@contrast/protect 1.54.0 → 1.54.1

package/lib/input-analysis/install/fastify.test.js

@@ -1,96 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const SecurityException = require('../../security-exception');
-const secEx = SecurityException.create();
-const fastifyInstr = require('./fastify');
-
-describe('protect input-analysis fastify v3.x', function () {
-  let core, inputAnalysis, fastify, serverMock, reqMock, resMock, doneMock;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    reqMock = {
-      query: { foo: 'bar' },
-      cookies: { foo: 'bar' },
-      params: { foo: 'bar' },
-      body: { foo: 'bar' },
-    };
-    resMock = {};
-    doneMock = sinon.stub();
-    serverMock = {
-      addHook: sinon.stub().yields(reqMock, resMock, doneMock),
-    };
-
-    const fastifyOrig = () => serverMock;
-    core.depHooks.resolve.callsFake(function (desc, cb) {
-      fastify = cb(fastifyOrig);
-    });
-
-    inputAnalysis = core.protect.inputAnalysis;
-    fastifyInstr(core).install();
-  });
-
-  describe('preValidationHook', function () {
-    it('adds hook and calls appropriate analysis handlers', function () {
-      core.scopes.sources.run({ protect: {} }, () => {
-        fastify();
-      });
-
-      expect(serverMock.addHook).to.have.been.called;
-      expect(doneMock).to.have.been.called;
-      expect(core.logger.debug).not.to.have.been.called;
-
-      expect(inputAnalysis.handleQueryParams).to.have.been.called;
-      expect(inputAnalysis.handleUrlParams).to.have.been.called;
-      expect(inputAnalysis.handleCookies).to.have.been.called;
-      expect(inputAnalysis.handleParsedBody).to.have.been.called;
-    });
-
-    it('input analysis does not occur if there is no protect source context', function () {
-      fastify();
-      expect(doneMock).to.have.been.called;
-
-      expect(inputAnalysis.handleQueryParams).not.to.have.been.called;
-      expect(inputAnalysis.handleUrlParams).not.to.have.been.called;
-      expect(inputAnalysis.handleCookies).not.to.have.been.called;
-      expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-    });
-
-    it('handles a case with SecurityException from the input-analysis', function () {
-      inputAnalysis.handleQueryParams.throws(secEx);
-      core.scopes.sources.run({ protect: {} }, () => {
-        fastify();
-      });
-
-      expect(doneMock).to.have.been.calledOnceWith(secEx);
-    });
-
-    it('handles a case with a normal error in the input analysis', function () {
-      const err = new Error('Input Analysis Error');
-
-      inputAnalysis.handleQueryParams.throws(err);
-      core.scopes.sources.run({ protect: {} }, () => {
-        fastify();
-      });
-
-      expect(core.logger.error).to.have.been.calledWith(
-        { err, funcKey: 'protect-input-analysis:fastify.build' },
-        'Unexpected error during input analysis'
-      );
-      expect(doneMock).to.have.been.calledOnce;
-      expect(doneMock).not.to.have.been.calledWith(err);
-    });
-  });
-});

package/lib/input-analysis/install/formidable1.test.js

@@ -1,114 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const formidableInstr = require('./formidable1');
-
-describe('protect input-analysis formidable v1.x', function () {
-  let core, inputAnalysis, parseMock, patchedParse, req, cbStub;
-
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    inputAnalysis = core.protect.inputAnalysis;
-    req = { fields: { parameter: 'parsed' }, files: { fileField: { name: 'some-file' } } };
-    parseMock = (req, cb) => {
-      if (typeof cb === 'function') {
-        cb(null, req.fields, req.files);
-      }
-    };
-    cbStub = sinon.stub();
-    sinon.spy(core.patcher, 'patch');
-
-    formidableInstr(core).install();
-    patchedParse = core.depHooks.resolve.yield({ IncomingForm: { prototype: { parse: parseMock } } })[0].IncomingForm.prototype.parse;
-    core.patcher.patch.resetHistory();
-  });
-
-  it('calls patcher on the `.parse` method', function () {
-    core.depHooks.resolve.yield({ IncomingForm: { prototype: { parse: parseMock } } });
-
-    expect(core.patcher.patch).to.have.been.calledOnce;
-    expect(core.patcher.patch).to.have.been.calledWithMatch(sinon.match.func, {
-      name: 'Formidable.IncomingForm.prototype.parse',
-      patchType: 'protect-input-analysis',
-      pre: sinon.match.func
-    });
-  });
-
-  it('calls `.handleParsedBody` and `handleFileUploadName` when parsing is successful and in right context', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      patchedParse(req, cbStub);
-    });
-
-    expect(cbStub).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledWithMatch({ parsedBody: req.fields }, req.fields);
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({ parsedBody: req.fields }, ['some-file']);
-  });
-
-
-  it('calls `handleFileUploadName` when parsing is successful with multiple files and in right context', function () {
-    req.files = { filesField: [{ name: 'some-file-1' }, { name: 'some-file-2' }] };
-    core.scopes.sources.run({ protect: {} }, () => {
-      patchedParse(req, cbStub);
-    });
-
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({ parsedBody: req.fields }, ['some-file-1', 'some-file-2']);
-  });
-
-  it('calls `.handleParsedBody` when parsing is successful and in right context, but there are no files', function () {
-    req.files = null;
-    core.scopes.sources.run({ protect: {} }, () => {
-      patchedParse(req, cbStub);
-    });
-
-    expect(cbStub).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledWithMatch({ parsedBody: req.fields }, req.fields);
-    expect(core.logger.debug).not.to.have.been.called;
-  });
-
-  it('does not call `.handleParsedBody` when not in context', function () {
-    core.scopes.sources.run({}, () => {
-      patchedParse(req, cbStub);
-    });
-
-    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-    expect(cbStub).to.have.been.calledOnce;
-  });
-
-  it('does not call `.handleParsedBody` when `formidable` there is a result, but only files are uploaded', function () {
-    req.fields = null;
-    core.scopes.sources.run({ protect: {} }, () => {
-      patchedParse(req, cbStub);
-    });
-
-    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({}, ['some-file']);
-    expect(cbStub).to.have.been.calledOnce;
-  });
-
-  it('does not call `.handleParsedBody` when `formidable` does not return a result', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      patchedParse({}, cbStub);
-    });
-
-    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-    expect(core.logger.debug).not.to.have.been.called;
-    expect(cbStub).to.have.been.calledOnce;
-  });
-});

package/lib/input-analysis/install/hapi.test.js

@@ -1,292 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const { create, isSecurityException } = require('../../security-exception');
-
-describe('protect input-analysis hapi', function () {
-  let core,
-    hapiSources,
-    store,
-    inputAnalysis;
-
-  const Hapi = { name: 'hapi' };
-  const HapiHapi = { name: '@hapi/hapi' };
-  const HapiPez = { name: '@hapi/pez' };
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.config = mocks.config();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    inputAnalysis = core.protect.inputAnalysis;
-    sinon.spy(core.patcher, 'patch');
-    store = {
-      protect: {
-        block: sinon.stub(),
-        securityException: ['block', 'cmd-injection']
-      }
-    };
-
-    Hapi.server = function hapi(server) {
-      return server;
-    };
-    HapiHapi.server = function hapiHapi(server) {
-      return server;
-    };
-    HapiPez.Dispenser = function () { };
-    HapiPez.Dispenser.prototype.emit = function () { };
-
-    core.depHooks.resolve.withArgs(sinon.match({ name: Hapi.name })).yields(Hapi);
-    core.depHooks.resolve.withArgs(sinon.match({ name: HapiHapi.name })).yields(HapiHapi);
-    core.depHooks.resolve.withArgs(sinon.match({ name: HapiPez.name })).yields(HapiPez);
-
-    hapiSources = require('./hapi')(core);
-    hapiSources.install();
-  });
-
-  [Hapi, HapiHapi].forEach((module) => {
-    it(`skip instrumentation if server is missing - ${module.name}`, function () {
-      const { server } = module;
-
-      core.scopes.sources.run(store, () => {
-        server();
-        expect(core.logger.error).to.have.been.calledWith(
-          { funcKey: 'protect-input-analysis:hapi.server' },
-          'Hapi Server is called but there is no server instance!'
-        );
-      });
-    });
-  });
-
-  [Hapi, HapiHapi].forEach((module) => {
-    it(`should log onPreStart hapi version - ${module.name}`, function () {
-      const { server } = module;
-      const serverInstance = {
-        ext: sinon.stub(),
-      };
-
-      serverInstance.ext.withArgs('onPreStart', sinon.match.func).callsFake((string, method) => {
-        method({ version: '4.0.0' });
-      });
-
-      core.scopes.sources.run(store, () => {
-        server(serverInstance);
-        expect(core.logger.debug).to.have.been.calledWith('hapi version %s', '4.0.0');
-      });
-    });
-  });
-
-  [Hapi, HapiHapi].forEach((module) => {
-    it(`should handle url params, state (cookies), payload/body, query - ${module.name}`, function () {
-      const { server } = module;
-      const serverInstance = {
-        ext: sinon.stub(),
-      };
-
-      const params = { userId: 1 };
-      const state = { auth: 'vasko jabata' };
-      const payload = { name: 'vasko jabata' };
-      const query = { name: 'vasko jabata' };
-
-      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
-        method({
-          params,
-          state,
-          payload,
-          query,
-        }, {
-          continue: () => { }
-        });
-      });
-
-      core.scopes.sources.run(store, () => {
-        server(serverInstance);
-
-        expect(store.protect.parsedParams).to.eql(params);
-        expect(store.protect.parsedCookies).to.eql(state);
-        expect(store.protect.parsedBody).to.eql(payload);
-        expect(store.protect.parsedQuery).to.eql(query);
-        expect(core.protect.inputAnalysis.handleUrlParams).to.have.been.calledWith(sinon.match.object, params);
-        expect(core.protect.inputAnalysis.handleCookies).to.have.been.calledWith(sinon.match.object, state);
-        expect(core.protect.inputAnalysis.handleParsedBody).to.have.been.calledWith(sinon.match.object, payload);
-        expect(core.protect.inputAnalysis.handleQueryParams).to.have.been.calledWith(sinon.match.object, query);
-      });
-    });
-  });
-
-  [Hapi, HapiHapi].forEach((module) => {
-    it(`error handling - ${module.name}`, function () {
-      const err = new Error('error');
-
-      const { server } = module;
-      const serverInstance = {
-        ext: sinon.stub(),
-      };
-
-      const params = { userId: 1 };
-
-      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
-        method({
-          params,
-        }, {
-          continue: () => { }
-        });
-      });
-
-      core.protect.inputAnalysis.handleUrlParams.callsFake(() => {
-        throw err;
-      });
-
-      core.scopes.sources.run(store, () => {
-        server(serverInstance);
-        expect(core.logger.error).to.have.been.calledWith(
-          { err, funcKey: 'protect-input-analysis:hapi.server' },
-          'Unexpected error during input analysis',
-        );
-      });
-    });
-
-    it(`should throw SecurityException - ${module.name}`, function () {
-      const error = create();
-
-      const { server } = module;
-      const serverInstance = {
-        ext: sinon.stub(),
-      };
-
-      const params = { userId: 1 };
-
-      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
-        method({
-          params,
-        }, {
-          continue: () => { }
-        });
-      });
-
-      core.protect.inputAnalysis.handleUrlParams.callsFake(() => {
-        throw error;
-      });
-
-      core.scopes.sources.run(store, () => {
-        try {
-          server(serverInstance);
-        } catch (error) {
-          expect(isSecurityException(error)).to.be.true;
-        }
-      });
-    });
-  });
-
-  [Hapi, HapiHapi].forEach((module) => {
-    it(`empty request - ${module.name}`, function () {
-      const { server } = module;
-      const serverInstance = {
-        ext: sinon.stub(),
-      };
-
-      const continueFunction = () => ({});
-      let result;
-      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
-        result = method({}, {
-          continue: continueFunction
-        });
-      });
-
-      core.scopes.sources.run(store, () => {
-        server(serverInstance);
-        expect(result).to.eql(continueFunction);
-      });
-    });
-
-    it(`empty sourceContext - ${module.name}`, function () {
-      const { server } = module;
-      const serverInstance = {
-        ext: sinon.stub(),
-      };
-
-      const continueFunction = () => ({});
-      let result;
-      serverInstance.ext.withArgs('onPreHandler', sinon.match.func).callsFake((string, method) => {
-        result = method({}, {
-          continue: continueFunction
-        });
-      });
-
-      core.scopes.sources.run({}, () => {
-        server(serverInstance);
-        expect(result).to.eql(continueFunction);
-      });
-    });
-  });
-
-  describe('hapi/pez', function () {
-    it('works', function () {
-      HapiPez.Dispenser.prototype.emit();
-    });
-    it('calls patcher on the `.emit` method', function () {
-
-      expect(core.patcher.patch).to.have.callCount(3);
-      expect(core.patcher.patch).to.have.been.calledWithMatch(Hapi, 'server', {
-        name: 'hapi.server',
-        patchType: 'protect-input-analysis',
-        post: sinon.match.func
-      });
-      expect(core.patcher.patch).to.have.been.calledWithMatch(HapiHapi, 'server', {
-        name: 'hapi.server',
-        patchType: 'protect-input-analysis',
-        post: sinon.match.func
-      });
-      expect(core.patcher.patch).to.have.been.calledWithMatch(HapiPez.Dispenser.prototype, 'emit', {
-        name: 'Pez.Dispenser.prototype.emit',
-        patchType: 'protect-input-analysis',
-        pre: sinon.match.func
-      });
-    });
-
-    it('calls `.handleFileUploadName` when there is a multipart file and it is in right context', function () {
-      core.scopes.sources.run({ protect: {} }, () => {
-        HapiPez.Dispenser.prototype.emit('part', { filename: 'filename' });
-      });
-
-      expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
-      expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({}, ['filename']);
-    });
-
-
-    it('does not call `.handleFileUploadName` when not in context', function () {
-      core.scopes.sources.run({}, () => {
-        HapiPez.Dispenser.prototype.emit('part', { filename: 'filename' });
-      });
-
-      expect(inputAnalysis.handleFileUploadName).not.to.have.been.called;
-    });
-
-    it('does not call `.handleFileUploadName` when `.emit` is not called with `part` event', function () {
-      core.scopes.sources.run({ protect: {} }, () => {
-        HapiPez.Dispenser.prototype.emit('not-part', { filename: 'filename' });
-      });
-
-      expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-      expect(core.logger.debug).not.to.have.been.called;
-    });
-
-    it('does not call `.handleFileUploadName` when `.emit` call does not contain a filename', function () {
-      core.scopes.sources.run({ protect: {} }, () => {
-        HapiPez.Dispenser.prototype.emit('part', { filename: null });
-      });
-
-      expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-      expect(core.logger.debug).not.to.have.been.called;
-    });
-  });
-});