Add security header testing scripts (both Node.js and Bash versions)

2025-03-01 18:24:46 -05:00 · 2025-03-01 18:24:46 -05:00 · c0502bc1a4
parent a88c7c6ccf
commit c0502bc1a4
3 changed files with 553 additions and 1 deletions
--- a/package.json
+++ b/package.json
@ -53,7 +53,11 @@
  },
  "scripts": {
    "start": "node server.js",
-    "test": "mocha --recursive"
+    "test": "mocha --recursive",
+    "test:security": "node test-security.js",
+    "test:security:bash": "./test-security.sh",
+    "test:security:csp": "node test-security.js --test=csp",
+    "test:security:cors": "node test-security.js --test=cors"
  },
  "repository": {
    "type": "git",
--- a/test-security.js
+++ b/test-security.js
@ -0,0 +1,251 @@
+#!/usr/bin/env node
+
+/**
+ * Security Headers Testing Script for Hastebin
+ * 
+ * This script tests various security header configurations by:
+ * 1. Starting the server with different security settings
+ * 2. Making HTTP requests to check the headers
+ * 3. Validating basic functionality works
+ * 4. Reporting results
+ * 
+ * Usage: 
+ *   node test-security.js
+ * 
+ * Or run specific tests:
+ *   node test-security.js --test=csp,cors
+ */
+
+const { exec, spawn } = require('child_process');
+const http = require('http');
+const assert = require('assert').strict;
+const { promisify } = require('util');
+const execAsync = promisify(exec);
+
+// Configuration
+const PORT = 7777;
+const HOST = 'localhost';
+const SERVER_START_WAIT = 2000; // Time to wait for server to start (ms)
+
+// Test cases
+const TESTS = {
+  basic: {
+    name: 'Basic Security Headers',
+    env: { NODE_ENV: 'production' },
+    expectedHeaders: {
+      'content-security-policy': true,
+      'x-content-type-options': 'nosniff',
+      'x-frame-options': 'DENY',
+      'x-xss-protection': '1; mode=block',
+      'referrer-policy': 'strict-origin-when-cross-origin',
+      'permissions-policy': true
+    }
+  },
+  csp: {
+    name: 'Content Security Policy',
+    env: { NODE_ENV: 'production', HASTEBIN_ENABLE_CSP: 'true' },
+    expectedHeaders: {
+      'content-security-policy': (value) => {
+        return value.includes("script-src 'self'") && 
+               value.includes("'nonce-") && 
+               (value.includes("'unsafe-hashes'") || true);
+      }
+    }
+  },
+  noCsp: {
+    name: 'Disabled CSP',
+    env: { NODE_ENV: 'production', HASTEBIN_ENABLE_CSP: 'false' },
+    expectedHeaders: {
+      'content-security-policy': false
+    }
+  },
+  cors: {
+    name: 'Cross-Origin Isolation',
+    env: { NODE_ENV: 'production', HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION: 'true' },
+    expectedHeaders: {
+      'cross-origin-embedder-policy': 'require-corp',
+      'cross-origin-resource-policy': 'same-origin',
+      'cross-origin-opener-policy': 'same-origin'
+    }
+  },
+  hsts: {
+    name: 'HTTP Strict Transport Security',
+    env: { NODE_ENV: 'production', HASTEBIN_ENABLE_HSTS: 'true' },
+    expectedHeaders: {
+      'strict-transport-security': true
+    }
+  },
+  devMode: {
+    name: 'Development Mode',
+    env: { NODE_ENV: 'development' },
+    expectedHeaders: {
+      'content-security-policy': true,
+      'x-content-type-options': 'nosniff'
+    }
+  },
+  devBypass: {
+    name: 'Development Mode with CSP Bypass',
+    env: { NODE_ENV: 'development', HASTEBIN_BYPASS_CSP_IN_DEV: 'true' },
+    expectedHeaders: {
+      'content-security-policy': value => value.includes("'unsafe-inline'")
+    }
+  }
+};
+
+// Helper to make HTTP requests and check headers
+async function checkHeaders(testCase) {
+  return new Promise((resolve, reject) => {
+    const req = http.request({
+      hostname: HOST,
+      port: PORT,
+      path: '/',
+      method: 'GET'
+    }, (res) => {
+      const headers = res.headers;
+      const failures = [];
+      
+      // Check expected headers
+      for (const [header, expected] of Object.entries(testCase.expectedHeaders)) {
+        if (expected === false) {
+          // Header should not be present
+          if (header in headers) {
+            failures.push(`Expected header '${header}' to be absent, but found: ${headers[header]}`);
+          }
+        } else if (expected === true) {
+          // Header should be present (any value)
+          if (!(header in headers)) {
+            failures.push(`Expected header '${header}' to be present, but it was missing`);
+          }
+        } else if (typeof expected === 'function') {
+          // Custom validator function
+          if (!(header in headers) || !expected(headers[header])) {
+            failures.push(`Header '${header}' failed validation: ${headers[header]}`);
+          }
+        } else {
+          // Exact value match
+          if (headers[header] !== expected) {
+            failures.push(`Header '${header}' expected '${expected}' but got '${headers[header]}'`);
+          }
+        }
+      }
+      
+      if (failures.length > 0) {
+        reject(new Error(failures.join('\n')));
+      } else {
+        resolve(true);
+      }
+    });
+    
+    req.on('error', (err) => {
+      reject(new Error(`Request failed: ${err.message}`));
+    });
+    
+    req.end();
+  });
+}
+
+// Test functionality by creating and retrieving a document
+async function testFunctionality() {
+  // Create a document
+  const createResult = await execAsync(`curl -s -X POST http://${HOST}:${PORT}/documents -d "Security Test Document"`);
+  const { key } = JSON.parse(createResult.stdout);
+  
+  if (!key || typeof key !== 'string') {
+    throw new Error('Failed to create document - invalid response');
+  }
+  
+  // Retrieve the document
+  const getResult = await execAsync(`curl -s http://${HOST}:${PORT}/raw/${key}`);
+  
+  if (getResult.stdout.trim() !== "Security Test Document") {
+    throw new Error(`Document retrieval failed - expected "Security Test Document" but got "${getResult.stdout.trim()}"`);
+  }
+  
+  return true;
+}
+
+// Run a single test
+async function runTest(testName) {
+  if (!(testName in TESTS)) {
+    console.error(`Unknown test: ${testName}`);
+    return false;
+  }
+  
+  const test = TESTS[testName];
+  console.log(`\n🔒 Running test: ${test.name} (${testName})`);
+  
+  // Start server with test configuration
+  const env = { ...process.env, ...test.env };
+  const serverProcess = spawn('node', ['test-local.js'], { 
+    env, 
+    stdio: 'ignore',
+    detached: true
+  });
+  
+  // Wait for server to start
+  await new Promise(resolve => setTimeout(resolve, SERVER_START_WAIT));
+  
+  try {
+    // Check headers
+    await checkHeaders(test);
+    console.log(`✅ Headers check passed for ${test.name}`);
+    
+    // Check functionality
+    await testFunctionality();
+    console.log(`✅ Functionality check passed for ${test.name}`);
+    
+    return true;
+  } catch (error) {
+    console.error(`❌ Test failed: ${error.message}`);
+    return false;
+  } finally {
+    // Kill server process and its children
+    process.kill(-serverProcess.pid);
+    serverProcess.unref();
+  }
+}
+
+// Run all tests or specified tests
+async function runTests() {
+  console.log('🔒 Hastebin Security Headers Test Suite 🔒');
+  
+  // Check if specific tests were requested
+  const testArg = process.argv.find(arg => arg.startsWith('--test='));
+  let testsToRun = Object.keys(TESTS);
+  
+  if (testArg) {
+    testsToRun = testArg.replace('--test=', '').split(',');
+  }
+  
+  let passed = 0;
+  let failed = 0;
+  
+  for (const testName of testsToRun) {
+    try {
+      const success = await runTest(testName);
+      if (success) {
+        passed++;
+      } else {
+        failed++;
+      }
+    } catch (error) {
+      console.error(`❌ Test execution error: ${error.message}`);
+      failed++;
+    }
+    
+    // Small delay between tests
+    await new Promise(resolve => setTimeout(resolve, 1000));
+  }
+  
+  console.log('\n📊 Test Results:');
+  console.log(`✅ ${passed} tests passed`);
+  console.log(`❌ ${failed} tests failed`);
+  
+  process.exit(failed > 0 ? 1 : 0);
+}
+
+// Run tests
+runTests().catch(err => {
+  console.error('Test suite error:', err);
+  process.exit(1);
+}); 
--- a/test-security.sh
+++ b/test-security.sh
@ -0,0 +1,297 @@
+#!/bin/bash
+
+# Security Headers Testing Script for Hastebin
+# This script tests various security header configurations by running curl commands
+# to verify headers are correctly set and the application works properly.
+
+# Colors for output
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Configuration
+PORT=7777
+HOST=localhost
+SERVER_START_WAIT=5 # seconds
+KILL_WAIT=2 # seconds
+
+# Utility functions
+print_header() {
+  echo -e "\n${BLUE}$1${NC}"
+  echo -e "${BLUE}$(printf '=%.0s' $(seq 1 ${#1}))${NC}"
+}
+
+print_success() {
+  echo -e "${GREEN}✅ $1${NC}"
+}
+
+print_error() {
+  echo -e "${RED}❌ $1${NC}"
+}
+
+print_info() {
+  echo -e "${YELLOW}ℹ️ $1${NC}"
+}
+
+# Kill any running server instance
+kill_server() {
+  pkill -f "node test-local.js" >/dev/null 2>&1
+  sleep $KILL_WAIT
+}
+
+# Start server with specified environment variables
+start_server() {
+  print_info "Starting server with: $1"
+  
+  # Use nohup to ensure the process continues running even if the script is interrupted
+  eval "HASTEBIN_STORAGE_TYPE=file $1 node test-local.js > /tmp/hastebin-test.log 2>&1 &"
+  
+  # Store the PID for later cleanup
+  SERVER_PID=$!
+  
+  # Wait for server to start and log the process ID
+  print_info "Started server process with PID: $SERVER_PID, waiting ${SERVER_START_WAIT}s..."
+  sleep $SERVER_START_WAIT
+  
+  # Check if the server is actually running
+  if ! ps -p $SERVER_PID > /dev/null; then
+    print_error "Server failed to start! Check logs at /tmp/hastebin-test.log"
+    cat /tmp/hastebin-test.log | head -n 20
+    return 1
+  fi
+  
+  return 0
+}
+
+# Check if a header exists and matches expected value
+check_header() {
+  local header="$1"
+  local expected="$2"
+  local response="$3"
+  
+  # Extract the header value from response
+  local value=$(echo "$response" | grep -i "^$header:" | sed "s/^$header: //i" | tr -d '\r')
+  
+  if [ -z "$value" ]; then
+    if [ "$expected" == "ABSENT" ]; then
+      return 0
+    else
+      print_error "Header '$header' is missing"
+      return 1
+    fi
+  else
+    if [ "$expected" == "ABSENT" ]; then
+      print_error "Header '$header' should be absent but found: $value"
+      return 1
+    elif [ "$expected" == "ANY" ]; then
+      return 0
+    elif [[ "$value" == *"$expected"* ]]; then
+      return 0
+    else
+      print_error "Header '$header' expected to contain '$expected' but got '$value'"
+      return 1
+    fi
+  fi
+}
+
+# Test functionality by creating and retrieving a document
+test_functionality() {
+  print_info "Testing document creation and retrieval..."
+  
+  # Try multiple times with backoff
+  for attempt in 1 2 3; do
+    # Create a document
+    local create_response=$(curl -s -X POST http://$HOST:$PORT/documents -d "Security Test Document")
+    echo "Create response: $create_response"
+    
+    # Extract the key using a more reliable method
+    local key=$(echo $create_response | sed -n 's/.*"key":"\([^"]*\)".*/\1/p')
+    
+    if [ -n "$key" ]; then
+      print_info "Created document with key: $key"
+      
+      # Retrieve the document
+      local get_response=$(curl -s http://$HOST:$PORT/raw/$key)
+      
+      if [ "$get_response" == "Security Test Document" ]; then
+        print_success "Document creation and retrieval successful"
+        return 0
+      else
+        print_error "Document retrieval failed - expected 'Security Test Document' but got '$get_response'"
+      fi
+    else
+      print_error "Failed to extract key from response: $create_response"
+    fi
+    
+    # If we reach here, something failed - wait and retry
+    sleep_time=$((attempt * 2))
+    print_info "Attempt $attempt failed, waiting ${sleep_time}s before retry..."
+    sleep $sleep_time
+  done
+  
+  print_error "Failed to create or retrieve document after 3 attempts"
+  return 1
+}
+
+# Run a single test
+run_test() {
+  local test_name="$1"
+  local env_vars="$2"
+  local headers_to_check="$3"
+  
+  print_header "Running test: $test_name"
+  
+  # Kill any existing server and start a new one with the specified env
+  kill_server
+  if ! start_server "$env_vars"; then
+    print_error "Could not start server for test '$test_name'"
+    return 1
+  fi
+  
+  # Get headers - retry a few times if needed
+  local response=""
+  for attempt in 1 2 3; do
+    response=$(curl -I -s http://$HOST:$PORT/)
+    if [[ "$response" == *"HTTP/1."* ]]; then
+      break
+    fi
+    sleep 2
+  done
+  
+  if [[ "$response" != *"HTTP/1."* ]]; then
+    print_error "Could not get response from server"
+    return 1
+  fi
+  
+  # Check each header
+  local failed=0
+  
+  # Parse the headers to check and their expected values
+  local IFS=','
+  read -ra HEADER_CHECKS <<< "$headers_to_check"
+  for check in "${HEADER_CHECKS[@]}"; do
+    local header=$(echo $check | cut -d: -f1)
+    local expected=$(echo $check | cut -d: -f2)
+    
+    if ! check_header "$header" "$expected" "$response"; then
+      failed=1
+    else
+      print_success "Header '$header' check passed"
+    fi
+  done
+  
+  # Test functionality
+  if ! test_functionality; then
+    failed=1
+  fi
+  
+  if [ $failed -eq 0 ]; then
+    print_success "Test '$test_name' passed"
+    return 0
+  else
+    print_error "Test '$test_name' failed"
+    return 1
+  fi
+}
+
+# Run tests
+run_tests() {
+  print_header "🔒 Hastebin Security Headers Test Suite 🔒"
+  
+  # Parse command line arguments
+  local test_filter=""
+  if [[ "$1" == --test=* ]]; then
+    test_filter="${1#--test=}"
+  fi
+  
+  local passed=0
+  local failed=0
+  
+  # Run selected tests
+  
+  # Filter by name if specified
+  if [[ -z "$test_filter" || "$test_filter" == *"basic"* ]]; then
+    if run_test "Basic Security Headers" "NODE_ENV=production" "content-security-policy:ANY,x-content-type-options:nosniff,x-frame-options:DENY,x-xss-protection:1; mode=block,referrer-policy:strict-origin-when-cross-origin,permissions-policy:ANY"; then
+      passed=$((passed+1))
+    else
+      failed=$((failed+1))
+    fi
+  fi
+  
+  if [[ -z "$test_filter" || "$test_filter" == *"csp"* ]]; then
+    if run_test "Content Security Policy" "NODE_ENV=production HASTEBIN_ENABLE_CSP=true" "content-security-policy:script-src"; then
+      passed=$((passed+1))
+    else
+      failed=$((failed+1))
+    fi
+  fi
+  
+  if [[ -z "$test_filter" || "$test_filter" == *"noCsp"* ]]; then
+    if run_test "Disabled CSP" "NODE_ENV=production HASTEBIN_ENABLE_CSP=false" "content-security-policy:ABSENT"; then
+      passed=$((passed+1))
+    else
+      failed=$((failed+1))
+    fi
+  fi
+  
+  if [[ -z "$test_filter" || "$test_filter" == *"cors"* ]]; then
+    if run_test "Cross-Origin Isolation" "NODE_ENV=production HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION=true" "cross-origin-embedder-policy:require-corp,cross-origin-resource-policy:same-origin,cross-origin-opener-policy:same-origin"; then
+      passed=$((passed+1))
+    else
+      failed=$((failed+1))
+    fi
+  fi
+  
+  if [[ -z "$test_filter" || "$test_filter" == *"hsts"* ]]; then
+    if run_test "HTTP Strict Transport Security" "NODE_ENV=production HASTEBIN_ENABLE_HSTS=true" "strict-transport-security:max-age"; then
+      passed=$((passed+1))
+    else
+      failed=$((failed+1))
+    fi
+  fi
+  
+  if [[ -z "$test_filter" || "$test_filter" == *"devMode"* ]]; then
+    if run_test "Development Mode" "NODE_ENV=development" "content-security-policy:ANY,x-content-type-options:nosniff"; then
+      passed=$((passed+1))
+    else
+      failed=$((failed+1))
+    fi
+  fi
+  
+  if [[ -z "$test_filter" || "$test_filter" == *"devBypass"* ]]; then
+    if run_test "Development Mode with CSP Bypass" "NODE_ENV=development HASTEBIN_BYPASS_CSP_IN_DEV=true" "content-security-policy:unsafe-inline"; then
+      passed=$((passed+1))
+    else
+      failed=$((failed+1))
+    fi
+  fi
+  
+  # Cleanup any remaining server process
+  kill_server
+  
+  # Print summary
+  print_header "📊 Test Results:"
+  print_success "$passed tests passed"
+  if [ $failed -gt 0 ]; then
+    print_error "$failed tests failed"
+    return 1
+  fi
+  
+  return 0
+}
+
+# Show help if requested
+if [ $# -gt 0 ] && [ "$1" == "--help" ]; then
+  echo "Usage: $0 [--test=test1,test2,...]"
+  echo "Available tests: basic, csp, noCsp, cors, hsts, devMode, devBypass"
+  exit 0
+fi
+
+# Run tests with any arguments passed
+run_tests "$@"
+result=$?
+
+# Exit with status
+exit $result