Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New vulns #2 #11

Closed
wants to merge 4 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -325,3 +325,5 @@ OWASP Juice Shop and any contributions are Copyright © by Bjoern Kimminich & th
2014-2023.

![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png)
123456🙈🤫
Update!
2 changes: 2 additions & 0 deletions data/static/users.yml
Original file line number Diff line number Diff line change
Expand Up @@ -147,6 +147,8 @@
email: wurstbrot
username: wurstbrot
password: 'EinBelegtesBrotMitSchinkenSCHINKEN!'
totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH
key: timo
role: 'admin'
securityQuestion:
id: 1
Expand Down
1 change: 1 addition & 0 deletions lib/insecurity.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
/*

Check failure on line 1 in lib/insecurity.ts

View workflow job for this annotation

GitHub Actions / smoke-test

Could not find a declaration file for module 'express'. '/home/runner/work/juice-shop/juice-shop/node_modules/express/index.js' implicitly has an 'any' type.

Check failure on line 1 in lib/insecurity.ts

View workflow job for this annotation

GitHub Actions / smoke-test

Could not find a declaration file for module 'express-jwt'. '/home/runner/work/juice-shop/juice-shop/node_modules/express-jwt/lib/index.js' implicitly has an 'any' type.

Check failure on line 1 in lib/insecurity.ts

View workflow job for this annotation

GitHub Actions / smoke-test

Could not find a declaration file for module 'jsonwebtoken'. '/home/runner/work/juice-shop/juice-shop/node_modules/jsonwebtoken/index.js' implicitly has an 'any' type.

Check failure on line 1 in lib/insecurity.ts

View workflow job for this annotation

GitHub Actions / smoke-test

Could not find a declaration file for module 'jws'. '/home/runner/work/juice-shop/juice-shop/node_modules/jws/index.js' implicitly has an 'any' type.

Check failure on line 1 in lib/insecurity.ts

View workflow job for this annotation

GitHub Actions / smoke-test

Could not find a declaration file for module 'sanitize-html'. '/home/runner/work/juice-shop/juice-shop/node_modules/sanitize-html/index.js' implicitly has an 'any' type.
* Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
* SPDX-License-Identifier: MIT
*/
Expand All @@ -20,6 +20,7 @@
import * as z85 from 'z85'

export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key'
const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----'

Check failure

Code scanning / CodeQL

Hard-coded credentials Critical

The hard-coded value "-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=
-----END RSA PRIVATE KEY-----" is used as
jwt key
.
The hard-coded value "-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=
-----END RSA PRIVATE KEY-----" is used as
key
.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Secret Detection

Type: Private-Key

Description: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

Severity: HIGH


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "private-key" in lib/insecurity.ts; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command


interface ResponseWithUser {
status: string
Expand Down
3 changes: 3 additions & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -119,17 +119,20 @@
"cookie-parser": "^1.4.5",
"cors": "^2.8.5",
"dottie": "^2.0.2",
"download": "^8.0.0",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Got Allows A Redirect To A Unix Socket

Description: download>got

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Got allows a redirect to a UNIX socket" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service

Description: Paths from library to vulnerable dependencies:

  • download>got>cacheable-request>http-cache-semantics
  • sqlite3>node-gyp>make-fetch-happen>http-cache-semantics

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "http-cache-semantics vulnerable to Regular Expression Denial of Service" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"errorhandler": "^1.5.1",
"exif": "^0.6.0",
"express": "^4.17.1",
"express-ipfilter": "^1.2.0",
"express-jwt": "0.1.3",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Verification Bypass In Jsonwebtoken

Description: express-jwt>jsonwebtoken

Severity: CRITICAL

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Note: Once you apply these changes, you'll need to regenerate the package-lock.json file on your end.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"express-jwt": "0.1.3",
"express-jwt": "8.4.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Verification Bypass in jsonwebtoken" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Authorization Bypass In Express-Jwt

Description: express-jwt

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Note: Once you apply these changes, you'll need to regenerate the package-lock.json file on your end.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"express-jwt": "0.1.3",
"express-jwt": "8.4.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Authorization bypass in express-jwt" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Regular Expression Denial Of Service In Moment

Description: Paths from library to vulnerable dependencies:

  • express-jwt>jsonwebtoken>moment
  • file-stream-rotator>moment
  • filesniffer>filehound>moment
  • finale-rest>moment
  • sequelize>moment-timezone>moment

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Note: Once you apply these changes, you'll need to regenerate the package-lock.json file on your end.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"express-jwt": "0.1.3",
"express-jwt": "8.4.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Regular Expression Denial of Service in moment" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Forgeable Public/Private Tokens In Jws

Description: express-jwt>jsonwebtoken>jws

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

Update each outdated library in your code.

Note: Once you apply these changes, you'll need to regenerate the package-lock.json file on your end.

Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.

Suggested change
"express-jwt": "0.1.3",
"express-jwt": "8.4.1",

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Forgeable Public/Private Tokens in jws" in package.json; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

"express-rate-limit": "^5.3.0",
"express-robots-txt": "^0.4.1",
"express-security.txt": "^2.0.0",
"feature-policy": "^0.5.0",
"file-stream-rotator": "^0.5.7",
"file-type": "^16.1.0",
"filesniffer": "^1.0.3",
"finale-rest": "^1.1.1",
"fs-extra": "^9.0.1",
"fuzzball": "^1.3.0",
"glob": "^7.1.6",
Expand Down
2 changes: 1 addition & 1 deletion routes/likeProductReviews.ts
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
return (req: Request, res: Response, next: NextFunction) => {
const id = req.body.id
const user = security.authenticatedUsers.from(req)
db.reviews.findOne({ _id: "a" }).then((review: Review) => {
db.reviews.findOne({ _id: id }).then((review: Review) => {

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query object depends on a
user-provided value
.
This query object depends on a
user-provided value
.

Copilot Autofix AI 3 months ago

To fix this issue, we need to ensure that the user-provided id is treated as a literal value and not as a query object. This can be achieved by using MongoDB's $eq operator, which ensures that the value is interpreted as a literal. Additionally, we should validate that the id is a string to prevent any potential injection attacks.

Suggested changeset 1
routes/likeProductReviews.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/routes/likeProductReviews.ts b/routes/likeProductReviews.ts
--- a/routes/likeProductReviews.ts
+++ b/routes/likeProductReviews.ts
@@ -16,4 +16,8 @@
     const id = req.body.id
+    if (typeof id !== 'string') {
+      res.status(400).json({ error: 'Invalid ID format' })
+      return
+    }
     const user = security.authenticatedUsers.from(req)
-    db.reviews.findOne({ _id: id }).then((review: Review) => {
+    db.reviews.findOne({ _id: { $eq: id } }).then((review: Review) => {
       if (!review) {
@@ -24,3 +28,3 @@
           db.reviews.update(
-            { _id: id },
+            { _id: { $eq: id } },
             { $inc: { likesCount: 1 } }
@@ -41,3 +45,3 @@
                   db.reviews.update(
-                    { _id: id },
+                    { _id: { $eq: id } },
                     { $set: { likedBy: likedBy } }
EOF
@@ -16,4 +16,8 @@
const id = req.body.id
if (typeof id !== 'string') {
res.status(400).json({ error: 'Invalid ID format' })
return
}
const user = security.authenticatedUsers.from(req)
db.reviews.findOne({ _id: id }).then((review: Review) => {
db.reviews.findOne({ _id: { $eq: id } }).then((review: Review) => {
if (!review) {
@@ -24,3 +28,3 @@
db.reviews.update(
{ _id: id },
{ _id: { $eq: id } },
{ $inc: { likesCount: 1 } }
@@ -41,3 +45,3 @@
db.reviews.update(
{ _id: id },
{ _id: { $eq: id } },
{ $set: { likedBy: likedBy } }
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Static Code Analysis Js

Type: Codsec.Javascriptnosql-Injection.Nosql-Injection

Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.

Severity: HIGH


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "codsec.javascriptnosql-injection.nosql-injection" in routes/likeProductReviews.ts; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

if (!review) {
res.status(404).json({ error: 'Not found' })
} else {
Expand Down
13 changes: 13 additions & 0 deletions routes/updateProductReviews.ts
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,19 @@
// vuln-code-snippet start noSqlReviewsChallenge forgedReviewChallenge
module.exports = function productReviews () {
return (req: Request, res: Response, next: NextFunction) => {
const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge
db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge
{ _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query object depends on a
user-provided value
.
This query object depends on a
user-provided value
.

Copilot Autofix AI 3 months ago

To fix the problem, we need to ensure that the user input is safely embedded into the query. For MongoDB, we can use the $eq operator to ensure that the user input is treated as a literal value. This prevents any potential NoSQL injection attacks.

  • Modify the query to use the $eq operator for the _id field.
  • Ensure that the req.body.id is treated as a literal value and not as a query object.
Suggested changeset 1
routes/updateProductReviews.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/routes/updateProductReviews.ts b/routes/updateProductReviews.ts
--- a/routes/updateProductReviews.ts
+++ b/routes/updateProductReviews.ts
@@ -17,3 +17,3 @@
     db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge
-      { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
+      { _id: { $eq: req.body.id } }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
       { $set: { message: req.body.message } },
EOF
@@ -17,3 +17,3 @@
db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge
{ _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
{ _id: { $eq: req.body.id } }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
{ $set: { message: req.body.message } },
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
{ $set: { message: req.body.message } },
{ multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge
).then(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Static Code Analysis Js

Type: Codsec.Javascriptnosql-Injection.Nosql-Injection

Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.

Severity: HIGH


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "codsec.javascriptnosql-injection.nosql-injection" in routes/updateProductReviews.ts; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

(result: { modified: number, original: Array<{ author: any }> }) => {
challengeUtils.solveIf(challenges.noSqlReviewsChallenge, () => { return result.modified > 1 }) // vuln-code-snippet hide-line
challengeUtils.solveIf(challenges.forgedReviewChallenge, () => { return user?.data && result.original[0] && result.original[0].author !== user.data.email && result.modified === 1 }) // vuln-code-snippet hide-line
res.json(result)
}, (err: unknown) => {
res.status(500).json(err)
})
}
}
// vuln-code-snippet end noSqlReviewsChallenge forgedReviewChallenge
1 change: 1 addition & 0 deletions test/smoke/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
FROM alpine
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Docker Scan

Type: Image User Should Not Be 'Root'

Description: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

Severity: HIGH

Learn more about this issue


Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

  • First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:
    • If a non-root user already exists in your container, consider using it.
    • If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.
Suggested change
FROM alpine
FROM alpine
RUN addgroup --system <group>
RUN adduser --system <user> --ingroup <group>
USER <user>:<group>

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Image user should not be 'root'" in test/smoke/Dockerfile; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command


RUN apk add curl

Expand Down
Loading