Generate apps with SecTester

.github/workflows/ci.yml

@@ -79,6 +79,9 @@ jobs:
             ${{ runner.os }}-build-${{ env.cache-name }}-
             ${{ runner.os }}-build-
             ${{ runner.os }}-
+      - name: Install npm and Nexploit Repeater
+        run: |
+          sudo npm install -g @neuralegion/nexploit-cli --unsafe-perm=true
       - name: Run setup script
         run: ./script/setup
       - name: Install Lucky CLI
@@ -91,3 +94,5 @@ jobs:
           crystal spec
         env:
           LUCKY_ENV: test
+          NEXPLOIT_TOKEN: ${{ secrets.BRIGHT_API_KEY }}
+          RUN_SEC_TESTER_SPECS: 1

.github/workflows/weekly.yml

@@ -1,9 +1,6 @@
 name: Lucky CLI Weekly CI
 
 on:
-  push:
-    branches: [main]
-  pull_request:
   schedule:
     - cron: "0 1 * * MON"
   workflow_dispatch:
@@ -44,6 +41,9 @@ jobs:
       - uses: actions/setup-node@v3.0.0
         with:
           node-version: "12.x"
+      - name: Install npm and Nexploit Repeater
+        run: |
+          sudo npm install -g @neuralegion/nexploit-cli --unsafe-perm=true
       - name: Run setup script
         run: ./script/setup
       - name: Install Lucky CLI

spec/integration/init_web_spec.cr

@@ -1,6 +1,7 @@
 require "../spec_helper"
 
 include ShouldRunSuccessfully
+include WithProjectCleanup
 
 describe "Initializing a new web project" do
   it "creates a full web app successfully" do
@@ -16,7 +17,8 @@ describe "Initializing a new web project" do
 
       File.delete("test-project/.env")
       compile_and_run_specs_on_test_project
-      File.read(".github/workflows/ci.yml").should contain "postgres"
+      File.read("test-project/Procfile").should contain "bin/app"
+      File.read("test-project/.github/workflows/ci.yml").should contain "postgres"
       File.read("test-project/public/mix-manifest.json").should contain "images/cat.gif"
       File.exists?("test-project/public/favicon.ico").should eq true
       File.exists?("test-project/.env").should eq true
@@ -139,20 +141,3 @@ private def compile_and_run_specs_on_test_project
     should_run_successfully "crystal spec"
   end
 end
-
-private def with_project_cleanup(project_directory = "test-project", skip_db_drop = false)
-  yield
-
-  FileUtils.cd(project_directory) {
-    output = IO::Memory.new
-    Process.run(
-      "lucky db.drop",
-      output: output,
-      shell: true
-    )
-
-    output.to_s.should contain("Done dropping")
-  } unless skip_db_drop
-ensure
-  FileUtils.rm_rf project_directory
-end

spec/integration/sec_tester_spec.cr

@@ -0,0 +1,23 @@
+require "../spec_helper"
+
+{% if env("RUN_SEC_TESTER_SPECS") == "1" %}
+  include ShouldRunSuccessfully
+  include WithProjectCleanup
+
+  describe "Apps with SecTester enabled" do
+    it "creates a full app with sec_tester enabled" do
+      puts "Web app with SecTester: Running integration spec. This might take awhile...".colorize(:yellow)
+      with_project_cleanup do
+        should_run_successfully "crystal run src/lucky.cr -- init.custom test-project --with-sec-test"
+
+        FileUtils.cd "test-project" do
+          File.read("spec/setup/sec_tester.cr").should contain "LuckySecTester"
+          File.read(".github/workflows/ci.yml").should contain "-Dwith_sec_tests"
+          File.read("spec/flows/security_spec.cr").should contain "dom_xss"
+          should_run_successfully "./script/setup"
+          should_run_successfully "crystal spec -Dwith_sec_tests"
+        end
+      end
+    end
+  end
+{% end %}

spec/support/with_project_cleanup.cr

@@ -0,0 +1,18 @@
+module WithProjectCleanup
+  private def with_project_cleanup(project_directory = "test-project", skip_db_drop = false) : Nil
+    yield
+
+    FileUtils.cd(project_directory) {
+      output = IO::Memory.new
+      Process.run(
+        "lucky db.drop",
+        output: output,
+        shell: true
+      )
+
+      output.to_s.should contain("Done dropping")
+    } unless skip_db_drop
+  ensure
+    FileUtils.rm_rf project_directory
+  end
+end

src/app_with_sec_tester/spec/flows/security_spec.cr.ecr

@@ -0,0 +1,117 @@
+{% skip_file unless flag?(:with_sec_tests) %}
+# Run these specs with `crystal spec -Dwith_sec_tests`
+
+require "../spec_helper"
+
+describe "SecTester" do
+  <%- if browser? -%>
+  <%- if generate_auth? -%>
+  it "tests the sign_in for dom based XSS" do
+    scan_with_cleanup do |scanner|
+      target = scanner.build_target(SignIns::New)
+      scanner.run_check(
+        scan_name: "ref: #{ENV["GITHUB_REF"]?} commit: #{ENV["GITHUB_SHA"]?} run id: #{ENV["GITHUB_RUN_ID"]?}",
+        tests: "dom_xss",
+        target: target
+      )
+    end
+  end
+
+  it "tests the sign_in page for SQLi, OSI, XSS attacks" do
+    scan_with_cleanup do |scanner|
+      target = scanner.build_target(SignIns::Create) do |t|
+        t.body = "user%3Aemail=test%40test.com&user%3Apassword=1234"
+      end
+      scanner.run_check(
+        scan_name: "ref: #{ENV["GITHUB_REF"]?} commit: #{ENV["GITHUB_SHA"]?} run id: #{ENV["GITHUB_RUN_ID"]?}",
+        tests: [
+          "sqli", # Testing for SQL Injection issues (https://docs.neuralegion.com/docs/sql-injection)
+          "osi",
+          "xss",
+        ],
+        target: target
+      )
+    end
+  end
+
+  it "tests the sign_up page for dom based XSS" do
+    scan_with_cleanup do |scanner|
+      target = scanner.build_target(SignUps::New)
+      scanner.run_check(
+        scan_name: "ref: #{ENV["GITHUB_REF"]?} commit: #{ENV["GITHUB_SHA"]?} run id: #{ENV["GITHUB_RUN_ID"]?}",
+        tests: "dom_xss",
+        target: target
+      )
+    end
+  end
+
+  it "tests the sign_up page for ALL attacks" do
+    scan_with_cleanup do |scanner|
+      target = scanner.build_target(SignUps::Create) do |t|
+        t.body = "user%3Aemail=aa%40aa.com&user%3Apassword=123456789&user%3Apassword_confirmation=123456789"
+      end
+      scanner.run_check(
+        scan_name: "ref: #{ENV["GITHUB_REF"]?} commit: #{ENV["GITHUB_SHA"]?} run id: #{ENV["GITHUB_RUN_ID"]?}",
+        tests: nil,
+        target: target
+      )
+    end
+  end
+  <%- end -%>
+  it "tests the home page for header, and cookie security issues" do
+    scan_with_cleanup do |scanner|
+      target = scanner.build_target(Home::Index)
+      scanner.run_check(
+        scan_name: "ref: #{ENV["GITHUB_REF"]?} commit: #{ENV["GITHUB_SHA"]?} run id: #{ENV["GITHUB_RUN_ID"]?}",
+        severity_threshold: :medium,
+        tests: [
+          "header_security",
+          "cookie_security"
+        ],
+        target: target
+      )
+    end
+  end
+
+  it "tests app.js for 3rd party issues" do
+    scan_with_cleanup do |scanner|
+      target = SecTester::Target.new(Lucky::RouteHelper.settings.base_uri + Lucky::AssetHelpers.asset("js/app.js"))
+      scanner.run_check(
+        scan_name: "ref: #{ENV["GITHUB_REF"]?} commit: #{ENV["GITHUB_SHA"]?} run id: #{ENV["GITHUB_RUN_ID"]?}",
+        tests: "retire_js",
+        target: target
+      )
+    end
+  end
+  <%- else -%>
+  <%- if generate_auth? -%>
+  it "tests the sign_in API for SQLi, and JWT attacks" do
+    scan_with_cleanup do |scanner|
+      api_headers = HTTP::Headers{"Content-Type" => "application/json", "Accept" => "application/json"}
+      target = scanner.build_target(Api::SignIns::Create, headers: api_headers) do |t|
+        t.body = {"user" => {"email" => "aa%40aa.com", "password" => "123456789"}}.to_json
+      end
+      scanner.run_check(
+        scan_name: "ref: #{ENV["GITHUB_REF"]?} commit: #{ENV["GITHUB_SHA"]?} run id: #{ENV["GITHUB_RUN_ID"]?}",
+        tests: [
+          "sqli",                 # Testing for SQL Injection issues (https://docs.neuralegion.com/docs/sql-injection)
+          "jwt",                  # Testing JWT usage (https://docs.neuralegion.com/docs/broken-jwt-authentication)
+          "xss",                  # Checking for Cross Site Scripting attacks (https://docs.neuralegion.com/docs/reflective-cross-site-scripting-rxss)
+          "ssrf",                 # Checking for SSRF (https://docs.neuralegion.com/docs/server-side-request-forgery-ssrf)
+          "proto_pollution",      # Checking for proto pollution based vulnerabilities (https://docs.neuralegion.com/docs/prototype-pollution)
+          "full_path_disclosure", # Checking for full path disclourse on api error (https://docs.neuralegion.com/docs/full-path-disclosure)
+        ],
+        target: target
+      )
+    end
+  end
+  <%- end -%>
+  <%- end -%>
+end
+
+private def scan_with_cleanup : Nil
+  scanner = LuckySecTester.new
+  yield scanner
+ensure
+  scanner.try &.cleanup
+end

src/app_with_sec_tester/spec/setup/sec_tester.cr

@@ -0,0 +1,8 @@
+require "lucky_sec_tester"
+
+# Signup for a `NEXTPLOT_TOKEN` at
+# [NeuraLegion](https://app.neuralegion.com/signup)
+# Read more about the SecTester on https://github.com/luckyframework/lucky_sec_tester
+LuckySecTester.configure do |setting|
+  setting.nexploit_token = ENV["NEXPLOIT_TOKEN"]
+end

src/generators/web.cr

@@ -4,12 +4,13 @@ class LuckyCli::Generators::Web
   include LuckyCli::GeneratorHelpers
 
   getter project_name : String
-  getter? api_only, generate_auth
+  getter? api_only, generate_auth, with_sec_tester
 
   def initialize(
     project_name : String,
     @api_only : Bool,
     @generate_auth : Bool,
+    @with_sec_tester : Bool = false,
     project_directory : String = "."
   )
     Dir.cd(File.expand_path(project_directory))
@@ -33,6 +34,7 @@ class LuckyCli::Generators::Web
     generate_default_crystal_project
     rename_shard_target_to_app
     add_deps_to_shard_file
+    add_dev_deps_to_shard_file
     remove_generated_src_files
     remove_generated_spec_files
     remove_default_readme
@@ -51,6 +53,10 @@ class LuckyCli::Generators::Web
       add_browser_authentication_to_src
     end
 
+    if with_sec_tester?
+      add_sec_tester_to_src
+    end
+
     setup_gitignore
     remove_default_license
     puts <<-TEXT
@@ -84,7 +90,7 @@ class LuckyCli::Generators::Web
   end
 
   private def add_default_lucky_structure_to_src
-    SrcTemplate.new(project_name, generate_auth: generate_auth?, api_only: api_only?)
+    SrcTemplate.new(project_name, generate_auth: generate_auth?, api_only: api_only?, with_sec_tester: with_sec_tester?)
       .render("./#{project_dir}", force: true)
   end
 
@@ -105,6 +111,11 @@ class LuckyCli::Generators::Web
     BrowserAuthenticationSrcTemplate.new.render("./#{project_dir}", force: true)
   end
 
+  private def add_sec_tester_to_src
+    AppWithSecTesterTemplate.new(generate_auth: generate_auth?, browser: browser?)
+      .render("./#{project_dir}", force: true)
+  end
+
   private def remove_generated_src_files
     remove_default_generated_if_exists("src")
   end
@@ -185,14 +196,33 @@ class LuckyCli::Generators::Web
           version: ~> 1.6.0
       DEPS_LIST
     end
+  end
 
-    if browser?
+  private def needs_development_dependencies?
+    browser? || with_sec_tester?
+  end
+
+  private def add_dev_deps_to_shard_file
+    if needs_development_dependencies?
       append_text to: "shard.yml", text: <<-DEPS_LIST
       development_dependencies:
-        lucky_flow:
-          github: luckyframework/lucky_flow
-          version: ~> 0.7.3
       DEPS_LIST
+
+      if browser?
+        append_text to: "shard.yml", text: <<-DEPS_LIST
+          lucky_flow:
+            github: luckyframework/lucky_flow
+            version: ~> 0.7.3
+        DEPS_LIST
+      end
+
+      if with_sec_tester?
+        append_text to: "shard.yml", text: <<-DEPS_LIST
+          lucky_sec_tester:
+            github: luckyframework/lucky_sec_tester
+            branch: main
+        DEPS_LIST
+      end
     end
   end
 

src/init_custom.cr

@@ -13,6 +13,7 @@ class LuckyCli::InitCustom < LuckyCli::Init
   private def generate_project(project_name)
     api_only = false
     authentication = true
+    with_sec_test = false
     project_directory = "."
     OptionParser.parse do |parser|
       parser.banner = <<-TEXT
@@ -21,11 +22,12 @@ class LuckyCli::InitCustom < LuckyCli::Init
       Examples:
 
         lucky init.custom my_project
-        lucky init.custom my_api --api --no-auth --dir ~/Projects/
+        lucky init.custom my_api --api --no-auth --with-sec-test --dir ~/Projects/
 
       TEXT
       parser.on("--api", "Generates an api-only web app") { api_only = true }
       parser.on("--no-auth", "Skips generating authentication") { authentication = false }
+      parser.on("--with-sec-test", "Adds in SecTest integration") { with_sec_test = true }
       parser.on("--dir DIRECTORY", "Specify the directory to generate your app in. Default is current directory") { |dir|
         project_directory = dir
       }
@@ -39,6 +41,7 @@ class LuckyCli::InitCustom < LuckyCli::Init
       project_name: project_name.to_s,
       api_only: api_only,
       generate_auth: authentication,
+      with_sec_tester: with_sec_test,
       project_directory: project_directory
     )
   end

src/lucky_cli/app_with_sec_tester_template.cr

@@ -0,0 +1,8 @@
+class AppWithSecTesterTemplate < Teeplate::FileTree
+  directory "#{__DIR__}/../app_with_sec_tester"
+
+  getter? generate_auth, browser
+
+  def initialize(@generate_auth : Bool, @browser : Bool)
+  end
+end

src/lucky_cli/src_template.cr

@@ -3,10 +3,10 @@ require "random/secure"
 class SrcTemplate < Teeplate::FileTree
   directory "#{__DIR__}/../web_app_skeleton"
   getter project_name
-  getter? api_only, generate_auth
+  getter? api_only, generate_auth, with_sec_tester
   getter crystal_project_name : String
 
-  def initialize(@project_name : String, @generate_auth : Bool, @api_only : Bool)
+  def initialize(@project_name : String, @generate_auth : Bool, @api_only : Bool, @with_sec_tester : Bool)
     @crystal_project_name = @project_name.gsub("-", "_")
   end