Skip to content

Add end2end test for code injection using new Function(...) #554

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hansott merged 2 commits into from
Mar 19, 2025
Merged

Add end2end test for code injection using new Function(...) #554

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2a7ca88
Add end2end test for code injection using `new Function(...)`
hansott Mar 19, 2025
d667cef
Extract to new test and assert logs
hansott Mar 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
106 changes: 106 additions & 0 deletions end2end/tests/express-mongodb.code-injection.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
const t = require("tap");
const { spawn } = require("child_process");
const { resolve } = require("path");
const timeout = require("../timeout");

const pathToApp = resolve(
__dirname,
"../../sample-apps/express-mongodb",
"app.js"
);

t.setTimeout(60000);

t.test("it blocks in blocking mode", (t) => {
const server = spawn(`node`, [pathToApp, "4000"], {
env: { ...process.env, AIKIDO_DEBUG: "true", AIKIDO_BLOCK: "true" },
});

server.on("close", () => {
t.end();
});

server.on("error", (err) => {
t.fail(err);
});

let stdout = "";
server.stdout.on("data", (data) => {
stdout += data.toString();
});

let stderr = "";
server.stderr.on("data", (data) => {
stderr += data.toString();
});

// Wait for the server to start
timeout(2000)
.then(() => {
return Promise.all([
fetch("http://127.0.0.1:4000/hello/hans", {
signal: AbortSignal.timeout(5000),
}),
fetch(`http://127.0.0.1:4000/hello/${encodeURIComponent(`hans" //`)}`, {
signal: AbortSignal.timeout(5000),
}),
]);
})
.then(([safeName, unsafeName]) => {
t.equal(safeName.status, 200);
t.equal(unsafeName.status, 500);
t.match(stdout, /Starting agent/);
t.match(stdout, /Zen has blocked a JavaScript injection/);
})
.catch((error) => {
t.fail(error);
})
.finally(() => {
server.kill();
});
});

t.test("it does not block in dry mode", (t) => {
const server = spawn(`node`, [pathToApp, "4001"], {
env: { ...process.env, AIKIDO_DEBUG: "true" },
});

server.on("close", () => {
t.end();
});

let stdout = "";
server.stdout.on("data", (data) => {
stdout += data.toString();
});

let stderr = "";
server.stderr.on("data", (data) => {
stderr += data.toString();
});

// Wait for the server to start
timeout(2000)
.then(() =>
Promise.all([
fetch("http://127.0.0.1:4001/hello/hans", {
signal: AbortSignal.timeout(5000),
}),
fetch(`http://127.0.0.1:4001/hello/${encodeURIComponent(`hans" //`)}`, {
signal: AbortSignal.timeout(5000),
}),
])
)
.then(([safeName, unsafeName]) => {
t.equal(safeName.status, 200);
t.equal(unsafeName.status, 200);
t.match(stdout, /Starting agent/);
t.match(stdout, /Zen has detected a JavaScript injection/);
})
.catch((error) => {
t.fail(error);
})
.finally(() => {
server.kill();
});
});
12 changes: 6 additions & 6 deletions end2end/tests/express-mongodb.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ t.test("it blocks in blocking mode", (t) => {
});

server.on("error", (err) => {
t.fail(err.message);
t.fail(err);
});

let stdout = "";
Expand Down Expand Up @@ -57,7 +57,7 @@ t.test("it blocks in blocking mode", (t) => {
t.match(stderr, /Zen has blocked a NoSQL injection/);
})
.catch((error) => {
t.fail(error.message);
t.fail(error);
})
.finally(() => {
server.kill();
Expand Down Expand Up @@ -106,7 +106,7 @@ t.test("it does not block in dry mode", (t) => {
t.notMatch(stderr, /Zen has blocked a NoSQL injection/);
})
.catch((error) => {
t.fail(error.message);
t.fail(error);
})
.finally(() => {
server.kill();
Expand Down Expand Up @@ -141,7 +141,7 @@ t.test("it blocks in blocking mode (with open telemetry enabled)", (t) => {
});

server.on("error", (err) => {
t.fail(err.message);
t.fail(err);
});

let stdout = "";
Expand Down Expand Up @@ -174,7 +174,7 @@ t.test("it blocks in blocking mode (with open telemetry enabled)", (t) => {
t.match(stderr, /Zen has blocked a NoSQL injection/);
})
.catch((error) => {
t.fail(error.message);
t.fail(error);
})
.finally(() => {
server.kill("SIGINT");
Expand Down Expand Up @@ -237,7 +237,7 @@ t.test("it does not block in dry mode (with open telemetry enabled)", (t) => {
t.notMatch(stderr, /Zen has blocked a NoSQL injection/);
})
.catch((error) => {
t.fail(error.message);
t.fail(error);
})
.finally(() => {
server.kill("SIGINT");
Expand Down
18 changes: 18 additions & 0 deletions sample-apps/express-mongodb/app.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,24 @@ async function main(port) {
})
);

app.get(
"/hello/:name",
asyncHandler(async (req, res) => {
const { name } = req.params;

if (!name) {
return res.status(400).end();
}

// This code is vulnerable to code injection
// This is just a sample app to demonstrate the vulnerability
// Do not use this code in production
const welcome = new Function(`return "Hello, your name is ${name}!"`);

res.send(welcome());
})
);

return new Promise((resolve, reject) => {
try {
app.listen(port, () => {
Expand Down
Loading