If a threat from a ThreatDragon model already contains a type, reuse this.
ChristophNiehoff committed Jun 9, 2023
1 parent addaebb commit 8ebd7ae
Showing 2 changed files with 6 additions and 2 deletions.
4 changes: 4 additions & 0 deletions src/server/__tests__/server.test.js
Expand Up @@ -341,19 +341,23 @@ it('Download threat file', async () => {
- *Description:* description
- *Mitigation:* mitigation
4. **Accessing DB credentials**
- *Category:* Information disclosure
- *Severity:* High
- *Description:* The Background Worker configuration stores the credentials used by the worker to access the DB. An attacker could compromise the Background Worker and get access to the DB credentials.
- *Mitigation:* \\[Click Me\\]\\(javascript:alert\\('XSS'\\)\\)
5. **Unauthorised access**
- *Category:* Information disclosure
- *Severity:* High
- *Description:* An attacker could make an query call on the DB,
- *Mitigation:* Require all queries to be authenticated.
6. **Credential theft**
- *Category:* Information disclosure
- *Severity:* Medium
- *Author:* The Model
- *Description:* An attacker could obtain the DB credentials ans use them to make unauthorised queries.
- *Mitigation:* Use a firewall to restrict access to the DB to only the Background Worker IP address.
7. **\\!\\[Uh oh...\\]\\(https://www.example.com/image.png"onload="alert\\('XSS'\\)\\)**
- *Category:* Information disclosure
- *Severity:* High
- *Description:* The Web Application Config stores credentials used by the Web App to access the message queue. These could be stolen by an attacker and used to read confidential data or place poison message on the queue.
- *Mitigation:* The Message Queue credentials should be encrypted. newlines shouldn't break the formatting
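Review bot: every threat in this expected-output hunk carries the category "Information disclosure", so the fixture does not visibly exercise the new fall-through added in src/server/endpoints.js, where a type that isSuit rejects is emitted verbatim as the category; add a fixture threat whose type is not a suit name so that branch is asserted. Since the neighbouring expectations already pin down markdown escaping for title and mitigation (e.g. `\\[Click Me\\]\\(javascript:alert\\('XSS'\\)\\)`), give that passed-through type a value containing markdown metacharacters as well, so the test also documents whether a category taken straight from an imported model is escaped before it reaches the downloaded file.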
4 changes: 2 additions & 2 deletions src/server/endpoints.js
Expand Up @@ -248,10 +248,10 @@ export const downloadThreatsMarkdownFile = (gameServer) => async (ctx) => {
};

function enrichThreatWithCategory(threat, gameMode) {
if (threat.type && isSuit(threat.type)) {
if (threat.type) {
return ({
...threat,
category: getSuitDisplayName(gameMode, threat.type)
category: isSuit(threat.type) ? getSuitDisplayName(gameMode, threat.type) : threat.type
});
}

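Review bot: relaxing the guard to `if (threat.type)` means a non-suit `threat.type` is now copied into `category` unchanged and flows into the markdown produced by downloadThreatsMarkdownFile; nothing in this hunk escapes or validates that value, whereas the expectations in src/server/__tests__/server.test.js show the title and mitigation fields being escaped (`\\[`, `\\(`, `\\!`). Confirm that the same escaping is applied to `category`, or that `threat.type` is checked against an allow-list when the ThreatDragon model is imported. The truthiness check also silently treats an empty-string type as "no type"; a one-line comment stating that this is intended would help the next reader.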
