Tests for InsecureHelmet

2026-04-25 08:45:14 +02:00 · 2024-05-20 12:05:42 +01:00
parent 3a885eaf9f
commit 8300aeb0a0
4 changed files with 34 additions and 0 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-693/InsecureHelment.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-693/InsecureHelment.expected
@@ -0,0 +1,2 @@
+| InsecureHelmetBad.js:7:5:7:32 | content ... : false | Helmet route handler, called with $@ set to 'false' | InsecureHelmetBad.js:7:5:7:32 | content ... : false | contentSecurityPolicy |
+| InsecureHelmetBad.js:8:5:8:21 | frameguard: false | Helmet route handler, called with $@ set to 'false' | InsecureHelmetBad.js:8:5:8:21 | frameguard: false | frameguard |
--- a/javascript/ql/test/query-tests/Security/CWE-693/InsecureHelment.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-693/InsecureHelment.qlref
@@ -0,0 +1 @@
+Security/CWE-693/InsecureHelmet.ql
--- a/javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmetBad.js
+++ b/javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmetBad.js
@@ -0,0 +1,17 @@
+const express = require("express");
+const helmet = require("helmet");
+
+const app = express();
+
+app.use(helmet({
+    contentSecurityPolicy: false, // BAD: switch off default CSP
+    frameguard: false // BAD: switch off default frameguard
+}));
+
+app.get("/", (req, res) => {
+  res.send("Hello, world!");
+});
+
+app.listen(3000, () => {
+  console.log("App is listening on port 3000");
+});
--- a/javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmetGood.js
+++ b/javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmetGood.js
@@ -0,0 +1,14 @@
+const express = require("express");
+const helmet = require("helmet");
+
+const app = express();
+
+app.use(helmet());  // GOOD: use the defaults
+
+app.get("/", (req, res) => {
+  res.send("Hello, world!");
+});
+
+app.listen(3000, () => {
+  console.log("App is listening on port 3000");
+});