chore(ci): label security tests and generate summary report MONGOSH-1787 (#2030)

Author: addaleax

.github/workflows/cron-tasks.yml

@@ -66,6 +66,12 @@ jobs:
           git add .evergreen.yml
           git commit --no-allow-empty -m "chore: update evergreen config" || true
 
+      - name: Update Security Test Summary
+        run: |
+          npm run update-security-test-summary
+          git add docs/security-test-summary.md
+          git commit --no-allow-empty -m "chore: update security test summary" || true
+
       - name: Regenerate CLI usage text in README files
         run: |
           npm run update-cli-usage-text packages/*/*.md *.md

docs/security-test-summary.md

@@ -0,0 +1,57 @@
+# MongoDB Shell Security Testing Summary
+
+This document lists specific instances of security-relevant testing that is being
+performed for the MongoDB Shell. All parts of the MongoDB Shell source code
+are subject to integration and unit testing on every change made to the project,
+including the specific instances listed below.
+
+# Security Tests
+
+## Loading the MongoDB `crypt_shared` library securely
+
+mongosh loads the `crypt_shared` MongoDB library at runtime. In order to do so securely,
+we verify that the path resolution logic used for it adheres to expectations, and e.g.
+the shared library will not be loaded if it comes with incorrect filesystem permissions.
+
+<!-- Source File: `packages/cli-repl/src/crypt-library-paths.spec.ts` -->
+
+
+## Authentication End-to-End Tests
+
+While mongosh is a client-side application and therefore, in many cases not responsible
+for correct authentication, we still consider any failure in our authentication tests
+a potential warning sign for security-relevant impact.
+
+<!-- Source File: `packages/e2e-tests/test/e2e-auth.spec.ts` -->
+
+
+## OIDC Authentication End-to-End Tests
+
+In addition to our regular tests for the different authentication mechanisms supported
+by MongoDB, we give special consideration to our OpenID Connect database authentication
+feature, as it involves client applications performing actions based on directions
+received from the database server.
+
+Additional, since the shell supports connections to multiple different endpoints in the
+same application, these tests ensure that OIDC authentication for distinct endpoints
+happens in isolation.
+
+<!-- Source File: `packages/e2e-tests/test/e2e-oidc.spec.ts` -->
+
+
+## TLS End-to-End Tests
+
+Our TLS tests verify that core security properties of TLS connections
+are applied appropriately for mongosh, in particular certificate validation
+and compliance with user-specified behavior that is specific to TLS connectivity.
+
+<!-- Source File: `packages/e2e-tests/test/e2e-tls.spec.ts` -->
+
+
+## Shell History Redaction Tests
+
+The MongoDB Shell redacts items from the shell history file when it detects
+potentially sensitive information in them. Our tests verify this behavior.
+
+<!-- Source File: `packages/history/src/history.spec.ts` -->
+

package.json

@@ -54,6 +54,7 @@
     "update-node-js-versions": "npx @pkgjs/nv ls v20 > .evergreen/node-20-latest.json && npx @pkgjs/nv ls v16 > .evergreen/node-16-latest.json",
     "update-evergreen-config": "npm run test-evergreen-expansions && node .evergreen/generate-evergreen-yml.js .evergreen/evergreen.yml.in > .evergreen.yml",
     "update-cli-usage-text": "node scripts/update-cli-usage-text.js",
+    "update-security-test-summary": "ts-node scripts/generate-security-test-summary.ts > docs/security-test-summary.md",
     "mark-ci-required-optional-dependencies": "ts-node scripts/mark-ci-required-optional-dependencies.ts",
     "write-node-js-dep": "node scripts/write-nodejs-dep > .sbom/node-js-dep.json",
     "scan-node-js": "mongodb-sbom-tools scan-node-js --version=$NODE_JS_VERSION > .sbom/node-js-vuln.json",

packages/cli-repl/src/crypt-library-paths.spec.ts

@@ -10,6 +10,13 @@ import { EventEmitter } from 'events';
 import { promises as fs } from 'fs';
 import path from 'path';
 
+/**
+ * @securityTest Loading the MongoDB `crypt_shared` library securely
+ *
+ * mongosh loads the `crypt_shared` MongoDB library at runtime. In order to do so securely,
+ * we verify that the path resolution logic used for it adheres to expectations, and e.g.
+ * the shared library will not be loaded if it comes with incorrect filesystem permissions.
+ */
 describe('getCryptLibraryPaths', function () {
   let bus: MongoshBus;
   let events: any[];

packages/e2e-tests/test/e2e-auth.spec.ts

@@ -84,6 +84,13 @@ function createAssertUserAuth(
   };
 }
 
+/**
+ * @securityTest Authentication End-to-End Tests
+ *
+ * While mongosh is a client-side application and therefore, in many cases not responsible
+ * for correct authentication, we still consider any failure in our authentication tests
+ * a potential warning sign for security-relevant impact.
+ */
 describe('Auth e2e', function () {
   skipIfApiStrict(); // connectionStatus is unversioned.
 

packages/e2e-tests/test/e2e-oidc.spec.ts

@@ -12,6 +12,18 @@ import { expect } from 'chai';
 import { createServer as createHTTPSServer } from 'https';
 import { getCertPath, useTmpdir } from './repl-helpers';
 
+/**
+ * @securityTest OIDC Authentication End-to-End Tests
+ *
+ * In addition to our regular tests for the different authentication mechanisms supported
+ * by MongoDB, we give special consideration to our OpenID Connect database authentication
+ * feature, as it involves client applications performing actions based on directions
+ * received from the database server.
+ *
+ * Additionally, since the shell supports connections to multiple different endpoints in the
+ * same application, these tests ensure that OIDC authentication for distinct endpoints
+ * happens in isolation.
+ */
 describe('OIDC auth e2e', function () {
   skipIfApiStrict(); // connectionStatus is unversioned.
 

packages/e2e-tests/test/e2e-tls.spec.ts

@@ -38,6 +38,13 @@ const SERVER_KEY = getCertPath('server.bundle.pem');
 const SERVER_INVALIDHOST_KEY = getCertPath('server-invalidhost.bundle.pem');
 const CRL_INCLUDING_SERVER = getCertPath('ca-server.crl');
 
+/**
+ * @securityTest TLS End-to-End Tests
+ *
+ * Our TLS tests verify that core security properties of TLS connections
+ * are applied appropriately for mongosh, in particular certificate validation
+ * and compliance with user-specified behavior that is specific to TLS connectivity.
+ */
 describe('e2e TLS', function () {
   let homedir: string;
   let env: Record<string, string>;

packages/e2e-tests/test/e2e.spec.ts

@@ -1530,6 +1530,7 @@ describe('e2e', function () {
           expect((await fs.stat(historyPath)).mode & 0o077).to.equal(0);
         });
 
+        // Security-relevant test -- description covered `history` package tests.
         it('redacts secrets', async function () {
           await shell.executeLine('db.auth("myusername", "mypassword")');
           await shell.executeLine('a = 42');

packages/history/src/history.spec.ts

@@ -1,6 +1,12 @@
 import { changeHistory } from './history';
 import { expect } from 'chai';
 
+/**
+ * @securityTest Shell History Redaction Tests
+ *
+ * The MongoDB Shell redacts items from the shell history file when it detects
+ * potentially sensitive information in them. Our tests verify this behavior.
+ */
 describe('changeHistory', function () {
   const history = ['db.shipwrecks.findOne()', 'use ships'];
 

packages/service-provider-server/src/cli-service-provider.spec.ts

@@ -1008,6 +1008,7 @@ describe('CliServiceProvider', function () {
     });
   });
 
+  // Security-relevant tests -- description covered in e2e-oidc tests.
   describe('processDriverOptions', function () {
     it('shares user configuration options from an existing CliServiceProvider instance', function () {
       const cloneableOidcOptions = {