npm - @reliabilityworks/core - Versions diffs - 0.2.0 → 0.4.0 - Mend

@reliabilityworks/core 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@reliabilityworks/core",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "scripts": {

package/test/expressRulesetCoverage.test.js ADDED Viewed

@@ -0,0 +1,29 @@
+const assert = require('node:assert/strict')
+const fs = require('node:fs/promises')
+const path = require('node:path')
+const test = require('node:test')
+const { scanProject } = require('../dist/index.js')
+test('express ruleset has fixture coverage', async () => {
+  const fixtureRoot = path.join(__dirname, 'fixtures', 'monorepo', 'apps', 'api')
+  const rulesPath = path.join(__dirname, '..', '..', 'rulesets', 'express', 'rules.json')
+  const raw = await fs.readFile(rulesPath, 'utf8')
+  const rules = JSON.parse(raw)
+  assert.ok(Array.isArray(rules))
+  assert.ok(rules.length >= 60, `Expected at least 60 express rules, got ${rules.length}`)
+  const expectedIds = rules.map((r) => r.id)
+  const result = await scanProject({
+    rootDir: fixtureRoot,
+    pathBaseDir: fixtureRoot,
+    additionalRules: rules,
+  })
+  const foundIds = new Set(result.findings.map((finding) => finding.ruleId))
+  const missing = expectedIds.filter((id) => !foundIds.has(id))
+  assert.equal(missing.length, 0, `Missing express fixture coverage for: ${missing.join(', ')}`)
+})

package/test/fixtures/monorepo/apps/api/express-rules.ts CHANGED Viewed

@@ -4,6 +4,71 @@ export const expressRulesFixture = {
   session: {
     cookie: {
       secure: false,
+      httpOnly: false,
+      sameSite: 'none',
+      domain: '.example.com',
+      path: '/',
     },
   },
 }
+export const expressSecurityFixtures = `
+app.set('trust proxy', true)
+trust proxy
+helmet()
+credentials: true
+Access-Control-Allow-Headers', '*'
+Access-Control-Allow-Methods', '*'
+X-Powered-By
+Content-Security-Policy', "script-src 'self' 'unsafe-inline'"
+Content-Security-Policy', "script-src 'self' 'unsafe-eval'"
+cookieParser('super-secret-cookie-parser')
+jwt.sign(payload, 'super-secret-jwt')
+algorithms: ['none']
+bcrypt.hash(password, 10)
+password === input
+bodyParser.json()
+express.json()
+express.urlencoded()
+upload.any()
+"/tmp/uploads"
+SELECT * FROM users + req.query.id
+$where
+new RegExp(req.query.q)
+res.redirect(req.query.next)
+res.redirect(302, req.query.next)
+debug: true
+morgan('dev')
+authorization console.log
+console.log(process.env.SECRET)
+eval(userInput)
+new Function('return 1')()
+exec('id')
+execSync('id')
+spawn('sh', ['-c', 'id'])
+spawnSync('sh', ['-c', 'id'])
+fork('worker.js')
+createHash('md5')
+createHash('sha1')
+Math.random()
+'http://example.com'
+process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0'
+rejectUnauthorized: false
+path.join(req.params.file)
+readFile(req.query.path)
+writeFile(req.query.path)
+http://localhost
+http://127.0.0.1
+169.254.169.254
+app.set('view engine', 'ejs')
+xml2js
+graphql-playground
+rateLimit()
+csrf: false
+secret: 'hardcoded-session-secret'
+passport-local
+allowlist
+req.body
+JSON.parse(req.body)
+new RegExp(userInput)
+`

package/test/fixtures/monorepo/apps/web/next.config.js CHANGED Viewed

@@ -1,3 +1,31 @@
 module.exports = {
   productionBrowserSourceMaps: true,
+  poweredByHeader: true,
+  reactStrictMode: false,
+  compress: false,
+  assetPrefix: 'http://cdn.example.com',
+  typescript: {
+    ignoreBuildErrors: true,
+  },
+  eslint: {
+    ignoreDuringBuilds: true,
+  },
+  images: {
+    dangerouslyAllowSVG: true,
+    domains: ['*'],
+    remotePatterns: [{ protocol: 'http', hostname: '**' }],
+  },
+  async headers() {
+    return [
+      {
+        source: '/api/:path*',
+        headers: [
+          { key: 'Access-Control-Allow-Origin', value: '*' },
+          { key: 'Access-Control-Allow-Credentials', value: 'true' },
+          { key: 'Access-Control-Allow-Headers', value: '*' },
+          { key: 'Access-Control-Allow-Methods', value: '*' },
+        ],
+      },
+    ]
+  },
 }

package/test/fixtures/monorepo/apps/web/public/app.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {}

package/test/fixtures/monorepo/apps/web/public/test.pem ADDED Viewed

	@@ -0,0 +1 @@
1	+ not-a-real-key

package/test/fixtures/monorepo/apps/web/src/next-rules.ts CHANGED Viewed

@@ -3,3 +3,47 @@ export const nextRulesFixture = {
   publicSecret: process.env.NEXT_PUBLIC_API_SECRET,
   publicToken: process.env.NEXT_PUBLIC_SESSION_TOKEN,
 }
+export const dangerouslySetInnerHtmlFixture =
+  "dangerouslySetInnerHTML={{ __html: '<img src=x onerror=alert(1) />' }}"
+export const nextjsSecurityFixtures = `
+innerHTML = html
+outerHTML = html
+insertAdjacentHTML('beforeend', html)
+document.write(html)
+document.writeln(html)
+setHeader('Content-Security-Policy', "script-src 'self' 'unsafe-inline'")
+setHeader('Content-Security-Policy', "script-src 'self' 'unsafe-eval'")
+window.postMessage('hello', '*')
+eval(userInput)
+new RegExp(userInput)
+new Function('return 1')()
+setTimeout('alert(1)', 0)
+setInterval('alert(1)', 0)
+process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0'
+rejectUnauthorized: false
+fetch('http://example.com')
+axios.get('http://example.com')
+exec('id')
+execSync('id')
+spawn('sh', ['-c', 'id'])
+spawnSync('sh', ['-c', 'id'])
+fork('worker.js')
+crypto.createHash('md5')
+crypto.createHash('sha1')
+Math.random()
+console.log(process.env.SECRET)
+localStorage.setItem('auth_token', token)
+sessionStorage.setItem('api_key', key)
+document.cookie = 'session=abc'
+cookie: { secure: false, httpOnly: false, sameSite: 'none', domain: '.example.com', path: '/' }
+origin: '*'
+res.setHeader('Location', req.query.next)
+redirect(searchParams.get('next'))
+debug: true
+yaml.load(userInput)
+vm.runInThisContext(code)
+new vm.Script(code)
+JSON.parse(req.body)
+`

package/test/nextjsRulesetCoverage.test.js ADDED Viewed

@@ -0,0 +1,29 @@
+const assert = require('node:assert/strict')
+const fs = require('node:fs/promises')
+const path = require('node:path')
+const test = require('node:test')
+const { scanProject } = require('../dist/index.js')
+test('nextjs ruleset has fixture coverage', async () => {
+  const fixtureRoot = path.join(__dirname, 'fixtures', 'monorepo', 'apps', 'web')
+  const rulesPath = path.join(__dirname, '..', '..', 'rulesets', 'nextjs', 'rules.json')
+  const raw = await fs.readFile(rulesPath, 'utf8')
+  const rules = JSON.parse(raw)
+  assert.ok(Array.isArray(rules))
+  assert.ok(rules.length >= 60, `Expected at least 60 nextjs rules, got ${rules.length}`)
+  const expectedIds = rules.map((r) => r.id)
+  const result = await scanProject({
+    rootDir: fixtureRoot,
+    pathBaseDir: fixtureRoot,
+    additionalRules: rules,
+  })
+  const foundIds = new Set(result.findings.map((finding) => finding.ruleId))
+  const missing = expectedIds.filter((id) => !foundIds.has(id))
+  assert.equal(missing.length, 0, `Missing nextjs fixture coverage for: ${missing.join(', ')}`)
+})