Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adding new feature #62

Open
wants to merge 20 commits into
base: master
Choose a base branch
from
Open

adding new feature #62

wants to merge 20 commits into from

Conversation

jordaniac89
Copy link
Owner

No description provided.

@jordaniac89 jordaniac89 closed this Jun 9, 2023
@jordaniac89 jordaniac89 reopened this Jun 9, 2023
@jordaniac89 jordaniac89 closed this Jun 9, 2023
@jordaniac89 jordaniac89 reopened this Jun 9, 2023
@jordaniac89 jordaniac89 closed this Jun 9, 2023
@jordaniac89 jordaniac89 reopened this Jun 9, 2023
@jordanmilessnyk
Copy link
Collaborator

jordanmilessnyk commented Sep 16, 2024
edited
Loading

Snyk checks have failed. 4 issues have been found so far.

Icon Severity Issues
Critical 0
High 1
Medium 3
Low 0

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

code/snyk check is complete. 4 issues have been found. (View Details)

jordanmilessnyk
jordanmilessnyk reviewed Sep 26, 2024
View reviewed changes
routes/photo_upload.js
}

// Stream the file to the client
res.sendFile(filePath);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  Path Traversal

Unsanitized input from an HTTP parameter flows into sendFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

CWE-23 | Priority score 813 | Line 38

frontend/src/app/data-export/data-export.component-alt.ts
this.error = null
this.confirmation = data.confirmation
this.userData = data.userData
window.open('', '_blank', 'width=500')!.document.write(this.userData)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  Cross-site Scripting (XSS)

Unsanitized input from data from a remote resource flows into write, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

CWE-79 | Priority score 557 | Line 59

frontend/src/app/data-export/data-export.component-alt.ts

getNewCaptcha () {
this.imageCaptchaService.getCaptcha().subscribe((data: any) => {
this.captcha = this.sanitizer.bypassSecurityTrustHtml(data.image)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  Cross-site Scripting (XSS)

Unsanitized input from data from a remote resource flows into bypassSecurityTrustHtml, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

CWE-79 | Priority score 584 | Line 46

routes/photo_upload.js
});

// Handle file download
app.get('/download/:filename', (req, res) => {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  Allocation of Resources Without Limits or Throttling

This endpoint handler performs a file system operation and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. Consider using a rate-limiting middleware such as express-limit.

CWE-770 | Priority score 575 | Line 28

@jordaniac89 jordaniac89 reopened this Nov 20, 2024
@jordaniac89 jordaniac89 reopened this Nov 20, 2024
@jordaniac89 jordaniac89 reopened this Nov 20, 2024
@jordaniac89 jordaniac89 reopened this Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jordanmilessnyk jordanmilessnyk jordanmilessnyk left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jordaniac89 @jordanmilessnyk