From 0e039c834282bbd582ca968d464c8efd0fddf82f Mon Sep 17 00:00:00 2001
From: ishabi
Date: Mon, 25 Nov 2024 13:48:51 +0100
Subject: [PATCH] escape express5 in testing express-mongo-sanitize
---
 ...yzer.express-mongo-sanitize.plugin.spec.js | 43 +++++++++---------
 ...ion-mongodb-analyzer.mquery.plugin.spec.js | 45 ++++++++++---------
 2 files changed, 47 insertions(+), 41 deletions(-)
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js
index e05537ce04b..d8fec87586d 100644
--- a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js
+++ b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js
@@ -9,7 +9,7 @@ const { prepareTestServerForIastInExpress } = require('../utils')
 const agent = require('../../../plugins/agent')
 describe('nosql injection detection in mongodb - whole feature', () => {
- withVersions('express', 'express', '>4.18.0', expressVersion => {
+ withVersions('express', 'express', '>4.18.0 <5.0.0', expressVersion => {
 withVersions('mongodb', 'mongodb', mongodbVersion => {
 const mongodb = require(`../../../../../../versions/mongodb@${mongodbVersion}`) 
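Review bot: Capping the outer `withVersions('express', ...)` range at `'>4.18.0 <5.0.0'` removes Express 5 from every case in this spec, including the plain NoSQL-injection detection cases that never load express-mongo-sanitize, while the commit subject only aims at skipping the sanitizer middleware. As far as I know Express 5 changed how `req.query` is exposed, which is exactly the taint source these tests read, so losing that coverage is worth avoiding. If the only blocker is the middleware, keep `withVersions('express', 'express', '>4.18.0', expressVersion => {` here and rely on the per-block `semver.intersects(expressVersion, '<5.0.0')` guard this commit adds further down in the same file, which is otherwise always true. The `describe` callback continues outside the hunk.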
@@ -155,27 +155,30 @@ describe('nosql injection detection in mongodb - whole feature', () => {
 redactionEnabled: false
 })
- withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
- prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
- const mongoSanitize =
- require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
- expressApp.use(mongoSanitize())
- }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
- testThatRequestHasNoVulnerability({
- fn: async (req, res) => {
- await collection.find({
- key: req.query.key
- })
-
- res.end()
- },
- vulnerability: 'NOSQL_MONGODB_INJECTION',
- makeRequest: (done, config) => {
- axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
- }
+ // https://github.com/fiznool/express-mongo-sanitize/issues/200
+ if (semver.intersects(expressVersion, '<5.0.0')) {
+ withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
+ prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
+ const mongoSanitize =
+ require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
+ expressApp.use(mongoSanitize())
+ }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+ testThatRequestHasNoVulnerability({
+ fn: async (req, res) => {
+ await collection.find({
+ key: req.query.key
+ })
+
+ res.end()
+ },
+ vulnerability: 'NOSQL_MONGODB_INJECTION',
+ makeRequest: (done, config) => {
+ axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
+ }
+ })
 })
 })
- })
+ }
 })
 })
 })
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js
index 7cf71f7a86e..7a004adace0 100644 
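Review bot: The new `if (semver.intersects(expressVersion, '<5.0.0'))` guard makes the sanitizer case disappear from the test report on Express 5 rather than show up as skipped, and the bare issue URL above it does not say what is being worked around. I would replace that comment with `// express-mongo-sanitize does not work on Express 5 (presumably because req.query cannot be reassigned there; see fiznool/express-mongo-sanitize#200), so the middleware case only runs on Express 4` and, if the harness allows it, express the skip as a pending `describe.skip` with that reason so the coverage gap stays visible. The guard also assumes `semver` is already required at the top of the file, which is outside the hunk; if it is not, this `describe` will throw at definition time. Since this same commit caps the outer express range at `<5.0.0` in this file, the condition is always true here, so one of the two mechanisms is redundant.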
--- a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js
+++ b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js 
@@ -313,31 +313,34 @@ describe('nosql injection detection with mquery', () => {
 }, 'NOSQL_MONGODB_INJECTION')
 })
- withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
- prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
- const mongoSanitize =
+ // https://github.com/fiznool/express-mongo-sanitize/issues/200
+ if (semver.intersects(expressVersion, '<5.0.0')) {
+ withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
+ prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
+ const mongoSanitize =
 require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
- expressApp.use(mongoSanitize())
- }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
- testThatRequestHasNoVulnerability({
- fn: async (req, res) => {
- const filter = {
- name: req.query.key
- }
- try {
- await require(tmpFilePath).vulnerableFindOne(collection, filter)
- } catch (e) {
- // do nothing
+ expressApp.use(mongoSanitize())
+ }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+ testThatRequestHasNoVulnerability({
+ fn: async (req, res) => {
+ const filter = {
+ name: req.query.key
+ }
+ try {
+ await require(tmpFilePath).vulnerableFindOne(collection, filter)
+ } catch (e) {
+ // do nothing
+ }
+ res.end()
+ },
+ vulnerability: 'NOSQL_MONGODB_INJECTION',
+ makeRequest: (done, config) => {
+ axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
 }
- res.end()
- },
- vulnerability: 'NOSQL_MONGODB_INJECTION',
- makeRequest: (done, config) => {
- axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
- }
+ })
 })
 })
- })
+ }
 })
 })
 })
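Review bot: In the re-indented handler, `try { await require(tmpFilePath).vulnerableFindOne(collection, filter) } catch (e) { // do nothing }` lets this "no vulnerability" case pass vacuously: if the query never executes (a stale `tmpFilePath`, a rejected connection), no NOSQL_MONGODB_INJECTION can be reported and `testThatRequestHasNoVulnerability` is satisfied for the wrong reason, which is the opposite of what a negative security test should prove. If the catch is there because mquery rejects the sanitized filter, say so in place of `// do nothing`, e.g. `// mquery may reject the sanitized filter; only the absence of a reported vulnerability matters here`, and consider narrowing the catch to that error so unrelated failures still surface. The surrounding `if (semver.intersects(expressVersion, '<5.0.0'))` block also relies on `semver` being required above line 313, which is outside the hunk, and it duplicates the same guard and sanitizer setup now present in the express-mongo-sanitize spec, so a shared helper in `../utils` would keep the two from drifting.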