Merge pull request #357 from Contrast-Security-OSS/NODE-3651-express5

NODE-3651: Add Express 5

.github/workflows/build.yml

@@ -11,7 +11,7 @@ jobs:
       matrix:
         # not all apps support node versions below, but at the very
         # least they all build
-        apps: [express,fastify3,hapi18,hapi19,hapi20,koa,kraken,loopback,loopback4,restify,sails]
+        apps: [express4,express5,fastify3,hapi18,hapi19,hapi20,koa,kraken,loopback,loopback4,restify,sails]
         version: [14, 16, 18, 20]
     steps:
       - name: Checkout

.github/workflows/build_v5_screener_imgs.yml

@@ -11,7 +11,7 @@ jobs:
       matrix:
         # not all apps support node versions below, but at the very
         # least they all build
-        apps: [express,fastify3,fastify4,koa,hapi20,hapi21]
+        apps: [express4,express5,fastify3,fastify4,koa,hapi20,hapi21]
         version: [16, 18, 20, 22]
     steps:
       - name: Checkout

.github/workflows/ci_build.yml

@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        apps: [express,fastify3,fastify4,hapi18,hapi19,hapi20,koa,kraken,loopback,loopback4,restify,sails]
+        apps: [express4,express5,fastify3,fastify4,hapi18,hapi19,hapi20,koa,kraken,loopback,loopback4,restify,sails]
         version: [14, 16, 18, 20]
     steps:
       - name: Checkout

express4/README.md

@@ -0,0 +1,48 @@
+# @contrast/express4-test-bench
+An intentionally vulnerable `express` application.
+
+## Running Locally
+Make sure you have [Node.js](http://nodejs.org/) installed or install a version
+of Node from [nvm](https://github.com/creationix/nvm).
+
+```sh
+git clone https://github.com/Contrast-Security-OSS/NodeTestBenches.git # or clone your own fork
+cd NodeTestBenches/express
+npm install
+npm start
+```
+
+Your app should now be running on [localhost:3000](http://localhost:3000/).
+
+## Running with Contrast
+
+### Installation
+See [our documentation](https://docs.contrastsecurity.com/installation-nodeinstall.html)
+for installation instructions.
+
+### Running the agent
+After installation, the agent can be run with `npm run contrast`. For more
+information on configuration and which technologies the agent supports, see our
+[documentation](https://docs.contrastsecurity.com/installation-node.html#node-config).
+
+## Adding a shared vulnerability
+Once you have added shared functionality to
+[`@contrast/test-bench-utils`](https://github.com/Contrast-Security-OSS/NodeTestBenches/tree/main/test-bench-utils),
+you are ready to add an endpoint in the test bench application.
+
+Create a _vulnerabilities/ruleName/index.js_ file and call the `controllerFactory` method:
+```js
+const controllerFactory = require('../../utils/controllerFactory');
+module.exports = controllerFactory('ruleName');
+```
+
+Check the documentation for `controllerFactory` under _utils/controllerFactory.js_
+usage information.
+
+Add a _vulnerabilities/ruleName/views/index.ejs_ file that includes the shared
+template from `@contrast/test-bench-utils`:
+```html
+<% include ../../../node_modules/@contrast/test-bench-utils/public/views/ruleName.ejs %>
+```
+
+Now run the app and make sure everything works as expected!

express/package.json → express4/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "@contrast/express-test-bench",
+  "name": "@contrast/express4-test-bench",
   "private": true,
   "version": "3.36.0",
   "description": "Intentionally vulnerable Express application",