chemxy / vega
this is a repo for seng426 summer 2022 team14
Resource Upload Feature is not Working
Wrong npm start script for the expressjs server: was "NODE_ENV=development node index.js", should be "node index.js NODE_ENV=development"
Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
The website will crash if the wrong username and password are provided on the login page.
Scenario: User attempts to log in with invalid credentials
Given User is on the Login/SignUp page
When User enters a valid username into the username field
And User enters incorrect password
And User clicks on the Submit button
Then The user should see the prompt “Incorrect username and or password”
Write Selenium Tests for Frontend
Write Unit Tests for Backend Authentication
As a vega user, I should be able to manage my secrets, including the following actions:
Feature: Admin User should be able to manage the secrets of all users
Scenario: Admin User should see all secrets of all users
Given User logs in as admin
When User navigates to Manage Secret tab
Then User should see all secrets of all users
Scenario: Admin User should be able to delete all secrets of all users
Given User logs in as admin
When User navigates to Manage Secret tab
And User deletes a secret of a user
Then User should see the secret was deleted
Scenario: Admin User should be able to update all secrets of all users
Given User logs in as admin
When User navigates to Manage Secret tab
And User clicks on Edit of a secret entry of a user
And User changes the name of the secret
Then User should see the secret was updated
Scenario: Admin User should be able to create a secret for a user
Given User logs in as admin
When User navigates to Manage Secret tab
And User clicks on Create button
And User enters the name of the secret
And User enters the creation date/time of the secret
And User enters the data of the secret
And User enters the user’s identity
And User clicks on OK button
Then User should see the newly-created secret in the secret list
Scenario: Admin User should see a report of all secrets
Given User logs in as admin
When User navigates to Report tab
Then User should see a report of all secrets
Scenario: Admin User should be able to set the threshold of the max secrets a user can add per day
Given User logs in as admin
When User navigates to Manage Secret tab
And User sets the threshold of the max secrets a user can add per day
Then User should see the threshold was updated
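Every scenario in the feature above starts with "User logs in as admin", and the security property behind them is that the admin-only operations (seeing every user's secrets, entering another user's identity as owner, the report, the daily threshold) are refused for anyone else by the server, not merely hidden in the Manage Secret tab. The following is an added example of that server-side authorization, written in the project's language but not taken from the vega repository. The actor object ({username, role}), the role names 'admin' and 'user', the in-memory store and the default threshold of 10 are assumptions; the Express routes would call these methods with the actor taken from the session.

```javascript
class Forbidden extends Error {}

class SecretStore {
  constructor() {
    this.secrets = new Map(); // id -> { id, owner, name, data, createdAt }
    this.nextId = 1;
    this.maxPerDay = 10;      // assumed default threshold; only admins may change it
  }

  // Admins see every user's secrets; everyone else sees only their own.
  list(actor) {
    const all = [...this.secrets.values()];
    return actor.role === 'admin' ? all : all.filter((s) => s.owner === actor.username);
  }

  // Shared gate for update/delete: the record must exist and the actor must be
  // an admin or its owner. Decided here from the session, never from the UI.
  _authorize(actor, id) {
    const s = this.secrets.get(id);
    if (!s) throw new Error(`no secret with id ${id}`);
    if (actor.role !== 'admin' && s.owner !== actor.username) {
      throw new Forbidden(`${actor.username} may not access secret ${id}`);
    }
    return s;
  }

  create(actor, { owner = actor.username, name, data, createdAt = new Date() }) {
    // Only an admin may enter another user's identity as the owner.
    if (actor.role !== 'admin' && owner !== actor.username) {
      throw new Forbidden('only admins may create secrets for other users');
    }
    // Per-day threshold, counted server-side on the UTC calendar day of createdAt.
    const day = createdAt.toISOString().slice(0, 10);
    const sameDay = [...this.secrets.values()].filter(
      (s) => s.owner === owner && s.createdAt.toISOString().slice(0, 10) === day,
    );
    if (sameDay.length >= this.maxPerDay) {
      throw new Forbidden(`${owner} already has ${sameDay.length} secrets dated ${day}`);
    }
    const secret = { id: this.nextId++, owner, name, data, createdAt };
    this.secrets.set(secret.id, secret);
    return secret;
  }

  update(actor, id, changes) {
    const s = this._authorize(actor, id);
    // Only name and data are editable; id and owner are never client-controlled.
    if (changes.name !== undefined) s.name = changes.name;
    if (changes.data !== undefined) s.data = changes.data;
    return s;
  }

  delete(actor, id) {
    this._authorize(actor, id);
    return this.secrets.delete(id);
  }

  setMaxPerDay(actor, n) {
    if (actor.role !== 'admin') throw new Forbidden('only admins may change the threshold');
    if (!Number.isInteger(n) || n < 1) throw new Error('threshold must be a positive integer');
    this.maxPerDay = n;
    return n;
  }

  // Report tab: number of secrets per owner, admin only.
  report(actor) {
    if (actor.role !== 'admin') throw new Forbidden('only admins may view the report');
    const counts = {};
    for (const s of this.secrets.values()) counts[s.owner] = (counts[s.owner] || 0) + 1;
    return counts;
  }
}
```

A route maps a Forbidden to 403 and any other error to 400 or 404; the important point is that a non-admin calling the same endpoint with another user's secret id gets the 403 regardless of what the Manage Secret tab shows.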
Add CORS support to both frontend and backend
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.
The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.
Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Scenario: User inputs an invalid Name
Given The user is on the Contact Us page
When User enters a name without acceptable syntax
And User enters a valid email
And User enters a valid message
And User clicks on Submit
Then An error message “! Please include an ‘@’ in the email address. ‘S’ is missing an ‘@’” gets prompted
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
The directives frame-ancestors and form-action are among those that do not fall back to default-src; leaving them out is the same as allowing anything.
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
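The five scanner findings above (missing CSP, X-Powered-By disclosure, missing nosniff, CSP without frame-ancestors/form-action, and no clickjacking protection) are all fixed by the same response-header middleware. Below is an added example for the Express backend, not code from the vega repository. applySecurityHeaders works on any object with setHeader/removeHeader, so in Express it is `app.use((req, res, next) => { applySecurityHeaders(res); next(); })`. The policy values are an assumption for a same-origin app with no inline scripts; the fake response object exists only so the block runs without a server. The parser at the end reports which non-fallback directives a policy leaves unset, which is the check behind the "frame-ancestors, form-action" finding.

```javascript
// Directives that do NOT inherit from default-src: if one is absent the browser
// treats it as unrestricted, so "default-src 'self'" alone still allows the
// page to be framed anywhere and forms to be posted to any origin.
const NON_FALLBACK_DIRECTIVES = ['base-uri', 'form-action', 'frame-ancestors'];

// Assumed policy for a same-origin frontend with no inline script or style.
const CSP = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self'",
  "img-src 'self' data:",
  "object-src 'none'",        // no plugins or embedded objects
  "base-uri 'self'",
  "form-action 'self'",
  "frame-ancestors 'none'",   // same effect as X-Frame-Options: DENY
].join('; ');

function securityHeaders() {
  return {
    'Content-Security-Policy': CSP,
    'X-Content-Type-Options': 'nosniff', // browsers must honour the declared Content-Type
    'X-Frame-Options': 'DENY',           // for browsers that predate frame-ancestors
  };
}

function applySecurityHeaders(res) {
  // Express adds "X-Powered-By: Express" by default; app.disable('x-powered-by')
  // also works, but removing it here covers responses from other layers too.
  res.removeHeader('X-Powered-By');
  for (const [name, value] of Object.entries(securityHeaders())) res.setHeader(name, value);
  return res;
}

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Which of the non-fallback directives does this policy leave unset?
function missingNonFallbackDirectives(value) {
  const policy = parseCsp(value);
  return NON_FALLBACK_DIRECTIVES.filter((d) => !(d in policy));
}

// Minimal stand-in for an Express response (constructed for running offline).
function fakeResponse() {
  const headers = { 'x-powered-by': 'Express' };
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    removeHeader(name) { delete headers[name.toLowerCase()]; },
    getHeader(name) { return headers[name.toLowerCase()]; },
  };
}
```

When the frontend is served from the same origin as the API, the policy above is enough; if the frontend lives on another origin, script-src and connect-src need that origin added, and frame-ancestors stays 'none' unless something is meant to embed the app.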
Scenario: User creating a new account
Given User is on the Login/Signup page
When The user enters an unused username and password
And User clicks ‘Submit’
Then A new account is created with the entered credentials
As a developer, I would like to add ids to the web elements that could be tested by the Selenium automation testing.
Scenario: User tries to submit empty form
Given User is on the Contact Us page
When The form fields are empty
Then The submit button must be unclickable
“About Us” navbar option not working.
Scenario: User would like to see the background information of our company
Given User is on the Vega webpage
When User clicks on “About us” button
Then User is directed to the About us page
And The corresponding background information is presented to the User
Scenario: Log in fields are empty
Given User is on the Login/SignUp page
When The Username field is empty
Then The submit button must be unclickable
Add CRUD functionalities to the News&Events component so that an administrator can perform the following actions:
Feature: Admins and employees should be able to manage News & Events entries.
Scenario: Admins should be able to create News & Events entries.
Given User logs in as admin
When User navigates to News & Events tab
And User clicks on Create button
And User enters the information of the entry
And User clicks on OK button
Then User should see the entry was created
Scenario: Admins should be able to edit News & Events entries.
Given User logs in as admin
When User navigates to News & Events tab
And User clicks on Edit of an entry
And User changes the information in the selected entry
Then User should see the entry was updated
Scenario: Employees should be able to create News & Events entries.
Given User logs in as employee
When User navigates to News & Events tab
And User clicks on Create button
And User enters the information of the entry
And User clicks on OK button
Then User should see the entry was created
Scenario: Employees should be able to edit News & Events entries.
Given User logs in as employee
When User navigates to News & Events tab
And User clicks on Edit of an entry
And User changes the information in the selected entry
Then User should see the entry was updated
Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server
Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance). Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
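The "Add CORS support" issue earlier on this page and the scanner finding above pull in opposite directions only if CORS is added with Access-Control-Allow-Origin: * or by echoing the request's Origin header; either lets any site a logged-in user visits read the API's responses. Below is an added example of an origin allowlist for the Express backend, not code from the vega repository. The two allowed origins are assumptions standing in for the frontend's real production and development origins; they must be exact matches, and a request from any other origin gets no Access-Control-Allow-Origin header at all, so the browser enforces the same-origin policy.

```javascript
// Assumed frontend origins; exact scheme, host and port.
const ALLOWED_ORIGINS = new Set([
  'https://vega.example.com',
  'http://localhost:3000',
]);

// Returns the headers to add for this request's Origin. A disallowed origin
// gets only Vary: Origin, never a reflected Access-Control-Allow-Origin.
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  // Exact set membership. A substring or regex check such as
  // origin.includes('vega.example.com') would also accept
  // https://vega.example.com.evil.net, and "null" (sandboxed iframes,
  // file:// pages) must not be treated as a trusted origin either.
  if (typeof requestOrigin !== 'string' || !allowed.has(requestOrigin)) {
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true', // only safe because the origin was allowlisted
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    // Caches must key on Origin, or an ACAO for one origin could be served to another.
    Vary: 'Origin',
  };
}

// Express middleware built on corsHeaders; answers preflight requests directly.
function corsMiddleware(req, res, next) {
  for (const [name, value] of Object.entries(corsHeaders(req.headers.origin))) {
    res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    return res.end();
  }
  next();
}
```

Register it before the routes with `app.use(corsMiddleware)`. Allow-Credentials is set only on the allowlisted branch, and the wildcard is never used, because browsers refuse credentialed requests to a wildcard origin and a reflected origin with credentials is exactly the misconfiguration the scanner reports.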
Scenario: User tries to submit empty message
Given User is on the Contact Us page
When User enters a valid name
And User enters a valid email
And User leaves the message field blank
Then The submit button must be unclickable
Write Unit Tests for Backend