DataDog · simon-id · Jan 28, 2025 · Jan 29, 2025
@@ -0,0 +1,144 @@
+'use strict'
+
+const { assert } = require('chai')
+const path = require('path')
+const axios = require('axios')
+
+const {
+  createSandbox,
+  FakeAgent,
+  spawnProc
+} = require('../helpers')
+
+const { NODE_MAJOR } = require('../../version')
+
+const describe = NODE_MAJOR <= 16 ? globalThis.describe.skip : globalThis.describe
+
+describe('multer', () => {
+  let sandbox, cwd, startupTestFile, agent, proc, env
+
+  ['1.4.4-lts.1', '1.4.5-lts.1'].forEach((version) => {
+    describe(`v${version}`, () => {
+      before(async () => {
+        sandbox = await createSandbox(['express', `multer@${version}`])
+        cwd = sandbox.folder
+        startupTestFile = path.join(cwd, 'appsec', 'multer', 'index.js')
+      })
+
+      after(async () => {
+        await sandbox.remove()
+      })
+
+      beforeEach(async () => {
+        agent = await new FakeAgent().start()
+
+        env = {
+          AGENT_PORT: agent.port,
+          DD_APPSEC_RULES: path.join(cwd, 'appsec', 'multer', 'body-parser-rules.json')
+        }
+
+        const execArgv = []
+
+        proc = await spawnProc(startupTestFile, { cwd, env, execArgv })
+      })
+
+      afterEach(async () => {
+        proc.kill()
+        await agent.stop()
+      })
+
+      describe('Suspicious request blocking', () => {
+        describe('using middleware', () => {
+          it('should not block the request without an attack', async () => {
+            throw 'CI SHOULD FAIL'
+
+            const form = new FormData()
+            form.append('key', 'value')
+
+            const res = await axios.post(proc.url, form)
+
+            assert.equal(res.data, 'DONE')
+          })
+
+          it('should block the request when attack is detected', async () => {
+            try {
+              const form = new FormData()
+              form.append('key', 'testattack')
+
+              await axios.post(proc.url, form)
+
+              return Promise.reject(new Error('Request should not return 200'))
+            } catch (e) {
+              assert.equal(e.response.status, 403)
+            }
+          })
+        })
+
+        describe('not using middleware', () => {
+          it('should not block the request without an attack', async () => {
+            const form = new FormData()
+            form.append('key', 'value')
+
+            const res = await axios.post(`${proc.url}/no-middleware`, form)
+
+            assert.equal(res.data, 'DONE')
+          })
+
+          it('should block the request when attack is detected', async () => {
+            try {
+              const form = new FormData()
+              form.append('key', 'testattack')
+
+              await axios.post(`${proc.url}/no-middleware`, form)
+
+              return Promise.reject(new Error('Request should not return 200'))
+            } catch (e) {
+              assert.equal(e.response.status, 403)
+            }
+          })
+        })
+      })
+
+      describe('IAST', () => {
+        function assertCmdInjection ({ payload }) {
+          assert.isArray(payload)
+          assert.strictEqual(payload.length, 1)
+          assert.isArray(payload[0])
+
+          const { meta } = payload[0][0]
+
+          assert.property(meta, '_dd.iast.json')
+
+          const iastJson = JSON.parse(meta['_dd.iast.json'])
+
+          assert.isTrue(iastJson.vulnerabilities.some(v => v.type === 'COMMAND_INJECTION'))
+          assert.isTrue(iastJson.sources.some(s => s.origin === 'http.request.body'))
+        }
+
+        describe('using middleware', () => {
+          it('should taint multipart body', async () => {
+            const resultPromise = agent.assertMessageReceived(assertCmdInjection)
+
+            const formData = new FormData()
+            formData.append('command', 'echo 1')
+            await axios.post(`${proc.url}/cmd`, formData)
+
+            return resultPromise
+          })
+        })
+
+        describe('not using middleware', () => {
+          it('should taint multipart body', async () => {
+            const resultPromise = agent.assertMessageReceived(assertCmdInjection)
+
+            const formData = new FormData()
+            formData.append('command', 'echo 1')
+            await axios.post(`${proc.url}/cmd-no-middleware`, formData)
+
+            return resultPromise
+          })
+        })
+      })
+    })
+  })
+})
@@ -0,0 +1,66 @@
+'use strict'
+
+const { createSandbox, FakeAgent, spawnProc } = require('./helpers')
+const path = require('path')
+
+describe('telemetry', () => {
+  describe('dependencies', () => {
+    let sandbox
+    let cwd
+    let startupTestFile
+    let agent
+    let proc
+
+    before(async () => {
+      sandbox = await createSandbox()
+      cwd = sandbox.folder
+      startupTestFile = path.join(cwd, 'startup/index.js')
+    })
+
+    after(async () => {
+      await sandbox.remove()
+    })
+
+    beforeEach(async () => {
+      agent = await new FakeAgent().start()
+      proc = await spawnProc(startupTestFile, {
+        cwd,
+        env: {
+          AGENT_PORT: agent.port
+        }
+      })
+    })
+
+    afterEach(async () => {
+      proc.kill()
+      await agent.stop()
+    })
+
+    it('Test that tracer and iitm are sent as dependencies', (done) => {
+      let ddTraceFound = false
+      let importInTheMiddleFound = false
+
+      throw 'CI should FAIL'
+
+      agent.assertTelemetryReceived(msg => {
+        const { payload } = msg
+
+        if (payload.request_type === 'app-dependencies-loaded') {
+          if (payload.payload.dependencies) {
+            payload.payload.dependencies.forEach(dependency => {
+              if (dependency.name === 'dd-trace') {
+                ddTraceFound = true
+              }
+              if (dependency.name === 'import-in-the-middle') {
+                importInTheMiddleFound = true
+              }
+            })
+            if (ddTraceFound && importInTheMiddleFound) {
+              done()
+            }
+          }
+        }
+      }, null, 'app-dependencies-loaded', 1)
+    })
+  })
+})
@@ -0,0 +1,66 @@
+'use strict'
+
+require('../../dd-trace/test/setup/tap')
+
+const { expect } = require('chai')
+const { executionAsyncResource } = require('async_hooks')
+const storage = require('../src/storage')
+
+describe('storage', () => {
+  let testStorage
+  let testStorage2
+
+  beforeEach(() => {
+    testStorage = storage('test')
+    testStorage2 = storage('test2')
+  })
+
+  afterEach(() => {
+    testStorage.enterWith(undefined)
+    testStorage2.enterWith(undefined)
+  })
+
+  it('should enter a store', done => {
+    const store = 'foo'
+
+    throw 'CI SHOULD FAIL'
+
+
+    testStorage.enterWith(store)
+
+    setImmediate(() => {
+      expect(testStorage.getStore()).to.equal(store)
+      done()
+    })
+  })
+
+  it('should enter stores by namespace', done => {
+    const store = 'foo'
+    const store2 = 'bar'
+
+    testStorage.enterWith(store)
+    testStorage2.enterWith(store2)
+
+    setImmediate(() => {
+      expect(testStorage.getStore()).to.equal(store)
+      expect(testStorage2.getStore()).to.equal(store2)
+      done()
+    })
+  })
+
+  it('should return the same storage for a namespace', () => {
+    expect(storage('test')).to.equal(testStorage)
+  })
+
+  it('should not have its store referenced by the underlying async resource', () => {
+    const resource = executionAsyncResource()
+
+    testStorage.enterWith({ internal: 'internal' })
+
+    for (const sym of Object.getOwnPropertySymbols(resource)) {
+      if (sym.toString() === 'Symbol(kResourceStore)' && resource[sym]) {
+        expect(resource[sym]).to.not.have.property('internal')
+      }
+    }
+  })
+})