dotCMS / core

Headless/Hybrid Content Management System for Enterprises
http://dotcms.com

Add security tests to Postman collections #26759

Open mbiuki opened 11 months ago

mbiuki commented 11 months ago

The security team is going to add security tests to the Postman collections located here: core/dotCMS/src/curl-test. Plus, every time there is a new PR related to a Postman change (like adding a new resource or so), we check whether new security tests must be added.

### OWASP TOP 10 SECURITY TESTS
- [ ] https://github.com/dotCMS/core/issues/27208
- [ ] https://github.com/dotCMS/core/issues/27209
- [ ] https://github.com/dotCMS/core/issues/27211
- [ ] https://github.com/dotCMS/core/issues/27210
- [ ] https://github.com/dotCMS/core/issues/27212
- [ ] https://github.com/dotCMS/core/issues/27213
- [ ] https://github.com/dotCMS/core/issues/27214
- [ ] https://github.com/dotCMS/core/issues/27215
- [ ] https://github.com/dotCMS/core/issues/27216
- [ ] https://github.com/dotCMS/core/issues/27217
- [ ] https://github.com/dotCMS/core/issues/27218
- [ ] https://github.com/dotCMS/core/issues/27219
- [ ] https://github.com/dotCMS/core/issues/27220
- [ ] https://github.com/dotCMS/core/issues/27221
- [ ] https://github.com/dotCMS/core/issues/27222
- [ ] https://github.com/dotCMS/core/issues/27223
- [ ] https://github.com/dotCMS/core/issues/27224
- [ ] https://github.com/dotCMS/core/issues/27225
- [ ] https://github.com/dotCMS/core/issues/27226
- [ ] https://github.com/dotCMS/core/issues/27227
- [ ] https://github.com/dotCMS/core/issues/27275
- [ ] https://github.com/dotCMS/core/issues/27276
- [ ] https://github.com/dotCMS/core/issues/27228
- [ ] https://github.com/dotCMS/core/issues/27229
- [ ] https://github.com/dotCMS/core/issues/27230
- [ ] https://github.com/dotCMS/core/issues/27231
- [ ] https://github.com/dotCMS/core/issues/27232
- [ ] https://github.com/dotCMS/core/issues/27233
- [ ] https://github.com/dotCMS/core/issues/27234
- [ ] https://github.com/dotCMS/core/issues/27235
- [ ] https://github.com/dotCMS/core/issues/27236
- [ ] https://github.com/dotCMS/core/issues/27237
- [ ] https://github.com/dotCMS/core/issues/27238
- [ ] https://github.com/dotCMS/core/issues/27239
- [ ] https://github.com/dotCMS/core/issues/27240
- [ ] https://github.com/dotCMS/core/issues/27241
- [ ] https://github.com/dotCMS/core/issues/27242
- [ ] https://github.com/dotCMS/core/issues/27243
- [ ] https://github.com/dotCMS/core/issues/27244
- [ ] https://github.com/dotCMS/core/issues/27245
- [ ] https://github.com/dotCMS/core/issues/27246
- [ ] https://github.com/dotCMS/core/issues/27247
- [ ] https://github.com/dotCMS/core/issues/27248
- [ ] https://github.com/dotCMS/core/issues/27249
- [ ] https://github.com/dotCMS/core/issues/27254
- [ ] https://github.com/dotCMS/core/issues/27250
- [ ] https://github.com/dotCMS/core/issues/27251
- [ ] https://github.com/dotCMS/core/issues/27252
- [ ] https://github.com/dotCMS/core/issues/27253
- [ ] https://github.com/dotCMS/core/issues/27255
- [ ] https://github.com/dotCMS/core/issues/27256
- [ ] https://github.com/dotCMS/core/issues/27257
- [ ] https://github.com/dotCMS/core/issues/27258
- [ ] https://github.com/dotCMS/core/issues/27259
- [ ] https://github.com/dotCMS/core/issues/27260
- [ ] https://github.com/dotCMS/core/issues/27261
- [ ] https://github.com/dotCMS/core/issues/27262
- [ ] https://github.com/dotCMS/core/issues/27263
- [ ] https://github.com/dotCMS/core/issues/27264
- [ ] https://github.com/dotCMS/core/issues/27265
- [ ] https://github.com/dotCMS/core/issues/27266
- [ ] https://github.com/dotCMS/core/issues/27267
- [ ] https://github.com/dotCMS/core/issues/27268
- [ ] https://github.com/dotCMS/core/issues/27269
- [ ] https://github.com/dotCMS/core/issues/27270
- [ ] https://github.com/dotCMS/core/issues/27271
- [ ] https://github.com/dotCMS/core/issues/27272
- [ ] https://github.com/dotCMS/core/issues/27273
- [ ] https://github.com/dotCMS/core/issues/27274

mbiuki commented 11 months ago

We would have to make sure that our security tests are OWASP Top 10 relevant: https://owasp.org/www-project-top-ten/

bryanboza commented 11 months ago

I'm worried about this...

In this case we add the test, but in case we catch an XSS pattern, we are allowing the content or template to be created. We are just getting the error in the test, but the functionality allows creating the content without problems. [image]
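The distinction raised in this comment, between a test that merely notices an XSS pattern and an endpoint that actually refuses or neutralises it, is easy to encode in the test itself. The following is an added example and not dotCMS's own code or part of its Postman collection: the function, the verdict names and the sample response bodies are constructed for illustration, while `pm.test`, `pm.expect` and `pm.response` are the real Postman sandbox APIs the wiring at the bottom assumes.

```javascript
// Added example (not dotCMS's code): classify what a create-content/template
// request carrying a script probe actually did, so the Postman test fails only
// when the server stored the raw payload, which is the gap described above.
// Response shapes used here are constructed, not dotCMS's real API responses.

const XSS_MARKER = "<script>/*constructed-marker*/</script>"; // constructed probe string

// Was the marker stored or echoed with its angle brackets HTML-encoded?
function isEncoded(text, marker) {
  const encoded = marker.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  return text.includes(encoded) && !text.includes(marker);
}

// status: HTTP status code of the create request; bodyText: raw response body.
function assessCreateResponse(status, bodyText, marker = XSS_MARKER) {
  const created = status >= 200 && status < 300;
  if (!created) {
    return { created: false, verdict: "rejected" }; // server refused the payload
  }
  if (isEncoded(bodyText, marker)) {
    return { created: true, verdict: "stored-encoded" }; // stored, but neutralised on output
  }
  if (bodyText.includes(marker)) {
    return { created: true, verdict: "stored-raw" }; // created and echoed verbatim
  }
  return { created: true, verdict: "stored-not-reflected" }; // created; field not in body
}

// Postman wiring: pm.* exists only inside the Postman sandbox, so it is guarded
// here so the same file also runs under plain Node.
if (typeof pm !== "undefined") {
  pm.test("content API rejects or encodes script payloads", function () {
    const result = assessCreateResponse(pm.response.code, pm.response.text());
    pm.expect(result.verdict).to.not.equal("stored-raw");
  });
}
```

With this shape the test result states which of the two situations occurred: a `rejected` or `stored-encoded` verdict is a pass, while `stored-raw` is the case where the test reports an error yet the content was created anyway. Whether `stored-not-reflected` should also count as a pass depends on the resource; for templates and containers a follow-up GET of the created object would be needed to tell.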

rsh1k commented 11 months ago

> I'm worried about this...
>
> In this case we add the test, but in case we catch an XSS pattern, we are allowing the content or template to be created. We are just getting the error in the test, but the functionality allows creating the content without problems. [image]

This is also true for container. I think this test is not needed as admin is allowed to put whatever he wants.