Merge pull request #43 from TNG/category_in_threat_download

Added threat category to markdown export

src/server/__tests__/server.test.js

@@ -323,34 +323,41 @@ it('Download threat file', async () => {
 =======
 
 1. **title**
+    - *Category:* Spoofing
     - *Severity:* High
     - *Author:* Player 1
     - *Description:* <img src="" onerror="alert\\('XSS'\\) alt="Uh oh...">
     - *Mitigation:* mitigation
 2. **title**
+    - *Category:* Spoofing
     - *Severity:* High
     - *Author:* Player 1
     - *Description:* description
     - *Mitigation:* mitigation
 3. **title**
+    - *Category:* Spoofing
     - *Severity:* High
     - *Author:* Player 1
     - *Description:* description
     - *Mitigation:* mitigation
 4. **Accessing DB credentials**
+    - *Category:* Information disclosure
     - *Severity:* High
     - *Description:* The Background Worker configuration stores the credentials used by the worker to access the DB. An attacker could compromise the Background Worker and get access to the DB credentials.
     - *Mitigation:* \\[Click Me\\]\\(javascript:alert\\('XSS'\\)\\)
 5. **Unauthorised access**
+    - *Category:* Information disclosure
     - *Severity:* High
     - *Description:* An attacker could make an query call on the DB,
     - *Mitigation:* Require all queries to be authenticated.
 6. **Credential theft**
+    - *Category:* Information disclosure
     - *Severity:* Medium
     - *Author:* The Model
     - *Description:* An attacker could obtain the DB credentials ans use them to make unauthorised queries.
     - *Mitigation:* Use a firewall to restrict access to the DB to only the Background Worker IP address.
 7. **\\!\\[Uh oh...\\]\\(https://www.example.com/image.png"onload="alert\\('XSS'\\)\\)**
+    - *Category:* Information disclosure
     - *Severity:* High
     - *Description:* The Web Application Config stores credentials used  by the Web App to access the message queue. These could be stolen by an attacker and used to read confidential data or place poison message on the queue.
     - *Mitigation:* The Message Queue credentials should be encrypted. newlines shouldn't break the formatting

src/server/endpoints.js

@@ -3,7 +3,7 @@ import send from 'koa-send';
 import request from 'superagent';
 import { v4 as uuidv4 } from 'uuid';
 import { ElevationOfPrivilege } from '../game/eop';
-import { getSuitDisplayName } from '../utils/cardDefinitions';
+import { getSuitDisplayName, isSuit } from '../utils/cardDefinitions';
 import { DEFAULT_MODEL, ModelType } from '../utils/constants';
 import { GameMode } from '../utils/GameMode';
 import { INTERNAL_API_PORT } from '../utils/serverConfig';
@@ -244,9 +244,20 @@ export const downloadThreatsMarkdownFile = (gameServer) => async (ctx) => {
   logEvent(`Download threats: ${matchID}`);
   ctx.attachment(filename);
   ctx.set('Access-Control-Expose-Headers', 'Content-Disposition');
-  ctx.body = formatThreats(threats, date);
+  ctx.body = formatThreats(threats.map(threat => enrichThreatWithCategory(threat, game.state.G.gameMode)), date);
 };
 
+function enrichThreatWithCategory(threat, gameMode) {
+  if (threat.type) {
+    return ({
+      ...threat,
+      category: isSuit(threat.type) ? getSuitDisplayName(gameMode, threat.type) : threat.type
+    });
+  }
+
+  return threat;  
+}
+
 function getThreats(gameState, metadata, model) {
   var threats = [];
 
@@ -295,6 +306,10 @@ function formatSingleThreat(threat, index) {
     `${index + 1}. **${escapeMarkdownText(threat.title.trim())}**`,
   ];
 
+  if ('category' in threat) {
+    lines.push(`    - *Category:* ${escapeMarkdownText(threat.category)}`);
+  }
+
   if ('severity' in threat) {
     lines.push(`    - *Severity:* ${escapeMarkdownText(threat.severity)}`);
   }

src/utils/cardDefinitions.ts

@@ -371,6 +371,10 @@ const CARD_DECKS: CardDeckDefinitions = {
   },
 };
 
+export function isSuit(str: string): str is Suit {
+  return ['A', 'B', 'C', 'D', 'E', 'T'].includes(str);
+}
+
 export function getStartingCard(gameMode: GameMode, suit: Suit): Card {
   const usedSuit =
     CARD_DECKS[gameMode][suit].cards.length > 0