New vulns #2 #12
New vulns #2 #12
Conversation
cm ignored accept
Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md
![orca-security-us[bot]](https://avatars.githubusercontent.com/in/276250?s=60&v=4){kind=small}
There was a problem hiding this comment.
Orca Security Scan Summary
| Status | Check | Issues by priority | |
|---|---|---|---|
 Passed |
Infrastructure as Code |  0  1  3  1 |
View in Orca |
 Failed |
Secrets | 1 0 1 0 |
View in Orca |
| Passed |
Vulnerabilities | 0 0 0 0 |
View in Orca |
🛡️ The following IaC misconfigurations have been detected
| NAME | FILE | ||
|---|---|---|---|
|
Missing User Instruction | ...est/smoke/Dockerfile | View in code |
|
Healthcheck Instruction Missing | ...est/smoke/Dockerfile | View in code |
|
Image Version Not Explicit | ...est/smoke/Dockerfile | View in code |
|
Unpinned Package Version in Apk Add | ...est/smoke/Dockerfile | View in code |
|
Apk Add Using Local Cache Path | ...est/smoke/Dockerfile | View in code |
🔑 The following Secrets have been detected in your pull request across all commits
| NAME | FILE | LINE NUM | COMMIT | ||
|---|---|---|---|---|---|
|
Private Key | lib/insecurity.ts | 23 | 95169dc | View in code |
|
Generic High Entropy Secret | ...ata/static/users.yml | 150 | 95169dc | View in code |
📜 PR Summary 📜
|
✨ gitStream Review ✨README.md
data/static/users.yml
lib/insecurity.ts
package.json
routes/likeProductReviews.ts
routes/updateProductReviews.ts
test/smoke/Dockerfile
General Best Practices and Style Guide
Suggested Improvements
In conclusion, hardcoded sensitive data within the source code is a significant security risk, and additional attention should be given to ensuring all user input is sanitized to protect against injection attacks. Regular dependency checks for vulnerabilities should also be part of the development process. |
![jit-ci[bot]](https://avatars.githubusercontent.com/in/142441?s=60&v=4){kind=small}
There was a problem hiding this comment.
❌ Jit has detected 10 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.
Repository Risks:
- Database Integration: Connects to a database, often involving sensitive data that must be securely managed.
Repository Context:
graph LR
GitHub$Repository#linear-b/juice-shop["GitHub Repository<br/>linear-b/juice-shop"]:::GitHub$Repository
DBIntegration#redis["DBIntegration<br/>redis"]:::DBIntegration
GitHub$Repository#linear-b/juice-shop -- "Repository uses database" --> DBIntegration#redis
package.json
Outdated
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Verification Bypass In Jsonwebtoken
Description: express-jwt>jsonwebtoken
Severity: CRITICAL
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
Update each outdated library in your code.
Note: Once you apply these changes, you'll need to regenerate the package-lock.json file on your end.
Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.
| "express-jwt": "0.1.3", | |
| "express-jwt": "8.4.1", |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Verification Bypass in jsonwebtoken" in package.json; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
package.json
Outdated
| @@ -119,17 +119,20 @@ | |||
| "cookie-parser": "^1.4.5", | |||
| "cors": "^2.8.5", | |||
| "dottie": "^2.0.2", | |||
| "download": "^8.0.0", | |||
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Got Allows A Redirect To A Unix Socket
Description: download>got
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Got allows a redirect to a UNIX socket" in package.json; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
package.json
Outdated
| @@ -119,17 +119,20 @@ | |||
| "cookie-parser": "^1.4.5", | |||
| "cors": "^2.8.5", | |||
| "dottie": "^2.0.2", | |||
| "download": "^8.0.0", | |||
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service
Description: Paths from library to vulnerable dependencies:
- download>got>cacheable-request>http-cache-semantics
- sqlite3>node-gyp>make-fetch-happen>http-cache-semantics
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "http-cache-semantics vulnerable to Regular Expression Denial of Service" in package.json; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
package.json
Outdated
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Forgeable Public/Private Tokens In Jws
Description: express-jwt>jsonwebtoken>jws
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
Update each outdated library in your code.
Note: Once you apply these changes, you'll need to regenerate the package-lock.json file on your end.
Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.
| "express-jwt": "0.1.3", | |
| "express-jwt": "8.4.1", |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Forgeable Public/Private Tokens in jws" in package.json; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
package.json
Outdated
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Moment
Description: Paths from library to vulnerable dependencies:
- express-jwt>jsonwebtoken>moment
- file-stream-rotator>moment
- filesniffer>filehound>moment
- finale-rest>moment
- sequelize>moment-timezone>moment
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
Update each outdated library in your code.
Note: Once you apply these changes, you'll need to regenerate the package-lock.json file on your end.
Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.
| "express-jwt": "0.1.3", | |
| "express-jwt": "8.4.1", |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Regular Expression Denial of Service in moment" in package.json; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
package.json
Outdated
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Authorization Bypass In Express-Jwt
Description: express-jwt
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
Update each outdated library in your code.
Note: Once you apply these changes, you'll need to regenerate the package-lock.json file on your end.
Ensure to thoroughly test your application after updating each library, to make sure that the update hasn't broken anything.
If an update does cause issues, consider whether you can modify your code to work with the updated library, or if necessary, look for an alternative library that is maintained and up to date.
| "express-jwt": "0.1.3", | |
| "express-jwt": "8.4.1", |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Authorization bypass in express-jwt" in package.json; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
lib/insecurity.ts
Outdated
| @@ -20,6 +20,7 @@ | |||
| import * as z85 from 'z85' | |||
|
|
|||
| export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key' | |||
| const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----' | |||
There was a problem hiding this comment.
Security control: Secret Detection
Type: Private-Key
Description: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "private-key" in lib/insecurity.ts; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
routes/likeProductReviews.ts
Outdated
| @@ -15,7 +15,7 @@ | |||
| return (req: Request, res: Response, next: NextFunction) => { | |||
| const id = req.body.id | |||
| const user = security.authenticatedUsers.from(req) | |||
| db.reviews.findOne({ _id: "a" }).then((review: Review) => { | |||
| db.reviews.findOne({ _id: id }).then((review: Review) => { | |||
There was a problem hiding this comment.
Security control: Static Code Analysis Js
Type: Codsec.Javascriptnosql-Injection.Nosql-Injection
Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "codsec.javascriptnosql-injection.nosql-injection" in routes/likeProductReviews.ts; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
routes/updateProductReviews.ts
Outdated
| { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge | ||
| { $set: { message: req.body.message } }, | ||
| { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge | ||
| ).then( |
There was a problem hiding this comment.
Security control: Static Code Analysis Js
Type: Codsec.Javascriptnosql-Injection.Nosql-Injection
Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "codsec.javascriptnosql-injection.nosql-injection" in routes/updateProductReviews.ts; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
test/smoke/Dockerfile
Outdated
| @@ -1,3 +1,4 @@ | |||
| FROM alpine | |||
There was a problem hiding this comment.
Security control: Docker Scan
Type: Image User Should Not Be 'Root'
Description: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
- First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this:
docker run <image> whoami. If it returnsroot, then you should consider using a non-root user, by following one of the next steps:- If a non-root user already exists in your container, consider using it.
- If not, you can create a new user by adding a
USERcommand to the Dockerfile, with a non-root user as argument, for example:USER <non-root-user-name>.
| FROM alpine | |
| FROM alpine | |
| RUN addgroup --system <group> | |
| RUN adduser --system <user> --ingroup <group> | |
| USER <user>:<group> | |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_ignore_type_in_fileIgnore any finding of type "Image user should not be 'root'" in test/smoke/Dockerfile; future occurrences will also be ignored.#jit_undo_ignoreUndo ignore command
PavelLinearB
force-pushed
the
master
branch
from
95de275
to
39b4686
Compare
Description
A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.
Resolved or fixed issue:
Affirmation