Pr demo branch #1438

Closed
wants to merge 58 commits into from
58 commits
2d5fc92
Create config.yml for circleci
DefenderK Mar 1, 2024
fca80e8
Create config.yaml
DefenderK Mar 1, 2024
9e46aee
Delete .circleci directory
DefenderK Mar 5, 2024
fad7250
Delete circleci directory
DefenderK Mar 5, 2024
3f1e3d7
Create config.yml
DefenderK Mar 5, 2024
b000961
Update config.yml
DefenderK Mar 5, 2024
4bfe928
Update config.yml
DefenderK Mar 5, 2024
f18e8b1
Update config.yml
DefenderK Mar 5, 2024
1bf5b70
Delete .github/workflows/codeql-analysis.yml
DefenderK Mar 9, 2024
7b46b9d
Delete .github/workflows/snyk-code-manual.yml
DefenderK Mar 9, 2024
f78202a
Delete .github/workflows/snyk-code.yml
DefenderK Mar 9, 2024
42fea84
Delete .github/workflows/snyk-test-sarif.yml
DefenderK Mar 9, 2024
a17cf05
Create main.yml
DefenderK Mar 9, 2024
0b4b779
Enter your commit message:
Mar 9, 2024
91cb003
Update main.yml
DefenderK Mar 9, 2024
10dcfe6
Dylan Fixing Issues
Mar 9, 2024
673ca2c
Delete .github/workflows/codeql-analysis.yml
DefenderK Mar 9, 2024
ce2b8dd
Delete .github/workflows/snyk-code-manual.yml
DefenderK Mar 9, 2024
d52df9d
Delete .github/workflows/snyk-code.yml
DefenderK Mar 9, 2024
8309e30
Delete .github/workflows/snyk-test-sarif.yml
DefenderK Mar 9, 2024
fc55996
Merge pull request #25 from DefenderK/demo-branch-0
DefenderK Mar 9, 2024
4d221ba
Dylan Fixing Issues
Mar 10, 2024
bb0e58b
Dylan Fixing Issues
Mar 10, 2024
a1e7204
Update main.yml
DefenderK Mar 10, 2024
73e6fec
Dylan Fixing Issues
Mar 10, 2024
0ea27c7
Merge pull request #27 from DefenderK/demo-branch-1
DefenderK Mar 10, 2024
8bf8660
Dylan Fixing Issues
Mar 10, 2024
663c81b
Update main.yml
DefenderK Mar 10, 2024
c8c8dc1
Update main.yml
DefenderK Mar 10, 2024
1ab5707
Update main.yml
DefenderK Mar 10, 2024
27dacde
Dylan Fixing Issues
Mar 10, 2024
c471350
Merge pull request #28 from DefenderK/demo-branch-2
DefenderK Mar 10, 2024
9a35bd9
Update index.js
DefenderK Mar 11, 2024
236d0c6
Update index.js
DefenderK Mar 12, 2024
1e088f9
Update main.yml
DefenderK Mar 15, 2024
26c02a8
Update package.json
DefenderK Mar 16, 2024
acd93ce
Update package.json
DefenderK Mar 16, 2024
acb87ac
Update main.yml
DefenderK Mar 16, 2024
931a92f
Update main.yml
DefenderK Mar 16, 2024
1587aae
Update main.yml
DefenderK Mar 16, 2024
fd9f3ea
Update main.yml
DefenderK Mar 16, 2024
a05883a
Create full-with-diff.yml
DefenderK Mar 21, 2024
ecc2724
Update full-with-diff.yml
DefenderK Mar 22, 2024
44048f4
Update full-with-diff.yml
DefenderK Mar 22, 2024
b1f3573
Update full-with-diff.yml
DefenderK Mar 22, 2024
e0a7db6
Update full-with-diff.yml
DefenderK Mar 22, 2024
c090525
Update main.yml
DefenderK Mar 22, 2024
b95ac9e
Update full-with-diff.yml
DefenderK Mar 22, 2024
fbca79d
Add files via upload
DefenderK Mar 22, 2024
12550a9
Update full-with-diff.yml
DefenderK Mar 22, 2024
391fb08
Update main.yml
DefenderK Mar 22, 2024
c2cded0
Update main.yml
DefenderK Mar 22, 2024
45bf94d
Update full-with-diff.yml
DefenderK Mar 22, 2024
0d68bb5
Update main.yml
DefenderK Apr 2, 2024
2450d13
Update main.yml
DefenderK Apr 2, 2024
627f4e7
Rename full-with-diff.yml to full-with-diff.test
DefenderK Jul 9, 2024
f459875
Update main.yml
DefenderK Sep 10, 2024
345a15f
Update index.js
DefenderK Sep 30, 2024
16 changes: 16 additions & 0 deletions .circleci/config.yml
@@ -0,0 +1,16 @@
version: '2.1'
orbs:
snyk: snyk/snyk@2.0.3
jobs:
build:
docker:
- image: cimg/node:lts
steps:
- checkout
- run: npm ci
- snyk/scan:
fail-on-issues: false
monitor-on-build: true
severity-threshold: high
token-variable: SNYK_TOKEN
workflows: null
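Review bot: `workflows: null` on the last line adds nothing and is most likely a leftover; CircleCI expects a map of named workflows under this key, so either define one that runs `build` or remove the key and rely on the implicit `build` fallback rather than shipping a null. Separately, `fail-on-issues: false` means the `snyk/scan` step can never fail the job, even for findings above the `severity-threshold: high` set two lines later, so this config reports but does not gate; if this branch is meant to block on high-severity issues, set `fail-on-issues: true`.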
Binary file added .github/snyk-pr-diff-amd64-linux
Binary file not shown.
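Review bot: a prebuilt executable, `.github/snyk-pr-diff-amd64-linux`, is committed to the repository and later executed in CI (see the last step of `full-with-diff.test`) with nothing that records its origin, version or checksum. A binary that cannot be reviewed in a diff should be fetched from a pinned release and verified against a published hash at run time, or at minimum have its source URL and sha256 documented next to it, so a reviewer can tell a routine update from a tampered file.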
71 changes: 0 additions & 71 deletions .github/workflows/codeql-analysis.yml

This file was deleted.

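Review bot: deleting `.github/workflows/codeql-analysis.yml` removes the repository's CodeQL analysis without a stated reason in this PR, and nothing added here replaces that coverage on `main`: the new `main.yml` triggers only on pushes to `demo*` branches, and `full-with-diff.test` cannot run because of its `.test` extension. If the intent is to standardise on Snyk, say so in the PR description and keep at least one workflow that scans `main`.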
61 changes: 61 additions & 0 deletions .github/workflows/full-with-diff.test
@@ -0,0 +1,61 @@
name: Snyk Code PR Diff Scan

on:
pull_request:
branches: [ main ]

jobs:
snyk-pipeline:
runs-on: ubuntu-latest
name: Snyk Code PR Diff Scan
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
steps:
# Checkout base ref branch
- uses: actions/checkout@v3
with:
ref: ${{ github.base_ref }}
- name: Download Snyk
run: |
wget -O snyk https://static.snyk.io/cli/latest/snyk-linux
chmod +x ./snyk
mv ./snyk /usr/local/bin/

- name: Authenticate Snyk
run: snyk auth ${SNYK_TOKEN}

- name: Run Snyk Code
run: snyk code test --json-file-output=${{ github.workspace }}/snyk_code_baseline.json
continue-on-error: true

# Upload the Snyk Code results from the main branch
- uses: actions/upload-artifact@v3
with:
name: snyk_code_baseline
path: ${{ github.workspace }}/snyk_code_baseline.json

# Checkout PR branch
- uses: actions/checkout@v3
- name: Authenticate Snyk
run: snyk auth ${SNYK_TOKEN}

- name: Run Snyk Code
run: |
sleep 10s
snyk code test --json-file-output=${{ github.workspace }}/snyk_code_pr.json || true
continue-on-error: true

# Upload the Snyk Code results from the PR scan
- uses: actions/upload-artifact@v3
with:
name: snyk_code_pr
path: ${{ github.workspace }}/snyk_code_pr.json

- uses: actions/download-artifact@v3
with:
name: snyk_code_baseline

- name: Check if new issues have been introduced via the PR
run: |
chmod +x "${{ github.workspace }}/.github/snyk-pr-diff-amd64-linux"
${{ github.workspace }}/.github/snyk-pr-diff-amd64-linux code ${{ github.workspace }}/snyk_code_baseline.json ${{ github.workspace }}/snyk_code_pr.json
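Review bot: this file is named `full-with-diff.test`, and GitHub Actions only loads `.yml`/`.yaml` files from `.github/workflows`, so the workflow never runs; the commit `Rename full-with-diff.yml to full-with-diff.test` makes that look deliberate, in which case the dead file should be removed rather than merged. If it is meant to run, rename it back and address the following. `wget -O snyk https://static.snyk.io/cli/latest/snyk-linux` pulls an unpinned `latest` CLI with no checksum or signature check before `mv ./snyk /usr/local/bin/`, and the final step `chmod +x`s and executes the committed `snyk-pr-diff-amd64-linux` binary with the same lack of verification; pin the CLI version and verify its published sha256, and treat the diff tool the same way. `snyk auth ${SNYK_TOKEN}` (in both `Authenticate Snyk` steps) is redundant because the CLI reads the `SNYK_TOKEN` variable already exported in `env:`, and putting the token on a command line exposes it to process listings for no gain. In the second `Run Snyk Code` step, `|| true` together with `continue-on-error: true` suppresses failure twice; keep one, and note that with both scans set to continue on error only the last diff step can ever fail the job. The unexplained `sleep 10s` should carry a comment or go.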
36 changes: 36 additions & 0 deletions .github/workflows/main.yml
@@ -0,0 +1,36 @@
name: "Snyk Scan"

on:
push:
branches:
- 'demo*' # Include any branch starting with demo

jobs:
Pipeline-Job:
# Configure Environment
name: 'Snyk Scan'
runs-on: ubuntu-latest
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

steps:
# Checkout Code
- name: Checkout Code
uses: actions/checkout@v1

# Install and Authenticate to Snyk
- name: Install Snyk & Authenticate
run: |
sudo npm install -g snyk
sudo npm install -g snyk-delta
snyk auth ${SNYK_TOKEN}
# Run Snyk Code
- name: Run Snyk Code
run: |
snyk code test --report --project-name="GH_ACTION_CI" --severity-threshold=high
continue-on-error: true
# Run Snyk OS
- name: Run Snyk OS
run: |
snyk test --json --print-deps | snyk-delta --baselineOrg 6d36ac7a-c75b-4179-8e73-6dd4d3fc8343 --baselineProject c8cfc88f-7bc5-4fc4-8474-3fa716593d4a --setPassIfNoBaseline true
continue-on-error: true
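Review bot: `uses: actions/checkout@v1` is several major versions behind and should move to a current release, ideally pinned to a commit SHA as you would pin any other dependency. `sudo npm install -g snyk` and `sudo npm install -g snyk-delta` install whatever is latest at run time, so two runs of the same commit can produce different results; pin both. `snyk auth ${SNYK_TOKEN}` is unnecessary because `SNYK_TOKEN` is exported in `env:` and the CLI reads it directly. Both scan steps are `continue-on-error: true`, so this workflow can never fail on a finding despite `--severity-threshold=high`, and `--setPassIfNoBaseline true` makes `snyk-delta` pass when no baseline is found; acceptable for a demo, but the PR should state that the workflow is report-only. The `--baselineOrg` and `--baselineProject` UUIDs are hard-coded; move them to repository variables so the file is not tied to one Snyk org. Finally, the `push` trigger on `demo*` means `main` is never scanned by this workflow once the older Snyk workflows are deleted in this PR.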
16 changes: 0 additions & 16 deletions .github/workflows/snyk-code-manual.yml

This file was deleted.

17 changes: 0 additions & 17 deletions .github/workflows/snyk-code.yml

This file was deleted.

17 changes: 0 additions & 17 deletions .github/workflows/snyk-test-sarif.yml

This file was deleted.
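Review bot: `snyk-code-manual.yml`, `snyk-code.yml` and `snyk-test-sarif.yml` are all removed; judging by its name, the last one produced SARIF for GitHub code scanning, while the replacement `main.yml` uses `snyk code test --report` instead, so findings will no longer appear in the repository's Security tab. If that is intended, note it in the PR; otherwise keep a step that writes `--sarif-file-output` and uploads it with `github/codeql-action/upload-sarif`.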

6 changes: 4 additions & 2 deletions app.js
Expand Up @@ -40,7 +40,7 @@ app.set('view engine', 'ejs');
app.use(logger('dev'));
app.use(methodOverride());
app.use(session({
secret: 'keyboard cat',
// secret: 'keyboard cat',
name: 'connect.sid',
cookie: { path: '/' }
}))
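Review bot: commenting out `secret: 'keyboard cat'` does not fix the hard-coded session secret, it breaks sessions: express-session requires `secret` (or an upstream `req.secret`) and answers every request with the error `secret option required for sessions` when it is missing. Load the value from configuration instead, e.g. `secret: process.env.SESSION_SECRET`, and fail at startup if it is unset. While here, `cookie: { path: '/' }` could also set `secure: true` (behind TLS) and `sameSite`; `httpOnly` is already the default.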
Expand Down Expand Up @@ -79,9 +79,11 @@ app.locals.marked = marked;
if (app.get('env') == 'development') {
app.use(errorHandler());
}

// Introduce Token
/*
var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9';
console.log('token: ' + token);
*/

http.createServer(app).listen(app.get('port'), function () {
console.log('Express server listening on port ' + app.get('port'));
Expand Down
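Review bot: wrapping `var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9';` in `/* ... */` leaves the literal in the source and in git history, so any secret scanner will still flag it and anyone with read access can still copy it. If the value was ever live it needs rotating regardless; either way delete the block rather than comment it out, and if the demo needs a token use an obviously fake placeholder read from `process.env`.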
10 changes: 10 additions & 0 deletions push.sh
@@ -0,0 +1,10 @@
#!/bin/bash

# Stage all modified files
git add .

# Commit with a prompt for your message
git commit -m "Dylan Fixing Issues"

# Push your changes to the remote branch
git push origin $(git branch --show-current)
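Review bot: the comment `# Commit with a prompt for your message` contradicts the command beneath it, `git commit -m "Dylan Fixing Issues"`, which hard-codes the message (the commit list on this PR shows the effect: six commits all titled `Dylan Fixing Issues`). Either drop `-m` so git opens the editor, or fix the comment. `git add .` stages every untracked file in the tree, including local config or credential files, so a helper like this depends entirely on a complete `.gitignore`; a personal push script arguably does not belong in the repository at all.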
53 changes: 53 additions & 0 deletions routes/index.js
Expand Up @@ -34,6 +34,9 @@ exports.index = function (req, res, next) {
});
};

// Insert new vulnerable code:


exports.loginHandler = function (req, res, next) {
if (validator.isEmail(req.body.username)) {
User.find({ username: req.body.username, password: req.body.password }, function (err, users) {
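Review bot: the added lines are the comment `// Insert new vulnerable code:` followed by two blank lines and no code, which looks like a leftover from preparing the demo. Remove it, or if it is meant to label the `loginHandler` below as the intentionally vulnerable sample, say that explicitly so a future reader does not take it as an open instruction.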
Expand All @@ -51,6 +54,53 @@ exports.loginHandler = function (req, res, next) {
}
};


if (validator.isEmail(req.body.username)) {
User.find({ username: req.body.username, password: req.body.password }, function (err, users) {
if (users.length > 0) {
const redirectPage = req.body.redirectPage
const session = req.session
const username = req.body.username
return adminLoginSuccess(redirectPage, session, username, res)
} else {
return res.status(401).send()
}
});
} else {
return res.status(401).send()
};

// Fixed code: validator.escape() is used to sanitize the input parameters (username and password) before using them in the database query.
/*
exports.loginHandler = function (req, res, next) {
// Validate if the username is in email format
if (validator.isEmail(req.body.username)) {
// Sanitize the username and password inputs
const username = validator.escape(req.body.username);
const password = validator.escape(req.body.password);

// Find the user with the provided username and password
User.find({ username: username, password: password }, function (err, users) {
if (err) {
// Handle error
return res.status(500).send("Internal Server Error");
}
// Check if users array is not empty
if (users.length > 0) {
const redirectPage = req.body.redirectPage;
const session = req.session;
const username = username;
return adminLoginSuccess(redirectPage, session, username, res);
} else {
return res.status(401).send("Unauthorized");
}
});
} else {
return res.status(401).send("Unauthorized");
}
};
*/

function adminLoginSuccess(redirectPage, session, username, res) {
session.loggedIn = 1

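Review bot: the block starting `if (validator.isEmail(req.body.username)) {` right after the closing `};` of `loginHandler` is a second copy of the handler body pasted at module top level, where `req`, `res` and `next` do not exist; loading `routes/index.js` will throw `ReferenceError: req is not defined`, so the app will not start. Delete the duplicate, including the stray `};` after its `else` block. The commented-out "fixed code" should not be merged as guidance either: `const username = username;` inside the callback redeclares `username` in the inner block and reads it before initialisation, which throws a ReferenceError at run time, and `validator.escape()` HTML-escapes its input, which is the wrong tool for a database query and would also alter any password containing `&`, `<`, `>`, `'` or `"`. The problem visible in both versions is that `req.body.username` and `req.body.password` go into `User.find` unchanged and are matched against stored plaintext passwords: reject non-string values (`typeof req.body.password !== 'string'`), look the user up by username only, and compare the submitted password against a stored hash with bcrypt or argon2.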
Expand Down Expand Up @@ -187,6 +237,8 @@ exports.create = function (req, res, next) {
});
};

// Insert new vulnerable code:

exports.destroy = function (req, res, next) {
Todo.findById(req.params.id, function (err, todo) {

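Review bot: the second `// Insert new vulnerable code:` marker, placed above `exports.destroy`, also has no code under it; as with the first one, remove it or turn it into a comment that says what the reader should expect.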
Expand Down Expand Up @@ -228,6 +280,7 @@ exports.update = function (req, res, next) {
});
};


// ** express turns the cookie key to lowercase **
exports.current_user = function (req, res, next) {

Expand Down
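Review bot: the only change in this hunk is an added blank line above `// ** express turns the cookie key to lowercase **`; whitespace-only edits add review noise and should be dropped from the PR.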