
Vulnerabilities Dashboard - Code #1

Open
nalbion-nullify bot opened this issue Feb 22, 2024 · 1 comment

Comments


nalbion-nullify bot commented Feb 22, 2024

Severity Threshold: 🔵 MEDIUM

8 Potential vulnerability sources found within this repo

🔴 CRITICAL   🟡 HIGH   🔵 MEDIUM   ⚪ LOW
0             0         8           0

ID: 01HSKB01BXF448BZ22FXREJ490   Language: TypeScript   Severity: 🔵 MEDIUM   CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path
information comes from user-supplied input, it could be abused to read sensitive files,
access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, hash the user input or use a generated unique value as the filename, and
use path.normalize to resolve and validate the path information
prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

const path = require('path');
const crypto = require('crypto');

// User input, saved only as a reference
// id is a randomly generated UUID to be used as the filename
const userData = { userFilename: userSuppliedFilename, id: crypto.randomUUID() };
// Restrict all file processing to this directory only. The trailing slash matters
// for the prefix check below: '/app/restricted' would also match '/app/restricted-other'
const basePath = '/app/restricted/';

// Create the full path, but only use our randomly generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath; refuse to continue otherwise
if (!fullPath.startsWith(basePath)) {
    throw new Error('Invalid path specified!');
}
// Process / work with file
// ...

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

const path = fs.mkdirSync(baseDir, { recursive: true });

ID: 01HSKB01BXF448BZ22FY1CKCNJ   Language: TypeScript   Severity: 🔵 MEDIUM   CWE-185

Regex dos

Ensure that the regex used to compare with user-supplied input is safe from regular expression denial of service.

const contextValue = context[requirement.name];
if (requirement.condition) {
  if (requirement.condition === 'undefined') {
    return contextValue === undefined;
  }
  if (typeof requirement.condition === 'number') {
    return Array.isArray(contextValue) || typeof contextValue === 'string'
      ? contextValue.length >= requirement.condition
      : false;
  }
  if (Array.isArray(contextValue)) {
    return contextValue.includes(requirement.condition);
  }
  if (

ID: 01HSKB01BXF448BZ22FYF92Y9N   Language: TypeScript   Severity: 🔵 MEDIUM   CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to
supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS)
against the application. In Node applications, this could cause the entire application to
no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular
expression should be hardcoded. If this is not possible, consider using an alternative
regular expression engine such as node-re2. RE2 is a safe alternative that does not
support backtracking, which is what leads to ReDoS.

Example using re2, which does not support backtracking (Note: it is still recommended to
never use user-supplied input):

// Import the re2 module
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user-supplied regex; this is relatively safe
    // because RE2 does not support backtracking, which is what can be abused to
    // cause long-running matches
    const re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    const result = re.exec(userInput);
    // Return the match (or null) so the caller can work with it
    return result;
}

For more information on Regular Expression DoS see:

return new RegExp(requirement.condition).test(contextValue);

ID: 01HSKB01BXF448BZ22G1TMDBQB   Language: TypeScript   Severity: 🔵 MEDIUM   CWE-22

Javascript pathtraversal rule non literal fs filename

Description and remediation guidance are identical to the first CWE-22 finding above (01HSKB01BXF448BZ22FXREJ490).

if (fs.statSync(dirPath).isDirectory()) {

ID: 01HSKB01BXF448BZ22G3XQHAC8   Language: TypeScript   Severity: 🔵 MEDIUM   CWE-22

Javascript pathtraversal rule non literal fs filename

Description and remediation guidance are identical to the first CWE-22 finding above (01HSKB01BXF448BZ22FXREJ490).

const items = fs.readdirSync(dirPath);

ID: 01HSKB01BXF448BZ22G6N53TP9   Language: TypeScript   Severity: 🔵 MEDIUM   CWE-22

Javascript pathtraversal rule non literal fs filename

Description and remediation guidance are identical to the first CWE-22 finding above (01HSKB01BXF448BZ22FXREJ490).

if (fs.statSync(itemPath).isDirectory()) {

ID: 01HSKB01BXF448BZ22G8S1MEQ8   Language: TypeScript   Severity: 🔵 MEDIUM   CWE-22

Javascript pathtraversal rule non literal fs filename

Description and remediation guidance are identical to the first CWE-22 finding above (01HSKB01BXF448BZ22FXREJ490).

const files = await fs.readdir(path, { withFileTypes: true });

ID: 01HSKB01BXF448BZ22GARZZBBG   Language: TypeScript   Severity: 🔵 MEDIUM   CWE-22

Javascript pathtraversal rule non literal fs filename

Description and remediation guidance are identical to the first CWE-22 finding above (01HSKB01BXF448BZ22FXREJ490).

if (!fs.existsSync(absolutePath)) {

Reply with /nullify to interact with me like another developer

@nalbion-nullify nalbion-nullify bot pinned this issue Feb 22, 2024
@nalbion-nullify (Author) commented

New code security updates for commit 1d2092a

New   Fixed   Allowlisted   Unallowlisted
3     3       0             0

New Findings

ID                          Title                                                  File                                  Line  CWE
01HSKB01BXF448BZ22G1TMDBQB  Javascript pathtraversal rule non literal fs filename  src/tools/impl/get_directory_tree.ts  30    22
01HSKB01BXF448BZ22G3XQHAC8  Javascript pathtraversal rule non literal fs filename  src/tools/impl/get_directory_tree.ts  38    22
01HSKB01BXF448BZ22G6N53TP9  Javascript pathtraversal rule non literal fs filename  src/tools/impl/get_directory_tree.ts  48    22

New Fixed Findings

ID                          Title                                                  File                                  Line  CWE
01HRS93CDQWYH30R1ZFCRGQ7HA  Javascript pathtraversal rule non literal fs filename  src/tools/impl/get_directory_tree.ts  42    22
01HRS93CDQWYH30R1ZF7NJ15PS  Javascript pathtraversal rule non literal fs filename  src/tools/impl/get_directory_tree.ts  24    22
01HRS93CDQWYH30R1ZF9JSV8CK  Javascript pathtraversal rule non literal fs filename  src/tools/impl/get_directory_tree.ts  32    22
