38 changes: 38 additions & 0 deletions .env.example
@@ -0,0 +1,38 @@
# Environment Configuration Template
# Copy this file to .env and fill in your actual values
# NEVER commit .env file to git (it contains secrets)

# Test Execution Environment (qa, dev, prod)
TEST_EXECUTION_ENV=qa

# Application URLs
GOOGLE_URL=https://www.google.com/

# Test Data
SEARCH_KEYWORDS=Playwright by Testers Talk

# Dynamics 365 Credentials (Optional - for global setup/teardown)
DYN365_USERNAME=your_username_here
DYN365_PASSWORD=your_password_here
DYN365_ORGURL=https://your-org.crm.dynamics.com
CSH_APPID=your_csh_app_id
CSW_APPID=your_csw_app_id
CASE_NUMBER=CAS-xxx
CASE_TITLE=Case_

# API Testing Base URL
BASE_API_URL=https://restful-booker.herokuapp.com

# Azure DevOps Test Plan Integration (Optional)
# Set UPDATE_TEST_PLAN=Yes to enable automatic test result updates
UPDATE_TEST_PLAN=No
PIPELINE=No
TEST_PLAN_ID=12345
TEST_SUITE_ID=67890
TEST_PLAN_GET_API=https://dev.azure.com/{Organization}/{Project}/_apis/testplan/Plans/{0}/Suites/{1}/TestPoint?testCaseId={2}&api-version=7.2-preview.2
TEST_PLAN_PATCH_API=https://dev.azure.com/{Organization}/{Project}/_apis/test/Plans/{0}/Suites/{1}/points/{2}?api-version=7.2-preview.2

# Azure DevOps Authentication
# Use Personal Access Token (PAT) for better security
AZURE_DEVOPS_USER=your_email@example.com
AZURE_DEVOPS_PASS=your_personal_access_token_here
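Review bot: the template stores a plain password (`DYN365_PASSWORD`) and an Azure DevOps PAT (`AZURE_DEVOPS_PASS`) in the same file as non-secret settings, and the comment "Use Personal Access Token (PAT) for better security" does not say what the token needs to be allowed to do. Suggest a comment next to `AZURE_DEVOPS_PASS` stating the minimum PAT scope required for the test-plan GET/PATCH calls and a short expiry, and one at the top noting that in CI these values should come from the pipeline's secret store rather than a checked-in `.env` (the `.env` route is for local runs only). The `{Organization}`/`{Project}` placeholders in `TEST_PLAN_GET_API` and `TEST_PLAN_PATCH_API` would also benefit from a comment saying they must be replaced, since the `{0}`/`{1}`/`{2}` tokens look similar but are filled at runtime.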
7 changes: 6 additions & 1 deletion .gitignore
Expand Up @@ -8,4 +8,9 @@ node_modules/
/allure-report
/allure-results
/.DS_Store
/test-data/.DS_Store
/test-data/.DS_Store

# Environment variables (contains secrets)
.env
.env.local
.env.*.local
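Review bot: adding `.env` to `.gitignore` does not stop tracking a file that is already committed, and the accompanying SECURITY.md states that `.env` "was tracked in git". Nothing in this change set removes it from the index, so the secrets-bearing file will keep being committed on every change. Suggest including `git rm --cached .env` in this PR so the deletion lands alongside the ignore rule, and keeping the history-rewrite/rotation advice in SECURITY.md as the follow-up step.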
141 changes: 141 additions & 0 deletions SECURITY.md
@@ -0,0 +1,141 @@
# Security Policy

## πŸ”’ Security Improvements

This document tracks security enhancements made to the Playwright TypeScript Tutorial repository.

---

## Recent Security Fixes

### Dependency Vulnerabilities Resolved (2025-10)

#### 1. **Axios SSRF Vulnerability** βœ… FIXED
- **Package**: `axios`
- **Versions Affected**: 1.0.0 - 1.7.9
- **Severity**: HIGH
- **CVE**: GHSA-jr5f-v2jv-69x6
- **Issue**: Server-Side Request Forgery (SSRF) via absolute URLs
- **Fix**: Updated to `axios@1.12.2`

#### 2. **Axios DoS Vulnerability** βœ… FIXED
- **Package**: `axios`
- **Versions Affected**: 1.0.0 - 1.11.0
- **Severity**: HIGH (CVSS 7.5)
- **CVE**: GHSA-4hjh-wcwx-xvwj
- **Issue**: Denial of Service through lack of data size check
- **Fix**: Updated to `axios@1.12.2`

#### 3. **Form-Data Insecure Random** βœ… FIXED
- **Package**: `form-data` (indirect dependency)
- **Versions Affected**: 4.0.0 - 4.0.3
- **Severity**: CRITICAL
- **CVE**: GHSA-fjxv-7rqg-78g4
- **Issue**: Unsafe random function for boundary generation
- **Fix**: Auto-resolved via `npm audit fix`

#### 4. **Playwright Moderate Issues** βœ… FIXED
- **Package**: `@playwright/test`
- **Severity**: MODERATE
- **Fix**: Updated dependencies

---

### Credential Protection Enhancements

#### Environment Variables Security βœ… IMPLEMENTED
- **Issue**: `.env` file was tracked in git, exposing credentials
- **Fix**:
- Added `.env`, `.env.local`, `.env.*.local` to `.gitignore`
- Created `.env.example` template with dummy values
- Added security comments explaining proper usage

⚠️ **Note**: The `.env` file exists in git history. If you've committed real credentials:
1. Rotate all passwords/tokens immediately
2. Use Azure DevOps Personal Access Tokens (PAT) instead of passwords
3. For production use, consider using secret management tools (Azure Key Vault, AWS Secrets Manager)

---

## Known Issues

### xlsx Package Vulnerabilities (No Fix Available)
- **Package**: `xlsx@0.18.5`
- **Severity**: HIGH
- **CVEs**:
- GHSA-4r6h-8v6p-xvw6 (Prototype Pollution)
- GHSA-5pgg-2g8v-p4x9 (ReDoS)
- **Status**: No patch available from maintainer
- **Mitigation**: This package is used only for data-driven testing (reading Excel test data). Risk is minimal since:
- Not exposed to user input in production
- Only processes trusted test data files
- Running in isolated test environment

**Recommendation for Production**: If this codebase is adapted for production use, consider:
- Migrating Excel parsing to `exceljs` or `node-xlsx` (if patches become available)
- Converting Excel test data to JSON/CSV format
- Implementing input validation before parsing Excel files

---

## Security Best Practices

### For Development
1. **Never commit `.env` files** - Use `.env.example` templates
2. **Rotate credentials regularly** - Especially after code reviews/sharing
3. **Use minimal permissions** - Test accounts should have limited access
4. **Keep dependencies updated** - Run `npm audit` regularly

### For CI/CD
1. **Use secret management** - GitHub Secrets, Azure DevOps Secure Files
2. **Scan for secrets** - Use tools like `trufflehog` or `git-secrets`
3. **Enable Dependabot** - Automatic PR for security updates
4. **Run security scans** - Integrate `npm audit` in pipeline

### For Production Adaptation
1. **Implement input validation** - Use Zod/Joi schemas for all external data
2. **Add rate limiting** - Prevent abuse of API testing utilities
3. **Use structured logging** - Replace `console.log` with Winston/Pino
4. **Enable HTTPS only** - No plain HTTP connections
5. **Implement secret rotation** - Automate credential updates

---

## Reporting Security Issues

If you discover a security vulnerability:

1. **Do NOT open a public issue**
2. Email the maintainer directly (see package.json)
3. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We aim to respond within 48 hours and provide a fix within 7 days for critical issues.

---

## Security Audit History

| Date | Action | Status |
|------|--------|--------|
| 2025-10-21 | Initial security audit conducted | βœ… Complete |
| 2025-10-21 | Fixed axios SSRF/DoS vulnerabilities | βœ… Complete |
| 2025-10-21 | Implemented .env protection | βœ… Complete |
| 2025-10-21 | Documented xlsx known issue | βœ… Complete |

---

## Resources

- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [npm Security Best Practices](https://docs.npmjs.com/packages-and-modules/securing-your-code)
- [Playwright Security](https://playwright.dev/docs/library#browser-contexts)
- [GitHub Security Advisories](https://github.com/advisories)

---

**Last Updated**: 2025-10-21
**Maintained By**: Repository Owner
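Review bot: the four "**CVE**" fields under "Dependency Vulnerabilities Resolved" hold GHSA identifiers (e.g. `GHSA-jr5f-v2jv-69x6`, `GHSA-4hjh-wcwx-xvwj`), not CVE numbers; relabel them "Advisory" or "GHSA" so readers cross-reference the right database. Item 4 ("Playwright Moderate Issues") lists no advisory id, affected range or target version, unlike items 1 to 3; either add them or drop the entry, since "Updated dependencies" is not auditable. Two smaller points: the "Mitigation" bullets for `xlsx` say the package is "Not exposed to user input in production", which contradicts the later "Recommendation for Production" that assumes the code may be adapted for production, so it is worth stating plainly that the mitigation holds only while the package reads repository-controlled test files; and the "Reporting Security Issues" section points to `package.json` for a contact address, which should be verified to actually contain one.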