Super vulnerable todo list application
Latest commit 3ff8ac2 (Oct 22, 2018) by karniwl: Merge pull request #422 from snyk/fix/malicious-backup-read-backup-from-fs

fix: malicious backup zip and read backup from fs


Goof - Snyk's vulnerable demo app


A deliberately vulnerable Node.js demo application, based on the Dreamers Lab tutorial.

Running

mongod &

git clone https://github.com/Snyk/snyk-demo-todo
npm install
npm start

This runs Goof locally, using the local mongod started above on its default port, and listens on port 3001 (http://localhost:3001).

Running with docker-compose

docker-compose up --build

builds the images and starts the app together with its MongoDB container;

docker-compose down

stops and removes them again.

Heroku usage

To deploy Goof as a Heroku app, attach a MongoLab service to it. The add-on sets the MONGOLAB_URI environment variable, which the app reads for its database connection, so nothing else needs configuring.

CloudFoundry usage

To deploy Goof on CloudFoundry, attach a MongoLab service and name the bound service instance "goof-mongo". The code looks up the credentials for a service with exactly that name, so a different name will not be found.
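The two deployment paragraphs above describe where the app finds its database credentials on each platform. The following is an added, illustrative example of that lookup, not Goof's own code: it assumes the Heroku MongoLab add-on exposes MONGOLAB_URI, that CloudFoundry exposes bound services in the VCAP_SERVICES JSON variable (a map of service label to a list of instances, each with a name and a credentials object), and that the bound instance is named "goof-mongo". The function names, the local fallback URI and the sample VCAP_SERVICES document are all constructed for this example.

```javascript
// Added example (not part of the Goof repository): resolve the MongoDB
// connection string from the platform environment, in the priority order
//   1. MONGOLAB_URI            (assumed Heroku MongoLab add-on variable)
//   2. VCAP_SERVICES           (assumed CloudFoundry binding, instance "goof-mongo")
//   3. a local mongod on the default port (matches the "Running" section)
// The connection strings embed a password on both platforms, so the URI is
// redacted before it is logged.

const LOCAL_URI = 'mongodb://localhost:27017/express-todo'; // assumed local default

// Return the credentials object of the CloudFoundry service instance named
// `instanceName`, or null if VCAP_SERVICES is absent, not valid JSON, or does
// not contain such an instance. VCAP_SERVICES maps service label -> [instances].
function findBoundService(vcapServicesJson, instanceName) {
  if (!vcapServicesJson) return null;
  let services;
  try {
    services = JSON.parse(vcapServicesJson);
  } catch (e) {
    return null; // unparsable platform data is treated as "no binding", not a crash
  }
  if (!services || typeof services !== 'object') return null;
  for (const label of Object.keys(services)) {
    const instances = Array.isArray(services[label]) ? services[label] : [];
    for (const inst of instances) {
      if (inst && inst.name === instanceName && inst.credentials) {
        return inst.credentials;
      }
    }
  }
  return null;
}

// Resolve the Mongo URI from an environment object (e.g. process.env) and
// report which source supplied it, so startup logs can name the source
// without printing the secret-bearing URI.
function resolveMongoUri(env) {
  if (env.MONGOLAB_URI) {
    return { uri: env.MONGOLAB_URI, source: 'heroku:MONGOLAB_URI' };
  }
  const creds = findBoundService(env.VCAP_SERVICES, 'goof-mongo');
  if (creds && creds.uri) {
    return { uri: creds.uri, source: 'cloudfoundry:goof-mongo' };
  }
  return { uri: LOCAL_URI, source: 'local' };
}

// Replace the password in a mongodb:// or mongodb+srv:// URI with "***".
// URIs without a user:password@ part are returned unchanged.
function redactUri(uri) {
  return uri.replace(/^(mongodb(?:\+srv)?:\/\/[^:\/@]+:)[^@]+@/, '$1***@');
}

// Constructed sample of what CloudFoundry injects for a bound MongoLab
// instance; the host and credentials are invented for this example.
const SAMPLE_VCAP_SERVICES = JSON.stringify({
  mlab: [
    {
      name: 'goof-mongo',
      credentials: { uri: 'mongodb://goofuser:s3cret@ds012345.mlab.com:12345/goof' },
    },
  ],
});

// Demo against the constructed binding rather than the real process.env.
const demo = resolveMongoUri({ VCAP_SERVICES: SAMPLE_VCAP_SERVICES });
console.log(`mongo source=${demo.source} uri=${redactUri(demo.uri)}`);
```

When run as above the log line names the source (cloudfoundry:goof-mongo) and shows the URI with the password replaced; on a developer machine with neither variable set it falls back to the local mongod.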

Cleanup

To bulk delete the current list of TODO items from the DB run:

npm run cleanup

Exploiting the vulnerabilities

This app depends on npm packages with known vulnerabilities.

Here are the exploitable vulnerable packages:

The exploits directory contains step-by-step instructions for demonstrating each one.

Fixing the issues

To find these flaws in this application (and in your own apps), run:

npm install -g snyk
snyk wizard

In this application, accepting the default snyk wizard answers fixes all the issues. When the wizard is done, restart the application and run the exploits again to confirm they no longer work.