From f536d271deda854f3cadc2cf75c88e98bb00f139 Mon Sep 17 00:00:00 2001 From: James Berthoty Date: Tue, 3 Sep 2024 03:02:26 +0000 Subject: [PATCH 01/10] vuln add --- insecure-js/package.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/insecure-js/package.json b/insecure-js/package.json index 21f09aa..c974a96 100644 --- a/insecure-js/package.json +++ b/insecure-js/package.json @@ -2,7 +2,8 @@ "dependencies": { "@aikidosec/firewall": "^1.5.47", "lodash": "4.16.1", - "semver": "5.4.1" + "semver": "5.4.1", + "jquery": "2.1.0" }, "devDependencies": { "@babel/core": "7.0.0-rc.1" From d1b32d5a3fa6093bd1aafcd71479cd086f87f6ae Mon Sep 17 00:00:00 2001 From: James Berthoty Date: Tue, 3 Sep 2024 03:09:30 +0000 Subject: [PATCH 02/10] vuln add --- insecure-js/package.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/insecure-js/package.json b/insecure-js/package.json index c974a96..3cd1591 100644 --- a/insecure-js/package.json +++ b/insecure-js/package.json @@ -3,7 +3,8 @@ "@aikidosec/firewall": "^1.5.47", "lodash": "4.16.1", "semver": "5.4.1", - "jquery": "2.1.0" + "jquery": "2.1.0", + "chartist": "0.3.0" }, "devDependencies": { "@babel/core": "7.0.0-rc.1" From 620989e62825fd48f972054c553d494b0f5597c1 Mon Sep 17 00:00:00 2001 From: James Berthoty Date: Tue, 3 Sep 2024 03:13:58 +0000 Subject: [PATCH 03/10] vuln add --- insecure-js/package.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/insecure-js/package.json b/insecure-js/package.json index 3cd1591..772b3e5 100644 --- a/insecure-js/package.json +++ b/insecure-js/package.json @@ -4,7 +4,8 @@ "lodash": "4.16.1", "semver": "5.4.1", "jquery": "2.1.0", - "chartist": "0.3.0" + "chartist": "0.3.0", + "chart.js": "2.8.0" }, "devDependencies": { "@babel/core": "7.0.0-rc.1" From 0b0f0615146434b55d853b711310bceb52bdc357 Mon Sep 17 00:00:00 2001 
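Review bot: The three pins added on this line (`"jquery": "2.1.0"`, `"chartist": "0.3.0"`, `"chart.js": "2.8.0"`, one per patch 01–03) land in package.json without a matching package-lock.json update, which only arrives in patch 08, so in between `npm ci` rejects the out-of-sync lock and `npm install` silently re-resolves; patch 05's `"sequelize"` pin has the same gap. None of the three is required by server.js (the require list visible in patch 04 covers http, lodash, querystring, semver, json5 and sequelize), so they change only the installed tree, which is fine for an SCA fixture but needs stating somewhere, since JSON cannot carry a comment and the subject "vuln add" does not say which advisory or scanner behaviour each pin is meant to exercise. Folding the three one-line commits into one with that explanation in its message would also make the history easier to audit.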
From: James Berthoty Date: Tue, 3 Sep 2024 16:07:00 +0000 Subject: [PATCH 04/10] add vuln --- insecure-js/server.js | 67 +++++++++++++++++++++++++++++++++---------- 1 file changed, 52 insertions(+), 15 deletions(-) diff --git a/insecure-js/server.js b/insecure-js/server.js index 888da99..49d405c 100644 --- a/insecure-js/server.js +++ b/insecure-js/server.js @@ -2,22 +2,60 @@ const http = require('http'); const _ = require('lodash'); const qs = require('querystring'); const semver = require('semver'); -const JSON5 = require('json5') +const JSON5 = require('json5'); +const Sequelize = require('sequelize'); // Add sequelize dependency const hostname = '0.0.0.0'; const port = 3000; +// Initialize Sequelize +const sequelize = new Sequelize('database', 'username', 'password', { + host: 'localhost', + dialect: 'mysql' +}); + +// Define a simple model +const User = sequelize.define('user', { + username: { + type: Sequelize.STRING + }, + email: { + type: Sequelize.STRING + } +}); + const server = http.createServer((req, res) => { if (req.method === 'POST') { let body = ''; req.on('data', chunk => { body += chunk.toString(); }); - req.on('end', () => { + req.on('end', async () => { const postData = qs.parse(body); let responseMessages = []; - // Process template input for lodash vulnerability CVE-2021-23337 - lodash injection + // SQL Injection via Sequelize findAll function - CVE-2017-18342 + if (postData.username) { + try { + // Vulnerable code: unsanitized input being directly passed to where clause + const users = await User.findAll({ + where: { + username: postData.username // This is vulnerable to SQL Injection + } + }); + + if (users.length > 0) { + responseMessages.push(`

Found ${users.length} user(s) with username: ${postData.username}

`); + } else { + responseMessages.push(`

No users found with username: ${postData.username}

`); + } + } catch (error) { + console.error(error); + responseMessages.push(`

An error occurred: ${error.message}

`); + } + } + + // Process template input for lodash vulnerability CVE-2021-23337 if (postData.template) { try { const compiled = _.template(postData.template); @@ -29,7 +67,7 @@ const server = http.createServer((req, res) => { } } - // Process version range input for semver ReDoS vulnerability //CVE-2022-25883 - semver redos and phantom package + // Process version range input for semver ReDoS vulnerability CVE-2022-25883 if (postData.versionRange) { const start = Date.now(); try { @@ -45,17 +83,12 @@ const server = http.createServer((req, res) => { } } - // CVE-2022-46175 Prototype Polution from JSON5 showing phantom package + // CVE-2022-46175 Prototype Pollution from JSON5 if (postData.json5data) { try { - // Parse the JSON5 data, which may include prototype pollution const parsedObject = JSON5.parse(postData.json5data); - - // Create a new object that inherits from the parsedObject - // This step is crucial to demonstrate the prototype pollution, as it will inherit any polluted properties const testObject = Object.create(parsedObject); - - // Now, check if the prototype pollution has been successful by checking the new object + if (testObject.polluted) { responseMessages.push(`
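Review bot: The comment `// This is vulnerable to SQL Injection` on `username: postData.username` is not borne out by the code: a plain string value in a Sequelize `where` object is escaped or bound by the query generator, so this path is a false-negative demo as written (patch 08 later rewrites it as a JSON-path key), and the identifier in `// SQL Injection via Sequelize findAll function - CVE-2017-18342` is a PyYAML advisory, not a Sequelize one. The hunk also introduces a second, unlabelled sink: `postData.username` and `error.message` are interpolated into markup that is sent with `Content-Type: text/html`, so the handler reflects untrusted input unescaped; either label it as an intentional reflected-XSS case or pass it through an HTML escaper. The connection is created with the literal placeholders `'database', 'username', 'password'`; reading them from environment variables would keep the fixture from being copied verbatim into real deployments. The `http.createServer` callback opened in this hunk continues outside it.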

Prototype pollution detected: testObject.polluted = ${testObject.polluted}

`); } else { @@ -65,7 +98,7 @@ const server = http.createServer((req, res) => { console.error(error); responseMessages.push(`
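Review bot: The deleted comments were the only explanation of why `Object.create(parsedObject)` sits between `JSON5.parse` and the `testObject.polluted` check; without them the extra object reads as dead indirection. Keep a one-line version above it, e.g. `// Inherit from the parsed object so any property the JSON5 payload set on the prototype is visible on a fresh object`. The `if (postData.json5data)` block continues outside the hunk.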

An error occurred while processing the JSON5 data: ${error.message}

`); } - } + } // Send combined response res.writeHead(200, { 'Content-Type': 'text/html' }); @@ -76,11 +109,15 @@ const server = http.createServer((req, res) => { res.end(` -

Lodash Template and Semver Range Vulnerability Demo

+

Lodash Template, Semver Range, and Sequelize Vulnerability Demo

+
+
+
+

-
+

@@ -96,7 +133,7 @@ const server = http.createServer((req, res) => {
-

Submit to execute the vulnerable lodash template function or to validate a version range with semver on the server.

+

Submit to execute the vulnerable lodash template function, validate a version range with semver, or test SQL injection via Sequelize on the server.

`); From 66e46000ce3675c343e435e019ba11325f9a8143 Mon Sep 17 00:00:00 2001 From: James Berthoty Date: Tue, 3 Sep 2024 16:21:02 +0000 Subject: [PATCH 05/10] sql inject --- insecure-js/package.json | 3 ++- insecure-js/server.js | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/insecure-js/package.json b/insecure-js/package.json index 772b3e5..05f1d56 100644 --- a/insecure-js/package.json +++ b/insecure-js/package.json @@ -5,7 +5,8 @@ "semver": "5.4.1", "jquery": "2.1.0", "chartist": "0.3.0", - "chart.js": "2.8.0" + "chart.js": "2.8.0", + "sequelize": "4.44.3" }, "devDependencies": { "@babel/core": "7.0.0-rc.1" diff --git a/insecure-js/server.js b/insecure-js/server.js index 49d405c..a5ec286 100644 --- a/insecure-js/server.js +++ b/insecure-js/server.js @@ -33,7 +33,22 @@ const server = http.createServer((req, res) => { req.on('end', async () => { const postData = qs.parse(body); let responseMessages = []; + // SQL Injection via string concatenation + if (postData.rawSql) { + try { + const rawQuery = `SELECT * FROM users WHERE username = '${postData.rawSql}'`; + const users = await sequelize.query(rawQuery, { type: sequelize.QueryTypes.SELECT }); + if (users.length > 0) { + responseMessages.push(`

Found ${users.length} user(s) with username: ${postData.rawSql}

`); + } else { + responseMessages.push(`

No users found with username: ${postData.rawSql}

`); + } + } catch (error) { + console.error(error); + responseMessages.push(`

An error occurred: ${error.message}

`); + } + } // SQL Injection via Sequelize findAll function - CVE-2017-18342 if (postData.username) { try { From fffd72a8561f7e41b176cabe099986c6f6a3f937 Mon Sep 17 00:00:00 2001 From: James Berthoty Date: Tue, 3 Sep 2024 16:28:30 +0000 Subject: [PATCH 06/10] trigger From 4afb07d079ecc26da2ae72be761d04847fbe9fb0 Mon Sep 17 00:00:00 2001 From: James Berthoty Date: Tue, 3 Sep 2024 17:00:48 +0000 Subject: [PATCH 07/10] push --- insecure-js/server.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/insecure-js/server.js b/insecure-js/server.js index a5ec286..bc9ab1d 100644 --- a/insecure-js/server.js +++ b/insecure-js/server.js @@ -35,8 +35,9 @@ const server = http.createServer((req, res) => { let responseMessages = []; // SQL Injection via string concatenation if (postData.rawSql) { + // try { - const rawQuery = `SELECT * FROM users WHERE username = '${postData.rawSql}'`; + const rawQuery = `SELECT * FROM users WHERE username = '${postData.rawSql}'`; const users = await sequelize.query(rawQuery, { type: sequelize.QueryTypes.SELECT }); if (users.length > 0) { From d51526fff41c61b8dbb60817f55ebfb977cccf0f Mon Sep 17 00:00:00 2001 From: James Berthoty Date: Sat, 7 Sep 2024 15:00:38 -0400 Subject: [PATCH 08/10] fix example --- insecure-js/.dccache | 1 + insecure-js/package-lock.json | 264 +++++++++++++++++++++++++++++++++- insecure-js/package.json | 2 +- insecure-js/server.js | 15 +- 4 files changed, 266 insertions(+), 16 deletions(-) create mode 100644 insecure-js/.dccache diff --git a/insecure-js/.dccache b/insecure-js/.dccache new file mode 100644 index 0000000..97bdf5e --- /dev/null +++ b/insecure-js/.dccache @@ -0,0 +1 @@ +{"/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-js/server.js":[5988,1725735163763.5144,"8b14a50d31bb3f143e4b605b0e9e8e305a0f676bd35d364cdcc520dd2dc96954"]} \ No newline at end of file diff --git a/insecure-js/package-lock.json b/insecure-js/package-lock.json index b30b7e2..2314e8d 100644 
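Review bot: The new `rawSql` handler builds its statement by interpolating `postData.rawSql` into `` `SELECT * FROM users WHERE username = '${postData.rawSql}'` `` and is correctly labelled as the string-concatenation case, but a teaching fixture should show the mitigated form alongside it; a one-line contrast such as `// Safe form: sequelize.query('SELECT * FROM users WHERE username = :name', { replacements: { name: postData.rawSql }, type: sequelize.QueryTypes.SELECT })` would do. The result reporting also reflects `postData.rawSql` and the database's `error.message` into the HTML response, which can disclose schema details on a failed query and is a second, unlabelled sink. The try/catch/push shape is now repeated for rawSql, username and template; a small helper taking a label and a query function would remove the duplication. The `req.on('end', async () => {` callback holding the block continues outside the hunk.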
--- a/insecure-js/package-lock.json +++ b/insecure-js/package-lock.json @@ -6,8 +6,12 @@ "": { "dependencies": { "@aikidosec/firewall": "^1.5.47", + "chart.js": "2.8.0", + "chartist": "0.3.0", + "jquery": "2.1.0", "lodash": "4.16.1", - "semver": "5.4.1" + "semver": "5.4.1", + "sequelize": "4.44.1" }, "devDependencies": { "@babel/core": "7.0.0-rc.1" @@ -201,6 +205,19 @@ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", "dev": true }, + "node_modules/@types/geojson": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/@types/geojson/-/geojson-1.0.6.tgz", + "integrity": "sha512-Xqg/lIZMrUd0VRmSRbCAewtwGZiAk3mEUDvV4op1tGl+LvyPcb/MIOSxTl9z+9+J+R4/vpjiCAT4xeKzH9ji1w==" + }, + "node_modules/@types/node": { + "version": "22.5.4", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.5.4.tgz", + "integrity": "sha512-FDuKUJQm/ju9fT/SeX/6+gBzoPzlVCzfzmGkwKvRHQVxi4BntVbyIwf6a4Xn62mrvndLiml6z/UBXIdEVjQLXg==", + "dependencies": { + "undici-types": "~6.19.2" + } + }, "node_modules/ansi-styles": { "version": "3.2.1", "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz", @@ -213,6 +230,11 @@ "node": ">=4" } }, + "node_modules/bluebird": { + "version": "3.7.2", + "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz", + "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==" + }, "node_modules/chalk": { "version": "2.4.2", "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz", 
@@ -227,11 +249,53 @@ "node": ">=4" } }, + "node_modules/chart.js": { + "version": "2.8.0", + "resolved": "https://registry.npmjs.org/chart.js/-/chart.js-2.8.0.tgz", + "integrity": "sha512-Di3wUL4BFvqI5FB5K26aQ+hvWh8wnP9A3DWGvXHVkO13D3DSnaSsdZx29cXlEsYKVkn1E2az+ZYFS4t0zi8x0w==", + "dependencies": { + "chartjs-color": "^2.1.0", + "moment": "^2.10.2" + } + }, + "node_modules/chartist": { + "version": "0.3.0", + "resolved": "https://registry.npmjs.org/chartist/-/chartist-0.3.0.tgz", + "integrity": "sha512-mQuyWZLXMRDcIEawKTsmNxDH14YwiAXPmRlW3yyS7sLyx+zOYDgxWyKuLwsooX49jUcZw7JXSeaEA/WwdGRfzg==", + "engines": { + "node": ">=0.8.0" + } + }, + "node_modules/chartjs-color": { + "version": "2.4.1", + "resolved": "https://registry.npmjs.org/chartjs-color/-/chartjs-color-2.4.1.tgz", + "integrity": "sha512-haqOg1+Yebys/Ts/9bLo/BqUcONQOdr/hoEr2LLTRl6C5LXctUdHxsCYfvQVg5JIxITrfCNUDr4ntqmQk9+/0w==", + "dependencies": { + "chartjs-color-string": "^0.6.0", + "color-convert": "^1.9.3" + } + }, + "node_modules/chartjs-color-string": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/chartjs-color-string/-/chartjs-color-string-0.6.0.tgz", + "integrity": "sha512-TIB5OKn1hPJvO7JcteW4WY/63v6KwEdt6udfnDE9iCAZgy+V4SrbSxoIbTw/xkUIapjEI4ExGtD0+6D3KyFd7A==", + "dependencies": { + "color-name": "^1.0.0" + } + }, + "node_modules/cls-bluebird": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/cls-bluebird/-/cls-bluebird-2.1.0.tgz", + "integrity": "sha512-XVb0RPmHQyy35Tz9z34gvtUcBKUK8A/1xkGCyeFc9B0C7Zr5SysgFaswRVdwI5NEMcO+3JKlIDGIOgERSn9NdA==", + "dependencies": { + "is-bluebird": "^1.0.2", + "shimmer": "^1.1.0" + } + }, "node_modules/color-convert": { "version": "1.9.3", "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz", "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==", - "dev": true, "dependencies": { "color-name": "1.1.3" } 
@@ -239,8 +303,7 @@ "node_modules/color-name": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz", - "integrity": "sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw==", - "dev": true + "integrity": "sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw==" }, "node_modules/convert-source-map": { "version": "1.9.0", @@ -252,11 +315,23 @@ "version": "3.2.7", "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz", "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==", - "dev": true, "dependencies": { "ms": "^2.1.1" } }, + "node_modules/depd": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", + "integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/dottie": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/dottie/-/dottie-2.0.6.tgz", + "integrity": "sha512-iGCHkfUc5kFekGiqhe8B/mdaurD+lakO9txNnTvKtA6PISrw86LgqHvRzWYPyoE2Ph5aMIrCw9/uko6XHTKCwA==" + }, "node_modules/escape-string-regexp": { "version": "1.0.5", "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz", @@ -284,6 +359,14 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/generic-pool": { + "version": "3.5.0", + "resolved": "https://registry.npmjs.org/generic-pool/-/generic-pool-3.5.0.tgz", + "integrity": "sha512-dEkxmX+egB2o4NR80c/q+xzLLzLX+k68/K8xv81XprD+Sk7ZtP14VugeCz+fUwv5FzpWq40pPtAkzPRqT8ka9w==", + "engines": { + "node": ">= 4" + } + }, "node_modules/globals": { "version": "11.12.0", "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz", 
@@ -314,6 +397,22 @@ "node": ">= 0.4" } }, + "node_modules/inflection": { + "version": "1.12.0", + "resolved": "https://registry.npmjs.org/inflection/-/inflection-1.12.0.tgz", + "integrity": "sha512-lRy4DxuIFWXlJU7ed8UiTJOSTqStqYdEb4CEbtXfNbkdj3nH1L+reUWiE10VWcJS2yR7tge8Z74pJjtBjNwj0w==", + "engines": [ + "node >= 0.4.0" + ] + }, + "node_modules/is-bluebird": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/is-bluebird/-/is-bluebird-1.0.2.tgz", + "integrity": "sha512-PDRu1vVip5dGQg5tfn2qVCCyxbBYu5MhYUJwSfL/RoGBI97n1fxvilVazxzptZW0gcmsMH17H4EVZZI5E/RSeA==", + "engines": { + "node": ">=0.10.0" + } + }, "node_modules/is-core-module": { "version": "2.13.1", "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", @@ -326,6 +425,11 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/jquery": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/jquery/-/jquery-2.1.0.tgz", + "integrity": "sha512-QyJAvw0LUlUPci88C5LTFNtg4WFs70Dkqmwq4rZyOBflduKnHZakpIIDjhZVygAQbUqaghv6msUyP5TmRoNevQ==" + }, "node_modules/js-tokens": { "version": "3.0.2", "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz", 
@@ -358,11 +462,29 @@ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz", "integrity": "sha512-qK+vzI6bQ91q3gkfBKpO0rgR0qV6ECjT1+ZBprnFejldHGi74AQ9MPWfSreqqzaF0aLRC7qnnYb5AjTwLXSNKw==" }, + "node_modules/moment": { + "version": "2.30.1", + "resolved": "https://registry.npmjs.org/moment/-/moment-2.30.1.tgz", + "integrity": "sha512-uEmtNhbDOrWPFS+hdjFCBfy9f2YoyzRpwcl+DqpC6taX21FzsTLQVbMV/W7PzNSX6x/bhC1zA3c2UQ5NzH6how==", + "engines": { + "node": "*" + } + }, + "node_modules/moment-timezone": { + "version": "0.5.45", + "resolved": "https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.45.tgz", + "integrity": "sha512-HIWmqA86KcmCAhnMAN0wuDOARV/525R2+lOLotuGFzn4HO+FH+/645z2wx0Dt3iDv6/p61SIvKnDstISainhLQ==", + "dependencies": { + "moment": "^2.29.4" + }, + "engines": { + "node": "*" + } + }, "node_modules/ms": { "version": "2.1.3", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", - "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", - "dev": true + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" }, "node_modules/path-parse": { "version": "1.0.7", 
@@ -387,6 +509,28 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/retry-as-promised": { + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/retry-as-promised/-/retry-as-promised-2.3.2.tgz", + "integrity": "sha512-KZMPON7wEhqU4pyWzXw/Ti8NYTVk5+qQ5OfAq3+L/3gJ2Fv+YaLVHbFSK80XlIfI9WrdP8c73bDTrh14SvTSKw==", + "dependencies": { + "bluebird": "^3.4.6", + "debug": "^2.6.9" + } + }, + "node_modules/retry-as-promised/node_modules/debug": { + "version": "2.6.9", + "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", + "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", + "dependencies": { + "ms": "2.0.0" + } + }, + "node_modules/retry-as-promised/node_modules/ms": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", + "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==" + }, "node_modules/semver": { "version": "5.4.1", "resolved": "https://registry.npmjs.org/semver/-/semver-5.4.1.tgz", 
@@ -395,6 +539,52 @@ "semver": "bin/semver" } }, + "node_modules/sequelize": { + "version": "4.44.1", + "resolved": "https://registry.npmjs.org/sequelize/-/sequelize-4.44.1.tgz", + "integrity": "sha512-eMPkuIRFMVSJWL4QXkI3luuOC/fxSQ0KRHodQb/cbB0PZSbJZ5pNv9HoQkAyzGKdxnU1efb4vMy9ctFcRhIVOw==", + "deprecated": "Please update to v6 or higher! A migration guide can be found here: https://sequelize.org/v6/manual/upgrade-to-v6.html", + "dependencies": { + "bluebird": "^3.5.0", + "cls-bluebird": "^2.1.0", + "debug": "^3.1.0", + "depd": "^1.1.0", + "dottie": "^2.0.0", + "generic-pool": "3.5.0", + "inflection": "1.12.0", + "lodash": "^4.17.1", + "moment": "^2.20.0", + "moment-timezone": "^0.5.14", + "retry-as-promised": "^2.3.2", + "semver": "^5.5.0", + "terraformer-wkt-parser": "^1.1.2", + "toposort-class": "^1.0.1", + "uuid": "^3.2.1", + "validator": "^10.4.0", + "wkx": "^0.4.1" + }, + "engines": { + "node": ">=4.0.0" + } + }, + "node_modules/sequelize/node_modules/lodash": { + "version": "4.17.21", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", + "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==" + }, + "node_modules/sequelize/node_modules/semver": { + "version": "5.7.2", + "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz", + "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==", + "bin": { + "semver": "bin/semver" + } + }, + "node_modules/shimmer": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/shimmer/-/shimmer-1.2.1.tgz", + "integrity": "sha512-sQTKC1Re/rM6XyFM6fIAGHRPVGvyXfgzIDvzoq608vM+jeyVD0Tu1E6Np0Kc2zAIFWIj963V2800iF/9LPieQw==" + }, "node_modules/source-map": { "version": "0.5.7", "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz", 
@@ -428,6 +618,31 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/terraformer": { + "version": "1.0.12", + "resolved": "https://registry.npmjs.org/terraformer/-/terraformer-1.0.12.tgz", + "integrity": "sha512-MokUp0+MFal4CmJDVL6VAO1bKegeXcBM2RnPVfqcFIp2IIv8EbPAjG0j/vEy/vuKB8NVMMSF2vfpVS/QLe4DBg==", + "deprecated": "terraformer is deprecated and no longer supported. Please use @terraformer/arcgis.", + "engines": { + "node": ">=4.2.6" + }, + "optionalDependencies": { + "@types/geojson": "^7946.0.0 || ^1.0.0" + } + }, + "node_modules/terraformer-wkt-parser": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/terraformer-wkt-parser/-/terraformer-wkt-parser-1.2.1.tgz", + "integrity": "sha512-+CJyNLWb3lJ9RsZMTM66BY0MT3yIo4l4l22Jd9CrZuwzk54fsu4Sc7zejuS9fCITTuTQy3p06d4MZMVI7v5wSg==", + "deprecated": "terraformer-wkt-parser is deprecated and no longer supported. Please use @terraformer/wkt.", + "dependencies": { + "@types/geojson": "^1.0.0", + "terraformer": "~1.0.5" + }, + "engines": { + "node": ">=4.2.6" + } + }, "node_modules/to-fast-properties": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-2.0.0.tgz", @@ -437,6 +652,11 @@ "node": ">=4" } }, + "node_modules/toposort-class": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/toposort-class/-/toposort-class-1.0.1.tgz", + "integrity": "sha512-OsLcGGbYF3rMjPUf8oKktyvCiUxSbqMMS39m33MAjLTC1DVIH6x3WSt63/M77ihI09+Sdfk1AXvfhCEeUmC7mg==" + }, "node_modules/trim-right": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/trim-right/-/trim-right-1.0.1.tgz", 
@@ -445,6 +665,36 @@ "engines": { "node": ">=0.10.0" } + }, + "node_modules/undici-types": { + "version": "6.19.8", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz", + "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==" + }, + "node_modules/uuid": { + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", + "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", + "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.", + "bin": { + "uuid": "bin/uuid" + } + }, + "node_modules/validator": { + "version": "10.11.0", + "resolved": "https://registry.npmjs.org/validator/-/validator-10.11.0.tgz", + "integrity": "sha512-X/p3UZerAIsbBfN/IwahhYaBbY68EN/UQBWHtsbXGT5bfrH/p4NQzUCG1kF/rtKaNpnJ7jAu6NGTdSNtyNIXMw==", + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/wkx": { + "version": "0.4.8", + "resolved": "https://registry.npmjs.org/wkx/-/wkx-0.4.8.tgz", + "integrity": "sha512-ikPXMM9IR/gy/LwiOSqWlSL3X/J5uk9EO2hHNRXS41eTLXaUFEVw9fn/593jW/tE5tedNg8YjT5HkCa4FqQZyQ==", + "dependencies": { + "@types/node": "*" + } } } } diff --git a/insecure-js/package.json b/insecure-js/package.json index 05f1d56..af55434 100644 --- a/insecure-js/package.json +++ b/insecure-js/package.json @@ -6,7 +6,7 @@ "jquery": "2.1.0", "chartist": "0.3.0", "chart.js": "2.8.0", - "sequelize": "4.44.3" + "sequelize": "4.44.1" }, "devDependencies": { "@babel/core": "7.0.0-rc.1" diff --git a/insecure-js/server.js b/insecure-js/server.js index bc9ab1d..a1d598a 100644 --- a/insecure-js/server.js +++ b/insecure-js/server.js 
@@ -3,7 +3,7 @@ const _ = require('lodash'); const qs = require('querystring'); const semver = require('semver'); const JSON5 = require('json5'); -const Sequelize = require('sequelize'); // Add sequelize dependency +const Sequelize = require('sequelize'); const hostname = '0.0.0.0'; const port = 3000; @@ -50,27 +50,26 @@ const server = http.createServer((req, res) => { responseMessages.push(`

An error occurred: ${error.message}

`); } } - // SQL Injection via Sequelize findAll function - CVE-2017-18342 + // SQL Injection via Sequelize findAll function - CVE-2019-10748, technically requires db to be MySQL or MariaDB if (postData.username) { try { - // Vulnerable code: unsanitized input being directly passed to where clause + // Vulnerable code: unsanitized input being directly passed to the where clause involving a JSON path key const users = await User.findAll({ where: { - username: postData.username // This is vulnerable to SQL Injection + target: { [postData.username]: 1 } } }); - + if (users.length > 0) { - responseMessages.push(`

Found ${users.length} user(s) with username: ${postData.username}

`); + responseMessages.push(`

Found ${users.length} user(s) with target username: ${postData.username}

`); } else { - responseMessages.push(`

No users found with username: ${postData.username}

`); + responseMessages.push(`

No users found with target username: ${postData.username}

`); } } catch (error) { console.error(error); responseMessages.push(`

An error occurred: ${error.message}

`); } } - // Process template input for lodash vulnerability CVE-2021-23337 if (postData.template) { try { From 18946e5abd686fa7f1f3f12cabf2d790a867a1eb Mon Sep 17 00:00:00 2001 From: James Berthoty Date: Tue, 17 Sep 2024 22:49:51 -0400 Subject: [PATCH 09/10] add seccomp --- insecure-chart/Chart.yaml | 4 +- .../templates/insecure-app-seccomp.yaml | 97 +++++++++++++++++++ insecure-chart/templates/insecure-app.yaml | 4 +- 3 files changed, 102 insertions(+), 3 deletions(-) create mode 100644 insecure-chart/templates/insecure-app-seccomp.yaml diff --git a/insecure-chart/Chart.yaml b/insecure-chart/Chart.yaml index 4c6241e..65d02f8 100644 --- a/insecure-chart/Chart.yaml +++ b/insecure-chart/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: insecure-apps description: Intentionally insecure Helm chart for testing purposes type: application -version: 0.1.1 -appVersion: "1.0.0" +version: 0.1.4 +appVersion: "1.0.4" maintainers: - email: james@latio.tech name: Latio Tech \ No newline at end of file diff --git a/insecure-chart/templates/insecure-app-seccomp.yaml b/insecure-chart/templates/insecure-app-seccomp.yaml new file mode 100644 index 0000000..e080d1d --- /dev/null +++ b/insecure-chart/templates/insecure-app-seccomp.yaml 
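Review bot: The new `where: { target: { [postData.username]: 1 } }` names a column that the `User` model defined in patch 04 never declares (only `username` and `email`), so the generated query will fail at the database unless the `users` table really has a JSON `target` column, and whether Sequelize 4.44.1 takes the JSON-path branch for an undeclared attribute is worth confirming rather than assuming. The updated comment ties the case to CVE-2019-10748 and says it "requires db to be MySQL or MariaDB"; as far as I recall the 2019 Sequelize JSON-path advisories were issued per dialect, so check that the identifier matches the `dialect: 'mysql'` the connection is created with. The untrusted key is still echoed unescaped into the HTML response in both branches (`Found ... target username: ${postData.username}`), unchanged from before. The `if (postData.username)` block and its enclosing callback continue outside the hunk.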
@@ -0,0 +1,97 @@ +kind: SeccompProfile +apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1 +metadata: + name: insecure-app + namespace: default + creationTimestamp: null +spec: + containers: + - name: insecure-app + path: default/Deployment-insecure-app-insecure-app.json + spec: + defaultAction: SCMP_ACT_ERRNO + architectures: + - SCMP_ARCH_X86_64 + - SCMP_ARCH_X86 + - SCMP_ARCH_X32 + syscalls: + - names: + - accept4 + - access + - arch_prctl + - bind + - brk + - capget + - capset + - chdir + - clone + - close + - connect + - dup + - dup2 + - epoll_create1 + - epoll_ctl + - epoll_pwait + - epoll_wait + - execve + - exit + - exit_group + - faccessat2 + - fcntl + - fstat + - fstatfs + - futex + - getcwd + - getdents64 + - getegid + - geteuid + - getgid + - getpid + - getppid + - getrandom + - getsockname + - gettid + - getuid + - ioctl + - listen + - lseek + - lstat + - madvise + - mmap + - mprotect + - munmap + - nanosleep + - newfstatat + - openat + - pipe2 + - poll + - prctl + - pread64 + - prlimit64 + - read + - readlink + - recvfrom + - rt_sigaction + - rt_sigprocmask + - rt_sigreturn + - sched_yield + - select + - sendto + - set_robust_list + - set_tid_address + - setgid + - setgroups + - setsockopt + - setuid + - shutdown + - sigaltstack + - socket + - stat + - sysinfo + - tgkill + - umask + - uname + - wait4 + - write + action: SCMP_ACT_ALLOW +status: {} diff --git a/insecure-chart/templates/insecure-app.yaml b/insecure-chart/templates/insecure-app.yaml index eeb9e7f..a76c9ba 100644 --- a/insecure-chart/templates/insecure-app.yaml +++ b/insecure-chart/templates/insecure-app.yaml @@ -23,7 +23,9 @@ spec: - name: AWS_SECRET_ACCESS_KEY value: v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5 securityContext: - privileged: true + seccompProfile: + localhostProfile: default/Deployment-insecure-app-insecure-app.json + type: Localhost volumeMounts: - name: docker-socket mountPath: /var/run/docker.sock 
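Review bot: The new file is a Kubescape-style `SeccompProfile` object (`apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1`), not a raw seccomp JSON file, and shipping it as a chart template does not by itself place `default/Deployment-insecure-app-insecure-app.json` under the kubelet's seccomp directory, which the `type: Localhost` reference in insecure-app.yaml needs; unless a cluster component materialises these objects on every node the pod will not start, and the chart should document that prerequisite. `creationTimestamp: null` and `status: {}` are server-populated fields and should be dropped from a template. If, as the API group suggests, the syscall list was recorded from one run of the workload, then with `defaultAction: SCMP_ACT_ERRNO` any syscall an unexercised code path needs will surface as an EPERM-style failure inside the app rather than as a pod event; noting the recording source in a comment, and validating with `SCMP_ACT_LOG` before enforcing, would help whoever extends the workload next.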
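Review bot: Replacing `privileged: true` with the Localhost `seccompProfile` is what lets the profile take effect at all, since container runtimes typically run privileged containers with seccomp unconfined, but nothing records that reasoning, so a later commit could re-add `privileged: true` and silently disable the profile; a comment above `securityContext:` such as `# privileged containers bypass seccomp; keep this unprivileged so the Localhost profile applies` would pin it. With only `seccompProfile` set, the context still omits `allowPrivilegeEscalation: false`, `runAsNonRoot` and a capability drop, and the surrounding context lines show the Docker socket volume mount is unchanged; if the intent is a deliberately insecure workload with a single hardening control added, the chart description should say so. The pod spec continues outside the hunk.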
From 9deaea29eb936c4f4bbb2ab9dbddf2c6e2886899 Mon Sep 17 00:00:00 2001 From: James Berthoty Date: Wed, 18 Sep 2024 22:56:36 -0400 Subject: [PATCH 10/10] remove irrelevant --- insecure-js/.dccache | 1 - insecure-js/Dockerfile | 17 - insecure-js/package-lock.json | 700 ---------------------------------- insecure-js/package.json | 18 - insecure-js/server.js | 160 -------- 5 files changed, 896 deletions(-) delete mode 100644 insecure-js/.dccache delete mode 100644 insecure-js/Dockerfile delete mode 100644 insecure-js/package-lock.json delete mode 100644 insecure-js/package.json delete mode 100644 insecure-js/server.js diff --git a/insecure-js/.dccache b/insecure-js/.dccache deleted file mode 100644 index 97bdf5e..0000000 --- a/insecure-js/.dccache +++ /dev/null @@ -1 +0,0 @@ -{"/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-js/server.js":[5988,1725735163763.5144,"8b14a50d31bb3f143e4b605b0e9e8e305a0f676bd35d364cdcc520dd2dc96954"]} \ No newline at end of file diff --git a/insecure-js/Dockerfile b/insecure-js/Dockerfile deleted file mode 100644 index b98e31e..0000000 --- a/insecure-js/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -FROM node:16 - -# Create /app directory and set as working directory -RUN mkdir /app -WORKDIR /app - -# Add application and package -ADD ./insecure-js/package.json /app/ -ADD ./insecure-js/server.js /app/ - -RUN npm install - -RUN rm /usr/local/lib/node_modules/npm/node_modules/semver/package.json - -EXPOSE 3000 - -CMD [ "node", "server.js" ] diff --git a/insecure-js/package-lock.json b/insecure-js/package-lock.json deleted file mode 100644 index 2314e8d..0000000 --- a/insecure-js/package-lock.json +++ /dev/null 
@@ -1,700 +0,0 @@ -{ - "name": "insecure-js", - "lockfileVersion": 3, - "requires": true, - "packages": { - "": { - "dependencies": { - "@aikidosec/firewall": "^1.5.47", - "chart.js": "2.8.0", - "chartist": "0.3.0", - "jquery": "2.1.0", - "lodash": "4.16.1", - "semver": "5.4.1", - "sequelize": "4.44.1" - }, - "devDependencies": { - "@babel/core": "7.0.0-rc.1" - } - }, - "node_modules/@aikidosec/firewall": { - "version": "1.5.47", - "resolved": "https://registry.npmjs.org/@aikidosec/firewall/-/firewall-1.5.47.tgz", - "integrity": "sha512-BvQKMq2gl80onRGDzDLfaZX/abxPF0MgbnVUdNyUIU0CFDS1ffLwRATNLg7AxirBtpgwKF94uMYug72YwnKsyw==", - "engines": { - "node": ">=16" - } - }, - "node_modules/@babel/code-frame": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.0.0-rc.1.tgz", - "integrity": "sha512-qhQo3GqwqMUv03SxxjcEkWtlkEDvFYrBKbJUn4Dtd9amC2cLkJ3me4iYUVSBbVXWbfbVRalEeVBHzX4aQYKnBg==", - "dev": true, - "dependencies": { - "@babel/highlight": "7.0.0-rc.1" - } - }, - "node_modules/@babel/core": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.0.0-rc.1.tgz", - "integrity": "sha512-CvuSsq+LFs9N4SJG8MnNPI0hnl913HK1OqG3NEfejOKo+JqtVuxpmAFyXIDogX2x668xqFKAW6EQiCIcUHklMg==", - "dev": true, - "dependencies": { - "@babel/code-frame": "7.0.0-rc.1", - "@babel/generator": "7.0.0-rc.1", - "@babel/helpers": "7.0.0-rc.1", - "@babel/parser": "7.0.0-rc.1", - "@babel/template": "7.0.0-rc.1", - "@babel/traverse": "7.0.0-rc.1", - "@babel/types": "7.0.0-rc.1", - "convert-source-map": "^1.1.0", - "debug": "^3.1.0", - "json5": "^0.5.0", - "lodash": "^4.17.10", - "resolve": "^1.3.2", - "semver": "^5.4.1", - "source-map": "^0.5.0" - }, - "engines": { - "node": ">=6.9.0" - } - }, - "node_modules/@babel/core/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": 
"sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, - "node_modules/@babel/generator": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.0.0-rc.1.tgz", - "integrity": "sha512-Ak4n780/coo+L9GZUS7V/IGJilP11t4UoWl0J9cG3jso4KkDGQcqdx4Y6gJAiXng+sDfvzUmvWfM1hZwH82J0A==", - "dev": true, - "dependencies": { - "@babel/types": "7.0.0-rc.1", - "jsesc": "^2.5.1", - "lodash": "^4.17.10", - "source-map": "^0.5.0", - "trim-right": "^1.0.1" - } - }, - "node_modules/@babel/generator/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, - "node_modules/@babel/helper-function-name": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.0.0-rc.1.tgz", - "integrity": "sha512-fDbWxdYYbFNzcI5jn3qsPxHI1UCXwvFk0kGytGce/FEBYEPXBqycKknC8Oqiub8DzGtmTcvnqcm/cl/qxzeuiQ==", - "dev": true, - "dependencies": { - "@babel/helper-get-function-arity": "7.0.0-rc.1", - "@babel/template": "7.0.0-rc.1", - "@babel/types": "7.0.0-rc.1" - } - }, - "node_modules/@babel/helper-get-function-arity": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.0.0-rc.1.tgz", - "integrity": "sha512-5+ydaIRxT42FSDqvoXIDksCGlW1903xC73HQnQCFF1YuV7VcIf+9M4+tRZulLlYlshw7ILA+4SiYsKoDlC0Irg==", - "dev": true, - "dependencies": { - "@babel/types": "7.0.0-rc.1" - } - }, - "node_modules/@babel/helper-split-export-declaration": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.0.0-rc.1.tgz", - "integrity": 
"sha512-hz6QmlnaBFYt4ra8DfRLCMgrI7yfwQ13kJtufSO5dVCasxmAng2LeeQiT6H4iN5TpFONcayp5f/2mXqHH/zn/g==", - "dev": true, - "dependencies": { - "@babel/types": "7.0.0-rc.1" - } - }, - "node_modules/@babel/helpers": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.0.0-rc.1.tgz", - "integrity": "sha512-4+AkDbZ0Usr7mNH4wGX8fVx4WJzHdrcjRkJy52EIWyBAQEoKqb5HXca1VjejWtnVwaGwW7zk/h6oQ9FQPywQfA==", - "dev": true, - "dependencies": { - "@babel/template": "7.0.0-rc.1", - "@babel/traverse": "7.0.0-rc.1", - "@babel/types": "7.0.0-rc.1" - } - }, - "node_modules/@babel/highlight": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.0.0-rc.1.tgz", - "integrity": "sha512-5PgPDV6F5s69XNznTcP0za3qH7qgBkr9DVQTXfZtpF+3iEyuIZB1Mjxu52F5CFxgzQUQJoBYHVxtH4Itdb5MgA==", - "dev": true, - "dependencies": { - "chalk": "^2.0.0", - "esutils": "^2.0.2", - "js-tokens": "^3.0.0" - } - }, - "node_modules/@babel/parser": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.0.0-rc.1.tgz", - "integrity": "sha512-rC+bIz2eZnJlacERmJO25UAbXVZttcSxh0Px0gRGinOTzug5tL7+L9urfIdSWlv1ZzP03+f2xkOFLOxZqSsVmQ==", - "dev": true, - "bin": { - "parser": "bin/babel-parser.js" - }, - "engines": { - "node": ">=6.0.0" - } - }, - "node_modules/@babel/template": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.0.0-rc.1.tgz", - "integrity": "sha512-gPLng2iedNlkaGD0UdwaUByQXK8k4bnaoq2RH5JgR2mqHvh2RyjkDdaMbZFlSss1Iu8+PrXwbIRworTl8iRqbA==", - "dev": true, - "dependencies": { - "@babel/code-frame": "7.0.0-rc.1", - "@babel/parser": "7.0.0-rc.1", - "@babel/types": "7.0.0-rc.1", - "lodash": "^4.17.10" - } - }, - "node_modules/@babel/template/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": 
"sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, - "node_modules/@babel/traverse": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.0.0-rc.1.tgz", - "integrity": "sha512-lNOpJ5xzakg+fCobQQHdeDRYeN54b+bAZpeTYMeeYPAvN+hTldg9/FSNKYEMRs5EWoQ0Yt74gwq98InSORdSDQ==", - "dev": true, - "dependencies": { - "@babel/code-frame": "7.0.0-rc.1", - "@babel/generator": "7.0.0-rc.1", - "@babel/helper-function-name": "7.0.0-rc.1", - "@babel/helper-split-export-declaration": "7.0.0-rc.1", - "@babel/parser": "7.0.0-rc.1", - "@babel/types": "7.0.0-rc.1", - "debug": "^3.1.0", - "globals": "^11.1.0", - "lodash": "^4.17.10" - } - }, - "node_modules/@babel/traverse/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, - "node_modules/@babel/types": { - "version": "7.0.0-rc.1", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.0.0-rc.1.tgz", - "integrity": "sha512-MBwO1JQKin9BwKTGydrYe4VDJbStCUy35IhJzeZt3FByOdx/q3CYaqMRrH70qVD2RA7+Xk8e3RN0mzKZkYBYuQ==", - "dev": true, - "dependencies": { - "esutils": "^2.0.2", - "lodash": "^4.17.10", - "to-fast-properties": "^2.0.0" - } - }, - "node_modules/@babel/types/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, - "node_modules/@types/geojson": { - "version": "1.0.6", - "resolved": "https://registry.npmjs.org/@types/geojson/-/geojson-1.0.6.tgz", - "integrity": "sha512-Xqg/lIZMrUd0VRmSRbCAewtwGZiAk3mEUDvV4op1tGl+LvyPcb/MIOSxTl9z+9+J+R4/vpjiCAT4xeKzH9ji1w==" - }, - "node_modules/@types/node": { - "version": "22.5.4", - 
"resolved": "https://registry.npmjs.org/@types/node/-/node-22.5.4.tgz", - "integrity": "sha512-FDuKUJQm/ju9fT/SeX/6+gBzoPzlVCzfzmGkwKvRHQVxi4BntVbyIwf6a4Xn62mrvndLiml6z/UBXIdEVjQLXg==", - "dependencies": { - "undici-types": "~6.19.2" - } - }, - "node_modules/ansi-styles": { - "version": "3.2.1", - "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz", - "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==", - "dev": true, - "dependencies": { - "color-convert": "^1.9.0" - }, - "engines": { - "node": ">=4" - } - }, - "node_modules/bluebird": { - "version": "3.7.2", - "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz", - "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==" - }, - "node_modules/chalk": { - "version": "2.4.2", - "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz", - "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==", - "dev": true, - "dependencies": { - "ansi-styles": "^3.2.1", - "escape-string-regexp": "^1.0.5", - "supports-color": "^5.3.0" - }, - "engines": { - "node": ">=4" - } - }, - "node_modules/chart.js": { - "version": "2.8.0", - "resolved": "https://registry.npmjs.org/chart.js/-/chart.js-2.8.0.tgz", - "integrity": "sha512-Di3wUL4BFvqI5FB5K26aQ+hvWh8wnP9A3DWGvXHVkO13D3DSnaSsdZx29cXlEsYKVkn1E2az+ZYFS4t0zi8x0w==", - "dependencies": { - "chartjs-color": "^2.1.0", - "moment": "^2.10.2" - } - }, - "node_modules/chartist": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/chartist/-/chartist-0.3.0.tgz", - "integrity": "sha512-mQuyWZLXMRDcIEawKTsmNxDH14YwiAXPmRlW3yyS7sLyx+zOYDgxWyKuLwsooX49jUcZw7JXSeaEA/WwdGRfzg==", - "engines": { - "node": ">=0.8.0" - } - }, - "node_modules/chartjs-color": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/chartjs-color/-/chartjs-color-2.4.1.tgz", - 
"integrity": "sha512-haqOg1+Yebys/Ts/9bLo/BqUcONQOdr/hoEr2LLTRl6C5LXctUdHxsCYfvQVg5JIxITrfCNUDr4ntqmQk9+/0w==", - "dependencies": { - "chartjs-color-string": "^0.6.0", - "color-convert": "^1.9.3" - } - }, - "node_modules/chartjs-color-string": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/chartjs-color-string/-/chartjs-color-string-0.6.0.tgz", - "integrity": "sha512-TIB5OKn1hPJvO7JcteW4WY/63v6KwEdt6udfnDE9iCAZgy+V4SrbSxoIbTw/xkUIapjEI4ExGtD0+6D3KyFd7A==", - "dependencies": { - "color-name": "^1.0.0" - } - }, - "node_modules/cls-bluebird": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/cls-bluebird/-/cls-bluebird-2.1.0.tgz", - "integrity": "sha512-XVb0RPmHQyy35Tz9z34gvtUcBKUK8A/1xkGCyeFc9B0C7Zr5SysgFaswRVdwI5NEMcO+3JKlIDGIOgERSn9NdA==", - "dependencies": { - "is-bluebird": "^1.0.2", - "shimmer": "^1.1.0" - } - }, - "node_modules/color-convert": { - "version": "1.9.3", - "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz", - "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==", - "dependencies": { - "color-name": "1.1.3" - } - }, - "node_modules/color-name": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz", - "integrity": "sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw==" - }, - "node_modules/convert-source-map": { - "version": "1.9.0", - "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-1.9.0.tgz", - "integrity": "sha512-ASFBup0Mz1uyiIjANan1jzLQami9z1PoYSZCiiYW2FczPbenXc45FZdBZLzOT+r6+iciuEModtmCti+hjaAk0A==", - "dev": true - }, - "node_modules/debug": { - "version": "3.2.7", - "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz", - "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==", - "dependencies": { - "ms": "^2.1.1" - } - }, - 
"node_modules/depd": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", - "integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==", - "engines": { - "node": ">= 0.6" - } - }, - "node_modules/dottie": { - "version": "2.0.6", - "resolved": "https://registry.npmjs.org/dottie/-/dottie-2.0.6.tgz", - "integrity": "sha512-iGCHkfUc5kFekGiqhe8B/mdaurD+lakO9txNnTvKtA6PISrw86LgqHvRzWYPyoE2Ph5aMIrCw9/uko6XHTKCwA==" - }, - "node_modules/escape-string-regexp": { - "version": "1.0.5", - "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz", - "integrity": "sha512-vbRorB5FUQWvla16U8R/qgaFIya2qGzwDrNmCZuYKrbdSUMG6I1ZCGQRefkRVhuOkIGVne7BQ35DSfo1qvJqFg==", - "dev": true, - "engines": { - "node": ">=0.8.0" - } - }, - "node_modules/esutils": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz", - "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/function-bind": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", - "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", - "dev": true, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/generic-pool": { - "version": "3.5.0", - "resolved": "https://registry.npmjs.org/generic-pool/-/generic-pool-3.5.0.tgz", - "integrity": "sha512-dEkxmX+egB2o4NR80c/q+xzLLzLX+k68/K8xv81XprD+Sk7ZtP14VugeCz+fUwv5FzpWq40pPtAkzPRqT8ka9w==", - "engines": { - "node": ">= 4" - } - }, - "node_modules/globals": { - "version": "11.12.0", - "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz", - "integrity": 
"sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==", - "dev": true, - "engines": { - "node": ">=4" - } - }, - "node_modules/has-flag": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz", - "integrity": "sha512-sKJf1+ceQBr4SMkvQnBDNDtf4TXpVhVGateu0t918bl30FnbE2m4vNLX+VWe/dpjlb+HugGYzW7uQXH98HPEYw==", - "dev": true, - "engines": { - "node": ">=4" - } - }, - "node_modules/hasown": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", - "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", - "dev": true, - "dependencies": { - "function-bind": "^1.1.2" - }, - "engines": { - "node": ">= 0.4" - } - }, - "node_modules/inflection": { - "version": "1.12.0", - "resolved": "https://registry.npmjs.org/inflection/-/inflection-1.12.0.tgz", - "integrity": "sha512-lRy4DxuIFWXlJU7ed8UiTJOSTqStqYdEb4CEbtXfNbkdj3nH1L+reUWiE10VWcJS2yR7tge8Z74pJjtBjNwj0w==", - "engines": [ - "node >= 0.4.0" - ] - }, - "node_modules/is-bluebird": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/is-bluebird/-/is-bluebird-1.0.2.tgz", - "integrity": "sha512-PDRu1vVip5dGQg5tfn2qVCCyxbBYu5MhYUJwSfL/RoGBI97n1fxvilVazxzptZW0gcmsMH17H4EVZZI5E/RSeA==", - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/is-core-module": { - "version": "2.13.1", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", - "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", - "dev": true, - "dependencies": { - "hasown": "^2.0.0" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/jquery": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/jquery/-/jquery-2.1.0.tgz", - "integrity": "sha512-QyJAvw0LUlUPci88C5LTFNtg4WFs70Dkqmwq4rZyOBflduKnHZakpIIDjhZVygAQbUqaghv6msUyP5TmRoNevQ==" - 
}, - "node_modules/js-tokens": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz", - "integrity": "sha512-RjTcuD4xjtthQkaWH7dFlH85L+QaVtSoOyGdZ3g6HFhS9dFNDfLyqgm2NFe2X6cQpeFmt0452FJjFG5UameExg==", - "dev": true - }, - "node_modules/jsesc": { - "version": "2.5.2", - "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-2.5.2.tgz", - "integrity": "sha512-OYu7XEzjkCQ3C5Ps3QIZsQfNpqoJyZZA99wd9aWd05NCtC5pWOkShK2mkL6HXQR6/Cy2lbNdPlZBpuQHXE63gA==", - "dev": true, - "bin": { - "jsesc": "bin/jsesc" - }, - "engines": { - "node": ">=4" - } - }, - "node_modules/json5": { - "version": "0.5.1", - "resolved": "https://registry.npmjs.org/json5/-/json5-0.5.1.tgz", - "integrity": "sha512-4xrs1aW+6N5DalkqSVA8fxh458CXvR99WU8WLKmq4v8eWAL86Xo3BVqyd3SkA9wEVjCMqyvvRRkshAdOnBp5rw==", - "dev": true, - "bin": { - "json5": "lib/cli.js" - } - }, - "node_modules/lodash": { - "version": "4.16.1", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz", - "integrity": "sha512-qK+vzI6bQ91q3gkfBKpO0rgR0qV6ECjT1+ZBprnFejldHGi74AQ9MPWfSreqqzaF0aLRC7qnnYb5AjTwLXSNKw==" - }, - "node_modules/moment": { - "version": "2.30.1", - "resolved": "https://registry.npmjs.org/moment/-/moment-2.30.1.tgz", - "integrity": "sha512-uEmtNhbDOrWPFS+hdjFCBfy9f2YoyzRpwcl+DqpC6taX21FzsTLQVbMV/W7PzNSX6x/bhC1zA3c2UQ5NzH6how==", - "engines": { - "node": "*" - } - }, - "node_modules/moment-timezone": { - "version": "0.5.45", - "resolved": "https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.45.tgz", - "integrity": "sha512-HIWmqA86KcmCAhnMAN0wuDOARV/525R2+lOLotuGFzn4HO+FH+/645z2wx0Dt3iDv6/p61SIvKnDstISainhLQ==", - "dependencies": { - "moment": "^2.29.4" - }, - "engines": { - "node": "*" - } - }, - "node_modules/ms": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", - "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" - }, - "node_modules/path-parse": { - 
"version": "1.0.7", - "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", - "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==", - "dev": true - }, - "node_modules/resolve": { - "version": "1.22.8", - "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", - "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", - "dev": true, - "dependencies": { - "is-core-module": "^2.13.0", - "path-parse": "^1.0.7", - "supports-preserve-symlinks-flag": "^1.0.0" - }, - "bin": { - "resolve": "bin/resolve" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/retry-as-promised": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/retry-as-promised/-/retry-as-promised-2.3.2.tgz", - "integrity": "sha512-KZMPON7wEhqU4pyWzXw/Ti8NYTVk5+qQ5OfAq3+L/3gJ2Fv+YaLVHbFSK80XlIfI9WrdP8c73bDTrh14SvTSKw==", - "dependencies": { - "bluebird": "^3.4.6", - "debug": "^2.6.9" - } - }, - "node_modules/retry-as-promised/node_modules/debug": { - "version": "2.6.9", - "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", - "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", - "dependencies": { - "ms": "2.0.0" - } - }, - "node_modules/retry-as-promised/node_modules/ms": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", - "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==" - }, - "node_modules/semver": { - "version": "5.4.1", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.4.1.tgz", - "integrity": "sha512-WfG/X9+oATh81XtllIo/I8gOiY9EXRdv1cQdyykeXK17YcUW3EXUAi2To4pcH6nZtJPr7ZOpM5OMyWJZm+8Rsg==", - "bin": { - "semver": "bin/semver" - } - }, - "node_modules/sequelize": { - "version": "4.44.1", - "resolved": 
"https://registry.npmjs.org/sequelize/-/sequelize-4.44.1.tgz", - "integrity": "sha512-eMPkuIRFMVSJWL4QXkI3luuOC/fxSQ0KRHodQb/cbB0PZSbJZ5pNv9HoQkAyzGKdxnU1efb4vMy9ctFcRhIVOw==", - "deprecated": "Please update to v6 or higher! A migration guide can be found here: https://sequelize.org/v6/manual/upgrade-to-v6.html", - "dependencies": { - "bluebird": "^3.5.0", - "cls-bluebird": "^2.1.0", - "debug": "^3.1.0", - "depd": "^1.1.0", - "dottie": "^2.0.0", - "generic-pool": "3.5.0", - "inflection": "1.12.0", - "lodash": "^4.17.1", - "moment": "^2.20.0", - "moment-timezone": "^0.5.14", - "retry-as-promised": "^2.3.2", - "semver": "^5.5.0", - "terraformer-wkt-parser": "^1.1.2", - "toposort-class": "^1.0.1", - "uuid": "^3.2.1", - "validator": "^10.4.0", - "wkx": "^0.4.1" - }, - "engines": { - "node": ">=4.0.0" - } - }, - "node_modules/sequelize/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==" - }, - "node_modules/sequelize/node_modules/semver": { - "version": "5.7.2", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz", - "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==", - "bin": { - "semver": "bin/semver" - } - }, - "node_modules/shimmer": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/shimmer/-/shimmer-1.2.1.tgz", - "integrity": "sha512-sQTKC1Re/rM6XyFM6fIAGHRPVGvyXfgzIDvzoq608vM+jeyVD0Tu1E6Np0Kc2zAIFWIj963V2800iF/9LPieQw==" - }, - "node_modules/source-map": { - "version": "0.5.7", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz", - "integrity": "sha512-LbrmJOMUSdEVxIKvdcJzQC+nQhe8FUZQTXQy6+I75skNgn3OoQ0DZA8YnFa7gp8tqtL3KPf1kmo0R5DoApeSGQ==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/supports-color": { - "version": "5.5.0", - "resolved": 
"https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", - "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==", - "dev": true, - "dependencies": { - "has-flag": "^3.0.0" - }, - "engines": { - "node": ">=4" - } - }, - "node_modules/supports-preserve-symlinks-flag": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", - "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", - "dev": true, - "engines": { - "node": ">= 0.4" - }, - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, - "node_modules/terraformer": { - "version": "1.0.12", - "resolved": "https://registry.npmjs.org/terraformer/-/terraformer-1.0.12.tgz", - "integrity": "sha512-MokUp0+MFal4CmJDVL6VAO1bKegeXcBM2RnPVfqcFIp2IIv8EbPAjG0j/vEy/vuKB8NVMMSF2vfpVS/QLe4DBg==", - "deprecated": "terraformer is deprecated and no longer supported. Please use @terraformer/arcgis.", - "engines": { - "node": ">=4.2.6" - }, - "optionalDependencies": { - "@types/geojson": "^7946.0.0 || ^1.0.0" - } - }, - "node_modules/terraformer-wkt-parser": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/terraformer-wkt-parser/-/terraformer-wkt-parser-1.2.1.tgz", - "integrity": "sha512-+CJyNLWb3lJ9RsZMTM66BY0MT3yIo4l4l22Jd9CrZuwzk54fsu4Sc7zejuS9fCITTuTQy3p06d4MZMVI7v5wSg==", - "deprecated": "terraformer-wkt-parser is deprecated and no longer supported. 
Please use @terraformer/wkt.", - "dependencies": { - "@types/geojson": "^1.0.0", - "terraformer": "~1.0.5" - }, - "engines": { - "node": ">=4.2.6" - } - }, - "node_modules/to-fast-properties": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-2.0.0.tgz", - "integrity": "sha512-/OaKK0xYrs3DmxRYqL/yDc+FxFUVYhDlXMhRmv3z915w2HF1tnN1omB354j8VUGO/hbRzyD6Y3sA7v7GS/ceog==", - "dev": true, - "engines": { - "node": ">=4" - } - }, - "node_modules/toposort-class": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/toposort-class/-/toposort-class-1.0.1.tgz", - "integrity": "sha512-OsLcGGbYF3rMjPUf8oKktyvCiUxSbqMMS39m33MAjLTC1DVIH6x3WSt63/M77ihI09+Sdfk1AXvfhCEeUmC7mg==" - }, - "node_modules/trim-right": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/trim-right/-/trim-right-1.0.1.tgz", - "integrity": "sha512-WZGXGstmCWgeevgTL54hrCuw1dyMQIzWy7ZfqRJfSmJZBwklI15egmQytFP6bPidmw3M8d5yEowl1niq4vmqZw==", - "dev": true, - "engines": { - "node": ">=0.10.0" - } - }, - "node_modules/undici-types": { - "version": "6.19.8", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz", - "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==" - }, - "node_modules/uuid": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", - "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", - "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. 
See https://v8.dev/blog/math-random for details.", - "bin": { - "uuid": "bin/uuid" - } - }, - "node_modules/validator": { - "version": "10.11.0", - "resolved": "https://registry.npmjs.org/validator/-/validator-10.11.0.tgz", - "integrity": "sha512-X/p3UZerAIsbBfN/IwahhYaBbY68EN/UQBWHtsbXGT5bfrH/p4NQzUCG1kF/rtKaNpnJ7jAu6NGTdSNtyNIXMw==", - "engines": { - "node": ">= 0.10" - } - }, - "node_modules/wkx": { - "version": "0.4.8", - "resolved": "https://registry.npmjs.org/wkx/-/wkx-0.4.8.tgz", - "integrity": "sha512-ikPXMM9IR/gy/LwiOSqWlSL3X/J5uk9EO2hHNRXS41eTLXaUFEVw9fn/593jW/tE5tedNg8YjT5HkCa4FqQZyQ==", - "dependencies": { - "@types/node": "*" - } - } - } -} diff --git a/insecure-js/package.json b/insecure-js/package.json deleted file mode 100644 index af55434..0000000 --- a/insecure-js/package.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "dependencies": { - "@aikidosec/firewall": "^1.5.47", - "lodash": "4.16.1", - "semver": "5.4.1", - "jquery": "2.1.0", - "chartist": "0.3.0", - "chart.js": "2.8.0", - "sequelize": "4.44.1" - }, - "devDependencies": { - "@babel/core": "7.0.0-rc.1" - }, - "resolutions": { - "**/semver": "5.4.1", - "**/lodash": "4.16.1" - } -} diff --git a/insecure-js/server.js b/insecure-js/server.js deleted file mode 100644 index a1d598a..0000000 --- a/insecure-js/server.js +++ /dev/null 
@@ -1,160 +0,0 @@ -const http = require('http'); -const _ = require('lodash'); -const qs = require('querystring'); -const semver = require('semver'); -const JSON5 = require('json5'); -const Sequelize = require('sequelize'); - -const hostname = '0.0.0.0'; -const port = 3000; - -// Initialize Sequelize -const sequelize = new Sequelize('database', 'username', 'password', { - host: 'localhost', - dialect: 'mysql' -}); - -// Define a simple model -const User = sequelize.define('user', { - username: { - type: Sequelize.STRING - }, - email: { - type: Sequelize.STRING - } -}); - -const server = http.createServer((req, res) => { - if (req.method === 'POST') { - let body = ''; - req.on('data', chunk => { - body += chunk.toString(); - }); - req.on('end', async () => { - const postData = qs.parse(body); - let responseMessages = []; - // SQL Injection via string concatenation - if (postData.rawSql) { - // - try { - const rawQuery = `SELECT * FROM users WHERE username = '${postData.rawSql}'`; - const users = await sequelize.query(rawQuery, { type: sequelize.QueryTypes.SELECT }); - - if (users.length > 0) { - responseMessages.push(`

Found ${users.length} user(s) with username: ${postData.rawSql}

`); - } else { - responseMessages.push(`

No users found with username: ${postData.rawSql}

`); - } - } catch (error) { - console.error(error); - responseMessages.push(`

An error occurred: ${error.message}

`); - } - } - // SQL Injection via Sequelize findAll function - CVE-2019-10748, technically requires db to be MySQL or MariaDB - if (postData.username) { - try { - // Vulnerable code: unsanitized input being directly passed to the where clause involving a JSON path key - const users = await User.findAll({ - where: { - target: { [postData.username]: 1 } - } - }); - - if (users.length > 0) { - responseMessages.push(`

Found ${users.length} user(s) with target username: ${postData.username}

`); - } else { - responseMessages.push(`

No users found with target username: ${postData.username}

`); - } - } catch (error) { - console.error(error); - responseMessages.push(`

An error occurred: ${error.message}

`); - } - } - // Process template input for lodash vulnerability CVE-2021-23337 - if (postData.template) { - try { - const compiled = _.template(postData.template); - compiled({}); - responseMessages.push(`

Executed template. Check server console for output.

`); - } catch (error) { - console.error(error); - responseMessages.push(`

An error occurred: ${error.message}

`); - } - } - - // Process version range input for semver ReDoS vulnerability CVE-2022-25883 - if (postData.versionRange) { - const start = Date.now(); - try { - semver.validRange(postData.versionRange); - const end = Date.now(); - const timeTaken = end - start; - responseMessages.push(`

Processed version range. Time taken: ${timeTaken}ms.

`); - } catch (error) { - const end = Date.now(); - const timeTaken = end - start; - console.error(error); - responseMessages.push(`

An error occurred while processing the version range: ${error.message}. Time taken: ${timeTaken}ms

`); - } - } - - // CVE-2022-46175 Prototype Pollution from JSON5 - if (postData.json5data) { - try { - const parsedObject = JSON5.parse(postData.json5data); - const testObject = Object.create(parsedObject); - - if (testObject.polluted) { - responseMessages.push(`

Prototype pollution detected: testObject.polluted = ${testObject.polluted}

`); - } else { - responseMessages.push(`

No prototype pollution detected.

`); - } - } catch (error) { - console.error(error); - responseMessages.push(`

An error occurred while processing the JSON5 data: ${error.message}

`); - } - } - - // Send combined response - res.writeHead(200, { 'Content-Type': 'text/html' }); - res.end(responseMessages.join('') + `Go back`); - }); - } else if (req.method === 'GET') { - res.writeHead(200, { 'Content-Type': 'text/html' }); - res.end(` - - -

Lodash Template, Semver Range, and Sequelize Vulnerability Demo

-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- -
- -
-

Submit to execute the vulnerable lodash template function, validate a version range with semver, or test SQL injection via Sequelize on the server.

- - - `); - } -}); - -server.listen(port, hostname, () => { - console.log(`Server running at http://${hostname}:${port}/`); -});