@reliabilityworks/core 0.3.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
const assert = require('node:assert/strict')
|
|
2
|
+
const fs = require('node:fs/promises')
|
|
3
|
+
const path = require('node:path')
|
|
4
|
+
const test = require('node:test')
|
|
5
|
+
|
|
6
|
+
const { scanProject } = require('../dist/index.js')
|
|
7
|
+
|
|
8
|
+
test('express ruleset has fixture coverage', async () => {
|
|
9
|
+
const fixtureRoot = path.join(__dirname, 'fixtures', 'monorepo', 'apps', 'api')
|
|
10
|
+
const rulesPath = path.join(__dirname, '..', '..', 'rulesets', 'express', 'rules.json')
|
|
11
|
+
|
|
12
|
+
const raw = await fs.readFile(rulesPath, 'utf8')
|
|
13
|
+
const rules = JSON.parse(raw)
|
|
14
|
+
|
|
15
|
+
assert.ok(Array.isArray(rules))
|
|
16
|
+
assert.ok(rules.length >= 60, `Expected at least 60 express rules, got ${rules.length}`)
|
|
17
|
+
|
|
18
|
+
const expectedIds = rules.map((r) => r.id)
|
|
19
|
+
const result = await scanProject({
|
|
20
|
+
rootDir: fixtureRoot,
|
|
21
|
+
pathBaseDir: fixtureRoot,
|
|
22
|
+
additionalRules: rules,
|
|
23
|
+
})
|
|
24
|
+
|
|
25
|
+
const foundIds = new Set(result.findings.map((finding) => finding.ruleId))
|
|
26
|
+
const missing = expectedIds.filter((id) => !foundIds.has(id))
|
|
27
|
+
|
|
28
|
+
assert.equal(missing.length, 0, `Missing express fixture coverage for: ${missing.join(', ')}`)
|
|
29
|
+
})
|
|
@@ -4,6 +4,71 @@ export const expressRulesFixture = {
|
|
|
4
4
|
session: {
|
|
5
5
|
cookie: {
|
|
6
6
|
secure: false,
|
|
7
|
+
httpOnly: false,
|
|
8
|
+
sameSite: 'none',
|
|
9
|
+
domain: '.example.com',
|
|
10
|
+
path: '/',
|
|
7
11
|
},
|
|
8
12
|
},
|
|
9
13
|
}
|
|
14
|
+
|
|
15
|
+
export const expressSecurityFixtures = `
|
|
16
|
+
app.set('trust proxy', true)
|
|
17
|
+
trust proxy
|
|
18
|
+
helmet()
|
|
19
|
+
credentials: true
|
|
20
|
+
Access-Control-Allow-Headers', '*'
|
|
21
|
+
Access-Control-Allow-Methods', '*'
|
|
22
|
+
X-Powered-By
|
|
23
|
+
Content-Security-Policy', "script-src 'self' 'unsafe-inline'"
|
|
24
|
+
Content-Security-Policy', "script-src 'self' 'unsafe-eval'"
|
|
25
|
+
cookieParser('super-secret-cookie-parser')
|
|
26
|
+
jwt.sign(payload, 'super-secret-jwt')
|
|
27
|
+
algorithms: ['none']
|
|
28
|
+
bcrypt.hash(password, 10)
|
|
29
|
+
password === input
|
|
30
|
+
bodyParser.json()
|
|
31
|
+
express.json()
|
|
32
|
+
express.urlencoded()
|
|
33
|
+
upload.any()
|
|
34
|
+
"/tmp/uploads"
|
|
35
|
+
SELECT * FROM users + req.query.id
|
|
36
|
+
$where
|
|
37
|
+
new RegExp(req.query.q)
|
|
38
|
+
res.redirect(req.query.next)
|
|
39
|
+
res.redirect(302, req.query.next)
|
|
40
|
+
debug: true
|
|
41
|
+
morgan('dev')
|
|
42
|
+
authorization console.log
|
|
43
|
+
console.log(process.env.SECRET)
|
|
44
|
+
eval(userInput)
|
|
45
|
+
new Function('return 1')()
|
|
46
|
+
exec('id')
|
|
47
|
+
execSync('id')
|
|
48
|
+
spawn('sh', ['-c', 'id'])
|
|
49
|
+
spawnSync('sh', ['-c', 'id'])
|
|
50
|
+
fork('worker.js')
|
|
51
|
+
createHash('md5')
|
|
52
|
+
createHash('sha1')
|
|
53
|
+
Math.random()
|
|
54
|
+
'http://example.com'
|
|
55
|
+
process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0'
|
|
56
|
+
rejectUnauthorized: false
|
|
57
|
+
path.join(req.params.file)
|
|
58
|
+
readFile(req.query.path)
|
|
59
|
+
writeFile(req.query.path)
|
|
60
|
+
http://localhost
|
|
61
|
+
http://127.0.0.1
|
|
62
|
+
169.254.169.254
|
|
63
|
+
app.set('view engine', 'ejs')
|
|
64
|
+
xml2js
|
|
65
|
+
graphql-playground
|
|
66
|
+
rateLimit()
|
|
67
|
+
csrf: false
|
|
68
|
+
secret: 'hardcoded-session-secret'
|
|
69
|
+
passport-local
|
|
70
|
+
allowlist
|
|
71
|
+
req.body
|
|
72
|
+
JSON.parse(req.body)
|
|
73
|
+
new RegExp(userInput)
|
|
74
|
+
`
|