This repository was archived by the owner on Mar 20, 2020. It is now read-only.

Shared code for use in Contrast's Node.js test apps

Contrast-Security-OSS/test-bench-utils


@contrast/test-bench-utils

Shared code for use in Contrast's Node.js test apps.

NOTE:

When working on this module, require hooks will not run against the correct module if it is npm linked. For the module and the application to share modules correctly, it is recommended to install this module into the application from a local path while developing, e.g. in the application's package.json:

{
  "dependencies": {
    "@contrast/test-bench-utils": "../test-bench-utils"
  }
}

Adding a shared sink to multiple apps

Under lib/routes.js, create a sink definition with the following form:

  [ruleName: string]: {
    base: string,                    // '/cmdInjection',
    name: string,                    // 'Command Injection',
    link: string,                    // 'https://www.owasp.org/index.php/Command_Injection',
    products: string[],              // ['Assess', 'Protect']
    inputs: string[],                // ['query'],
    sinks: Object<string, Function>, // sinks.commandInjection
  }

Then create a file under lib/sinks/ that exports functions with a consistent signature:

  /**
   * @param {string} input user input string
   * @param {Object} opts
   * @param {boolean=} opts.safe are we calling the sink safely?
   * @param {boolean=} opts.noop are we calling the sink as a noop?
   */
  module.exports['sinkName'] = async function sink(input, { safe = false, noop = false } = {}) {};

Each framework's endpoint handler calls the sink function with the appropriate options. By default, the /unsafe endpoint calls the function with the raw user input, and the /safe and /noop endpoints call it with the safe and noop options set to true, respectively.
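The wiring described above, as an added example that is not code from test-bench-utils: a sink definition in the documented shape, a stand-in sink with the shared signature, and a framework-agnostic helper that derives the /unsafe, /safe and /noop handlers from the definition. The route shape `${base}/${sinkName}/${mode}`, the `buildRoutes` helper, the `input` parameter name and the plain `{ query, body }` request object are assumptions made for this example.

```javascript
// Stand-in sink following the shared signature. It records how it was
// called instead of running anything, so the example runs offline.
const sinkCalls = [];
const sinks = {
  async commandInjection(input, { safe = false, noop = false } = {}) {
    sinkCalls.push({ input, safe, noop });
    return noop ? null : input;
  },
};

// Sink definition in the form documented for lib/routes.js.
const routes = {
  cmdInjection: {
    base: '/cmdInjection',
    name: 'Command Injection',
    link: 'https://www.owasp.org/index.php/Command_Injection',
    products: ['Assess', 'Protect'],
    inputs: ['query'],
    sinks: { commandInjection: sinks.commandInjection },
  },
};

// Options each endpoint passes to the sink: /unsafe gets raw input only,
// /safe and /noop set the matching flag.
const MODES = { unsafe: {}, safe: { safe: true }, noop: { noop: true } };

// Read user input from the first declared input source ('query' or 'body'),
// using an assumed parameter name of `input`.
function extractInput(req, def) {
  const source = def.inputs[0];
  return (req[source] && req[source].input) || '';
}

// Derive [{ path, handler }] for every sink and mode in one definition.
// The path shape `${base}/${sinkName}/${mode}` is an assumption.
function buildRoutes(def) {
  const out = [];
  for (const [sinkName, sink] of Object.entries(def.sinks)) {
    for (const [mode, opts] of Object.entries(MODES)) {
      out.push({
        path: `${def.base}/${sinkName}/${mode}`,
        handler: (req) => sink(extractInput(req, def), opts),
      });
    }
  }
  return out;
}

module.exports = { routes, sinks, buildRoutes, sinkCalls };
```

A framework adapter would register each `path` with its own router and adapt its request object to the `{ query, body }` shape before calling `handler`.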

Front-end content

If there is any custom data you want to provide to the test bench front end, you can export it from lib/content/. For example, we export the following XML string as a potential attack for the xxe rule:

lib/content/xxe.js

module.exports.attackXml = `
<!DOCTYPE read-fs [<!ELEMENT read-fs ANY >
<!ENTITY passwd SYSTEM "file:///etc/passwd" >]>
<users>
  <user>
    <read-fs>&passwd;</read-fs>
    <name>C.K Frode</name>
  </user>
</users>`;

This string is then used by the xxe.ejs view in @contrast/test-bench-content to render an input prepopulated with the attack value.

Views

After you have configured a sink within @contrast/test-bench-utils, you should add a shared view in @contrast/test-bench-content.

Test Bench Applications

Once you have configured the shared sink and view, consult the following instructions for including the shared functionality in each test bench app:
