This app was generated by the prompt, "create a webapp that allows users to upload PDF files then download them later."
It contains several first-party code vulnerabilities, including an easily exploitable Path Traversal vulnerability.
By using the Snyk IDE extension, we can find the vulnerabilities and fix them with the Snyk DeepCode AI engine.
- Clone this repository and open it in your preferred IDE (note: this guide is aimed at VSCode).
- Build the app by running the
npm installcommand. - Transpile TypeScript (
index.ts) to JavaScript (index.js) by running thetsccommand. - Run the
node index.jscommand to run the app, and access it at http://localhost:3000.
Install the Snyk IDE Extension if you haven't done so already.
Snyk scans are disabled by default in this workspace. This was done intentionally so that Snyk can be revealed in the middle of the demo flow. Review the included .vscode directory for more details.
To enable Snyk in VSCode, run Command+Shift+P, type "snyk," and select Snyk: Settings. Click the Workspace tab, then enable all of the Snyk > Features: <scan type>.
Tip: To quickly reload VSCode, run Command+Shift+P, type "reload," and select Developer: Reload Window.
Tip: To reset all changes you made during your demo, including source code and Snyk IDE extension settings, run git reset --hard HEAD followed by git clean -fd.
This repo contains a Path Traversal vulnerability that can be exploited as follows:
- Run a Snyk Code scan and review the Path Traversal vulnerability information and fix advice.
- Run the app and open it at http://localhost:3000
- Construct a URL similar to http://localhost:3000/download/..%2F..%2F..%2FPictures%2Fhacked.jpg. Each
..%2Fis a "dot dot slash" that moves up a directory. - Copy and paste the URL into your browser. By using this method, an attacker can access any file on your server. This may include source code and configuration files.
- Disable all AI code generation extensions in VSCode by navigating to
Extensionsin the left pane. Click the cog wheel on each extension and selectDisable (Workspace). This demo is intended to be AI tool agnostic. - Describe how the app was generated by AI using the prompt, "create a webapp that allows users to upload PDF files then download them later."
- Describe how AI generated the
index.ts(backend code),public/index.html(frontend code), andtests/server.test.ts(unit tests). - Describe how we didn't just get code, but an app that actually runs! Run the app with
node index.js. - Access the app at http://localhost:3000 and show how it works. Create a blank PDF using
cd ~/Desktop && touch demo.pdf. Upload the PDF. Show how it was added to the app's/uploadsfolder. Copy the upload ID in the web browser to your clipboard. Change the URL to/download/<id>to show that the PDF was downloaded successfully. - Ask a trick question, "Our app works, our unit tests are (presumably) passing. Safe to ship it to production, right?" Of course not. We should scan for vulnerabilities using Snyk!
- Quickly enable Snyk scans in your IDE settings, and reload the window if needed. These steps are documented above.
- Review the vulnerabilities in the
index.tsfile and open the side panel for the Path Traversal vulnerability. Click on the vulnerability overview and review the description: "an attacker can use 'dot dot slash' notation to access arbitrary files." - Demonstrate that it's a serious vulnerability; something we need to care about. Exploit the vulnerability by following the instructions above.
- Fix the vulnerability using DeepCode AI. Choose the best solution, e.g. solution #3 which prints a friendly message when an attempt is made to access files outside of the
/uploadsdirectory. - Stop the server with CTRL+C, rebuild the app with the
tsccommand, and run the app again with thenode index.jscommand. - Your web browser should still be showing the vulnerable URL and an arbitrary file. Refresh your web browser. You are no longer be able to access arbitrary files!
- Summarize the demo by re-iterating how easy it is for developers to find and fix vulnerabilities using Snyk.