Add end2end test for code injection using new Function(...)

hansott · hansott · commit 2a7ca88db521 · 2025-03-19T12:08:56.000+01:00
diff --git a/end2end/tests/express-mongodb.test.js b/end2end/tests/express-mongodb.test.js
@@ -21,7 +21,7 @@ t.test("it blocks in blocking mode", (t) => {
   });
 
   server.on("error", (err) => {
-    t.fail(err.message);
+    t.fail(err);
   });
 
   let stdout = "";
@@ -47,17 +47,27 @@ t.test("it blocks in blocking mode", (t) => {
         fetch("http://127.0.0.1:4000/?search=title", {
           signal: AbortSignal.timeout(5000),
         }),
+        fetch("http://127.0.0.1:4000/hello/hans", {
+          signal: AbortSignal.timeout(5000),
+        }),
+        fetch(`http://127.0.0.1:4000/hello/${encodeURIComponent(`hans" //`)}`, {
+          signal: AbortSignal.timeout(5000),
+        }),
       ]);
     })
-    .then(([noSQLInjection, jsInjection, normalSearch]) => {
-      t.equal(noSQLInjection.status, 500);
-      t.equal(jsInjection.status, 500);
-      t.equal(normalSearch.status, 200);
-      t.match(stdout, /Starting agent/);
-      t.match(stderr, /Zen has blocked a NoSQL injection/);
-    })
+    .then(
+      ([noSQLInjection, jsInjection, normalSearch, safeName, unsafeName]) => {
+        t.equal(noSQLInjection.status, 500);
+        t.equal(jsInjection.status, 500);
+        t.equal(normalSearch.status, 200);
+        t.equal(safeName.status, 200);
+        t.equal(unsafeName.status, 500);
+        t.match(stdout, /Starting agent/);
+        t.match(stderr, /Zen has blocked a NoSQL injection/);
+      }
+    )
     .catch((error) => {
-      t.fail(error.message);
+      t.fail(error);
     })
     .finally(() => {
       server.kill();
@@ -96,17 +106,27 @@ t.test("it does not block in dry mode", (t) => {
         fetch("http://127.0.0.1:4001/?search=title", {
           signal: AbortSignal.timeout(5000),
         }),
+        fetch("http://127.0.0.1:4001/hello/hans", {
+          signal: AbortSignal.timeout(5000),
+        }),
+        fetch(`http://127.0.0.1:4001/hello/${encodeURIComponent(`hans" //`)}`, {
+          signal: AbortSignal.timeout(5000),
+        }),
       ])
     )
-    .then(([noSQLInjection, jsInjection, normalSearch]) => {
-      t.equal(noSQLInjection.status, 200);
-      t.equal(jsInjection.status, 200);
-      t.equal(normalSearch.status, 200);
-      t.match(stdout, /Starting agent/);
-      t.notMatch(stderr, /Zen has blocked a NoSQL injection/);
-    })
+    .then(
+      ([noSQLInjection, jsInjection, normalSearch, safeName, unsafeName]) => {
+        t.equal(noSQLInjection.status, 200);
+        t.equal(jsInjection.status, 200);
+        t.equal(normalSearch.status, 200);
+        t.equal(safeName.status, 200);
+        t.equal(unsafeName.status, 200);
+        t.match(stdout, /Starting agent/);
+        t.notMatch(stderr, /Zen has blocked a NoSQL injection/);
+      }
+    )
     .catch((error) => {
-      t.fail(error.message);
+      t.fail(error);
     })
     .finally(() => {
       server.kill();
@@ -141,7 +161,7 @@ t.test("it blocks in blocking mode (with open telemetry enabled)", (t) => {
   });
 
   server.on("error", (err) => {
-    t.fail(err.message);
+    t.fail(err);
   });
 
   let stdout = "";
@@ -174,7 +194,7 @@ t.test("it blocks in blocking mode (with open telemetry enabled)", (t) => {
       t.match(stderr, /Zen has blocked a NoSQL injection/);
     })
     .catch((error) => {
-      t.fail(error.message);
+      t.fail(error);
     })
     .finally(() => {
       server.kill("SIGINT");
@@ -237,7 +257,7 @@ t.test("it does not block in dry mode (with open telemetry enabled)", (t) => {
       t.notMatch(stderr, /Zen has blocked a NoSQL injection/);
     })
     .catch((error) => {
-      t.fail(error.message);
+      t.fail(error);
     })
     .finally(() => {
       server.kill("SIGINT");
diff --git a/sample-apps/express-mongodb/app.js b/sample-apps/express-mongodb/app.js
@@ -186,6 +186,24 @@ async function main(port) {
     })
   );
 
+  app.get(
+    "/hello/:name",
+    asyncHandler(async (req, res) => {
+      const { name } = req.params;
+
+      if (!name) {
+        return res.status(400).end();
+      }
+
+      // This code is vulnerable to code injection
+      // This is just a sample app to demonstrate the vulnerability
+      // Do not use this code in production
+      const welcome = new Function(`return "Hello, your name is ${name}!"`);
+
+      res.send(welcome());
+    })
+  );
+
   return new Promise((resolve, reject) => {
     try {
       app.listen(port, () => {
