fix: Asymmetric Private Key #41
Draft
galanko wants to merge 486 commits into
Updating my fork with latest from OWASP master
Update tutorial and comments for A6 to match Node.js best practices
Remove extraneous word "access"
grammatical fixes
Update a8.html
Update a4.html
feat(session): improper session management
feat(log-injection): example vulnerable code for CSRF injection
…orial feat(xss-context): improve comments and add tutorial section
…CVE-2022-38900) - Update decode-uri-component from 0.2.0 to 0.2.2 via package-lock.json - This patch version update fixes the improper input validation vulnerability - No code changes required in the application - Vulnerability resolved: CVE-2022-38900 (CVSS 7.5)
Adds 'secure: true' to the express-session cookie configuration to ensure session cookies are only transmitted over HTTPS connections. This prevents session hijacking via man-in-the-middle attacks on HTTP connections. Fixes: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure
…4-29041 fix: express: cause malformed URLs to be evaluated
…2021-23358 fix: nodejs-underscore: Arbitrary code execution via the template function
…alidation fix: Prevent open redirect vulnerability in /learn endpoint
…2019-10746 fix: nodejs-mixin-deep: prototype pollution in function mixin-deep
fix: bson: Deserialization of Untrusted Data vulnerability CVE-2020-7610
…019-10747 fix: nodejs-set-value: prototype pollution in function set-value
…wg-eco-445 fix: Out-of-bounds Read
…A-c3m8-x3cg-qm2c fix: Configuration Override in helmet-csp
…-2025-7339 fix: upgrade on-headers to 1.1.0 - Address CVE-2025-7339
…ponent-cve-2022-38900 fix: decode-uri-component: improper input validation resulting in DoS
…n-secure fix: Add secure flag to session middleware cookie configuration
ci: add Dependabot config
docs: add SECURITY.md
…23-45311 security: upgrade fsevents from 1.2.9 to 1.2.13 (CVE-2023-45311)
Bump minimist from 1.2.0 to 1.2.8 via npm overrides to fix CVE-2021-44906 The minimist package is vulnerable to prototype pollution in versions <=1.2.5. This patch updates minimist to 1.2.8 which includes the fix for this critical vulnerability (CVSS 9.8). The update is applied via npm overrides to ensure all transitive dependencies use the patched version.
…1-44906 fix: minimist: prototype pollution
…20165) - Added explicit debug@^3.1.0 dependency to override transitive dependencies pinning debug@2.2.0 - This addresses the ReDoS vulnerability in the useColors function identified in CVE-2017-20165 - The 3.1.0 version provides a safe regex pattern without breaking changes - Regenerated package-lock.json to reflect the new dependency constraints
…VE-2022-21681 This commit patches the Regular Expression Denial of Service (ReDoS) vulnerability in marked's inline.reflinkSearch regex pattern (CVE-2022-21681). Changes: - Upgraded marked dependency from 0.3.5 to 4.0.10 - Removed deprecated sanitize option from marked.setOptions() call - Updated package-lock.json with new dependency versions The vulnerability allowed catastrophic backtracking against certain markdown patterns, potentially leading to DoS. Version 4.0.10 includes the fix. Note: The sanitize option is no longer available in marked@4.x. HTML sanitization is no longer built-in. Consider using DOMPurify or similar on the frontend for additional security if displaying user-generated markdown.
- Add template path validation to prevent directory traversal attacks - Restrict include/extends tags to files within app/views directory - Document upstream vulnerability (swig@1.4.2 has no patched version available) - Implement interim mitigation until migration to maintained template engine Fixes CVE-2023-25345: Arbitrary local file read via template includes/extends Related: https://nvd.nist.gov/vuln/detail/CVE-2023-25345
…21681 fix: upgrade marked from 0.3.5 to 4.0.10 to fix ReDoS vulnerability CVE-2022-21681
…023-25345 fix: Mitigate CVE-2023-25345 directory traversal in swig template engine
…2017-20165 fix: upgrade debug to 3.1.0 to address ReDoS vulnerability (CVE-2017-20165)
- Removed artifacts/cert/server.key from entire git history using BFG Repo-Cleaner - Updated .gitignore to prevent future commits of certificate/key files - All 938 affected objects rewritten to remove private key material - Private key no longer accessible via git history
Comment on lines +6 to +61
| name: Node.js | ||
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| node-version: ["10.x", "12.x", "14.x"] | ||
|
|
||
| steps: | ||
| - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }} | ||
| uses: actions/checkout@v2 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Set up Node.js ${{ matrix.node-version }} | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: ${{ matrix.node-version }} | ||
|
|
||
| - name: Use cache | ||
| uses: actions/cache@v2 | ||
| with: | ||
| path: | | ||
| ~/.npm | ||
| ~/.cache | ||
| key: ${{ runner.os }}-node${{ matrix.node-version }}-E2E-${{ hashFiles('package-lock.json') }} | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| npm ci | ||
| npm run cy:verify | ||
|
|
||
| - name: Start MongoDB | ||
| run: | | ||
| docker run -d -p 27017:27017 mongo:4.0 | ||
| timeout 60s bash -c 'until nc -z -w 2 localhost 27017 && echo MongoDB ready; do sleep 2; done' | ||
|
|
||
| - name: Run E2E test suite | ||
| id: test-suite | ||
| run: | | ||
| NODE_ENV=test npm start -- --silent & | ||
| npm run test:ci -- --config video=true | ||
|
|
||
| - name: Prepare cypress artifacts | ||
| if: failure() && (steps.test-suite.outcome == 'failure') | ||
| working-directory: ./test/e2e | ||
| run: > | ||
| mkdir -p "screenshots" && find "screenshots" -mindepth 1 -maxdepth 1 -type d | ||
| -exec sh -c 'mv -- "videos/$(basename "$1").mp4" "$1"' _ {} \; | ||
|
|
||
| - name: Upload cypress artifacts | ||
| if: failure() && (steps.test-suite.outcome == 'failure') | ||
| uses: actions/upload-artifact@v2 | ||
| with: | ||
| name: cypress-artifacts-node${{ matrix.node-version }} | ||
| path: test/e2e/screenshots |
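Review bot: every `uses:` in this workflow references a floating major tag (`actions/checkout@v2`, `actions/setup-node@v1`, `actions/cache@v2`, `actions/upload-artifact@v2`); pin each one to a full commit SHA so a moved or compromised tag cannot change what runs in CI, and move to currently maintained majors while doing so. The matrix also runs `10.x` and `12.x`, which are end-of-life Node.js lines, and `mongo:4.0` in the "Start MongoDB" step is likewise past end of life. `persist-credentials: false` on the checkout step is the right call and should stay.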
Comment on lines +6 to +26
| name: Node.js | ||
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| node-version: ["14.x"] | ||
|
|
||
| steps: | ||
| - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }} | ||
| uses: actions/checkout@v2 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Set up Node.js ${{ matrix.node-version }} | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: ${{ matrix.node-version }} | ||
|
|
||
| - name: Run linter | ||
| run: npx --no-install jshint@2.12.0 . |
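Review bot: the same pinning concern as in the E2E workflow applies to `actions/checkout@v2` and `actions/setup-node@v1` here. In the "Run linter" step, `npx --no-install jshint@2.12.0 .` repeats the linter version outside package.json, so either keep the two in sync deliberately or drop the version spec and rely on the locked devDependency, which `--no-install` already requires to be present.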
| throw `The user supplied threshold: ${parsedThreshold} was not valid.`; | ||
| */ | ||
| return { | ||
| $where: `this.userId == ${parsedUserId} && this.stocks > '${threshold}'` |
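Review bot: the `$where` clause interpolates the raw `threshold` string into server-side JavaScript (`this.stocks > '${threshold}'`) while the parsed value `parsedThreshold` from the commented-out block goes unused, so a request supplying an unexpected value in threshold changes the logic of the query. Use the validated numeric value and express the comparison with query operators instead of `$where`, e.g. `{ userId: parsedUserId, stocks: { $gt: parsedThreshold } }`, which keeps input out of the evaluated code path entirely.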
Comment on lines +91 to +93
| usersCol.findOne({ | ||
| userName: userName | ||
| }, validateUserDoc); |
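Review bot: `findOne({ userName: userName }, ...)` passes `userName` straight into the query object; if it originates from request input (a JSON body can carry an object, not only a string), coerce it with `String(userName)` or reject non-string values before building the filter so an object value cannot turn the equality match into an operator query.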
Comment on lines +104 to +106
| usersCol.findOne({ | ||
| userName: userName | ||
| }, callback); |
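Review bot: the same non-string coercion point as for the `findOne` above applies to this lookup; since both build the identical filter, a single helper such as `findByUserName(userName, cb)` would keep the type check in one place.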
|
|
||
| /*jslint evil: true */ | ||
| // Insecure use of eval() to parse inputs | ||
| const preTax = eval(req.body.preTax); |
| /*jslint evil: true */ | ||
| // Insecure use of eval() to parse inputs | ||
| const preTax = eval(req.body.preTax); | ||
| const afterTax = eval(req.body.afterTax); |
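Review bot: `eval(req.body.preTax)` and `eval(req.body.afterTax)` execute request-supplied strings as code, and the `/*jslint evil: true */` pragma silences the linter without removing the risk. Replace both with numeric parsing plus validation, e.g. `const preTax = Number(req.body.preTax); if (!Number.isFinite(preTax)) { return next(new Error("invalid preTax")); }`, and drop the pragma once `eval` is gone.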
| // const regexPattern = /([0-9]+)\#/; | ||
| const regexPattern = /([0-9]+)+\#/; | ||
| // Allow only numbers with a suffix of the letter #, for example: 'XXXXXX#' | ||
| const testComplyWithRequirements = regexPattern.test(bankRouting); |
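Review bot: `/([0-9]+)+\#/` nests a `+` quantifier inside a repeated group, which backtracks exponentially on a long digit string with no trailing `#` (ReDoS); the commented-out `/([0-9]+)\#/` above it is the right shape. Since the comment says only digits followed by `#` are allowed, the pattern should also be anchored, `/^[0-9]+#$/`, so that a value like `abc123#` is not accepted on a substring match.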
Comment on lines +16 to +28
| return needle.get(url, (error, newResponse, body) => { | ||
| if (!error && newResponse.statusCode === 200) { | ||
| res.writeHead(200, { | ||
| "Content-Type": "text/html" | ||
| }); | ||
| } | ||
| res.write("<h1>The following is the stock information you requested.</h1>\n\n"); | ||
| res.write("\n\n"); | ||
| if (body) { | ||
| res.write(body); | ||
| } | ||
| return res.end(); | ||
| }); |
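Review bot: the 200 status and `Content-Type: text/html` header are written only when the fetch succeeded, but `res.write(body)` and `res.end()` run on every path, so an error response still emits whatever `body` holds with no explicit status; the upstream body is also written raw into an HTML page, so any markup in the fetched response is rendered in the user's browser. Handle the error branch explicitly (e.g. `res.writeHead(502); return res.end();`), send the upstream content as `text/plain` or escape it before embedding it in HTML, and if `url` is user-controlled, validate it against an allowlist of hosts before calling `needle.get`.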
| return false; | ||
| } | ||
| if (email !== "") { | ||
| if (!EMAIL_RE.test(email)) { |
Comment on lines +78 to +100
| app.use(session({ | ||
| // genid: (req) => { | ||
| // return genuuid() // use UUIDs for session IDs | ||
| //}, | ||
| secret: cookieSecret, | ||
| // Both mandatory in Express v4 | ||
| saveUninitialized: true, | ||
| resave: true, | ||
| /* | ||
| // Fix for A5 - Security MisConfig | ||
| // Use generic cookie name | ||
| key: "sessionId", | ||
| */ | ||
|
|
||
| // Fix for A3 - XSS and session hijacking prevention | ||
| // TODO: Add "maxAge" | ||
| cookie: { | ||
| httpOnly: true, | ||
| // Remember to start an HTTPS server to get this working | ||
| secure: true | ||
| } | ||
|
|
||
| })); |
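Review bot: the comment `// Both mandatory in Express v4` above `saveUninitialized: true` and `resave: true` is inaccurate; express-session only requires the options to be set explicitly, and the documented recommendation is `false` for both, because `saveUninitialized: true` stores a session for every anonymous request and `resave: true` can cause concurrent requests from one client to overwrite each other's session data. The commented-out `key: "sessionId"` also uses the legacy option name; the current option is `name`. The `TODO: Add "maxAge"` should be resolved in this change together with `sameSite`, so the block becomes `cookie: { httpOnly: true, secure: true, sameSite: "lax", maxAge: <session lifetime in ms> }`.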
| } | ||
|
|
||
| // Safe to redirect | ||
| return res.redirect(validation.url); |
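Review bot: the `// Safe to redirect` comment asserts a property the visible lines do not establish; make sure `validation.url` is the normalized value produced by the validator (a relative path, or a URL whose host is on an allowlist) rather than the original input passed through, and consider naming it `validation.safeUrl` so the distinction is visible at the call site.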
Summary
Automated remediation for trivy-secret finding: Asymmetric Private Key exposed in version control
Vulnerability Details
Changes Made
- Removed private key from entire git history: artifacts/cert/server.key from all commits
- Enhanced .gitignore: artifacts/cert/ directory pattern to prevent future commits
Security Impact
Before Remediation
- (-----BEGIN RSA PRIVATE KEY-----) accessible in git history
After Remediation
Verification
After merge, verify with:
Follow-up Actions Required
These items should be coordinated with the Infrastructure/DevOps team via a separate tracking issue.
Generated by Cliff Security remediation executor
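Added here as an example, not the PR's own verification command (which is not shown above): two shell checks that a file path and a PEM private-key marker are absent from every ref of a repository's history, using only git. The repository path argument, the marker string and the helper names are this example's own assumptions.

```shell
# Added example, not part of the PR or of NodeGoat. Assumes a POSIX sh and
# git on PATH; the repository path and file path are passed as arguments.

# Returns 0 if <path> appears in any commit reachable from any ref.
# After a history rewrite this should produce no output.
key_path_in_history() {
  repo="$1"
  path="$2"
  [ -n "$(git -C "$repo" log --all --oneline -- "$path" 2>/dev/null)" ]
}

# Returns 0 if any commit on any ref added or removed a blob containing the
# PEM marker; this also catches the same key committed under another name.
key_marker_in_history() {
  repo="$1"
  marker="${2:-BEGIN RSA PRIVATE KEY}"
  [ -n "$(git -C "$repo" log --all --oneline -S"$marker" 2>/dev/null)" ]
}

# Returns 0 when both checks are clean for the path removed by this PR.
history_is_clean() {
  repo="$1"
  if key_path_in_history "$repo" artifacts/cert/server.key; then
    echo "artifacts/cert/server.key still present in history of $repo" >&2
    return 1
  fi
  if key_marker_in_history "$repo"; then
    echo "PEM private key marker still present in history of $repo" >&2
    return 1
  fi
  return 0
}
```

Run it against a fresh clone of the rewritten branch: a pre-existing local clone keeps the old objects reachable through its reflog until they are expired and pruned, so the checks there can still report the key even after the push.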