InfoTrackGlobal / juice-shop

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
https://owasp-juice.shop
MIT License

Vulnerabilities Dashboard - Code #1

Open nullify-infotrack[bot] opened 6 months ago

nullify-infotrack[bot] commented 6 months ago

Severity Threshold: 🔵 MEDIUM

103 Potential vulnerability sources found within this repo

🔴 CRITICAL: 0 | 🟡 HIGH: 36 | 🔵 MEDIUM: 67 | ⚪ LOW: 0

ID: 01HTES3V4Z69ZFDY9R3YT5AZ65 Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/captcha.ts#L37-L49

ID: 01HTES3V4Z69ZFDY9R1P43J258 Language: Containerfile Severity: 🟡 HIGH AVD-DS-0002

Image user should not be 'root'

Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. Read more: https://avd.aquasec.com/misconfig/ds002

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/test/smoke/Dockerfile#L1

ID: 01HTES3V4Z69ZFDY9R1RCG2CGD Language: Containerfile Severity: 🟡 HIGH AVD-DS-0025

'apk add' is missing '--no-cache'

You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size. Read more: https://avd.aquasec.com/misconfig/ds025

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/test/smoke/Dockerfile#L3

ID: 01HTES3V4Z69ZFDY9R8GJRDF9V Language: OpenAPI Severity: 🟡 HIGH CKV_OPENAPI_3

Ensure that security schemes don't allow cleartext credentials over unencrypted channel - version 3.x.y files

Read more: https://docs.bridgecrew.io/docs/ensure-that-security-schemes-dont-allow-cleartext-credentials-over-unencrypted-channel

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/swagger.yml#L29-L33

ID: 01HTES3V4Z69ZFDY9R6BTSNAME Language: TypeScript Severity: 🟡 HIGH CWE-502

Yaml deserialize

User controlled data in 'yaml.load()' function can result in Remote Code Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/server.ts#L48

ID: 01HTES3V4Z69ZFDY9R1YH310K4 Language: Containerfile Severity: 🟡 HIGH AVD-DS-0029

'apt-get' missing '--no-install-recommends'

'apt-get' install should use '--no-install-recommends' to minimize image size. Read more: https://avd.aquasec.com/misconfig/ds029

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/Dockerfile#L25

ID: 01HTES3V4Z69ZFDY9R66ZM29KY Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/wallet.ts#L24

ID: 01HTES3V4Z69ZFDY9R64XNSVY4 Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/wallet.ts#L23-L24

ID: 01HTES3V4Z69ZFDY9R62XZFER7 Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/wallet.ts#L12

ID: 01HTES3V4Z69ZFDY9R5X43R6F1 Language: TypeScript Severity: 🟡 HIGH CWE-502

Yaml deserialize

User controlled data in 'yaml.load()' function can result in Remote Code Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/vulnCodeFixes.ts#L80

ID: 01HTES3V4Z69ZFDY9R5MPCE5KR Language: TypeScript Severity: 🟡 HIGH CWE-807

Node logic bypass

User controlled data is used for application business logic decision making. This exposes protected data or functionality.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/verify.ts#L60

ID: 01HTES3V4Z69ZFDY9R5HR50HNN Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL js injection

Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/trackOrder.ts#L15-L27

ID: 01HTES3V4Z69ZFDY9R5EVC1W9E Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL js injection

Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/showProductReviews.ts#L30-L44

ID: 01HTES3V4Z69ZFDY9R5CDHYFGX Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/securityQuestion.ts#L14-L19

ID: 01HTES3V4Z69ZFDY9R5C7SC487 Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/securityQuestion.ts#L13-L27

ID: 01HTES3V4Z69ZFDY9R59NH5VJS Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/resetPassword.ts#L30-L35

ID: 01HTES3V4Z69ZFDY9R573GPEAE Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/resetPassword.ts#L19-L33

ID: 01HTES3V4Z69ZFDY9R53AKRZQ7 Language: TypeScript Severity: 🟡 HIGH CWE-918

Node ssrf

User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/profileImageUrlUpload.ts#L20

ID: 01HTES3V4Z69ZFDY9R5221X210 Language: TypeScript Severity: 🟡 HIGH CWE-918

Node ssrf

User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/profileImageUrlUpload.ts#L18-L32

ID: 01HTES3V4Z69ZFDY9R51Q06BNS Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/payment.ts#L41

ID: 01HTES3V4Z69ZFDY9R4Y9DN515 Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/order.ts#L141

ID: 01HTES3V4Z69ZFDY9R4TBCQ63B Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/order.ts#L118

ID: 01HTES3V4Z69ZFDY9R4QQYJ0HA Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/order.ts#L72

ID: 01HTES3V4Z69ZFDY9R4KWV1VBX Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/order.ts#L37

ID: 01HTES3V4Z69ZFDY9R4HZ3JJHF Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/order.ts#L36-L50

ID: 01HTES3V4Z69ZFDY9R4H459Z1Y Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/likeProductReviews.ts#L16-L30

ID: 01HTES3V4Z69ZFDY9R3DGKAHHZ Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/address.ts#L18

ID: 01HTES3V4Z69ZFDY9R3FHFSDM1 Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/basket.ts#L17-L31

ID: 01HTES3V4Z69ZFDY9R3H7MAYWY Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/basket.ts#L18

ID: 01HTES3V4Z69ZFDY9R3MD000ME Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/basketItems.ts#L67

ID: 01HTES3V4Z69ZFDY9R4GYJ1H1Y Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/deluxe.ts#L35

ID: 01HTES3V4Z69ZFDY9R4FX7HFTN Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/deluxe.ts#L25

ID: 01HTES3V4Z69ZFDY9R4DF4K17K Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/deluxe.ts#L19

ID: 01HTES3V4Z69ZFDY9R4C3B2V68 Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/delivery.ts#L34

ID: 01HTES3V4Z69ZFDY9R49WHZNK0 Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/dataErasure.ts#L27-L32

ID: 01HTES3V4Z69ZFDY9R46AY5Y6E Language: TypeScript Severity: 🟡 HIGH CWE-943

Node noSQL injection

Untrusted user input in findOne() function can result in NoSQL Injection.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/dataErasure.ts#L24-L38

ID: 01HTES3V4Z69ZFDY9R36N0V3SS Language: TypeScript Severity: 🔵 MEDIUM CWE-327

Node insecure random generator

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/lib/insecurity.ts#L55

ID: 01HTES3V4Z69ZFDY9R24X6A1RT Language: JavaScript Severity: 🔵 MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module (npm package "re2", a binding to Google's RE2 engine)
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex; this is relatively safe
    // because RE2 does not support backtracking, which is what can be abused to
    // cause long-running matches
    const re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    const result = re.exec(userInput);
    // Hand the match result (null when there is no match) back to the caller
    return result;
}

For more information on Regular Expression DoS see:

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/frontend/src/assets/private/dat.gui.min.js#L11

ID: 01HTES3V4Z69ZFDY9R43F3GFB0 Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use path.normalize to resolve and validate the path information prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

// Node built-ins used below
const path = require('path');
const crypto = require('crypto');

// User input, saved only as a reference (userSuppliedFilename comes from the request)
// id is a randomly generated UUID to be used as the filename
const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()};
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';

// Create the full path, but only use our random generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath and stop if it is not
if (!fullPath.startsWith(basePath)) {
    throw new Error("Invalid path specified!");
}
// Process / work with file
// ...

For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/chatbot.ts#L41

ID: 01HTES3V4Z69ZFDY9R3YCMBSED Language: TypeScript Severity: 🔵 MEDIUM CWE-95

Javascript eval rule eval with expression

The application was found calling the eval function OR Function() constructor OR setTimeout() OR setInterval() methods. If the variables or strings or functions passed to these methods contain user-supplied input, an adversary could attempt to execute arbitrary JavaScript code. This could lead to a full system compromise in Node applications or Cross-site Scripting (XSS) in web applications.

To remediate this issue, remove all calls to the above methods and consider alternative methods for executing the necessary business logic. There is almost no safe method of calling eval or other above stated sinks with user-supplied input.

Instead, consider alternative methods such as using property accessors to dynamically access values.

Example using property accessors to dynamically access an object's property:

// Define an object
const obj = {key1: 'value1', key2: 'value2'};
// Get key dynamically from user input
const key = getUserInput();
// Check if the key exists in our object and return it, or a default empty string
const value = (obj.hasOwnProperty(key)) ? obj[key] : '';
// Work with the value

For more information on why not to use eval, and alternatives see:

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/captcha.ts#L23

ID: 01HTES3V4Z69ZFDY9R3TPG9ZJ9 Language: TypeScript Severity: 🔵 MEDIUM CWE-327

Node insecure random generator

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/captcha.ts#L20

ID: 01HTES3V4Z69ZFDY9R3TNRSN8K Language: TypeScript Severity: 🔵 MEDIUM CWE-327

Node insecure random generator

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/captcha.ts#L19

ID: 01HTES3V4Z69ZFDY9R3RGF0Z4G Language: TypeScript Severity: 🔵 MEDIUM CWE-327

Node insecure random generator

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/captcha.ts#L17

ID: 01HTES3V4Z69ZFDY9R3RG5TB16 Language: TypeScript Severity: 🔵 MEDIUM CWE-327

Node insecure random generator

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/captcha.ts#L16

ID: 01HTES3V4Z69ZFDY9R3RA04JQC Language: TypeScript Severity: 🔵 MEDIUM CWE-327

Node insecure random generator

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/captcha.ts#L15

ID: 01HTES3V4Z69ZFDY9R3AGPDW1B Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use path.normalize to resolve and validate the path information prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

// Node built-ins used below
const path = require('path');
const crypto = require('crypto');

// User input, saved only as a reference (userSuppliedFilename comes from the request)
// id is a randomly generated UUID to be used as the filename
const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()};
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';

// Create the full path, but only use our random generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath and stop if it is not
if (!fullPath.startsWith(basePath)) {
    throw new Error("Invalid path specified!");
}
// Process / work with file
// ...

For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/lib/utils.ts#L131

ID: 01HTES3V4Z69ZFDY9R1JD4VQEJ Language: Containerfile Severity: 🔵 MEDIUM AVD-DS-0001

':latest' tag used

When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated. Read more: https://avd.aquasec.com/misconfig/ds001

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/test/smoke/Dockerfile#L1

ID: 01HTES3V4Z69ZFDY9R35SMTMGV Language: TypeScript Severity: 🔵 MEDIUM CWE-327

Node md5

MD5 is a weak hash which is known to have collisions. Use a strong hashing function.

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/lib/insecurity.ts#L43

ID: 01HTES3V4Z69ZFDY9R4Q49VRS2 Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use path.normalize to resolve and validate the path information prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

// Node built-ins used below
const path = require('path');
const crypto = require('crypto');

// User input, saved only as a reference (userSuppliedFilename comes from the request)
// id is a randomly generated UUID to be used as the filename
const userData = {userFilename: userSuppliedFilename, id: crypto.randomUUID()};
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';

// Create the full path, but only use our random generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath and stop if it is not
if (!fullPath.startsWith(basePath)) {
    throw new Error("Invalid path specified!");
}
// Process / work with file
// ...

For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/routes/order.ts#L46

ID: 01HTES3V4Z69ZFDY9R32NC4Z24 Language: TypeScript Severity: 🔵 MEDIUM CWE-185

Javascript dos rule non literal regexp

The RegExp constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests.

To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as node-re2. RE2 is a safe alternative that does not support backtracking, which is what leads to ReDoS.

Example using re2 which does not support backtracking (Note: it is still recommended to never use user-supplied input):

// Import the re2 module (npm package "re2", a binding to Google's RE2 engine)
const RE2 = require('re2');

function match(userSuppliedRegex, userInput) {
    // Create a RE2 object with the user supplied regex; this is relatively safe
    // because RE2 does not support backtracking, which is what can be abused to
    // cause long-running matches
    const re = new RE2(userSuppliedRegex);
    // Execute the regular expression against some userInput
    const result = re.exec(userInput);
    // Hand the match result (null when there is no match) back to the caller
    return result;
}

For more information on Regular Expression DoS see:

https://github.com/InfoTrackGlobal/juice-shop/blob/c8ba32bd2e555aecfcd857628be6564bf35ccadb/lib/codingChallenges.ts#L78

ℹ️ Note: 103 vulnerabilities were detected. This dashboard prioritises and showcases the top 50 most critical findings.

Reply with /nullify to interact with me like another developer

WillCohenInfotrack commented 6 months ago

/nullify fix this vuln 01HTEAR31QTNFP74BRNKTEQV26 test

WillCohenInfotrack commented 6 months ago

/nullify can you please open a PR to fix this issue 01HTEAR31QTNFP74BRNKTEQV26

nullify-infotrack[bot] commented 6 months ago

I have opened a pull request to fix the NoSQL injection vulnerability in the findOne() function as requested. You can review and merge the changes from this link.

WillCohenInfotrack commented 6 months ago

ID: 01HTEC7NV82M2VCKATWAJVXTSJ Language: TypeScript Severity: 🔵 MEDIUM CWE-327

Node md5

MD5 is a weak hash which is known to have collisions. Use a strong hashing function.

https://github.com/InfoTrackGlobal/juice-shop/blob/6276c9e088840d5c95390c462fbd5b2fc33c6c51/lib/insecurity.ts#L43

Jira Ticket: js-zyx-123

/nullify can you please raise a PR to resolve this issue?

WillCohenInfotrack commented 6 months ago

/nullify please raise PR and fix issue 01HTES3V4Z69ZFDY9R8GJRDF9V

nullify-infotrack[bot] commented 6 months ago

I have raised a pull request to fix the NoSQL injection vulnerability in the wallet route, which is identified by the ID 01HTES3V4Z69ZFDY9R8GJRDF9V. You can review and merge the changes from this pull request.