@sectester/runner 0.32.0 → 0.33.0

package/README.md

@@ -82,7 +82,12 @@ Below you will find a list of parameters that can be used to configure a `Scan`:
 | `targetTimeout`        | Measure timeout responses from the target application globally, and stop the scan if the target is unresponsive for longer than the specified time. By default, 5min.                         |
 | `name`                 | The scan name. The method and hostname by default, e.g. `GET example.com`.                                                                                                                    |
 
-Finally, run a scan against your application:
+#### Endpoint scan
+
+To scan an existing endpoint in your application, invoke the run method with a `TargetOptions` argument.
+For `TargetOptions` details, please refer to this [link](https://github.com/NeuraLegion/sectester-js/tree/master/packages/scan#defining-a-target-for-attack).
+
+Example:
 
 ```ts
 await scan.run({
@@ -92,7 +97,28 @@ await scan.run({
 });
 ```
 
-The `run` method takes a single argument (for details, see [here](https://github.com/NeuraLegion/sectester-js/tree/master/packages/scan#defining-a-target-for-attack)), and returns promise that is resolved if scan finishes without any vulnerability found, and is rejected otherwise (on founding issue that meets threshold, on timeout, on scanning error).
+#### Function scan
+
+To focus on the security aspects of a particular function in your application, you can perform a function-specific scan.
+This automatically creates an auxiliary target with a POST endpoint under the hood.
+
+Example:
+
+```ts
+const inputSample = {
+  from: '2022-11-30',
+  to: '2024-06-21'
+};
+// assuming `calculateWeekdays` is your function under test
+const fn = ({ from, to }) => calculateWeekdays(from, to);
+
+const scan = runner.createScan({ tests: [TestType.DATE_MANIPULATION] });
+await scan.run({ inputSample, fn });
+```
+
+#### Scan execution details
+
+The `run` method returns promise that is resolved if scan finishes without any vulnerability found, and is rejected otherwise (on founding issue that meets threshold, on timeout, on scanning error).
 
 If any vulnerabilities are found, they will be pretty printed to stdout or stderr (depending on severity) by [reporter](https://github.com/NeuraLegion/sectester-js/tree/master/packages/reporter).
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sectester/runner",
-  "version": "0.32.0",
+  "version": "0.33.0",
   "description": "Run scanning for vulnerabilities just from your unit tests on CI phase.",
   "repository": {
     "type": "git",
@@ -33,6 +33,7 @@
     "brightsec"
   ],
   "dependencies": {
+    "fastify": "~4.15.0",
     "tslib": "~2.6.3"
   },
   "peerDependencies": {

package/src/lib/FunctionScanTarget.d.ts

@@ -0,0 +1,8 @@
+export declare class FunctionScanTarget {
+    private readonly server;
+    start<T>(fn: (input: T) => Promise<unknown>): Promise<{
+        url: string;
+    }>;
+    stop(): Promise<void>;
+    private handleRequest;
+}

package/src/lib/FunctionScanTarget.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FunctionScanTarget = void 0;
+const tslib_1 = require("tslib");
+const fastify_1 = tslib_1.__importDefault(require("fastify"));
+class FunctionScanTarget {
+    constructor() {
+        this.server = (0, fastify_1.default)();
+    }
+    async start(fn) {
+        this.server.post('/', (request, reply) => this.handleRequest(request, reply, fn));
+        const url = await this.server.listen({ port: 0, host: '127.0.0.1' });
+        return { url };
+    }
+    async stop() {
+        await this.server.close();
+    }
+    async handleRequest(request, reply, fn) {
+        try {
+            const result = await fn(request.body);
+            await reply.send(result !== null && result !== void 0 ? result : '');
+        }
+        catch (err) {
+            await reply.status(500).send(err);
+        }
+    }
+}
+exports.FunctionScanTarget = FunctionScanTarget;
+//# sourceMappingURL=FunctionScanTarget.js.map

package/src/lib/FunctionScanTarget.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"FunctionScanTarget.js","sourceRoot":"","sources":["../../../../../packages/runner/src/lib/FunctionScanTarget.ts"],"names":[],"mappings":";;;;AAAA,8DAAgE;AAEhE,MAAa,kBAAkB;IAA/B;QACmB,WAAM,GAAG,IAAA,iBAAO,GAAE,CAAC;IA8BtC,CAAC;IA5BQ,KAAK,CAAC,KAAK,CAChB,EAAkC;QAElC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,CACvC,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE,CAAC,CACvC,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;QAErE,OAAO,EAAE,GAAG,EAAE,CAAC;IACjB,CAAC;IAEM,KAAK,CAAC,IAAI;QACf,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;IAC5B,CAAC;IAEO,KAAK,CAAC,aAAa,CACzB,OAAuB,EACvB,KAAmB,EACnB,EAAkC;QAElC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAS,CAAC,CAAC;YAC3C,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,EAAE,CAAC,CAAC;QACjC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;CACF;AA/BD,gDA+BC"}

package/src/lib/SecScan.d.ts

@@ -1,5 +1,9 @@
 import { Formatter } from '@sectester/reporter';
 import { ScanFactory, ScanSettingsOptions, Severity, TargetOptions } from '@sectester/scan';
+export interface FunctionScanOptions<T> {
+    inputSample: T;
+    fn: (input: T) => Promise<unknown>;
+}
 export declare class SecScan {
     private readonly settings;
     private readonly scanFactory;
@@ -7,9 +11,10 @@ export declare class SecScan {
     private _threshold;
     private _timeout;
     constructor(settings: Omit<ScanSettingsOptions, 'target'>, scanFactory: ScanFactory, formatter: Formatter);
-    run(target: TargetOptions): Promise<void>;
+    run<T>(options: TargetOptions | FunctionScanOptions<T>): Promise<void>;
     threshold(severity: Severity): SecScan;
     timeout(value: number): SecScan;
     private assert;
     private findExpectedIssue;
+    private isFunctionScanOptions;
 }

package/src/lib/SecScan.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SecScan = void 0;
+const FunctionScanTarget_1 = require("./FunctionScanTarget");
 const IssueFound_1 = require("./IssueFound");
 const scan_1 = require("@sectester/scan");
 class SecScan {
@@ -11,10 +12,27 @@ class SecScan {
         this._threshold = scan_1.Severity.LOW;
         this._timeout = 600000;
     }
-    async run(target) {
+    async run(options) {
+        let functionScanTarget;
+        let targetOptions;
+        if (this.isFunctionScanOptions(options)) {
+            functionScanTarget = new FunctionScanTarget_1.FunctionScanTarget();
+            const { url } = await functionScanTarget.start(options.fn);
+            targetOptions = {
+                url,
+                method: 'POST',
+                body: options.inputSample,
+                ...(typeof options.inputSample === 'object'
+                    ? { headers: { 'content-type': 'application/json' } }
+                    : {})
+            };
+        }
+        else {
+            targetOptions = options;
+        }
         const scan = await this.scanFactory.createScan({
             ...this.settings,
-            target
+            target: targetOptions
         }, {
             timeout: this._timeout
         });
@@ -24,6 +42,7 @@ class SecScan {
         }
         finally {
             await scan.stop();
+            await (functionScanTarget === null || functionScanTarget === void 0 ? void 0 : functionScanTarget.stop());
         }
     }
     threshold(severity) {
@@ -46,6 +65,9 @@ class SecScan {
             return issues.find(x => { var _a; return (_a = scan_1.severityRanges.get(this._threshold)) === null || _a === void 0 ? void 0 : _a.includes(x.severity); });
         }
     }
+    isFunctionScanOptions(x) {
+        return !!x.fn;
+    }
 }
 exports.SecScan = SecScan;
 //# sourceMappingURL=SecScan.js.map

package/src/lib/SecScan.js.map

@@ -1 +1 @@
-{"version":3,"file":"SecScan.js","sourceRoot":"","sources":["../../../../../packages/runner/src/lib/SecScan.ts"],"names":[],"mappings":";;;AAAA,6CAA0C;AAE1C,0CAQyB;AAEzB,MAAa,OAAO;IAIlB,YACmB,QAA6C,EAC7C,WAAwB,EACxB,SAAoB;QAFpB,aAAQ,GAAR,QAAQ,CAAqC;QAC7C,gBAAW,GAAX,WAAW,CAAa;QACxB,cAAS,GAAT,SAAS,CAAW;QAN/B,eAAU,GAAG,eAAQ,CAAC,GAAG,CAAC;QAC1B,aAAQ,GAAG,MAAO,CAAC;IAMxB,CAAC;IAEG,KAAK,CAAC,GAAG,CAAC,MAAqB;QACpC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,CAC5C;YACE,GAAG,IAAI,CAAC,QAAQ;YAChB,MAAM;SACP,EACD;YACE,OAAO,EAAE,IAAI,CAAC,QAAQ;SACvB,CACF,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAEnC,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;IACH,CAAC;IAEM,SAAS,CAAC,QAAkB;QACjC,IAAI,CAAC,UAAU,GAAG,QAAQ,CAAC;QAE3B,OAAO,IAAI,CAAC;IACd,CAAC;IAEM,OAAO,CAAC,KAAa;QAC1B,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;QAEtB,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,MAAM,CAAC,IAAU;QAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAEjD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,IAAI,uBAAU,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,IAAU;QACxC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QAEnC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,WACrB,OAAA,MAAA,qBAAc,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,0CAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA,EAAA,CAC1D,CAAC;QACJ,CAAC;IACH,CAAC;CACF;AA3DD,0BA2DC"}
+{"version":3,"file":"SecScan.js","sourceRoot":"","sources":["../../../../../packages/runner/src/lib/SecScan.ts"],"names":[],"mappings":";;;AAAA,6DAA0D;AAC1D,6CAA0C;AAE1C,0CAQyB;AAOzB,MAAa,OAAO;IAIlB,YACmB,QAA6C,EAC7C,WAAwB,EACxB,SAAoB;QAFpB,aAAQ,GAAR,QAAQ,CAAqC;QAC7C,gBAAW,GAAX,WAAW,CAAa;QACxB,cAAS,GAAT,SAAS,CAAW;QAN/B,eAAU,GAAG,eAAQ,CAAC,GAAG,CAAC;QAC1B,aAAQ,GAAG,MAAO,CAAC;IAMxB,CAAC;IAEG,KAAK,CAAC,GAAG,CACd,OAA+C;QAE/C,IAAI,kBAAkD,CAAC;QAEvD,IAAI,aAA4B,CAAC;QACjC,IAAI,IAAI,CAAC,qBAAqB,CAAI,OAAO,CAAC,EAAE,CAAC;YAC3C,kBAAkB,GAAG,IAAI,uCAAkB,EAAE,CAAC;YAC9C,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAI,OAAO,CAAC,EAAE,CAAC,CAAC;YAE9D,aAAa,GAAG;gBACd,GAAG;gBACH,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,OAAO,CAAC,WAAW;gBACzB,GAAG,CAAC,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ;oBACzC,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE;oBACrD,CAAC,CAAC,EAAE,CAAC;aACR,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,aAAa,GAAG,OAAO,CAAC;QAC1B,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,CAC5C;YACE,GAAG,IAAI,CAAC,QAAQ;YAChB,MAAM,EAAE,aAAa;SACtB,EACD;YACE,OAAO,EAAE,IAAI,CAAC,QAAQ;SACvB,CACF,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAEnC,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;gBAAS,CAAC;YACT,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAClB,MAAM,CAAA,kBAAkB,aAAlB,kBAAkB,uBAAlB,kBAAkB,CAAE,IAAI,EAAE,CAAA,CAAC;QACnC,CAAC;IACH,CAAC;IAEM,SAAS,CAAC,QAAkB;QACjC,IAAI,CAAC,UAAU,GAAG,QAAQ,CAAC;QAE3B,OAAO,IAAI,CAAC;IACd,CAAC;IAEM,OAAO,CAAC,KAAa;QAC1B,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;QAEtB,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,MAAM,CAAC,IAAU;QAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAEjD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,IAAI,uBAAU,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,IAAU;QACxC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QAEnC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,WACrB,OAAA,MAAA,qBAAc,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,0CAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAA,EAAA,CAC1D,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,qBAAqB,CAAI,CAAM;QACrC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAChB,CAAC;CACF;AArFD,0BAqFC"}