test: Protect Prototype-Poisoning (#225)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

- **New Features**
- Added a new controller with a POST method to demonstrate object
poisoning prevention techniques.
- Introduced configurations for CSRF protection and handling proto
poisoning.
- Added configurations for `egg-tracer`, `@eggjs/tegg-plugin`, and
`@eggjs/tegg-config` plugins.

- **Bug Fixes**
- Implemented test cases to verify protection against proto poisoning in
the application.

- **Chores**
  - Updated GitHub Actions workflows:
    - Removed a scheduled job trigger in the CodeQL analysis workflow.
    - Added Node.js version 22 to the testing matrix.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

.github/workflows/codeql-analysis.yml

@@ -17,8 +17,6 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ "master" ]
-  schedule:
-    - cron: '24 9 * * 5'
 
 jobs:
   analyze:

.github/workflows/nodejs.yml

@@ -20,7 +20,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [ 16, 18, 20 ]
+        node-version: [ 16, 18, 20, 22 ]
     steps:
     - name: Checkout Git Source
       uses: actions/checkout@master

plugin/controller/test/fixtures/apps/proto-poisoning/app/controller/HelloController.ts

@@ -0,0 +1,29 @@
+import {
+  HTTPController,
+  HTTPMethod,
+  HTTPMethodEnum,
+  HTTPBody,
+} from '@eggjs/tegg';
+
+@HTTPController()
+export class HelloController {
+  @HTTPMethod({
+    method: HTTPMethodEnum.POST,
+    path: '/hello-proto-poisoning',
+  })
+  async get(@HTTPBody() body: any) {
+    // console.log(body, body.__proto__);
+    const params1 = Object.assign({}, body);
+    const params2 = {
+      ...body,
+    };
+    return {
+      params1,
+      params2,
+      body,
+      'params1.boom': params1.boom,
+      'params2.boom': params2.boom,
+      'body.boom': body.boom,
+    };
+  }
+}

plugin/controller/test/fixtures/apps/proto-poisoning/config/config.default.js

@@ -0,0 +1,14 @@
+module.exports = () => {
+  const config = {
+    keys: 'test key',
+    security: {
+      csrf: {
+        ignoreJSON: false,
+      },
+    },
+    bodyParser: {
+      onProtoPoisoning: 'remove',
+    },
+  };
+  return config;
+};

plugin/controller/test/fixtures/apps/proto-poisoning/config/plugin.js

@@ -0,0 +1,14 @@
+exports.tracer = {
+  package: 'egg-tracer',
+  enable: true,
+};
+
+exports.tegg = {
+  package: '@eggjs/tegg-plugin',
+  enable: true,
+};
+
+exports.teggConfig = {
+  package: '@eggjs/tegg-config',
+  enable: true,
+};

plugin/controller/test/fixtures/apps/proto-poisoning/package.json

@@ -0,0 +1,3 @@
+{
+  "name": "proto-poisoning"
+}

plugin/controller/test/http/proto-poisoning.test.ts

@@ -0,0 +1,47 @@
+import path from 'node:path';
+import { strict as assert } from 'node:assert';
+import mm from 'egg-mock';
+
+describe('plugin/controller/test/http/proto-poisoning.test.ts', () => {
+  let app;
+
+  beforeEach(() => {
+    mm(process.env, 'EGG_TYPESCRIPT', true);
+  });
+
+  afterEach(() => {
+    mm.restore();
+  });
+
+  before(async () => {
+    mm(process.env, 'EGG_TYPESCRIPT', true);
+    mm(process, 'cwd', () => {
+      return path.join(__dirname, '../..');
+    });
+    app = mm.app({
+      baseDir: path.join(__dirname, '../fixtures/apps/proto-poisoning'),
+      framework: require.resolve('egg'),
+    });
+    await app.ready();
+  });
+
+  after(() => {
+    return app.close();
+  });
+
+  it('should protect proto poisoning', async () => {
+    app.mockCsrf();
+    const res = await app.httpRequest()
+      .post('/hello-proto-poisoning')
+      .set('content-type', 'application/json')
+      .send(`{
+        "hello": "world",
+        "__proto__": { "boom": "💣" }
+      }`)
+      .expect(200);
+    console.log(res.body);
+    assert.equal(res.body['body.boom'], undefined, 'body.boom');
+    assert.equal(res.body['params2.boom'], undefined, 'params2.boom');
+    assert.equal(res.body['params1.boom'], undefined, 'params1.boom');
+  });
+});