Tests for InsecureHelmet

Author: aegilops

javascript/ql/test/query-tests/Security/CWE-693/InsecureHelment.expected

@@ -0,0 +1,2 @@
+| InsecureHelmetBad.js:7:5:7:32 | content ... : false | Helmet route handler, called with $@ set to 'false' | InsecureHelmetBad.js:7:5:7:32 | content ... : false | contentSecurityPolicy |
+| InsecureHelmetBad.js:8:5:8:21 | frameguard: false | Helmet route handler, called with $@ set to 'false' | InsecureHelmetBad.js:8:5:8:21 | frameguard: false | frameguard |

javascript/ql/test/query-tests/Security/CWE-693/InsecureHelment.qlref

@@ -0,0 +1 @@
+Security/CWE-693/InsecureHelmet.ql

javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmetBad.js

@@ -0,0 +1,17 @@
+const express = require("express");
+const helmet = require("helmet");
+
+const app = express();
+
+app.use(helmet({
+    contentSecurityPolicy: false, // BAD: switch off default CSP
+    frameguard: false // BAD: switch off default frameguard
+}));
+
+app.get("/", (req, res) => {
+  res.send("Hello, world!");
+});
+
+app.listen(3000, () => {
+  console.log("App is listening on port 3000");
+});

javascript/ql/test/query-tests/Security/CWE-693/InsecureHelmetGood.js

@@ -0,0 +1,14 @@
+const express = require("express");
+const helmet = require("helmet");
+
+const app = express();
+
+app.use(helmet());  // GOOD: use the defaults
+
+app.get("/", (req, res) => {
+  res.send("Hello, world!");
+});
+
+app.listen(3000, () => {
+  console.log("App is listening on port 3000");
+});