Implement safe parsing when body is not base64-encoded (#3)

* Implement safe parsing when `body` is not base64-encoded

* Address comments and clean up logic

Author: selectiveduplicate

.rspec

@@ -0,0 +1 @@
+--require spec_helper

.ruby-version

@@ -0,0 +1 @@
+3.1.2

Gemfile

@@ -1,3 +1,7 @@
 source 'https://rubygems.org'
 
 gem 'moesif_api'
+
+group :development, :test do
+  gem 'rspec'
+end

Gemfile.lock

@@ -3,6 +3,7 @@ GEM
   specs:
     addressable (2.8.1)
       public_suffix (>= 2.0.2, < 6.0)
+    diff-lcs (1.5.1)
     domain_name (0.5.20190701)
       unf (>= 0.0.5, < 1.0.0)
     http-accept (1.7.0)
@@ -28,6 +29,19 @@ GEM
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.1)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
     unf (0.1.4)
       unf_ext
     unf_ext (0.0.8.2)
@@ -37,6 +51,7 @@ PLATFORMS
 
 DEPENDENCIES
   moesif_api
+  rspec
 
 BUNDLED WITH
    2.1.4

lib/moesif_aws_lambda/moesif_aws_middleware.rb

@@ -58,8 +58,31 @@ def decompress_body(body)
       Zlib::GzipReader.new(StringIO.new(body)).read
     end
 
-    def base64_encode_body(body)
-      return Base64.encode64(body), "base64"
+    def base64_encode_body(data)
+      return Base64.encode64(data), "base64"
+    end
+
+    def is_base64_str(body)
+      if not body.instance_of?(String)
+        return false
+      end
+      if body.length % 4 != 0
+        return false
+      end
+
+      b64_regex = /^[A-Za-z0-9+\/]+={0,2}$/
+
+      if not body.match?(b64_regex)
+        return false
+      end
+
+      begin
+        _ = Base64.decode64(body)
+        return true
+      rescue
+        return false
+      end
+
     end
 
     def @moesif_helpers.log_debug(message)
@@ -68,7 +91,27 @@ def @moesif_helpers.log_debug(message)
       end
     end
 
-    def parse_body(body, headers)
+    def process_body(body_wrapper, headers)
+      # the `event` object can either be a Hash or a String
+      if body_wrapper.instance_of?(Hash) and body_wrapper.key?("body")
+        body = body_wrapper.fetch("body")
+        begin
+          if body_wrapper.fetch("isBase64Encoded", false) and is_base64_str(body)
+            return body, "base64"
+          else
+            return safe_json_parse(body, headers)
+          end
+          rescue
+            return base64_encode_body(body)
+        end
+      elsif body_wrapper.instance_of?(String)
+        return base64_encode_body(body_wrapper)
+      else
+        return nil, nil
+      end
+    end
+
+    def safe_json_parse(body, headers)
       begin
         if (body.instance_of?(Hash) || body.instance_of?(Array))
           parsed_body = body
@@ -187,8 +230,12 @@ def handle(event:, context:)
         event_req.headers = req_headers
 
         if @log_body
-          event_req.body = event["body"]
-          event_req.transfer_encoding = event["isBase64Encoded"] ? "base64" : "json"
+          if event.key?("body") and event.fetch("isBase64Encoded") and is_base64_str(event.fetch("body"))
+            event_req.body= event.fetch("body") 
+            event_req.transfer_encoding = "base64"
+          else
+            event_req.body, event_req.transfer_encoding = process_body(event, req_headers)
+          end
         end
 
         # RESPONSEE

moesif_aws_lambda.gemspec

@@ -8,6 +8,7 @@ Gem::Specification.new do |s|
   s.homepage = 'https://moesif.com'
   s.license = 'Apache-2.0'
   s.add_development_dependency('test-unit', '~> 3.5', '>= 3.5.0')
+  s.add_development_dependency('rspec', '~> 3.5')
   s.add_dependency('moesif_api', '~> 1.2.14')
   s.required_ruby_version = '>= 2.5'
   s.files = Dir['{lib}/**/*', 'README*', 'LICENSE*']

spec/moesif_aws_middleware_spec.rb

@@ -0,0 +1,130 @@
+require 'rspec'
+require 'json'
+require_relative '../lib/moesif_aws_lambda'
+
+class AwsContext
+  attr_accessor :aws_request_id, :function_name
+
+  def initialize
+    @function_name = 'test function'
+    @function_version = '123421'
+    @aws_request_id = Time.now.to_i
+  end
+end
+
+fake_event_str = {
+  'rawPath' => '/test/route',
+  'headers' => {
+    'foo' => 'bar'
+  },
+  'requestContext' => {
+    'http' => {
+      'method' => 'post'
+    }
+  },
+  'isBase64Encoded' => true,
+  'body' => 'hello world'
+}
+fake_event_hash = {
+  'rawPath' => '/test/route',
+  'headers' => {
+    'foo' => 'bar'
+  },
+  'requestContext' => {
+    'http' => {
+      'method' => 'post'
+    }
+  },
+  'isBase64Encoded' => true,
+  'body' => {
+    'msg' => 'Hello world!',
+    'city' => 'New York',
+    'year' => 2024
+  }
+}
+fake_event_json = {
+  'rawPath' => '/test/route',
+  'headers' => {
+    'foo' => 'bar'
+  },
+  'requestContext' => {
+    'http' => {
+      'method' => 'post'
+    }
+  },
+  'isBase64Encoded' => true,
+  'body' => '{
+    "foo": "bar",
+    "year": 2024
+  }'
+}
+fake_event_b64 = {
+  'rawPath' => '/test/route',
+  'headers' => {
+    'foo' => 'bar'
+  },
+  'requestContext' => {
+    'http' => {
+      'method' => 'post'
+    }
+  },
+  'isBase64Encoded' => true,
+  'body' => 'eyJmb28iOiJiYXIifQ=='
+}
+
+describe Moesif::MoesifAwsMiddleware do
+  handler = Proc.new{ |event:, context:|
+    { event: JSON.generate(event), context: JSON.generate(context.inspect), my_test: 12_342 }
+  }
+  options = {
+    'application_id' => '',
+    'debug' => true
+  }
+
+  let(:moesif) { Moesif::MoesifAwsMiddleware.new(handler, options) }
+
+  describe '#process_body' do
+    it 'parses a string body correctly' do
+      body, transfer_encoding = moesif.process_body(fake_event_str, fake_event_str.fetch('headers'))
+      expect(transfer_encoding).to eq('base64')
+      expect(body == 'aGVsbG8gd29ybGQ=')
+    end
+    it 'parses a hash body correctly' do
+      body, transfer_encoding = moesif.process_body(fake_event_hash, fake_event_hash.fetch('headers'))
+      expect(transfer_encoding).to eq('json')
+      expect(body.instance_of?(Hash)).to be true
+    end
+    it 'parses a JSON body correctly' do
+      body, transfer_encoding = moesif.process_body(fake_event_json, fake_event_json.fetch('headers'))
+      expect(transfer_encoding).to eq('json')
+      expect(body.instance_of?(Hash)).to be true
+    end
+    it 'parses a valid base64-encoded body correctly' do
+      body, transfer_encoding = moesif.process_body(fake_event_b64, fake_event_b64.fetch('headers'))
+      expect(transfer_encoding).to eq('base64')
+      expect(body).to eq('eyJmb28iOiJiYXIifQ==')
+    end
+  end
+
+  describe '#is_base64_str' do
+    it 'returns true for a valid base64-encoded string' do
+      valid_base64 = 'eyJmb28iOiJiYXIifQ=='
+      expect(moesif.is_base64_str(valid_base64)).to be true
+    end
+    it 'returns false for an invalid base64-encoded string' do
+      invalid_base64 = {
+        'name' => 'Alex',
+        'age' => 27
+      }
+      expect(moesif.is_base64_str(invalid_base64)).to be false
+    end
+  end
+
+  describe '.handle' do
+    it 'returns a Lambda result as a Hash object' do
+      result = moesif.handle(event: fake_event_str, context: AwsContext.new)
+      puts result
+      expect(result.instance_of?(Hash)).to be true
+    end
+  end
+end

spec/spec_helper.rb

@@ -0,0 +1,98 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause
+# this file to always be loaded, without a need to explicitly require it in any
+# files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# See https://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+  # This option will default to `:apply_to_host_groups` in RSpec 4 (and will
+  # have no way to turn it off -- the option exists only for backwards
+  # compatibility in RSpec 3). It causes shared context metadata to be
+  # inherited by the metadata hash of host groups and examples, rather than
+  # triggering implicit auto-inclusion in groups with matching metadata.
+  config.shared_context_metadata_behavior = :apply_to_host_groups
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # This allows you to limit a spec run to individual examples or groups
+  # you care about by tagging them with `:focus` metadata. When nothing
+  # is tagged with `:focus`, all examples get run. RSpec also provides
+  # aliases for `it`, `describe`, and `context` that include `:focus`
+  # metadata: `fit`, `fdescribe` and `fcontext`, respectively.
+  config.filter_run_when_matching :focus
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  # https://rspec.info/features/3-12/rspec-core/configuration/zero-monkey-patching-mode/
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = "doc"
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end