@contrast/protect 1.53.1 → 1.54.1

package/lib/input-tracing/install/marsdb.test.js

@@ -1,126 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const { patchType } = require('../constants');
-const methods = ['find', 'findOne', 'update', 'insert', 'remove', 'ids', 'count'];
-
-describe('protect input-tracing marsdb', function () {
-  const sourceContext = {};
-  const store = { protect: sourceContext };
-
-  let core, inputTracing, mockMarsDb, marsdbInstr;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    ({ protect: { inputTracing } } = core);
-
-    sinon.spy(core.patcher, 'patch');
-
-    mockMarsDb = {
-      Collection: function Collection() { },
-    };
-    methods.forEach((method) => {
-      mockMarsDb.Collection.prototype[method] = () => { };
-    });
-
-    core.depHooks.resolve.yields(mockMarsDb);
-
-    marsdbInstr = require('./marsdb')(core);
-  });
-
-  describe('patcher patches', function () {
-    it('patches all relevant objects in marsdb', function () {
-      marsdbInstr.install();
-      expect(core.patcher.patch).to.have.callCount(methods.length);
-
-      methods.forEach((method) => {
-        expect(core.patcher.patch).to.have.been.calledWithMatch(
-          mockMarsDb.Collection.prototype, method, {
-            name: `marsdb.Collection.prototype.${method}`,
-            patchType,
-            pre: sinon.match.func
-          }
-        );
-      });
-    });
-  });
-
-  describe('patcher pre-hooks', function () {
-    let hooksFns;
-    const correctArg = { id: 'some-query' };
-    const incorrectArgs = [null, '', undefined, {}];
-    const captureStackTraceArgs = (method) => ([
-      {
-        name: `marsdb.Collection.prototype.${method}`,
-        value: correctArg
-      }, { constructorOpt: sinon.match.func, prependFrames: [sinon.match.func] }
-    ]);
-
-    const inputTracingNosqlInjectionArgs = (method) => ([sourceContext,
-      {
-        name: `marsdb.Collection.prototype.${method}`,
-        value: correctArg
-      }]);
-
-    beforeEach(function () {
-      marsdbInstr.install();
-      hooksFns = methods.reduce((acc, method) => {
-        acc[method] = new mockMarsDb.Collection()[method];
-
-        return acc;
-      }, {});
-    });
-
-    methods.forEach((method) => {
-      it(`marsdb.Collection.prototype.${method} calls \`inputTracing.nosqlInjectionMongo\` when called with expected arguments`, function () {
-        const fn = hooksFns[method];
-
-        fn(correctArg);
-
-        const stackTraceArgs = captureStackTraceArgs(method);
-        const inputTracingArgs = inputTracingNosqlInjectionArgs(method);
-        expect(inputTracing.nosqlInjectionMongo).to.have.been.calledWith(inputTracingArgs[0], {
-          ...inputTracingArgs[1],
-          stacktraceData: {
-            constructorOpt: stackTraceArgs[1].constructorOpt, prependFrames: stackTraceArgs[1].prependFrames
-          }
-        });
-      });
-
-      it(`marsdb.Collection.prototype.${method} does not call \`inputTracing.nosqlInjectionMongo\` and \`core.captureStacktrace\` when called with wrong/no arguments`, function () {
-        const fn = hooksFns[method];
-
-        for (let i = 0; i < incorrectArgs.length; i++) {
-          fn(incorrectArgs[i]);
-
-          expect(core.captureStacktrace).to.not.have.been.called;
-          expect(inputTracing.nosqlInjectionMongo).to.not.have.been.called;
-        }
-      });
-
-      it(`marsdb.Collection.prototype.${method} does not call \`inputTracing.nosqlInjectionMongo\` and \`core.captureStacktrace\` when there is no sourceContext`, function () {
-        const fn = hooksFns[method];
-
-        core.scopes.sources.getStore.returns(null);
-
-        fn(correctArg);
-
-        expect(core.captureStacktrace).to.not.have.been.called;
-        expect(inputTracing.nosqlInjectionMongo).to.not.have.been.called;
-      });
-    });
-
-  });
-});
-

package/lib/input-tracing/install/mongodb.test.js

@@ -1,280 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-
-describe('protect input-tracing mongodb', function() {
-  let core, instr, simulateRequestScope, nosqlInjectionMongo;
-
-  class Db {
-    command() { }
-    eval() { }
-    aggregate() { }
-  }
-
-  class Collection {
-    find() { }
-    findOne() { }
-    findAndModify() { }
-    findOneAndDelete() { }
-    findOneAndReplace() { }
-    findOneAndUpdate() { }
-    remove() { }
-    removeOne() { }
-    replaceOne() { }
-    removeMany() { }
-    rename() { }
-    update() { }
-    updateOne() { }
-    updateMany() { }
-    deleteOne() { }
-    deleteMany() { }
-    aggregate() { }
-    mapReduce() { }
-    group() { }
-  }
-
-  before(function() {
-    ({ core, simulateRequestScope } = initProtectFixture());
-    require('../../get-source-context')(core);
-
-    core.depHooks.resolve.yields({ Collection, Db });
-
-    instr = require('./mongodb')(core);
-    instr.install();
-  });
-
-  beforeEach(function() {
-    sinon.stub(core.protect.inputTracing, 'nosqlInjectionMongo');
-    ({ nosqlInjectionMongo } = core.protect.inputTracing);
-  });
-
-  [
-    { subject: Collection, method: 'find' },
-    { subject: Collection, method: 'findOne' },
-    { subject: Collection, method: 'findAndModify' },
-    { subject: Collection, method: 'findOneAndDelete' },
-    { subject: Collection, method: 'findOneAndReplace' },
-    { subject: Collection, method: 'findOneAndUpdate' },
-    { subject: Collection, method: 'remove' },
-    { subject: Collection, method: 'replaceOne' },
-    { subject: Collection, method: 'update' },
-    { subject: Collection, method: 'updateOne' },
-    { subject: Collection, method: 'updateMany' },
-    { subject: Collection, method: 'deleteOne' },
-    { subject: Collection, method: 'deleteMany' },
-    { subject: Db, method: 'command' },
-  ].forEach(({ subject, method }) => {
-    describe(`${subject.name}.prototype.${method}()`, function() {
-      it('skips instrumentation if assess store is missing', function() {
-        simulateRequestScope(() => {
-          const expObject = { $ne: 'test' };
-
-          (new subject())[method]({ expObject });
-
-          expect(nosqlInjectionMongo).not.to.have.been.called;
-        }, {});
-      });
-
-      it('skips instrumentation if the argument is not a string or an non-empty object', function() {
-        simulateRequestScope(function() {
-          (new subject())[method]({});
-          expect(nosqlInjectionMongo).not.to.have.been.called;
-        });
-      });
-
-      it('analyzes the input for a nosql-injection with string input', function() {
-        simulateRequestScope(function() {
-          const attackString = 'sleep(1)';
-          const sc = core.scopes.sources.getStore()?.protect;
-
-          (new subject())[method](attackString);
-
-          expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString, name: `mongodb.${subject.name}.prototype.${method}` });
-        });
-      });
-
-      it('analyzes the input for a nosql-injection with an object input', function() {
-        simulateRequestScope(function() {
-          const expObject = { $ne: 'test' };
-          const sc = core.scopes.sources.getStore()?.protect;
-
-          (new subject())[method]({ expObject });
-
-          expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: { expObject }, name: `mongodb.${subject.name}.prototype.${method}` });
-        });
-      });
-    });
-  });
-
-  describe('Db.prototype.aggregate and Collection.prototype.aggregate', function() {
-    it('analyzes for a nosql-injection from user input in the $function operator', function() {
-      simulateRequestScope(function() {
-        const sc = core.scopes.sources.getStore()?.protect;
-        const attackString = 'sleep(1)';
-        (new Collection()).aggregate([
-          {
-            $function: {
-              body: attackString
-            }
-          }
-        ]);
-        (new Db()).aggregate([
-          {
-            $function: {
-              body: attackString
-            }
-          }
-        ]);
-
-        expect(nosqlInjectionMongo).to.have.been.calledTwice;
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString, name: 'mongodb.Db.prototype.aggregate' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString, name: 'mongodb.Collection.prototype.aggregate' });
-      });
-    });
-
-    [
-      'init',
-      'merge',
-      'accumulate',
-      'finalize'
-    ].forEach((prop) => {
-      it(`analyzes for a nosql-injection from user input in the $accumulator operator and ${prop} property`, function() {
-        simulateRequestScope(function() {
-          const attackString = 'sleep(1)';
-          const sc = core.scopes.sources.getStore()?.protect;
-          (new Collection()).aggregate([
-            {
-              $accumulator: {
-                [prop]: attackString
-              }
-            }
-          ]);
-
-          expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString, name: 'mongodb.Collection.prototype.aggregate' });
-        });
-      });
-    });
-  });
-
-  describe('Collection.prototype.mapReduce', function() {
-    it('analyzes for a nosql-injection from user input in the first 2 arguments of `mapReduce` method', function() {
-      const options = { options: 'something' };
-      simulateRequestScope(function() {
-        const attackString1 = 'sleep(1)';
-        const attackString2 = 'sleep(2)';
-        const sc = core.scopes.sources.getStore()?.protect;
-        (new Collection()).mapReduce(
-          attackString1,
-          'devData#1',
-          options
-        );
-        (new Collection()).mapReduce(
-          'devData#2',
-          attackString2,
-          options
-        );
-
-        expect(nosqlInjectionMongo).to.have.a.callCount(4);
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString1, name: 'mongodb.Collection.prototype.mapReduce' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: 'devData#1', name: 'mongodb.Collection.prototype.mapReduce' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString2, name: 'mongodb.Collection.prototype.mapReduce' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: 'devData#2', name: 'mongodb.Collection.prototype.mapReduce' });
-      });
-    });
-
-    it('analyzes for a nosql-injection from user input in the third argument of `mapReduce` method', function() {
-      simulateRequestScope(function() {
-        const attackString = 'sleep(1)';
-        const expObj = { $ne: 'test' };
-        const options1 = { query: { expObj } };
-        const options2 = { finalize: attackString };
-        const sc = core.scopes.sources.getStore()?.protect;
-        (new Collection()).mapReduce(
-          'devData#1',
-          'devData#2',
-          options1
-        );
-        (new Collection()).mapReduce(
-          'devData#3',
-          'devData#4',
-          options2
-        );
-
-        expect(nosqlInjectionMongo).to.have.a.callCount(6);
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: 'devData#1', name: 'mongodb.Collection.prototype.mapReduce' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: 'devData#2', name: 'mongodb.Collection.prototype.mapReduce' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString, name: 'mongodb.Collection.prototype.mapReduce' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: 'devData#3', name: 'mongodb.Collection.prototype.mapReduce' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: 'devData#4', name: 'mongodb.Collection.prototype.mapReduce' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: { expObj }, name: 'mongodb.Collection.prototype.mapReduce' });
-      });
-    });
-  });
-
-  describe('Collection.prototype.group', function() {
-    it('analyzes for a nosql-injection from user input in the first, the second and the fourth argument of `group` method', function() {
-      simulateRequestScope(function() {
-        const attackString1 = 'sleep(1)';
-        const attackString2 = 'sleep(2)';
-        const condition = { expObj: { $ne: 'test' } };
-        const initState = { init: 'state' };
-        const sc = core.scopes.sources.getStore()?.protect;
-        (new Collection()).group(
-          attackString1,
-          condition,
-          initState,
-          attackString2
-        );
-
-        expect(nosqlInjectionMongo).to.have.a.callCount(3);
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString1, name: 'mongodb.Collection.prototype.group' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString2, name: 'mongodb.Collection.prototype.group' });
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: { expObj: { $ne: 'test' } }, name: 'mongodb.Collection.prototype.group' });
-      });
-    });
-  });
-
-  describe('Db.prototype.eval() and other edge cases', function() {
-    it('skips patching if the method is missing', function() {
-      class Collection {
-        findOne() { }
-      }
-      class Db {
-        command() { }
-      }
-      core.depHooks.resolve
-        .withArgs(sinon.match({ name: 'mongodb' }))
-        .yields({ Collection, Db }, 'v5.x.x');
-
-      const instr = require('./mongodb')(core);
-      instr.install();
-      expect(core.logger.trace).to.have.been.calledWith({ name: 'mongodb.Db.prototype.eval', version: 'v5.x.x' }, 'method not found - skipping instrumentation');
-      expect(core.logger.trace).to.have.been.calledWith({ name: 'mongodb.Collection.prototype.findOneAndDelete', version: 'v5.x.x' }, 'method not found - skipping instrumentation');
-    });
-
-    it('analyzes for a nosql-injection from the eval methhod', function() {
-      simulateRequestScope(function() {
-        const attackString = 'sleep(1)';
-        const sc = core.scopes.sources.getStore()?.protect;
-        (new Db()).eval(attackString);
-
-        expect(nosqlInjectionMongo).to.have.a.callCount(1);
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: attackString, name: 'mongodb.Db.prototype.eval' });
-      });
-    });
-
-    it('analyzes the `.filter` property on a command method', function() {
-      simulateRequestScope(function() {
-        const expObject = { $ne: 'test' };
-        const sc = core.scopes.sources.getStore()?.protect;
-
-        (new Db()).command({ filter: { expObject } });
-
-        expect(nosqlInjectionMongo).to.have.been.calledWithMatch(sc, { value: { expObject }, name: 'mongodb.Db.prototype.command' });
-      });
-    });
-  });
-});
-

package/lib/input-tracing/install/mssql.test.js

@@ -1,81 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing mssql', function () {
-  class PreparedStatement { }
-  class Request { }
-  let core, handleSqlInjection;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    sinon.stub(core.scopes.sources, 'getStore').returns({ protect: {} });
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    handleSqlInjection = core.protect.inputTracing.handleSqlInjection;
-    require('../../get-source-context')(core);
-
-    PreparedStatement.prototype.prepare = sinon.stub();
-    Request.prototype.batch = sinon.stub();
-    Request.prototype.query = sinon.stub();
-
-    core.depHooks.resolve
-      .withArgs(sinon.match({ file: 'lib/base/prepared-statement.js' }))
-      .yields(PreparedStatement);
-
-    core.depHooks.resolve
-      .withArgs(sinon.match({ file: 'lib/base/request.js' }))
-      .yields(Request);
-
-    require('./mssql')(core).install();
-  });
-
-  [
-    { subject: PreparedStatement, method: 'prepare' },
-    { subject: Request, method: 'batch' },
-    { subject: Request, method: 'query' },
-  ].forEach(({ subject, method }) => {
-    describe(`${subject.name}.prototype.${method}()`, function () {
-      it('does not call handleSqlInjection() if there is no sourceContext', function () {
-        core.scopes.sources.getStore.returns({});
-
-        subject.prototype[method]();
-        expect(handleSqlInjection).not.to.have.been.called;
-      });
-
-      it('does not call handleSqlInjection() if there is no argument', function () {
-        subject.prototype[method]();
-        expect(handleSqlInjection).not.to.have.been.called;
-      });
-
-      it('does not call handleSqlInjection() if the argument is not a string', function () {
-        subject.prototype[method](4);
-        expect(handleSqlInjection).not.to.have.been.called;
-      });
-
-      it('calls handleSqlInjection() as expected', function () {
-        const value = ';drop table Foo--';
-
-        subject.prototype[method](value);
-        expect(handleSqlInjection).to.have.been.calledWith(
-          {},
-          {
-            name: `mssql.${subject.name}.prototype.${method}`,
-            value,
-            stacktraceOpts: {
-              constructorOpt: subject.prototype[method],
-              prependFrames: [sinon.match.func],
-            },
-          },
-        );
-      });
-    });
-  });
-});

package/lib/input-tracing/install/mysql.test.js

@@ -1,108 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing mysql', function () {
-  let core, inputTracing;
-  const store = { protect: {} };
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    inputTracing = core.protect.inputTracing;
-
-
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-  });
-
-  describe('mysql', function () {
-    let Connection;
-
-    beforeEach(function () {
-      Connection = function () { };
-      Connection.prototype.query = sinon.stub();
-      core.depHooks.resolve.yields(Connection);
-      require('./mysql')(core).install();
-    });
-
-    describe('instruments connection.query()', function () {
-      it('handleSqlInjection() is called with valid expected values', function () {
-        const conn = new Connection();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-
-        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
-          {},
-          { name: 'mysql.Connection.prototype.query', value, stacktraceOpts: { constructorOpt: conn.query, prependFrames: [sinon.match.func] } }
-        );
-      });
-
-      it('handleSqlInjection() is not called if there is no sourceContext', function () {
-        core.scopes.sources.getStore.returns({ protect: undefined });
-        const conn = new Connection();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-
-        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-      });
-
-      it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
-        const conn = new Connection();
-        conn.query('');
-        conn.query(100);
-
-        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-      });
-    });
-  });
-
-  describe('mysql2', function () {
-    let Connection;
-
-    beforeEach(function () {
-      Connection = function () { };
-      Connection.prototype.execute = sinon.stub();
-      core.depHooks.resolve.yields(Connection);
-      require('./mysql')(core).install();
-    });
-
-    describe('instruments connection.execute()', function () {
-      it('handleSqlInjection() is called with expected values', function () {
-        const conn = new Connection();
-        const value = 'SELECT "foo"';
-        conn.execute(value);
-
-        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
-          {},
-          { name: 'mysql2.Connection.prototype.execute', value, stacktraceOpts: { constructorOpt: conn.execute, prependFrames: [sinon.match.func] } }
-        );
-      });
-
-      it('handleSqlInjection() is not called if there is no sourceContext', function () {
-        core.scopes.sources.getStore.returns({ protect: undefined });
-        const conn = new Connection();
-        const value = 'SELECT "foo"';
-        conn.execute(value);
-
-        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-      });
-
-      it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
-        const conn = new Connection();
-        conn.execute('');
-        conn.execute(100);
-
-        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-      });
-    });
-  });
-});