Skip to content

Commit 4cf2e8e

Browse files
authored
Merge pull request #229 from coder13/agent/codeql-fixture-security
Harden security test fixtures
2 parents 7bbbacb + f268adb commit 4cf2e8e

2 files changed

Lines changed: 17 additions & 2 deletions

File tree

server/api/friends.test.js

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,8 +3,10 @@
33

44
const http = require('http');
55
const express = require('express');
6+
const rateLimit = require('express-rate-limit');
67

78
const createFriendsRouter = require('./friends');
9+
const { apiRateLimitOptions } = require('../middlewares/apiRateLimit');
810

911
const request = (server, {
1012
authenticated = true, body, method = 'GET', path = '/api/friends',
@@ -58,6 +60,7 @@ describe('friend REST routes', () => {
5860
};
5961
const app = express();
6062
app.use(express.json());
63+
app.use(rateLimit(apiRateLimitOptions()));
6164
app.use((req, res, next) => {
6265
req.isAuthenticated = () => req.headers.authorization === 'test-session';
6366
if (req.isAuthenticated()) {

server/middlewares/csrf.test.js

Lines changed: 14 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ const lusca = require('lusca');
88

99
const request = (server, { cookie, headers, method = 'GET', path = '/' } = {}) => new Promise((resolve, reject) => {
1010
const req = http.request({
11-
headers: { ...(cookie ? { cookie } : {}), ...headers },
11+
headers: { 'x-forwarded-proto': 'https', ...(cookie ? { cookie } : {}), ...headers },
1212
host: '127.0.0.1',
1313
method,
1414
path,
@@ -19,6 +19,7 @@ const request = (server, { cookie, headers, method = 'GET', path = '/' } = {}) =
1919
res.on('end', () => resolve({
2020
body: body ? JSON.parse(body) : null,
2121
cookie: res.headers['set-cookie'] && res.headers['set-cookie'][0].split(';')[0],
22+
setCookie: res.headers['set-cookie'] && res.headers['set-cookie'][0],
2223
status: res.statusCode,
2324
}));
2425
});
@@ -31,7 +32,17 @@ describe('CSRF protection', () => {
3132

3233
beforeEach((done) => {
3334
const app = express();
34-
app.use(session({ resave: false, saveUninitialized: false, secret: 'test-secret' }));
35+
app.set('trust proxy', 1);
36+
app.use(session({
37+
cookie: {
38+
httpOnly: true,
39+
sameSite: 'strict',
40+
secure: true,
41+
},
42+
resave: false,
43+
saveUninitialized: false,
44+
secret: 'test-secret',
45+
}));
3546
app.use(lusca.csrf());
3647
app.get('/csrf-token', (req, res) => res.json({ csrfToken: req.csrfToken() }));
3748
app.post('/change', (req, res) => res.json({ changed: true }));
@@ -51,6 +62,7 @@ describe('CSRF protection', () => {
5162
expect(tokenResponse.status).toBe(200);
5263
expect(tokenResponse.body.csrfToken).toEqual(expect.any(String));
5364
expect(tokenResponse.cookie).toEqual(expect.stringContaining('connect.sid='));
65+
expect(tokenResponse.setCookie).toEqual(expect.stringContaining('Secure'));
5466

5567
expect(await request(server, {
5668
cookie: tokenResponse.cookie,

0 commit comments

Comments
 (0)