Update users.yml

.cm/jit-and-sonar.cm

@@ -0,0 +1,106 @@
+# -*- mode: yaml -*-
+
+manifest:
+  version: 1.0
+
+config:
+  admin:
+    users: ['EladKohavi']
+
+automations:
+  mark_bugs:
+    if:
+      - {{ sonar.bugs.count > 0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.bugs.count }} Bugs 🐞'
+          color: {{ colors.bugs }}
+  mark_code_smell:
+    if:
+      - {{ sonar.code_smells.count > 0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.code_smells.count }} Code Smells 💩'
+          color: {{ colors.code_smells }}
+  mark_security_hotspots:
+    if:
+      - {{ sonar.security_hotspots.count > 0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.security_hotspots.count }} Security hotspots 🌶️'
+          color: {{ colors.security_hotspots }}
+      - action: add-reviewers@v1
+        args:
+          reviewers: [Dudu-linb]
+  mark_outstanding_pr:
+    if:
+      - {{ sonar.bugs.count == 0 }}
+      - {{ sonar.code_smells.count == 0 }}
+      - {{ sonar.vulnerabilities.count == 0 }}
+      - {{ sonar.security_hotspots.count == 0 }}
+      - {{ sonar.duplications == null or sonar.duplications == 0.0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '✅ Sonar: Clean Code'
+          color: '0e8a16'
+  high_duplications:
+    if:
+      - {{ sonar.duplications > 40 }}
+    run:
+      - action: request-changes@v1
+        args:
+          comment: |
+            High percentage of duplications in code. Please fix!
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.duplications }} Duplications 👯'
+          color: {{ colors.duplications }}
+  mark_vulnerabilities:
+    if:
+      - {{ sonar.vulnerabilities.count > 0 }}
+    run: 
+      - action: add-label@v1
+        args:
+          label: '{{ sonar.vulnerabilities.count }} Vulnerabilities 🛡️'
+          color: {{ colors.vulnerabilities }}
+  jit_vulns:
+    if:
+      - {{ jit.metrics.HIGH > 0}}
+    run:
+      - action: add-label@v1
+        args:
+          label: '🛡️ x {{ jit.metrics.HIGH }} High vulnerabilities'
+      - action: add-reviewers@v1
+        args:
+          reviewers: [Dudu-linb]
+
+  jit_secretss:
+    if:
+      - {{ jit.vulnerabilities | match(attr='security_control', term='Secret Detection') | some }}
+    run:
+      - action: add-label@v1
+        args:
+          label: "🤫 PR with secrets"
+
+  jit_ignores:
+    if:
+      - {{ pr.conversations | filter(attr='commenter', term='jit-ci') | map(attr='content') | match(term='#jit_ignore_accept') | some }}
+    run:
+      - action: add-label@v1
+        args:
+          label: '🙈 jit_ignore_accept'
+
+
+
+sonar: {{ pr | extractSonarFindings }}
+jit: {{ pr | extractJitFindings }}
+colors:
+  code_smells: 'D2B48C'
+  bugs: 'FAA0A0'
+  vulnerabilities: 'F3E5AB'
+  security_hotspots: 'F89880'
+  duplications: 'D7BDE2'

lib/insecurity.ts

@@ -20,7 +20,6 @@ import * as utils from './utils'
 import * as z85 from 'z85'
 
 export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key'
-const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----'
 
 interface ResponseWithUser {
   status: string

package.json

@@ -119,20 +119,17 @@
     "cookie-parser": "^1.4.5",
     "cors": "^2.8.5",
     "dottie": "^2.0.2",
-    "download": "^8.0.0",
     "errorhandler": "^1.5.1",
     "exif": "^0.6.0",
     "express": "^4.17.1",
     "express-ipfilter": "^1.2.0",
-    "express-jwt": "0.1.3",
     "express-rate-limit": "^5.3.0",
     "express-robots-txt": "^0.4.1",
     "express-security.txt": "^2.0.0",
     "feature-policy": "^0.5.0",
     "file-stream-rotator": "^0.5.7",
     "file-type": "^16.1.0",
     "filesniffer": "^1.0.3",
-    "finale-rest": "^1.1.1",
     "fs-extra": "^9.0.1",
     "fuzzball": "^1.3.0",
     "glob": "^7.1.6",
@@ -146,7 +143,6 @@
     "html-entities": "^1.3.1",
     "i18n": "^0.11.1",
     "js-yaml": "^3.14.0",
-    "jsonwebtoken": "0.4.0",
     "jssha": "^3.1.1",
     "juicy-chat-bot": "~0.7.1",
     "libxmljs2": "^0.32.0",

routes/likeProductReviews.ts

@@ -15,7 +15,7 @@ module.exports = function productReviews () {
   return (req: Request, res: Response, next: NextFunction) => {
     const id = req.body.id
     const user = security.authenticatedUsers.from(req)
-    db.reviews.findOne({ _id: id }).then((review: Review) => {
+    db.reviews.findOne({ _id: "a" }).then((review: Review) => {
       if (!review) {
         res.status(404).json({ error: 'Not found' })
       } else {

routes/updateProductReviews.ts

@@ -13,19 +13,6 @@ const security = require('../lib/insecurity')
 // vuln-code-snippet start noSqlReviewsChallenge forgedReviewChallenge
 module.exports = function productReviews () {
   return (req: Request, res: Response, next: NextFunction) => {
-    const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge
-    db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge
-      { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
-      { $set: { message: req.body.message } },
-      { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge
-    ).then(
-      (result: { modified: number, original: Array<{ author: any }> }) => {
-        challengeUtils.solveIf(challenges.noSqlReviewsChallenge, () => { return result.modified > 1 }) // vuln-code-snippet hide-line
-        challengeUtils.solveIf(challenges.forgedReviewChallenge, () => { return user?.data && result.original[0] && result.original[0].author !== user.data.email && result.modified === 1 }) // vuln-code-snippet hide-line
-        res.json(result)
-      }, (err: unknown) => {
-        res.status(500).json(err)
-      })
   }
 }
 // vuln-code-snippet end noSqlReviewsChallenge forgedReviewChallenge

test/smoke/Dockerfile

@@ -1,4 +1,3 @@
-FROM alpine
 
 RUN apk add curl