Restore project files

[Peterbyte]

No description provided.

[shinobi-dev-app]

Security Review

Code Vulnerabilities:

• Critical - Missing secure HTTP server configuration | CWE-319

  Found In

  • src/AccountService/bin/www
  • src/AuthenticationService/bin/www
  • src/FrontendService/bin/www
  • src/ManagementService/bin/www
  • src/OrderService/bin/www
  • src/PaymentService/bin/www
  • src/ProductService/bin/www

  Description

  Failing to configure your HTTP server to use HTTPS can expose data to interception and manipulation. HTTPS, which incorporates TLS (Transport Layer Security), encrypts data in transit and therefore provides a more secure communication channel than HTTP.

  Remediations

  • Do use the https module for creating secure servers in your applications. This ensures that data transmitted between the server and clients is encrypted.

    var https = require('https');
    var express = require('express');
    var app = express();
    
    var httpsServer = https.createServer(app);
    httpsServer.listen(8080);

  References

  • Express Security Best Practices: use TLS
• Critical - Unsanitized input in NoSQL query | CWE-943

  Found In

  • src/AccountService/routes/index.js
    • L16-16
    • L19-24
    • L46-46
    • L71-73
    • L98-100
    • L125-127
  • src/PaymentService/routes/index.js
    • L20-22
    • L25-30
  • src/ProductService/routes/index.js
    • L17-17
    • L20-25
    • L47-47
    • L72-74
    • L99-101
    • L126-128

  Description

  Using unsanitized data in NoSQL queries exposes your application to NoSQL injection attacks. This vulnerability arises when user input, request data, or any externally influenced data is directly passed into a NoSQL query function without proper sanitization.

  Remediations

  • Do not include raw, unsanitized user input in NoSQL queries. This practice can lead to NoSQL injection vulnerabilities.

      const User = require("../models/user")
      const newUser = new User(req.body); // unsafe

  • Do sanitize all input data before using it in NoSQL queries. Ensuring data is properly sanitized can prevent NoSQL injection attacks.

      const User = require("../models/user");
    
      username = req.params.username;
      User.findOne({ name: username.toString() });

  References

  • OWASP NoSQL injection explained
• Medium - Missing Helmet configuration on HTTP headers | CWE-693

  Found In

  • src/AccountService/app.js
  • src/AuthenticationService/app.js
  • src/FrontendService/app.js
  • src/ManagementService/app.js
  • src/OrderService/app.js
  • src/PaymentService/app.js
  • src/ProductService/app.js

  Description

  Helmet can help protect your app from some well-known web vulnerabilities by setting HTTP headers appropriately. Failing to configure Helmet for HTTP headers leaves your application vulnerable to several web attacks.

  Remediations

  • Do use Helmet middleware to secure your app by adding it to your application's middleware.

    const helmet = require("helmet");
    app.use(helmet());

  References

  • Express Security Best Practices: Use Helmet
• Medium - Missing server configuration to reduce server fingerprinting | CWE-693

  Found In

  • src/AccountService/app.js
  • src/AuthenticationService/app.js
  • src/FrontendService/app.js
  • src/ManagementService/app.js
  • src/OrderService/app.js
  • src/PaymentService/app.js
  • src/ProductService/app.js

  Description

  Reducing server fingerprinting enhances security by making it harder for attackers to identify the software your server is running. Server fingerprinting involves analyzing the unique responses of server software to specific requests, which can reveal information about the server's software and version. While not a direct security vulnerability, minimizing this information leakage is a proactive step to obscure details that could be used in targeted attacks.

  Remediations

  • Do disable the X-Powered-By header in Express.js applications to prevent revealing the server's technology stack. Use the app.disable() method to achieve this.

    app.disable('x-powered-by');

  References

  • Express Security Best Practices
• Low - Leakage of information in logger message | CWE-532

  Found In

  • src/AccountService/app.js
  • src/ProductService/app.js

  Description

  Information leakage through logger messages can compromise sensitive data. This vulnerability arises when dynamic data or variables, which may contain sensitive information, are included in log messages.

  Remediations

  • Do not include sensitive data directly in logger messages. This can lead to the exposure of such data in log files, which might be accessible to unauthorized individuals.

    logger.info(`Results: ${data}`) // unsafe

  • Do use logging levels appropriately to control the verbosity of log output and minimize the risk of leaking sensitive information in production environments.

Introduced Vulnerable Packages:

• Critical - ejs: server-side template injection in outputFunctionName | CWE-94

  Package: ejs
  Installed Version: 2.6.2
  Fixed Version: 3.1.7
  Details

• Critical - Mongoose Vulnerable to Prototype Pollution in Schema Object |

  Package: mongoose
  Installed Version: 5.9.6
  Fixed Version: 6.4.6, 5.13.15
  Details

• Critical - Mongoose Prototype Pollution vulnerability | CWE-1321

  Package: mongoose
  Installed Version: 5.9.6
  Fixed Version: 7.3.3, 6.11.3, 5.13.20
  Details

• Critical - Mongoose Vulnerable to Prototype Pollution in Schema Object |

  Package: mongoose
  Installed Version: 5.9.7
  Fixed Version: 6.4.6, 5.13.15
  Details

• Critical - Mongoose Prototype Pollution vulnerability | CWE-1321

  Package: mongoose
  Installed Version: 5.9.7
  Fixed Version: 7.3.3, 6.11.3, 5.13.20
  Details

• High - body-parser: Denial of Service Vulnerability in body-parser | CWE-405

  Package: body-parser
  Installed Version: 1.18.3
  Fixed Version: 1.20.3
  Details

• High - path-to-regexp: Backtracking regular expressions cause ReDoS | CWE-1333

  Package: path-to-regexp
  Installed Version: 0.1.7
  Fixed Version: 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0
  Details

• High - express: "qs" prototype poisoning causes the hang of the node process | CWE-1321

  Package: qs
  Installed Version: 6.5.2
  Fixed Version: 6.10.3, 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, 6.2.4
  Details

• High - automattic/mongoose vulnerable to Prototype pollution via Schema.path | CWE-1321

  Package: mongoose
  Installed Version: 5.9.6
  Fixed Version: 6.4.6, 5.13.15
  Details

• High - nodejs-semver: Regular expression denial of service | CWE-1333

  Package: semver
  Installed Version: 5.7.1
  Fixed Version: 7.5.2, 6.3.1, 5.7.2
  Details

• High - automattic/mongoose vulnerable to Prototype pollution via Schema.path | CWE-1321

  Package: mongoose
  Installed Version: 5.9.7
  Fixed Version: 6.4.6, 5.13.15
  Details

• Medium - The ejs (aka Embedded JavaScript templates) package before 3.1.10 for ... | CWE-693

  Package: ejs
  Installed Version: 2.6.2
  Fixed Version: 3.1.10
  Details

• Medium - express: cause malformed URLs to be evaluated | CWE-1286, CWE-601

  Package: express
  Installed Version: 4.16.4
  Fixed Version: 4.19.2, 5.0.0-beta.3
  Details

• Medium - express: Improper Input Handling in Express Redirects | CWE-79

  Package: express
  Installed Version: 4.16.4
  Fixed Version: 4.20.0, 5.0.0
  Details

• Medium - send: Code Execution Vulnerability in Send Library | CWE-79

  Package: send
  Installed Version: 0.16.2
  Fixed Version: 0.19.0
  Details

• Medium - serve-static: Improper Sanitization in serve-static | CWE-79

  Package: serve-static
  Installed Version: 1.13.2
  Fixed Version: 1.16.0, 2.1.0
  Details

• Medium - mpath: type confusion can lead to a bypass of CVE-2018-16490 | CWE-843

  Package: mpath
  Installed Version: 0.6.0
  Fixed Version: 0.8.4
  Details

• Medium - mquery: Code injection via merge or clone operation |

  Package: mquery
  Installed Version: 3.2.2
  Fixed Version: 3.2.3
  Details

• Medium - Spoofing attack in swagger-ui-dist | CWE-1021

  Package: swagger-ui-dist
  Installed Version: 3.25.0
  Fixed Version: 4.1.3
  Details

• Medium - Server side request forgery in SwaggerUI |

  Package: swagger-ui-dist
  Installed Version: 3.25.0
  Fixed Version: 4.1.3
  Details