Nullify-Platform / nullify-grafana-datasource

Public Grafana datasource for Nullify
Apache License 2.0

Vulnerabilities Dashboard - Code #7

Open nullify-latest[bot] opened 8 months ago

nullify-latest[bot] commented 8 months ago

Severity Threshold: 🔵 MEDIUM

4 Potential vulnerability sources found within this repo

🔴 CRITICAL: 0
🟡 HIGH: 1
🔵 MEDIUM: 3
⚪ LOW: 0

ID: 01HTXPMY2EAMREH3ANTESXF4Z8 Language: Containerfile Severity: 🟡 HIGH AVD-DS-0002

Image user should not be 'root'

Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. Read more: https://avd.aquasec.com/misconfig/ds002

https://github.com/Nullify-Platform/nullify-grafana-datasource/blob/00e92e5bf47d5ce2a6a39997c4a7ac961d3abcb1/.config/Dockerfile#L15

ID: 01HTXPMY2EAMREH3ANTMW2R24Q Language: TypeScript Severity: 🔵 MEDIUM CWE-95

Javascript require rule non literal require

The application was found to dynamically import a module by calling require using a non-literal string. An adversary might be able to read the first line of arbitrary files. If they had write access to the file system, they may also be able to execute arbitrary code.

To remediate this issue, use a hardcoded string literal when calling require. Never call it with dynamically created variables or user-supplied data.

https://github.com/Nullify-Platform/nullify-grafana-datasource/blob/00e92e5bf47d5ce2a6a39997c4a7ac961d3abcb1/.config/webpack/utils.ts#L25

ID: 01HTXPMY2EAMREH3ANTRGHQN72 Language: TypeScript Severity: 🔵 MEDIUM CWE-95

Javascript require rule non literal require

The application was found to dynamically import a module by calling require using a non-literal string. An adversary might be able to read the first line of arbitrary files. If they had write access to the file system, they may also be able to execute arbitrary code.

To remediate this issue, use a hardcoded string literal when calling require. Never call it with dynamically created variables or user-supplied data.

https://github.com/Nullify-Platform/nullify-grafana-datasource/blob/00e92e5bf47d5ce2a6a39997c4a7ac961d3abcb1/.config/webpack/utils.ts#L29

ID: 01HTXPMY2EAMREH3ANTT74GB2Z Language: TypeScript Severity: 🔵 MEDIUM CWE-22

Javascript pathtraversal rule non literal fs filename

The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use path.normalize to resolve and validate the path information prior to processing any file functionality.

Example using path.normalize and not allowing direct user input:

const path = require('path');
const crypto = require('crypto');

// User input, saved only as a reference; it is never used to build a path.
// id is a randomly generated UUID to be used as the filename.
// userSuppliedFilename is assumed to come from the request (e.g. an upload).
const userData = { userFilename: userSuppliedFilename, id: crypto.randomUUID() };
// Restrict all file processing to this directory only
const basePath = '/app/restricted/';

// Create the full path, but only use our randomly generated id as the filename
const joinedPath = path.join(basePath, userData.id);
// Normalize path, removing any '..'
const fullPath = path.normalize(joinedPath);
// Verify the fullPath is contained within our basePath; abort if it is not,
// so that no file operation runs on a path outside the restricted directory
if (!fullPath.startsWith(basePath)) {
    throw new Error('Invalid path specified!');
}
// Process / work with fullPath
// ...

For more information on path traversal issues see OWASP: https://owasp.org/www-community/attacks/Path_Traversal

https://github.com/Nullify-Platform/nullify-grafana-datasource/blob/00e92e5bf47d5ce2a6a39997c4a7ac961d3abcb1/.config/webpack/utils.ts#L33

Reply with /nullify to interact with me like another developer

kevinydzhu commented 8 months ago

/nullify How do I fix the "Detect non literal fs filename" vulnerability?