feat: harden security headers and use crypto module for uuid and hash…

…es (#535)
stryker-mutator · Mar 8, 2024 · 6798b9d · 6798b9d
1 parent bc3f165
commit 6798b9d
Show file tree

Hide file tree

Showing 8 changed files with 86 additions and 86 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/website-backend/.vscode/tasks.json b/packages/website-backend/.vscode/tasks.json
@@ -5,7 +5,7 @@
     {
       "label": "🐱‍👤 run server with nodemon",
       "type": "npm",
-      "script": "start",
+      "script": "start:watch",
       "isBackground": true,
       "group": "build",
       "options": {

diff --git a/packages/website-backend/package.json b/packages/website-backend/package.json
@@ -8,6 +8,7 @@
   },
   "scripts": {
     "start": "node dist/src/index.js",
+    "start:watch": "node --watch dist/src/index.js",
     "test": "c8 --check-coverage --reporter=html --report-dir=reports/coverage --lines 80 --functions 75 --branches 61 mocha --node-option enable-source-maps \"dist/test/**/*.js\"",
     "stryker": "stryker run"
   },
@@ -31,27 +32,22 @@
     "@stryker-mutator/dashboard-frontend": "0.13.4",
     "ajv": "8.12.0",
     "ajv-formats": "2.1.1",
-    "body-parser": "1.20.2",
     "compression": "1.7.4",
     "express": "4.18.3",
     "express-jwt": "8.4.1",
-    "js-sha512": "0.9.0",
+    "helmet": "7.1.0",
     "passport": "0.7.0",
-    "passport-github2": "0.1.12",
-    "sha512": "0.0.1",
-    "uuid": "9.0.1"
+    "passport-github2": "0.1.12"
   },
   "devDependencies": {
     "@nestjs/schematics": "10.1.1",
     "@nestjs/testing": "10.3.3",
-    "@types/body-parser": "1.19.5",
     "@types/compression": "1.7.5",
     "@types/express": "4.17.21",
     "@types/jsonwebtoken": "9.0.6",
     "@types/passport": "1.0.16",
     "@types/passport-github2": "1.2.9",
     "@types/supertest": "6.0.2",
-    "@types/uuid": "9.0.8",
     "mutation-testing-report-schema": "3.0.2",
     "supertest": "6.3.4"
   },

diff --git a/packages/website-backend/src/index.ts b/packages/website-backend/src/index.ts
@@ -5,17 +5,19 @@ import Configuration from './services/Configuration.js';
 import { githubStrategy } from './middleware/security.middleware.js';
 import { INestApplication } from '@nestjs/common';
 import DataAccess from './services/DataAccess.js';
-import parser from 'body-parser';
 import compression from 'compression';
+import helmet from 'helmet';
+import { NestExpressApplication } from '@nestjs/platform-express';
 
 async function bootstrap() {
-  const app = await NestFactory.create(AppModule);
+  const app = await NestFactory.create<NestExpressApplication>(AppModule);
   app.setGlobalPrefix('/api');
 
+  configureSecurityHeaders(app);
   configureAzureStorage(app);
   configurePassport(app);
 
-  app.use(parser.json({ limit: '100mb' }));
+  app.useBodyParser('json', { limit: '100mb' });
   app.use(compression());
   await app.listen(1337);
 }
@@ -44,4 +46,25 @@ function configurePassport(app: INestApplication) {
   app.use(passport.initialize());
 }
 
+function configureSecurityHeaders(app: INestApplication) {
+  app.enableCors({ origin: true, credentials: true });
+  app.use(
+    helmet({
+      contentSecurityPolicy: {
+        directives: {
+          imgSrc: [
+            `'self'`,
+            'data:',
+            'https://stryker-mutator.io',
+            'avatars.githubusercontent.com',
+            'img.shields.io',
+          ],
+          scriptSrc: [`'self'`, `'unsafe-inline'`],
+          scriptSrcAttr: [`'unsafe-inline'`],
+        },
+      },
+    }),
+  );
+}
+
 bootstrap();
diff --git a/packages/website-backend/src/types.ts b/packages/website-backend/src/types.ts
diff --git a/packages/website-backend/src/utils/utils.ts b/packages/website-backend/src/utils/utils.ts
@@ -1,7 +1,6 @@
-import { v4 as uuidV4 } from 'uuid';
-import { sha512_256 } from 'js-sha512';
 import { InvalidSlugError, Slug } from '@stryker-mutator/dashboard-common';
 import { NotFoundException } from '@nestjs/common';
+import { createHash, randomUUID } from 'crypto';
 
 export function parseSlug(slug: string) {
   try {
@@ -35,10 +34,10 @@ export default {
   },
 
   generateApiKey(): string {
-    return uuidV4();
+    return randomUUID();
   },
 
   generateHashValue(value: string): string {
-    return sha512_256(value);
+    return createHash('sha512-256').update(value).digest('hex');
   },
 };
diff --git a/packages/website-backend/test/helpers/types.ts b/packages/website-backend/test/helpers/types.ts
diff --git a/packages/website-backend/test/unit/utils/utils.spec.ts b/packages/website-backend/test/unit/utils/utils.spec.ts
@@ -0,0 +1,36 @@
+import { expect } from 'chai';
+import utils from '../../../src/utils/utils.js';
+
+describe('utils', () => {
+  describe(utils.generateApiKey.name, () => {
+    it('should generate a random UUID', () => {
+      const result = utils.generateApiKey();
+      expect(result).matches(
+        /[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89ab][a-f0-9]{3}-[a-f0-9]{12}/,
+      );
+    });
+
+    it('should generate a different UUID each time', () => {
+      const result1 = utils.generateApiKey();
+      const result2 = utils.generateApiKey();
+      expect(result1).not.eq(result2);
+    });
+  });
+
+  describe(utils.generateHashValue.name, () => {
+    it('should generate the same hash for the same input', () => {
+      const result = utils.generateHashValue(
+        '6eb108e0-439a-4ed6-abf4-bed07411d970',
+      );
+      expect(result).eq(
+        '75af68c90547024e9b2ee9ae0e01d6ccad69846e3f457f1b4462654ad2dc71c8',
+      );
+    });
+
+    it('should generate a different hash value for different input', () => {
+      const result1 = utils.generateHashValue('test1');
+      const result2 = utils.generateHashValue('test2');
+      expect(result1).not.eq(result2);
+    });
+  });
+});