
Validating Security Controls Implementation in Carbon App

This test suite checks three security properties of the Carbon application: that a reflected payload in the bg query parameter cannot execute script, that the root document is served with the expected security response headers, and that the /offsets, /privacy and /terms routes redirect to their intended external destinations and nowhere else. The XSS case is a regression test for a real bug (carbon-app/carbon issue #192) rather than a generic payload.

Test Coverage Overview

The suite covers:

  • Reflected XSS through the bg URL parameter (regression test for issue #192)
  • Presence and values of security response headers on the root document
  • Redirect destinations for the /offsets, /privacy and /terms routes
  • The /offsets redirect to the external Project Wren sign-up page
  • The /privacy and /terms redirects to the Notion-hosted policy pages

Implementation Analysis

The tests use three Cypress mechanisms. For the XSS case, cy.on('window:alert', stub) replaces the page's alert dialog with a sinon stub, so a payload such as <img onerror="alert('xss')"> that does execute is recorded as a stub call instead of opening a dialog that would hang the run. For the headers case, cy.request('/') fetches the root document directly, outside the page context, and the test asserts on the response headers object using the lower-cased header names it exposes. For the redirect cases, cy.visit() follows the redirect and cy.url() asserts on the exact final URL, query string included, so both a changed destination and a redirect to an unexpected host fail the test.
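The XSS payload in the spec only makes sense against a particular injection context, and the spec itself says nothing about how the bug was fixed. The following is an added example, not Carbon's own code: it reconstructs the injection context the payload targets and pairs it with a whitelist validator that closes it. The rendering context (the value landing inside a <style> element) is inferred from the payload's "</style>" prefix, and the function names and default colour are assumptions for illustration.

```javascript
// Added example (not Carbon's own code): the injection context behind the bg
// query-parameter test, and a whitelist validator that closes it. The <style>
// context, the function names and DEFAULT_BG are assumptions.

const DEFAULT_BG = 'rgba(171, 184, 195, 1)';

// Vulnerable pattern: the raw query value is interpolated into a <style>
// block. The test's payload closes </style>, injects <img onerror=...>, and
// opens an HTML comment (<!--) to swallow the rest of the original markup.
function renderBackgroundStyleUnsafe(bg) {
  return `<style>.container { background: ${bg}; }</style>`;
}

// Whitelist grammar for the colours the UI can legitimately produce:
// #rgb, #rrggbb, #rrggbbaa, rgb(r, g, b) and rgba(r, g, b, a).
// Named colours are deliberately not accepted; a fixed list could be added.
const HEX_RE = /^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const RGB_RE = /^(rgba?)\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*(?:,\s*(\d*\.?\d+)\s*)?\)$/i;

// Returns a normalised colour string, or null when the value is not a colour.
// The result is rebuilt from parsed numbers, so no input byte reaches the
// output verbatim and no HTML/CSS metacharacter can be smuggled through.
function parseCssColor(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (HEX_RE.test(v)) return v.toLowerCase();
  const m = RGB_RE.exec(v);
  if (!m) return null;
  const fn = m[1].toLowerCase();
  const [r, g, b] = [m[2], m[3], m[4]].map(Number);
  if ([r, g, b].some((c) => c > 255)) return null;
  const hasAlpha = m[5] !== undefined;
  // rgb() with an alpha channel, or rgba() without one, is malformed
  if (hasAlpha !== (fn === 'rgba')) return null;
  if (!hasAlpha) return `rgb(${r}, ${g}, ${b})`;
  const a = Number(m[5]);
  if (a > 1) return null;
  return `rgba(${r}, ${g}, ${b}, ${a})`;
}

// Hardened pattern: only a value that survives the whitelist reaches the
// markup; anything else falls back to the default colour.
function renderBackgroundStyleSafe(bg) {
  const color = parseCssColor(bg) || DEFAULT_BG;
  return `<style>.container { background: ${color}; }</style>`;
}

// Constructed inputs: the exact payload from the Cypress spec and a benign value.
const XSS_PAYLOAD = `rgba(171, 184, 195, 1)</style><img src="" onerror="alert('xss')" /><!--`;
const BENIGN_BG = 'rgba(171, 184, 195, 1)';

function demo() {
  return {
    unsafeBreaksOut: renderBackgroundStyleUnsafe(XSS_PAYLOAD).includes('onerror='),
    safeRejectsPayload: parseCssColor(XSS_PAYLOAD) === null,
    safeFallsBack: renderBackgroundStyleSafe(XSS_PAYLOAD) === renderBackgroundStyleSafe(DEFAULT_BG),
    benignAccepted: parseCssColor(BENIGN_BG),
  };
}
```

The point of rebuilding the output from parsed numbers rather than escaping the input is that there is no escaping that is safe in both the CSS and the HTML context at once; a whitelist sidesteps the question. The Cypress test above remains the right end-to-end check, because it verifies the behaviour in a real browser regardless of which fix the server applies.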

Technical Details

  • Testing Framework: Cypress
  • Test Type: Integration (cypress/integration/security.spec.js)
  • Key Features: window:alert stubbing, cy.request() response-header assertions, cy.url() assertions on redirect targets
  • Security Validations: reflected XSS, HTTP security headers, redirect destinations
  • External Dependencies: Project Wren (wren.co) and Notion-hosted policy pages; the redirect tests reach these hosts over the network

Best Practices Demonstrated

The suite shows the right shape for browser-level security regression tests: each case has an explicit setup (a stub or a request), one action, and one assertion, and the XSS case pins a real historical bug (issue #192) rather than a generic payload. Two caveats apply before copying it. First, the header expectations are dated: X-XSS-Protection has been removed from current browsers (OWASP now recommends sending 0 or dropping it), Feature-Policy has been renamed Permissions-Policy, and no-referrer-when-downgrade is weaker than the current browser default strict-origin-when-cross-origin; Content-Security-Policy and Strict-Transport-Security are not checked at all. Second, the header check covers only /, so other routes and error pages could be served without these headers and the test would not notice. Asserting the exact redirect URL, query string included, is the right call: it catches both a typo in the destination and a change that sends users to an unexpected host.
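The spec asserts an exact header map, which is brittle (a stricter value such as X-Frame-Options: DENY would fail it) and silent about headers it does not list. The following is an added example, not Carbon's own code: a framework-independent audit of a response-header map that a Cypress spec could call from cy.request('/').then(...). The policy starts from the five headers asserted in security.spec.js and adds entries a practitioner would expect today; the rule set, function names and sample header maps are assumptions.

```javascript
// Added example (not Carbon's own code): an audit of a response-header map
// with required, advisory and legacy rules. HEADER_POLICY, the function names
// and the sample header maps below are assumptions for illustration.

const HEADER_POLICY = [
  // Headers the spec requires, with the accepted values widened where a
  // stricter setting is also fine.
  { name: 'x-frame-options', required: true,
    expect: (v) => ['DENY', 'SAMEORIGIN'].includes(v.toUpperCase()) },
  { name: 'x-content-type-options', required: true,
    expect: (v) => v.toLowerCase() === 'nosniff' },
  { name: 'referrer-policy', required: true,
    expect: (v) => ['no-referrer', 'same-origin', 'strict-origin',
      'strict-origin-when-cross-origin', 'no-referrer-when-downgrade'].includes(v.toLowerCase()),
    // passes, but is weaker than the current browser default
    weak: ['no-referrer-when-downgrade'] },
  // Not in the spec; reported as advisory instead of failing the audit.
  { name: 'permissions-policy', required: false, expect: (v) => v.length > 0 },
  { name: 'content-security-policy', required: false, expect: (v) => /\bdefault-src\b/i.test(v) },
  { name: 'strict-transport-security', required: false, expect: (v) => /\bmax-age=\d+/i.test(v) },
  // Headers the spec asserts that browsers no longer honour: reported if present.
  { name: 'x-xss-protection', legacy: 'removed from Chrome 78 and Edge, never implemented in Firefox; send 0 or drop it' },
  { name: 'feature-policy', legacy: 'renamed Permissions-Policy' },
];

// Lower-case the names (Node and cy.request already do, raw captures may not)
// and flatten multi-valued headers.
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  }
  return out;
}

// Returns structured findings; pass is true only when every required header
// is present with an acceptable value. Advisory and legacy findings never
// flip pass on their own, so a team can ratchet them to required later.
function auditSecurityHeaders(headers, policy = HEADER_POLICY) {
  const h = normaliseHeaders(headers);
  const findings = { missing: [], mismatched: [], weak: [], advisory: [], legacy: [] };
  for (const rule of policy) {
    const value = h[rule.name];
    if (rule.legacy) {
      if (value !== undefined) findings.legacy.push({ header: rule.name, note: rule.legacy });
      continue;
    }
    if (value === undefined) {
      if (rule.required) findings.missing.push(rule.name);
      else findings.advisory.push({ header: rule.name, got: null });
      continue;
    }
    if (!rule.expect(value)) {
      (rule.required ? findings.mismatched : findings.advisory).push({ header: rule.name, got: value });
      continue;
    }
    if (rule.weak && rule.weak.includes(value.toLowerCase())) {
      findings.weak.push({ header: rule.name, got: value });
    }
  }
  findings.pass = findings.missing.length === 0 && findings.mismatched.length === 0;
  return findings;
}

// Constructed sample: exactly the header set security.spec.js asserts on.
const SPEC_HEADERS = {
  'x-frame-options': 'SAMEORIGIN',
  'x-xss-protection': '1; mode=block',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'no-referrer-when-downgrade',
  'feature-policy': "geolocation 'self'; microphone 'self'; camera 'self'",
};

// Constructed sample: a current hardened set, with mixed-case names as a raw
// capture might present them.
const HARDENED_HEADERS = {
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
  'Content-Security-Policy': "default-src 'self'; img-src 'self' data:",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
};
```

Inside the spec this would replace the to.include assertion with something like cy.request('/').then((res) => { const f = auditSecurityHeaders(res.headers); expect(f.pass, JSON.stringify(f)).to.be.true }), so a failure message names the offending header. Running the audit over SPEC_HEADERS passes but reports one weak value, two legacy headers and three advisory gaps, which is the summary of the caveats above in machine-readable form.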

carbon-app/carbon

cypress/integration/security.spec.js

/* global cy */
import { editorVisible } from '../support'

describe('security', () => {
  it('should not alert from bg query parameter', () => {
    // Replace window.alert with a sinon stub so an injected alert() is
    // recorded instead of opening a dialog that would hang the test.
    const stub = cy.stub().as('alert')
    cy.on('window:alert', stub)

    // Regression test for a reflected XSS via the bg query parameter. The
    // payload assumes the value is reflected inside a <style> element: it
    // closes </style>, injects an element with an event handler, and opens
    // an HTML comment to swallow the rest of the original markup.
    // https://github.com/carbon-app/carbon/issues/192
    cy.visit(`?bg=rgba(171, 184, 195, 1)</style><img src="" onerror="alert('xss')" /><!--`)

    editorVisible()

    // Cypress commands are queued, so the assertion must be queued as well. A
    // bare expect(stub).not.to.be.called at this point runs before cy.visit
    // has loaded the page and therefore passes whatever the page does.
    cy.get('@alert').should('not.have.been.called')
  })
  it('security headers', () => {
    // cy.request fetches the document directly, outside the page context, so
    // the response headers (lower-cased names) can be asserted on. Note that
    // only the root document is checked.
    cy.request('/').should(response => {
      expect(response.headers).to.include({
        'x-frame-options': 'SAMEORIGIN', // no cross-origin framing (clickjacking)
        'x-xss-protection': '1; mode=block', // legacy filter, ignored by current browsers
        'x-content-type-options': 'nosniff', // no MIME sniffing of responses
        'referrer-policy': 'no-referrer-when-downgrade',
        'feature-policy': "geolocation 'self'; microphone 'self'; camera 'self'", // predecessor of Permissions-Policy
      })
    })
  })
  // The redirect tests assert the exact final URL, query string included, so
  // both a changed destination and a redirect to an unexpected host fail.
  it('/offsets -> Project Wren', () => {
    cy.visit(`/offsets`)
    cy.url().should(
      'eq',
      'https://www.wren.co/join/carbon?utm_campaign=share&utm_medium=profile_referral_link'
    )
  })
  it('/privacy -> Privacy policy', () => {
    cy.visit(`/privacy`)
    cy.url().should(
      'eq',
      'https://carbon-app.notion.site/PRIVACY-POLICY-65f08f57a8a14f91931d778f9a471a7d'
    )
  })
  it('/terms -> Terms', () => {
    cy.visit(`/terms`)
    cy.url().should(
      'eq',
      'https://carbon-app.notion.site/TERMS-OF-USE-d159661077fe4ef2974e6108b36aeece'
    )
  })
})