@contrast/protect 1.53.1 → 1.54.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (58)
  1. package/package.json +15 -12
  2. package/lib/error-handlers/common-handler.test.js +0 -52
  3. package/lib/error-handlers/index.test.js +0 -32
  4. package/lib/error-handlers/init-domain.test.js +0 -22
  5. package/lib/error-handlers/install/express.test.js +0 -290
  6. package/lib/error-handlers/install/fastify.test.js +0 -130
  7. package/lib/error-handlers/install/hapi.test.js +0 -102
  8. package/lib/error-handlers/install/koa2.test.js +0 -83
  9. package/lib/error-handlers/install/restify.test.js +0 -57
  10. package/lib/get-source-context.test.js +0 -35
  11. package/lib/hardening/handlers.test.js +0 -89
  12. package/lib/hardening/index.test.js +0 -31
  13. package/lib/hardening/install/node-serialize0.test.js +0 -58
  14. package/lib/index.test.js +0 -53
  15. package/lib/input-analysis/handlers.test.js +0 -1604
  16. package/lib/input-analysis/index.test.js +0 -45
  17. package/lib/input-analysis/install/body-parser1.test.js +0 -134
  18. package/lib/input-analysis/install/busboy1.test.js +0 -81
  19. package/lib/input-analysis/install/cookie-parser1.test.js +0 -144
  20. package/lib/input-analysis/install/express.test.js +0 -241
  21. package/lib/input-analysis/install/fastify.test.js +0 -96
  22. package/lib/input-analysis/install/formidable1.test.js +0 -114
  23. package/lib/input-analysis/install/hapi.test.js +0 -292
  24. package/lib/input-analysis/install/http.test.js +0 -270
  25. package/lib/input-analysis/install/koa-body5.test.js +0 -92
  26. package/lib/input-analysis/install/koa-bodyparser4.test.js +0 -92
  27. package/lib/input-analysis/install/koa2.test.js +0 -259
  28. package/lib/input-analysis/install/multer1.test.js +0 -209
  29. package/lib/input-analysis/install/qs6.test.js +0 -79
  30. package/lib/input-analysis/install/restify.test.js +0 -98
  31. package/lib/input-analysis/install/universal-cookie4.test.js +0 -70
  32. package/lib/input-analysis/ip-analysis.test.js +0 -71
  33. package/lib/input-analysis/virtual-patches.test.js +0 -106
  34. package/lib/input-tracing/handlers/index.test.js +0 -1236
  35. package/lib/input-tracing/index.test.js +0 -62
  36. package/lib/input-tracing/install/child-process.test.js +0 -133
  37. package/lib/input-tracing/install/eval.test.js +0 -78
  38. package/lib/input-tracing/install/fs.test.js +0 -108
  39. package/lib/input-tracing/install/function.test.js +0 -81
  40. package/lib/input-tracing/install/http.test.js +0 -85
  41. package/lib/input-tracing/install/http2.test.js +0 -83
  42. package/lib/input-tracing/install/marsdb.test.js +0 -126
  43. package/lib/input-tracing/install/mongodb.test.js +0 -280
  44. package/lib/input-tracing/install/mssql.test.js +0 -81
  45. package/lib/input-tracing/install/mysql.test.js +0 -108
  46. package/lib/input-tracing/install/postgres.test.js +0 -117
  47. package/lib/input-tracing/install/sequelize.test.js +0 -78
  48. package/lib/input-tracing/install/spdy.test.js +0 -76
  49. package/lib/input-tracing/install/sqlite3.test.js +0 -88
  50. package/lib/input-tracing/install/vm.test.js +0 -176
  51. package/lib/make-response-blocker.test.js +0 -99
  52. package/lib/make-source-context.test.js +0 -219
  53. package/lib/policy.test.js +0 -446
  54. package/lib/semantic-analysis/handlers.test.js +0 -379
  55. package/lib/semantic-analysis/index.test.js +0 -38
  56. package/lib/semantic-analysis/install/libxmljs.test.js +0 -156
  57. package/lib/semantic-analysis/utils/xml-analysis.test.js +0 -156
  58. package/lib/throw-security-exception.test.js +0 -37
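--- a/package/lib/semantic-analysis/utils/xml-analysis.test.js
+++ b/package/lib/semantic-analysis/utils/xml-analysis.test.js
@@ -1,156 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-
-const {
-findExternalEntities,
-isExternalEntity
-} = require('./xml-analysis');
-
-const XML = `
-<!DOCTYPE doc [
-<!ENTITY ent SYSTEM "file:///tmp/marker">
-<!ENTITY ent2 not_external "hoohoo">
-<!ENTITY ent3 PUBLIC "http://www.google.com/marker">
-<!ENTITY ent4 not_either "hehehe">
-<!ENTITY ent5 PUBLIC "entity-public-id" "http://www.google.com/marker-1">
-]>
-<root>
-<element>&ent;</element>
-<element>&ent2;</element>
-</root>`;
-
-const XML_PROLOG = `
-<!DOCTYPE doc [
-<!ENTITY ent SYSTEM "file:///tmp/marker">
-<!ENTITY ent2 not_external "hoohoo">
-<!ENTITY ent3 PUBLIC "http://www.google.com/marker">
-<!ENTITY ent4 not_either "hehehe">
-<!ENTITY ent5 PUBLIC "entity-public-id" "http://www.google.com/marker-1">`;
-
-describe('protect semantic-analysis utils xml-analysis', function() {
-describe('findExternalEntities', function() {
-it('should instantiate a xml finder properly', function() {
-const finder = findExternalEntities(XML);
-
-expect(finder).to.have.property('prolog', XML_PROLOG);
-expect(finder)
-.to.have.property('entities')
-.that.deep.equals([
-{
-finish: 60,
-start: 19,
-type: 'SYSTEM',
-uri: 'file:///tmp/marker'
-},
-{
-finish: 267,
-start: 194,
-type: 'PUBLIC',
-uri: 'http://www.google.com/marker-1'
-}
-]);
-});
-
-it('should default xml to empty string if undefined', function() {
-const finder = findExternalEntities();
-expect(finder).to.eql({
-entities: [],
-prolog: null
-});
-});
-});
-
-describe('isExternalEntity', function() {
-it('handles undefined properly', function() {
-expect(isExternalEntity()).to.be.false;
-});
-
-it('can determine external http', function() {
-const uri = 'http://something.com';
-expect(isExternalEntity(uri)).to.be.true;
-});
-
-it('can determine external https', function() {
-const uri = 'https://something.com';
-expect(isExternalEntity(uri)).to.be.true;
-});
-
-it('can determine external http - ignore dtd', function() {
-const uri = 'http://something.dtd';
-expect(isExternalEntity(uri)).to.be.false;
-});
-
-it('can determine external https - ignore dtd', function() {
-const uri = 'https://something.dtd';
-expect(isExternalEntity(uri)).to.be.false;
-});
-
-it('can determine external file', function() {
-const uri = 'file://something.com';
-expect(isExternalEntity(uri)).to.be.true;
-});
-
-it('can determine external ftp', function() {
-const uri = 'ftp://something.com';
-expect(isExternalEntity(uri)).to.be.true;
-});
-
-it('can determine external gopher', function() {
-const uri = 'gopher://something.com';
-expect(isExternalEntity(uri)).to.be.true;
-});
-
-it('can determine external jar', function() {
-const uri = 'jar://something.com';
-expect(isExternalEntity(uri)).to.be.true;
-});
-
-it('can determine slash start', function() {
-const uri = '/something.com';
-expect(isExternalEntity(uri)).to.be.true;
-});
-
-it('can determine period start', function() {
-const uri = './something.com';
-expect(isExternalEntity(uri)).to.be.true;
-});
-
-it('can determine up dir', function() {
-const posixUri = '../something.com';
-expect(isExternalEntity(posixUri)).to.be.true;
-
-const windowsUri = '..\\something.com';
-expect(isExternalEntity(windowsUri)).to.be.true;
-});
-
-it('can determine windows files', function() {
-const uri = '\\\\c:foo';
-expect(isExternalEntity(uri)).to.be.true;
-});
-
-it('can find system entities', function() {
-const declaration = '<!ENTITY ent SYSTEM "file:///tmp/marker">';
-expect(findExternalEntities(declaration)).to.have.nested.property(
-'entities[0].uri',
-'file:///tmp/marker'
-);
-});
-
-it('can find system entities using single quotes too', function() {
-const declaration = "<!ENTITY ent SYSTEM 'file:///tmp/marker'>";
-expect(findExternalEntities(declaration)).to.have.nested.property(
-'entities[0].uri',
-'file:///tmp/marker'
-);
-});
-
-it('can find named public entities', function() {
-const declaration = '<!ENTITY ent PUBLIC "asdf" "file:///tmp/marker">';
-expect(findExternalEntities(declaration)).to.have.nested.property(
-'entities[0].uri',
-'file:///tmp/marker'
-);
-});
-});
-});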
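--- a/package/lib/throw-security-exception.test.js
+++ b/package/lib/throw-security-exception.test.js
@@ -1,37 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect throw-security-exception', function () {
-let core, protect, sourceContext;
-
-beforeEach(function () {
-core = mocks.core();
-core.logger = mocks.logger();
-protect = core.protect = mocks.protect();
-sourceContext = {
-block: sinon.stub(),
-securityException: ['block', 'cmd-injection']
-};
-require('./throw-security-exception')(core);
-});
-
-it('will throw a security exception if source context is provided', function () {
-expect(function () {
-protect.throwSecurityException(sourceContext);
-}).to.throw('SecurityException');
-expect(core.logger.debug).to.have.been.calledWith(sinon.match({
-ruleId: 'cmd-injection',
-mode: 'block',
-}));
-});
-
-it('method is noop if source context is not provided', function () {
-expect(function () {
-protect.throwSecurityException();
-expect(sourceContext.block).not.to.have.been.called;
-}).not.to.throw('SecurityException');
-});
-});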