From ef719180afaceae4d11c2568a5243babf766fc64 Mon Sep 17 00:00:00 2001
From: ishabi
Date: Mon, 25 Nov 2024 15:13:51 +0100
Subject: [PATCH] fix mongodb core tests
---
 ...yzer.express-mongo-sanitize.plugin.spec.js | 42 ++++++++--------
 ...n-mongodb-analyzer.mongoose.plugin.spec.js | 1 +
 ...ion-mongodb-analyzer.mquery.plugin.spec.js | 48 +++++++++----------
 packages/dd-trace/test/plugins/externals.json | 2 +-
 4 files changed, 45 insertions(+), 48 deletions(-)
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js
index d7623bffc0..f104214210 100644
--- a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js
+++ b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.express-mongo-sanitize.plugin.spec.js
@@ -9,6 +9,7 @@ const { prepareTestServerForIastInExpress } = require('../utils')
 const agent = require('../../../plugins/agent')
 describe('nosql injection detection in mongodb - whole feature', () => {
+ // https://github.com/fiznool/express-mongo-sanitize/issues/200
 withVersions('mongodb', 'express', '>4.18.0 <5.0.0', expressVersion => {
 withVersions('mongodb', 'mongodb', mongodbVersion => {
 const mongodb = require(`../../../../../../versions/mongodb@${mongodbVersion}`)
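Review bot: The added comment above `withVersions('mongodb', 'express', '>4.18.0 <5.0.0', …)` is a bare URL, so nothing in the file says that it is the reason for the `<5.0.0` bound; the same line is added at the top of the mongoose and mquery specs. A self-explaining form would be `// Express >=5 is excluded: see https://github.com/fiznool/express-mongo-sanitize/issues/200`. Because the bound sits on the outermost `withVersions`, every NoSQL-injection detection test in these files is skipped on Express 5, not only the ones that load the sanitizer; if that is wider than intended, the comment should say so or the bound should move to the sanitizer block. The `describe` body continues outside the hunk.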
@@ -155,30 +156,27 @@ describe('nosql injection detection in mongodb - whole feature', () => {
 redactionEnabled: false
 })
- // https://github.com/fiznool/express-mongo-sanitize/issues/200
- if (semver.intersects(expressVersion, '<5.0.0')) {
- withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
- prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
- const mongoSanitize =
- require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
- expressApp.use(mongoSanitize())
- }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
- testThatRequestHasNoVulnerability({
- fn: async (req, res) => {
- await collection.find({
- key: req.query.key
- })
-
- res.end()
- },
- vulnerability: 'NOSQL_MONGODB_INJECTION',
- makeRequest: (done, config) => {
- axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
- }
- })
+ withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
+ prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
+ const mongoSanitize =
+ require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
+ expressApp.use(mongoSanitize())
+ }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+ testThatRequestHasNoVulnerability({
+ fn: async (req, res) => {
+ await collection.find({
+ key: req.query.key
+ })
+
+ res.end()
+ },
+ vulnerability: 'NOSQL_MONGODB_INJECTION',
+ makeRequest: (done, config) => {
+ axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
+ }
 })
 })
- }
+ })
 })
 })
 })
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mongoose.plugin.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mongoose.plugin.spec.js
index 4df740cd89..f8b96557a1 100644
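Review bot: The request in `makeRequest` sends `?key=value`, so the sanitized path is only checked with a scalar `req.query.key`, a value the middleware has nothing to strip from; the sanitization test in the mquery spec uses the same request. A second `testThatRequestHasNoVulnerability` case whose query string makes Express parse `key` into a nested object would cover the input shape `mongoSanitize()` actually rewrites and confirm that the analyzer treats the rewritten object as safe. How the analyzer handles nested values after sanitization is not visible in this hunk, so the expected result should be confirmed against the analyzer's sanitizer handling first. The enclosing `describe` and `withVersions` callbacks start outside the hunk.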
--- a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mongoose.plugin.spec.js
+++ b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mongoose.plugin.spec.js
@@ -10,6 +10,7 @@ const fs = require('fs')
 const { NODE_MAJOR } = require('../../../../../../version')
 describe('nosql injection detection in mongodb - whole feature', () => {
+ // https://github.com/fiznool/express-mongo-sanitize/issues/200
 withVersions('mongoose', 'express', '>4.18.0 <5.0.0', expressVersion => {
 withVersions('mongoose', 'mongoose', '>4.0.0', mongooseVersion => {
 const specificMongooseVersion = require(`../../../../../../versions/mongoose@${mongooseVersion}`).version()
diff --git a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js
index f4b1ee05b5..a91b428211 100644
--- a/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js
+++ b/packages/dd-trace/test/appsec/iast/analyzers/nosql-injection-mongodb-analyzer.mquery.plugin.spec.js
@@ -9,6 +9,7 @@ const semver = require('semver')
 const fs = require('fs')
 describe('nosql injection detection with mquery', () => {
+ // https://github.com/fiznool/express-mongo-sanitize/issues/200
 withVersions('mongodb', 'express', '>4.18.0 <5.0.0', expressVersion => {
 withVersions('mongodb', 'mongodb', mongodbVersion => {
 const mongodb = require(`../../../../../../versions/mongodb@${mongodbVersion}`)
@@ -313,34 +314,31 @@ describe('nosql injection detection with mquery', () => {
 }, 'NOSQL_MONGODB_INJECTION')
 })
- // https://github.com/fiznool/express-mongo-sanitize/issues/200
- if (semver.intersects(expressVersion, '<5.0.0')) {
- withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
- prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
- const mongoSanitize =
- require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
- expressApp.use(mongoSanitize())
- }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
- testThatRequestHasNoVulnerability({
- fn: async (req, res) => {
- const filter = {
- name: req.query.key
- }
- try {
- await require(tmpFilePath).vulnerableFindOne(collection, filter)
- } catch (e) {
- // do nothing
- }
- res.end()
- },
- vulnerability: 'NOSQL_MONGODB_INJECTION',
- makeRequest: (done, config) => {
- axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
+ withVersions('express-mongo-sanitize', 'express-mongo-sanitize', expressMongoSanitizeVersion => {
+ prepareTestServerForIastInExpress('Test with sanitization middleware', expressVersion, (expressApp) => {
+ const mongoSanitize =
+ require(`../../../../../../versions/express-mongo-sanitize@${expressMongoSanitizeVersion}`).get()
+ expressApp.use(mongoSanitize())
+ }, (testThatRequestHasVulnerability, testThatRequestHasNoVulnerability) => {
+ testThatRequestHasNoVulnerability({
+ fn: async (req, res) => {
+ const filter = {
+ name: req.query.key
+ }
+ try {
+ await require(tmpFilePath).vulnerableFindOne(collection, filter)
+ } catch (e) {
+ // do nothing
 }
- })
+ res.end()
+ },
+ vulnerability: 'NOSQL_MONGODB_INJECTION',
+ makeRequest: (done, config) => {
+ axios.get(`http://localhost:${config.port}/?key=value`).catch(done)
+ }
 })
 })
- }
+ })
 })
 })
 })
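Review bot: The empty `catch (e) { // do nothing }` around `vulnerableFindOne` lets this negative test pass when the call throws before the query reaches the instrumented driver, so "no NOSQL_MONGODB_INJECTION reported" cannot be told apart from "the sink never ran". If an error is expected here, the comment should name it; otherwise surface it, for example `} catch (e) { res.statusCode = 500 }` ahead of `res.end()`, so that the `axios.get(...).catch(done)` in `makeRequest` fails the test (assuming the helper treats a rejected request as a failure, which is not visible in this hunk). The enclosing `describe` and `withVersions` callbacks start outside the hunk.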
diff --git a/packages/dd-trace/test/plugins/externals.json b/packages/dd-trace/test/plugins/externals.json
index d045e07e1d..1b1d43150c 100644
--- a/packages/dd-trace/test/plugins/externals.json
+++ b/packages/dd-trace/test/plugins/externals.json
@@ -98,7 +98,7 @@
 },
 {
 "name": "express",
- "versions": [">=4", ">=4.0.0 <4.3.0", ">=4.0.0 <5.0.0", ">=4.3.0 <5.0.0"]
+ "versions": [">=4", ">=4.0.0 <4.3.0", ">=4.0.0 <5.0.0", ">=4.3.0 <5.0.0", ">=5.0.0"]
 },
 {
 "name": "body-parser",