@contrast/protect 1.54.0 → 1.54.2

package/lib/input-tracing/index.test.js

@@ -1,62 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const proxyquire = require('proxyquire');
-
-const MODULES = [
-  'childProcess',
-  'eval',
-  'fs',
-  'function',
-  'http',
-  'http2',
-  'marsdb',
-  'mongodb',
-  'mssql',
-  'mysql',
-  'postgres',
-  'sequelize',
-  'spdy',
-  'sqlite3',
-  'vm',
-];
-
-describe('protect input-tracing', function () {
-  let core, inputTracing;
-
-  beforeEach(function () {
-    core = {};
-    core.protect = {};
-
-    const hooksMock = (hookProp) => (core) => {
-      core.protect.inputTracing[hookProp] = { install: sinon.stub() };
-    };
-
-    inputTracing = proxyquire('.', {
-      './install/child-process': hooksMock('childProcess'),
-      './install/eval': hooksMock('eval'),
-      './install/fs': hooksMock('fs'),
-      './install/function': hooksMock('function'),
-      './install/http': hooksMock('http'),
-      './install/http2': hooksMock('http2'),
-      './install/marsdb': hooksMock('marsdb'),
-      './install/mongodb': hooksMock('mongodb'),
-      './install/mssql': hooksMock('mssql'),
-      './install/mysql': hooksMock('mysql'),
-      './install/postgres': hooksMock('postgres'),
-      './install/sequelize': hooksMock('sequelize'),
-      './install/spdy': hooksMock('spdy'),
-      './install/sqlite3': hooksMock('sqlite3'),
-      './install/vm': hooksMock('vm'),
-    })(core);
-  });
-
-  it('calls the install() method of the required hooks', function () {
-    inputTracing.install();
-
-    MODULES.forEach((module) => {
-      expect(inputTracing[module].install).to.have.been.called;
-    });
-  });
-});

package/lib/input-tracing/install/child-process.test.js

@@ -1,133 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks/');
-
-describe('protect input-tracing child-process', function () {
-  const cpInstr = require('./child-process');
-  const store = { protect: {} };
-  let cp, origCp, core;
-
-  beforeEach(function () {
-    origCp = {
-      exec: sinon.stub(),
-      execSync: sinon.stub()
-    };
-    cp = {
-      exec: origCp.exec,
-      execSync: origCp.execSync
-    };
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.depHooks.resolve.yields(cp);
-    core.scopes = mocks.scopes();
-    core.scopes.sources = {
-      getStore: sinon.stub().returns(store)
-    };
-    core.patcher = patcher(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-
-    cpInstr(core);
-
-    core.protect.inputTracing.cpInstrumentation.install();
-  });
-
-  describe('handleCommandInjection() is called with expected values', function () {
-    const methodArgs = ['foo', 'bar'];
-
-    ['exec', 'execSync'].forEach((method) => {
-      const name = `child_process.${method}`;
-
-      it(`${name}`, function () {
-        cp[method](...methodArgs);
-
-        const value = methodArgs[0];
-
-        expect(core.protect.inputTracing.handleCommandInjection).to.have.been.calledWith(
-          store.protect,
-          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
-        );
-        expect(core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors).to.have.been.calledWith(
-          store.protect,
-          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
-        );
-        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands).to.have.been.calledWith(
-          store.protect,
-          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
-        );
-        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous).to.have.been.calledWith(
-          store.protect,
-          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
-        );
-        expect(core.protect.semanticAnalysis.handlePathTraversalFileSecurityBypass).to.have.been.calledWith(
-          store.protect,
-          { name, value, stacktraceOpts: { constructorOpt: cp[method], prependFrames: [sinon.match.func] } }
-        );
-      });
-    });
-  });
-
-  describe('handleCommandInjection() is not called when method args are not relevant', function () {
-    const methodArgs = [1, undefined];
-
-    ['exec', 'execSync'].forEach((method) => {
-      const name = `child_process.${method}`;
-
-      it(name, function () {
-        cp[method](...methodArgs);
-
-        expect(core.protect.inputTracing.handleCommandInjection).not.to.have.been.called;
-        expect(core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors).not.to.have.been.called;
-        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands).not.to.have.been.called;
-        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous).not.to.have.been.called;
-      });
-    });
-  });
-
-  describe('handleCommandInjection() is not called when instrumentation is locked', function () {
-    const methodArgs = ['foo', 'bar'];
-
-    beforeEach(function () {
-      core.scopes.instrumentation.isLocked.returns(true);
-    });
-
-    ['exec', 'execSync'].forEach((method) => {
-      const name = `child_process.${method}`;
-
-      it(name, function () {
-        cp[method](...methodArgs);
-
-        expect(core.protect.inputTracing.handleCommandInjection).not.to.have.been.called;
-        expect(core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors).not.to.have.been.called;
-        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands).not.to.have.been.called;
-        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous).not.to.have.been.called;
-      });
-    });
-  });
-
-  describe('handleCommandInjection() is not called when there is no Protect sourceContext', function () {
-    const methodArgs = ['foo', 'bar'];
-
-    beforeEach(function () {
-      core.scopes.sources.getStore.returns({ protect: null });
-    });
-
-    ['exec', 'execSync'].forEach((method) => {
-      const name = `child_process.${method}`;
-
-      it(name, function () {
-        cp[method](...methodArgs);
-
-        expect(core.protect.inputTracing.handleCommandInjection).not.to.have.been.called;
-        expect(core.protect.semanticAnalysis.handleCommandInjectionCommandBackdoors).not.to.have.been.called;
-        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticChainedCommands).not.to.have.been.called;
-        expect(core.protect.semanticAnalysis.handleCmdInjectionSemanticDangerous).not.to.have.been.called;
-      });
-    });
-  });
-});

package/lib/input-tracing/install/eval.test.js

@@ -1,78 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing eval', function () {
-  const evalInstr = require('./eval');
-  const store = { protect: {} };
-  let evalArg, core;
-
-  beforeEach(function () {
-    evalArg = 'function() { return "hi"; }';
-
-    if (!global.ContrastMethods) {
-      global.ContrastMethods = {};
-    }
-    global.ContrastMethods.eval = sinon.stub();
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.depHooks.resolve.yields(global.ContrastMethods.eval);
-    core.scopes = mocks.scopes();
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.patcher = patcher(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-
-    evalInstr(core);
-
-    core.protect.inputTracing.evalInstrumentation.install();
-  });
-
-  afterEach(function () {
-    Reflect.deleteProperty(global.ContrastMethods);
-  });
-
-  it('ssjsInjection() is called with expected values', function () {
-    global.ContrastMethods.eval(evalArg);
-
-    expect(core.protect.inputTracing.ssjsInjection).to.have.been.calledWith(
-      store.protect,
-      { name: 'eval', value: evalArg, stacktraceOpts: { constructorOpt: sinon.match.func, prependFrames: [sinon.match.func] } }
-    );
-  });
-
-  it('ssjsInjection() is not called when method args are not relevant', function () {
-    global.ContrastMethods.eval(1, evalArg);
-
-    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
-  });
-
-  it('ssjsInjection() is not called when instrumentation is locked', function () {
-    core.scopes.instrumentation.isLocked.returns(true);
-
-    global.ContrastMethods.eval(evalArg);
-
-    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
-  });
-
-  it('ssjsInjection() is not called when there is no Protect sourceContext', function () {
-    core.scopes.sources.getStore.returns({ protect: null });
-
-    global.ContrastMethods.eval(evalArg);
-
-    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
-  });
-
-  it('logs an error when there is no `global.ContrastMethods.eval` method', function () {
-    global.ContrastMethods.eval = null;
-
-    core.protect.inputTracing.evalInstrumentation.install();
-
-    expect(core.logger.error).to.have.been.calledOnceWith('Cannot install `eval` instrumentation - Contrast method DNE');
-  });
-});

package/lib/input-tracing/install/fs.test.js

@@ -1,108 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { FS_METHODS } = require('@contrast/common');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing fs', function () {
-  const store = { protect: {} };
-  let fs, fsPromises, core;
-
-  beforeEach(function () {
-    fs = {
-      promises: {}
-    };
-    fsPromises = {};
-
-    for (const { name, promises, sync } of FS_METHODS) {
-      fs[name] = sinon.stub();
-      if (sync) {
-        fs[`${name}Sync`] = sinon.stub();
-      }
-      if (promises) {
-        fsPromises[name] = sinon.stub();
-        fs.promises[name] = sinon.stub();
-      }
-    }
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.depHooks.resolve.withArgs(sinon.match({ name: 'fs' })).yields(fs);
-    core.depHooks.resolve.withArgs(sinon.match({ name: 'fs/promises' })).yields(fsPromises);
-    core.scopes = mocks.scopes();
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.patcher = patcher(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-
-    require('./fs')(core).install();
-  });
-
-  for (const { name, promises, sync, indices } of FS_METHODS) {
-    const methodsUnderTest = [{ name: `fs.${name}`, getFn: () => fs[name] }];
-    if (sync) {
-      methodsUnderTest.push({ name: `fs.${name}Sync`, getFn: () => fs[`${name}Sync`] });
-    }
-    if (promises) {
-      methodsUnderTest.push({ name: `fsPromises.${name}`, getFn: () => fsPromises[name] });
-      methodsUnderTest.push({ name: `fs.promises.${name}`, getFn: () => fs.promises[name] });
-    }
-
-    for (const { name, getFn } of methodsUnderTest) {
-      describe(name, function () {
-        it('handlePathTraversal() is called with expected values', function () {
-          const method = getFn();
-          const methodArgs = ['foo', 'bar'];
-          method(...methodArgs);
-
-          for (const idx of indices) {
-            const value = methodArgs[idx];
-
-            expect(core.protect.inputTracing.handlePathTraversal).to.have.been.calledWith(
-              store.protect,
-              {
-                name,
-                value,
-                stacktraceOpts: {
-                  constructorOpt: method,
-                  prependFrames: [sinon.match.func]
-                }
-              }
-            );
-          }
-        });
-
-        it('handlePathTraversal() is not called when method args are not relevant', function () {
-          const method = getFn();
-          const methodArgs = [1, undefined];
-          method(...methodArgs);
-
-          expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
-        });
-
-
-        it('handlePathTraversal() is not called when instrumentation is locked', function () {
-          const method = getFn();
-          const methodArgs = ['foo', 'bar'];
-          core.scopes.instrumentation.isLocked.returns(true);
-          method(...methodArgs);
-
-          expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
-        });
-
-
-        it('handlePathTraversal() is not called when there is no Protect sourceContext', function () {
-          const method = getFn();
-          const methodArgs = ['foo', 'bar'];
-          core.scopes.sources.getStore.returns({ protect: null });
-          method(...methodArgs);
-
-          expect(core.protect.inputTracing.handlePathTraversal).not.to.have.been.called;
-        });
-      });
-    }
-  }
-});

package/lib/input-tracing/install/function.test.js

@@ -1,81 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing function', function () {
-  const functionInstr = require('./function');
-  const store = { protect: {} };
-  let constructorArg, core;
-
-  beforeEach(function () {
-    constructorArg = 'return "hi";';
-
-    if (!global.ContrastMethods) {
-      global.ContrastMethods = {};
-    }
-    global.ContrastMethods.Function = sinon.stub();
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.depHooks.resolve.yields(global.ContrastMethods.Function);
-    core.scopes = mocks.scopes();
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.patcher = patcher(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-
-    functionInstr(core);
-
-    core.protect.inputTracing.functionInstrumentation.install();
-  });
-
-  afterEach(function () {
-    Reflect.deleteProperty(global.ContrastMethods);
-  });
-
-  it('ssjsInjection() is called with expected values', function () {
-    global.ContrastMethods.Function(constructorArg);
-
-    expect(core.protect.inputTracing.ssjsInjection).to.have.been.calledWith(
-      store.protect,
-      { name: 'Function', value: constructorArg, stacktraceOpts: { constructorOpt: sinon.match.func, prependFrames: [sinon.match.func] } }
-    );
-  });
-
-  it('ssjsInjection() is called only with the value for the function body', function () {
-    global.ContrastMethods.Function('a', 'return a');
-
-    expect(core.protect.inputTracing.ssjsInjection).to.have.been.calledOnceWithExactly(
-      store.protect,
-      { name: 'Function', value: 'return a', stacktraceOpts: { constructorOpt: sinon.match.func, prependFrames: [sinon.match.func] } }
-    );
-  });
-
-  it('ssjsInjection() is not called when instrumentation is locked', function () {
-    core.scopes.instrumentation.isLocked.returns(true);
-
-    global.ContrastMethods.Function(constructorArg);
-
-    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
-  });
-
-  it('ssjsInjection() is not called when there is no Protect sourceContext', function () {
-    core.scopes.sources.getStore.returns({ protect: null });
-
-    global.ContrastMethods.Function(constructorArg);
-
-    expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
-  });
-
-  it('logs an error when there is no `global.ContrastMethods.eval` method', function () {
-    global.ContrastMethods.Function = null;
-
-    core.protect.inputTracing.functionInstrumentation.install();
-
-    expect(core.logger.error).to.have.been.calledOnceWith('Cannot install `Function` instrumentation - Contrast method DNE');
-  });
-});

package/lib/input-tracing/install/http.test.js

@@ -1,85 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing http', function () {
-  let core, inputTracing;
-  const store = { protect: {} };
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    ({ protect: { inputTracing } } = core);
-
-  });
-
-  describe('http', function () {
-    let http;
-
-    beforeEach(function () {
-      http = function () { };
-      http.ServerResponse = function () { };
-      http.ServerResponse.prototype.end = sinon.stub();
-      http.ServerResponse.prototype.write = sinon.stub();
-      core.depHooks.resolve.yields(http);
-      require('./http')(core).install();
-    });
-
-    ['write', 'end'].forEach((method) => {
-      describe(`instruments ServerResponse.${method}()`, function () {
-        it('handleReflectedXss() is called with valid expected values', function () {
-          const serverResponse = new http.ServerResponse();
-          const value = '" onmouseover="alert(3)"';
-          serverResponse[method](value);
-
-          expect(inputTracing.handleReflectedXss).to.have.been.calledOnce;
-          expect(inputTracing.handleReflectedXss).to.have.been.calledWith(
-            {},
-            {
-              name: `http.ServerResponse.prototype.${method}`,
-              value,
-              stacktraceOpts: {
-                constructorOpt: serverResponse[method]
-              }
-            }
-          );
-        });
-
-        it('handleReflectedXss() is not called if instrumentation is locked', function () {
-          sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
-          const serverResponse = new http.ServerResponse();
-          const value = '" onmouseover="alert(3)"';
-          serverResponse[method](value);
-
-          expect(inputTracing.handleReflectedXss).not.to.have.been.called;
-        });
-
-        it('handleReflectedXss() is not called if there is no sourceContext', function () {
-          core.scopes.sources.getStore.returns({ protect: undefined });
-          const serverResponse = new http.ServerResponse();
-          const value = '" onmouseover="alert(3)"';
-          serverResponse[method](value);
-
-          expect(inputTracing.handleReflectedXss).not.to.have.been.called;
-        });
-
-        it('handleReflectedXss() is not called if there is no value', function () {
-          const serverResponse = new http.ServerResponse();
-          serverResponse[method]();
-
-          expect(inputTracing.handleReflectedXss).not.to.have.been.called;
-        });
-      });
-    });
-  });
-});

package/lib/input-tracing/install/http2.test.js

@@ -1,83 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing http2', function () {
-  let core, inputTracing;
-  const store = { protect: {} };
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    ({ protect: { inputTracing } } = core);
-  });
-
-  describe('http2', function () {
-    let http2;
-
-    beforeEach(function () {
-      http2 = function () { };
-      http2.Http2ServerResponse = function () { };
-      http2.Http2ServerResponse.prototype.end = sinon.stub();
-      http2.Http2ServerResponse.prototype.write = sinon.stub();
-      core.depHooks.resolve.yields(http2);
-      require('./http2')(core).install();
-    });
-
-    ['write', 'end'].forEach((method) => {
-      it('handleReflectedXss() is not called if there is no value', function () {
-        const serverResponse = new http2.Http2ServerResponse();
-        serverResponse[method]();
-
-        expect(inputTracing.handleReflectedXss).not.to.have.been.called;
-      });
-
-      it('handleReflectedXss() is not called if there is no sourceContext', function () {
-        core.scopes.sources.getStore.returns({ protect: undefined });
-        const serverResponse = new http2.Http2ServerResponse();
-        const value = "<script>alert('xss');</script>";
-        serverResponse[method](value);
-
-        expect(inputTracing.handleReflectedXss).not.to.have.been.called;
-      });
-
-      it('handleReflectedXss() is not called if instrumentation is locked', function () {
-        sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
-        const serverResponse = new http2.Http2ServerResponse();
-        const value = "<script>alert('xss');</script>";
-        serverResponse[method](value);
-
-        expect(inputTracing.handleReflectedXss).not.to.have.been.called;
-      });
-
-      describe(`instruments Http2ServerResponse.${method}()`, function () {
-        it('handleReflectedXss() is called with valid expected values', function () {
-          const serverResponse = new http2.Http2ServerResponse();
-          const value = "<script>alert('xss');</script>";
-          serverResponse[method](value);
-
-          expect(inputTracing.handleReflectedXss).to.have.been.calledOnceWith(
-            {},
-            {
-              name: `http2.Http2ServerResponse.prototype.${method}`,
-              value,
-              stacktraceOpts: {
-                constructorOpt: serverResponse[method]
-              }
-            }
-          );
-        });
-      });
-    });
-  });
-});