@reliabilityworks/core 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/test/fixtures/monorepo/apps/web/next.config.js +28 -0
- package/test/fixtures/monorepo/apps/web/public/app.js.map +1 -0
- package/test/fixtures/monorepo/apps/web/public/test.pem +1 -0
- package/test/fixtures/monorepo/apps/web/src/next-rules.ts +44 -0
- package/test/nextjsRulesetCoverage.test.js +29 -0
package/package.json
CHANGED
|
@@ -1,3 +1,31 @@
|
|
|
1
1
|
module.exports = {
|
|
2
2
|
productionBrowserSourceMaps: true,
|
|
3
|
+
poweredByHeader: true,
|
|
4
|
+
reactStrictMode: false,
|
|
5
|
+
compress: false,
|
|
6
|
+
assetPrefix: 'http://cdn.example.com',
|
|
7
|
+
typescript: {
|
|
8
|
+
ignoreBuildErrors: true,
|
|
9
|
+
},
|
|
10
|
+
eslint: {
|
|
11
|
+
ignoreDuringBuilds: true,
|
|
12
|
+
},
|
|
13
|
+
images: {
|
|
14
|
+
dangerouslyAllowSVG: true,
|
|
15
|
+
domains: ['*'],
|
|
16
|
+
remotePatterns: [{ protocol: 'http', hostname: '**' }],
|
|
17
|
+
},
|
|
18
|
+
async headers() {
|
|
19
|
+
return [
|
|
20
|
+
{
|
|
21
|
+
source: '/api/:path*',
|
|
22
|
+
headers: [
|
|
23
|
+
{ key: 'Access-Control-Allow-Origin', value: '*' },
|
|
24
|
+
{ key: 'Access-Control-Allow-Credentials', value: 'true' },
|
|
25
|
+
{ key: 'Access-Control-Allow-Headers', value: '*' },
|
|
26
|
+
{ key: 'Access-Control-Allow-Methods', value: '*' },
|
|
27
|
+
],
|
|
28
|
+
},
|
|
29
|
+
]
|
|
30
|
+
},
|
|
3
31
|
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
not-a-real-key
|
|
@@ -3,3 +3,47 @@ export const nextRulesFixture = {
|
|
|
3
3
|
publicSecret: process.env.NEXT_PUBLIC_API_SECRET,
|
|
4
4
|
publicToken: process.env.NEXT_PUBLIC_SESSION_TOKEN,
|
|
5
5
|
}
|
|
6
|
+
|
|
7
|
+
export const dangerouslySetInnerHtmlFixture =
|
|
8
|
+
"dangerouslySetInnerHTML={{ __html: '<img src=x onerror=alert(1) />' }}"
|
|
9
|
+
|
|
10
|
+
export const nextjsSecurityFixtures = `
|
|
11
|
+
innerHTML = html
|
|
12
|
+
outerHTML = html
|
|
13
|
+
insertAdjacentHTML('beforeend', html)
|
|
14
|
+
document.write(html)
|
|
15
|
+
document.writeln(html)
|
|
16
|
+
setHeader('Content-Security-Policy', "script-src 'self' 'unsafe-inline'")
|
|
17
|
+
setHeader('Content-Security-Policy', "script-src 'self' 'unsafe-eval'")
|
|
18
|
+
window.postMessage('hello', '*')
|
|
19
|
+
eval(userInput)
|
|
20
|
+
new RegExp(userInput)
|
|
21
|
+
new Function('return 1')()
|
|
22
|
+
setTimeout('alert(1)', 0)
|
|
23
|
+
setInterval('alert(1)', 0)
|
|
24
|
+
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0'
|
|
25
|
+
rejectUnauthorized: false
|
|
26
|
+
fetch('http://example.com')
|
|
27
|
+
axios.get('http://example.com')
|
|
28
|
+
exec('id')
|
|
29
|
+
execSync('id')
|
|
30
|
+
spawn('sh', ['-c', 'id'])
|
|
31
|
+
spawnSync('sh', ['-c', 'id'])
|
|
32
|
+
fork('worker.js')
|
|
33
|
+
crypto.createHash('md5')
|
|
34
|
+
crypto.createHash('sha1')
|
|
35
|
+
Math.random()
|
|
36
|
+
console.log(process.env.SECRET)
|
|
37
|
+
localStorage.setItem('auth_token', token)
|
|
38
|
+
sessionStorage.setItem('api_key', key)
|
|
39
|
+
document.cookie = 'session=abc'
|
|
40
|
+
cookie: { secure: false, httpOnly: false, sameSite: 'none', domain: '.example.com', path: '/' }
|
|
41
|
+
origin: '*'
|
|
42
|
+
res.setHeader('Location', req.query.next)
|
|
43
|
+
redirect(searchParams.get('next'))
|
|
44
|
+
debug: true
|
|
45
|
+
yaml.load(userInput)
|
|
46
|
+
vm.runInThisContext(code)
|
|
47
|
+
new vm.Script(code)
|
|
48
|
+
JSON.parse(req.body)
|
|
49
|
+
`
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
const assert = require('node:assert/strict')
|
|
2
|
+
const fs = require('node:fs/promises')
|
|
3
|
+
const path = require('node:path')
|
|
4
|
+
const test = require('node:test')
|
|
5
|
+
|
|
6
|
+
const { scanProject } = require('../dist/index.js')
|
|
7
|
+
|
|
8
|
+
test('nextjs ruleset has fixture coverage', async () => {
|
|
9
|
+
const fixtureRoot = path.join(__dirname, 'fixtures', 'monorepo', 'apps', 'web')
|
|
10
|
+
const rulesPath = path.join(__dirname, '..', '..', 'rulesets', 'nextjs', 'rules.json')
|
|
11
|
+
|
|
12
|
+
const raw = await fs.readFile(rulesPath, 'utf8')
|
|
13
|
+
const rules = JSON.parse(raw)
|
|
14
|
+
|
|
15
|
+
assert.ok(Array.isArray(rules))
|
|
16
|
+
assert.ok(rules.length >= 60, `Expected at least 60 nextjs rules, got ${rules.length}`)
|
|
17
|
+
|
|
18
|
+
const expectedIds = rules.map((r) => r.id)
|
|
19
|
+
const result = await scanProject({
|
|
20
|
+
rootDir: fixtureRoot,
|
|
21
|
+
pathBaseDir: fixtureRoot,
|
|
22
|
+
additionalRules: rules,
|
|
23
|
+
})
|
|
24
|
+
|
|
25
|
+
const foundIds = new Set(result.findings.map((finding) => finding.ruleId))
|
|
26
|
+
const missing = expectedIds.filter((id) => !foundIds.has(id))
|
|
27
|
+
|
|
28
|
+
assert.equal(missing.length, 0, `Missing nextjs fixture coverage for: ${missing.join(', ')}`)
|
|
29
|
+
})
|