feat: add support for Reflected XSS

adonisjs · Oct 26, 2019 · 0c7e5ab · 0c7e5ab
1 parent 4e8a997
commit 0c7e5ab
Show file tree

Hide file tree

Showing 6 changed files with 135 additions and 6 deletions.
diff --git a/adonis-typings/index.ts b/adonis-typings/index.ts
@@ -33,8 +33,9 @@ declare module '@ioc:Adonis/Addons/Shield' {
   // X-XSS-Protection
   export type XSSOptions = {
     enabled: boolean,
-    enableOnOldIE: boolean,
-    reportUri: string,
+    enableOnOldIE?: boolean,
+    reportUri?: string,
+    mode?: 'block' | null,
   }
 
   // X-Download-Options

diff --git a/src/hsts.ts b/src/hsts.ts
@@ -12,6 +12,7 @@
 import ms from 'ms'
 import { HstsOptions } from '@ioc:Adonis/Addons/Shield'
 import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
+import { noop } from './noop'
 
 const DEFAULT_MAX_AGE = 180 * 24 * 60 * 60
 
@@ -37,8 +38,7 @@ function normalizeMaxAge (maxAge?: string | number): number {
  */
 export function hsts (options: HstsOptions) {
   if (!options.enabled) {
-    return function hstsMiddlewareFn (_ctx: HttpContextContract) {
-    }
+    return noop
   }
 
   const maxAge = normalizeMaxAge(options.maxAge)

diff --git a/src/noSniff.ts b/src/noSniff.ts
@@ -11,15 +11,15 @@
 
 import { ContentTypeSniffingOptions } from '@ioc:Adonis/Addons/Shield'
 import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
+import { noop } from './noop'
 
 /**
  * Adds `X-Content-Type-Options` header based upon given
  * user options
  */
 export function noSniff (options: ContentTypeSniffingOptions) {
   if (!options.enabled) {
-    return function noSniffMiddlewareFn (_ctx: HttpContextContract) {
-    }
+    return noop
   }
 
   return function noSniffMiddlewareFn ({ response }: HttpContextContract) {

diff --git a/src/noop.ts b/src/noop.ts
@@ -0,0 +1,12 @@
+/*
+ * @adonisjs/shield
+ *
+ * (c) Harminder Virk <virk@adonisjs.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+*/
+
+import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
+export function noop (_ctx: HttpContextContract) {
+}
diff --git a/src/xssProtection.ts b/src/xssProtection.ts
@@ -0,0 +1,70 @@
+/*
+ * @adonisjs/shield
+ *
+ * (c) Harminder Virk <virk@adonisjs.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+*/
+
+/// <reference path="../adonis-typings/index.ts" />
+
+import { XSSOptions } from '@ioc:Adonis/Addons/Shield'
+import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'
+import { noop } from './noop'
+
+/**
+ * A boolean to know if user agent is of IE8
+ */
+function isOldIE (userAgent?: string) {
+  if (!userAgent) {
+    return false
+  }
+
+  const match = /msie\s*(\d{1,2})/i.exec(userAgent)
+  return match ? parseFloat(match[1]) < 9 : false
+}
+
+/**
+ * Adds `X-Content-Type-Options` header based upon given
+ * user options
+ */
+export function xssProtection (options: XSSOptions) {
+  if (!options.enabled) {
+    return noop
+  }
+
+  let isBlock = true
+  if (options.mode === null) {
+    isBlock = false
+  }
+
+  let value = '1'
+  if (isBlock) {
+    value += '; mode=block'
+  }
+
+  if (options.reportUri) {
+    value += `; report=${options.reportUri}`
+  }
+
+  /**
+   * Returned when `X-XSS-Protection` is enabled on all browser
+   */
+  if (options.enableOnOldIE) {
+    return function xssProtectionMiddlewareFn ({ response }: HttpContextContract) {
+      response.header('X-XSS-Protection', value)
+    }
+  }
+
+  /**
+   * Returned when disabled for IE < 9 needs
+   */
+  return function xssProtectionMiddlewareFn ({ request, response }: HttpContextContract) {
+    if (isOldIE(request.header('user-agent'))) {
+      response.header('X-XSS-Protection', '0')
+    } else {
+      response.header('X-XSS-Protection', value)
+    }
+  }
+}
diff --git a/test/xss-protections.spec.ts b/test/xss-protections.spec.ts
@@ -0,0 +1,46 @@
+/*
+ * @adonisjs/shield
+ *
+ * (c) Harminder Virk <virk@adonisjs.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+*/
+
+import test from 'japa'
+import { HttpContext } from '@adonisjs/http-server/build/standalone'
+import { xssProtection } from '../src/xssProtection'
+
+test.group('Xss Protection', () => {
+  test('return noop function when enabled is false', (assert) => {
+    const middlewareFn = xssProtection({ enabled: false })
+    const ctx = HttpContext.create('/', {}, {}, {}, {})
+    middlewareFn(ctx)
+
+    assert.isUndefined(ctx.response.getHeader('X-XSS-Protection'))
+  })
+
+  test('set X-XSS-Protection header', (assert) => {
+    const middlewareFn = xssProtection({ enabled: true })
+    const ctx = HttpContext.create('/', {}, {}, {}, {})
+    middlewareFn(ctx)
+
+    assert.equal(ctx.response.getHeader('X-XSS-Protection'), '1; mode=block')
+  })
+
+  test('disable block mode', (assert) => {
+    const middlewareFn = xssProtection({ enabled: true, mode: null })
+    const ctx = HttpContext.create('/', {}, {}, {}, {})
+    middlewareFn(ctx)
+
+    assert.equal(ctx.response.getHeader('X-XSS-Protection'), '1')
+  })
+
+  test('set report uri', (assert) => {
+    const middlewareFn = xssProtection({ enabled: true, reportUri: '/' })
+    const ctx = HttpContext.create('/', {}, {}, {}, {})
+    middlewareFn(ctx)
+
+    assert.equal(ctx.response.getHeader('X-XSS-Protection'), '1; mode=block; report=/')
+  })
+})