHandlerInstr = require('./express4')(core);
-      errorHandlerInstr.install();
-    });
-
-    it('should block the request when there is SecurityException', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run(store, () => {
-        Layer.prototype.handle_error(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-      });
-    });
-
-    it('should not block the request when there is SecurityException but sourceContext is missing', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run({}, () => {
-        Layer.prototype.handle_error(error);
-        expect(core.logger.info).to.have.been.calledWith(
-          { funcKey: 'protect-error-handling:Layer.prototype.handle_error' },
-          'source context not found; unable to handle response'
-        );
-      });
-    });
-
-    it('should skip the instrumentation when there is no SecurityException', function () {
-      const error = new Error('Error');
-
-      core.scopes.sources.run({}, () => {
-        Layer.prototype.handle_error(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).not.to.have.been.called;
-      });
-    });
-  });
-
-  describe('Layer.prototype.handle', function () {
-    const sampleFn = function () { };
-    let Layer;
-
-    beforeEach(function () {
-      Layer = function () { };
-
-      core.depHooks.resolve.withArgs({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/layer.js' }).yields(Layer);
-
-      errorHandlerInstr = require('./express4')(core);
-      errorHandlerInstr.install();
-    });
-
-    it('should patch the function that is being set for `handle`', function () {
-      Layer.prototype.handle = sampleFn;
-
-      expect(core.patcher.patch).to.have.been.calledWith(sampleFn, sinon.match.object);
-    });
-
-    it('should return the patched function for the `handle` get', function () {
-      Layer.prototype.handle = sampleFn;
-
-      expect(Layer.prototype.handle).to.equal(Layer.prototype.__handle);
-    });
-  });
-
-  describe('Router.prototype.constructor.param', function () {
-    let Router;
-    const sampleFn = function () { };
-    const throwingHandler = (error) => async function () {
-      await Promise.reject(error);
-    };
-
-    beforeEach(function () {
-      Router = function () { };
-      Router.prototype.constructor = {
-        param: function () { },
-      };
-
-      core.depHooks.resolve.withArgs({ name: 'express', version: '>=4.0.0 <5.0.0', file: 'lib/router/index.js' }).yields(Router);
-
-      core.patcher.patch.resetHistory();
-
-      errorHandlerInstr = require('./express4')(core);
-      errorHandlerInstr.install();
-    });
-
-    it('should patch the function for the param property', function () {
-      Router.prototype.constructor.param('sampleFn', sampleFn);
-
-      expect(core.patcher.patch).to.have.been.calledWith(sampleFn, sinon.match.object);
-    });
-
-    it('should block the request when there is SecurityException', async function () {
-      const error = SecurityException.create();
-      const fn = throwingHandler(error);
-
-      Router.prototype.constructor.param('fn', fn);
-
-      const patchedFn = core.patcher.patch.getCall(1).returnValue;
-
-      await core.scopes.sources.run(store, async () => {
-        await patchedFn();
-      });
-
-      expect(core.logger.info).not.to.have.been.called;
-      expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-    });
-
-    it('should not block the request when there is SecurityException but sourceContext is missing', async function () {
-      const error = SecurityException.create();
-      const fn = throwingHandler(error);
-
-      Router.prototype.constructor.param('fn', fn);
-
-      const patchedFn = core.patcher.patch.getCall(1).returnValue;
-
-      await core.scopes.sources.run({}, async () => {
-        await patchedFn();
-      });
-
-      expect(core.logger.info).to.have.been.calledWith(
-        { funcKey: 'protect-error-handling:express.route-handler' },
-        'source context not found; unable to handle response',
-      );
-    });
-
-    it('should skip the instrumentation when there is no SecurityException', async function () {
-      const error = new Error('Error');
-      const fn = throwingHandler(error);
-
-      Router.prototype.constructor.param('fn', fn);
-
-      const patchedFn = core.patcher.patch.getCall(1).returnValue;
-
-      try {
-        await core.scopes.sources.run(store, async () => {
-          await patchedFn();
-        });
-      } catch (err) {
-        expect(err).to.equal(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).not.to.have.been.called;
-      }
-    });
-  });
-
-
-});