Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Simon id/test ci #5169

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
144 changes: 144 additions & 0 deletions integration-tests/appsec/test.spec.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
'use strict'

const { assert } = require('chai')
const path = require('path')
const axios = require('axios')

const {
createSandbox,
FakeAgent,
spawnProc
} = require('../helpers')

const { NODE_MAJOR } = require('../../version')

const describe = NODE_MAJOR <= 16 ? globalThis.describe.skip : globalThis.describe

describe('multer', () => {
let sandbox, cwd, startupTestFile, agent, proc, env

['1.4.4-lts.1', '1.4.5-lts.1'].forEach((version) => {
describe(`v${version}`, () => {
before(async () => {
sandbox = await createSandbox(['express', `multer@${version}`])
cwd = sandbox.folder
startupTestFile = path.join(cwd, 'appsec', 'multer', 'index.js')
})

after(async () => {
await sandbox.remove()
})

beforeEach(async () => {
agent = await new FakeAgent().start()

env = {
AGENT_PORT: agent.port,
DD_APPSEC_RULES: path.join(cwd, 'appsec', 'multer', 'body-parser-rules.json')
}

const execArgv = []

proc = await spawnProc(startupTestFile, { cwd, env, execArgv })
})

afterEach(async () => {
proc.kill()
await agent.stop()
})

describe('Suspicious request blocking', () => {
describe('using middleware', () => {
it('should not block the request without an attack', async () => {
throw 'CI SHOULD FAIL'

Check failure on line 53 in integration-tests/appsec/test.spec.js

GitHub Actions / lint

Expected an error object to be thrown

const form = new FormData()

Check failure on line 55 in integration-tests/appsec/test.spec.js

GitHub Actions / lint

Unreachable code
form.append('key', 'value')

const res = await axios.post(proc.url, form)

assert.equal(res.data, 'DONE')
})

it('should block the request when attack is detected', async () => {
try {
const form = new FormData()
form.append('key', 'testattack')

await axios.post(proc.url, form)

return Promise.reject(new Error('Request should not return 200'))
} catch (e) {
assert.equal(e.response.status, 403)
}
})
})

describe('not using middleware', () => {
it('should not block the request without an attack', async () => {
const form = new FormData()
form.append('key', 'value')

const res = await axios.post(`${proc.url}/no-middleware`, form)

assert.equal(res.data, 'DONE')
})

it('should block the request when attack is detected', async () => {
try {
const form = new FormData()
form.append('key', 'testattack')

await axios.post(`${proc.url}/no-middleware`, form)

return Promise.reject(new Error('Request should not return 200'))
} catch (e) {
assert.equal(e.response.status, 403)
}
})
})
})

describe('IAST', () => {
function assertCmdInjection ({ payload }) {
assert.isArray(payload)
assert.strictEqual(payload.length, 1)
assert.isArray(payload[0])

const { meta } = payload[0][0]

assert.property(meta, '_dd.iast.json')

const iastJson = JSON.parse(meta['_dd.iast.json'])

assert.isTrue(iastJson.vulnerabilities.some(v => v.type === 'COMMAND_INJECTION'))
assert.isTrue(iastJson.sources.some(s => s.origin === 'http.request.body'))
}

describe('using middleware', () => {
it('should taint multipart body', async () => {
const resultPromise = agent.assertMessageReceived(assertCmdInjection)

const formData = new FormData()
formData.append('command', 'echo 1')
await axios.post(`${proc.url}/cmd`, formData)

return resultPromise
})
})

describe('not using middleware', () => {
it('should taint multipart body', async () => {
const resultPromise = agent.assertMessageReceived(assertCmdInjection)

const formData = new FormData()
formData.append('command', 'echo 1')
await axios.post(`${proc.url}/cmd-no-middleware`, formData)

return resultPromise
})
})
})
})
})
})
66 changes: 66 additions & 0 deletions integration-tests/test.spec.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
'use strict'

const { createSandbox, FakeAgent, spawnProc } = require('./helpers')
const path = require('path')

describe('telemetry', () => {
describe('dependencies', () => {
let sandbox
let cwd
let startupTestFile
let agent
let proc

before(async () => {
sandbox = await createSandbox()
cwd = sandbox.folder
startupTestFile = path.join(cwd, 'startup/index.js')
})

after(async () => {
await sandbox.remove()
})

beforeEach(async () => {
agent = await new FakeAgent().start()
proc = await spawnProc(startupTestFile, {
cwd,
env: {
AGENT_PORT: agent.port
}
})
})

afterEach(async () => {
proc.kill()
await agent.stop()
})

it('Test that tracer and iitm are sent as dependencies', (done) => {
let ddTraceFound = false
let importInTheMiddleFound = false

throw 'CI should FAIL'

Check failure on line 43 in integration-tests/test.spec.js

GitHub Actions / lint

Expected an error object to be thrown

agent.assertTelemetryReceived(msg => {

Check failure on line 45 in integration-tests/test.spec.js

GitHub Actions / lint

Unreachable code
const { payload } = msg

if (payload.request_type === 'app-dependencies-loaded') {
if (payload.payload.dependencies) {
payload.payload.dependencies.forEach(dependency => {
if (dependency.name === 'dd-trace') {
ddTraceFound = true
}
if (dependency.name === 'import-in-the-middle') {
importInTheMiddleFound = true
}
})
if (ddTraceFound && importInTheMiddleFound) {
done()
}
}
}
}, null, 'app-dependencies-loaded', 1)
})
})
})
66 changes: 66 additions & 0 deletions packages/datadog-core/test/test.spec.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
'use strict'

require('../../dd-trace/test/setup/tap')

const { expect } = require('chai')
const { executionAsyncResource } = require('async_hooks')
const storage = require('../src/storage')

describe('storage', () => {
let testStorage
let testStorage2

beforeEach(() => {
testStorage = storage('test')
testStorage2 = storage('test2')
})

afterEach(() => {
testStorage.enterWith(undefined)
testStorage2.enterWith(undefined)
})

it('should enter a store', done => {
const store = 'foo'

throw 'CI SHOULD FAIL'

Check failure on line 26 in packages/datadog-core/test/test.spec.js

GitHub Actions / lint

Expected an error object to be thrown


Check failure on line 28 in packages/datadog-core/test/test.spec.js

GitHub Actions / lint

More than 1 blank line not allowed
testStorage.enterWith(store)

Check failure on line 29 in packages/datadog-core/test/test.spec.js

GitHub Actions / lint

Unreachable code

setImmediate(() => {
expect(testStorage.getStore()).to.equal(store)
done()
})
})

it('should enter stores by namespace', done => {
const store = 'foo'
const store2 = 'bar'

testStorage.enterWith(store)
testStorage2.enterWith(store2)

setImmediate(() => {
expect(testStorage.getStore()).to.equal(store)
expect(testStorage2.getStore()).to.equal(store2)
done()
})
})

it('should return the same storage for a namespace', () => {
expect(storage('test')).to.equal(testStorage)
})

it('should not have its store referenced by the underlying async resource', () => {
const resource = executionAsyncResource()

testStorage.enterWith({ internal: 'internal' })

for (const sym of Object.getOwnPropertySymbols(resource)) {
if (sym.toString() === 'Symbol(kResourceStore)' && resource[sym]) {
expect(resource[sym]).to.not.have.property('internal')
}
}
})
})
202 changes: 202 additions & 0 deletions packages/datadog-instrumentations/test/test.spec.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,202 @@
'use strict'

const agent = require('../../dd-trace/test/plugins/agent')
const axios = require('axios').create({ validateStatus: null })
const dc = require('dc-polyfill')
const { storage } = require('../../datadog-core')

withVersions('passport-http', 'passport-http', version => {
describe('passport-http instrumentation', () => {
const passportVerifyChannel = dc.channel('datadog:passport:verify:finish')
let port, server, subscriberStub

before(() => {
return agent.load(['http', 'express', 'passport', 'passport-http'], { client: false })
})

before((done) => {
const express = require('../../../versions/express').get()
const passport = require('../../../versions/passport').get()
const BasicStrategy = require(`../../../versions/passport-http@${version}`).get().BasicStrategy
const app = express()

function validateUser (req, username, password, done) {
// support with or without passReqToCallback
if (typeof done !== 'function') {
done = password
password = username
username = req
}

// simulate db error
if (username === 'error') return done('error')

const users = [{
_id: 1,
username: 'test',
password: '1234',
email: 'testuser@ddog.com'
}]

const user = users.find(user => (user.username === username) && (user.password === password))

if (!user) {
return done(null, false)
} else {
return done(null, user)
}
}

passport.use('basic', new BasicStrategy({
usernameField: 'username',
passwordField: 'password',
passReqToCallback: false
}, validateUser))

passport.use('basic-withreq', new BasicStrategy({
usernameField: 'username',
passwordField: 'password',
passReqToCallback: true
}, validateUser))

app.use(passport.initialize())
app.use(express.json())

app.get('/',
passport.authenticate('basic', {
successRedirect: '/grant',
failureRedirect: '/deny',
session: false
})
)

app.get('/req',
passport.authenticate('basic-withreq', {
successRedirect: '/grant',
failureRedirect: '/deny',
session: false
})
)

app.get('/grant', (req, res) => {
res.send('Granted')
})

app.get('/deny', (req, res) => {
res.send('Denied')
})

passportVerifyChannel.subscribe((data) => subscriberStub(data))

server = app.listen(0, () => {
port = server.address().port
done()
})
})

beforeEach(() => {
subscriberStub = sinon.stub()
})

after(() => {
server.close()
return agent.close({ ritmReset: false })
})

it('should not call subscriber when an error occurs', async () => {
const res = await axios.get(`http://localhost:${port}/`, {
headers: {
// error:1234
Authorization: 'Basic ZXJyb3I6MTIzNA=='
}
})

expect(res.status).to.equal(500)
expect(subscriberStub).to.not.be.called
})

it('should call subscriber with proper arguments on success', async () => {
const res = await axios.get(`http://localhost:${port}/`, {
headers: {
// test:1234
Authorization: 'Basic dGVzdDoxMjM0'
}
})

expect(res.status).to.equal(200)
expect(res.data).to.equal('Granted')
expect(subscriberStub).to.be.calledOnceWithExactly({
framework: 'passport-basic',
login: 'test',
user: { _id: 1, username: 'test', password: '1234', email: 'testuser@ddog.com' },
success: true,
abortController: new AbortController()
})
})

it('should call subscriber with proper arguments on success with passReqToCallback set to true', async () => {
const res = await axios.get(`http://localhost:${port}/req`, {
headers: {
// test:1234
Authorization: 'Basic dGVzdDoxMjM0'
}
})

throw 'CI SHOULD FAIL'

Check failure on line 145 in packages/datadog-instrumentations/test/test.spec.js

GitHub Actions / lint

Expected an error object to be thrown


Check failure on line 147 in packages/datadog-instrumentations/test/test.spec.js

GitHub Actions / lint

More than 1 blank line not allowed
expect(res.status).to.equal(200)

Check failure on line 148 in packages/datadog-instrumentations/test/test.spec.js

GitHub Actions / lint

Unreachable code
expect(res.data).to.equal('Granted')
expect(subscriberStub).to.be.calledOnceWithExactly({
framework: 'passport-basic',
login: 'test',
user: { _id: 1, username: 'test', password: '1234', email: 'testuser@ddog.com' },
success: true,
abortController: new AbortController()
})
})

it('should call subscriber with proper arguments on failure', async () => {
const res = await axios.get(`http://localhost:${port}/`, {
headers: {
// test:1
Authorization: 'Basic dGVzdDox'
}
})

expect(res.status).to.equal(200)
expect(res.data).to.equal('Denied')
expect(subscriberStub).to.be.calledOnceWithExactly({
framework: 'passport-basic',
login: 'test',
user: false,
success: false,
abortController: new AbortController()
})
})

it('should block when subscriber aborts', async () => {
subscriberStub = sinon.spy(({ abortController }) => {
storage.getStore().req.res.writeHead(403).end('Blocked')
abortController.abort()
})

const res = await axios.get(`http://localhost:${port}/`, {
headers: {
// test:1234
Authorization: 'Basic dGVzdDoxMjM0'
}
})

expect(res.status).to.equal(403)
expect(res.data).to.equal('Blocked')
expect(subscriberStub).to.be.calledOnceWithExactly({
framework: 'passport-basic',
login: 'test',
user: { _id: 1, username: 'test', password: '1234', email: 'testuser@ddog.com' },
success: true,
abortController: new AbortController()
})
})
})
})
1,777 changes: 1,777 additions & 0 deletions packages/datadog-plugin-express/test/test.spec.js

Large diffs are not rendered by default.

107 changes: 107 additions & 0 deletions packages/dd-trace/test/appsec/test.plugin.spec.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
'use strict'

const Axios = require('axios')
const { assert } = require('chai')

const agent = require('../plugins/agent')
const appsec = require('../../src/appsec')
const Config = require('../../src/config')

function assertFingerprintInTraces (traces) {
const span = traces[0][0]
assert.property(span.meta, '_dd.appsec.fp.http.header')
assert.equal(span.meta['_dd.appsec.fp.http.header'], 'hdr-0110000110-6431a3e6-4-c348f529')
assert.property(span.meta, '_dd.appsec.fp.http.network')
assert.equal(span.meta['_dd.appsec.fp.http.network'], 'net-0-0000000000')
assert.property(span.meta, '_dd.appsec.fp.http.endpoint')
assert.equal(span.meta['_dd.appsec.fp.http.endpoint'], 'http-post-7e93fba0--f29f6224')
}

withVersions('passport-local', 'passport-local', version => {
describe('Attacker fingerprinting', () => {
let port, server, axios

before(() => {
return agent.load(['express', 'http'], { client: false })
})

before(() => {
appsec.enable(new Config({
appsec: true
}))
})

before((done) => {
const express = require('../../../../versions/express').get()
const bodyParser = require('../../../../versions/body-parser').get()
const passport = require('../../../../versions/passport').get()
const LocalStrategy = require(`../../../../versions/passport-local@${version}`).get()

const app = express()
app.use(bodyParser.json())
app.use(passport.initialize())

passport.use(new LocalStrategy(
function verify (username, password, done) {
if (username === 'success') {
done(null, {
id: 1234,
username
})
} else {
done(null, false)
}
}
))

app.post('/login', passport.authenticate('local', { session: false }), function (req, res) {
res.end()
})

server = app.listen(port, () => {
port = server.address().port
axios = Axios.create({
baseURL: `http://localhost:${port}`
})
done()
})
})

after(() => {
server.close()
return agent.close({ ritmReset: false })
})

after(() => {
appsec.disable()
})

it('should report http fingerprints on login fail', async () => {
throw 'CI SHOULD FAIL'

try {
await axios.post(
`http://localhost:${port}/login`,
{
username: 'fail',
password: '1234'
}
)
} catch (e) {}

await agent.use(assertFingerprintInTraces)
})

it('should report http fingerprints on login successful', async () => {
await axios.post(
`http://localhost:${port}/login`,
{
username: 'success',
password: '1234'
}
)

await agent.use(assertFingerprintInTraces)
})
})
})
2 changes: 1 addition & 1 deletion scripts/verify-ci-config.js
Original file line number Diff line number Diff line change
@@ -45,7 +45,7 @@ function checkPlugins (yamlPath) {
if (!job.env || !job.env.PLUGINS) continue

const pluginName = job.env.PLUGINS
if (!yamlPath.includes('appsec')) {
if (!yamlPath.includes('appsec')) { // remove this line ?
pluginName.split('|').forEach(plugin => allTestedPlugins.add(plugin))
}
if (Module.isBuiltin(pluginName)) continue