diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 0000000000..36734a40a7
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,16 @@
+version: '2.1'
+orbs:
+ snyk: snyk/snyk@2.0.3
+jobs:
+ build:
+ docker:
+ - image: cimg/node:lts
+ steps:
+ - checkout
+ - run: npm ci
+ - snyk/scan:
+ fail-on-issues: false
+ monitor-on-build: true
+ severity-threshold: high
+ token-variable: SNYK_TOKEN
+workflows: null
diff --git a/.github/snyk-pr-diff-amd64-linux b/.github/snyk-pr-diff-amd64-linux
new file mode 100644
index 0000000000..872b318b00
Binary files /dev/null and b/.github/snyk-pr-diff-amd64-linux differ
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 3ebc0c31fb..0000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
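Review bot: `fail-on-issues: false` on the `snyk/scan` step means the job reports findings but never fails, so the `severity-threshold: high` filter gates nothing; if the scan is meant to block merges it should read `fail-on-issues: true` (keeping `monitor-on-build: true` for the dashboard). `workflows: null` also declares no workflow at all, so it is unclear whether the `build` job is ever scheduled — presumably CircleCI's implicit `build` fallback is being relied on, but either dropping the key or declaring a workflow that runs `build` would make that explicit. The orb is pinned to `snyk/snyk@2.0.3`, which is good; `token-variable: SNYK_TOKEN` depends on that variable being provided by a CircleCI context that this file does not show.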
@@ -1,71 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
- push:
- branches: [ master ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
- schedule:
- - cron: '32 19 * * 4'
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- strategy:
- fail-fast: false
- matrix:
- language: [ 'javascript' ]
- # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
- # Learn more:
- # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v1
-
- # ℹī¸ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
-
- # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
-
- #- run: |
- # make bootstrap
- # make release
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/full-with-diff.test b/.github/workflows/full-with-diff.test
new file mode 100644
index 0000000000..4ec6b8b726
--- /dev/null
+++ b/.github/workflows/full-with-diff.test
@@ -0,0 +1,61 @@
+name: Snyk Code PR Diff Scan
+
+on:
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ snyk-pipeline:
+ runs-on: ubuntu-latest
+ name: Snyk Code PR Diff Scan
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ steps:
+ # Checkout base ref branch
+ - uses: actions/checkout@v3
+ with:
+ ref: ${{ github.base_ref }}
+ - name: Download Snyk
+ run: |
+ wget -O snyk https://static.snyk.io/cli/latest/snyk-linux
+ chmod +x ./snyk
+ mv ./snyk /usr/local/bin/
+
+ - name: Authenticate Snyk
+ run: snyk auth ${SNYK_TOKEN}
+
+ - name: Run Snyk Code
+ run: snyk code test --json-file-output=${{ github.workspace }}/snyk_code_baseline.json
+ continue-on-error: true
+
+ # Upload the Snyk Code results from the main branch
+ - uses: actions/upload-artifact@v3
+ with:
+ name: snyk_code_baseline
+ path: ${{ github.workspace }}/snyk_code_baseline.json
+
+ # Checkout PR branch
+ - uses: actions/checkout@v3
+ - name: Authenticate Snyk
+ run: snyk auth ${SNYK_TOKEN}
+
+ - name: Run Snyk Code
+ run: |
+ sleep 10s
+ snyk code test --json-file-output=${{ github.workspace }}/snyk_code_pr.json || true
+ continue-on-error: true
+
+ # Upload the Snyk Code results from the PR scan
+ - uses: actions/upload-artifact@v3
+ with:
+ name: snyk_code_pr
+ path: ${{ github.workspace }}/snyk_code_pr.json
+
+ - uses: actions/download-artifact@v3
+ with:
+ name: snyk_code_baseline
+
+ - name: Check if new issues have been introduced via the PR
+ run: |
+ chmod +x "${{ github.workspace }}/.github/snyk-pr-diff-amd64-linux"
+ ${{ github.workspace }}/.github/snyk-pr-diff-amd64-linux code ${{ github.workspace }}/snyk_code_baseline.json ${{ github.workspace }}/snyk_code_pr.json
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000000..597ebb578d
--- /dev/null
+++ b/.github/workflows/main.yml
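Review bot: The last step executes `.github/snyk-pr-diff-amd64-linux` straight from the second `actions/checkout@v3`, which has no `ref` and therefore checks out the PR head, so whatever binary a PR commits at that path runs with `SNYK_TOKEN` in its environment and nothing verifies it; either take the tool from the `${{ github.base_ref }}` checkout or record its SHA-256 in the workflow and check it with `sha256sum -c` before the `chmod +x`. The same applies to `wget -O snyk https://static.snyk.io/cli/latest/snyk-linux`: `latest` is unpinned and unverified before being moved into `/usr/local/bin`, so pin a version path and verify its published checksum. Both `snyk auth ${SNYK_TOKEN}` steps are redundant because the CLI reads `SNYK_TOKEN` from the job `env`, and they put the token on a command line; drop them. Finally, GitHub Actions only loads `.yml`/`.yaml` files from `.github/workflows`, so this `.test` file is never scheduled as committed — presumably a draft, but worth stating in a header comment.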
@@ -0,0 +1,36 @@
+name: "Snyk Scan"
+
+on:
+ push:
+ branches:
+ - 'demo*' # Include any branch starting with demo
+
+jobs:
+ Pipeline-Job:
+ # Configure Environment
+ name: 'Snyk Scan'
+ runs-on: ubuntu-latest
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ steps:
+ # Checkout Code
+ - name: Checkout Code
+ uses: actions/checkout@v1
+
+ # Install and Authenticate to Snyk
+ - name: Install Snyk & Authenticate
+ run: |
+ sudo npm install -g snyk
+ sudo npm install -g snyk-delta
+ snyk auth ${SNYK_TOKEN}
+ # Run Snyk Code
+ - name: Run Snyk Code
+ run: |
+ snyk code test --report --project-name="GH_ACTION_CI" --severity-threshold=high
+ continue-on-error: true
+ # Run Snyk OS
+ - name: Run Snyk OS
+ run: |
+ snyk test --json --print-deps | snyk-delta --baselineOrg 6d36ac7a-c75b-4179-8e73-6dd4d3fc8343 --baselineProject c8cfc88f-7bc5-4fc4-8474-3fa716593d4a --setPassIfNoBaseline true
+ continue-on-error: true
diff --git a/.github/workflows/snyk-code-manual.yml b/.github/workflows/snyk-code-manual.yml
deleted file mode 100644
index 0cb48af11c..0000000000
--- a/.github/workflows/snyk-code-manual.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-name: "snyk code manual test"
-on: [push, pull_request]
-
-jobs:
- build:
- name: sarif testing action
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- steps:
- - uses: actions/checkout@v3
- - name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: sarif.json
- # sarif_file: example111.json
diff --git a/.github/workflows/snyk-code.yml b/.github/workflows/snyk-code.yml
deleted file mode 100644
index 6acfa140db..0000000000
--- a/.github/workflows/snyk-code.yml
+++ /dev/null
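Review bot: `uses: actions/checkout@v1` is an old major of the checkout action while the other workflows in this commit use `@v3`; use the same major here, ideally pinned to a full commit SHA rather than a floating tag. `sudo npm install -g snyk` and `sudo npm install -g snyk-delta` pull whatever is latest on every run with root privileges, so pin explicit versions (`npm install -g snyk@<PINNED_VERSION>`) or reuse `snyk/actions/setup`, which the workflows deleted in this same commit already used. `snyk auth ${SNYK_TOKEN}` is redundant because the CLI reads `SNYK_TOKEN` from the job `env`, and it puts the token on a command line. With `continue-on-error: true` on both scan steps nothing here ever fails the pipeline, and the hard-coded `--baselineOrg`/`--baselineProject` UUIDs would be easier to maintain as repository variables.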
@@ -1,17 +0,0 @@ -name: "snyk code test" -on: [push, pull_request] -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: snyk/actions/setup@master - - name: Snyk Test - run: snyk code test --org=${{ secrets.SNYK_ORG }} --sarif > snyk-sarif2.json - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-sarif2.json diff --git a/.github/workflows/snyk-test-sarif.yml b/.github/workflows/snyk-test-sarif.yml deleted file mode 100644 index d583e5aafe..0000000000 --- a/.github/workflows/snyk-test-sarif.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: "snyk test" -on: [push, pull_request] -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: snyk/actions/setup@master - - name: Snyk Test - run: snyk test --sarif-file-output=snyk-sarif1.json - continue-on-error: true - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk-sarif1.json diff --git a/app.js b/app.js index e7dfa39ffd..4d67a9c63c 100644 --- a/app.js +++ b/app.js @@ -40,7 +40,7 @@ app.set('view engine', 'ejs'); app.use(logger('dev')); app.use(methodOverride()); app.use(session({ - secret: 'keyboard cat', + // secret: 'keyboard cat', name: 'connect.sid', cookie: { path: '/' } })) @@ -79,9 +79,11 @@ app.locals.marked = marked; if (app.get('env') == 'development') { app.use(errorHandler()); } - +// Introduce Token +/* var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9'; console.log('token: ' + token); +*/ http.createServer(app).listen(app.get('port'), function () { console.log('Express server listening on port ' + app.get('port')); diff --git a/push.sh b/push.sh new file mode 100755 index 0000000000..51ce8b28a2 --- /dev/null +++ b/push.sh 
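Review bot: Commenting out `secret: 'keyboard cat'` in the `session({...})` options removes the only signing key for the session cookie; if this is express-session (the `connect.sid` name suggests it), the middleware throws `secret option required for sessions` at startup, so the app no longer boots. The fix for a hard-coded secret is to source it from configuration rather than delete it: `secret: process.env.SESSION_SECRET,` with the process failing fast when the variable is unset. The `app.use(session({` call starts inside the hunk but the surrounding middleware setup continues outside it.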
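Review bot: Wrapping the `var token = 'SECRET_TOKEN_...'` line and its `console.log` in `/* */` leaves the credential-shaped literal in the source and in every prior revision; delete both lines outright and, if the value was ever real, rotate it, since git history retains it either way. The added `// Introduce Token` comment then has nothing to introduce and should go as well. The `http.createServer` listen callback that follows continues outside the hunk.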
@@ -0,0 +1,10 @@ +#!/bin/bash + +# Stage all modified files +git add . + +# Commit with a prompt for your message +git commit -m "Dylan Fixing Issues" + +# Push your changes to the remote branch +git push origin $(git branch --show-current) diff --git a/routes/index.js b/routes/index.js index 6b5455f03e..43ee1542d0 100644 --- a/routes/index.js +++ b/routes/index.js @@ -34,6 +34,9 @@ exports.index = function (req, res, next) { }); }; +// Insert new vulnerable code: + + exports.loginHandler = function (req, res, next) { if (validator.isEmail(req.body.username)) { User.find({ username: req.body.username, password: req.body.password }, function (err, users) { 
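Review bot: The comment `# Commit with a prompt for your message` contradicts the line under it, which hard-codes `git commit -m "Dylan Fixing Issues"`, so every run produces the same message; take it as an argument, `git commit -m "${1:?commit message required}"`, or drop `-m` so git opens the editor. `git add .` stages everything in the tree, including any local secrets or build output not covered by `.gitignore`, which deserves either a comment or the narrower `git add -u`. The script has no `set -euo pipefail`, so a failed commit still runs the push, and `$(git branch --show-current)` should be quoted.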
@@ -51,6 +54,53 @@ exports.loginHandler = function (req, res, next) { } }; + +if (validator.isEmail(req.body.username)) { + User.find({ username: req.body.username, password: req.body.password }, function (err, users) { + if (users.length > 0) { + const redirectPage = req.body.redirectPage + const session = req.session + const username = req.body.username + return adminLoginSuccess(redirectPage, session, username, res) + } else { + return res.status(401).send() + } + }); +} else { + return res.status(401).send() +}; + +// Fixed code: validator.escape() is used to sanitize the input parameters (username and password) before using them in the database query. +/* +exports.loginHandler = function (req, res, next) { + // Validate if the username is in email format + if (validator.isEmail(req.body.username)) { + // Sanitize the username and password inputs + const username = validator.escape(req.body.username); + const password = validator.escape(req.body.password); + + // Find the user with the provided username and password + User.find({ username: username, password: password }, function (err, users) { + if (err) { + // Handle error + return res.status(500).send("Internal Server Error"); + } + // Check if users array is not empty + if (users.length > 0) { + const redirectPage = req.body.redirectPage; + const session = req.session; + const username = username; + return adminLoginSuccess(redirectPage, session, username, res); + } else { + return res.status(401).send("Unauthorized"); + } + }); + } else { + return res.status(401).send("Unauthorized"); + } +}; +*/ + function adminLoginSuccess(redirectPage, session, username, res) { session.loggedIn = 1 @@ -187,6 +237,8 @@ exports.create = function (req, res, next) { }); }; +// Insert new vulnerable code: + exports.destroy = function (req, res, next) { Todo.findById(req.params.id, function (err, todo) { 
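Review bot: The added `if (validator.isEmail(req.body.username)) { ... }` block sits at module scope, outside any handler, so `req` and `res` are unbound and requiring this module throws a `ReferenceError` before the app can serve a request; if it is meant to demonstrate an unsanitized lookup it belongs inside a handler function, otherwise it should be dropped. The commented "Fixed code" would not fix the underlying problem either: `validator.escape()` HTML-escapes a string but does nothing to stop a non-string `req.body.password` (an operator object) reaching `User.find`, so the guard should be `typeof req.body.password === 'string'`, and the stored password should be compared against a hash rather than queried as plaintext. Note also that `const username = username;` inside that commented callback would throw on the self-reference if it were ever uncommented. The `adminLoginSuccess` definition at the end of the hunk continues outside it.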
@@ -228,6 +280,7 @@ exports.update = function (req, res, next) { }); }; + // ** express turns the cookie key to lowercase ** exports.current_user = function (req, res, next) {