test(security): add security tests for article and profile endpoints

.github/workflows/bright.yml

@@ -0,0 +1,29 @@
+name: CI
+
+on:
+  pull_request:
+    branches:
+      - '**'
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    env:
+      BRIGHT_HOSTNAME: ${{ vars.BRIGHT_HOSTNAME }}
+      BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Set up Node.js
+      uses: actions/setup-node@v2
+      with:
+        node-version: '14'
+
+    - name: Install dependencies
+      run: npm install
+
+    - name: Run tests
+      run: npm test -- test/sec/*

test/sec/delete-articles-example-article-comments-1.test.js

@@ -0,0 +1,40 @@
+'use strict'
+const t = require('tap')
+const startServer = require('../setup-server')
+const { SecRunner, TestType, AttackParamLocation, Severity } = require('@sectester/runner')
+
+let runner
+
+// Increase the timeout for the tests
+jest.setTimeout(15 * 60 * 1000) // 15 minutes
+
+t.test('DELETE /articles/example-article/comments/1', async t => {
+  let server
+
+  t.beforeEach(async () => {
+    server = await startServer()
+    runner = new SecRunner({
+      hostname: process.env.BRIGHT_HOSTNAME
+    })
+    await runner.init()
+  })
+
+  t.teardown(async () => {
+    await runner.clear()
+    await server.close()
+  })
+
+  await runner.createScan({
+    tests: [TestType.BROKEN_ACCESS_CONTROL, TestType.JWT, 'id_enumeration'],
+    attackParamLocations: [AttackParamLocation.PATH]
+  })
+  .threshold(Severity.MEDIUM)
+  .timeout(15 * 60 * 1000)
+  .run({
+    method: 'DELETE',
+    url: 'http://localhost:3000/articles/example-article/comments/1',
+    headers: { 'Authorization': 'Token required_jwt_token' }
+  })
+
+  t.end()
+})

test/sec/delete-articles-slug-favorite.test.js

@@ -0,0 +1,40 @@
+'use strict'
+const t = require('tap')
+const startServer = require('../setup-server')
+const { SecRunner, TestType, AttackParamLocation, Severity } = require('@sectester/runner')
+
+let runner
+
+// Increase the timeout for the tests
+jest.setTimeout(15 * 60 * 1000) // 15 minutes
+
+t.test('DELETE /articles/:slug/favorite', async t => {
+  let server
+
+  t.beforeEach(async () => {
+    server = await startServer()
+    runner = new SecRunner({
+      hostname: process.env.BRIGHT_HOSTNAME
+    })
+    await runner.init()
+  })
+
+  t.teardown(async () => {
+    await runner.clear()
+    await server.close()
+  })
+
+  await runner.createScan({
+    tests: [TestType.JWT, TestType.BROKEN_ACCESS_CONTROL, 'CSRF', TestType.HTTP_METHOD_FUZZING],
+    attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.PATH]
+  })
+  .threshold(Severity.MEDIUM)
+  .timeout(15 * 60 * 1000)
+  .run({
+    method: 'DELETE',
+    url: `${server.baseUrl}/articles/:slug/favorite`,
+    headers: { 'Authorization': 'Token jwt.token.here' }
+  })
+
+  t.end()
+})

test/sec/delete-articles-slug.test.js

@@ -0,0 +1,44 @@
+'use strict'
+const t = require('tap')
+const startServer = require('../setup-server')
+const { SecRunner, TestType, AttackParamLocation, Severity } = require('@sectester/runner')
+
+let runner
+
+// Increase the timeout for the tests
+jest.setTimeout(15 * 60 * 1000) // 15 minutes
+
+t.test('DELETE /articles/:slug', async t => {
+  let server
+
+  t.beforeEach(async () => {
+    server = await startServer()
+    runner = new SecRunner({
+      hostname: process.env.BRIGHT_HOSTNAME
+    })
+    await runner.init()
+  })
+
+  t.teardown(async () => {
+    await runner.clear()
+    await server.close()
+  })
+
+  t.test('Security tests', async t => {
+    await runner.createScan({
+      tests: [TestType.BROKEN_ACCESS_CONTROL, TestType.JWT, 'csrf', TestType.SQLI],
+      attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.PATH]
+    })
+    .threshold(Severity.MEDIUM)
+    .timeout(15 * 60 * 1000)
+    .run({
+      method: 'DELETE',
+      url: `${server.baseUrl}/articles/:slug`,
+      headers: { 'Authorization': 'Token jwt.token.here' }
+    })
+
+    t.end()
+  })
+
+  t.end()
+})

test/sec/delete-profiles-johndoe-follow.test.js

@@ -0,0 +1,46 @@
+'use strict'
+const t = require('tap')
+const startServer = require('../setup-server')
+const { SecRunner, TestType, AttackParamLocation, Severity } = require('@sectester/runner')
+
+let runner
+
+// Increase the timeout for the tests
+jest.setTimeout(15 * 60 * 1000) // 15 minutes
+
+t.test('DELETE /profiles/johndoe/follow', async t => {
+  let server
+
+  t.beforeEach(async () => {
+    server = await startServer()
+    runner = new SecRunner({
+      hostname: process.env.BRIGHT_HOSTNAME
+    })
+    await runner.init()
+  })
+
+  t.teardown(async () => {
+    await runner.clear()
+    await server.close()
+  })
+
+  t.test('Security tests', async t => {
+    await runner.createScan({
+      tests: [TestType.JWT, TestType.BROKEN_ACCESS_CONTROL, 'csrf'],
+      attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.BODY]
+    })
+    .threshold(Severity.MEDIUM)
+    .timeout(15 * 60 * 1000)
+    .run({
+      method: 'DELETE',
+      url: `${server.baseUrl}/profiles/johndoe/follow`,
+      headers: {
+        Authorization: 'Token required_jwt_token'
+      }
+    })
+
+    t.end()
+  })
+
+  t.end()
+})

test/sec/get-api-user.test.js

@@ -0,0 +1,44 @@
+'use strict'
+const t = require('tap')
+const startServer = require('../setup-server')
+const { SecRunner, TestType, AttackParamLocation, Severity } = require('@sectester/runner')
+
+let runner
+
+// Increase the timeout for the tests
+jest.setTimeout(15 * 60 * 1000) // 15 minutes
+
+t.test('Security tests for GET /api/user', async t => {
+  let server
+
+  t.beforeEach(async () => {
+    server = await startServer()
+    runner = new SecRunner({
+      hostname: process.env.BRIGHT_HOSTNAME
+    })
+    await runner.init()
+  })
+
+  t.teardown(async () => {
+    await runner.clear()
+    await server.close()
+  })
+
+  t.test('GET /api/user', async t => {
+    await runner.createScan({
+      tests: [TestType.BROKEN_ACCESS_CONTROL, TestType.JWT, 'EXCESSIVE_DATA_EXPOSURE'],
+      attackParamLocations: [AttackParamLocation.HEADER]
+    })
+    .threshold(Severity.MEDIUM)
+    .timeout(15 * 60 * 1000)
+    .run({
+      method: 'GET',
+      url: 'http://localhost:3000/api/user',
+      headers: { 'Authorization': 'Bearer <token>' }
+    })
+
+    t.end()
+  })
+
+  t.end()
+})

test/sec/get-articles-example-article-comments.test.js

@@ -0,0 +1,44 @@
+'use strict'
+const t = require('tap')
+const startServer = require('../setup-server')
+const { SecRunner, TestType, AttackParamLocation, Severity } = require('@sectester/runner')
+
+let runner
+
+// Increase the timeout for the tests
+jest.setTimeout(15 * 60 * 1000) // 15 minutes
+
+t.test('Security tests for GET /articles/example-article/comments', async t => {
+  let server
+
+  t.beforeEach(async () => {
+    server = await startServer()
+    runner = new SecRunner({
+      hostname: process.env.BRIGHT_HOSTNAME
+    })
+    await runner.init()
+  })
+
+  t.teardown(async () => {
+    await runner.clear()
+    await server.close()
+  })
+
+  t.test('GET /articles/example-article/comments', async t => {
+    await runner.createScan({
+      tests: [TestType.JWT, 'excessive_data_exposure', 'broken_access_control'],
+      attackParamLocations: [AttackParamLocation.HEADER, AttackParamLocation.PATH]
+    })
+    .threshold(Severity.MEDIUM)
+    .timeout(15 * 60 * 1000)
+    .run({
+      method: 'GET',
+      url: 'http://localhost:3000/articles/example-article/comments',
+      headers: { 'Authorization': 'Token optional_jwt_token' }
+    })
+
+    t.end()
+  })
+
+  t.end()
+})

test/sec/get-articles-feed.test.js

@@ -0,0 +1,45 @@
+'use strict'
+const t = require('tap')
+const startServer = require('../setup-server')
+const { SecRunner, TestType, AttackParamLocation, Severity } = require('@sectester/runner')
+
+let runner
+
+// Increase the timeout for the tests
+jest.setTimeout(15 * 60 * 1000) // 15 minutes
+
+t.test('Security tests for GET /articles/feed', async t => {
+  let server
+
+  t.beforeEach(async () => {
+    server = await startServer()
+    runner = new SecRunner({
+      hostname: process.env.BRIGHT_HOSTNAME
+    })
+    await runner.init()
+  })
+
+  t.teardown(async () => {
+    await runner.clear()
+    await server.close()
+  })
+
+  t.test('GET /articles/feed', async t => {
+    await runner.createScan({
+      tests: [TestType.JWT, 'excessive_data_exposure', 'broken_access_control', TestType.HTTP_METHOD_FUZZING],
+      attackParamLocations: [AttackParamLocation.QUERY]
+    })
+    .threshold(Severity.MEDIUM)
+    .timeout(15 * 60 * 1000)
+    .run({
+      method: 'GET',
+      url: '/articles/feed',
+      headers: { 'Authorization': 'Token jwt.token.here' },
+      queryString: { limit: 'number', offset: 'number' }
+    })
+
+    t.end()
+  })
+
+  t.end()
+})

test/sec/get-articles-slug.test.js

@@ -0,0 +1,48 @@
+'use strict'
+const t = require('tap')
+const startServer = require('../setup-server')
+const { SecRunner, TestType, AttackParamLocation, Severity } = require('@sectester/runner')
+
+let runner
+
+// Increase the timeout for the tests
+jest.setTimeout(15 * 60 * 1000) // 15 minutes
+
+t.test('Security tests for GET /articles/:slug', async t => {
+  let server
+
+  t.beforeEach(async () => {
+    server = await startServer()
+    runner = new SecRunner({
+      hostname: process.env.BRIGHT_HOSTNAME
+    })
+    await runner.init()
+  })
+
+  t.teardown(async () => {
+    await runner.clear()
+    await server.close()
+  })
+
+  t.test('GET /articles/:slug', async t => {
+    await runner.createScan({
+      tests: [
+        TestType.BROKEN_ACCESS_CONTROL,
+        TestType.EXCESSIVE_DATA_EXPOSURE,
+        'id_enumeration',
+        TestType.XSS
+      ],
+      attackParamLocations: [AttackParamLocation.PATH]
+    })
+    .threshold(Severity.MEDIUM)
+    .timeout(15 * 60 * 1000)
+    .run({
+      method: 'GET',
+      url: `${server.baseUrl}/articles/test-slug`
+    })
+
+    t.end()
+  })
+
+  t.end()
+})