Add sources tests

DataDog · Jun 19, 2023 · eb54394 · eb54394
1 parent cc53a8a
commit eb54394
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 5 deletions.
diff --git a/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js b/packages/dd-trace/test/appsec/iast/taint-tracking/plugin.express.plugin.spec.js
@@ -0,0 +1,55 @@
+'use strict'
+
+const { prepareTestServerForIastInExpress } = require('../utils')
+const axios = require('axios')
+
+function noop () {}
+describe('Taint tracking plugin sources express tests', () => {
+  withVersions('express', 'express', '>=4.8.0', version => {
+    prepareTestServerForIastInExpress('in express', version,
+      (testThatRequestHasVulnerability, _, config) => {
+        describe('tainted body', () => {
+          function makePostRequest (done) {
+            axios.post(`http://localhost:${config.port}/`, {
+              command: 'echo 1'
+            }).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            childProcess.exec(req.body.command, noop)
+          }, 'COMMAND_INJECTION', 1, () => {
+          }, makePostRequest)
+        })
+
+        describe('tainted query param', () => {
+          function makeRequestWithParams (done) {
+            axios.get(`http://localhost:${config.port}/?command=echo`).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            childProcess.exec(req.query.command, noop)
+          }, 'COMMAND_INJECTION', 1, () => {
+          }, makeRequestWithParams)
+        })
+
+        describe('tainted header', () => {
+          function makeRequestWithHeaders (done) {
+            axios.get(`http://localhost:${config.port}/`, {
+              headers: {
+                'x-iast-test-command': 'echo 1'
+              }
+            }).catch(done)
+          }
+
+          testThatRequestHasVulnerability((req) => {
+            const childProcess = require('child_process')
+            childProcess.exec(req.headers['x-iast-test-command'], noop)
+          }, 'COMMAND_INJECTION', 1, () => {
+          }, makeRequestWithHeaders)
+        })
+      }
+    )
+  })
+})
diff --git a/packages/dd-trace/test/appsec/iast/utils.js b/packages/dd-trace/test/appsec/iast/utils.js
@@ -146,7 +146,7 @@ function checkNoVulnerabilityInRequest (vulnerability, config, done) {
     .catch(done)
   axios.get(`http://localhost:${config.port}/`).catch(done)
 }
-function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb, config, done) {
+function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb, makeRequest, config, done) {
   let location
   let occurrences = occurrencesAndLocation
   if (typeof occurrencesAndLocation === 'object') {
@@ -195,7 +195,11 @@ function checkVulnerabilityInRequest (vulnerability, occurrencesAndLocation, cb,
     })
     .then(done)
     .catch(done)
-  axios.get(`http://localhost:${config.port}/`).catch(done)
+  if (makeRequest) {
+    makeRequest(done)
+  } else {
+    axios.get(`http://localhost:${config.port}/`).catch(done)
+  }
 }
 
 function prepareTestServerForIast (description, tests, iastConfig) {
@@ -247,7 +251,7 @@ function prepareTestServerForIast (description, tests, iastConfig) {
       it(`should have ${vulnerability} vulnerability`, function (done) {
         this.timeout(5000)
         app = fn
-        checkVulnerabilityInRequest(vulnerability, occurrences, cb, config, done)
+        checkVulnerabilityInRequest(vulnerability, occurrences, cb, undefined, config, done)
       })
     }
 
@@ -278,7 +282,10 @@ function prepareTestServerForIastInExpress (description, expressVersion, tests)
 
     before((done) => {
       const express = require(`../../../../../versions/express@${expressVersion}`).get()
+      const bodyParser = require(`../../../../../versions/body-parser`).get()
       const expressApp = express()
+      expressApp.use(bodyParser.json())
+
       expressApp.all('/', listener)
       getPort().then(newPort => {
         config.port = newPort
@@ -300,11 +307,11 @@ function prepareTestServerForIastInExpress (description, expressVersion, tests)
       return agent.close({ ritmReset: false })
     })
 
-    function testThatRequestHasVulnerability (fn, vulnerability, occurrences, cb) {
+    function testThatRequestHasVulnerability (fn, vulnerability, occurrences, cb, makeRequest) {
       it(`should have ${vulnerability} vulnerability`, function (done) {
         this.timeout(5000)
         app = fn
-        checkVulnerabilityInRequest(vulnerability, occurrences, cb, config, done)
+        checkVulnerabilityInRequest(vulnerability, occurrences, cb, makeRequest, config, done)
       })
     }