Feat/sonar demo #112

pstember · 2024-07-19T13:04:09Z

Creating issue for failing quality gate

This reverts commit a349cd0.

* feat: add prototype pollution exploit in typeorm * fix: container and db setup

Sarif/checking scanning flow

sarif: testing scanning flow with sarif file

Create snyk-test-sarif.yml

sarif: testing of workflows

sarif: test on merge

Update sarif.json

…nyk-labs#1295)

github-advanced-security

SnykCode found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

sonarqubecloud · 2024-07-19T13:04:34Z

Quality Gate failed

Failed conditions
8 Security Hotspots
E Security Rating on New Code (required ≥ A)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

routes/index.js

+  console.log(`User logged in: ${username}`)
+
+  if (redirectPage) {
+      return res.redirect(redirectPage)


app.js

+app.use(session({
+  secret: 'keyboard cat',
+  name: 'connect.sid',
+  cookie: { path: '/' }
+}))


app.js

 cons.dust.helpers = dustHelpers;
 app.set('views', path.join(__dirname, 'views'));
 app.set('view engine', 'ejs');
 app.use(logger('dev'));
 app.use(methodOverride());
-app.use(cookieParser());
+app.use(session({
+  secret: 'keyboard cat',


routes/indexBadCode.js

+  // You know password for the user.
+  {name: 'user', password: 'pwd'},
+  // You don't know password for the admin.
+  {name: 'admin', password: Math.random().toString(32), canDelete: true},


routes/index.js

  // You don't know password for the admin.
-  {name: 'admin', password: Math.random().toString(32), canDelete: true},
+  { name: 'admin', password: Math.random().toString(32), canDelete: true },


routes/index.js

+  console.log(`User logged in: ${username}`)
+
+  if (redirectPage) {
+      return res.redirect(redirectPage)


views/admin.ejs

@@ -14,6 +14,7 @@
      <center>password</center>
      <input class="input" type="password" name="password" />
      <center>
+      <input type="hidden" name="redirectPage" value="<%- redirectPage %>" />


routes/index.js

+    profile.lastname = validator.rtrim(profile.lastname)
+
+    // render the view
+    return res.render('account.hbs', profile)


routes/index.js

        subhead: 'Vulnerabilities at their best',
        todos: todos,
      });
    });
 };

+exports.loginHandler = function (req, res, next) {
+  if (validator.isEmail(req.body.username)) {
+    User.find({ username: req.body.username, password: req.body.password }, function (err, users) {


app.js

-app.get('/admin', routes.admin);
-app.post('/admin', routes.admin);
+app.get('/login', routes.login);
+app.post('/login', routes.loginHandler);


routes/index.js

@@ -79,7 +154,7 @@

  var item = req.body.content;
  var imgRegex = /\!\[alt text\]\((http.*)\s\".*/;
-  if (typeof(item) == 'string' && item.match(imgRegex)) {
+  if (typeof (item) == 'string' && item.match(imgRegex)) {


erichusband and others added 30 commits November 28, 2019 14:46

first commit

26547f0

Remove node runtime agent to fix Dockerfile (snyk-labs#707)

c67b1ba

docs: add apache 2 license

30facfd

chore(project): add license key in manifest file

b897ba4

chore(project): correct license key name

aab037b

chore(heroku): support heroku mongodb url (snyk-labs#720)

9dabba3

chore(heroku): add instructions for deployment

c20267a

policy

a349cd0

Revert "policy"

0bd4d3c

This reverts commit a349cd0.

feat: add prototype pollution exploit in typeorm (snyk-labs#784)

be9a290

* feat: add prototype pollution exploit in typeorm * fix: container and db setup

chore: engines specification in package.json is outdated (snyk-labs#797)

4ff67c0

chore: codeowners -> devrel

9300e9a

docs: mongoose disclaimer about the specific Node.js version required

a2ec84d

fix: use an up-to-date version of the Node.js base image

5a4f50e

chore: ignore ide files

c9d461e

feat: add open redirect and xss vulns in code (snyk-labs#960)

6fa7510

feat: add code injection via template (snyk-labs#961)

01c7957

feat: add cookie session for logged in state (snyk-labs#962)

79d4be7

fix: package lockfile update

9205051

fix: only logged in users can save account details

744ecb2

fix: use correct controller function name for route

30b3c78

feat: add nodemon to reload changes easily

a6a04d7

feat: add a false positive case

4c2d076

feat: ignore just a single line from snyk code

f0012a5

fix: update README for NoSQL injection vector

f5d685f

fix: updated exploit payload for code injections

07fd4b3

Update README.md

0e11662

sarif: testing scanning flow with sarif file

6386cc1

Merge pull request #9 from ArturSnyk/sarif/checking_scanning_flow

94c93d7

Sarif/checking scanning flow

sarif: testing scanning flow with sarif file

3837e22

ArturSnyk and others added 26 commits July 18, 2021 20:25

Create snyk-test-sarif.yml

c0ad7b4

Create codeql-analysis.yml

12407f6

Merge pull request #10 from ArturSnyk/sarif/testing1

3f38d63

sarif: testing scanning flow with sarif file

Merge pull request #12 from ArturSnyk/testing1

64fa1b0

Create snyk-test-sarif.yml

sarif: testing of workflows

a5545dc

mend

8f5a5cc

mend

e2f1828

mend

015a7e9

Merge pull request #13 from ArturSnyk/sarif/testing-diff-flows

b3ddff5

sarif: testing of workflows

sarif: test on merge

d729023

Merge pull request #14 from ArturSnyk/sarif/test-on-merge

02af3cf

sarif: test on merge

Update sarif.json

11a22e2

Merge pull request #17 from ArturSnyk/ArturSnyk-sarif-fix

0645e45

Update sarif.json

Merge branch 'master' into master

0336589

Update README.md (snyk-labs#1236)

a2d0d99

fix: M1 compatibility for mysql (snyk-labs#1169)

b322174

Update README.md

f985f27

Refactor CSS with Flexbox

0b2d0b4

chore: manifest file sync

1829b4c

fix: support for Node.js 17 and 18's openssl3 updates

83e5cb5

fix: force mongodb version compat with the project (snyk-labs#1294)

146d69a

docs: update README for MongoDB server version compat (snyk-labs#1293)

b00e701

fix: use the latest LTS so we can pass some new command line options (s…

a393a6c

…nyk-labs#1295)

Update deprecated checkout and upload-sarif actions (snyk-labs#1318)

d240896

added duplicate code for sonar test

91cfc5d

Merge branch 'main' into feat/sonar-demo

bf42248

github-advanced-security bot found potential problems Jul 19, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Feat/sonar demo #112

Feat/sonar demo #112

pstember commented Jul 19, 2024

github-advanced-security bot left a comment

sonarqubecloud bot commented Jul 19, 2024

Feat/sonar demo #112

Are you sure you want to change the base?

Feat/sonar demo #112

Conversation

pstember commented Jul 19, 2024

github-advanced-security bot left a comment

Choose a reason for hiding this comment

sonarqubecloud bot commented Jul 19, 2024

Quality Gate failed