bengmend / NodeGoat

Apache License 2.0

Code Security Report: 12 high severity findings, 17 total findings #12

Open mend-for-github-com[bot] opened 8 months ago

mend-for-github-com[bot] commented 8 months ago

Code Security Report

Scan Metadata

Latest Scan: 2024-05-22 06:50am
Total Findings: 17 | New Findings: 17 | Resolved Findings: 17
Tested Project Files: 50
Detected Programming Languages: 1 (JavaScript / TypeScript*)

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

| # | Severity | Vulnerability Type | CWE | File | Data Flows | Date |
|---|----------|--------------------|-----|------|------------|------|
| 1 | High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [contributions.js:27](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L27) | 1 | 2024-05-22 06:50am |
| 2 | High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [contributions.js:26](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L26) | 1 | 2024-05-22 06:50am |
| 3 | High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [error.js:10](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/error.js#L10) | 1 | 2024-05-22 06:50am |
| 4 | High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [session.js:231](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L231) | 2 | 2024-05-22 06:50am |
| 5 | High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [profile.js:59](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L59) | 7 | 2024-05-22 06:50am |
| 6 | High | Code Injection | [CWE-94](https://cwe.mitre.org/data/definitions/94.html) | [contributions.js:28](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L28) | 1 | 2024-05-22 06:50am |
| 7 | High | Path/Directory Traversal | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) | [index.js:84](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L84) | 1 | 2024-05-22 06:50am |
| 8 | High | NoSQL Injection | [CWE-943](https://cwe.mitre.org/data/definitions/943.html) | [memos-dao.js:23](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/memos-dao.js#L23) | 1 | 2024-05-22 06:50am |
| 9 | High | NoSQL Injection | [CWE-943](https://cwe.mitre.org/data/definitions/943.html) | [user-dao.js:91](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/user-dao.js#L91) | 1 | 2024-05-22 06:50am |
| 10 | High | Server Side Request Forgery | [CWE-918](https://cwe.mitre.org/data/definitions/918.html) | [research.js:13](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/research.js#L13) | 1 | 2024-05-22 06:50am |

Finding Details

1. Code Injection, contributions.js:27
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L22-L27
   - 1 Data Flow detected: [routes/index.js#L52](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L52) → [routes/contributions.js#L22](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L22) → [routes/contributions.js#L27](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L27)

2. Code Injection, contributions.js:26
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L21-L26
   - 1 Data Flow detected: [routes/index.js#L52](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L52) → [routes/contributions.js#L22](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L22) → [routes/contributions.js#L26](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L26)

3. Code Injection, error.js:10
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/error.js#L5-L10
   - 1 Data Flow detected: [routes/index.js#L91](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L91) → [routes/error.js#L3](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/error.js#L3) → [routes/error.js#L11](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/error.js#L11) → [routes/error.js#L10](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/error.js#L10)

4. Code Injection, session.js:231
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L226-L231
   - 2 Data Flows detected:
     - Data Flow 1: [routes/index.js#L38](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L38) → [routes/session.js#L177](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L177) → [routes/session.js#L181](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L181) → [routes/session.js#L190](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L190) → [routes/session.js#L231](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L231)
     - Data Flow 2: [routes/index.js#L38](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L38) → [routes/session.js#L177](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L177) → [routes/session.js#L180](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L180) → [routes/session.js#L191](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L191) → [routes/session.js#L231](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L231)

5. Code Injection, profile.js:59
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L54-L59
   - 7 Data Flows detected (first three shown):
     - Data Flow 1: [routes/index.js#L48](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L48) → [routes/profile.js#L34](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L34) → [routes/profile.js#L39](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L39) → [routes/profile.js#L63](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L63) → [routes/profile.js#L59](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L59)
     - Data Flow 2: [routes/index.js#L48](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L48) → [routes/profile.js#L34](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L34) → [routes/profile.js#L38](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L38) → [routes/profile.js#L62](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L62) → [routes/profile.js#L59](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L59)
     - Data Flow 3: [routes/index.js#L48](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L48) → [routes/profile.js#L34](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L34) → [routes/profile.js#L40](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L40) → [routes/profile.js#L64](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L64) → [routes/profile.js#L59](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/profile.js#L59)
     - [View more Data Flows](https://saas-eu.mend.io/app/orgs/bengdemocorp-mend/scans/3671edb9-7491-4132-9235-6b6d917b42c9/sast?project=e7f49aa4-0e4e-44aa-8788-eabfc679eac1&findingSnapshotId=e020dfc8-bb35-4d3e-b73c-d1208b6bbd77&filtered=yes)

6. Code Injection, contributions.js:28
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L23-L28
   - 1 Data Flow detected: [routes/index.js#L52](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L52) → [routes/contributions.js#L22](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L22) → [routes/contributions.js#L28](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/contributions.js#L28)

7. Path/Directory Traversal, index.js:84
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L79-L84
   - 1 Data Flow detected: [routes/index.js#L80](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L80) → [routes/index.js#L82](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L82) → [routes/index.js#L84](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L84)

8. NoSQL Injection, memos-dao.js:23
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/memos-dao.js#L18-L23
   - 1 Data Flow detected: [routes/index.js#L67](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L67) → [routes/memos.js#L8](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/memos.js#L8) → [routes/memos.js#L10](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/memos.js#L10) → [data/memos-dao.js#L15](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/memos-dao.js#L15) → [data/memos-dao.js#L19](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/memos-dao.js#L19) → [data/memos-dao.js#L23](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/memos-dao.js#L23)

9. NoSQL Injection, user-dao.js:91
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/user-dao.js#L86-L91
   - 1 Data Flow detected: [routes/index.js#L34](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L34) → [routes/session.js#L47](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L47) → [routes/session.js#L49](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L49) → [routes/session.js#L52](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/session.js#L52) → [data/user-dao.js#L57](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/user-dao.js#L57) → [data/user-dao.js#L92](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/user-dao.js#L92) → [data/user-dao.js#L91](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/data/user-dao.js#L91)

10. Server Side Request Forgery, research.js:13
   - Vulnerable Code: https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/research.js#L8-L13
   - 1 Data Flow detected: [routes/index.js#L88](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/index.js#L88) → [routes/research.js#L9](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/research.js#L9) → [routes/research.js#L12](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/research.js#L12) → [routes/research.js#L13](https://github.com/bengmend/NodeGoat/blob/ac60bedbb26aac1d1737d95a9da0e9dce0d89bcf/apps/server-render/app/routes/research.js#L13)

Secure Code Warrior Training Material (by vulnerability type)

- Code Injection (findings 1 to 6)
  - Training: [Secure Code Warrior Code Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/code/nodejs/express)
  - Videos: [Secure Code Warrior Code Injection Video](https://media.securecodewarrior.com/v2/Module_28_CODE_INJECTION_v2.mp4)
  - Further Reading: [OWASP Command Injection](https://owasp.org/www-community/attacks/Code_Injection)
- Path/Directory Traversal (finding 7)
  - Training: [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/nodejs/express)
  - Videos: [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
  - Further Reading: [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal), [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
- NoSQL Injection (findings 8 and 9)
  - Training: [Secure Code Warrior NoSQL Injection Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/nosql/nodejs/express)
  - Videos: [Secure Code Warrior NoSQL Injection Video](https://media.securecodewarrior.com/v2/Module_21_NoSQL_INJECTION_v2.mp4)
- Server Side Request Forgery (finding 10)
  - Training: [Secure Code Warrior Server Side Request Forgery Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/ssrf/generic/nodejs/express)
  - Videos: [Secure Code Warrior Server Side Request Forgery Video](https://media.securecodewarrior.com/v2/module_125_server_side_request_forgery.mp4)

Findings Overview

| Severity | Vulnerability Type | CWE | Language | Count |
|----------|--------------------|-----|----------|-------|
| High | Path/Directory Traversal | CWE-22 | JavaScript / TypeScript* | 1 |
| High | Code Injection | CWE-94 | JavaScript / TypeScript* | 6 |
| High | Server Side Request Forgery | CWE-918 | JavaScript / TypeScript* | 1 |
| High | NoSQL Injection | CWE-943 | JavaScript / TypeScript* | 4 |
| Medium | Regex Denial of Service (ReDoS) | CWE-1333 | JavaScript / TypeScript* | 1 |
| Low | Unvalidated/Open Redirect | CWE-601 | JavaScript / TypeScript* | 1 |
| Low | Log Forging | CWE-117 | JavaScript / TypeScript* | 2 |
| Low | Sensitive Cookie Without Secure | CWE-614 | JavaScript / TypeScript* | 1 |