@contrast/protect 1.53.1 → 1.54.1

package/lib/input-analysis/handlers.test.js

@@ -1,1604 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const mocks = require('@contrast/test/mocks');
-const { createEmptySourceContext } = require('@contrast/test/fixtures');
-const emptySc = createEmptySourceContext();
-const address = require('ipaddr.js');
-const agentLib = require('@contrast/agent-lib');
-const EventEmitter = require('events');
-const Protect = require('../../../protect');
-
-const { constants: { RuleType, InputType } } = agentLib;
-const { UrlParameter, MultipartName, ParameterKey, ParameterValue } = InputType;
-const preferWW = { preferWorthWatching: true };
-const sqlMask = RuleType['sql-injection'];
-const xssMask = RuleType['reflected-xss'];
-const mongoMask = RuleType['nosql-injection-mongo'];
-const unsafeFileUploadMask = RuleType['unsafe-file-upload'];
-const { InputType: { METHOD }, Rule, ProtectRuleMode, BLOCKING_MODES } = require('@contrast/common');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-
-/* eslint-disable newline-per-chained-call */
-
-describe('protect input-analysis handlers', function () {
-  let core,
-    sourceContext,
-    handleConnect,
-    handleQueryParams,
-    handleUrlParams,
-    handleCookies,
-    handleParsedBody,
-    handleVirtualPatches,
-    handleFileUploadName,
-    handleIpAllowlist,
-    handleIpDenylist,
-    throwSecurityException;
-
-  beforeEach(function () {
-    core = {
-      config: mocks.config(),
-      protect: mocks.protect(),
-      logger: mocks.logger()
-    };
-    require('./handlers')(core);
-    ({
-      protect: {
-        inputAnalysis: {
-          handleConnect,
-          handleQueryParams,
-          handleUrlParams,
-          handleCookies,
-          handleParsedBody,
-          handleFileUploadName,
-          handleVirtualPatches,
-          handleIpAllowlist,
-          handleIpDenylist,
-        },
-        throwSecurityException
-      }
-    } = core);
-
-    sourceContext = {
-      ...emptySc,
-      policy: {
-        ...emptySc.policy,
-        rulesMask: sqlMask,
-        'sql-injection': 'block',
-      },
-      reqData: {
-        ip: '127.0.0.1',
-        method: 'GET',
-        uriPath: '/',
-        search: '',
-        headers: { 'content-type': 'application/json' },
-        contentType: '',
-      },
-      virtualPatchesEvaluators: [],
-      trackRequest: false,
-      securityException: undefined,
-      bodyType: undefined,
-      resultsMap: Object.create(null),
-    };
-  });
-
-  describe('handleConnect', function () {
-    let connectInputs;
-
-    beforeEach(function () {
-      connectInputs = {
-        headers: ['content-type', '.25 beretta', 'user-agent', '; drop table *'],
-      };
-      sinon.spy(core.protect.agentLib, 'scoreRequestConnect');
-      sinon.spy(core.protect.inputAnalysis, 'handleVirtualPatches');
-    });
-
-    it('does not block a request with an attack for a worth-watching rule', function () {
-      handleConnect(sourceContext, connectInputs);
-
-      const expectedReturnValue = {
-        trackRequest: true,
-        resultsList: [{
-          ruleId: 'sql-injection',
-          inputType: 'HeaderValue',
-          path: ['user-agent'],
-          key: 'user-agent',
-          value: '; drop table *',
-          score: 10,
-          // This is only for `agent-lib` v5.0.0,
-          // this id will be removed in the next release
-          idsList: [],
-          // added by "normalizeFindings"
-          exploitMetadata: [],
-          blocked: false,
-          mappedId: 'sql-injection',
-        }],
-      };
-      const { agentLib } = core.protect;
-      expect(agentLib.scoreRequestConnect).to.have.been.calledOnceWith(sqlMask, connectInputs, preferWW);
-      // i don't know why i can't use expect(core.protect...scoreRequestConnect).returned(expected...);
-      const rv = agentLib.scoreRequestConnect.getCall(0).returnValue;
-      expect(rv).to.deep.equal(expectedReturnValue);
-
-      // it calls with worth watching, so only reflected-xss can return a 90
-      expect(throwSecurityException).not.to.have.been.called;
-    });
-
-    // non-worth-watching rules
-    ['path-traversal', 'reflected-xss', 'method-tampering'].forEach((ruleId) => {
-      it(`blocks an attack for non-worth-watching rule: ${ruleId}`, function () {
-        const { agentLib } = core.protect;
-        sourceContext.policy = {
-          ...emptySc.policy,
-          rulesMask: agentLib.RuleType[ruleId],
-          [ruleId]: 'block'
-        };
-        const target = {
-          'path-traversal': 'queries',
-          'reflected-xss': 'queries',
-          'method-tampering': 'method',
-        };
-        const attack = {
-          'path-traversal': ['x', '../..'],
-          'reflected-xss': ['x', '<script>'],
-          'method-tampering': 'XYZZY',
-        };
-        connectInputs[target[ruleId]] = attack[ruleId];
-
-        const block = handleConnect(sourceContext, connectInputs);
-
-        expect(agentLib.scoreRequestConnect).to.have.been.calledOnceWith(agentLib.RuleType[ruleId], connectInputs, preferWW);
-        expect(throwSecurityException).not.to.have.been.called;
-        expect(block).to.deep.equal(['block', ruleId]);
-      });
-    });
-
-    it('allows a request if it is matched by an exception', function () {
-      sourceContext.policy = {
-        rulesMask: core.protect.agentLib.RuleType['path-traversal'],
-        'path-traversal': 'block',
-        exclusions: {
-          ...emptySc.policy.exclusions,
-          cookie: [{
-            name: 'testPolicy',
-            matchesUriPath: () => true,
-            matchesInputName: (inputName) => inputName === 'first',
-            checkCookiesInHeader: (header) => header.includes('first'),
-            policy: { 'path-traversal': 'off' }
-          }]
-        }
-      };
-      const headers = [
-        'cookie', 'first=../..;', 'second', '; drop table *'
-      ];
-
-      const block = handleConnect(sourceContext, { headers });
-
-      expect(block).to.have.be.undefined;
-    });
-  });
-
-  describe('handleQueryParams', function () {
-    beforeEach(function () {
-      sinon.spy(core.protect.agentLib, 'scoreAtom');
-      sinon.spy(core.protect.agentLib, 'isMongoQueryType');
-    });
-
-    it('logs at debug level if the queryParams is not an object', function () {
-      const queryParams = 'Not an object';
-      const text = 'handleQueryParams() called with non-object';
-      const { agentLib } = core.protect;
-
-      const result = handleQueryParams(sourceContext, queryParams);
-
-      expect(agentLib.scoreAtom).not.to.have.been.called;
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(core.logger.debug).to.have.been.calledOnceWith({ queryParams }, text);
-      expect(result).to.be.undefined;
-    });
-
-    it('just returns if the queryParams have been already handled', function () {
-      const queryParams = { test: 'params' };
-      const { agentLib } = core.protect;
-
-      handleQueryParams(sourceContext, queryParams);
-      const result = handleQueryParams(sourceContext, queryParams);
-
-      expect(agentLib.scoreAtom).not.to.have.been.calledOnce;
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(core.logger.debug).not.to.have.been.called;
-      expect(result).to.be.undefined;
-    });
-
-    it('does not block a request with an attack for a worth-watching rule', function () {
-      const queryParams = {
-        first: { a: { nested: '; drop table *' } },
-        second: '',
-        third: 'times-a-charm',
-      };
-      const expectedCalls = [
-        { type: ParameterKey, value: 'first', rv: undefined },
-        { type: ParameterKey, value: 'a', rv: undefined },
-        { type: ParameterKey, value: 'nested', rv: undefined },
-        { type: ParameterValue, value: '; drop table *', rv: [{ ruleId: 'sql-injection', score: 10, idsList: [] }] },
-        { type: ParameterKey, value: 'second', rv: undefined },
-        { type: ParameterKey, value: 'third', rv: undefined },
-        { type: ParameterValue, value: 'times-a-charm', rv: [{ ruleId: 'sql-injection', score: 10, idsList: [] }] },
-
-      ];
-      handleQueryParams(sourceContext, queryParams);
-
-      const { agentLib } = core.protect;
-      // note that the empty string for the key 'second' does not generate a callback in handleQueryParams.
-      expect(agentLib.scoreAtom).to.have.callCount(7);
-
-      for (let i = 0; i < expectedCalls.length; i++) {
-        const exp = expectedCalls[i];
-        const call = agentLib.scoreAtom.getCall(i);
-        expect(call).to.have.been.calledWith(sqlMask, exp.value, exp.type, preferWW);
-        expect(call.returnValue).to.deep.equal(exp.rv);
-      }
-
-      // it calls with worth watching, so only reflected-xss can return a 90
-      expect(throwSecurityException).not.to.have.been.called;
-    });
-
-    it('blocks a request with a definite attack for a non-worth-watching rule', function () {
-      const xssMask = RuleType['reflected-xss'];
-      sourceContext.policy = {
-        ...emptySc.policy,
-        rulesMask: xssMask,
-        'reflected-xss': 'block',
-      };
-      const queryParams = {
-        first: { a: { nested: '<script>' } },
-        second: '',
-        third: 'eval(x.toString())',
-      };
-
-      const expectedCalls = [
-        { type: ParameterKey, value: 'first', rv: undefined },
-        { type: ParameterKey, value: 'a', rv: undefined },
-        { type: ParameterKey, value: 'nested', rv: undefined },
-        { type: ParameterValue, value: '<script>', rv: [{ ruleId: 'reflected-xss', score: 90, idsList: ['PIDS-XSS-38A'] }] },
-        { type: ParameterKey, value: 'second', rv: undefined },
-        { type: ParameterKey, value: 'third', rv: undefined },
-        { type: ParameterValue, value: 'eval(x.toString())', rv: [{ ruleId: 'reflected-xss', score: 90, idsList: ['BAD-JS-FUNCTION-CALL-1'] }] },
-      ];
-      handleQueryParams(sourceContext, queryParams);
-
-      const { agentLib } = core.protect;
-      // note that the empty string for the key 'second' does not generate a callback in handleQueryParams.
-      expect(agentLib.scoreAtom).to.have.callCount(7);
-
-      for (let i = 0; i < expectedCalls.length; i++) {
-        const exp = expectedCalls[i];
-        const call = agentLib.scoreAtom.getCall(i);
-        expect(call).to.have.been.calledWith(xssMask, exp.value, exp.type, preferWW);
-        expect(call.returnValue).to.deep.equal(exp.rv);
-      }
-
-      // scoreAtom is called with worth watching, so only reflected-xss can return a 90
-      expect(throwSecurityException).to.have.been.calledOnceWith(sourceContext);
-    });
-
-    it('allows a request if it is matched by an exception', function () {
-      const xssMask = RuleType['reflected-xss'];
-      sourceContext.policy = {
-        rulesMask: xssMask,
-        'reflected-xss': 'block',
-        exclusions: {
-          ...emptySc.policy.exclusions,
-          parameter: [{
-            name: 'testPolicy',
-            matchesUriPath: () => true,
-            matchesInputName: (inputName) => inputName === 'nested',
-            policy: { 'reflected-xss': 'off' }
-          }]
-        }
-      };
-      const queryParams = {
-        first: { a: { nested: '<script>' } },
-        second: '',
-      };
-
-      handleQueryParams(sourceContext, queryParams);
-
-      expect(throwSecurityException).not.to.have.been.called;
-    });
-
-    it('handles nosql-injection-mongo', function () {
-      const queryParams = {
-        first: { user: { $eq: { id: '*' } } }
-      };
-      sourceContext.policy = {
-        ...emptySc.policy,
-        rulesMask: mongoMask,
-        'nosql-injection-mongo': 'block',
-      };
-      const { agentLib } = core.protect;
-
-      handleQueryParams(sourceContext, queryParams);
-
-      expect(agentLib.scoreAtom).to.have.callCount(5);
-      expect(agentLib.isMongoQueryType).to.have.callCount(4);
-
-      expect(sourceContext.trackRequest).to.be.true;
-      expect(sourceContext.securityException).to.be.undefined;
-      expect(sourceContext.resultsMap).an('object').keys('nosql-injection-mongo');
-
-      const results = sourceContext.resultsMap['nosql-injection-mongo'];
-      expect(results).an('array').length(1);
-
-      const result = results[0];
-      expect(result.path).to.deep.equal(['first', 'user']);
-      expect(result.inputType).to.equal('ParameterKey');
-      expect(result.key).to.equal('$eq');
-      expect(result.value).to.equal('$eq');
-      expect(result.mongoContext).an('object').keys('inputToCheck');
-
-      const context = result.mongoContext;
-      expect(context.inputToCheck).to.deep.equal({ id: '*' });
-    });
-
-    it('handles nested nosql-injection-mongo results', function () {
-      const queryParams = {
-        first: { user: { $eq: { id: { $ne: { password: '' } } } } }
-      };
-      sourceContext.policy = {
-        ...emptySc.policy,
-        rulesMask: mongoMask,
-        'nosql-injection-mongo': 'block',
-      };
-      const { agentLib } = core.protect;
-
-      handleQueryParams(sourceContext, queryParams);
-
-      expect(agentLib.scoreAtom).to.have.callCount(6);
-      expect(agentLib.isMongoQueryType).to.have.callCount(6);
-
-      expect(sourceContext.trackRequest).to.be.true;
-      expect(sourceContext.securityException).to.be.undefined;
-      expect(sourceContext.resultsMap).an('object').keys('nosql-injection-mongo');
-
-      const results = sourceContext.resultsMap['nosql-injection-mongo'];
-      expect(results).an('array').length(2);
-
-      const exp = [{
-        path: ['first', 'user'],
-        key: '$eq',
-        inputToCheck: { id: { $ne: { password: '' } } },
-      }, {
-        path: ['first', 'user', '$eq', 'id'],
-        key: '$ne',
-        inputToCheck: { password: '' },
-      }];
-
-      for (let i = 0; i < exp.length; i++) {
-        expect(results[i].path).to.deep.equal(exp[i].path);
-        expect(results[i].inputType).to.equal('ParameterKey');
-        expect(results[i].key).to.equal(exp[i].key);
-        expect(results[i].value).to.equal(exp[i].key);
-        expect(results[i].mongoContext).an('object').keys('inputToCheck');
-
-        expect(results[i].mongoContext.inputToCheck).to.deep.equal(exp[i].inputToCheck);
-      }
-    });
-
-    it('handles multiple nosql-injection-mongo results', function () {
-      const queryParams = {
-        first: {
-          user: { $where: { id: '*' } },
-          password: { $finalize: 'while(1){};' },
-        }
-      };
-      sourceContext.policy = {
-        ...emptySc.policy,
-        rulesMask: mongoMask,
-        'nosql-injection-mongo': 'block',
-      };
-      const { agentLib } = core.protect;
-
-      handleQueryParams(sourceContext, queryParams);
-
-      expect(agentLib.scoreAtom).to.have.callCount(8);
-      expect(agentLib.isMongoQueryType).to.have.callCount(6);
-
-      expect(sourceContext.trackRequest).to.equal(true, 'trackRequest should be true');
-      expect(sourceContext.securityException).to.be.undefined;
-      expect(sourceContext.resultsMap).an('object').keys('nosql-injection-mongo');
-
-      const results = sourceContext.resultsMap['nosql-injection-mongo'];
-      expect(results).an('array').length(2);
-
-      const exp = [{
-        path: ['first', 'user'],
-        key: '$where',
-        inputToCheck: { id: '*' },
-      }, {
-        path: ['first', 'password'],
-        key: '$finalize',
-        inputToCheck: 'while(1){};',
-      }];
-
-      for (let i = 0; i < exp.length; i++) {
-        expect(results[i].path).to.deep.equal(exp[i].path);
-        expect(results[i].inputType).to.equal('ParameterKey');
-        expect(results[i].key).to.equal(exp[i].key);
-        expect(results[i].value).to.equal(exp[i].key);
-        expect(results[i].mongoContext).an('object').keys('inputToCheck');
-
-        expect(results[i].mongoContext.inputToCheck).to.deep.equal(exp[i].inputToCheck);
-      }
-    });
-  });
-
-  describe('handleUrlParams', function () {
-    beforeEach(function () {
-      sinon.spy(core.protect.agentLib, 'scoreAtom');
-    });
-
-    it('logs at debug level if the urlParams is not an object', function () {
-      const urlParams = 'Not an object';
-      const text = 'handleUrlParams() called with non-object';
-      const { agentLib } = core.protect;
-
-      const result = handleUrlParams(sourceContext, urlParams);
-
-      expect(agentLib.scoreAtom).not.to.have.been.called;
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(core.logger.debug).to.have.been.calledOnceWith({ urlParams }, text);
-      expect(result).to.be.undefined;
-    });
-
-    it('just returns if the urlParams have been already handled', function () {
-      const urlParams = { test: 'params' };
-      const { agentLib } = core.protect;
-
-      handleUrlParams(sourceContext, urlParams);
-      const result = handleUrlParams(sourceContext, urlParams);
-
-      expect(agentLib.scoreAtom).to.have.been.calledOnce;
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(core.logger.debug).not.to.have.been.called;
-      expect(result).to.be.undefined;
-    });
-
-    it('does not block a request when no valid results are found', function () {
-      const urlParams = {
-        first: 'a',
-        second: '',
-        third: 'b',
-      };
-      const result = handleUrlParams(sourceContext, urlParams);
-
-      const { agentLib } = core.protect;
-      expect(agentLib.scoreAtom).to.have.been.calledTwice;
-      expect(agentLib.scoreAtom.firstCall).to.have.been.calledWith(sqlMask, 'a', UrlParameter, preferWW);
-      expect(agentLib.scoreAtom.secondCall).to.have.been.calledWith(sqlMask, 'b', UrlParameter, preferWW);
-
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(result).to.be.undefined;
-    });
-
-    it('does not block a request with an attack for a worth-watching rule', function () {
-      const urlParams = {
-        first: { a: { nested: '; drop table *' } },
-        second: '',
-        third: 'times-a-charm',
-      };
-      handleUrlParams(sourceContext, urlParams);
-
-      const { agentLib } = core.protect;
-      // scoreAtom is only called from leaf, not key, values that are not falsey.
-      expect(agentLib.scoreAtom).to.have.been.calledTwice;
-      expect(agentLib.scoreAtom.firstCall).to.have.been.calledWith(sqlMask, '; drop table *', UrlParameter, preferWW);
-      expect(agentLib.scoreAtom.secondCall).to.have.been.calledWith(sqlMask, 'times-a-charm', UrlParameter, preferWW);
-
-      for (let i = 0; i < 2; i++) {
-        const rv = agentLib.scoreAtom.getCall(i).returnValue;
-        expect(rv).to.deep.equal([{ ruleId: 'sql-injection', score: 10, idsList: [] }]);
-      }
-
-      // it calls with worth watching, so only reflected-xss can return a 90
-      expect(throwSecurityException).not.to.have.been.called;
-    });
-
-    it('blocks a request with a definite attack for a non-worth-watching rule', function () {
-      const xssMask = RuleType['reflected-xss'];
-      sourceContext.policy = {
-        rulesMask: xssMask,
-        'reflected-xss': 'block',
-      };
-      const urlParams = {
-        first: { a: { nested: '<script>' } },
-        second: '',
-        third: 'eval(x.toString())',
-      };
-
-      handleUrlParams(sourceContext, urlParams);
-
-      const { agentLib } = core.protect;
-      // scoreAtom is only called from leaf, not key, values that are not falsey.
-      expect(agentLib.scoreAtom).to.have.been.calledTwice;
-      expect(agentLib.scoreAtom.firstCall).to.have.been.calledWith(xssMask, '<script>', UrlParameter, preferWW);
-      expect(agentLib.scoreAtom.secondCall).to.have.been.calledWith(xssMask, 'eval(x.toString())', UrlParameter, preferWW);
-
-      const expectedCalls = [
-        { type: ParameterKey, value: '<script>', rv: [{ ruleId: 'reflected-xss', score: 90, idsList: ['PIDS-XSS-38A'] }] },
-        { type: ParameterValue, value: 'eval(x.toString())', rv: [{ ruleId: 'reflected-xss', score: 90, idsList: ['BAD-JS-FUNCTION-CALL-1'] }] },
-      ];
-
-      for (let i = 0; i < expectedCalls.length; i++) {
-        const exp = expectedCalls[i];
-        const rv = agentLib.scoreAtom.getCall(i).returnValue;
-        expect(rv).to.deep.equal(exp.rv);
-      }
-
-      // it calls with worth watching, so only reflected-xss can return a 90
-      expect(throwSecurityException).to.have.been.calledOnceWith(sourceContext);
-    });
-
-    // there are no longer any worth-watching returns from a non-worth-watching rule. there
-    // used to be, but there are now. this test is skipped (as opposed to removed) to serve
-    // as a guide in case this can happen in the future.
-    it.skip('does not block a request for a worth-watching score from a non-worth-watching rule', function () {
-      sourceContext.policy = {
-        rulesMask: xssMask,
-        'reflected-xss': 'block',
-      };
-      // this is the only Score::HIGH pattern left; if it goes away then this
-      // test should go away too.
-      const tenScore1 = 'type="text/javascript"';
-      const tenScore2 = 'type="application/javascript"';
-      const urlParams = {
-        first: { a: { nested: tenScore1 } },
-        second: '',
-        third: tenScore2,
-      };
-
-      handleUrlParams(sourceContext, urlParams);
-
-      const { agentLib } = core.protect;
-      // scoreAtom is only called from leaf, not key, values that are not falsey.
-      expect(agentLib.scoreAtom).to.have.been.calledTwice;
-      expect(agentLib.scoreAtom.firstCall).to.have.been.calledWith(xssMask, tenScore1, UrlParameter, preferWW);
-      expect(agentLib.scoreAtom.secondCall).to.have.been.calledWith(xssMask, tenScore2, UrlParameter, preferWW);
-
-      for (let i = 0; i < 2; i++) {
-        const rv = agentLib.scoreAtom.getCall(i).returnValue;
-        expect(rv).to.deep.equal([{ ruleId: 'reflected-xss', score: 10 }]);
-      }
-
-      // while reflected-xss can return a 90 score, these particular attacks only
-      // score 10, so block shouldn't be called.
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(sourceContext.resultsMap).an('object').keys(['reflected-xss']);
-      const expected = {
-        path: [['first', 'a', 'nested'], ['third']],
-        key: ['nested', 'third'],
-        value: [tenScore1, tenScore2]
-      };
-      expect(sourceContext.resultsMap).an('object').keys(['reflected-xss']);
-      const reflectedXssResults = sourceContext.resultsMap['reflected-xss'];
-
-      for (let i = 0; i < reflectedXssResults.length; i++) {
-        const result = reflectedXssResults[i];
-        expect(result.ruleId).to.equal('reflected-xss');
-        expect(result.inputType).to.equal('UrlParameter');
-        expect(result.path).to.deep.equal(expected.path[i]);
-        expect(result.key).to.equal(expected.key[i]);
-        expect(result.value).to.equal(expected.value[i]);
-      }
-    });
-  });
-
-  describe('handleCookies', function () {
-    const sql10Score = '; drop table *';
-    let al;
-
-    beforeEach(function () {
-      al = core.protect.agentLib;
-    });
-
-    it('does not block the request because worth-watching is used', function () {
-      const cookies = {
-        secret: sql10Score,
-      };
-
-      const expectedInputs = { cookies: [] };
-      Object.entries(cookies).forEach(entry => expectedInputs.cookies.push(...entry));
-      sinon.spy(al, 'scoreRequestConnect');
-
-      handleCookies(sourceContext, cookies);
-
-      expect(al.scoreRequestConnect).to.have.been.calledOnceWith(sqlMask, expectedInputs, preferWW);
-      expect(throwSecurityException).not.to.have.been.called;
-    });
-
-    it('just returns if the cookies have been already handled', function () {
-      const cookies = {
-        test: 'cookie',
-      };
-      sinon.spy(al, 'scoreRequestConnect');
-
-      handleCookies(sourceContext, cookies);
-      const result = handleCookies(sourceContext, cookies);
-
-
-      expect(al.scoreRequestConnect).to.have.been.calledOnce;
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(result).to.be.undefined;
-    });
-
-    it('blocks the request when some other finding has a security exception but it is not yet thrown (failsafe)', function () {
-      const cookies = {
-        secret: sql10Score,
-      };
-      sourceContext.securityException = ['block', 'reflected-xss'];
-      sourceContext.resultsMap = {
-        'reflected-xss': { ruleId: 'reflected-xss', inputType: 'ParameterKey', path: [], key: '<script>', value: '<script>', score: 90 }
-      };
-
-      const expectedInputs = { cookies: [] };
-      Object.entries(cookies).forEach(entry => expectedInputs.cookies.push(...entry));
-      sinon.spy(al, 'scoreRequestConnect');
-
-      handleCookies(sourceContext, cookies);
-
-      expect(al.scoreRequestConnect).to.have.been.calledOnceWith(sqlMask, expectedInputs, preferWW);
-      expect(throwSecurityException).to.have.been.calledOnceWith(sourceContext);
-    });
-  });
-
-  describe('handleParsedBody', function () {
-    const sql10Score = '; drop table *';
-    const xss90Score = '<script>';
-    let al;
-    let sc;
-
-    beforeEach(function () {
-      al = core.protect.agentLib;
-      sc = sourceContext;
-      sinon.spy(al, 'scoreAtom');
-    });
-
-    it('blocks the request when a 90 score for reflected-xss', function () {
-      const rulesMask = 0 | al.RuleType['sql-injection'] | al.RuleType['reflected-xss'];
-      sourceContext.policy = {
-        ...emptySc.policy,
-        rulesMask,
-        'reflected-xss': 'block',
-        'sql-injection': 'block',
-      };
-      const body = {
-        secret: sql10Score,
-        [xss90Score]: 'special',
-      };
-
-      handleParsedBody(sourceContext, body);
-
-      const PK = al.InputType.ParameterKey;
-      const PV = al.InputType.ParameterValue;
-
-      expect(al.scoreAtom).to.have.callCount(4);
-      expect(al.scoreAtom.getCall(0).args).to.deep.equal([rulesMask, 'secret', PK, preferWW]);
-      expect(al.scoreAtom.getCall(1).args).to.deep.equal([rulesMask, sql10Score, PV, preferWW]);
-      expect(al.scoreAtom.getCall(2).args).to.deep.equal([rulesMask, xss90Score, PK, preferWW]);
-      expect(al.scoreAtom.getCall(3).args).to.deep.equal([rulesMask, 'special', PV, preferWW]);
-      expect(throwSecurityException).to.have.been.calledOnceWith(sc);
-
-      expect(sourceContext.resultsMap).an('object').keys(['reflected-xss', 'sql-injection']);
-      const expected = [
-        { ruleId: 'sql-injection', inputType: 'ParameterValue', path: ['secret'], key: 'secret', value: sql10Score, score: 10 },
-        { ruleId: 'reflected-xss', inputType: 'ParameterKey', path: [], key: xss90Score, value: xss90Score, score: 90 },
-      ];
-
-      for (let i = 0; i < expected.length; i++) {
-        expect(sourceContext.resultsMap[expected[i].ruleId]).an('array').length(1);
-
-        const result = sourceContext.resultsMap[expected[i].ruleId][0];
-        expect(result.ruleId).to.equal(expected[i].ruleId);
-        expect(result.inputType).to.equal(expected[i].inputType);
-        expect(result.path).to.deep.equal(expected[i].path);
-        expect(result.key).to.equal(expected[i].key);
-        expect(result.value).to.equal(expected[i].value);
-        expect(result.score).to.equal(expected[i].score);
-      }
-    });
-
-    it('just returns if the parsedBody have been already handled', function () {
-      const { inputAnalysis } = core.protect;
-
-      sinon.spy(inputAnalysis, 'handleVirtualPatches');
-
-      const parsedBody = { test: 'body' };
-      inputAnalysis.handleParsedBody(sourceContext, parsedBody);
-      const result = inputAnalysis.handleParsedBody(sourceContext, parsedBody);
-
-      expect(core.logger.debug).not.to.have.been.called;
-      expect(inputAnalysis.handleVirtualPatches).to.have.been.calledOnce;
-      expect(result).to.be.undefined;
-    });
-
-    it('does not block the request if the request is not tracked', function () {
-      const body = { secret: sql10Score };
-
-      handleParsedBody(sourceContext, body);
-
-      expect(al.scoreAtom).to.have.been.calledTwice;
-      expect(throwSecurityException).not.to.have.been.called;
-
-      expect(sourceContext.resultsMap).an('object').keys(['sql-injection']);
-      const expected = {
-        ruleId: ['sql-injection'],
-        inputType: ['ParameterValue'],
-        path: [['secret']],
-        key: ['secret'],
-        value: [sql10Score],
-        score: [10],
-      };
-      for (let i = 0; i < expected.length; i++) {
-        expect(sourceContext.resultsMap[expected[i].ruleId]).an('array').length(1);
-
-        const result = sourceContext.resultsMap[expected[i].ruleId][0];
-        expect(result.ruleId).to.equal(expected[i].ruleId);
-        expect(result.inputType).to.equal(expected[i].inputType);
-        expect(result.path).to.deep.equal(expected[i].path);
-        expect(result.key).to.equal(expected[i].key);
-        expect(result.value).to.equal(expected[i].value);
-        expect(result.score).to.equal(expected[i].score);
-      }
-    });
-  });
-
-  describe('handleFileUploadName', function () {
-    beforeEach(function () {
-      sourceContext.policy = { rulesMask: unsafeFileUploadMask, 'unsafe-file-upload': 'block_at_perimeter' };
-      sinon.spy(core.protect.agentLib, 'scoreAtom');
-    });
-
-    it('logs at debug level if the filename is not a string', function () {
-      const filenames = [1];
-      const text = 'handleFileUploadName() was called with non-string';
-      const { agentLib } = core.protect;
-
-      const result = handleFileUploadName(sourceContext, filenames);
-
-      expect(agentLib.scoreAtom).not.to.have.been.called;
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(core.logger.debug).to.have.been.calledOnceWith({ filename: 1 }, text);
-      expect(result).to.be.undefined;
-    });
-
-    it('does not block when the rule mode is off', function () {
-      sourceContext.policy = { rulesMask: 0, 'unsafe-file-upload': 'off' };
-      const filenames = ['bad-file.php'];
-      const result = handleFileUploadName(sourceContext, filenames);
-
-      const { agentLib } = core.protect;
-      expect(agentLib.scoreAtom).not.to.have.been.called;
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(result).to.be.undefined;
-    });
-
-    it('does not block a request when no valid results are found', function () {
-      const filenames = ['good-file.log'];
-      const result = handleFileUploadName(sourceContext, filenames);
-
-      const { agentLib } = core.protect;
-      expect(agentLib.scoreAtom).to.have.been.calledOnceWithExactly(unsafeFileUploadMask, 'good-file.log', MultipartName);
-
-      expect(throwSecurityException).not.to.have.been.called;
-      expect(result).to.be.undefined;
-    });
-
-    it('blocks a request with a definite attack', function () {
-      const filenames = ['bad-file.php'];
-
-      handleFileUploadName(sourceContext, filenames);
-
-      const { agentLib } = core.protect;
-      // scoreAtom is only called from leaf, not key, values that are not falsey.
-      expect(agentLib.scoreAtom).to.have.been.calledOnceWithExactly(unsafeFileUploadMask, 'bad-file.php', MultipartName);
-      expect(agentLib.scoreAtom.getCall(0).returnValue).to.deep.equal([{ ruleId: 'unsafe-file-upload', score: 90, idsList: ['UFU-1'] }]);
-      expect(throwSecurityException).to.have.been.calledOnceWith(sourceContext);
-    });
-  });
-
-  describe('handleVirtualPatches', function () {
-    it('throws an exception when the request matches the all evaluations in the virtual patch', function () {
-      const mockEvaluator = (value) => value === 'attack';
-
-      sourceContext.virtualPatchesEvaluators = [new Map([['HEADERS', mockEvaluator], ['PARAMETERS', mockEvaluator], ['metadata', { uuid: 'uuid', name: 'name' }]])];
-
-      handleVirtualPatches(sourceContext, { HEADERS: 'attack' });
-
-      expect(throwSecurityException).not.to.have.been.called;
-      handleVirtualPatches(sourceContext, { PARAMETERS: 'attack' });
-
-      expect(throwSecurityException).to.have.been.called;
-    });
-  });
-
-  describe('handleIpAllowlist', function () {
-    let clock, ipAllowlist;
-
-    beforeEach(function () {
-      clock = sinon.useFakeTimers();
-
-      ipAllowlist = [
-        {
-          ip: '127.0.0.1',
-          expires: 0,
-          doesExpire: false,
-          expiresAt: undefined,
-          normalizedValue: '127.0.0.1',
-          cidr: undefined
-        },
-        {
-          name: 'expired-one',
-          ip: '1.2.3.4',
-          expires: 50000,
-          doesExpire: true,
-          expiresAt: 50000,
-          normalizedValue: '1.2.3.4',
-          cidr: undefined
-        }
-      ];
-    });
-
-    afterEach(function () {
-      clock.restore();
-    });
-
-    it('returns true if a non-expired match is found', function () {
-      const result = handleIpAllowlist(sourceContext, ipAllowlist);
-
-      expect(core.logger.info).to.have.been.calledWith({ ...ipAllowlist[0], matchedIp: sourceContext.reqData.ip }, 'Found a matching IP to an entry in ipAllow list');
-      expect(result).to.be.true;
-    });
-
-    it('returns undefined if a the match found is expired', async function () {
-      sourceContext.reqData.ip = '1.2.3.4';
-      await clock.tickAsync(50000);
-      const result = handleIpAllowlist(sourceContext, ipAllowlist);
-
-      expect(core.logger.info).to.have.been.calledWith('IP expired: %s, %s', ipAllowlist[1].name, ipAllowlist[1].ip);
-      expect(result).to.be.undefined;
-    });
-
-    it('does nothing when there is no source context, or the list is empty', function () {
-      const results = [
-        handleIpAllowlist(null, ipAllowlist),
-        handleIpAllowlist(sourceContext, [])
-      ];
-
-      expect(core.logger.info).not.to.have.been.called;
-      expect(results).to.deep.equal([undefined, undefined]);
-    });
-  });
-
-  describe('handleIpDenylist', function () {
-    let ipDenylist;
-
-    beforeEach(function () {
-      ipDenylist = [
-        {
-          ip: '192.168.1.0/12',
-          expires: 0,
-          doesExpire: false,
-          expiresAt: undefined,
-          normalizedValue: '192.168.1.0',
-          cidr: { range: address.parseCIDR('192.168.1.0/12'), kind: 'ipv4' }
-        }
-      ];
-    });
-
-    it('returns true if a non-expired match is found', function () {
-      sourceContext.reqData.headers = ['x-forwarded-for', '127.0.0.1;127.0.0.2,192.168.1.1'];
-      const result = handleIpDenylist(sourceContext, ipDenylist);
-
-      expect(core.logger.info).to.have.been.calledWith({ ...ipDenylist[0], match: '192.168.1.1' }, 'Found a matching IP to an entry in ipDeny list');
-      expect(result).to.deep.equal(['block', 'ip-denylist']);
-    });
-
-    it('returns undefined if a no match is found', async function () {
-      sourceContext.reqData.ip = '2001:db8:3333:4444:5555:6666:7777:8888';
-      const result = handleIpAllowlist(sourceContext, ipDenylist);
-
-      // expect(core.logger.info).to.have.been.calledWith(`IP expired: ${ipAllowlist[1].name}, ${ipAllowlist[1].ip}`);
-      expect(result).to.be.undefined;
-    });
-
-    it('does nothing when there is no source context, or the list is empty', function () {
-      const results = [
-        handleIpDenylist(null, ipDenylist),
-        handleIpDenylist(sourceContext, [])
-      ];
-
-      expect(core.logger.info).not.to.have.been.called;
-      expect(results).to.deep.equal([undefined, undefined]);
-    });
-  });
-
-  describe(Rule.METHOD_TAMPERING, function () {
-    const ruleId = Rule.METHOD_TAMPERING;
-    [ProtectRuleMode.BLOCK, ProtectRuleMode.MONITOR].forEach((mode) => {
-      [
-        ['acl', true],
-        ['baseline-control', true],
-        ['checkin', true],
-        ['checkout', true],
-        ['connect', true],
-        ['copy', true],
-        ['delete', true],
-        ['get', true],
-        ['head', true],
-        ['label', true],
-        ['lock', true],
-        ['merge', true],
-        ['mkactivity', true],
-        ['mkcalendar', true],
-        ['mkcol', true],
-        ['mkworkspace', true],
-        ['move', true],
-        ['options', true],
-        ['orderpatch', true],
-        ['patch', true],
-        ['post', true],
-        ['propfind', true],
-        ['proppatch', true],
-        ['put', true],
-        ['report', true],
-        ['search', true],
-        ['trace', true],
-        ['uncheckout', true],
-        ['unlock', true],
-        ['update', true],
-        ['version-control', true],
-        ['attack', false],
-        ['unknown-verb', false],
-        ['$arbitrary', false],
-      ].forEach(([method, safe]) => {
-        it(`HTTP verb '${method.toUpperCase()}' is ${safe ? 'safe' : 'unsafe'}`, function () {
-          const sourceContext = {
-            policy: {
-              [ruleId]: mode
-            },
-            resultsMap: {}
-          };
-          const result = core.protect.inputAnalysis.handleMethodTampering(sourceContext, { method });
-          const blocked = BLOCKING_MODES.includes(mode);
-
-          if (safe) {
-            expect(sourceContext.resultsMap).to.be.empty;
-          } else {
-            expect(sourceContext.resultsMap[ruleId]).to.deep.equal([{
-              key: 'method',
-              value: method,
-              blocked,
-              exploitMetadata: null,
-              inputType: METHOD
-            }]);
-            if (blocked) {
-              expect(result).to.deep.equal(['block', ruleId]);
-              expect(sourceContext.securityException).to.deep.equal(['block', ruleId]);
-            }
-          }
-        });
-      });
-    });
-  });
-
-  describe('commonObjectAnalyzer', function () {
-    it('does nothing when there are no results found in commonObjectAnalyzer()', function () {
-      const body = {
-        x: { y: 'z' },
-      };
-      const { inputAnalysis } = core.protect;
-
-      expect(inputAnalysis.handleParsedBody(sourceContext, body)).to.be.undefined;
-    });
-
-    it.skip('returns when wrong arguments are passed to getValueAtKey()', function () {
-      // TODO?
-    });
-  });
-});
-
-describe('input analysis', function () {
-  describe('handlers with mock agent-lib', function () {
-    let core,
-      inputAnalysis,
-      server,
-      serverEmit,
-      req,
-      res,
-      reqEmitter,
-      expectedReqData,
-      connectInputs,
-      scoreRequestConnect,
-      srcReturnValue;
-
-    beforeEach(function () {
-      ({ core } = initProtectFixture());
-
-      Object.assign(core.config.protect.rules, {
-        'cmd-injection': { mode: 'block' }
-      });
-      core.logger = mocks.logger();
-      core.scopes = mocks.scopes();
-
-      srcReturnValue = {
-        trackRequest: true,
-        resultsList: [{
-          score: 90.0,
-          ruleId: 'cmd-injection',
-        }],
-      };
-      scoreRequestConnect = sinon.stub().callsFake(() => srcReturnValue);
-
-      sinon.stub(Protect, 'instantiateAgentLib').returns({
-        // indirection so it can be changed in each test
-        scoreRequestConnect,
-        RuleType: agentLib.constants.RuleType,
-        InputType: agentLib.constants.InputType,
-        // DbType,
-      });
-
-      core.protect = Protect(core);
-
-      sinon.spy(core.protect.inputAnalysis, 'handleConnect');
-
-      inputAnalysis = require('./install/http')(core);
-      inputAnalysis.install();
-
-      // mock Server thing...
-      server = {};
-      serverEmit = sinon.stub();
-      server.prototype = { emit: serverEmit };
-
-      // mock req, res
-      reqEmitter = new EventEmitter();
-      req = {
-        url: '/',
-        method: 'GET',
-        rawHeaders: ['host', 'vogon.com', 'content-type', 'text/json'],
-        // this needs to look sort of like a real incoming message
-        emit: (...args) => reqEmitter.emit(...args),
-        _events: {},
-        socket: { _readableState: { autoDestroy: false } },
-        resume: sinon.stub(),
-      };
-      res = {
-        end: sinon.stub(),
-        writeHead: sinon.stub(),
-        headersSent: false,
-      };
-
-      // setup a few expected results. these can be modified as needed by
-      // different tests.
-      expectedReqData = {
-        method: req.method,
-        headers: req.rawHeaders.map((h, i) => i & 1 ? h : h.toLowerCase()),
-        rawUrl: req.url,
-        pathname: '/',
-        search: '',
-      };
-      // it's the search string in request parlance but known as query string
-      // here.
-      connectInputs = Object.assign({}, expectedReqData);
-      delete connectInputs.search;
-      connectInputs.queries = expectedReqData.search;
-    });
-
-    // i don't see how to unit test this; xport.Server.prototype.emit()
-    // i.e., the real patching function. i think verifying that function
-    // will require an integration test of some sort.
-    // it('should handle requests on http, https, and http2', ...)
-
-    // initiateRequestHandling() sets up everything but the inputs for all analysis
-    // of this request.
-    it('handleRequestConnect works as expected', function () {
-      const sourceContext = core.protect.makeSourceContext(req, res);
-      sinon.spy(core.protect, 'throwSecurityException');
-
-      const connectInputs = {
-        method: req.method,
-        headers: req.rawHeaders.map((h, i) => i & 1 ? h : h.toLowerCase()),
-        rawUrl: req.url,
-        pathname: '/',
-        search: '',
-      };
-
-      const block = core.protect.inputAnalysis.handleConnect(sourceContext, connectInputs);
-
-      expect(scoreRequestConnect).to.have.been.calledOnce;
-      expect(core.protect.throwSecurityException).not.to.have.been.called;
-      expect(block).to.deep.equal(['block', 'cmd-injection']);
-    });
-
-    it('handleRequestConnect() does not block when no attack', function () {
-      const sourceContext = core.protect.makeSourceContext(req, res);
-      sinon.spy(sourceContext, 'block');
-
-      const connectInputs = {
-        method: req.method,
-        headers: req.rawHeaders.map((h, i) => i & 1 ? h : h.toLowerCase()),
-        rawUrl: req.url,
-        pathname: '/',
-        search: '',
-      };
-
-      srcReturnValue = {
-        trackRequest: false,
-      };
-
-      core.protect.inputAnalysis.handleConnect(sourceContext, connectInputs);
-
-      expect(scoreRequestConnect).to.have.been.calledOnce;
-      expect(sourceContext.block).not.to.have.been.called;
-    });
-  });
-
-  describe('handlers with real agent-lib', function () {
-    let core, al, req, res, reqEmitter, expectedReqData, connectInputs;
-
-    beforeEach(function () {
-      ({ core } = initProtectFixture());
-
-      al = core.protect.agentLib;
-      Object.assign(core.config.protect.rules, {
-        'cmd-injection': { mode: 'block' }
-      });
-
-      // return the real agentLib instantiation.
-      sinon.stub(Protect, 'instantiateAgentLib').returns(al);
-
-      core.protect = Protect(core);
-
-      sinon.spy(core.protect.inputAnalysis, 'handleConnect');
-
-      // mock req, res
-      reqEmitter = new EventEmitter();
-      req = {
-        url: '/',
-        method: 'GET',
-        rawHeaders: ['host', 'vogon.com', 'content-type', 'text/json'],
-        // this needs to look sort of like a real incoming message
-        emit: (...args) => reqEmitter.emit(...args),
-        _events: {},
-        socket: { _readableState: { autoDestroy: false } },
-        resume: sinon.stub(),
-      };
-      res = {
-        end: sinon.stub(),
-        writeHead: sinon.stub(),
-        headersSent: false,
-      };
-
-      // setup a few expected results. these can be modified as needed by
-      // different tests.
-      expectedReqData = {
-        method: req.method,
-        headers: req.rawHeaders.map((h, i) => i & 1 ? h : h.toLowerCase()),
-        rawUrl: req.url,
-        pathname: '/',
-        search: '',
-      };
-      // it's the search string in request parlance but known as query string
-      // here.
-      connectInputs = Object.assign({}, expectedReqData);
-      delete connectInputs.search;
-      connectInputs.queries = expectedReqData.search;
-    });
-
-    describe('handleParsedBody()', function () {
-      it('logs at debug level if the body is not an object', function () {
-        const ruleId = 'reflected-xss';
-        const sourceContext = core.protect.makeSourceContext(req, res);
-        sourceContext.policy = {
-          rulesMask: al.RuleType[ruleId],
-          [ruleId]: 'block',
-        };
-        const { inputAnalysis } = core.protect;
-
-        const parsedBody = 'not-an-object';
-        inputAnalysis.handleParsedBody(sourceContext, parsedBody);
-
-        const text = 'handleParsedBody() called with non-object';
-        expect(core.logger.debug).to.have.been.calledOnceWith({ parsedBody }, text);
-      });
-
-      it('scores the object as JSON', function () {
-        const ruleId = 'nosql-injection-mongo';
-        const sourceContext = core.protect.makeSourceContext(req, res);
-        sourceContext.policy = {
-          ...emptySc.policy,
-          rulesMask: al.RuleType[ruleId],
-          [ruleId]: 'block',
-        };
-
-        const body = {
-          xyzzy: { $ne: { x: 'y' } }
-        };
-        const { inputAnalysis } = core.protect;
-
-        inputAnalysis.handleParsedBody(sourceContext, body);
-        checkNosqlHandleBodyResults(sourceContext, al, body, { mongoContext: true });
-      });
-
-      it('scores the object as urlencoded', function () {
-        const ruleId = 'nosql-injection-mongo';
-        const sourceContext = core.protect.makeSourceContext(req, res);
-        sourceContext.policy = {
-          ...emptySc.policy,
-          rulesMask: al.RuleType[ruleId],
-          [ruleId]: 'block',
-        };
-
-        sourceContext.reqData.contentType = 'x-www-form-urlencoded';
-        const body = {
-          xyzzy: { $ne: { x: 'y' } }
-        };
-        const { inputAnalysis } = core.protect;
-
-        inputAnalysis.handleParsedBody(sourceContext, body);
-        const options = { mongoContext: true, type: 'urlencoded' };
-        checkNosqlHandleBodyResults(sourceContext, al, body, options);
-      });
-    });
-
-    it('handleRequestEnd works as expected', function () {
-      const sourceContext = {
-        resultsMap: {
-          'path-traversal': [
-            {
-              ruleId: 'path-traversal',
-              inputType: 'HeaderValue',
-              path: [
-                'just-key'
-              ],
-              key: 'just-key',
-              value: 'powerful vector',
-              score: 90,
-              idsList: [
-                '10A-1 & 12'
-              ],
-              mappedId: 'path-traversal',
-              blocked: false,
-              exploitMetadata: []
-            },
-            {
-              ruleId: 'path-traversal',
-              inputType: 'HeaderValue',
-              path: [
-                'hello'
-              ],
-              key: 'hello',
-              value: ';echo put /etc/passwd | tftp host',
-              score: 10,
-              idsList: [
-                '10A-1 & 12'
-              ],
-              mappedId: 'path-traversal',
-              blocked: false,
-              exploitMetadata: []
-            },
-            {
-              ruleId: 'path-traversal',
-              inputType: 'HeaderKey',
-              path: [
-                'hello'
-              ],
-              key: 'hello',
-              value: ';echo put /etc/passwd | tftp host',
-              score: 10,
-              idsList: [
-                '10A-1 & 12'
-              ],
-              mappedId: 'path-traversal',
-              blocked: false,
-              exploitMetadata: []
-            },
-            {
-              ruleId: 'path-traversal',
-              inputType: 'ParameterValue',
-              path: [
-                'hello'
-              ],
-              key: 'hello',
-              value: ';echo put /etc/passwd | tftp host',
-              score: 10,
-              idsList: [
-                '10A-1 & 12'
-              ],
-              mappedId: 'path-traversal',
-              blocked: false,
-              exploitMetadata: []
-            },
-            {
-              ruleId: 'path-traversal',
-              inputType: 'CookieValue',
-              path: [
-                'hello'
-              ],
-              key: 'hello',
-              value: ';echo put /etc/passwd | tftp host',
-              score: 10,
-              idsList: [
-                '10A-1 & 12'
-              ],
-              mappedId: 'path-traversal',
-              blocked: false,
-              exploitMetadata: []
-            }
-          ],
-          'sql-injection': [
-            {
-              ruleId: 'sql-injection',
-              inputType: 'HeaderValue',
-              path: [
-                'hello'
-              ],
-              key: 'hello',
-              value: ';echo put /etc/passwd | tftp host',
-              score: 10,
-              idsList: [],
-              mappedId: 'sql-injection',
-              blocked: false,
-              exploitMetadata: []
-            },
-            {
-              ruleId: 'sql-injection',
-              inputType: 'HeaderValue',
-              path: [
-                'postman-token'
-              ],
-              key: 'postman-token',
-              value: '8f0ee1c6-81e1-4a2e-93fe-1337907ccc6f',
-              score: 10,
-              idsList: [],
-              mappedId: 'sql-injection',
-              blocked: false,
-              exploitMetadata: []
-            },
-            {
-              ruleId: 'sql-injection',
-              inputType: 'CookieValue',
-              path: [
-                'hello'
-              ],
-              key: 'hello',
-              value: ';echo put /etc/passwd | tftp host',
-              score: 10,
-              idsList: [
-                '10A-1 & 12'
-              ],
-              mappedId: 'path-traversal',
-              blocked: false,
-              exploitMetadata: []
-            }
-          ],
-          'cmd-injection': [
-            {
-              ruleId: 'cmd-injection',
-              inputType: 'CookieValue',
-              path: [
-                'hello'
-              ],
-              key: 'hello',
-              value: 'test&whoami',
-              score: 10,
-              idsList: [
-                '10A-1 & 12'
-              ],
-              mappedId: 'cmd-injection',
-              blocked: false,
-              exploitMetadata: []
-            }
-          ],
-        },
-        policy: {
-          rulesMask: 511,
-          [Rule.PATH_TRAVERSAL]: ProtectRuleMode.MONITOR,
-          [Rule.SQL_INJECTION]: ProtectRuleMode.MONITOR,
-          [Rule.CMD_INJECTION]: ProtectRuleMode.BLOCK
-        }
-      };
-
-      core.protect.inputAnalysis.handleRequestEnd(sourceContext, connectInputs);
-
-      expect(sourceContext.resultsMap[Rule.PATH_TRAVERSAL]).to.eql([
-        {
-          ruleId: 'path-traversal',
-          inputType: 'HeaderValue',
-          path: [
-            'just-key'
-          ],
-          key: 'just-key',
-          value: 'powerful vector',
-          score: 90,
-          idsList: [
-            '10A-1 & 12'
-          ],
-          mappedId: 'path-traversal',
-          blocked: false,
-          exploitMetadata: []
-        },
-        {
-          ruleId: 'path-traversal',
-          inputType: 'HeaderValue',
-          path: [
-            'hello'
-          ],
-          key: 'hello',
-          value: ';echo put /etc/passwd | tftp host',
-          score: 10,
-          idsList: [
-            '10A-1 & 12'
-          ],
-          mappedId: 'path-traversal',
-          blocked: false,
-          exploitMetadata: []
-        },
-        {
-          ruleId: 'path-traversal',
-          inputType: 'HeaderKey',
-          path: [
-            'hello'
-          ],
-          key: 'hello',
-          value: ';echo put /etc/passwd | tftp host',
-          score: 10,
-          idsList: [
-            '10A-1 & 12'
-          ],
-          mappedId: 'path-traversal',
-          blocked: false,
-          exploitMetadata: []
-        },
-        {
-          ruleId: 'path-traversal',
-          inputType: 'ParameterValue',
-          path: [
-            'hello'
-          ],
-          key: 'hello',
-          value: ';echo put /etc/passwd | tftp host',
-          score: 10,
-          idsList: [
-            '10A-1 & 12'
-          ],
-          mappedId: 'path-traversal',
-          blocked: false,
-          exploitMetadata: []
-        },
-        {
-          ruleId: 'path-traversal',
-          inputType: 'CookieValue',
-          path: [
-            'hello'
-          ],
-          key: 'hello',
-          value: ';echo put /etc/passwd | tftp host',
-          score: 10,
-          idsList: [
-            '10A-1 & 12'
-          ],
-          mappedId: 'path-traversal',
-          blocked: false,
-          exploitMetadata: []
-        },
-        {
-          ruleId: 'path-traversal',
-          inputType: 'ParameterValue',
-          path: [
-            'hello'
-          ],
-          key: 'hello',
-          value: ';echo put /etc/passwd | tftp host',
-          score: 90,
-          idsList: [
-            '10A-1-0',
-            '3000-12'
-          ],
-          mappedId: 'path-traversal',
-          blocked: false,
-          exploitMetadata: []
-        },
-        {
-          ruleId: 'path-traversal',
-          inputType: 'HeaderValue',
-          path: [
-            'hello'
-          ],
-          key: 'hello',
-          value: ';echo put /etc/passwd | tftp host',
-          score: 90,
-          idsList: [
-            '10A-1-0',
-            '3000-12'
-          ],
-          mappedId: 'path-traversal',
-          blocked: false,
-          exploitMetadata: []
-        },
-        {
-          ruleId: 'path-traversal',
-          inputType: 'CookieValue',
-          path: [
-            'hello'
-          ],
-          key: 'hello',
-          value: ';echo put /etc/passwd | tftp host',
-          score: 90,
-          idsList: [
-            '10A-1-0',
-            '3000-12'
-          ],
-          mappedId: 'path-traversal',
-          blocked: false,
-          exploitMetadata: []
-        },
-        {
-          ruleId: 'path-traversal',
-          inputType: 'HeaderKey',
-          path: [
-            'hello'
-          ],
-          key: 'hello',
-          value: ';echo put /etc/passwd | tftp host',
-          score: 90,
-          idsList: [
-            '10A-1-0',
-            '3000-12'
-          ],
-          mappedId: 'path-traversal',
-          blocked: false,
-          exploitMetadata: []
-        }
-      ]);
-    });
-  });
-});
-
-function checkNosqlHandleBodyResults(sourceContext, agentLib, body, opts = {}) {
-  let keyType = 'JsonKey';
-  let bodyType = 'json';
-  if (opts.type === 'urlencoded') {
-    keyType = 'ParameterKey';
-    bodyType = 'urlencoded';
-  }
-  let obj = body;
-  const path = [];
-  let next = Object.keys(body)[0];
-  while (next !== '$ne' && next !== '$finalize') {
-    path.push(next);
-    obj = obj[next];
-    next = Object.keys(obj)[0];
-  }
-  const inputToCheck = obj[next];
-
-  expect(sourceContext.trackRequest).to.be.true;
-  expect(sourceContext.securityException).to.be.undefined;
-  expect(sourceContext.bodyType).to.equal(bodyType);
-  expect(sourceContext.resultsMap).an('object').keys('nosql-injection-mongo');
-
-  const nosql = sourceContext.resultsMap['nosql-injection-mongo'];
-  expect(nosql).an('array').length(1);
-  expect(nosql[0].ruleId).to.equal('nosql-injection-mongo');
-  expect(nosql[0].inputType).to.equal(keyType);
-  expect(nosql[0].path).an('array').to.deep.equal(path);
-  expect(nosql[0].value).to.equal('$ne');
-  expect(nosql[0].score).to.equal(10);
-  expect(nosql[0].mappedId).to.equal('nosql-injection');
-  expect(nosql[0].blocked).to.be.false;
-  expect(nosql[0].exploitMetadata).to.deep.equal([]);
-
-  if (opts.mongoContext) {
-    expect(nosql[0].mongoContext).an('object').keys('inputToCheck').to.deep.equal({ inputToCheck });
-  }
-}