@contrast/protect 1.54.0 → 1.54.2

package/lib/input-analysis/install/http.test.js

@@ -1,270 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const EventEmitter = require('events');
-const Protect = require('../..');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-
-describe('protect input-analysis http', function () {
-
-  describe('initialization', function () {
-    let core, httpInstr, mockServer;
-    // this captures the sinon stub before it is wrapped by Perf so we can
-    // determine if it was called/not called as expected. if we don't do this
-    // the core.depHooks.install() will be replaced by the Perf wrapper and
-    // sinon will complain that it's not a spy/call-to-spy.
-
-    beforeEach(function () {
-      ({ core } = initProtectFixture());
-
-      core.protect = Protect(core);
-      httpInstr = require('./http')(core);
-      httpInstr.around = sinon.stub();
-
-      sinon.stub(core.protect.errorHandlers, 'initDomain');
-
-      mockServer = {
-        Server: {
-          prototype: {
-            emit: () => { },
-            _events: {
-              request: 'REQUEST',
-            }
-          }
-        },
-        createServer() { },
-        createSecureServer() { }
-      };
-
-      core.depHooks.resolve.yields(mockServer);
-    });
-
-    it('should not be initialized after being required', function () {
-      expect(httpInstr.install).a('function');
-      // the next two lines are effectively: expect(core.depHooks.install).not.to.have.been.called;
-      const depHooksInstall = core.Perf.all.get('agentify').get('agentify:@contrast/dep-hooks:install');
-      expect(depHooksInstall).equal(undefined);
-      expect(core.depHooks.resolve).not.to.have.been.called;
-    });
-
-    it('should be initialized after being installed', function () {
-      httpInstr.install();
-      expect(core.depHooks.resolve).to.have.callCount(4);
-    });
-
-    describe('hook createServer', function () {
-      let postHook;
-
-      this.beforeEach(function () {
-        sinon.spy(core.patcher, 'patch');
-        httpInstr.install();
-        postHook = core.patcher.patch.getCall(3).lastArg.post;
-
-      });
-
-      it('should patch the Server prototype for http2', function () {
-        postHook({ result: Object.create(mockServer.Server.prototype) });
-
-        expect(core.patcher.patch).to.have.been.calledWith(mockServer.Server.prototype, 'emit', {
-          name: 'http2.Server.prototype.emit',
-          patchType: 'protect-input-analysis',
-          around: sinon.match.func,
-          funcKey: 'protect-input-analysis:http2.Server.prototype.emit'
-        });
-      });
-
-      it('should throw an error if we cannot patch the Server prototype for http2', function () {
-        postHook({ result: Object.create(null), funcKey: 'a' });
-        postHook({ result: null, funcKey: 'b' });
-        expect(core.logger.error).to.have.been.calledWith(
-          { funcKey: 'a' },
-          'Unable to patch %s, continuing without instrumentation',
-          'http2.Server.prototype',
-        );
-        expect(core.logger.error).to.have.been.calledWith(
-          { funcKey: 'b' },
-          'Unable to patch %s, continuing without instrumentation',
-          'http2.Server.prototype',
-        );
-
-      });
-    });
-
-    describe('around()', function () {
-      let core,
-        httpInstr,
-        server,
-        serverEmit,
-        req,
-        res,
-        reqEmitter,
-        context,
-        expectedReqData,
-        connectInputs;
-
-      beforeEach(function () {
-        ({ core } = initProtectFixture());
-
-        Object.assign(core.config.protect.rules, {
-          'cmd-injection': { mode: 'monitor' },
-          'reflected-xss': { mode: 'block' }
-        });
-        core.protect = Protect(core);
-
-        sinon.spy(core.protect.inputAnalysis, 'handleConnect');
-        sinon.spy(core.protect.inputAnalysis, 'handleIpDenylist');
-        sinon.spy(core.protect.inputAnalysis, 'handleIpAllowlist');
-
-        httpInstr = require('./http')(core);
-
-        sinon.spy(core.protect, 'makeSourceContext');
-
-        server = {};
-        serverEmit = sinon.stub();
-        server.prototype = { emit: serverEmit };
-        reqEmitter = new EventEmitter();
-        req = {
-          url: '/',
-          method: 'GET',
-          rawHeaders: ['host', 'vogon.com', 'content-type', 'application/json'],
-          // this needs to look sort of like a real incoming message
-          emit: (...args) => reqEmitter.emit(...args),
-          _events: {},
-          socket: { _readableState: { autoDestroy: false } },
-          resume: sinon.stub(),
-        };
-        res = {
-          end: sinon.stub(),
-          writeHead: sinon.stub(),
-          headersSent: false,
-          on: sinon.stub(),
-        };
-        context = {
-          instance: server,
-          method: serverEmit,
-          args: ['request', req, res],
-          funcKey: 'funcKey',
-        };
-
-        // setup a few expected results. these can be modified as needed by
-        // different tests.
-        expectedReqData = {
-          method: req.method.toLowerCase(),
-          headers: req.rawHeaders.map((h, i) => i & 1 ? h : h.toLowerCase()),
-          uriPath: '/',
-          url: '/',
-          queries: '',
-          contentType: '',
-        };
-        connectInputs = {
-          headers: expectedReqData.headers,
-          uriPath: expectedReqData.uriPath,
-          method: expectedReqData.method
-        };
-      });
-
-      it('does not handle non-requests', function () {
-        context = {
-          instance: server,
-          method: serverEmit,
-          args: ['foo', req, res]
-        };
-        const next = sinon.stub();
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(next, context));
-        expect(core.protect.inputAnalysis.handleConnect).not.have.been.called;
-        expect(next).to.have.been.called;
-      });
-
-      it('works as expected', function () {
-        res.on = (eventName, fn) => {
-          fn();
-        };
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-        const sourceContext = core.protect.makeSourceContext.returnValues[0];
-        expect(core.protect.inputAnalysis.handleConnect).to.have.been.calledOnceWith(sourceContext, connectInputs);
-      });
-
-      it('debug logs if no async context', function () {
-        sinon.stub(core.scopes.sources, 'getStore').returns(undefined);
-        core.logger.debug = sinon.stub();
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-
-        expect(core.logger.debug).to.have.been.calledOnceWith({ funcKey: 'funcKey' }, 'request store not available during http input-analysis');
-      });
-
-      it('error logs on exceptions', function () {
-        const err = new Error('sometimes things do not work out');
-        core.protect.inputAnalysis.handleConnect.restore();
-        sinon.stub(core.protect.inputAnalysis, 'handleConnect').throws(err);
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-        expect(core.logger.error).to.have.been.calledWith({ err, funcKey: 'funcKey' }, 'Error during http input analysis');
-      });
-
-      it('connectInputs will contain not a cookies header', function () {
-        const withoutCookies = req.rawHeaders.slice();
-        req.rawHeaders.push('COOKIES', 'this;that;the other;thing');
-        expectedReqData.headers.push('cookies', 'this;that;the other;thing');
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-        const sourceContext = core.protect.makeSourceContext.returnValues[0];
-        connectInputs.headers = withoutCookies;
-        expect(core.protect.inputAnalysis.handleConnect).to.have.been.calledOnceWith(sourceContext, connectInputs);
-      });
-
-      it('does no analysis and just executes the request if the sourceContext has the allowed property set to true', function () {
-        core.protect.makeSourceContext = () => ({
-          allowed: true
-        });
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-
-        expect(core.protect.inputAnalysis.handleConnect).not.to.have.been.called;
-        expect(core.logger.debug).not.to.have.been.called;
-      });
-
-      it('does not emit the original event when blocked', function () {
-        req.url = '/need/<script>%20this&that';
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-
-        const block = ['block', 'reflected-xss'];
-
-        expect(core.protect.inputAnalysis.handleConnect).to.have.been.calledOnce.returned(block);
-        expect(core.logger.debug).to.have.been.calledWith({ block, funcKey: 'funcKey' }, 'request blocked by not emitting request event');
-      });
-
-      it('does not handle a request body when it is not JSON', function () {
-        req.rawHeaders = ['Content-Type', 'multipart/form-data'];
-        expectedReqData.headers = ['content-type', 'multipart/form-data'];
-        expectedReqData.contentType = 'multipart/form-data';
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-        const sourceContext = core.protect.makeSourceContext.returnValues[0];
-        connectInputs.headers = expectedReqData.headers;
-        expect(core.protect.inputAnalysis.handleConnect).to.have.been.calledOnceWith(sourceContext, connectInputs);
-      });
-
-      it('stores the virtualPatchesEvaluators in the protect store from inputAnalysis if there are some', function () {
-        core.protect.inputAnalysis.virtualPatchesEvaluators = [new Map([['a', 'b']]), new Map([['a', 'b'], ['c', 'd']])];
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-
-        const { virtualPatchesEvaluators } = core.protect.makeSourceContext.returnValues[0];
-
-        expect(virtualPatchesEvaluators.length).to.equal(2);
-        expect(virtualPatchesEvaluators[0].size).to.equal(1);
-        expect(virtualPatchesEvaluators[1].size).to.equal(2);
-      });
-
-      it('calls handleIpDenylist() if there is a IP Denylist', function () {
-        core.protect.inputAnalysis.ipDenylist = ['test-entry'];
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-
-        expect(core.protect.inputAnalysis.handleIpDenylist).to.have.been.called;
-      });
-
-      it('calls handleIpAllowlist() if there is a IP Denylist', function () {
-        core.protect.inputAnalysis.ipAllowlist = ['test-entry'];
-        core.scopes.sources.run({ protect: {} }, () => httpInstr.around(() => { }, context));
-
-        expect(core.protect.inputAnalysis.handleIpAllowlist).to.have.been.called;
-      });
-    });
-  });
-});

package/lib/input-analysis/install/koa-body5.test.js

@@ -1,92 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const koaBodyInstr = require('./koa-body5');
-
-describe('protect input-analysis koa-body v5.x', function () {
-  let core, inputAnalysis, koaBodyMock, patchedKoaBody, body, nextStub;
-
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    inputAnalysis = core.protect.inputAnalysis;
-    body = { parameter: 'parsed' };
-
-    koaBodyMock = (body) => (ctx, next) => {
-      ctx.request.body = body;
-      next();
-    };
-    nextStub = sinon.stub();
-    sinon.spy(core.patcher, 'patch');
-
-    koaBodyInstr(core).install();
-    patchedKoaBody = core.depHooks.resolve.yield(koaBodyMock)[0];
-    core.patcher.patch.resetHistory();
-  });
-
-  it('calls patcher on the `cookie-parser` module export', function () {
-    core.depHooks.resolve.yield(koaBodyMock);
-
-    expect(core.patcher.patch).to.have.been.calledOnce;
-    expect(core.patcher.patch).to.have.been.calledWithMatch(koaBodyMock, {
-      name: 'koa-body',
-      patchType: 'protect-input-analysis',
-      post: sinon.match.func
-    });
-  });
-
-  it('calls `.handleParsedBody` when parsing body is successful and in right context', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      const bParser = patchedKoaBody(body);
-      bParser({ request: {} }, nextStub);
-    });
-
-    expect(core.patcher.patch).to.have.been.calledOnce;
-    expect(core.patcher.patch).to.have.been.calledWithMatch(sinon.match.func, {
-      name: 'koa-body',
-      patchType: 'protect-input-analysis',
-      pre: sinon.match.func
-    });
-
-    expect(nextStub).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledWithMatch({ parsedBody: body }, body);
-  });
-
-  it('does not call `.handleParsedBody` when not in context', function () {
-    core.scopes.sources.run({}, () => {
-      const cParser = patchedKoaBody(body);
-      cParser({ request: {} }, nextStub);
-    });
-
-    expect(inputAnalysis.handleCookies).not.to.have.been.called;
-    expect(nextStub).to.have.been.calledOnce;
-  });
-
-  it('does not call `.handleParsedBody` when `koa-body` does not return a result', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedKoaBody();
-      cParser({ request: {} }, nextStub);
-    });
-
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedKoaBody({});
-      cParser({ request: {} }, nextStub);
-    });
-
-    expect(inputAnalysis.handleCookies).not.to.have.been.called;
-    expect(core.logger.debug).not.to.have.been.called;
-    expect(nextStub).to.have.been.calledTwice;
-  });
-});

package/lib/input-analysis/install/koa-bodyparser4.test.js

@@ -1,92 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const koaBodyparserInstr = require('./koa-bodyparser4');
-
-describe('protect input-analysis koa-bodyparser v4.x', function () {
-  let core, inputAnalysis, koaBodyparserMock, patchedKoaBodyparser, body, nextStub;
-
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    inputAnalysis = core.protect.inputAnalysis;
-    body = { parameter: 'parsed' };
-
-    koaBodyparserMock = (body) => (ctx, next) => {
-      ctx.request.body = body;
-      next();
-    };
-    nextStub = sinon.stub();
-    sinon.spy(core.patcher, 'patch');
-
-    koaBodyparserInstr(core).install();
-    patchedKoaBodyparser = core.depHooks.resolve.yield(koaBodyparserMock)[0];
-    core.patcher.patch.resetHistory();
-  });
-
-  it('calls patcher on the `cookie-parser` module export', function () {
-    core.depHooks.resolve.yield(koaBodyparserMock);
-
-    expect(core.patcher.patch).to.have.been.calledOnce;
-    expect(core.patcher.patch).to.have.been.calledWithMatch(koaBodyparserMock, {
-      name: 'koa-bodyparser',
-      patchType: 'protect-input-analysis',
-      post: sinon.match.func
-    });
-  });
-
-  it('calls `.handleParsedBody` when parsing body is successful and in right context', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      const bParser = patchedKoaBodyparser(body);
-      bParser({ request: {} }, nextStub);
-    });
-
-    expect(core.patcher.patch).to.have.been.calledOnce;
-    expect(core.patcher.patch).to.have.been.calledWithMatch(sinon.match.func, {
-      name: 'koa-bodyparser',
-      patchType: 'protect-input-analysis',
-      pre: sinon.match.func
-    });
-
-    expect(nextStub).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledWithMatch({ parsedBody: body }, body);
-  });
-
-  it('does not call `.handleParsedBody` when not in context', function () {
-    core.scopes.sources.run({}, () => {
-      const cParser = patchedKoaBodyparser(body);
-      cParser({ request: {} }, nextStub);
-    });
-
-    expect(inputAnalysis.handleCookies).not.to.have.been.called;
-    expect(nextStub).to.have.been.calledOnce;
-  });
-
-  it('does not call `.handleParsedBody` when `koa-bodyparser` does not return a result', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedKoaBodyparser();
-      cParser({ request: {} }, nextStub);
-    });
-
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedKoaBodyparser({});
-      cParser({ request: {} }, nextStub);
-    });
-
-    expect(inputAnalysis.handleCookies).not.to.have.been.called;
-    expect(core.logger.debug).not.to.have.been.called;
-    expect(nextStub).to.have.been.calledTwice;
-  });
-});