@contrast/protect 1.54.0 → 1.54.1

package/lib/make-source-context.test.js

@@ -1,219 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { Rule, Event } = require('@contrast/common');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-
-/* eslint-disable newline-per-chained-call */
-
-describe('protect make-source-context', function () {
-  let core;
-
-  beforeEach(function () {
-    ({ core } = initProtectFixture());
-    core.config.protect.rules = makeProtectRulesConfig('monitor');
-  });
-
-  describe('makeSourceContext() for policy', function () {
-    it('builds policy with rulesMask and modes', function () {
-      require('../../protect')(core);
-
-      const [req, res] = makeReqRes({}, {});
-      const sc = core.protect.makeSourceContext(req, res);
-
-      expect(sc.block).to.be.a('function');
-      expect(sc.policy).to.deep.equal({
-        rulesMask: 511,
-        exclusions: {
-          ignoreQuerystring: false,
-          querystringPolicy: null,
-          ignoreBody: false,
-          bodyPolicy: null,
-          header: [],
-          cookie: [],
-          parameter: [],
-        },
-        ...Object.values(Rule).reduce((acc, ruleId) => ({ ...acc, [ruleId]: 'monitor' }), {}),
-      });
-      expect(sc.exclusions).to.deep.equal([]);
-      expect(sc.virtualPatchesEvaluators).to.deep.equal([]);
-      expect(sc.trackRequest).to.equal(false);
-      expect(sc.securityException).to.be.undefined;
-      expect(sc.bodyType).to.be.undefined;
-      expect(sc.resultsMap).to.eql(Object.create(null));
-    });
-  });
-
-  describe('makeSourceContext() for req, res', function () {
-    const ruleId = 'reflected-xss';
-    const expectedMode = 'monitor';
-    const expectedRulesMask = 4;
-
-    const tests = [
-      { desc: 'works with unmodified req', req: {}, res: {} },
-      { desc: 'handles an uppercase header name', req: { rawHeaders: ['Accept', '*'] }, res: {} },
-      { desc: 'does not modify a header value', req: { rawHeaders: ['Accept', 'TEXT/HTmL'] }, res: {} },
-      { desc: 'handles an empty url', req: { url: '' }, res: {} },
-      { desc: 'handles search params', req: { url: '/mimsy?borogroves' }, res: {} },
-      { desc: 'handles only search params', req: { url: '?alice' }, res: {} },
-      { desc: 'detects multipart content-type', req: { rawHeaders: ['Content-type', 'multipart/x-www-form-urlencoded'] }, res: {} },
-      { desc: 'blocks when headers not sent', req: {}, res: { writeHead: sinon.stub(), end: sinon.stub() } },
-      { desc: 'blocks when headers sent', req: {}, res: { writeHead: sinon.stub(), end: sinon.stub(), headersSent: true } },
-    ];
-
-    tests.forEach((t) => {
-      it(t.desc, function () {
-        core.config.protect.rules = makeProtectRulesConfig('off');
-        core.config.protect.rules['reflected-xss'] = { mode: 'monitor' };
-
-        require('../../protect')(core);
-
-        const [req, res] = makeReqRes(t.req, t.res);
-
-        // default to setting headers but not including a content-type
-        let contentType = '';
-        if (!t.req.rawHeaders) {
-          // the test doesn't set the headers so they are the default
-          contentType = 'application/x-www-form-urlencoded';
-        } else if (t.req.rawHeaders[t.req.rawHeaders.length - 1].startsWith('multipart')) {
-          // the test does set the content-type header (inferred)
-          contentType = t.req.rawHeaders[t.req.rawHeaders.length - 1];
-        }
-        const headers = req.rawHeaders.map((h, ix) => ix & 1 ? h : h.toLowerCase());
-
-        // this is what is really being tested.
-        const sc = core.protect.makeSourceContext(req, res);
-
-
-        const expectedReqData = {
-          method: 'get',
-          headers,
-          uriPath: '/',
-          queries: '',
-          httpVersion: '1',
-          ip: '127.1.1.0',
-          contentType,
-        };
-        if (t.req.rawHeaders) {
-          expectedReqData.headers = t.req.rawHeaders.map((h, i) => {
-            if (i & 1 && h.startsWith('multipart')) {
-              expectedReqData.contentType = h;
-            }
-            return i & 1 ? h : h.toLowerCase();
-          });
-        }
-        if (t.req.url !== undefined) {
-          expectedReqData.uriPath = t.req.url;
-          expectedReqData.queries = '';
-          const ix = t.req.url.indexOf('?');
-          if (ix >= 0) {
-            expectedReqData.uriPath = t.req.url.slice(0, ix);
-            expectedReqData.queries = t.req.url.slice(ix + 1);
-          }
-        }
-
-        // check that req and res make the expected abstract request
-        expect(sc).property('reqData').to.deep.equal(expectedReqData);
-
-        // if a block test, does it work as expected?
-        if (t.res.writeHead) {
-          sc.block('mode', 'reflected-xss');
-          if (!t.res.headersSent) {
-            expect(t.res.writeHead.callCount).to.equal(1);
-          } else {
-            expect(t.res.writeHead.callCount).to.equal(0);
-          }
-          expect(t.res.end.callCount).to.equal(1);
-        }
-
-        // check constant items
-        expect(sc.block).to.be.a('function');
-        expect(sc.policy.rulesMask).to.equal(expectedRulesMask);
-        expect(sc.policy[ruleId]).to.equal(expectedMode);
-        expect(sc.exclusions).to.deep.equal([]);
-        expect(sc.virtualPatchesEvaluators).to.deep.equal([]);
-
-        expect(sc.trackRequest).to.equal(false);
-        expect(sc.securityException).to.be.undefined;
-        expect(sc.bodyType).to.be.undefined;
-        expect(sc.resultsMap).to.eql(Object.create(null));
-      });
-    });
-  });
-
-  describe('handles a case where the returned policy is null so the request is allowed', function () {
-    beforeEach(function () {
-      require('../../protect')(core);
-      const exclusionDtm = {
-        urls: [
-          '.*'
-        ],
-        matchStrategy: 'ONLY',
-        protect_rules: [],
-        modes: [
-          'defend'
-        ],
-        name: 'UrlExclusionAllRules'
-      };
-
-      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-        exclusions: {
-          input: [],
-          url: [exclusionDtm]
-        }
-      });
-    });
-
-    it('returns an sourceContext with only allowed property set to true', function () {
-      const sc = core.protect.makeSourceContext(...makeReqRes());
-
-      expect(sc).to.deep.equal({ allowed: true });
-    });
-  });
-});
-
-//
-// make a req and res pair
-//
-function makeReqRes(req = {}, res = {}) {
-  const defaultReq = {
-    method: 'get',
-    url: '/',
-    httpVersion: '1',
-    socket: {
-      remoteAddress: '127.1.1.0'
-    },
-    rawHeaders: getRawHeaders(),
-  };
-
-  const defaultRes = {
-    headersSent: false,
-    writeHead() { },
-    end() { },
-  };
-
-  return [
-    Object.assign({}, defaultReq, req),
-    Object.assign({}, defaultRes, res),
-  ];
-}
-
-function getRawHeaders() {
-  return [
-    'accept', 'text/html',
-    'accept-encoding', 'gzip, deflate, br',
-    'user-agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.',
-    'content-type', 'application/x-www-form-urlencoded'
-  ];
-}
-
-//
-// create the config for protect's rules
-//
-function makeProtectRulesConfig(mode = 'monitor') {
-  return Object.values(Rule).reduce((acc, ruleId) => ({
-    ...acc,
-    [ruleId]: { mode }
-  }), { disabled_rules: [] });
-}

package/lib/policy.test.js

@@ -1,446 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const {
-  ConfigSource: { ENVIRONMENT_VARIABLE }, ConfigSource
-} = require('@contrast/config');
-const { Rule, Event } = require('@contrast/common');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-const mocks = require('@contrast/test/mocks');
-const exclusionSettingsMessage = require('@contrast/test/data/server-settings/exclusions.json');
-const policyFactory = require('./policy');
-
-describe('protect policy', function () {
-  let core;
-
-  beforeEach(function () {
-    [
-      ['cmd-injection', 'block'],
-      ['path-traversal', 'off'],
-      ['reflected-xss', 'block_at_perimeter'],
-      ['sql-injection', 'monitor'],
-    ].forEach(([ruleId, mode]) => {
-      process.env[`CONTRAST__PROTECT__RULES__${ruleId.toUpperCase().replace('-', '_')}__MODE`] = mode;
-    });
-
-    ({ core } = initProtectFixture());
-    [
-      ['cmd-injection', 'block'],
-      ['path-traversal', 'off'],
-      ['reflected-xss', 'block_at_perimeter'],
-      ['sql-injection', 'monitor'],
-    ].forEach(([ruleId, mode]) => {
-      const name = `protect.rules.${ruleId.replace('-', '_')}.mode`;
-      core.config.setValue(name, mode, ENVIRONMENT_VARIABLE);
-    });
-
-    core.protect = mocks.protect();
-  });
-
-  describe('initialzation and updates', function () {
-    beforeEach(function () {
-      core.config.protect.rules.disabled_rules = ['sql-injection'];
-      [
-        ['cmd-injection', 'block'],
-        ['path-traversal', 'off'],
-        ['reflected-xss', 'block_at_perimeter'],
-        ['sql-injection', 'monitor'],
-      ].forEach(([ruleId, mode]) => {
-        core.config.setValue(`protect.rules.${ruleId}.mode`, mode, ENVIRONMENT_VARIABLE);
-      });
-
-      policyFactory(core);
-    });
-
-    it('initializes policy from configuration', function () {
-      const policy = core.protect.getPolicy();
-
-      expect(policy).to.deep.include({
-        rulesMask: 20,
-        'bot-blocker': 'off',
-        'cmd-injection': 'block',
-        'cmd-injection-command-backdoors': 'off',
-        'cmd-injection-semantic-chained-commands': 'off',
-        'cmd-injection-semantic-dangerous-paths': 'off',
-        'ip-denylist': 'off',
-        'method-tampering': 'off',
-        'nosql-injection': 'off',
-        'nosql-injection-mongo': 'off',
-        'path-traversal': 'off',
-        'path-traversal-semantic-file-security-bypass': 'off',
-        'reflected-xss': 'block_at_perimeter',
-        'sql-injection': 'off',
-        'ssjs-injection': 'off',
-        'ssrf': 'off',
-        'unsafe-code-execution': 'off',
-        'unsafe-file-upload': 'off',
-        'untrusted-deserialization': 'off',
-        'unvalidated-redirect': 'off',
-        'virtual-patch': 'off',
-        'xxe': 'off',
-        exclusions: {
-          bodyPolicy: null,
-          cookie: [],
-          header: [],
-          ignoreBody: false,
-          ignoreQuerystring: false,
-          parameter: [],
-          querystringPolicy: null,
-        }
-      });
-    });
-
-    it('updates policy from app settings and server features', function () {
-      let policy = core.protect.getPolicy();
-
-      expect(policy).to.deep.include({
-        rulesMask: 20,
-        'bot-blocker': 'off',
-        'cmd-injection': 'block',
-        'cmd-injection-command-backdoors': 'off',
-        'cmd-injection-semantic-chained-commands': 'off',
-        'cmd-injection-semantic-dangerous-paths': 'off',
-        'ip-denylist': 'off',
-        'method-tampering': 'off',
-        'nosql-injection': 'off',
-        'nosql-injection-mongo': 'off',
-        'path-traversal': 'off',
-        'path-traversal-semantic-file-security-bypass': 'off',
-        'reflected-xss': 'block_at_perimeter',
-        'sql-injection': 'off',
-        'ssjs-injection': 'off',
-        'ssrf': 'off',
-        'unsafe-code-execution': 'off',
-        'unsafe-file-upload': 'off',
-        'untrusted-deserialization': 'off',
-        'unvalidated-redirect': 'off',
-        'virtual-patch': 'off',
-        'xxe': 'off',
-        exclusions: {
-          bodyPolicy: null,
-          cookie: [],
-          header: [],
-          ignoreBody: false,
-          ignoreQuerystring: false,
-          parameter: [],
-          querystringPolicy: null,
-        }
-      });
-
-      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-        protect: {
-          rules: {
-            'cmd-injection': { mode: 'MONITOR' },
-            'method-tampering': { mode: 'BLOCK_AT_PERIMETER' },
-            'nosql-injection': { mode: 'MONITOR' },
-            'ssjs-injection': { mode: 'BLOCK' },
-          }
-        }
-      });
-
-      policy = core.protect.getPolicy();
-
-      expect(policy).to.deep.include({
-        rulesMask: 436,
-        'bot-blocker': 'off',
-        'cmd-injection': 'block',
-        'cmd-injection-command-backdoors': 'off',
-        'cmd-injection-semantic-chained-commands': 'off',
-        'cmd-injection-semantic-dangerous-paths': 'off',
-        'ip-denylist': 'off',
-        'method-tampering': 'block_at_perimeter',
-        'nosql-injection': 'monitor',
-        'nosql-injection-mongo': 'monitor',
-        'path-traversal': 'off',
-        'path-traversal-semantic-file-security-bypass': 'off',
-        'reflected-xss': 'block_at_perimeter',
-        'sql-injection': 'off',
-        'ssjs-injection': 'block',
-        'ssrf': 'off',
-        'unsafe-code-execution': 'off',
-        'unsafe-file-upload': 'off',
-        'untrusted-deserialization': 'off',
-        'unvalidated-redirect': 'off',
-        'virtual-patch': 'off',
-        'xxe': 'off',
-        exclusions: {
-          bodyPolicy: null,
-          cookie: [],
-          header: [],
-          ignoreBody: false,
-          ignoreQuerystring: false,
-          parameter: [],
-          querystringPolicy: null,
-        }
-      });
-
-      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-        protect: {
-          rules: {
-            bot_blocker: {
-              enable: true
-            }
-          }
-        }
-      });
-
-      policy = core.protect.getPolicy();
-
-      expect(policy).to.deep.include({
-        rulesMask: 500,
-        'bot-blocker': 'block_at_perimeter',
-        'cmd-injection': 'block',
-        'cmd-injection-command-backdoors': 'off',
-        'cmd-injection-semantic-chained-commands': 'off',
-        'cmd-injection-semantic-dangerous-paths': 'off',
-        'ip-denylist': 'off',
-        'method-tampering': 'block_at_perimeter',
-        'nosql-injection': 'monitor',
-        'nosql-injection-mongo': 'monitor',
-        'path-traversal': 'off',
-        'path-traversal-semantic-file-security-bypass': 'off',
-        'reflected-xss': 'block_at_perimeter',
-        'sql-injection': 'off',
-        'ssjs-injection': 'block',
-        'ssrf': 'off',
-        'unsafe-code-execution': 'off',
-        'unsafe-file-upload': 'off',
-        'untrusted-deserialization': 'off',
-        'unvalidated-redirect': 'off',
-        'virtual-patch': 'off',
-        'xxe': 'off',
-        exclusions: {
-          bodyPolicy: null,
-          cookie: [],
-          header: [],
-          ignoreBody: false,
-          ignoreQuerystring: false,
-          parameter: [],
-          querystringPolicy: null,
-        }
-      });
-    });
-
-    describe('special case: nosql-injection-mongo', function() {
-      it('nosql-injection-mongo will not get updated by nosql-injection settings if set in config', function () {
-        core.config.setValue(`protect.rules.${Rule.NOSQL_INJECTION_MONGO}.mode`, 'block', ConfigSource.USER_CONFIGURATION_FILE);
-        const getPolicy = policyFactory(core);
-        let policy = getPolicy();
-
-        expect(policy).to.deep.include({
-          'nosql-injection': 'off',
-          'nosql-injection-mongo': 'block',
-        });
-
-        core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-          protect: {
-            rules: {
-              'nosql-injection': { mode: 'MONITOR' },
-            }
-          }
-        });
-
-        policy = core.protect.getPolicy();
-        expect(policy).to.deep.include({
-          'nosql-injection': 'monitor',
-          'nosql-injection-mongo': 'block',
-        });
-      });
-
-      it('nosql-injection-mongo will inherit nosql-injection config if unset itself', function () {
-        core.config.setValue(`protect.rules.${Rule.NOSQL_INJECTION}.mode`, 'block', ConfigSource.USER_CONFIGURATION_FILE);
-        const getPolicy = policyFactory(core);
-        const policy = getPolicy();
-
-        expect(policy).to.deep.include({
-          'nosql-injection': 'block',
-          'nosql-injection-mongo': 'block',
-        });
-      });
-    });
-  });
-
-  describe('policy building accounts for UI-defined exclusions', function () {
-    beforeEach(function () {
-      core.config.protect.rules['path-traversal'].mode = 'monitor';
-      core.config.protect.rules['sql-injection'].mode = 'monitor';
-      core.config.protect.rules['cmd-injection'].mode = 'monitor';
-      core.config.protect.rules['reflected-xss'].mode = 'monitor';
-      core.config.protect.rules.disabled_rules = [];
-      policyFactory(core);
-      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, exclusionSettingsMessage);
-    });
-
-    const baseline = {
-      rulesMask: 30,
-      'bot-blocker': 'off',
-      'cmd-injection': 'monitor',
-      'cmd-injection-command-backdoors': 'off',
-      'cmd-injection-semantic-chained-commands': 'off',
-      'cmd-injection-semantic-dangerous-paths': 'off',
-      'ip-denylist': 'off',
-      'method-tampering': 'off',
-      'nosql-injection': 'off',
-      'nosql-injection-mongo': 'off',
-      'path-traversal': 'monitor',
-      'path-traversal-semantic-file-security-bypass': 'off',
-      'reflected-xss': 'monitor',
-      'sql-injection': 'monitor',
-      'ssjs-injection': 'off',
-      'unsafe-code-execution': 'off',
-      'unsafe-file-upload': 'off',
-      'untrusted-deserialization': 'off',
-      'virtual-patch': 'off',
-      'xxe': 'off',
-      exclusions: {
-        ignoreQuerystring: false,
-        querystringPolicy: null,
-        ignoreBody: false,
-        bodyPolicy: null,
-        cookie: [],
-        header: [],
-        parameter: [{
-          policy: { 'sql-injection': 'off' }
-        }],
-      }
-    };
-
-    [
-      { uriPath: 'baseline', expectedPolicy: baseline },
-      { uriPath: '/url-exclusion-all-rules', expectedPolicy: null },
-      {
-        uriPath: '/url-exclusion-some-rules',
-        expectedPolicy: {
-          ...baseline,
-          rulesMask: 28,
-          'path-traversal': 'off',
-        }
-      },
-      {
-        uriPath: '/input-exclusion-some-rules',
-        expectedPolicy: {
-          ...baseline,
-          exclusions: {
-            parameter: [{
-              policy: {
-                'sql-injection': 'off',
-              }
-            }]
-          }
-        }
-      },
-      {
-        uriPath: '/input-exclusion-more-rules',
-        expectedPolicy: {
-          ...baseline,
-          exclusions: {
-            header: [{
-              policy: {
-                'cmd-injection': 'off',
-                'sql-injection': 'off',
-                'path-traversal': 'off',
-                'reflected-xss': 'off',
-              }
-            }],
-            parameter: [{
-              policy: { 'sql-injection': 'off' }
-            }, {
-              policy: {
-                'cmd-injection': 'off',
-                'sql-injection': 'off',
-                'path-traversal': 'off',
-              }
-            }]
-          }
-        }
-      },
-      {
-        uriPath: '/input-exclusion-body-some-rules',
-        expectedPolicy: {
-          ...baseline,
-          exclusions: {
-            bodyPolicy: {
-              'cmd-injection': 'off',
-              'sql-injection': 'off',
-              'path-traversal': 'off',
-              'reflected-xss': 'off',
-            }
-          }
-        }
-      },
-      {
-        uriPath: '/input-exclusion-body-all-rules',
-        expectedPolicy: {
-          ...baseline,
-          exclusions: {
-            ignoreBody: true
-          }
-        }
-      },
-      {
-        uriPath: '/input-exclusion-querystring-some-rules',
-        expectedPolicy: {
-          ...baseline,
-          exclusions: {
-            querystringPolicy: {
-              'nosql-injection-mongo': 'off',
-              'sql-injection': 'off',
-              'path-traversal': 'off',
-              'reflected-xss': 'off',
-            }
-          }
-        }
-      },
-      {
-        uriPath: '/input-exclusion-querystring-all-rules',
-        expectedPolicy: {
-          ...baseline,
-          exclusions: {
-            ignoreQuerystring: true
-          }
-        },
-      },
-      {
-        uriPath: '/input-exclusion-cookie-all-rules',
-        expectedPolicy: {
-          ...baseline,
-          exclusions: {
-            cookie: [{
-              name: '.*',
-            }],
-          }
-        }
-      }
-    ].forEach(({ uriPath, expectedPolicy }) => {
-      it(`builds exclusions correctly for uriPath=${uriPath}`, function () {
-        expect(core.protect.getPolicy({ uriPath })).to.be.like(expectedPolicy);
-
-      });
-    });
-  });
-
-  describe('handles errors during exclusion compilation', function () {
-    it('catches the error and logs a message for it', function () {
-      const exclusionDtm = {
-        urls: [
-          '.*******'
-        ],
-        matchStrategy: 'ONLY',
-        protect_rules: [],
-        modes: [
-          'defend'
-        ],
-        name: 'UrlExclusionAllRules'
-      };
-
-      core.messages.emit(Event.SERVER_SETTINGS_UPDATE, {
-        exclusions: {
-          input: [],
-          url: [exclusionDtm]
-        }
-      });
-      expect(core.logger.error).to.have.been.calledOnceWithExactly({ err: sinon.match.any, exclusionDtm }, 'failed to process exclusion');
-    });
-  });
-});