From 4218a7de38cf1de5cc6005725a8f1785512798f4 Mon Sep 17 00:00:00 2001
From: Anton Drukh
Date: Wed, 3 Oct 2018 11:46:48 +0300
Subject: [PATCH 1/3] feat: add a demo server that triggers a vuln method
---
 demo/index.js | 20 ++++++++++++
 demo/static/hello.txt | 6 ++++
 package-lock.json | 71 +++++++++++++++++++++++++++++++++++++++----
 package.json | 4 ++-
 4 files changed, 94 insertions(+), 7 deletions(-)
 create mode 100644 demo/index.js
 create mode 100644 demo/static/hello.txt
diff --git a/demo/index.js b/demo/index.js
new file mode 100644
index 0000000..a4241ca
--- /dev/null
+++ b/demo/index.js
@@ -0,0 +1,20 @@
+// load the agent from the local project and start it
+require('../lib')({
+ url: 'http://localhost:8000/api/v1/beacon',
+ projectId: 12345,
+ debug: true,
+});
+
+// create a server with a known vulnerability
+const http = require('http');
+const st = require('st');
+const PORT = process.env.PORT || 3000;
+
+
+http.createServer(
+ st({
+ path: __dirname + '/static',
+ url: '/',
+ cors: true
+ })
+).listen(PORT, () => console.log(`Demo server started, hit http://localhost:${PORT}/hello.txt to try it`));
diff --git a/demo/static/hello.txt b/demo/static/hello.txt
new file mode 100644
index 0000000..6fdcf4d
--- /dev/null
+++ b/demo/static/hello.txt
@@ -0,0 +1,6 @@
+Hello there!
+
+You've just triggered a vulnerable method in `st`, congratulations!
+
+This event is being recorded and will be sent to the homebase service shortly.
+Refresh this page to trigger the event once again.
diff --git a/package-lock.json b/package-lock.json
index 67afc04..e8e4048 100644
--- a/package-lock.json
+++ b/package-lock.json
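Review bot: The server in the last line of the demo/index.js hunk, `).listen(PORT, () => ...)`, passes no host, so the deliberately vulnerable `st` instance (configured with `cors: true`) is reachable on every interface of whichever machine runs `npm start`; binding it to loopback keeps the demo local, `).listen(PORT, '127.0.0.1', () => console.log(...))` with the callback unchanged. The `projectId` and beacon `url` are account-specific values committed to the repo (patch 3 only swaps the number for a UUID literal); reading them from the environment, e.g. `projectId: process.env.PROJECT_ID` under a name of your choosing, keeps the demo reusable without edits. `__dirname + '/static'` would be more portable as `path.join(__dirname, 'static')`. The header comment should also state the intent, e.g. `// Intentionally wires in a vulnerable st release so the agent has a vulnerable-method call to report; never deploy this file.`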
@@ -130,6 +130,23 @@ "integrity": "sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=", "dev": true }, + "async-cache": { + "version": "0.1.5", + "resolved": "https://registry.npmjs.org/async-cache/-/async-cache-0.1.5.tgz", + "integrity": "sha1-t805bSlaqMUoKbvjDsM7YkJgBto=", + "dev": true, + "requires": { + "lru-cache": "~2.3" + }, + "dependencies": { + "lru-cache": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-2.3.1.tgz", + "integrity": "sha1-s632s9hW6VTiw5DmzvIggSRaU9Y=", + "dev": true + } + } + }, "asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", @@ -739,6 +756,12 @@ "integrity": "sha1-PYpcZog6FqMMqGQ+hR8Zuqd5eRc=", "dev": true }, + "fd": { + "version": "0.0.3", + "resolved": "https://registry.npmjs.org/fd/-/fd-0.0.3.tgz", + "integrity": "sha512-iAHrIslQb3U68OcMSP0kkNWabp7sSN6d2TBSb2JO3gcLJVDd4owr/hKM4SFJovFOUeeXeItjYgouEDTMWiVAnA==", + "dev": true + }, "figures": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/figures/-/figures-2.0.0.tgz", @@ -4123,12 +4146,6 @@ "integrity": "sha1-wNWmOycYgArY4esPpSachN1BhF4=", "dev": true }, - "qs": { - "version": "6.5.2", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.2.tgz", - "integrity": "sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==", - "dev": true - }, "readable-stream": { "version": "2.3.6", "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.6.tgz", @@ -4186,6 +4203,14 @@ "tough-cookie": "~2.4.3", "tunnel-agent": "^0.6.0", "uuid": "^3.3.2" + }, + "dependencies": { + "qs": { + "version": "6.5.2", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.2.tgz", + "integrity": "sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==", + "dev": true + } } }, "require-uncached": { 
@@ -4395,6 +4420,40 @@ "tweetnacl": "~0.14.0" } }, + "st": { + "version": "0.1.4", + "resolved": "https://registry.npmjs.org/st/-/st-0.1.4.tgz", + "integrity": "sha1-i+VSF/nDAOMe+LPFCVxg+1Gqmvc=", + "dev": true, + "requires": { + "async-cache": "~0.1.2", + "fd": "~0.0.2", + "graceful-fs": "~1.2", + "mime": "~1.2.7", + "negotiator": "~0.2.5" + }, + "dependencies": { + "graceful-fs": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-1.2.3.tgz", + "integrity": "sha1-FaSAaldUfLLS2/J/QuiajDRRs2Q=", + "dev": true, + "optional": true + }, + "mime": { + "version": "1.2.11", + "resolved": "https://registry.npmjs.org/mime/-/mime-1.2.11.tgz", + "integrity": "sha1-WCA+7Ybjpe8XrtK32evUfwpg3RA=", + "dev": true + }, + "negotiator": { + "version": "0.2.8", + "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.2.8.tgz", + "integrity": "sha1-rf0gejh1xNNwlXKcLnwoPFui7nI=", + "dev": true + } + } + }, "stack-utils": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/stack-utils/-/stack-utils-1.0.1.tgz", diff --git a/package.json b/package.json index 25399cb..4427929 100644 --- a/package.json +++ b/package.json @@ -6,11 +6,12 @@ "type": "git", "url": "https://github.com/snyk/nodejs-agent" }, - "main": "lib/index.js", + "main": "demo/index.js", "directories": { "test": "test" }, "scripts": { + "start": "node .", "test": "npm run lint && tap ./test/*.test.js -R spec", "lint": "eslint -c .eslintrc lib" }, @@ -18,6 +19,7 @@ "license": "private", "devDependencies": { "eslint": "^4.19.1", + "st": "^0.1.0", "tap": "^12.0.1", "sinon": "^6.1.5" }, From ed33ff2a4690c5c8b5acbff60e9e287d57c1fcd6 Mon Sep 17 00:00:00 2001 From: Anton Drukh Date: Wed, 3 Oct 2018 11:57:40 +0300 Subject: [PATCH 2/3] docs: basic readme --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index ce1aca7..9782ace 100644 --- a/README.md +++ b/README.md 
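Review bot: Changing `"main"` to `demo/index.js` in the first package.json hunk makes `require('@snyk/nodejs-agent')` load the demo server instead of the agent library: a consumer following the README's `require('@snyk/nodejs-agent')({...})` would start an HTTP server built on a vulnerable `st` release, or more likely fail at `require('st')` because `st` is only a devDependency and is absent from production installs. Keep `"main": "lib/index.js"` and point the script at the demo directly, `"start": "node demo"`. Since package.json cannot carry a comment, the reason for the old `st` range `^0.1.0` in the second hunk should be recorded next to the `require('st')` in demo/index.js or in the README's Demo section.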
@@ -1 +1,14 @@
 # Snyk Nodejs Runtime Agent
+
+Use this package as a library in your application to monitor your dependencies and learn how the dependencies' vulnerable methods are being invoked in your deployments.
+
+# Howto
+```js
+require('@snyk/nodejs-agent')({
+ url: 'https://homebase.snyk.io/api/v1/beacon',
+ projectId: `your project ID from snyk.io`,
+});
+```
+
+# Demo
+`npm start` to bring up an http server that invokes a vulnerable method on every request.
From b2cde568e8cc350854d9974ba4432eaf6e1808fe Mon Sep 17 00:00:00 2001
From: Anton Drukh
Date: Wed, 3 Oct 2018 12:26:04 +0300
Subject: [PATCH 3/3] fix: use a uuid
---
 demo/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/demo/index.js b/demo/index.js
index a4241ca..ec623f0 100644
--- a/demo/index.js
+++ b/demo/index.js
@@ -1,7 +1,7 @@
 // load the agent from the local project and start it
 require('../lib')({
 url: 'http://localhost:8000/api/v1/beacon',
- projectId: 12345,
+ projectId: 'A3B8ADA9-B726-41E9-BC6B-5169F7F89A0C',
 debug: true,
 });