From 9afc57ea5e5790d5c054c1ede427c327112deeff Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Thu, 10 Mar 2022 08:40:57 -0800 Subject: [PATCH 01/13] adding ShiftLeft GitHub action --- .github/workflows/shiftleft.yml | 52 +++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 00000000..8c922a1d --- /dev/null +++ b/.github/workflows/shiftleft.yml 
@@ -0,0 +1,52 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app shiftleft-js-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --js --cpg . + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + Build-Rules: + runs-on: ubuntu-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-js-demo \ + --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + \ No newline at end of file From 04fb1cfdbe77053b925d4534d3545888e46a076d Mon Sep 17 00:00:00 2001 
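Review bot: The Build-Rules job's `--branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}"` refers to a step id that only exists in the NextGen-Static-Analysis job, so on a `workflow_dispatch` run (where `github.head_ref` is empty) the branch argument resolves to an empty string; copy the "Extract branch name" step into Build-Rules or pass the value through a job output. The `curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl` lines in both jobs run without `-f`, so an HTTP error body would be written to `sl` and made executable, and nothing checks what was downloaded; `curl -fsSL` plus a digest check (if the vendor publishes one) before `chmod` would make the step fail closed. `actions/checkout@v2` and `actions/setup-java@v1.4.3` are referenced by mutable tags; pinning to full commit SHAs keeps the workflow reproducible.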
From: ShiftLeft Date: Thu, 10 Mar 2022 08:40:57 -0800 Subject: [PATCH 02/13] adding ShiftLeft build rules --- shiftleft.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 shiftleft.yml diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 00000000..220d4baf --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,12 @@ +build_rules: + - id: allow-zero-findings + finding_types: + - vuln + - secret + - insight + - "*" + severity: + - SEVERITY_MEDIUM_IMPACT + - SEVERITY_HIGH_IMPACT + - SEVERITY_LOW_IMPACT + threshold: 0 \ No newline at end of file From ef642fb5653d97c7e7513529161c312bcfda1443 Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Thu, 10 Mar 2022 13:02:32 -0500 Subject: [PATCH 03/13] Create main.yml --- .github/workflows/main.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 00000000..f937a06b --- /dev/null +++ b/.github/workflows/main.yml 
@@ -0,0 +1,36 @@ +# This is a basic workflow to help you get started with Actions + +name: CI + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the master branch + push: + branches: [ master ] + pull_request: + branches: [ master ] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v2 + + # Runs a single command using the runners shell + - name: Run a one-line script + run: echo Hello, world! + + # Runs a set of commands using the runners shell + - name: Run a multi-line script + run: | + echo Add other actions to build, + echo test, and deploy your project. From dd124356f04dbc3d2da82f95d00646721f8e047b Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Thu, 10 Mar 2022 13:06:18 -0500 Subject: [PATCH 04/13] Update README.md added to comment line. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index eb6324fa..504adab7 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# NodeJS Tarpit +# NodeJS Tarpit - Chuck An ExpressJS (tarpit) application using mongoDB. From c65654b0b8ad765d8e27a316d8625cf9b21a0235 Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Thu, 24 Mar 2022 08:08:24 -0400 Subject: [PATCH 05/13] Delete main.yml --- .github/workflows/main.yml | 36 ------------------------------------ 1 file changed, 36 deletions(-) delete mode 100644 .github/workflows/main.yml 
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml deleted file mode 100644 index f937a06b..00000000 --- a/.github/workflows/main.yml +++ /dev/null @@ -1,36 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: CI - -# Controls when the workflow will run -on: - # Triggers the workflow on push or pull request events but only for the master branch - push: - branches: [ master ] - pull_request: - branches: [ master ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 - - # Runs a single command using the runners shell - - name: Run a one-line script - run: echo Hello, world! - - # Runs a set of commands using the runners shell - - name: Run a multi-line script - run: | - echo Add other actions to build, - echo test, and deploy your project. From d100d3df95b4c4f701cdd4a320cc20d53a174486 Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Thu, 24 Mar 2022 09:09:55 -0400 Subject: [PATCH 06/13] Update shiftleft.yml --- shiftleft.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/shiftleft.yml b/shiftleft.yml index 220d4baf..56276ac4 100644 --- a/shiftleft.yml +++ b/shiftleft.yml @@ -6,7 +6,7 @@ build_rules: - insight - "*" severity: - - SEVERITY_MEDIUM_IMPACT - SEVERITY_HIGH_IMPACT - - SEVERITY_LOW_IMPACT - threshold: 0 \ No newline at end of file +# - SEVERITY_MEDIUM_IMPACT +# - SEVERITY_LOW_IMPACT +# threshold: 10 
From 7ff2891cbbb737a5de41e6b3310f07c5b7b5d5e7 Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Thu, 24 Mar 2022 09:14:21 -0400 Subject: [PATCH 07/13] Update shiftleft.yml --- shiftleft.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shiftleft.yml b/shiftleft.yml index 56276ac4..0600e987 100644 --- a/shiftleft.yml +++ b/shiftleft.yml @@ -9,4 +9,4 @@ build_rules: - SEVERITY_HIGH_IMPACT # - SEVERITY_MEDIUM_IMPACT # - SEVERITY_LOW_IMPACT -# threshold: 10 + threshold: 10 From cbc2a11ded3feac8e768cd7fe6c357270717a52b Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Thu, 24 Mar 2022 09:17:36 -0400 Subject: [PATCH 08/13] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 504adab7..1bba79f1 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# NodeJS Tarpit - Chuck +# NodeJS Tarpit - Chuck B. (edited) An ExpressJS (tarpit) application using mongoDB. From 7e3ec4692400825d6a29f12700565c642ea37e8c Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Fri, 25 Mar 2022 12:31:57 -0400 Subject: [PATCH 09/13] Update ImageLookup.js --- src/Controllers/ImageLookup.js | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/Controllers/ImageLookup.js b/src/Controllers/ImageLookup.js index 4542472b..e6340bea 100644 --- a/src/Controllers/ImageLookup.js +++ b/src/Controllers/ImageLookup.js 
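Review bot: Re-enabling `threshold: 10` while only `SEVERITY_HIGH_IMPACT` remains active means the rule now tolerates up to ten high-impact findings before failing the check, which is a large relaxation from the original `threshold: 0`. If that is intentional for this demo application, a comment next to the line saying so would help the next reader, e.g. `# demo app: known high findings are tolerated up to this count`; otherwise `threshold: 0` is the safer default. The medium and low severities stay commented out, so findings at those levels no longer count toward the rule at all.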
@@ -7,9 +7,16 @@ class ImageLookup { /* Can read any file in the server by passing the filename (image) in the query params */ /* ex: http GET http://localhost:8089/api/v1/image-lookup image=="package.json" */ const fileContent = fs.readFileSync(req.query.image).toString(); - logger.debug(fileContent); + string sanitizedString = sanitizeString(fileContent) + logger.debug(sanitizedString); +// logger.debug(fileContent); res.send(fileContent); } + + function sanitizeString(str){ + str = str.replace(/[^a-z0-9áéíóúñü \.,_-]/gim,""); + return str.trim(); +} } module.exports = ImageLookup; From b526616e395f887ca623997b3a94eb9ee2fe9374 Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Fri, 25 Mar 2022 13:43:27 -0400 Subject: [PATCH 10/13] Update ImageLookup.js --- src/Controllers/ImageLookup.js | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/src/Controllers/ImageLookup.js b/src/Controllers/ImageLookup.js index e6340bea..6bb6a12d 100644 --- a/src/Controllers/ImageLookup.js +++ b/src/Controllers/ImageLookup.js 
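Review bot: `string sanitizedString = sanitizeString(fileContent)` is not valid JavaScript — `string` is not a declaration keyword — and `function sanitizeString(str){…}` written with the `function` keyword inside the class body is a second syntax error, so this file will fail to parse after the change. Even with the syntax fixed, the sanitized text is only logged while `res.send(fileContent)` still returns the raw content, and the root issue already described in the comment above the hunk (`fs.readFileSync(req.query.image)` reads whatever path the client names) is untouched; a remediation should validate the requested name against an allow-list or resolve it under a fixed image directory before reading. Use `const sanitizedString = sanitizeString(fileContent);` and declare the helper as a class method `sanitizeString(str) { … }` or as a module-level function outside the class. The enclosing method starts outside the hunk, and the same invalid `string` declaration is carried into the commented-out "Remediated Code Block" in patches 10 and 12.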
@@ -7,9 +7,22 @@ class ImageLookup { /* Can read any file in the server by passing the filename (image) in the query params */ /* ex: http GET http://localhost:8089/api/v1/image-lookup image=="package.json" */ const fileContent = fs.readFileSync(req.query.image).toString(); - string sanitizedString = sanitizeString(fileContent) - logger.debug(sanitizedString); -// logger.debug(fileContent); + + // ************************************************** + // ************************************************** Vulnerable Code Block ***** + + logger.debug(fileContent); + + // ************************************************** + + // ************************************************** Remediated Code Block ***** + +// string sanitizedStr = sanitizeString(fileContent) +// fileContent = sanitizedStr; +// logger.debug(sanitizedStr); + + // ************************************************** + res.send(fileContent); } From 622e8bd3296ee1cf2e28532572c96e4fbb4a5040 Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Fri, 25 Mar 2022 13:54:19 -0400 Subject: [PATCH 11/13] Update ImageLookup.js --- src/Controllers/ImageLookup.js | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/Controllers/ImageLookup.js b/src/Controllers/ImageLookup.js index 6bb6a12d..f614f6a4 100644 --- a/src/Controllers/ImageLookup.js +++ b/src/Controllers/ImageLookup.js @@ -26,10 +26,11 @@ class ImageLookup { res.send(fileContent); } - function sanitizeString(str){ - str = str.replace(/[^a-z0-9áéíóúñü \.,_-]/gim,""); - return str.trim(); -} +// function sanitizeString(str){ +// str = str.replace(/[^a-z0-9áéíóúñü \.,_-]/gim,""); +// return str.trim(); +// } + } module.exports = ImageLookup; From da1f7de13f67cb816ad17734a48e8538cb10bb8c Mon Sep 17 00:00:00 2001 
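Review bot: The commented-out remediation block keeps `fileContent = sanitizedStr;`, but `fileContent` is declared with `const` on the context line above, so uncommenting this block as written would throw a TypeError at runtime rather than sanitize anything. If the two blocks are meant to be swapped by commenting, the remediated version should read `const sanitizedStr = sanitizeString(fileContent);` followed by `logger.debug(sanitizedStr);` and `res.send(sanitizedStr);`, leaving `fileContent` unreassigned. The enclosing method starts outside the hunk.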
From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Mon, 28 Mar 2022 08:57:32 -0400 Subject: [PATCH 12/13] Update ImageLookup.js --- src/Controllers/ImageLookup.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/Controllers/ImageLookup.js b/src/Controllers/ImageLookup.js index f614f6a4..0c31e005 100644 --- a/src/Controllers/ImageLookup.js +++ b/src/Controllers/ImageLookup.js @@ -12,6 +12,7 @@ class ImageLookup { // ************************************************** Vulnerable Code Block ***** logger.debug(fileContent); + res.send(fileContent); // ************************************************** @@ -20,16 +21,16 @@ class ImageLookup { // string sanitizedStr = sanitizeString(fileContent) // fileContent = sanitizedStr; // logger.debug(sanitizedStr); +// res.send(sanitizedStr); - // ************************************************** - - res.send(fileContent); } // function sanitizeString(str){ // str = str.replace(/[^a-z0-9áéíóúñü \.,_-]/gim,""); // return str.trim(); // } + + // ************************************************** } From 526229dc0f581a1ada89d0f74969fa8f2a81c30f Mon Sep 17 00:00:00 2001 From: shiftleft-chuck <100888182+shiftleft-chuck@users.noreply.github.com> Date: Mon, 28 Mar 2022 08:59:08 -0400 Subject: [PATCH 13/13] Update ImageLookup.js --- src/Controllers/ImageLookup.js | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/src/Controllers/ImageLookup.js b/src/Controllers/ImageLookup.js index 0c31e005..3b280849 100644 --- a/src/Controllers/ImageLookup.js +++ b/src/Controllers/ImageLookup.js 
@@ -8,15 +8,14 @@ class ImageLookup { /* ex: http GET http://localhost:8089/api/v1/image-lookup image=="package.json" */ const fileContent = fs.readFileSync(req.query.image).toString(); - // ************************************************** - // ************************************************** Vulnerable Code Block ***** +// ************************************************** +// ************************************************** Vulnerable Code Block ***** logger.debug(fileContent); res.send(fileContent); - // ************************************************** - // ************************************************** Remediated Code Block ***** +// ************************************************** Remediated Code Block ***** // string sanitizedStr = sanitizeString(fileContent) // fileContent = sanitizedStr; @@ -30,7 +29,7 @@ class ImageLookup { // return str.trim(); // } - // ************************************************** + }