@contrast/protect 1.54.0 → 1.54.2

package/lib/input-tracing/install/postgres.test.js

@@ -1,117 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing postgres', function () {
-  const sourceContext = {};
-  const store = { protect: sourceContext };
-  const query = 'SELECT "foo"';
-
-  let core, inputTracing;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    ({ protect: { inputTracing } } = core);
-  });
-
-  describe('pg.Client.prototype.query', function () {
-    let Client;
-
-    beforeEach(function () {
-      Client = function () { };
-      Client.prototype.query = sinon.stub();
-      core.depHooks.resolve.withArgs(sinon.match({ name: 'pg' })).yields(Client);
-      require('./postgres')(core).install();
-    });
-
-    it('handleSqlInjection() is called with expected values', function () {
-      const conn = new Client();
-      conn.query(query);
-      conn.query({ text: query });
-
-      const sinkContext = { name: 'pg.Client.prototype.query', value: query };
-
-      expect(inputTracing.handleSqlInjection.callCount).to.equal(2);
-      [0, 1].forEach(callNum => {
-        expect(inputTracing.handleSqlInjection.getCall(callNum).calledWithExactly(store, sinkContext));
-      });
-    });
-
-    it('handleSqlInjection() is not called if there is no sourceContext', function () {
-      core.scopes.sources.getStore.returns({ protect: undefined });
-
-      const conn = new Client();
-      conn.query(query);
-      conn.query({ text: query });
-
-      expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-    });
-
-    it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
-      const conn = new Client();
-      conn.query('');
-      conn.query(100);
-      conn.query({ text: '' });
-      conn.query({ text: 100 });
-
-      expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-    });
-  });
-
-  describe('pg-pool.Pool.prototype.query', function () {
-    let Pool;
-
-    beforeEach(function () {
-      Pool = function () { };
-      Pool.prototype.query = sinon.stub();
-      core.depHooks.resolve.withArgs(sinon.match({ name: 'pg-pool' })).yields(Pool);
-
-      require('./postgres')(core).install();
-    });
-
-    it('handleSqlInjection() is called with expected values', function () {
-      const pool = new Pool();
-      pool.query(query);
-      pool.query({ text: query });
-
-      const sinkContext = { name: 'pg-pool.Pool.prototype.query', value: query };
-
-      expect(inputTracing.handleSqlInjection.callCount).to.equal(2);
-      [0, 1].forEach(callNum => {
-        expect(inputTracing.handleSqlInjection.getCall(callNum).calledWithExactly(store, sinkContext));
-      });
-    });
-
-    it('handleSqlInjection() is not called if there is no sourceContext', function () {
-      core.scopes.sources.getStore.returns({ protect: undefined });
-
-      const pool = new Pool();
-      const value = 'SELECT "foo"';
-      pool.query(value);
-      pool.query({ text: value });
-
-      expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-    });
-
-    it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
-      const pool = new Pool();
-      pool.query('');
-      pool.query(100);
-      pool.query({ text: '' });
-      pool.query({ text: 100 });
-
-      expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-    });
-  });
-});

package/lib/input-tracing/install/sequelize.test.js

@@ -1,78 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing sequelize', function () {
-  let core, inputTracing;
-  const store = { protect: {} };
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    ({ protect: { inputTracing } } = core);
-
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-  });
-
-  describe('sequelize', function () {
-    let sequelize;
-
-    beforeEach(function () {
-      sequelize = function () { };
-      sequelize.prototype.query = sinon.stub();
-      core.depHooks.resolve.yields(sequelize);
-      require('./sequelize')(core).install();
-    });
-
-    describe('instruments sequelize.query()', function () {
-      it('handleSqlInjection() is called with valid expected values', function () {
-        const conn = new sequelize();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-        conn.query({ query: value });
-
-        expect(inputTracing.handleSqlInjection).to.have.been.calledTwice;
-        expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
-          {},
-          { name: 'sequelize.prototype.query', value, stacktraceOpts: { constructorOpt: conn.query, prependFrames: [sinon.match.func] } }
-        );
-      });
-
-      it('handleSqlInjection() is not called if instrumentation is locked', function () {
-        sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
-        const conn = new sequelize();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-
-        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-      });
-
-      it('handleSqlInjection() is not called if there is no sourceContext', function () {
-        core.scopes.sources.getStore.returns({ protect: undefined });
-        const conn = new sequelize();
-        const value = 'SELECT "foo"';
-        conn.query(value);
-
-        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-      });
-
-      it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
-        const conn = new sequelize();
-        conn.query('');
-        conn.query(100);
-        conn.query({ query: '' });
-
-        expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-      });
-    });
-  });
-});

package/lib/input-tracing/install/spdy.test.js

@@ -1,76 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing spdy', function () {
-  let core, inputTracing;
-  const store = { protect: {} };
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    ({ protect: { inputTracing } } = core);
-  });
-
-  describe('spdy', function () {
-    let spdy;
-
-    beforeEach(function () {
-      spdy = function () {};
-      spdy.response = {};
-      spdy.response.end = sinon.stub();
-      spdy.response.spdyStream = { once: sinon.stub() };
-      core.depHooks.resolve.yields(spdy);
-      require('./spdy')(core).install();
-    });
-
-    it('handleReflectedXss() is not called if there is no value', function () {
-      spdy.response.end();
-
-      expect(inputTracing.handleReflectedXss).not.to.have.been.called;
-    });
-
-    it('handleReflectedXss() is not called if there is no sourceContext', function () {
-      core.scopes.sources.getStore.returns({ protect: undefined });
-      const value = "<script>alert('xss');</script>";
-      spdy.response.end(value);
-
-      expect(inputTracing.handleReflectedXss).not.to.have.been.called;
-    });
-
-    it('handleReflectedXss() is not called if instrumentation is locked', function () {
-      sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
-      const value = "<script>alert('xss');</script>";
-      spdy.response.end(value);
-
-      expect(inputTracing.handleReflectedXss).not.to.have.been.called;
-    });
-
-    it('handleReflectedXss() is called with valid expected values', function () {
-      const value = "<script>alert('xss');</script>";
-      spdy.response.end(value);
-
-      expect(inputTracing.handleReflectedXss).to.have.been.calledOnceWith(
-        {},
-        {
-          name: 'spdy.response.end',
-          value,
-          stacktraceOpts: {
-            constructorOpt: spdy.response.end
-          }
-        }
-      );
-    });
-
-  });
-});

package/lib/input-tracing/install/sqlite3.test.js

@@ -1,88 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing sqlite3', function () {
-  const store = { protect: {} };
-
-  let core, inputTracing;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    core.depHooks = mocks.depHooks();
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    ({ protect: { inputTracing } } = core);
-
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-  });
-
-  describe('sqlite3', function () {
-    let sqlite3;
-
-    beforeEach(function () {
-      sqlite3 = {
-        // eslint-disable-next-line object-shorthand
-        Database: function () { }
-      };
-      sqlite3.Database.prototype = {
-        all: sinon.stub(),
-        run: sinon.stub(),
-        get: sinon.stub(),
-        each: sinon.stub(),
-        exec: sinon.stub(),
-        prepare: sinon.stub()
-      };
-      core.depHooks.resolve.yields(sqlite3);
-      require('./sqlite3')(core).install();
-    });
-
-    ['all', 'run', 'get', 'each', 'exec', 'prepare'].forEach((method) => {
-      describe(`instruments connection.${method}()`, function () {
-        it('handleSqlInjection() is called with valid expected values', function () {
-          const db = new sqlite3.Database();
-          const value = 'SELECT "foo"';
-          db[method](value);
-
-          expect(inputTracing.handleSqlInjection).to.have.been.calledWith(
-            {},
-            { name: `sqlite3.Database.prototype.${method}`, value, stacktraceOpts: { constructorOpt: db[method], prependFrames: [sinon.match.func] } }
-          );
-        });
-
-        it('handleSqlInjection() is not called if instrumentation is locked', function () {
-          sinon.stub(core.scopes.instrumentation, 'isLocked').returns(true);
-          const db = new sqlite3.Database();
-          const value = 'SELECT "foo"';
-          db[method](value);
-
-          expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-        });
-
-        it('handleSqlInjection() is not called if there is no sourceContext', function () {
-          core.scopes.sources.getStore.returns({ protect: undefined });
-          const db = new sqlite3.Database();
-          const value = 'SELECT "foo"';
-          db[method](value);
-
-          expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-        });
-
-        it('handleSqlInjection() is not called if the sql value is empty or not a string', function () {
-          const db = new sqlite3.Database();
-          db[method]('');
-          db[method](100);
-
-          expect(inputTracing.handleSqlInjection).not.to.have.been.called;
-        });
-      });
-    });
-  });
-});

package/lib/input-tracing/install/vm.test.js

@@ -1,176 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect input-tracing vm', function () {
-  const store = { protect: {} };
-  let vm, origVm, core;
-
-  const testSetup = [
-    {
-      methods: ['Script', 'compileFunction', 'runInContext', 'runInNewContext', 'runInThisContext'],
-      vulnerableArgs: [{ type: 'string', index: 0 }],
-    },
-    {
-      methods: ['runInContext', 'runInNewContext'],
-      vulnerableArgs: [{ type: 'string', index: 0 }, { type: 'object', index: 1 }],
-    },
-    {
-      methods: ['createContext'],
-      vulnerableArgs: [{ type: 'object', index: 0 }],
-    },
-    {
-      methods: ['Script.prototype.runInContext', 'Script.prototype.runInNewContext'],
-      vulnerableArgs: [{ type: 'object', index: 0 }],
-    }
-  ];
-
-  function methodPick(vm, method) {
-    let fn = vm[method];
-
-    if (method.includes('.')) {
-      fn = vm;
-      method.split('.').forEach((prop) => {
-        fn = fn[prop];
-      });
-    }
-
-    return fn;
-  }
-
-  beforeEach(function () {
-    vm = {};
-    origVm = {
-      Script: sinon.stub(),
-      createContext: sinon.stub(),
-      compileFunction: sinon.stub(),
-      runInContext: sinon.stub(),
-      runInNewContext: sinon.stub(),
-      runInThisContext: sinon.stub(),
-    };
-    Object.assign(vm, origVm);
-    origVm['Script.prototype.runInContext'] = sinon.stub();
-    origVm['Script.prototype.runInNewContext'] = sinon.stub();
-    vm.Script.prototype.runInContext = origVm['Script.prototype.runInContext'];
-    vm.Script.prototype.runInNewContext = origVm['Script.prototype.runInNewContext'];
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.depHooks.resolve.yields(vm);
-    core.scopes = mocks.scopes();
-    sinon.stub(core.scopes.sources, 'getStore').returns(store);
-    core.patcher = patcher(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-
-    require('./vm')(core);
-
-    core.protect.inputTracing.vmInstrumentation.install();
-  });
-
-  describe('ssjsInjection() is called with expected values', function () {
-    testSetup.forEach(({ methods, vulnerableArgs }) => {
-      const methodArgs = [];
-
-      vulnerableArgs.forEach((arg) => {
-        const argValue = arg.type == 'string' ? 'function() { return "hi"; }' : { prop: 'foobar' };
-        methodArgs[arg.index] = argValue;
-      });
-
-      methods.forEach((method) => {
-        const name = `vm.${method}`;
-
-        it(name, function () {
-          const fn = methodPick(vm, method);
-          fn(...methodArgs);
-
-          expect(core.protect.inputTracing.ssjsInjection).to.have.callCount(vulnerableArgs.length);
-          vulnerableArgs.forEach(({ index }) => {
-            const value = methodArgs[index];
-
-            expect(core.protect.inputTracing.ssjsInjection).to.have.been.calledWith(
-              store.protect,
-              { name, value, stacktraceOpts: { constructorOpt: fn, prependFrames: [origVm[method]] } }
-            );
-          });
-        });
-      });
-    });
-  });
-
-  describe('ssjsInjection() is not called when method args are not relevant', function () {
-    const methodArgs = [1, undefined];
-
-    testSetup.forEach(({ methods }) => {
-      methods.forEach((method) => {
-        const name = `vm.${method}`;
-
-        it(name, function () {
-          const fn = methodPick(vm, method);
-
-          fn(...methodArgs);
-
-          expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
-        });
-      });
-    });
-  });
-
-  describe('ssjsInjection() is not called when instrumentation is locked', function () {
-    beforeEach(function () {
-      core.scopes.instrumentation.isLocked.returns(true);
-    });
-
-    testSetup.forEach(({ methods, vulnerableArgs }) => {
-      const methodArgs = [];
-
-      vulnerableArgs.forEach((arg) => {
-        const argValue = arg.type == 'string' ? 'function() { return "hi"; }' : { prop: 'function() { return "hi"; }' };
-        methodArgs[arg.index] = argValue;
-      });
-
-      methods.forEach((method) => {
-        const name = `vm.${method}`;
-
-        it(name, function () {
-          const fn = methodPick(vm, method);
-
-          fn(...methodArgs);
-
-          expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
-        });
-      });
-    });
-  });
-
-  describe('ssjsInjection() is not called when there is no Protect sourceContext', function () {
-    beforeEach(function () {
-      core.scopes.sources.getStore.returns({ protect: null });
-    });
-
-    testSetup.forEach(({ methods, vulnerableArgs }) => {
-      const methodArgs = [];
-
-      vulnerableArgs.forEach((arg) => {
-        const argValue = arg.type == 'string' ? 'function() { return "hi"; }' : { prop: 'function() { return "hi"; }' };
-        methodArgs[arg.index] = argValue;
-      });
-
-      methods.forEach((method) => {
-        const name = `vm.${method}`;
-
-        it(name, function () {
-          const fn = methodPick(vm, method);
-
-          fn(...methodArgs);
-
-          expect(core.protect.inputTracing.ssjsInjection).not.to.have.been.called;
-        });
-      });
-    });
-  });
-});

package/lib/make-response-blocker.test.js

@@ -1,99 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const { symbols: { kMetrics } } = require('@contrast/common');
-const mocks = require('@contrast/test/mocks');
-const patcher = require('@contrast/patcher');
-
-describe('protect make-response-blocker', function () {
-
-  let res, core, makeResponseBlocker;
-  beforeEach(function () {
-
-    res = {
-      end: sinon.stub(),
-      headersSent: false,
-      writeHead: sinon.stub()
-    };
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.patcher = patcher(core);
-    core.protect = {};
-
-    sinon.spy(core.patcher, 'unwrap');
-    makeResponseBlocker = require('./make-response-blocker')(core);
-  });
-
-  it('Sends a blocked response', function () {
-    const block = makeResponseBlocker(res);
-    block('block', 'sql-injection');
-    expect(core.patcher.unwrap).to.have.been.calledWith(res.writeHead);
-    expect(core.patcher.unwrap).to.have.been.calledWith(res.end);
-    expect(res.writeHead).to.have.been.calledWith(403);
-    expect(res.end).to.have.been.calledWith('');
-    expect(core.logger.info).to.have.been.calledWith(
-      { mode: 'BLOCK', ruleId: 'sql-injection' },
-      'Request blocked'
-    );
-  });
-
-  it('Sets blocked property', function () {
-    const block = makeResponseBlocker(res);
-    block('block', 'sql-injection');
-    expect(makeResponseBlocker.blocked.has(res)).to.be.true;
-  });
-
-  it('Set core.protect.makeResponseBlocker', function () {
-    expect(core.protect.makeResponseBlocker).to.equal(makeResponseBlocker);
-  });
-
-  it('Blocks on the same "res" object only once', function () {
-    const block = makeResponseBlocker(res);
-    block('block', 'sql-injection');
-    block('block', 'cmd-injection');
-    expect(makeResponseBlocker.blocked.has(res));
-    expect(res.end).to.have.been.calledOnce;
-    expect(res.writeHead).to.have.been.calledOnce;
-    expect(core.logger.info).to.have.been.calledOnce;
-  });
-
-  it('Adds multiple responses to blocked set', function () {
-    const res1 = Object.assign({}, res);
-    const res2 = Object.assign({}, res);
-    const block1 = makeResponseBlocker(res1);
-    const block2 = makeResponseBlocker(res2);
-    block1('block', 'sql-injection');
-    block2('block', 'cmd-injection');
-    expect(makeResponseBlocker.blocked.has(res1));
-    expect(makeResponseBlocker.blocked.has(res2));
-  });
-
-  it('Does not call writeHead when headers already sent', function () {
-    const block = makeResponseBlocker(res);
-    res.headersSent = true;
-    block('block_at_perimeter', 'reflected-xss');
-    expect(res.writeHead).not.to.have.been.called;
-    expect(res.end).to.have.been.calledWith('');
-  });
-
-  it('Logs error when exception thrown', function () {
-    const err = new Error('error');
-    res.end.throws(err);
-    const block = makeResponseBlocker(res);
-    block('block', 'path-traversal');
-    expect(core.logger.error).to.have.been.calledWith(
-      { err, mode: 'BLOCK', ruleId: 'path-traversal' },
-      'Error blocking request'
-    );
-  });
-
-  it('removes the `metrics` object if present', function () {
-    const block = makeResponseBlocker(res);
-    res[kMetrics] = { timeout: setTimeout(sinon.stub(), 1) };
-    block('block', 'sql-injection');
-
-    expect(res).not.to.have.property(kMetrics);
-  });
-});