diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 00000000..8c922a1d --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,52 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v1.4.3 + with: + java-version: 1.8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app shiftleft-js-demo --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --js --cpg . + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + Build-Rules: + runs-on: ubuntu-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-js-demo \ + --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + \ No newline at end of file diff --git a/README.md b/README.md index eb6324fa..1bba79f1 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# NodeJS Tarpit +# NodeJS Tarpit - Chuck B. (edited) An ExpressJS (tarpit) application using mongoDB. diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 00000000..dffef31e --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,20 @@ +#source +# branch: master +build_rules: + - id: allow-zero-findings + finding_types: + - vuln + - secret + - insight + - "*" + severity: + - SEVERITY_HIGH_IMPACT + - SEVERITY_MEDIUM_IMPACT + - SEVERITY_LOW_IMPACT + threshold: 0 + + - id: reachable-oss-vuln + finding_types: [oss_vuln] + options: + reachable: true + num_findings: 0 diff --git a/src/Controllers/ImageLookup.js b/src/Controllers/ImageLookup.js index 4542472b..7d64036b 100644 --- a/src/Controllers/ImageLookup.js +++ b/src/Controllers/ImageLookup.js @@ -1,3 +1,5 @@ +// Checked in with propesed fix as master branch scan + const fs = require("fs"); const { logger } = require("../Logger"); @@ -7,9 +9,31 @@ class ImageLookup { /* Can read any file in the server by passing the filename (image) in the query params */ /* ex: http GET http://localhost:8089/api/v1/image-lookup image=="package.json" */ const fileContent = fs.readFileSync(req.query.image).toString(); + + // ************************************************** Vulnerable Code Block ***** + logger.debug(fileContent); res.send(fileContent); + } + +} + +module.exports = ImageLookup; + +/* + // ************************************************** Remediated Code Block ***** + + sanitizedStr = sanitizeString(fileContent) + logger.debug(sanitizedStr); + res.send(sanitizedStr); + } + } + function sanitizeString(str){ + str = str.replace(/[^a-z0-9áéíóúñü \.,_-]/gim,""); + return str.trim(); + } module.exports = ImageLookup; +*/