From 11d16d79de7fd2e119e79ea42caa82c487c8808c Mon Sep 17 00:00:00 2001
From: Ugaitz Urien
Date: Mon, 19 Jun 2023 17:01:38 +0200
Subject: [PATCH] Add sources tests (#3249)

* Add sources tests

* styles
---
 .../plugin.express.plugin.spec.js | 53 +++++++++++++++++++
 packages/dd-trace/test/appsec/iast/utils.js | 17 ++++--
 2 files changed, 65 insertions(+), 5 deletions(-)
 create mode 100644 packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
diff --git a/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js b/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
new file mode 100644
index 00000000000..f2a8193d1be
--- /dev/null
+++ b/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
@@ -0,0 +1,53 @@
+'use strict'
+
+const { prepareTestServerForIastInExpress } = require('../utils')
+const axios = require('axios')
+
+function noop () {}
+
+describe('Taint tracking plugin sources express tests', () => {
+  withVersions('express', 'express', '>=4.8.0', version => {
+    prepareTestServerForIastInExpress('in express', version,
+      (testThatRequestHasVulnerability, _, config) => {
+        describe('tainted body', () => {
+          function makePostRequest (done) {
+            axios.post(`http://localhost:${config.port}/`, {
+              command: 'echo 1'
+            }).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            childProcess.exec(req.body.command, noop)
+          }, 'COMMAND_INJECTION', 1, noop, makePostRequest)
+        })
+
+        describe('tainted query param', () => {
+          function makeRequestWithQueryParam (done) {
+            axios.get(`http://localhost:${config.port}/?command=echo`).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            childProcess.exec(req.query.command, noop)
+          }, 'COMMAND_INJECTION', 1, noop, makeRequestWithQueryParam)
+        })
+
+        describe('tainted header', () => {
+          function makeRequestWithHeader (done) {
+            axios.get(`http://localhost:${config.port}/`, {
+              headers: {
+                'x-iast-test-command': 'echo 1'
+              }
+            }).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            childProcess.exec(req.headers['x-iast-test-command'], noop)
+          }, 'COMMAND_INJECTION', 1, noop, makeRequestWithHeader)
+        })
+      }
+    )
+  })
+})
diff --git a/packages/dd-trace/test/appsec/iast/utils.js b/packages/dd-trace/test/appsec/iast/utils.js
index 3bed8af71a9..6eacca0c208 100644
--- a/packages/dd-trace/test/appsec/iast/utils.js
+++ b/packages/dd-trace/test/appsec/iast/utils.js
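Review bot: The three handlers passed to `testThatRequestHasVulnerability` are the same `child_process.exec` sink fed from a different taint source, but nothing in the file says which source each `describe` is meant to exercise or that these handlers are deliberately vulnerable fixtures whose only job is to confirm IAST reports COMMAND_INJECTION for body, query-string and header propagation. A one-line comment per block (`// source: JSON body, relies on bodyParser.json() registered by the test app`, `// source: req.query`, `// source: req.headers`) and a short file header stating that intent would make the file self-explaining. The duplicated handler body could also be collapsed into one helper, `const execFrom = (pick) => (req) => require('child_process').exec(pick(req), noop)`, used as `execFrom((req) => req.body.command)` and so on; if the inline `require('child_process')` inside each handler is intentional so the module is loaded only after the tracer's hooks are in place, say so in a comment rather than leaving a reader to hoist it. `withVersions` is used without a `require`, so it is presumably a global installed by the test harness; a comment to that effect would save the next reader a search.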
@@ -146,7 +146,7 @@ function checkNoVulnerabilityInRequest (vulnerability, config, done) {
     .catch(done)
   axios.get(`http://localhost:${config.port}/`).catch(done)
 }
-function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb, config, done) {
+function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb, makeRequest, config, done) {
   let location
   let occurrences = occurrencesAndLocation
   if (typeof occurrencesAndLocation === 'object') {
@@ -195,7 +195,11 @@ function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb,
     })
     .then(done)
     .catch(done)
-  axios.get(`http://localhost:${config.port}/`).catch(done)
+  if (makeRequest) {
+    makeRequest(done)
+  } else {
+    axios.get(`http://localhost:${config.port}/`).catch(done)
+  }
 }
 function prepareTestServerForIast (description, tests, iastConfig) {
@@ -247,7 +251,7 @@ function prepareTestServerForIast (description, tests, iastConfig) {
     it(`should have ${vulnerability} vulnerability`, function (done) {
       this.timeout(5000)
       app = fn
-      checkVulnerabilityInRequest(vulnerability, occurrences, cb, config, done)
+      checkVulnerabilityInRequest(vulnerability, occurrences, cb, undefined, config, done)
     })
   }
@@ -278,7 +282,10 @@ function prepareTestServerForIastInExpress (description, expressVersion, tests)
   before((done) => {
     const express = require(`../../../../../versions/express@${expressVersion}`).get()
+    const bodyParser = require(`../../../../../versions/body-parser`).get()
     const expressApp = express()
+    expressApp.use(bodyParser.json())
+    expressApp.all('/', listener)
     getPort().then(newPort => {
       config.port = newPort
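Review bot: The new `makeRequest` parameter on `checkVulnerabilityInRequest` has no documented contract, and the `if (makeRequest)` branch in the `@@ -195` hunk hands it the same mocha `done` that the assertion chain just above already completes through `.then(done).catch(done)`; a `makeRequest` that calls `done()` on success instead of only on failure would end the test before the vulnerability assertion runs and trigger mocha's multiple-`done` error. The callers added in the new spec use `.catch(done)` only, so they are fine, but the requirement is implicit; a JSDoc line on the signature such as `@param {(done: Function) => void} [makeRequest] issues the request that reaches the vulnerable handler; must call done only with an error, never on success, since the agent assertion completes the test` would capture it, or the call could be guarded with `makeRequest((err) => { if (err) done(err) })`. The parameter is also inserted positionally before `config`, so any caller outside these hunks still passing five arguments would have its `config` taken as `makeRequest` and then invoked; the `@@ -247` hunk updates the one visible caller with an explicit `undefined`. The body of `checkVulnerabilityInRequest` between the two hunks is outside this view.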
@@ -300,11 +307,11 @@ function prepareTestServerForIastInExpress (description, expressVersion, tests)
     return agent.close({ ritmReset: false })
   })
-  function testThatRequestHasVulnerability (fn, vulnerability, occurrences, cb) {
+  function testThatRequestHasVulnerability (fn, vulnerability, occurrences, cb, makeRequest) {
     it(`should have ${vulnerability} vulnerability`, function (done) {
       this.timeout(5000)
       app = fn
-      checkVulnerabilityInRequest(vulnerability, occurrences, cb, config, done)
+      checkVulnerabilityInRequest(vulnerability, occurrences, cb, makeRequest, config, done)
     })
   }
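Review bot: `testThatRequestHasVulnerability` gains an optional fifth positional parameter `makeRequest` with no documentation, and because `cb` before it is also optional, any call site that wants a custom request must pass a placeholder for `cb` (the new spec passes `noop`). A short JSDoc stating that `makeRequest` is forwarded to `checkVulnerabilityInRequest` and that a plain GET to `/` on the test server is issued when it is omitted would help, e.g. `@param {(done: Function) => void} [makeRequest] custom request that triggers the handler under test; must report only failures via done; defaults to GET /`. If more optional knobs are expected, an options object (`{ cb, makeRequest }`) would read better than a growing positional list, though that is a style choice. This function is nested inside `prepareTestServerForIastInExpress`, whose body begins before the hunk.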