@contrast/protect 1.53.1 → 1.54.1

package/lib/semantic-analysis/handlers.test.js

@@ -1,379 +0,0 @@
-'use strict';
-
-const os = require('os');
-const { Rule } = require('@contrast/common');
-const { expect } = require('chai');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect semantic-analysis handlers', function () {
-  let core, handlers;
-
-  // each test should be asserting this at least
-  const TEST_DESCRIPTION = 'captures findings and sinkContext in result.exploitMetadata array';
-
-  // for additional assertions that might happen in tests, add to description
-  function makeTestDescription(blocks) {
-    const addl = blocks ? ' and blocks when in BLOCK mode' : '';
-    return `${TEST_DESCRIPTION}${addl}`;
-  }
-
-  function makeSourceContext(resultsList, ruleModes) {
-    const semanticResultsMap = Object.create(null);
-    if (resultsList) {
-      for (const result of resultsList) {
-        if (!semanticResultsMap[result.ruleId]) {
-          semanticResultsMap[result.ruleId] = [];
-        }
-        semanticResultsMap[result.ruleId].push(result);
-      }
-    }
-
-    return {
-      policy: {
-        [Rule.CMD_INJECTION_COMMAND_BACKDOORS]: 'monitor',
-        [Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS]: 'monitor',
-        [Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS]: 'monitor',
-        [Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS]: 'monitor',
-        ...(ruleModes || {}),
-      },
-      trackRequest: true,
-      resultsMap: semanticResultsMap,
-    };
-  }
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.protect = mocks.protect();
-    core.protect.throwSecurityException = require('../throw-security-exception');
-
-    handlers = require('./handlers')(core);
-  });
-
-  describe('handleCmdInjectionSemanticDangerous()', function () {
-    const sinkContextPositive = {
-      name: 'child_process.execSync',
-      value: 'ls; cat /etc/passwd',
-      stack: [],
-    };
-    const sinkContextNegative = {
-      name: 'child_process.execSync',
-      value: 'foo',
-      stack: []
-    };
-    const command = 'ls; cat /etc/passwd';
-
-    [
-      {
-        blocks: false,
-        sourceContext: makeSourceContext([]),
-        expectedResults: [
-          {
-            mappedId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
-            ruleId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
-            value: sinkContextPositive.value,
-            sinkContext: sinkContextPositive,
-            exploitMetadata: [{ command }],
-            blocked: false
-          },
-          {
-            mappedId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
-            ruleId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
-            value: sinkContextPositive.value,
-            sinkContext: sinkContextPositive,
-            exploitMetadata: [{ command }],
-            blocked: false
-          },
-        ]
-      },
-      {
-        blocks: true,
-        sourceContext: makeSourceContext(
-          [], {
-            [Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS]: 'block'
-          }
-        ),
-        expectedResults: [
-          {
-            mappedId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
-            ruleId: Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS,
-            value: sinkContextPositive.value,
-            sinkContext: sinkContextPositive,
-            exploitMetadata: [{ command }],
-            blocked: true
-          },
-        ]
-      },
-      {
-        blocks: false,
-        sourceContext: makeSourceContext(
-          [], {
-            [Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS]: 'off'
-          }
-        ),
-        expectedResults: undefined,
-      }
-    ].forEach(({ blocks, sourceContext, expectedResults }) => {
-      it(makeTestDescription(blocks), function () {
-        const testFn = () => {
-          handlers.handleCmdInjectionSemanticDangerous(sourceContext, sinkContextPositive);
-          handlers.handleCmdInjectionSemanticDangerous(sourceContext, sinkContextPositive);
-          handlers.handleCmdInjectionSemanticDangerous(sourceContext, sinkContextNegative);
-        };
-
-        const test = expect(testFn);
-        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
-
-        const cmdiSDPResults = sourceContext.resultsMap[Rule.CMD_INJECTION_SEMANTIC_DANGEROUS_PATHS];
-        expect(cmdiSDPResults).to.deep.equal(expectedResults);
-      });
-    });
-  });
-
-  describe('handleCmdInjectionSemanticChainedCommands()', function () {
-    const sinkContextPositive = {
-      name: 'child_process.execSync',
-      value: 'test&whoami',
-      stack: [],
-    };
-    const sinkContextNegative = {
-      name: 'child_process.execSync',
-      value: 'foo',
-      stack: []
-    };
-    const command = 'test&whoami';
-
-    [
-      {
-        blocks: false,
-        sourceContext: makeSourceContext([]),
-        expectedResults: [
-          {
-            mappedId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
-            ruleId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
-            value: sinkContextPositive.value,
-            sinkContext: sinkContextPositive,
-            exploitMetadata: [{ command }],
-            blocked: false
-          },
-          {
-            mappedId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
-            ruleId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
-            value: sinkContextPositive.value,
-            sinkContext: sinkContextPositive,
-            exploitMetadata: [{ command }],
-            blocked: false
-          },
-        ]
-      },
-      {
-        blocks: true,
-        sourceContext: makeSourceContext(
-          [], {
-            [Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS]: 'block'
-          }
-        ),
-        expectedResults: [
-          {
-            mappedId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
-            ruleId: Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS,
-            value: sinkContextPositive.value,
-            sinkContext: sinkContextPositive,
-            exploitMetadata: [{ command }],
-            blocked: true
-          },
-        ]
-      },
-      {
-        blocks: false,
-        sourceContext: makeSourceContext(
-          [], {
-            [Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS]: 'off'
-          }
-        ),
-        expectedResults: undefined,
-      }
-    ].forEach(({ blocks, sourceContext, expectedResults }) => {
-      it(makeTestDescription(blocks), function () {
-        const testFn = () => {
-          handlers.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContextPositive);
-          handlers.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContextPositive);
-          handlers.handleCmdInjectionSemanticChainedCommands(sourceContext, sinkContextNegative);
-        };
-
-        const test = expect(testFn);
-        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
-
-
-        const cmdiSDPResults = sourceContext.resultsMap[Rule.CMD_INJECTION_SEMANTIC_CHAINED_COMMANDS];
-        expect(cmdiSDPResults).to.deep.equal(expectedResults);
-      });
-    });
-  });
-
-  describe('handleCommandInjectionCommandBackdoors()', function () {
-    const sinkContextPositive = {
-      name: 'child_process.execSync',
-      value: 'ls .',
-      stack: [],
-    };
-    const sinkContextPositiveV2 = {
-      name: 'child_process.execSync',
-      value: '/bin/sh -c "cat /etc/passwd"',
-      stack: [],
-    };
-    const sinkContextNegative = {
-      name: 'child_process.execSync',
-      value: 'f',
-      stack: []
-    };
-    const command = 'ls .';
-
-    [
-      {
-        blocks: false,
-        sourceContext: makeSourceContext([]),
-        expectedResults: [
-          {
-            sinkContext: sinkContextPositive,
-            exploitMetadata: [{ command }],
-            inputType: 'HEADER',
-            key: 'malicious-header',
-            path: [],
-            blocked: false,
-            value: 'ls .',
-            mappedId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
-            ruleId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
-          },
-          {
-            sinkContext: sinkContextPositiveV2,
-            exploitMetadata: [{ command: '/bin/sh -c "cat /etc/passwd"' }],
-            inputType: 'JSON_VALUE',
-            key: 'command',
-            path: ['some', 'hidden'],
-            blocked: false,
-            value: '/bin/sh -c "cat /etc/passwd"',
-            mappedId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
-            ruleId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
-          },
-        ]
-      },
-      {
-        blocks: true,
-        sourceContext: makeSourceContext(
-          [], {
-            [Rule.CMD_INJECTION_COMMAND_BACKDOORS]: 'block'
-          }
-        ),
-        expectedResults: [
-          {
-            sinkContext: sinkContextPositive,
-            exploitMetadata: [{ command }],
-            inputType: 'HEADER',
-            key: 'malicious-header',
-            path: [],
-            blocked: true,
-            value: 'ls .',
-            mappedId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
-            ruleId: Rule.CMD_INJECTION_COMMAND_BACKDOORS,
-          },
-        ]
-      },
-      {
-        blocks: false,
-        sourceContext: makeSourceContext(
-          [], {
-            [Rule.CMD_INJECTION_COMMAND_BACKDOORS]: 'off'
-          }
-        ),
-        expectedResults: undefined,
-      }
-    ].forEach(({ blocks, sourceContext, expectedResults }) => {
-      it(makeTestDescription(blocks), function () {
-        sourceContext.reqData = {
-          headers: ['some-other-header', 'and-its-value', 'malicious-header', 'ls .']
-        };
-        sourceContext.parsedBody = { some: { hidden: { command: '-c "cat /etc/passwd"' } } };
-        const testFn = () => {
-          handlers.handleCommandInjectionCommandBackdoors(sourceContext, sinkContextPositive);
-          handlers.handleCommandInjectionCommandBackdoors(sourceContext, sinkContextPositiveV2);
-          handlers.handleCommandInjectionCommandBackdoors(sourceContext, sinkContextNegative);
-        };
-
-        const test = expect(testFn);
-        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
-
-
-        const cmdiSDPResults = sourceContext.resultsMap[Rule.CMD_INJECTION_COMMAND_BACKDOORS];
-        expect(cmdiSDPResults).to.deep.equal(expectedResults);
-      });
-    });
-  });
-
-  describe('handlePathTraversalFileSecurityBypass()', function () {
-    const sinkContextNegative = {
-      name: 'fs.writeFile',
-      value: 'f',
-      stack: []
-    };
-    const sinkContexts = [{ name: 'fs.readFileSync', value: 'c:\textfile.txt::$DATA' }];
-
-    if (os.platform() !== 'win32') {
-      sinkContexts.push({ name: 'fs.readFile', value: '/etc/passwd' });
-    }
-
-    [
-      {
-        blocks: false,
-        sourceContext: makeSourceContext([]),
-        sinkContexts,
-        expectedResults: sinkContexts.map((ctx) => ({
-          sinkContext: ctx,
-          exploitMetadata: [{ path: ctx.value }],
-          blocked: false,
-          mappedId: Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
-          ruleId: Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
-          value: ctx.value
-        })),
-      },
-      {
-        blocks: true,
-        sourceContext: makeSourceContext([], {
-          [Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS]: 'block',
-        }),
-        sinkContexts,
-        expectedResults: [{
-          sinkContext: sinkContexts[0],
-          exploitMetadata: [{ path: sinkContexts[0].value }],
-          blocked: true,
-          mappedId: Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
-          ruleId: Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS,
-          value: sinkContexts[0].value
-        }],
-      },
-      {
-        blocks: false,
-        sinkContexts,
-        sourceContext: makeSourceContext([], {
-          [Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS]: 'off',
-        }),
-        expectedResults: undefined,
-      }
-    ].forEach(({ blocks, sourceContext, sinkContexts, expectedResults }) => {
-      it(makeTestDescription(blocks), function () {
-        const testFn = () => {
-          sinkContexts.forEach((sinkContext) => {
-            handlers.handlePathTraversalFileSecurityBypass(sourceContext, sinkContext);
-          });
-          handlers.handlePathTraversalFileSecurityBypass(sourceContext, sinkContextNegative);
-        };
-
-        const test = expect(testFn);
-        blocks ? test.to.throw('SecurityException') : test.not.to.throw();
-
-        const results = sourceContext.resultsMap[Rule.PATH_TRAVERSAL_SEMANTIC_FILE_SECURITY_BYPASS];
-        expect(results).to.deep.equal(expectedResults);
-      });
-    });
-  });
-});

package/lib/semantic-analysis/index.test.js

@@ -1,38 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const proxyquire = require('proxyquire');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect semantic-analysis', function () {
-  let core, installStub, hooksMock;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.protect = {};
-    core.scopes = mocks.scopes();
-    core.depHooks = mocks.depHooks();
-    core.instrumentation = mocks.instrumentation();
-    installStub = sinon.stub();
-    hooksMock = (hookProp) => function (core) {
-      if (core.protect.semanticAnalysis) {
-        core.protect.semanticAnalysis[hookProp] = { install: installStub };
-      } else {
-        core.protect.semanticAnalysis = {
-          [hookProp]: { install: installStub }
-        };
-      }
-    };
-  });
-
-  it('calls the install() method of the required hooks', function () {
-    const hooks = proxyquire('.', {
-      './install/libxmljs': hooksMock('libxmljsInstrumentation')
-    })(core);
-
-    expect(installStub).not.to.have.been.called;
-    hooks.install();
-    expect(installStub).to.have.callCount(1);
-  });
-});

package/lib/semantic-analysis/install/libxmljs.test.js

@@ -1,156 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const SecurityException = require('../../security-exception');
-
-describe('protect semantic-analysis libxmljs', function () {
-  const store = { protect: {} };
-  let core, modules;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.scopes = mocks.scopes();
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.patcher = patcher(core);
-    core.protect = mocks.protect();
-
-
-    modules = {
-      'libxmljs@0': {
-        parseXml: sinon.stub().returns({})
-      },
-
-      'libxmljs@1': {
-        parseXml: sinon.stub().returns({})
-      },
-
-      'libxmljs2': {
-        parseXml: sinon.stub().returns({})
-      },
-    };
-
-    core.depHooks.resolve
-      .withArgs({ name: 'libxmljs', version: '>=1 <2' })
-      .yields(modules['libxmljs@1'], { name: 'libxmljs', version: '1.0.9' });
-    core.depHooks.resolve
-      .withArgs({ name: 'libxmljs', version: '<1' })
-      .yields(modules['libxmljs@0'], { name: 'libxmljs', version: '0.19.10' });
-    core.depHooks.resolve
-      .withArgs({ name: 'libxmljs2', version: '<1' })
-      .yields(modules.libxmljs2, { name: 'libxmljs2', version: '0.32.0' });
-
-    require('../../get-source-context')(core);
-    require('./libxmljs')(core).install();
-  });
-
-  ['libxmljs@0', 'libxmljs@1', 'libxmljs2'].forEach((name) => {
-    describe(name, function () {
-      it('skips instrumentation if sourceContext is missing', function () {
-        core.scopes.sources.getStore.returns(undefined);
-
-        modules[name].parseXml('value');
-
-        expect(core.protect.semanticAnalysis.handleXXE).not.to.have.been.called;
-      });
-
-      it('skips instrumentation if the value is not provided or not a string', function () {
-        [
-          undefined,
-          null,
-          () => ({}),
-          {},
-          1,
-          NaN,
-          true
-        ].forEach(value => {
-          modules[name].parseXml(value);
-        });
-
-        expect(core.protect.semanticAnalysis.handleXXE).not.to.have.been.called;
-      });
-
-      it('skips instrumentation if noent is set to false', function () {
-        modules[name].parseXml('string', { noent: false });
-
-        expect(core.protect.semanticAnalysis.handleXXE).not.to.have.been.called;
-      });
-
-      if (name === 'libxmljs@1') {
-        it('skips instrumentation if replaceEntities is set to false', function () {
-          modules[name].parseXml('string', { replaceEntities: false });
-
-          expect(core.protect.semanticAnalysis.handleXXE).not.to.have.been.called;
-        });
-      }
-
-      it('calls handleXXE with sourceContext and sinkContext when noent: true', function () {
-        const nameWithoutVersion = name.split('@')[0];
-        const sinkContext = {
-          name: `${nameWithoutVersion}:parseXml`,
-          value: 'string1',
-          stacktraceOpts: {
-            constructorOpt: modules[name].parseXml,
-            prependFrames: [sinon.match.func]
-          }
-        };
-
-        modules[name].parseXml('string1', { noent: true });
-
-        expect(core.protect.semanticAnalysis.handleXXE).to.have.been.calledWith(
-          store.protect,
-          sinkContext
-        );
-      });
-
-      if (name === 'libxmljs@1') {
-        it('calls handleXXE with sourceContext and sinkContext when replaceEntities: true', function () {
-          const nameWithoutVersion = name.split('@')[0];
-          const sinkContext = {
-            name: `${nameWithoutVersion}:parseXml`,
-            value: 'string1',
-            stacktraceOpts: {
-              constructorOpt: modules[name].parseXml,
-              prependFrames: [sinon.match.func]
-            }
-          };
-
-          modules[name].parseXml('string1', { replaceEntities: true });
-
-          expect(core.protect.semanticAnalysis.handleXXE).to.have.been.calledWith(
-            store.protect,
-            sinkContext
-          );
-        });
-      }
-
-      it('logs an error when handleXXE throws an unknown error', function () {
-        const nameWithoutVersion = name.split('@')[0];
-        const err = new Error('unknown!');
-        core.protect.semanticAnalysis.handleXXE.throws(err);
-
-        expect(() =>
-          modules[name].parseXml('string1', { noent: true })
-        ).not.to.throw();
-
-        expect(core.logger.error).to.have.been.calledWith(
-          { err, funcKey: `protect-semantic-analysis:${nameWithoutVersion}:parseXml` },
-          'Unexpected error during semantic analysis'
-        );
-      });
-
-      it('throws a SecurityException when handleXXE throws one', function () {
-        const err = SecurityException.create();
-        core.protect.semanticAnalysis.handleXXE.throws(err);
-
-        expect(() =>
-          modules[name].parseXml('string1', { noent: true })
-        ).to.throw(err);
-      });
-    });
-  });
-});