pay-js-commons/src/utils/middleware/csp.test.js at b02fe6379b94690777a6e89f3bd06b368fac8684 · alphagov/pay-js-commons · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
/* eslint-disable */
const request = require('supertest')
const express = require('express')
const sinon = require('sinon')
const { expect } = require('chai')

const loggingSpy = { info: sinon.spy() }
const sentrySpy = { captureEvent: sinon.spy() }

const {
  hasSubstr,
  rateLimitMiddleware,
  captureEventMiddleware,
  requestParseMiddleware,
  detectErrorsMiddleware
} = require('./csp')

const cspMiddlewareStack = [
  rateLimitMiddleware,
  requestParseMiddleware(2000, express),
  detectErrorsMiddleware(loggingSpy),
  captureEventMiddleware([
    'banned.com'// ignored domain
  ],
  loggingSpy,
  sentrySpy)
]

describe('CSP middleware', () => {
  describe('hasSubstr', () => {
    const testCase = 'lorem ipsum dolor sit amet'

    it('returns true when substring is detected', () => {
      const lookupStrings = ['ipsum']
      const result = hasSubstr(lookupStrings, testCase)
      expect(result).to.equal(true)
    })

    it('returns false when substring is not detected', () => {
      const lookupStrings = ['consectetur']
      const result = hasSubstr(lookupStrings, testCase)
      expect(result).to.equal(false)
    })

    it('ignores case when comparing', () => {
      const lookupStrings = ['DOLOR']
      const result = hasSubstr(lookupStrings, testCase)
      expect(result).to.equal(true)
    })

    it('handles multiple lookup strings', () => {
      const lookupStrings = ['consectetur', 'LOREM']
      const result = hasSubstr(lookupStrings, testCase)
      expect(result).to.equal(true)
    })
  })

  describe('CSP report endpoint', () => {
    const underTest = express()
    underTest.enable('trust proxy')
    underTest.set('trust proxy', 3)
    underTest.use('/test', cspMiddlewareStack)

    beforeEach(() => {
      loggingSpy.info.resetHistory()
      sentrySpy.captureEvent.resetHistory()
    })

    const validReportUriPayload = {
      'csp-report': {
        'document-uri': 'https://example.com/page-with-violation',
        'referrer': '',
        'violated-directive': 'script-src \'self\'',
        'effective-directive': 'script-src',
        'original-policy': 'default-src \'none\'; script-src \'self\'; object-src \'self\'; report-to: default',
        'disposition': 'enforce',
        'blocked-uri': 'https://evil.example.com/malicious.js',
        'line-number': 22,
        'column-number': 13,
        'source-file': 'https://example.com/script.js',
        'status-code': 200,
        'script-sample': ''
      }
    }

    const validReportingAPIPayload = [
      {
        'age': 2,
        'body': {
          'blockedURL': 'https://site2.example/script.js',
          'disposition': 'enforce',
          'documentURL': 'https://site.example',
          'effectiveDirective': 'script-src-elem',
          'originalPolicy': 'script-src \'self\'; object-src \'none\'; report-to main-endpoint;',
          'referrer': 'https://site.example',
          'sample': '',
          'statusCode': 200
        },
        'type': 'csp-violation',
        'url': 'https://site.example',
        'user_agent': 'Mozilla/5.0... Chrome/92.0.4504.0'
      }
    ]

    const validPayloads = [
      { arg: validReportUriPayload, expectedMessage: 'Blocked script-src \'self\' from https://evil.example.com/malicious.js', expectedReport: validReportUriPayload['csp-report'], type: 'report-uri' },
      { arg: validReportingAPIPayload, expectedMessage: 'Blocked script-src-elem from https://site2.example/script.js', expectedReport: validReportingAPIPayload[0]['body'], type: 'reporting api' }
    ]

    validPayloads.forEach(test => {
      it(`should return 204 and send to sentry if a valid ${test.type} csp report is present`, async () => {
        await request(underTest)
          .post('/test')
          .set('user-agent', 'supertest')
          .send(test.arg)
          .expect(204)

        expect(sentrySpy.captureEvent.calledOnce).to.be.true
        expect(sentrySpy.captureEvent.calledWith({
          message: test.expectedMessage,
          level: 'warning',
          extra: {
            'cspReport': test.expectedReport,
            'userAgent': 'supertest'
          }
        })).to.be.true
      })
    })

    it('should return 204 and not send to sentry if a valid csp report is present but the blocked-uri is ignored', async () => {
      await request(underTest)
        .post('/test')
        .set('user-agent', 'supertest')
        .send({
          'csp-report': {
            'blocked-uri': 'https://www.banned.com',
            'violated-directive': 'connect-src'
          }
        })
        .expect(204)

      expect(sentrySpy.captureEvent.notCalled).to.be.true
    })

    it('should return 400 if content-type is unexpected', async () => {
      await request(underTest)
        .post('/test')
        .set('content-type', 'application/x-www-form-urlencoded')
        .send(validReportUriPayload)
        .expect(400)
    })

    it('should return 400 if payload is too large', async () => {

      const largePayload = {
        ...validReportUriPayload,
        'large_value': 'some text here x1000'.repeat(1000)
      }

      await request(underTest)
        .post('/test')
        .send(largePayload)
        .expect(400)

      expect(loggingSpy.info.calledOnce).to.be.true
      expect(loggingSpy.info.calledWith('CSP violation request payload exceeds maximum size')).to.be.true
    })

    it('should return 400 if request is not JSON', async () => {
      await request(underTest)
        .post('/test')
        .set('content-type', 'application/json')
        .send('notJSON')
        .expect(400)

      expect(loggingSpy.info.calledOnce).to.be.true
      expect(loggingSpy.info.calledWith('CSP violation request payload did not match expected content type')).to.be.true
    })

    it('should return 400 if json does not included expected values', async () => {
      await request(underTest)
        .post('/test')
        .send({ key: 'value' })
        .expect(400)
    })

    it('should return 429 if too many requests are made and respect trust proxy settings', async () => {

      // X-Forwarded-For: <client>, <proxy1>, <proxy2>, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
      // make 10 requests for each 'IP', the 11th should be rate limited

      for (let i = 0; i < 10; i++) {
        await request(underTest)
          .post('/test')
          .set('x-forwarded-for', '1.2.3.4, 2.2.2.2, 3.3.3.3')
          .send(validReportingAPIPayload)
          .expect(204)

        await request(underTest)
          .post('/test')
          .set('x-forwarded-for', '5.6.7.8, 2.2.2.2, 3.3.3.3')
          .send(validReportUriPayload)
          .expect(204)
      }

      await request(underTest)
        .post('/test')
        .set('x-forwarded-for', '1.2.3.4, 2.2.2.2, 3.3.3.3')
        .send(validReportUriPayload)
        .expect(429)

      await request(underTest)
        .post('/test')
        .set('x-forwarded-for', '5.6.7.8, 2.2.2.2, 3.3.3.3')
        .send(validReportingAPIPayload)
        .expect(429)
    })
  })
})