Add end2end test for mysql sample app

AikidoSec · Feb 28, 2024 · 38e5e80 · 38e5e80
1 parent d978981
commit 38e5e80
Show file tree

Hide file tree

Showing 2 changed files with 123 additions and 4 deletions.
diff --git a/end2end/tests/express-mysql.test.js b/end2end/tests/express-mysql.test.js
@@ -0,0 +1,108 @@
+const t = require("tap");
+const { spawn } = require("node:child_process");
+const { resolve } = require("node:path");
+const timeout = require("../timeout");
+
+const pathToApp = resolve(
+  __dirname,
+  "../../sample-apps/express-mysql",
+  "app.js"
+);
+
+t.test("it blocks in blocking mode", (t) => {
+  const server = spawn(`node`, [pathToApp, "4000"]);
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  server.on("error", (err) => {
+    t.fail(err.message);
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(() => {
+      return Promise.all([
+        fetch(
+          `http://localhost:4000/?petname=${encodeURIComponent("Njuska'); DELETE FROM cats;-- H")}`,
+          {
+            signal: AbortSignal.timeout(5000),
+          }
+        ),
+        fetch("http://localhost:4000/?petname=Njuska", {
+          signal: AbortSignal.timeout(5000),
+        }),
+      ]);
+    })
+    .then(([noSQLInjection, normalSearch]) => {
+      t.equal(noSQLInjection.status, 500);
+      t.equal(normalSearch.status, 200);
+      t.match(stdout, /Starting agent/);
+      t.match(stderr, /Aikido guard has blocked a SQL injection/);
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});
+
+t.test("it does not block in dry mode", (t) => {
+  const server = spawn(`node`, [pathToApp, "4001"], {
+    env: { ...process.env, AIKIDO_NO_BLOCKING: "true" },
+  });
+
+  server.on("close", () => {
+    t.end();
+  });
+
+  let stdout = "";
+  server.stdout.on("data", (data) => {
+    stdout += data.toString();
+  });
+
+  let stderr = "";
+  server.stderr.on("data", (data) => {
+    stderr += data.toString();
+  });
+
+  // Wait for the server to start
+  timeout(2000)
+    .then(() =>
+      Promise.all([
+        fetch(
+          `http://localhost:4001/?petname=${encodeURIComponent("Njuska'); DELETE FROM cats;-- H")}`,
+          {
+            signal: AbortSignal.timeout(5000),
+          }
+        ),
+        fetch("http://localhost:4001/?petname=Njuska", {
+          signal: AbortSignal.timeout(5000),
+        }),
+      ])
+    )
+    .then(([noSQLInjection, normalSearch]) => {
+      t.equal(noSQLInjection.status, 200);
+      t.equal(normalSearch.status, 200);
+      t.match(stdout, /Starting agent/);
+      t.notMatch(stderr, /Aikido guard has blocked a SQL injection/);
+    })
+    .catch((error) => {
+      t.fail(error.message);
+    })
+    .finally(() => {
+      server.kill();
+    });
+});
diff --git a/sample-apps/express-mysql/app.js b/sample-apps/express-mysql/app.js
@@ -46,7 +46,7 @@ async function createConnection() {
   return connection;
 }
 
-async function main() {
+async function main(port) {
   const db = await createConnection();
   const cats = new Cats(db);
 
@@ -67,8 +67,8 @@ async function main() {
 
   return new Promise((resolve, reject) => {
     try {
-      app.listen(4000, () => {
-        console.log("Listening on port 4000");
+      app.listen(port, () => {
+        console.log(`Listening on port ${port}`);
         resolve();
       });
     } catch (err) {
@@ -77,4 +77,15 @@ async function main() {
   });
 }
 
-main();
+function getPort() {
+  const port = parseInt(process.argv[2], 10) || 4000;
+
+  if (isNaN(port)) {
+    console.error("Invalid port");
+    process.exit(1);
+  }
+
+  return port;
+}
+
+main(getPort());