@contrast/protect 1.53.1 → 1.54.1

package/package.json

@@ -1,11 +1,14 @@
 {
   "name": "@contrast/protect",
-  "version": "1.53.1",
+  "version": "1.54.1",
   "description": "Contrast service providing framework-agnostic Protect support",
   "license": "SEE LICENSE IN LICENSE",
   "author": "Contrast Security <nodejs@contrastsecurity.com> (https://www.contrastsecurity.com)",
   "files": [
-    "lib/"
+    "lib/",
+    "!*.test.*",
+    "!tsconfig.*",
+    "!*.map"
   ],
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
@@ -17,17 +20,17 @@
     "test": "../scripts/test.sh"
   },
   "dependencies": {
-    "@contrast/agent-lib": "^7.0.1",
+    "@contrast/agent-lib": "^9.0.0",
     "@contrast/common": "1.29.1",
-    "@contrast/config": "1.40.1",
-    "@contrast/core": "1.45.1",
-    "@contrast/dep-hooks": "1.14.1",
-    "@contrast/esm-hooks": "2.19.1",
-    "@contrast/instrumentation": "1.24.1",
-    "@contrast/logger": "1.18.1",
-    "@contrast/patcher": "1.17.1",
-    "@contrast/rewriter": "1.21.1",
-    "@contrast/scopes": "1.15.1",
+    "@contrast/config": "1.40.2",
+    "@contrast/core": "1.45.2",
+    "@contrast/dep-hooks": "1.14.2",
+    "@contrast/esm-hooks": "2.19.3",
+    "@contrast/instrumentation": "1.24.2",
+    "@contrast/logger": "1.18.2",
+    "@contrast/patcher": "1.17.2",
+    "@contrast/rewriter": "1.21.3",
+    "@contrast/scopes": "1.15.2",
     "async-hook-domain": "^4.0.1",
     "ipaddr.js": "^2.0.1",
     "on-finished": "^2.4.1",

package/lib/error-handlers/common-handler.test.js

@@ -1,52 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const { initProtectFixture, createProtectStore } = require('@contrast/test/fixtures');
-const SecurityException = require('../security-exception');
-
-describe('protect error-handlers common-handler', function () {
-  let core, simulateRequestScope, commonHandler;
-
-  beforeEach(function () {
-    ({
-      core,
-      simulateRequestScope
-    } = initProtectFixture());
-
-    commonHandler = core.protect.errorHandlers.commonHandler;
-  });
-
-  it('should re-throw if not security excpetion', function () {
-    simulateRequestScope(() => {
-      const err = new Error('Not a SecurityException');
-      expect(() => {
-        commonHandler(err);
-      }).to.throw(err);
-    });
-  });
-
-  it('should catch exception and delegate to source context to block', function () {
-    const customStore = { protect: createProtectStore() };
-    customStore.protect.securityException = ['block', 'cmd-injection'];
-
-    simulateRequestScope(() => {
-      expect(() => {
-        commonHandler(new SecurityException());
-        expect(customStore.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-      }).not.to.throw();
-    }, customStore);
-  });
-
-  it('should catch exception if request context is unavailable but will log and NOT block', function () {
-    const customStore = { protect: createProtectStore() };
-    customStore.protect.securityException = ['block', 'cmd-injection'];
-
-    expect(() => {
-      commonHandler(new SecurityException());
-      expect(customStore.protect.block).to.not.have.been.called;
-      expect(core.logger.info).to.have.been.calledWith(
-        'SecurityException caught by Contrast but Protect store is unavailable for req handling'
-      );
-    }).not.to.throw();
-  });
-});

package/lib/error-handlers/index.test.js

@@ -1,32 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-
-describe('protect error-handlers', function () {
-  let core, errorHandlers;
-
-  const installerList = [
-    'expressErrorHandler',
-    'fastifyErrorHandler',
-    'hapiErrorHandler',
-    'koa2ErrorHandler',
-    'restifyErrorHandler'
-  ];
-
-  beforeEach(function () {
-    ({ core } = initProtectFixture());
-    errorHandlers = core.protect.errorHandlers;
-    installerList.forEach((installer) => {
-      sinon.stub(errorHandlers[installer], 'install');
-    });
-  });
-
-  it('installs subcomponents', function () {
-    errorHandlers.install();
-    installerList.forEach((installer) => {
-      expect(errorHandlers[installer].install).to.have.been.called;
-    });
-  });
-});

package/lib/error-handlers/init-domain.test.js

@@ -1,22 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-
-describe('protect error-handlers init-domain', function () {
-  let core;
-
-  beforeEach(function () {
-    ({ core } = initProtectFixture());
-
-    sinon.stub(core.protect.errorHandlers, 'commonHandler');
-  });
-
-  describe('domain integration', function () {
-    it('instantiates async-hook-domain with common error handler', function () {
-      const d = core.protect.errorHandlers.initDomain();
-      expect(d.onerror).to.equal(core.protect.errorHandlers.commonHandler);
-    });
-  });
-});

package/lib/error-handlers/install/express.test.js

@@ -1,290 +0,0 @@
-/* eslint-disable */
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const SecurityException = require('../../security-exception');
-
-describe('protect error-handlers express', function () {
-  let core, store, errorHandlerInstr;
-
-  const throwingHandler = (error) => async function () {
-    await Promise.reject(error);
-  };  
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.config = mocks.config();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    store = {
-      protect: {
-        block: sinon.stub(),
-        securityException: ['block', 'cmd-injection']
-      }
-    };
-
-    sinon.spy(core.patcher, 'patch');
-  });
-
-  describe('finalhandler', function () {
-    let finalhandler, returnedFn;
-
-    beforeEach(function () {
-      finalhandler = function () {
-        return function () { };
-      };
-
-      core.depHooks.resolve.withArgs({ name: 'finalhandler', version: '<3' }).yields(finalhandler);
-
-      errorHandlerInstr = require('./express')(core);
-      errorHandlerInstr.install();
-
-      const patchedFinalhandler = core.patcher.patch.getCall(0).returnValue;
-      returnedFn = patchedFinalhandler();
-    });
-
-    it('should block the request when there is SecurityException', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run(store, () => {
-        returnedFn(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-      });
-    });
-
-    it('should not block the request when there is SecurityException but sourceContext is missing', function () {
-      const error = SecurityException.create();
-
-      core.scopes.sources.run({}, () => {
-        returnedFn(error);
-        expect(core.logger.info).to.have.been.calledWith(
-          { funcKey: 'protect-error-handling:finalHandler.returnedFunction' },
-          'source context not found; unable to handle response',
-        );
-      });
-    });
-
-    it('should skip the instrumentation when there is no SecurityException', function () {
-      const error = new Error('Error');
-
-      core.scopes.sources.run({}, () => {
-        returnedFn(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).not.to.have.been.called;
-      });
-    });
-  });
-
-  [
-    { name: 'express', version: '4', file: 'lib/router/layer.js' },
-    { name: 'router', version: '2', file: 'lib/layer.js' }
-  ].forEach((args) => {
-    const fn = args.name === 'express' ? 'handle_error' : 'handleError';
-    describe(`${args.name} Layer.prototype.${fn}`, function () {
-      let Layer;
-  
-      beforeEach(function () {
-        Layer = function () { };
-
-        Layer.prototype[fn] = function () { };
-  
-        core.depHooks.resolve.withArgs(args).yields(Layer);
-  
-        errorHandlerInstr = require('./express')(core);
-        errorHandlerInstr.install();
-      });
-  
-      it('should block the request when there is SecurityException', function () {
-        const error = SecurityException.create();
-  
-        core.scopes.sources.run(store, () => {
-          Layer.prototype[fn](error);
-          expect(core.logger.info).not.to.have.been.called;
-          expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-        });
-      });
-  
-      it('should not block the request when there is SecurityException but sourceContext is missing', function () {
-        const error = SecurityException.create();
-  
-        core.scopes.sources.run({}, () => {
-          Layer.prototype[fn](error);
-          expect(core.logger.info).to.have.been.calledWith(
-            { funcKey: `protect-error-handling:Layer.prototype.${fn}` },
-            'source context not found; unable to handle response'
-          );
-        });
-      });
-  
-      it('should skip the instrumentation when there is no SecurityException', function () {
-        const error = new Error('Error');
-  
-        core.scopes.sources.run({}, () => {
-          Layer.prototype[fn](error);
-          expect(core.logger.info).not.to.have.been.called;
-          expect(store.protect.block).not.to.have.been.called;
-        });
-      });
-    });
-
-    describe(`${args.name} Layer handle`, function () {
-      let Layer, patchedLayer;
-      const error = SecurityException.create();
-      const fn = throwingHandler(error);
-      beforeEach(function () {
-        Layer = function () {
-          return {
-            handle: fn
-          }
-        };
-  
-        errorHandlerInstr = require('./express')(core);
-        errorHandlerInstr.install();
-        [patchedLayer] = core.depHooks.resolve.withArgs(args).yield(Layer);
-        });
-
-      it('should block the request when there is SecurityException', async function () {
-        await core.scopes.sources.run(store, async () => {
-          await patchedLayer().handle();
-        });
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-      });
-
-      it('should not block the request when there is SecurityException but sourceContext is missing', async function () {
-        await core.scopes.sources.run({}, async () => {
-          await patchedLayer().handle();
-        });
-  
-        expect(core.logger.info).to.have.been.calledWith(
-          { funcKey: 'protect-error-handling:handle' },
-          'source context not found; unable to handle response',
-        );
-      });
-
-      it('should skip the instrumentation when there is no SecurityException', async function () {
-        const error = new Error('Error');
-        const fn = throwingHandler(error);
-        Layer = function () {
-          return {
-            handle: fn
-          }
-        };
-  
-        errorHandlerInstr = require('./express')(core);
-        errorHandlerInstr.install();
-        [patchedLayer] = core.depHooks.resolve.withArgs(args).yield(Layer);
-
-        try {
-          await core.scopes.sources.run(store, async () => {
-            await patchedLayer().handle();
-          });
-          } catch (err) {
-            expect(err).to.equal(error);
-            expect(core.logger.info).not.to.have.been.called;
-            expect(store.protect.block).not.to.have.been.called;
-          }
-      });
-    });
-  });
-
-  [
-    { name: 'express', version: '4', file: 'lib/router/index.js' },
-    { name: 'router', version: '2' }
-  ].forEach((args) => {
-    describe(`${args.name} Router param`, function () {
-      let Router, param;
-      const sampleFn = function () { };
-  
-      beforeEach(function () {
-
-        Router = function() { };
-        if (args.name === 'express') {
-          Router.prototype.constructor = {
-            param: function () { },
-          };    
-          param = (...args) => Router.prototype.constructor.param(...args);
-        } else {
-          Router.prototype = {
-            param: function () { },
-          };
-          param = (...args) => Router.prototype.param(...args);
-        }
-        core.depHooks.resolve.withArgs(args).yields(Router);
-  
-        core.patcher.patch.resetHistory();
-  
-        errorHandlerInstr = require('./express')(core);
-        errorHandlerInstr.install();
-      });
-  
-      it('should patch the function for the param property', function () {
-        param('sampleFn', sampleFn);
-        expect(core.patcher.patch).to.have.been.calledWith(sinon.match.array, '1', sinon.match.object);
-      });
-  
-      it('should block the request when there is SecurityException', async function () {
-        const error = SecurityException.create();
-        const fn = throwingHandler(error);
-  
-        param('fn', fn);
-  
-        const patchedFn = core.patcher.patch.getCall(1).returnValue[1];
-  
-        await core.scopes.sources.run(store, async () => {
-          await patchedFn();
-        });
-  
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-      });
-  
-      it('should not block the request when there is SecurityException but sourceContext is missing', async function () {
-        const error = SecurityException.create();
-        const fn = throwingHandler(error);
-  
-        param('fn', fn);
-  
-        const patchedFn = core.patcher.patch.getCall(1).returnValue[1];
-  
-        await core.scopes.sources.run({}, async () => {
-          await patchedFn();
-        });
-  
-        expect(core.logger.info).to.have.been.calledWith(
-          { funcKey: 'protect-error-handling:express.route-handler' },
-          'source context not found; unable to handle response',
-        );
-      });
-  
-      it('should skip the instrumentation when there is no SecurityException', async function () {
-        const error = new Error('Error');
-        const fn = throwingHandler(error);
-  
-        param('fn', fn);
-  
-        const patchedFn = core.patcher.patch.getCall(1).returnValue[1];
-  
-        try {
-          await core.scopes.sources.run(store, async () => {
-            await patchedFn();
-          });
-        } catch (err) {
-          expect(err).to.equal(error);
-          expect(core.logger.info).not.to.have.been.called;
-          expect(store.protect.block).not.to.have.been.called;
-        }
-      });
-    });  
-  });
-});

package/lib/error-handlers/install/fastify.test.js

@@ -1,130 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const securityException = require('../../security-exception');
-
-describe('protect error-handlers fastify', function () {
-  let core, errorHandler, fastify, server, reply;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.config = mocks.config();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    server = {
-      setErrorHandler: sinon.stub(),
-      errorHandler: sinon.stub()
-    };
-    fastify = function () {
-      return server;
-    };
-    core.depHooks.resolve.callsFake((desc, cb) => {
-      fastify = cb(fastify);
-    });
-    reply = {
-      log: {
-        info: sinon.stub(),
-        error: sinon.stub()
-      },
-      send: sinon.stub(),
-      statusCode: 500,
-    };
-
-    errorHandler = require('./fastify')(core);
-    sinon.spy(errorHandler, 'defaultErrorHandler');
-    errorHandler.install();
-
-    fastify();
-  });
-
-  describe('instrumentation adds custom handler', function () {
-    it('patches fastify', function () {
-      expect(server.setErrorHandler).to.have.been.calledWith(errorHandler.handler);
-    });
-  });
-
-  describe('defaultErrorHandler()', function () {
-    let request, err;
-
-    beforeEach(function () {
-      request = {};
-      err = {};
-    });
-
-    it('logs at error level when 500 status code', function () {
-      errorHandler.handler(err, request, reply);
-      expect(reply.log.error).to.have.been.calledWith({ req: request, res: reply, err });
-    });
-
-    it('logs at info level when <500 status code', function () {
-      reply.statusCode = 404;
-      errorHandler.handler(err, request, reply);
-      expect(reply.log.info).to.have.been.calledWith({ res: reply, err });
-    });
-  });
-
-  describe('handler()', function () {
-    let request, err, store, userHandler;
-
-    beforeEach(function () {
-      request = {};
-      err = securityException.create();
-      store = {
-        protect: {
-          block: sinon.stub(),
-          securityException: ['block', 'cmd-injection']
-        }
-      };
-      userHandler = sinon.stub();
-    });
-
-    it('calls default handler when the source context is not available', function () {
-      errorHandler.handler(err, request, reply);
-    });
-
-    it('when set, calls user handler when the source context is not available', function () {
-      server.setErrorHandler(userHandler);
-      errorHandler.handler(err, request, reply);
-      expect(userHandler).to.have.been.calledWith(err, request, reply);
-    });
-
-    it('calls source context\'s .block() with mode and id of rule which raised error', function () {
-      const {
-        protect: {
-          block,
-          securityException
-        }
-      } = store;
-      core.scopes.sources.run(store, () => {
-        errorHandler.handler(err, request, reply);
-        expect(block).to.have.been.calledWith(...securityException);
-      });
-    });
-
-    it('calls default error handler when error is not security exception', function () {
-      err = {};
-      core.scopes.sources.run(store, () => {
-        errorHandler.handler(err, request, reply);
-        expect(errorHandler.defaultErrorHandler).to.have.been.calledWith(err, request, reply);
-      });
-    });
-
-    it('when set, calls user handler when error is ont seecurity exception', function () {
-      err = {};
-      server.setErrorHandler(userHandler);
-      core.scopes.sources.run(store, () => {
-        errorHandler.handler(err, request, reply);
-        expect(userHandler).to.have.been.calledWith(err, request, reply);
-      });
-    });
-  });
-});

package/lib/error-handlers/install/hapi.test.js

@@ -1,102 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const SecurityException = require('../../security-exception');
-
-describe('protect error-handlers hapi', function () {
-  let core,
-    errorHandler,
-    store;
-
-  const Boom = {
-    name: 'boom',
-  };
-  const HapiBoom = {
-    name: '@hapi/boom'
-  };
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.config = mocks.config();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    store = {
-      protect: {
-        block: sinon.stub(),
-        securityException: ['block', 'cmd-injection']
-      }
-    };
-
-    Boom.boomify = function boom() { };
-    HapiBoom.boomify = function hapiBoom() { };
-
-    core.depHooks.resolve.withArgs(sinon.match({ name: Boom.name })).yields(Boom);
-    core.depHooks.resolve.withArgs(sinon.match({ name: HapiBoom.name })).yields(HapiBoom);
-
-    errorHandler = require('./hapi')(core);
-    errorHandler.install();
-  });
-
-  [Boom, HapiBoom].forEach((module) => {
-    it(`should block the request when there is SecurityException - ${module.name}`, function () {
-      const { boomify } = module;
-      const error = SecurityException.create();
-
-      core.scopes.sources.run(store, () => {
-        error.output = {
-          statusCode: 500,
-        };
-        error.reformat = () => ({});
-
-        boomify(error);
-        expect(core.logger.info).to.have.been.calledWith(
-          { funcKey: `protect-error-handling:${module.name}.boomify`, mode: 'block', ruleId: 'cmd-injection' },
-          'Request blocked'
-        );
-        expect(error.output).to.have.property('statusCode', 403);
-      });
-    });
-  });
-
-  [Boom, HapiBoom].forEach((module) => {
-    it(`should not block the request when there is SecurityException but sourceContext is missing - ${module.name}`, function () {
-      const { boomify } = module;
-      const error = SecurityException.create();
-
-      core.scopes.sources.run({}, () => {
-        error.output = {
-          statusCode: 500,
-        };
-        error.reformat = () => ({});
-
-        boomify(error);
-        expect(core.logger.info).to.have.been.calledWith(
-          { funcKey: `protect-error-handling:${module.name}.boomify` },
-          'source context not found; unable to handle response'
-        );
-      });
-    });
-  });
-
-  [Boom, HapiBoom].forEach((module) => {
-    it(`should skip the instrumentation when there is no SecurityException - ${module.name}`, function () {
-      const { boomify } = module;
-      const error = new Error('Error');
-
-      core.scopes.sources.run({}, () => {
-        boomify(error);
-        expect(core.logger.info).not.to.have.been.called;
-        expect(store.protect.block).not.to.have.been.called;
-      });
-    });
-  });
-});