@contrast/protect 1.54.0 → 1.54.2

package/lib/error-handlers/install/koa2.test.js

@@ -1,83 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const SecurityException = require('../../security-exception');
-
-describe('protect error-handlers koa2', function () {
-  let core,
-    errorHandler,
-    Koa,
-    onerror,
-    store,
-    ctx;
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.config = mocks.config();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    store = {
-      protect: {
-        block: sinon.stub(),
-        securityException: ['block', 'cmd-injection']
-      }
-    };
-
-    Koa = function () { };
-
-    Koa.prototype.handleRequest = function () { };
-
-    core.depHooks.resolve.yields(Koa);
-
-    errorHandler = require('./koa2')(core);
-    errorHandler.install();
-
-    onerror = sinon.stub();
-    ctx = {
-      onerror,
-    };
-    Koa.prototype.handleRequest(ctx);
-  });
-
-  it('should block the request when there is SecurityException', function () {
-    const error = SecurityException.create();
-
-    core.scopes.sources.run(store, () => {
-      ctx.onerror(error);
-      expect(core.logger.info).not.to.have.been.called;
-      expect(store.protect.block).to.have.been.calledWith('block', 'cmd-injection');
-      expect(ctx.body).to.equal('');
-    });
-  });
-
-  it('should not block the request when there is SecurityException but sourceContext is missing', function () {
-    const error = SecurityException.create();
-
-    core.scopes.sources.run({}, () => {
-      ctx.onerror(error);
-      expect(core.logger.info).to.have.been.calledWith(
-        { funcKey: 'protect-error-handling:koa.ctx.onerror' },
-        'source context not found; unable to handle response'
-      );
-    });
-  });
-
-  it('should skip the instrumentation when there is no SecurityException', function () {
-    const error = new Error('Error');
-
-    core.scopes.sources.run({}, () => {
-      ctx.onerror(error);
-      expect(core.logger.info).not.to.have.been.called;
-      expect(store.protect.block).not.to.have.been.called;
-    });
-  });
-});

package/lib/error-handlers/install/restify.test.js

@@ -1,57 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-const SecurityException = require('../../security-exception');
-
-describe('protect error-handlers restify v8+', function () {
-  let core, simulateRequestScope, Server, store;
-
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initProtectFixture());
-
-    Server = { prototype: { _onHandlerError: sinon.stub().returnsArg(0) } };
-    store = { protect: { block: sinon.stub(), securityException: ['block'] } };
-
-    core.depHooks.resolve
-      .withArgs({ name: 'restify', file: 'lib/server.js', version: '>=8 <12' })
-      .yields(Server);
-
-    core.protect.errorHandlers.restifyErrorHandler.install();
-  });
-
-  it('blocks the request when a security exception is handled', function () {
-    const err = SecurityException.create();
-
-    simulateRequestScope(() => {
-      Server.prototype._onHandlerError(err);
-
-      expect(store.protect.block).to.have.been.calledWith(...store.protect.securityException);
-    }, store);
-  });
-
-  it('does not block the request when context is missing', function () {
-    const err = SecurityException.create();
-
-    simulateRequestScope(() => {
-      Server.prototype._onHandlerError(err);
-      expect(store.protect.block).not.to.have.been.called;
-      expect(core.logger.info).to.have.been.calledWith(
-        sinon.match.object,
-        'source context not found; unable to handle response',
-      );
-    }, {});
-  });
-
-  it('does not handle other errors', function () {
-    const err = new Error();
-
-    simulateRequestScope(() => {
-      const result = Server.prototype._onHandlerError(err);
-      expect(store.protect.block).not.to.have.been.called;
-      expect(core.logger.info).not.to.have.been.called;
-      expect(result).to.equal(err);
-    }, store);
-  });
-});

package/lib/get-source-context.test.js

@@ -1,35 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-
-describe('protect get-source-context', function () {
-  let core, getSourceContext;
-
-  beforeEach(function () {
-    ({ core } = initProtectFixture());
-    ({ getSourceContext } = core.protect);
-  });
-
-  it('returns the sourceContext when there is `allowed` property in it', function () {
-    core.scopes.sources.run({ protect: { test: 'store' } }, () => {
-      const result = getSourceContext();
-      expect(result).to.deep.equal({ test: 'store' });
-    });
-  });
-
-  it('logs a debug log when the sourceContext is missing and returns null', function () {
-    core.scopes.sources.run({ protect: null }, () => {
-      const result = getSourceContext();
-      expect(result).to.null;
-    });
-  });
-
-  it('returns null when the protect store has a thruthy `allowed` property', function () {
-    core.scopes.sources.run({ protect: { allowed: true } }, () => {
-      const result = getSourceContext();
-      expect(core.logger.debug).not.to.have.been.called;
-      expect(result).to.null;
-    });
-  });
-});

package/lib/hardening/handlers.test.js

@@ -1,89 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const mocks = require('@contrast/test/mocks');
-const { create: createSecurityException } = require('../security-exception');
-const handlersFactory = require('./handlers');
-
-describe('protect hardening handlers', function () {
-  let core, handlers, map, sourceContext;
-
-  const exception = createSecurityException();
-  const sinkContext = {
-    name: 'node-serialize.unserialize',
-    value: '"foo":"_$$ND_FUNC$$_while(true)',
-    get stack() {
-      return [{
-        file: 'index.js',
-        lineNumber: 123,
-        method: '',
-        type: 'Function',
-      }];
-    },
-  };
-
-  function makePolicy(mode) {
-    return {
-      'untrusted-deserialization': mode,
-    };
-  }
-
-  beforeEach(function () {
-    map = {};
-    sourceContext = {
-      resultsMap: map,
-    };
-    core = mocks.core();
-    core.protect = mocks.protect();
-    core.protect.hardening = {};
-    core.protect.throwSecurityException.throws(exception);
-    handlers = handlersFactory(core);
-  });
-
-  ['block', 'block_at_perimeter'].forEach((mode) => {
-    it(`${mode}`, function () {
-      sourceContext.policy = makePolicy(mode);
-
-      expect(function () {
-        handlers.handleUntrustedDeserialization(sourceContext, sinkContext);
-      }).to.throw(exception.constructor);
-
-      expect(map).to.have.deep.property('untrusted-deserialization', [{
-        blocked: true,
-        exploitMetadata: [{ deserializer: 'node-serialize.unserialize', command: false }],
-        sinkContext,
-        value: sinkContext.value,
-      }]);
-    });
-  });
-
-  it('monitor', function () {
-    sourceContext.policy = makePolicy('monitor');
-
-    handlers.handleUntrustedDeserialization(sourceContext, sinkContext);
-
-    expect(map).to.have.deep.property('untrusted-deserialization', [{
-      blocked: false,
-      exploitMetadata: [{ deserializer: 'node-serialize.unserialize', command: false }],
-      sinkContext,
-      value: sinkContext.value,
-    }]);
-  });
-
-  it('off', function () {
-    sourceContext.policy = makePolicy('off');
-
-    handlers.handleUntrustedDeserialization(sourceContext, sinkContext);
-
-    expect(map).not.to.have.deep.property('untrusted-deserialization');
-  });
-
-  it('returns if the result value type is incorrect', function () {
-    sourceContext.policy = makePolicy('monitor');
-    sinkContext.value = true;
-
-    handlers.handleUntrustedDeserialization(sourceContext, sinkContext);
-
-    expect(map).not.to.have.deep.property('untrusted-deserialization');
-  });
-});

package/lib/hardening/index.test.js

@@ -1,31 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const proxyquire = require('proxyquire');
-const mocks = require('@contrast/test/mocks');
-
-describe('protect hardening', function () {
-  let modulesMock, installStub, core, hardening;
-  beforeEach(function () {
-    installStub = sinon.stub();
-    modulesMock = (propertyName) => function (core) {
-      if (propertyName) {
-        core.protect.hardening[propertyName] = { install: installStub };
-      }
-    };
-    core = mocks.core();
-    core.protect = mocks.protect();
-
-    hardening = proxyquire('.', {
-      './handlers': modulesMock,
-      './install/node-serialize0': modulesMock('nodeSerialize0Instrumentation'),
-      // Total of 2 modules required - 1 handlers and 1 module to be installed
-    });
-  });
-
-  it('calls the install method on nodeSerialize0Instrumentation', function () {
-    hardening(core).install();
-    expect(installStub).to.have.been.calledOnce;
-  });
-});

package/lib/hardening/install/node-serialize0.test.js

@@ -1,58 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const patcher = require('@contrast/patcher');
-const scopes = require('@contrast/scopes');
-const mocks = require('@contrast/test/mocks');
-const instrumentationFactory = require('./node-serialize0');
-
-describe('protect hardening node-serialize0', function () {
-  let core, mockLib, hardening;
-
-  beforeEach(function () {
-    mockLib = {
-      unserialize() { }
-    };
-
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.depHooks = mocks.depHooks();
-    core.depHooks.resolve.yields(mockLib);
-    core.patcher = patcher(core);
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    hardening = core.protect.hardening;
-
-    instrumentationFactory(core).install();
-  });
-
-  it('calls hardening handler when called in sources scope', function () {
-    const value = '"foo":"_$$ND_FUNC$$_while(true)';
-    const sourceContext = {};
-    const store = { protect: sourceContext };
-    const sinkContext = {
-      name: 'node-serialize.unserialize',
-      value,
-      stacktraceOpts: { constructorOpt: mockLib.unserialize, prependFrames: [sinon.match.func] }
-    };
-
-    core.scopes.sources.run(store, function () {
-      mockLib.unserialize(value);
-    });
-
-    expect(hardening.handleUntrustedDeserialization).to.have.been.calledWith(
-      sourceContext,
-      sinkContext
-    );
-  });
-
-  it('hardening handler is not called when out of sources scope', function () {
-    const value = '"foo":"_$$ND_FUNC$$_while(true)';
-
-    mockLib.unserialize(value);
-
-    expect(hardening.handleUntrustedDeserialization).not.to.have.been.called;
-  });
-});

package/lib/index.test.js

@@ -1,53 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const proxyquire = require('proxyquire');
-const mocks = require('@contrast/test/mocks');
-
-const moduleMock = (moduleName, mock) => (deps) => {
-  deps.protect[moduleName] = mock[moduleName];
-};
-
-describe('protect', function () {
-  let core, protectMock, protectModule, modulesWithInstall;
-
-  beforeEach(function () {
-    protectMock = mocks.protect();
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.config = mocks.config();
-    core.scopes = mocks.scopes();
-    core.config.protect.rules = {
-      ['nosql-injection']: { mode: 'monitor' },
-      ['cmd-injection']: { mode: 'block' },
-      ['path-traversal']: { mode: 'off' }
-    };
-    core.config.protect.rules.disabled_rules = ['sql-injection'];
-    core.rewriter = mocks.rewriter();
-    protectModule = proxyquire('.', {
-      './input-analysis': moduleMock('inputAnalysis', protectMock),
-      './input-tracing': moduleMock('inputTracing', protectMock),
-      './semantic-analysis': moduleMock('semanticAnalysis', protectMock),
-      './hardening': moduleMock('hardening', protectMock),
-      './error-handlers': moduleMock('errorHandlers', protectMock),
-    });
-    modulesWithInstall = ['inputAnalysis', 'inputTracing', 'hardening', 'errorHandlers'];
-  });
-
-  it('installs components and initializes policy', function () {
-    core.config.getEffectiveValue.withArgs('protect.enable').returns(true);
-    protectModule(core).install();
-
-    modulesWithInstall.forEach((module) => {
-      expect(protectMock[module].install).to.have.been.calledOnce;
-    });
-
-    expect(core.protect.getPolicy()).to.deep.include({
-      rulesMask: 48,
-      'cmd-injection': 'block',
-      'nosql-injection': 'monitor',
-    });
-
-    expect(core.rewriter.install).to.have.been.calledWith('protect');
-  });
-});