From f122013d5a82747bcecd2b507cb932a5dd427641 Mon Sep 17 00:00:00 2001
From: Aleksandr Borovskii
Date: Thu, 27 Mar 2025 20:46:02 +0100
Subject: [PATCH 1/4] test

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index d65e15af..33e038dc 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+test
+
 Mosca   [![Build Status](https://travis-ci.org/mcollina/mosca.svg)](https://travis-ci.org/mcollina/mosca)  [![Coverage Status](https://coveralls.io/repos/mcollina/mosca/badge.svg)](https://coveralls.io/r/mcollina/mosca)
 ====================
 

From 0f6fcfa422c4a3c3615bdc3aaa07f0c1e9c5868d Mon Sep 17 00:00:00 2001
From: "bright-star-golf-test-org[bot]" <203250126+bright-star-golf-test-org[bot]@users.noreply.github.com>
Date: Thu, 27 Mar 2025 20:02:23 +0000
Subject: [PATCH 2/4] chore: initialize PR with an empty commit

skip-checks:true

From cf3fd989ee0df0a25f71cd17eb84197e2222e0cc Mon Sep 17 00:00:00 2001
From: "bright-star-golf-test-org[bot]" <203250126+bright-star-golf-test-org[bot]@users.noreply.github.com>
Date: Thu, 27 Mar 2025 20:03:25 +0000
Subject: [PATCH 3/4] ci: temporarily disable workflows while addressing security issues

skip-checks:true

From 2e5b08da4db153dd81c0074ace3dc0db41494862 Mon Sep 17 00:00:00 2001
From: "bright-star-golf-test-org[bot]" <203250126+bright-star-golf-test-org[bot]@users.noreply.github.com>
Date: Thu, 27 Mar 2025 20:05:09 +0000
Subject: [PATCH 4/4] test: add auto-generated e2e security tests

skip-checks:true
---
 .../tests/delete-rmuser-sampleuser.test.ts | 33 +++++++++++++++++
 .brightsec/tests/post-adduser.test.ts | 35 +++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 .brightsec/tests/delete-rmuser-sampleuser.test.ts
 create mode 100644 .brightsec/tests/post-adduser.test.ts

diff --git a/.brightsec/tests/delete-rmuser-sampleuser.test.ts b/.brightsec/tests/delete-rmuser-sampleuser.test.ts
new file mode 100644
index 00000000..5e4aa666
--- /dev/null
+++ b/.brightsec/tests/delete-rmuser-sampleuser.test.ts
@@ -0,0 +1,33 @@
+import { test, before, after } from 'node:test';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+import { SecRunner } from '@sectester/runner';
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+test('DELETE /rmuser/sampleUser', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['csrf', 'bopla', 'excessive_data_exposure', 'mass_assignment', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.PATH]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.DELETE,
+ url: `${baseUrl}/rmuser/sampleUser`
+ });
+});
diff --git a/.brightsec/tests/post-adduser.test.ts b/.brightsec/tests/post-adduser.test.ts
new file mode 100644
index 00000000..bc023841
--- /dev/null
+++ b/.brightsec/tests/post-adduser.test.ts
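Review bot: The three `process.env.*!` non-null assertions on the `hostname:`, `projectId:` and `const baseUrl` lines turn a missing variable into `undefined` that only surfaces later as an opaque failure inside `runner.init()` or as a request to the literal URL `undefined/rmuser/sampleUser`; read them through one guarded helper instead, e.g. `const requireEnv = (name: string): string => { const v = process.env[name]; if (!v) throw new Error(name + ' is not set'); return v; };`. Relatedly, `after(() => runner.clear())` runs even when `before` threw before assigning `runner`, so the resulting TypeError masks the original error; `let runner: SecRunner | undefined;` together with `after(() => runner?.clear());` keeps the first failure visible. The same setup block is duplicated verbatim in the post-adduser.test.ts hunk, so the fix belongs in a small shared helper that both generated files import rather than being patched twice.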
@@ -0,0 +1,35 @@
+import { test, before, after } from 'node:test';
+import { Severity, AttackParamLocation, HttpMethod } from '@sectester/scan';
+import { SecRunner } from '@sectester/runner';
+
+let runner!: SecRunner;
+
+before(async () => {
+ runner = new SecRunner({
+ hostname: process.env.BRIGHT_HOSTNAME!,
+ projectId: process.env.BRIGHT_PROJECT_ID!
+ });
+
+ await runner.init();
+});
+
+after(() => runner.clear());
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+test('POST /adduser', { signal: AbortSignal.timeout(timeout) }, async () => {
+ await runner
+ .createScan({
+ tests: ['mass_assignment', 'excessive_data_exposure', 'csrf', 'xss', 'secret_tokens'],
+ attackParamLocations: [AttackParamLocation.BODY]
+ })
+ .threshold(Severity.CRITICAL)
+ .timeout(timeout)
+ .run({
+ method: HttpMethod.POST,
+ url: `${baseUrl}/adduser`,
+ body: JSON.stringify({ username: 'sampleUser', password: 'samplePass' }),
+ headers: { 'Content-Type': 'application/json' }
+ });
+});
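Review bot: The fixture name `'sampleUser'` in the JSON body on the `body:` line is the same identifier the DELETE test in delete-rmuser-sampleuser.test.ts embeds in its URL path, yet each file spells it out as its own literal, so renaming one silently desynchronises the pair. The runner appears to treat the two files as independent test files with no ordering guarantee between them, so the DELETE scan may target a user this POST never created; if a create-then-delete pair is intended, both requests belong in one file, otherwise at least hoist the name into a shared fixture such as `export const SAMPLE_USERNAME = 'sampleUser';` that both files import. The hard-coded `password: 'samplePass'` is fine for a fixture but deserves a one-line comment saying it is a throwaway value for the scan target, so nobody later mistakes it for a real credential.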