
A static-code-analysis tool that can be used to perform security-focused code reviews. It enables an auditor to swiftly map the attack-surface of a large application, with an emphasis on identifying development anti-patterns and footguns.

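const path = require('path');
const scan = require('../app/util-scan');
const test = require('tape');

// mock a file to scan for matches
const file = path.resolve(__dirname, './mock/app/about.php');

// mock signatures; the regexes are source strings, so backslashes are doubled
const signatures = [
  { signature: '\\s\\$_FILES', filetypes: ['php'] },
  { signature: '\\s\\$_GET', filetypes: ['php'] },
  { signature: '\\s\\$_POST', filetypes: ['php'] },
];

// number of assertions `assertMatch` makes, used to size `t.plan`
const ASSERTIONS_PER_MATCH = 6;

/**
 * Run `scan` against the mock file with the given context-window options.
 *
 * The option values are strings because they mock the raw CLI parse output
 * the scanner receives in production.
 *
 * @param {string} linesBefore - value for `--lines-before`
 * @param {string} linesAfter - value for `--lines-after`
 * @returns {Array<object>} the matches produced by `scan`
 */
function scanMock(linesBefore, linesAfter) {
  const options = {
    '--lines-after': linesAfter,
    '--lines-before': linesBefore,
  };
  return scan(file, [], options, signatures);
}

/**
 * Assert that one match from `scan` carries the expected fields.
 *
 * Makes exactly `ASSERTIONS_PER_MATCH` assertions on `t`.
 *
 * @param {object} t - tape test object
 * @param {object} match - a match produced by `scan`
 * @param {{id: number, filetype: string, search: string, line: number, start: number, end: number}} expected
 */
function assertMatch(t, match, expected) {
  t.equal(match.id, expected.id, 'id');
  t.equal(match.filetype, expected.filetype, 'filetype');
  t.equal(match.search, expected.search, 'search');
  t.equal(match.line, expected.line, 'line');
  t.equal(match.start, expected.start, 'start');
  t.equal(match.end, expected.end, 'end');
}

test('util-scan: should produce the appropriate matches', function (t) {
  t.plan(1 + 2 * ASSERTIONS_PER_MATCH);

  // perform the scan
  const matches = scanMock('5', '5');

  // ids 1 and 2 land on $_GET and $_POST, so the $_FILES signature is a
  // negative case; pin the count so a false positive (or a silently dropped
  // match) fails cleanly instead of surfacing as an index error below
  t.equal(matches.length, 2, 'exactly two matches');

  // $_GET match
  assertMatch(t, matches[0], {
    id: 1,
    filetype: 'php',
    search: '\\s\\$_GET',
    line: 12,
    start: 7,
    end: 18,
  });

  // $_POST match
  assertMatch(t, matches[1], {
    id: 2,
    filetype: 'php',
    search: '\\s\\$_POST',
    line: 10,
    start: 5,
    end: 16,
  });
});

test('util-scan: should respect --lines-before and --lines-after', function (t) {
  t.plan(1 + 2 * ASSERTIONS_PER_MATCH);

  // perform the scan with a one-line context window on each side
  const matches = scanMock('1', '1');

  // same match set as above; only the context window should change
  t.equal(matches.length, 2, 'exactly two matches');

  // $_GET match
  assertMatch(t, matches[0], {
    id: 1,
    filetype: 'php',
    search: '\\s\\$_GET',
    line: 12,
    start: 11,
    end: 14,
  });

  // $_POST match
  assertMatch(t, matches[1], {
    id: 2,
    filetype: 'php',
    search: '\\s\\$_POST',
    line: 10,
    start: 9,
    end: 12,
  });
});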