escape express5 in testing express-mongo-sanitize

DataDog · Nov 25, 2024 · 0e039c8 · 0e039c8
1 parent 0959528
commit 0e039c8
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 41 deletions.
diff --git a/...sec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js b/...sec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js
@@ -9,7 +9,7 @@ const { prepareTestServerForIastInExpress } = require('../utils')
 const agent = require('../../../plugins/agent')
 
 describe('nosql injection detection in mongodb - whole feature', () => {
-  withVersions('express', 'express', '>4.18.0', expressVersion => {
+  withVersions('express', 'express', '>4.18.0 <5.0.0', expressVersion => {
     withVersions('mongodb', 'mongodb', mongodbVersion => {
       const mongodb = require(`../../../../../../versions/mongodb@${mongodbVersion}`)
 
@@ -155,27 +155,30 @@ describe('nosql injection detection in mongodb - whole feature', () => {
           redactionEnabled: false
         })
 
-      withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
-        prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
-          const mongoSanitize =
-            require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
-          expressApp.use(mongoSanitize())
-        }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
-          testThatRequestHasNoVulnerability({
-            fn: async (req, res) => {
-              await collection.find({
-                key: req.query.key
-              })
-
-              res.end()
-            },
-            vulnerability: 'NOSQL_MONGODB_INJECTION',
-            makeRequest: (done, config) => {
-              axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
-            }
+      // https://github.com/fiznool/express-mongo-sanitize/issues/200
+      if (semver.intersects(expressVersion, '<5.0.0')) {
+        withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
+          prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
+            const mongoSanitize =
+              require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
+            expressApp.use(mongoSanitize())
+          }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+            testThatRequestHasNoVulnerability({
+              fn: async (req, res) => {
+                await collection.find({
+                  key: req.query.key
+                })
+
+                res.end()
+              },
+              vulnerability: 'NOSQL_MONGODB_INJECTION',
+              makeRequest: (done, config) => {
+                axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
+              }
+            })
           })
         })
-      })
+      }
     })
   })
 })
diff --git a/...d-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js b/...d-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js
@@ -313,31 +313,34 @@ describe('nosql injection detection with mquery', () => {
             }, 'NOSQL_MONGODB_INJECTION')
           })
 
-        withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
-          prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
-            const mongoSanitize =
+        // https://github.com/fiznool/express-mongo-sanitize/issues/200
+        if (semver.intersects(expressVersion, '<5.0.0')) {
+          withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
+            prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
+              const mongoSanitize =
                 require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
-            expressApp.use(mongoSanitize())
-          }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
-            testThatRequestHasNoVulnerability({
-              fn: async (req, res) => {
-                const filter = {
-                  name: req.query.key
-                }
-                try {
-                  await require(tmpFilePath).vulnerableFindOne(collection, filter)
-                } catch (e) {
-                  // do nothing
+              expressApp.use(mongoSanitize())
+            }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+              testThatRequestHasNoVulnerability({
+                fn: async (req, res) => {
+                  const filter = {
+                    name: req.query.key
+                  }
+                  try {
+                    await require(tmpFilePath).vulnerableFindOne(collection, filter)
+                  } catch (e) {
+                    // do nothing
+                  }
+                  res.end()
+                },
+                vulnerability: 'NOSQL_MONGODB_INJECTION',
+                makeRequest: (done, config) => {
+                  axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
                 }
-                res.end()
-              },
-              vulnerability: 'NOSQL_MONGODB_INJECTION',
-              makeRequest: (done, config) => {
-                axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
-              }
+              })
             })
           })
-        })
+        }
       })
     })
   })