Merge pull request #41 from AikidoSec/patch-e2e-mongoose

Add end2end test for mongoose sample app
AikidoSec · Feb 27, 2024 · 9ab6667 · 9ab6667
2 parents 02f173f + 711a276
commit 9ab6667
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 4 deletions.
diff --git a/end2end/tests/express-mongoose.test.js b/end2end/tests/express-mongoose.test.js
@@ -0,0 +1,102 @@
+const t = require("tap");
+const { spawn } = require("node:child_process");
+const { resolve } = require("node:path");
+const timeout = require("../timeout");
+
+const pathToApp = resolve(
+  __dirname,
+  "../../sample-apps/express-mongoose",
+  "app.js"
+);
+
+t.test("it blocks in blocking mode", (t) => {
+  const server = spawn(`node`, [pathToApp, "4000"]);
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err.message);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(() => {
+      return Promise.all([
+        fetch("http://localhost:4000/?search[$ne]=null", {
+          signal: AbortSignal.timeout(5000),
+        }),
+        fetch("http://localhost:4000/?search=title", {
+          signal: AbortSignal.timeout(5000),
+        }),
+      ]);
+    })
+    .then(([noSQLInjection, normalSearch]) => {
+      t.equal(noSQLInjection.status, 500);
+      t.equal(normalSearch.status, 200);
+      t.match(stdout, /Starting agent/);
+      t.match(stderr, /Aikido guard has blocked a NoSQL injection/);
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});
+
+t.test("it does not block in dry mode", (t) => {
+  const server = spawn(`node`, [pathToApp, "4001"], {
+    env: { ...process.env, AIKIDO_NO_BLOCKING: "true" },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(() =>
+      Promise.all([
+        fetch("http://localhost:4001/?search[$ne]=null", {
+          signal: AbortSignal.timeout(5000),
+        }),
+        fetch("http://localhost:4001/?search=title", {
+          signal: AbortSignal.timeout(5000),
+        }),
+      ])
+    )
+    .then(([noSQLInjection, normalSearch]) => {
+      t.equal(noSQLInjection.status, 200);
+      t.equal(normalSearch.status, 200);
+      t.match(stdout, /Starting agent/);
+      t.notMatch(stderr, /Aikido guard has blocked a NoSQL injection/);
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});
diff --git a/sample-apps/express-mongoose/app.js b/sample-apps/express-mongoose/app.js
@@ -13,7 +13,7 @@ const cookieParser = require("cookie-parser");
 
 preventPrototypePollution();
 
-async function main() {
+async function main(port) {
   const app = express();
   // Normally you'd use environment variables for this
   await mongoose.connect("mongodb://root:[email protected]:27017");
@@ -69,8 +69,8 @@ async function main() {
 
   return new Promise((resolve, reject) => {
     try {
-      app.listen(4000, () => {
-        console.log("Listening on port 4000");
+      app.listen(port, () => {
+        console.log(`Listening on port ${port}`);
         resolve();
       });
     } catch (err) {
@@ -79,4 +79,15 @@ async function main() {
   });
 }
 
-main();
+function getPort() {
+  const port = parseInt(process.argv[2], 10) || 4000;
+
+  if (isNaN(port)) {
+    console.error("Invalid port");
+    process.exit(1);
+  }
+
+  return port;
+}
+
+main(getPort());