✨ automated testing

Author: ctcpip

security/server/index.cjs

@@ -0,0 +1,26 @@
+const express = require('express');
+const app = express();
+const xssApp = express();
+const port = 3333;
+const xssPort = 3334;
+const cors = require('cors');
+
+xssApp.use(cors());
+
+xssApp.get('/jqueryxss', (req, res) => {
+	// res.set('content-type', 'text/javascript');
+	res.writeHead(200, { 'Content-Type': 'text/javascript' });
+	res.write(`triggerCVE('2015-9251');`)
+	res.end()
+});
+
+xssApp.listen(xssPort, () => {
+  console.log(`listening on port ${xssPort} (xss endpoint)`);
+});
+
+app.use(express.static('../site'));
+
+app.listen(port, () => {
+  console.log(`listening on port ${port} (test site)`);
+});
+

security/server/index.js

@@ -1,7 +1,7 @@
 {
   "private": true,
   "scripts": {
-    "serve": "node index.js"
+    "serve": "node index.cjs"
   },
   "dependencies": {
     "cors": "^2.8.5",

security/server/package.json

@@ -0,0 +1,19 @@
+const cveMap = new Map([
+  ['2011-4969', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2'] }],
+  ['2012-6708', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3'] }],
+	['2015-9251', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3', '1.12.4', '2.2.4'] }],
+	['2019-11358', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3', '1.12.4', '2.2.4'] }],
+	['2020-7656', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3'] }],
+	['2020-11022', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3', '1.12.4', '2.2.4'] }],
+	['2020-11023', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3', '1.12.4', '2.2.4'] }],
+	['2020-23064', { versions: ['2.2.4'] }],
+]);
+
+const jQueryVersions = new Set(Array.from(cveMap, ([name, value]) => (value.versions)).flat());
+
+function getPatchedVersion(version){
+	const versionParts = version.split('.');
+	return`${versionParts[0]}.${versionParts[1]}.${Number(versionParts[2]) + 1}-sec`;
+}
+
+export { cveMap, getPatchedVersion, jQueryVersions };

security/site/cve-data.mjs

@@ -6,7 +6,7 @@
     <meta http-equiv="X-UA-Compatible" content="ie=edge" />
     <title>jQuery Security Acceptance Tests</title>
     <link rel="stylesheet" href="styles.css" />
-    <script src="main.js" defer></script>
+    <script type="module" src="main.mjs"></script>
   </head>
   <body>
 		<header>

security/site/index.html

@@ -1,3 +1,7 @@
+import { cveMap, getPatchedVersion, jQueryVersions } from './cve-data.mjs'
+
+const dis = this;
+
 function log(txt){
   console.log(txt);
 }
@@ -27,17 +31,6 @@ window.alert = function(...args) {
   // windowAlert(...args);
 };
 
-const cveMap = new Map([
-  ['2011-4969', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2'] }],
-  ['2012-6708', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3'] }],
-	['2015-9251', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3', '1.12.4', '2.2.4'] }],
-	['2019-11358', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3', '1.12.4', '2.2.4'] }],
-	['2020-7656', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3'] }],
-	['2020-11022', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3', '1.12.4', '2.2.4'] }],
-	['2020-11023', { versions: ['1.2.6', '1.3.2', '1.4.4', '1.5.2', '1.6.4', '1.7.2', '1.8.3', '1.12.4', '2.2.4'] }],
-	['2020-23064', { versions: ['2.2.4'] }],
-]);
-
 const cveTemplate = `
 <div class="cve">
 	<div class="cve__header">
@@ -61,20 +54,19 @@ for (const cve of cveMap) {
 	const cveID = `CVE-${cve[0]}`;
 	const t = document.createElement('template');
   t.innerHTML = cveTemplate;
+	t.content.querySelector('.cve').id = cveID;
 	t.content.querySelector('.cve__header').textContent = cveID;
 	const b = t.content.querySelector('button');
 	b.textContent = cveID;
 	b.addEventListener('click', function (){
 		log(`called ${cveID}`)
-		window[cveID.replaceAll('-', '_')](cve);
+		window.doNotPolluteTheGlobalNamespace[cveID.replaceAll('-', '_')](cve);
 		setTimeout(() => updateCVE(cve), 100);
 	});
 	cveButtons.push(b);
 	cveContainer.append(t.content);
 }
 
-const jQueryVersions = new Set(Array.from(cveMap, ([name, value]) => (value.versions)).flat());
-
 for (const v of jQueryVersions) {
 	const o = document.createElement('option');
 	o.textContent = v;
@@ -84,12 +76,24 @@ for (const v of jQueryVersions) {
 const VERSION = 'VERSION';
 const PATCHED = 'PATCHED';
 
-const sessionVersion = sessionStorage.getItem(VERSION);
-const sessionPatched = sessionStorage.getItem(PATCHED);
+const qs = (new URL(document.location)).searchParams;
+const qsVersion = qs.get(VERSION);
+const qsPatched = qs.get(PATCHED);
+
+if(qsVersion) {
+	selVersion.value = qsVersion;
+	chkPatched.checked = qsPatched === 'true';
+}
+else {
+
+	const sessionVersion = sessionStorage.getItem(VERSION);
+	const sessionPatched = sessionStorage.getItem(PATCHED);
+
+	if(sessionVersion) {
+		selVersion.value = sessionVersion;
+		chkPatched.checked = sessionPatched === 'true';
+	}
 
-if(sessionVersion) {
-	selVersion.value = sessionVersion;
-	chkPatched.checked = sessionPatched === 'true';
 }
 
 changeVersion();
@@ -120,8 +124,7 @@ function changeVersion() {
 		document.querySelectorAll('.cve').forEach(e => e.classList.remove('hide'));
 	};
 
-	const versionParts = version.split('.');
-	const loadVersion = patched ? `${versionParts[0]}.${versionParts[1]}.${Number(versionParts[2]) + 1}-sec` : version;
+	const loadVersion = patched ? getPatchedVersion(version) : version;
 
 	s.onerror = function() {
 		if(typeof jQuery !== 'undefined') {
@@ -194,6 +197,7 @@ function CVE_2011_4969(cve){
 		handleJQuerySyntaxError(e);
 	}
 
+	history.replaceState(null, null, ' ');  // clear out location.hash completely
 
 }
 
@@ -219,7 +223,7 @@ function CVE_2012_6708(cve) {
 }
 
 function CVE_2015_9251(cve) {
-  $.get("http://localhost:4000/jqueryxss", function( content ) {
+  $.get("http://localhost:3334/jqueryxss", function( content ) {
     // since we are relying on an external resource for this test, guard against regression
 		const expected = `triggerCVE('${cve[0]}');`;
     const expectedContentFound = content === expected;
@@ -228,7 +232,6 @@ function CVE_2015_9251(cve) {
       error('CVE-2015-9251 CANNOT BE VERIFIED!');
     }
   });
-	// log('CVE-2015-9251 is not reproducible in 1.2.6, so ignore this test');
 }
 
 function CVE_2019_11358(cve) {
@@ -266,3 +269,15 @@ function CVE_2020_23064(cve) {
 	// this is a duplicate of CVE-2020-11023
 	CVE_2020_11023(cve);
 }
+
+window.triggerCVE = triggerCVE;
+window.doNotPolluteTheGlobalNamespace = {
+	CVE_2011_4969,
+	CVE_2012_6708,
+	CVE_2015_9251,
+	CVE_2019_11358,
+	CVE_2020_7656,
+	CVE_2020_11022,
+	CVE_2020_11023,
+	CVE_2020_23064,
+};

security/site/main.js security/site/main.mjssecurity/site/main.js renamed to security/site/main.mjs

@@ -0,0 +1,80 @@
+import os from 'node:os';
+import { execSync } from 'node:child_process';
+import { setTimeout } from 'node:timers/promises';
+import assert from 'node:assert';
+import { JSDOM } from 'jsdom';
+import { cveMap, getPatchedVersion, jQueryVersions } from '../site/cve-data.mjs'
+
+let failedAssertions = 0;
+
+console.log('\nrunning jQuery security tests...\n');
+
+const platform = os.platform();
+console.log(`platform detected: ${platform}`);
+
+const baseURL = 'http://127.0.0.1:3333/index.html';
+const timeout = 5 * 1000;
+
+let cmd;
+
+if(platform === 'darwin'){
+  cmd = `"/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome" --headless=old --virtual-time-budget=${timeout} --run-all-compositor-stages-before-draw --dump-dom `;
+}
+else {
+	// presume *nix
+}
+
+for (const v of jQueryVersions) {
+	try {
+		test(v);
+		test(v, true);
+	} catch (e) {
+		if(e instanceof assert.AssertionError) {
+			console.error(e);
+			failedAssertions += 1;
+		}
+		else {
+			throw e;
+		}
+	}
+}
+
+
+function test(version, patched) {
+
+	const effectiveVersion = patched ? getPatchedVersion(version) : version;
+
+	console.log(`
+--------------------------------------------------------------------------------
+	validating jQuery v${effectiveVersion}
+--------------------------------------------------------------------------------
+`)
+
+	let p;
+
+	try {
+		p = execSync(`${cmd}"${baseURL}?VERSION=${version}&PATCHED=${patched}"`);
+	} catch (error) {
+		console.error(e);
+	}
+
+	const dom = new JSDOM(p.toString());
+
+	const d = dom.window.document;
+
+	assert.strictEqual(d.querySelector('#loaded-jQuery').textContent, effectiveVersion, `loaded jQuery v${effectiveVersion}`);
+
+	for (const cve of cveMap) {
+		if(cve[1].versions.includes(version)) {
+			const status = d.querySelector(`#CVE-${cve[0]} .cve__footer-status`).textContent;
+			console.log(status);
+		}
+	}
+
+}
+
+console.log('\n...done\n');
+
+if(failedAssertions) {
+	process.exitCode = 1;
+}