const t = require("tap");
const { spawn } = require("child_process");
const { resolve } = require("path");
const timeout = require("../timeout");
// Absolute path of the express-mongodb sample app that each test boots in a child process.
const sampleAppDir = resolve(__dirname, "../../sample-apps/express-mongodb");
const pathToApp = resolve(sampleAppDir, "app.js");

// Spawning the app, waiting for it to listen and making requests takes a while;
// lift tap's per-test timeout accordingly.
t.setTimeout(60000);
/**
 * Blocking mode: the sample app is started with AIKIDO_BLOCK=true, a benign
 * request must succeed (200) and the injection-shaped request must be
 * rejected (500), with the agent logging that it blocked a JavaScript injection.
 * The test ends when the child process closes; the child is killed in `finally`.
 */
t.test("it blocks in blocking mode", (t) => {
  const server = spawn("node", [pathToApp, "4000"], {
    env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCK: "true" },
  });

  let stdout = "";
  let stderr = "";
  server.on("close", () => t.end());
  server.on("error", (err) => t.fail(err));
  // Both pipes are drained; stdout is what the assertions below inspect.
  server.stdout.on("data", (chunk) => {
    stdout += chunk.toString();
  });
  server.stderr.on("data", (chunk) => {
    stderr += chunk.toString();
  });

  const requestHello = (name) =>
    fetch(`http://127.0.0.1:4000/hello/${encodeURIComponent(name)}`, {
      signal: AbortSignal.timeout(5000),
    });

  const exercise = async () => {
    // Give the child process time to bind its port before sending requests.
    await timeout(2000);
    // 'hans" //' is the injection-shaped input the agent is expected to block.
    const [safeName, unsafeName] = await Promise.all([
      requestHello("hans"),
      requestHello('hans" //'),
    ]);
    t.equal(safeName.status, 200);
    t.equal(unsafeName.status, 500);
    t.match(stdout, /Starting agent/);
    t.match(stdout, /Zen has blocked a JavaScript injection/);
  };

  exercise()
    .catch((error) => {
      t.fail(error);
    })
    .finally(() => {
      server.kill();
    });
});
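/**
 * Dry (detection-only) mode: the sample app is started without AIKIDO_BLOCK,
 * so both the benign and the injection-shaped request must return 200 while
 * the agent only logs that it detected a JavaScript injection.
 * The test ends when the child process closes; the child is killed in `finally`.
 *
 * Fix: unlike the blocking-mode test, this test had no "error" listener on the
 * child process. A spawn failure (e.g. `node` missing from PATH) would then be
 * an unhandled ChildProcess "error" event and crash the test run instead of
 * failing this test cleanly; the listener is now registered in both tests.
 */
t.test("it does not block in dry mode", (t) => {
  const server = spawn("node", [pathToApp, "4001"], {
    env: { ...process.env, AIKIDO_DEBUG: "true" },
  });

  let stdout = "";
  let stderr = "";
  server.on("close", () => t.end());
  server.on("error", (err) => t.fail(err));
  // Both pipes are drained; stdout is what the assertions below inspect.
  server.stdout.on("data", (chunk) => {
    stdout += chunk.toString();
  });
  server.stderr.on("data", (chunk) => {
    stderr += chunk.toString();
  });

  const requestHello = (name) =>
    fetch(`http://127.0.0.1:4001/hello/${encodeURIComponent(name)}`, {
      signal: AbortSignal.timeout(5000),
    });

  const exercise = async () => {
    // Give the child process time to bind its port before sending requests.
    await timeout(2000);
    // 'hans" //' is the injection-shaped input; in dry mode it is only reported.
    const [safeName, unsafeName] = await Promise.all([
      requestHello("hans"),
      requestHello('hans" //'),
    ]);
    t.equal(safeName.status, 200);
    t.equal(unsafeName.status, 200);
    t.match(stdout, /Starting agent/);
    t.match(stdout, /Zen has detected a JavaScript injection/);
  };

  exercise()
    .catch((error) => {
      t.fail(error);
    })
    .finally(() => {
      server.kill();
    });
});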