@contrast/protect 1.54.0 → 1.54.2

package/lib/input-analysis/install/koa2.test.js

@@ -1,259 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const koaInstr = require('./koa2');
-
-describe('protect input-analysis koa v2.x', function () {
-  let core,
-    inputAnalysis,
-    koaMock,
-    routerMock,
-    legacyRouterMock,
-    cookieMock,
-    nextStub,
-    query,
-    params,
-    cookies;
-
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-    sinon.spy(core.patcher, 'patch');
-
-    query = { parameter: 'parsed-query' };
-    params = { parameter: 'parsed-param' };
-    cookies = { parameter: 'parsed-cookie' };
-    koaMock = {
-      prototype: {
-        middleware: [],
-        use: (newMiddleware) => {
-          newMiddleware && koaMock.prototype.middleware && koaMock.prototype.middleware.push(newMiddleware);
-        },
-      }
-    };
-
-    routerMock = {
-      prototype: {
-        params: (parameters) => parameters || {}
-      }
-    };
-
-    legacyRouterMock = {
-      prototype: {
-        params: (parameters) => parameters || {}
-      }
-    };
-
-    cookieMock = {
-      default: (cookie) => (ctx, next) => {
-        ctx.cookie = cookie;
-        next();
-      }
-    };
-
-    const mockDict = {
-      ['koa']: koaMock,
-      ['koa-router']: legacyRouterMock,
-      ['@koa/router']: routerMock,
-      ['koa-cookie']: cookieMock
-    };
-
-    core.depHooks.resolve.callsFake(function (desc, cb) {
-      const cbArg = mockDict[desc.name];
-      if (cbArg) {
-        cb(cbArg);
-      }
-    });
-    nextStub = sinon.stub();
-
-    inputAnalysis = core.protect.inputAnalysis;
-    koaInstr(core).install();
-    core.patcher.patch.resetHistory();
-  });
-
-  it('calls patcher for every necessary instrumentation', function () {
-    koaInstr(core).install();
-    expect(core.patcher.patch).to.have.callCount(4);
-    expect(core.patcher.patch).to.have.been.calledWithMatch(koaMock.prototype, 'use', {
-      name: 'Koa.Application',
-      patchType: 'protect-input-analysis',
-      pre: sinon.match.func
-    });
-    expect(core.patcher.patch).to.have.been.calledWithMatch(legacyRouterMock.prototype, 'params', {
-      name: '[koa-router].layer.prototype',
-      patchType: 'protect-input-analysis',
-      post: sinon.match.func
-    });
-    expect(core.patcher.patch).to.have.been.calledWithMatch(routerMock.prototype, 'params', {
-      name: '[@koa/router].layer.prototype',
-      patchType: 'protect-input-analysis',
-      post: sinon.match.func
-    });
-    expect(core.patcher.patch).to.have.been.calledWithMatch(sinon.match.func, {
-      name: 'koa-cookie',
-      patchType: 'protect-input-analysis',
-      post: sinon.match.func
-    });
-  });
-
-  describe('contrastStartMiddleware', function () {
-    it('successfully injects contrastMiddleware', function () {
-      koaMock.prototype.use('test');
-
-      expect(koaMock.prototype.middleware.length).to.equal(2);
-      expect(koaMock.prototype.middleware[0]._isContrastStartMiddleware).to.be.true;
-    });
-
-    it('does not inject contrastMiddleware if there is one already injected', function () {
-      koaMock.prototype.middleware.push({ _isContrastStartMiddleware: true });
-      koaMock.prototype.use();
-
-      expect(koaMock.prototype.middleware.length).to.equal(1);
-    });
-
-    it('does not call `.handleQueryParams` if there is no query on the ctx for `contrastStartMiddleware`', function () {
-      koaMock.prototype.use();
-
-      const contrastStartMiddleware = koaMock.prototype.middleware[0];
-
-      core.scopes.sources.run({ protect: {} }, () => {
-        contrastStartMiddleware({}, nextStub);
-      });
-      expect(nextStub).to.have.been.calledOnce;
-      expect(inputAnalysis.handleQueryParams).not.to.have.been.called;
-    });
-
-    it('calls `.handleQueryParams` if there is query on the ctx for `contrastStartMiddleware`', function () {
-      koaMock.prototype.use();
-
-      const contrastStartMiddleware = koaMock.prototype.middleware[0];
-
-      core.scopes.sources.run({ protect: {} }, () => {
-        contrastStartMiddleware({ query }, nextStub);
-      });
-
-      expect(nextStub).to.have.been.calledOnce;
-      expect(inputAnalysis.handleQueryParams).to.have.been.calledOnce;
-      expect(inputAnalysis.handleQueryParams).to.have.been.calledWithMatch({ parsedQuery: query }, query);
-    });
-
-    it('does not call `.handleQueryParams` if there is query on the ctx for `contrastStartMiddleware`, but we have already analyzed it', function () {
-      koaMock.prototype.use();
-
-      const contrastStartMiddleware = koaMock.prototype.middleware[0];
-
-      core.scopes.sources.run({ protect: { parsedQuery: 'analyzed-query' } }, () => {
-        contrastStartMiddleware({ query }, nextStub);
-      });
-
-      expect(nextStub).to.have.been.calledOnce;
-      expect(inputAnalysis.handleQueryParams).not.to.have.been.called;
-    });
-
-    it('does not call `.handleQueryParams` if there is no context', function () {
-      koaMock.prototype.use();
-
-      const contrastStartMiddleware = koaMock.prototype.middleware[0];
-
-      core.scopes.sources.run({}, () => {
-        contrastStartMiddleware({ query }, nextStub);
-      });
-
-      expect(nextStub).to.have.been.calledOnce;
-      expect(inputAnalysis.handleQueryParams).not.to.have.been.called;
-    });
-
-  });
-
-  describe('koa routers post hook', function () {
-    let getParamsFn;
-    this.beforeEach(function () {
-      getParamsFn = function (routerName) {
-        return routerName == 'koa-router' ? legacyRouterMock.prototype.params : routerMock.prototype.params;
-      };
-    });
-    ['koa-router', '@koa/router'].forEach((router) => {
-      it(`[${router}] calls \`.handleUrlParams\` when parsing is successful and in the right context`, function () {
-        const paramsFn = getParamsFn(router);
-        core.scopes.sources.run({ protect: {} }, () => {
-          paramsFn(params);
-        });
-
-        expect(inputAnalysis.handleUrlParams).to.have.been.calledOnce;
-        expect(inputAnalysis.handleUrlParams).to.have.been.calledWithMatch({ parsedParams: params }, params);
-      });
-
-      it(`[${router}] does not call \`.handleUrlParams\` when there is no result from the parsing`, function () {
-        const paramsFn = getParamsFn(router);
-
-        core.scopes.sources.run({ protect: {} }, () => {
-          paramsFn(null);
-        });
-
-        expect(inputAnalysis.handleUrlParams).not.to.have.been.called;
-      });
-
-      it(`[${router}] does not call \`.handleUrlParams\` when there is no context`, function () {
-        const paramsFn = getParamsFn(router);
-
-        core.scopes.sources.run({}, () => {
-          paramsFn(params);
-        });
-
-        expect(inputAnalysis.handleUrlParams).not.to.have.been.called;
-      });
-    });
-  });
-
-  describe('koa-cookie patcher hooks', function () {
-    it('calls `.handleCookies` when parsing is successful and in right context', function () {
-      core.scopes.sources.run({ protect: {} }, () => {
-        const cParser = cookieMock.default(cookies);
-        cParser({}, nextStub);
-      });
-
-      expect(core.patcher.patch).to.have.been.calledOnce;
-      expect(core.patcher.patch).to.have.been.calledWithMatch(sinon.match.func, {
-        name: 'koa-cookie',
-        patchType: 'protect-input-analysis',
-        pre: sinon.match.func
-      });
-
-      expect(nextStub).to.have.been.calledOnce;
-      expect(inputAnalysis.handleCookies).to.have.been.calledOnce;
-      expect(inputAnalysis.handleCookies).to.have.been.calledWithMatch({ parsedCookies: cookies }, cookies);
-    });
-
-    it('does not call `.handleCookies` when not in context', function () {
-      core.scopes.sources.run({}, () => {
-        const cParser = cookieMock.default(cookies);
-        cParser({}, nextStub);
-      });
-
-      expect(inputAnalysis.handleCookies).not.to.have.been.called;
-      expect(nextStub).to.have.been.calledOnce;
-    });
-
-    it('does not call `.handleCookies` when `cookie-parser` does not return a result', function () {
-      core.scopes.sources.run({ protect: {} }, () => {
-        const cParser = cookieMock.default();
-        cParser({}, nextStub);
-      });
-
-      expect(inputAnalysis.handleCookies).not.to.have.been.called;
-      expect(core.logger.debug).not.to.have.been.called;
-      expect(nextStub).to.have.been.calledOnce;
-    });
-  });
-
-});

package/lib/input-analysis/install/multer1.test.js

@@ -1,209 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const SecurityException = require('../../security-exception');
-const secEx = SecurityException.create();
-const multerInstr = require('./multer1');
-
-
-describe('protect input-analysis multer v1.x', function () {
-  let core, inputAnalysis, multerMock, patchedMulter, payload, nextStub;
-
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    inputAnalysis = core.protect.inputAnalysis;
-    payload = { body: { parameter: 'parsed' }, file: { originalname: 'some-file' } };
-    multerMock = (payload) => (req, res, next) => {
-      if (payload) {
-        req.body = payload.body;
-        req.file = payload.file;
-        req.files = payload.files;
-      }
-
-      next();
-    };
-    nextStub = sinon.stub();
-    sinon.spy(core.patcher, 'patch');
-
-    multerInstr(core).install();
-    patchedMulter = core.depHooks.resolve.yield(multerMock)[0];
-
-    core.patcher.patch.resetHistory();
-  });
-
-  it('calls patcher on the `multer` module export', function () {
-    core.depHooks.resolve.yield(multerMock);
-
-    expect(core.patcher.patch).to.have.been.calledOnce;
-    expect(core.patcher.patch).to.have.been.calledWithMatch(multerMock, {
-      name: 'multer.make-middleware',
-      patchType: 'protect-input-analysis',
-      post: sinon.match.func
-    });
-  });
-
-  it('calls `.handleParsedBody` and `handleFileUploadName` when parsing is successful and in right context', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter(payload);
-      cParser({}, {}, nextStub);
-    });
-
-    expect(core.patcher.patch).to.have.been.calledOnce;
-    expect(core.patcher.patch).to.have.been.calledWithMatch(sinon.match.func, {
-      name: 'multerMiddleware',
-      patchType: 'protect-input-analysis',
-      pre: sinon.match.func
-    });
-
-    expect(nextStub).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledWithMatch({ parsedBody: payload.body }, payload.body);
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({ parsedBody: payload.body }, ['some-file']);
-  });
-
-  it('calls `.handleParsedBody` when parsing is successful and in right context, but payload has no files', function () {
-    payload.file = null;
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter(payload);
-      cParser({}, {}, nextStub);
-    });
-
-    expect(core.patcher.patch).to.have.been.calledOnce;
-    expect(core.patcher.patch).to.have.been.calledWithMatch(sinon.match.func, {
-      name: 'multerMiddleware',
-      patchType: 'protect-input-analysis',
-      pre: sinon.match.func
-    });
-
-    expect(nextStub).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledOnce;
-    expect(inputAnalysis.handleParsedBody).to.have.been.calledWithMatch({ parsedBody: payload.body }, payload.body);
-    expect(core.logger.debug).not.to.have.been.called;
-  });
-
-  it('does not call `.handleParsedBody` when not in context', function () {
-    core.scopes.sources.run({}, () => {
-      const cParser = patchedMulter(payload);
-      cParser({}, {}, nextStub);
-    });
-
-    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-    expect(nextStub).to.have.been.calledOnce;
-  });
-
-  it('does not call `.handleParsedBody` when `multer` there is a result, but only files are uploaded', function () {
-    payload.body = null;
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter(payload);
-      cParser({}, {}, nextStub);
-    });
-
-    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({}, ['some-file']);
-    expect(nextStub).to.have.been.calledOnce;
-  });
-
-  it('handles case with multiple files uploaded in an array', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter({ files: [{ originalname: 'some-file-1' }, { originalname: 'some-file-2' }] });
-      cParser({}, {}, nextStub);
-    });
-
-    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({}, ['some-file-1', 'some-file-2']);
-    expect(nextStub).to.have.been.calledOnce;
-  });
-
-
-  it('handles case with multiple files uploaded in an object', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter({ files: { file1: { originalname: 'some-file-1' }, file2: { originalname: 'some-file-2' } } });
-      cParser({}, {}, nextStub);
-    });
-
-    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledOnce;
-    expect(inputAnalysis.handleFileUploadName).to.have.been.calledWithMatch({}, ['some-file-1', 'some-file-2']);
-    expect(nextStub).to.have.been.calledOnce;
-  });
-
-  it('does not call `.handleParsedBody` when `multer` does not have a body or files', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter();
-      cParser({}, {}, nextStub);
-    });
-
-    expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-    expect(core.logger.debug).not.to.have.been.called;
-    expect(nextStub).to.have.been.calledOnce;
-  });
-
-  it('handles a case with SecurityException from `.handleParsedBody`', function () {
-    inputAnalysis.handleParsedBody.throws(secEx);
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter(payload);
-      cParser({}, {}, nextStub);
-    });
-
-    expect(nextStub).to.have.been.calledOnceWith(secEx);
-  });
-
-  it('handles a case with SecurityException from `.handleFileUploadName`', function () {
-    inputAnalysis.handleFileUploadName.throws(secEx);
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter(payload);
-      cParser({}, {}, nextStub);
-    });
-
-    expect(nextStub).to.have.been.calledOnceWith(secEx);
-  });
-
-  it('handles a case with an error in the input analysis from `.handleParsedBody`', function () {
-    const err = new Error('Input Analysis Error');
-
-    inputAnalysis.handleParsedBody.throws(err);
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter(payload);
-      cParser({}, {}, nextStub);
-    });
-
-    expect(core.logger.error).to.have.been.calledWith(
-      { err, funcKey: 'protect-input-analysis:multerMiddleware' },
-      'Unexpected error during input analysis'
-    );
-    expect(nextStub).to.have.been.calledOnce;
-    expect(nextStub).not.to.have.been.calledWith(err);
-  });
-
-  it('handles a case with an error in the input analysis from `.handleFileUploadName`', function () {
-    const err = new Error('Input Analysis Error');
-
-    inputAnalysis.handleFileUploadName.throws(err);
-    core.scopes.sources.run({ protect: {} }, () => {
-      const cParser = patchedMulter(payload);
-      cParser({}, {}, nextStub);
-    });
-
-    expect(core.logger.error).to.have.been.calledWith(
-      { err, funcKey: 'protect-input-analysis:multerMiddleware' },
-      'Unexpected error during input analysis'
-    );
-    expect(nextStub).to.have.been.calledOnce;
-    expect(nextStub).not.to.have.been.calledWith(err);
-  });
-});

package/lib/input-analysis/install/qs6.test.js

@@ -1,79 +0,0 @@
-'use strict';
-
-const sinon = require('sinon');
-const { expect } = require('chai');
-const scopes = require('@contrast/scopes');
-const patcher = require('@contrast/patcher');
-const mocks = require('@contrast/test/mocks');
-const qsInstr = require('./qs6');
-
-describe('protect input-analysis qs v6.x', function () {
-  let core, inputAnalysis, qsMock, patchedQs, query;
-
-
-  beforeEach(function () {
-    core = mocks.core();
-    core.logger = mocks.logger();
-    core.scopes = scopes(core);
-    core.protect = mocks.protect();
-    require('../../get-source-context')(core);
-    core.depHooks = mocks.depHooks();
-    core.patcher = patcher(core);
-
-    inputAnalysis = core.protect.inputAnalysis;
-    query = 'non-parsed';
-    qsMock = {
-      parse: (query) => ({ query } || {})
-    };
-    sinon.spy(core.patcher, 'patch');
-
-    qsInstr(core).install();
-    patchedQs = core.depHooks.resolve.yield(qsMock)[0];
-    core.patcher.patch.resetHistory();
-  });
-
-  it('calls patcher on the `.parse` method', function () {
-    core.depHooks.resolve.yield(qsMock);
-
-    expect(core.patcher.patch).to.have.been.calledOnce;
-    expect(core.patcher.patch).to.have.been.calledWithMatch(qsMock, 'parse', {
-      name: 'qs',
-      patchType: 'protect-input-analysis',
-      post: sinon.match.func
-    });
-  });
-
-  it('calls `.handleQueryParams` when parsing is successful, in right context and with reqData.queries present', function () {
-    core.scopes.sources.run({ protect: { reqData: { queries: 'non-parsed' } } }, () => {
-      patchedQs.parse(query);
-    });
-
-    expect(inputAnalysis.handleQueryParams).to.have.been.calledOnce;
-    expect(inputAnalysis.handleQueryParams).to.have.been.calledWithMatch({ parsedQuery: { query } }, { query });
-  });
-
-  it('does not call `.handleQueryParams` when parsing is successful, in right context but with reqData.queries not present', function () {
-    core.scopes.sources.run({ protect: { reqData: { queries: '' } } }, () => {
-      patchedQs.parse(query);
-    });
-
-    expect(inputAnalysis.handleQueryParams).not.to.have.been.called;
-    expect(core.logger.debug).not.to.have.been.called;
-  });
-
-  it('does not call `.handleQueryParams` when not in context', function () {
-    core.scopes.sources.run({}, () => {
-      patchedQs.parse(query);
-    });
-
-    expect(inputAnalysis.handleQueryParams).not.to.have.been.called;
-  });
-
-  it('does not call `.handleQueryParams` when `qs` does not return a result', function () {
-    core.scopes.sources.run({ protect: {} }, () => {
-      patchedQs.parse(null);
-    });
-
-    expect(inputAnalysis.handleQueryParams).not.to.have.been.called;
-  });
-});

package/lib/input-analysis/install/restify.test.js

@@ -1,98 +0,0 @@
-'use strict';
-
-const { expect } = require('chai');
-const sinon = require('sinon');
-const { initProtectFixture } = require('@contrast/test/fixtures');
-const SecurityException = require('../../security-exception');
-
-describe('protect input-analysis restify v8+', function () {
-  let core, simulateRequestScope, inputAnalysis, Server, req;
-
-  beforeEach(function () {
-    ({ core, simulateRequestScope } = initProtectFixture());
-    inputAnalysis = core.protect.inputAnalysis;
-    sinon.stub(inputAnalysis, 'handleParsedBody');
-    sinon.stub(inputAnalysis, 'handleUrlParams');
-    sinon.stub(inputAnalysis, 'handleQueryParams');
-
-    // we stub the _afterUse method to return the error argument so we can check
-    // that it is called with our own SecurityException. We cannot check the
-    // stub's calls since depHooks and patcher mangle the `Server` variable.
-    Server = { prototype: { _afterUse: sinon.stub().returnsArg(0) } };
-    req = {};
-
-    core.depHooks.resolve
-      .withArgs({ name: 'restify', file: 'lib/server.js', version: '>=8 <12' })
-      .yields(Server);
-
-    inputAnalysis.restifyInstrumentation.install();
-  });
-
-  it('does not handle request when not in context', function () {
-    simulateRequestScope(() => {
-      const result = Server.prototype._afterUse(undefined, req);
-
-      expect(inputAnalysis.handleParsedBody).not.to.have.been.called;
-      expect(inputAnalysis.handleUrlParams).not.to.have.been.called;
-      expect(inputAnalysis.handleQueryParams).not.to.have.been.called;
-      expect(result).to.be.undefined;
-    }, {});
-  });
-
-  [
-    ['body', 'handleParsedBody', 'parsedBody'],
-    ['params', 'handleUrlParams', 'parsedParams'],
-    ['query', 'handleQueryParams', 'parsedQuery'],
-  ].forEach(([prop, method, ctxProp]) => {
-    describe(prop, function () {
-      it(`handles the request ${prop}`, function () {
-        simulateRequestScope(() => {
-          req[prop] = { foo: 'bar' };
-          Server.prototype._afterUse(undefined, req);
-
-          expect(inputAnalysis[method]).to.have.been.calledWith(sinon.match.object, req[prop]);
-        });
-      });
-
-      it(`handles the request ${prop} when already parsed`, function () {
-        const store = { protect: { [ctxProp]: { something: 'else ' } } };
-
-        simulateRequestScope(() => {
-          req[prop] = { foo: 'bar' };
-          Server.prototype._afterUse(undefined, req);
-
-          expect(inputAnalysis[method]).not.to.have.been.called;
-        }, store);
-      });
-
-      it('calls through to _afterUse with a new error when one is thrown', function () {
-        simulateRequestScope(() => {
-          req[prop] = { foo: 'bar' };
-          const err = SecurityException.create();
-          inputAnalysis[method].throws(err);
-          const result = Server.prototype._afterUse(undefined, req);
-
-          expect(inputAnalysis[method]).to.have.been.calledWith(sinon.match.object, req[prop]);
-          expect(core.logger.error).not.to.have.been.called;
-          expect(result).to.equal(err);
-        });
-      });
-
-      it('logs an error when an unknown one is thrown', function () {
-        simulateRequestScope(() => {
-          req[prop] = { foo: 'bar' };
-          const err = new Error('eek');
-          inputAnalysis[method].throws(err);
-          const result = Server.prototype._afterUse(undefined, req);
-
-          expect(inputAnalysis[method]).to.have.been.calledWith(sinon.match.object, req[prop]);
-          expect(core.logger.error).to.have.been.calledWith(
-            sinon.match({ err }),
-            'Unexpected error during input analysis',
-          );
-          expect(result).to.be.undefined;
-        });
-      });
-    });
-  });
-});