koa3

.github/workflows/build_v5_screener_imgs.yml

@@ -11,7 +11,7 @@ jobs:
       matrix:
         # not all apps support node versions below, but at the very
         # least they all build
-        apps: [express4,express5,fastify3,fastify4,koa,hapi20,hapi21]
+        apps: [express4,express5,fastify3,fastify4,koa2,koa3,hapi20,hapi21]
         version: [18, 20, 22, 24]
     steps:
       - name: Checkout

.secrets.baseline

@@ -262,24 +262,47 @@
         "line_number": 8
       }
     ],
-    "koa/view/partials/head.ejs": [
+    "koa2/view/partials/head.ejs": [
       {
         "type": "Base64 High Entropy String",
-        "filename": "koa/view/partials/head.ejs",
+        "filename": "koa2/view/partials/head.ejs",
         "hashed_secret": "f71d52453754cc48b1ea6758b7c7be2ad5db5fed",
         "is_verified": false,
         "line_number": 5
       },
       {
         "type": "Base64 High Entropy String",
-        "filename": "koa/view/partials/head.ejs",
+        "filename": "koa2/view/partials/head.ejs",
         "hashed_secret": "b6e33e516b08b57e594085eecdd78876b622f6d3",
         "is_verified": false,
         "line_number": 7
       },
       {
         "type": "Base64 High Entropy String",
-        "filename": "koa/view/partials/head.ejs",
+        "filename": "koa2/view/partials/head.ejs",
+        "hashed_secret": "2b55237e452a493bd3e853c509523254434517fe",
+        "is_verified": false,
+        "line_number": 8
+      }
+    ],
+    "koa3/view/partials/head.ejs": [
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "koa3/view/partials/head.ejs",
+        "hashed_secret": "f71d52453754cc48b1ea6758b7c7be2ad5db5fed",
+        "is_verified": false,
+        "line_number": 5
+      },
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "koa3/view/partials/head.ejs",
+        "hashed_secret": "b6e33e516b08b57e594085eecdd78876b622f6d3",
+        "is_verified": false,
+        "line_number": 7
+      },
+      {
+        "type": "Base64 High Entropy String",
+        "filename": "koa3/view/partials/head.ejs",
         "hashed_secret": "2b55237e452a493bd3e853c509523254434517fe",
         "is_verified": false,
         "line_number": 8

koa/package.json → koa2/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "@contrast/koa-test-bench",
+  "name": "@contrast/koa2-test-bench",
   "private": true,
   "version": "3.38.0",
   "description": "Intentionally vulnerable Koa application",

koa3/README.md

@@ -0,0 +1,46 @@
+# @contrast/koa-test-bench
+An intentionally vulnerable `koa` application.
+
+## Running Locally
+Make sure you have [Node.js](http://nodejs.org/) installed or install a version
+of Node from [nvm](https://github.com/creationix/nvm).
+
+```sh
+git clone https://github.com/Contrast-Security-OSS/NodeTestBenches.git # or clone your own fork
+cd NodeTestBenches/koa
+npm install
+npm start
+```
+
+Your app should now be running on [localhost:3000](http://localhost:3000/).
+
+## Running with Contrast
+
+### Installation
+See [our documentation](https://docs.contrastsecurity.com/installation-nodeinstall.html) for installation instructions.
+
+After installation, the agent can be run with `npm run contrast`. For more
+information on configuration and which technologies the agent supports, see our
+[documentation](https://docs.contrastsecurity.com/installation-node.html#node-config).
+
+## Adding a shared vulnerability
+Once you have added shared functionality to
+[`@contrast/test-bench-utils`](https://github.com/Contrast-Security-OSS/NodeTestBenches/tree/main/test-bench-utils),
+you are ready to add an endpoint in the test bench application.
+
+Create a _routes/ruleName.js_ file and call the `controllerFactory` method:
+```js
+const controllerFactory = require('../../utils/controllerFactory');
+module.exports = controllerFactory('ruleName');
+```
+
+Check the documentation for `controllerFactory` under _utils/controllerFactory.js_
+usage information.
+
+Add a _view/ruleName.js_ file that includes the shared
+template from `@contrast/test-bench-utils`:
+```html
+<% include ../node_modules/@contrast/test-bench-utils/public/views/ruleName.ejs %>
+```
+
+Now run the app and make sure everything works as expected!

koa3/index.js

@@ -0,0 +1,76 @@
+const path = require('path');
+
+const Koa = require('koa');
+const Router = require('@koa/router');
+const app = new Koa();
+require('koa-qs')(app, 'extended', { allowDots: true });
+const router = new Router();
+const http2 = require('http2');
+const pem = require('pem');
+const render = require('koa-ejs');
+const serve = require('koa-static');
+const mount = require('koa-mount');
+const { bodyParser } = require('@koa/bodyparser');
+const cookieParser = require('koa-cookie');
+const { navRoutes } = require('@contrast/test-bench-utils');
+
+const { PORT = 3000, HOST = 'localhost', HTTP2 } = process.env;
+const isHttp2 = HTTP2 === '1' ? true : false;
+// setup static file serving
+app.use(mount('/assets', serve(`${__dirname}/public`)));
+
+// setup the ejs renderer
+render(app, {
+  root: path.join(__dirname, 'view'),
+  layout: 'layout',
+  viewExt: 'ejs',
+  cache: false,
+  async: false
+});
+
+// adding current year to be used in layout for copyright year
+app.use((ctx, next) => {
+  ctx.state = ctx.state || {};
+  ctx.state.navRoutes = navRoutes;
+  ctx.state.currentYear = new Date().getFullYear();
+  return next();
+});
+
+app.use(bodyParser());
+app.use(cookieParser.default());
+
+require('./routes/index')({ router });
+require('./routes/cookies')({ router });
+
+// dynamically register routes from shared config
+navRoutes.forEach(({ base }) => {
+  require(`./routes/${base.substring(1)}`)({ router });
+});
+
+app.use(router.routes());
+app.use(router.allowedMethods());
+
+function listener() {
+  const { address, port } = this.address();
+  const protocol = isHttp2 ? 'https' : 'http';
+  // eslint-disable-next-line no-console
+  console.log('Server listening on %s://%s:%d', protocol, address, port);
+}
+
+function createServer() {
+  if (!isHttp2) {
+    app.listen(PORT, HOST, listener);
+  } else {
+    pem.createCertificate({ days: 1, selfSigned: true }, (err, keys) => {
+      if (err) {
+        throw err;
+      }
+      const options = { key: keys.serviceKey, cert: keys.certificate };
+      http2
+        .createSecureServer(options, app.callback())
+        .listen(PORT, HOST, listener);
+    });
+  }
+}
+
+createServer();