DimaMend / juice-shop

MIT License

Code Security Report: 23 high severity findings, 32 total findings #35

Open mend-for-github-com[bot] opened 3 months ago

mend-for-github-com[bot] commented 3 months ago

Code Security Report

Scan Metadata

Latest Scan: 2024-06-22 12:19am
Total Findings: 32 | New Findings: 1 | Resolved Findings: 0
Tested Project Files: 441
Detected Programming Languages: 1 (JavaScript / TypeScript*)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity | Vulnerability Type | CWE | File | Data Flows | Date
High | SQL Injection | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | [login.ts:36](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/login.ts#L36) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/login.ts#L31-L36

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/server.ts#L564
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/login.ts#L34
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/login.ts#L36

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/nodejs/express)
- Videos
  - [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading
  - [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
  - [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
  - [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)
 
High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [dataErasure.ts:87](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/dataErasure.ts#L87) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/dataErasure.ts#L82-L87

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/dataErasure.ts#L54

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/nodejs/express)
- Videos
  - [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading
  - [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
 
High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [dataErasure.ts:72](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/dataErasure.ts#L72) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/dataErasure.ts#L67-L72

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/dataErasure.ts#L54

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/nodejs/express)
- Videos
  - [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
- Further Reading
  - [OWASP Code Injection](https://owasp.org/www-community/attacks/Code_Injection)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [vulnCodeSnippet.ts:93](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L93) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L88-L93

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/server.ts#L640
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L74
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L75
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L93

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/nodejs/express)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [vulnCodeFixes.ts:80](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L80) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L75-L80

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/server.ts#L642
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L69
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L70
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L80

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/nodejs/express)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [vulnCodeFixes.ts:79](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L79) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L74-L79

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/server.ts#L642
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L69
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L70
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeFixes.ts#L79

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/nodejs/express)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [fileUpload.ts:30](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/fileUpload.ts#L30) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/fileUpload.ts#L25-L30

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/server.ts#L295
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/fileUpload.ts#L24
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/fileUpload.ts#L28
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/fileUpload.ts#L29
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/fileUpload.ts#L30

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/nodejs/express)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [utils.ts:206](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/lib/utils.ts#L206) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/lib/utils.ts#L201-L206

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/server.ts#L405
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/basketItems.ts#L20
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/basketItems.ts#L21
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/lib/utils.ts#L197
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/lib/utils.ts#L206

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/nodejs/express)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [vulnCodeSnippet.ts:94](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L94) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L89-L94

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/server.ts#L640
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L74
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L75
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/vulnCodeSnippet.ts#L94

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/nodejs/express)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
 
High | SQL Injection | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) | [search.ts:23](https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/search.ts#L23) | 1 | 2024-06-22 12:23am

Vulnerable Code: https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/search.ts#L18-L23

1 Data Flow detected:
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/server.ts#L570
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/search.ts#L20
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/search.ts#L21
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/search.ts#L22
- https://github.com/DimaMend/juice-shop/blob/c93fae24360417eb6ff9e1859197b1c29d71ebe7/routes/search.ts#L23

Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior SQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/sql/nodejs/express)
- Videos
  - [Secure Code Warrior SQL Injection Video](https://media.securecodewarrior.com/v2/module_01_sql_injection.mp4)
- Further Reading
  - [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
  - [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
  - [OWASP Query Parameterization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html)

Findings Overview

| Severity | Vulnerability Type | CWE | Language | Count |
|---|---|---|---|---|
| High | SQL Injection | CWE-89 | JavaScript / TypeScript* | 2 |
| High | Path/Directory Traversal | CWE-22 | JavaScript / TypeScript* | 6 |
| High | Origin Validation Error | CWE-346 | JavaScript / TypeScript* | 1 |
| High | DOM Based Cross-Site Scripting | CWE-79 | JavaScript / TypeScript* | 1 |
| High | Code Injection | CWE-94 | JavaScript / TypeScript* | 2 |
| High | Server Side Request Forgery | CWE-918 | JavaScript / TypeScript* | 1 |
| High | NoSQL Injection | CWE-943 | JavaScript / TypeScript* | 10 |
| Medium | Improper Verification of JWT Signature | CWE-347 | JavaScript / TypeScript* | 4 |
| Medium | Hardcoded Password/Credentials | CWE-798 | JavaScript / TypeScript* | 2 |
| Medium | Regex Denial of Service (ReDoS) | CWE-1333 | JavaScript / TypeScript* | 1 |
| Low | Weak Hash Strength | CWE-328 | JavaScript / TypeScript* | 1 |
| Low | Log Forging | CWE-117 | JavaScript / TypeScript* | 1 |