wip #199
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,26 +1,27 @@ | ||
| # Name of this GitHub Actions workflow. | ||
| name: Semgrep CE scan | ||
|
|
||
| on: | ||
| # Scan in PRs: | ||
| pull_request: {} | ||
| # Scan on-demand through GitHub Actions interface: | ||
| workflow_dispatch: {} | ||
| # Scan mainline branches and report all findings: | ||
| push: | ||
| branches: ["master", "!main"] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| semgrep: | ||
| name: semgrep-oss/scan | ||
| runs-on: ubuntu-latest | ||
| container: | ||
| # A Docker image with Semgrep installed. Do not change this. | ||
| image: semgrep/semgrep | ||
| if: (github.actor != 'dependabot[bot]') | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Run Semgrep | ||
| run: semgrep scan --config auto --error |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| /* | ||
| * Copyright (c) 2014-2022 Bjoern Kimminich & the OWASP Juice Shop contributors. | ||
| * SPDX-License-Identifier: MIT | ||
| */ | ||
|
|
||
| import challengeUtils = require('../lib/challengeUtils') | ||
| import { Request, Response, NextFunction } from 'express' | ||
| import { Review } from '../data/types' | ||
|
|
||
| const challenges = require('../data/datacache').challenges | ||
| const db = require('../data/mongodb') | ||
| const security = require('../lib/insecurity') | ||
|
|
||
| module.exports = function productReviews () { | ||
| return (req: Request, res: Response, next: NextFunction) => { | ||
| const id = req.body.id | ||
| const user = security.authenticatedUsers.from(req) | ||
| db.reviews.findOne({ _id: id }).then((review: Review) => { | ||
| if (!review) { | ||
| res.status(404).json({ error: 'Not found' }) | ||
| } else { | ||
| const likedBy = review.likedBy | ||
| if (!likedBy.includes(user.data.email)) { | ||
| db.reviews.update( | ||
| { _id: id }, | ||
|
There was a problem hiding this comment. Semgrep identified a blocking 🔴 issue in your code: Dataflow graphflowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>src/app/d1.js</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] req.body</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] id</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L25 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 25] { _id: id }</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment: 🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods. 💬 Ignore this findingReply with Semgrep commands to ignore this finding.
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-mongo-nosqli. You can view more details about this finding in the Semgrep AppSec Platform. |
||
| { $inc: { likesCount: 1 } } | ||
| ).then( | ||
| () => { | ||
| // Artificial wait for timing attack challenge | ||
| setTimeout(function () { | ||
| db.reviews.findOne({ _id: id }).then((review: Review) => { | ||
|
There was a problem hiding this comment. Semgrep identified a blocking 🔴 issue in your code: Dataflow graphflowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>src/app/d1.js</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] req.body</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] id</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L31 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 31] { _id: id }</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment: 🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods. 💬 Ignore this findingReply with Semgrep commands to ignore this finding.
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-mongo-nosqli. You can view more details about this finding in the Semgrep AppSec Platform. |
||
| const likedBy = review.likedBy | ||
| likedBy.push(user.data.email) | ||
| let count = 0 | ||
| for (let i = 0; i < likedBy.length; i++) { | ||
| if (likedBy[i] === user.data.email) { | ||
| count++ | ||
| } | ||
| } | ||
| challengeUtils.solveIf(challenges.timingAttackChallenge, () => { return count > 2 }) | ||
| db.reviews.update( | ||
| { _id: id }, | ||
|
There was a problem hiding this comment. Semgrep identified a blocking 🔴 issue in your code: Dataflow graphflowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>src/app/d1.js</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] req.body</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] id</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L42 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 42] { _id: id }</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment: 🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods. 💬 Ignore this findingReply with Semgrep commands to ignore this finding.
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-mongo-nosqli. You can view more details about this finding in the Semgrep AppSec Platform. |
||
| { $set: { likedBy: likedBy } } | ||
| ).then( | ||
| (result: any) => { | ||
| res.json(result) | ||
| }, (err: unknown) => { | ||
| res.status(500).json(err) | ||
| }) | ||
| }, () => { | ||
| res.status(400).json({ error: 'Wrong Params' }) | ||
| }) | ||
| }, 150) | ||
| }, (err: unknown) => { | ||
| res.status(500).json(err) | ||
| }) | ||
| } else { | ||
| res.status(403).json({ error: 'Not allowed' }) | ||
| } | ||
| } | ||
| }, () => { | ||
| res.status(400).json({ error: 'Wrong Params' }) | ||
| }) | ||
| } | ||
| } | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Semgrep identified a blocking 🔴 issue in your code:
Detected a
../data/mongodbstatement that comes from areqargument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.Dataflow graph
flowchart LR classDef invis fill:white, stroke: none classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none subgraph File0["<b>src/app/d1.js</b>"] direction LR %% Source subgraph Source direction LR v0["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] req.body</a>"] end %% Intermediate subgraph Traces0[Traces] direction TB v2["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L16 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 16] id</a>"] end %% Sink subgraph Sink direction LR v1["<a href=https://github.com/iondrimba/pwa-music-player/blob/60ea13c79d9d59c3e53cb816831515d741d680bf/src/app/d1.js#L18 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 18] { _id: id }</a>"] end end %% Class Assignment Source:::invis Sink:::invis Traces0:::invis File0:::invis %% Connections Source --> Traces0 Traces0 --> SinkTo resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasonsAlternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-mongo-nosqli.
You can view more details about this finding in the Semgrep AppSec Platform.