From bed4c4bb1b5974031e583c4381316e909ba4a14d Mon Sep 17 00:00:00 2001 From: jmagee Date: Tue, 6 Feb 2024 08:59:16 +0000 Subject: [PATCH 1/3] SAST Update PRFiles --- IAC/ec2.tf | 32 ------- IAC/s3.tf | 141 ------------------------------- IAC/s3bucket.yaml | 24 ------ IAC/storage.bicep | 49 ----------- SCA/pom.xml | 128 ---------------------------- SCA/requirements.txt | 38 --------- Secrets/app1.js | 3 - Secrets/config.js | 2 - java/main.java | 189 ------------------------------------------ javascript/crypto.js | 94 --------------------- javascript/express.js | 40 --------- javascript/index.js | 39 --------- javascript/nest.js | 26 ------ javascript/next.js | 39 --------- python/django.py | 96 --------------------- python/flask.py | 23 ----- python/main.py | 61 -------------- 17 files changed, 1024 deletions(-) delete mode 100644 IAC/ec2.tf delete mode 100644 IAC/s3.tf delete mode 100644 IAC/s3bucket.yaml delete mode 100644 IAC/storage.bicep delete mode 100644 SCA/pom.xml delete mode 100644 SCA/requirements.txt delete mode 100644 Secrets/app1.js delete mode 100644 Secrets/config.js delete mode 100644 java/main.java delete mode 100644 javascript/crypto.js delete mode 100644 javascript/express.js delete mode 100644 javascript/index.js delete mode 100644 javascript/nest.js delete mode 100644 javascript/next.js delete mode 100644 python/django.py delete mode 100644 python/flask.py delete mode 100644 python/main.py diff --git a/IAC/ec2.tf b/IAC/ec2.tf deleted file mode 100644 index ef6cf82..0000000 --- a/IAC/ec2.tf +++ /dev/null 
@@ -1,32 +0,0 @@ -resource "aws_instance" "web_host" { - # ec2 have plain text secrets in user data - ami = "${var.ami}" - instance_type = "t2.nano" - - vpc_security_group_ids = [ - "${aws_security_group.web-node.id}"] - subnet_id = "${aws_subnet.web_subnet.id}" - user_data = <Deployed via Terraform" | sudo tee /var/www/html/index.html -EOF - tags = merge({ - Name = "${local.resource_prefix.value}-ec2" - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/ec2.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "jmagee@paloaltonetworks.com" - git_modifiers = "jmagee" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6" - }) -} diff --git a/IAC/s3.tf b/IAC/s3.tf deleted file mode 100644 index 45afe45..0000000 --- a/IAC/s3.tf +++ /dev/null 
@@ -1,141 +0,0 @@ -resource "aws_s3_bucket" "data" { - # bucket is public - # bucket is not encrypted - # bucket does not have access logs - # bucket does not have versioning - bucket = "${local.resource_prefix.value}-data" - force_destroy = true - tags = merge({ - Name = "${local.resource_prefix.value}-data" - Environment = local.resource_prefix.value - }, { - git_commit = "4d57f83ca4d3a78a44fb36d1dcf0d23983fa44f5" - git_file = "terraform/aws/s3.tf" - git_last_modified_at = "2022-05-18 07:08:06" - git_last_modified_by = "jmagee@paloaltonetworks.com" - git_modifiers = "34870196+LironElbaz/nimrod/nimrodkor/jmagee" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "0874007d-903a-4b4c-945f-c9c233e13243" - }) -} - -resource "aws_s3_bucket_object" "data_object" { - bucket = aws_s3_bucket.data.id - key = "customer-master.xlsx" - source = "resources/customer-master.xlsx" - tags = merge({ - Name = "${local.resource_prefix.value}-customer-master" - Environment = local.resource_prefix.value - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/s3.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "njmagee@paloaltonetworks.com" - git_modifiers = "jmagee" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "a7f01cc7-63c2-41a8-8555-6665e5e39a64" - }) -} - -resource "aws_s3_bucket" "financials" { - # bucket is not encrypted - # bucket does not have access logs - # bucket does not have versioning - bucket = "${local.resource_prefix.value}-financials" - acl = "private" - force_destroy = true - tags = merge({ - Name = "${local.resource_prefix.value}-financials" - Environment = local.resource_prefix.value - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/s3.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "jmagee@paloaltonetworks.com" - git_modifiers = "jmagee" - git_org = "bridgecrewio" - git_repo = "terragoat" - 
yor_trace = "0e012640-b597-4e5d-9378-d4b584aea913" - }) - -} - -resource "aws_s3_bucket" "operations" { - # bucket is not encrypted - # bucket does not have access logs - bucket = "${local.resource_prefix.value}-operations" - acl = "private" - versioning { - enabled = true - } - force_destroy = true - tags = merge({ - Name = "${local.resource_prefix.value}-operations" - Environment = local.resource_prefix.value - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/s3.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "jmagee@paloaltonetworks.com" - git_modifiers = "jmagee" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "29efcf7b-22a8-4bd6-8e14-1f55b3a2d743" - }) -} - -resource "aws_s3_bucket" "data_science" { - # bucket is not encrypted - bucket = "${local.resource_prefix.value}-data-science" - acl = "private" - versioning { - enabled = true - } - logging { - target_bucket = "${aws_s3_bucket.logs.id}" - target_prefix = "log/" - } - force_destroy = true - tags = { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/s3.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "jmagee@paloaltonetworks.com" - git_modifiers = "jmagee" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "9a7c8788-5655-4708-bbc3-64ead9847f64" - } -} - -resource "aws_s3_bucket" "logs" { - bucket = "${local.resource_prefix.value}-logs" - acl = "log-delivery-write" - versioning { - enabled = true - } - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "aws:kms" - kms_master_key_id = "${aws_kms_key.logs_key.arn}" - } - } - } - force_destroy = true - tags = merge({ - Name = "${local.resource_prefix.value}-logs" - Environment = local.resource_prefix.value - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/s3.tf" - git_last_modified_at = "2020-06-16 
14:46:24" - git_last_modified_by = "jmagee@paloaltonetworks.com" - git_modifiers = "jmagee" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "01946fe9-aae2-4c99-a975-e9b0d3a4696c" - }) -} diff --git a/IAC/s3bucket.yaml b/IAC/s3bucket.yaml deleted file mode 100644 index 5a22548..0000000 --- a/IAC/s3bucket.yaml +++ /dev/null @@ -1,24 +0,0 @@ -AWSTemplateFormatVersion: '2010-09-09' -Metadata: - License: Apache-2.0 -Description: 'AWS CloudFormation Sample Template S3_Website_Bucket_With_Retain_On_Delete: - Sample template showing how to create a publicly accessible S3 bucket configured - for website access with a deletion policy of retain on delete. **WARNING** This - template creates an S3 bucket that will NOT be deleted when the stack is deleted. - You will be billed for the AWS resources used if you create a stack from this template.' -Resources: - S3Bucket: - Type: AWS::S3::Bucket - Properties: - AccessControl: PublicRead - WebsiteConfiguration: - IndexDocument: index.html - ErrorDocument: error.html - DeletionPolicy: Retain -Outputs: - WebsiteURL: - Value: !GetAtt [S3Bucket, WebsiteURL] - Description: URL for website hosted on S3 - S3BucketSecureURL: - Value: !Join ['', ['https://', !GetAtt [S3Bucket, DomainName]]] - Description: Name of S3 bucket to hold website content \ No newline at end of file diff --git a/IAC/storage.bicep b/IAC/storage.bicep deleted file mode 100644 index 9dd77d4..0000000 --- a/IAC/storage.bicep +++ /dev/null 
@@ -1,49 +0,0 @@ -@description('Name of environment') -param env string = 'dev' - -@description('Default location for all resources.') -param location string = resourceGroup().location - -var name = 'bicepgoat' - -resource datadisk 'Microsoft.Compute/disks@2021-12-01' = { - name: '${name}-disk-${env}' - location: location - sku: { - name: 'Standard_LRS' - } - - properties: { - diskSizeGB: 10 - encryptionSettingsCollection: { - enabled: false - } - } -} - -resource storageAccount 'Microsoft.Storage/storageAccounts@2021-01-01' = { - name: '${name}-sa-${env}' - location: location - kind: 'StorageV2' - sku: { - name: 'Standard_GRS' - } - - properties: { - supportsHttpsTrafficOnly: false - - networkAcls: { - bypass: 'None' - defaultAction: 'Deny' - } - } - - resource configWeb 'config' = { - name: 'web' - - properties: { - minTlsVersion: '1.1' - remoteDebuggingEnabled: true - } - } -} \ No newline at end of file diff --git a/SCA/pom.xml b/SCA/pom.xml deleted file mode 100644 index c245fb2..0000000 --- a/SCA/pom.xml +++ /dev/null 
@@ -1,128 +0,0 @@ - - 4.0.0 - com.checkmarx.app - sca-big-goat - jar - 1.0-SNAPSHOT - sca-big-goat - http://maven.apache.org - - - - ${org.checkerframework:jdk8:jar} - - - - - commons-httpclient - commons-httpclient - 3.1 - - - commons-collections - commons-collections - 3.2.2 - - - dom4j - dom4j - 1.6.1 - - - axis - axis - 1.4 - - - org.apache.httpcomponents - httpasyncclient - 4.1.4 - - - ca.juliusdavies - not-yet-commons-ssl - 0.3.9 - - - org.bouncycastle - bcprov-jdk15 - 1.46 - - - org.webjars - jquery - 3.5.1 - - - org.beanshell - bsh - 2.0b5 - - - org.codehaus.jackson - jackson-core-asl - 1.9.13 - - - org.mortbay.jetty - jetty-util - 6.1.26 - - - io.netty - netty - 3.10.6.Final - - - log4j - log4j - 1.2.17 - - - net.sf.dozer - dozer - 5.5.1 - - - org.beanshell - bsh - 2.0b4 - - - org.codehaus.jackson - jackson-mapper-asl - 1.9.13 - - - taglibs - standard - 1.1.2 - - - org.simpleframework - simple-xml - 2.7.1 - - - ant - ant - 1.6.5 - - - org.apache.spark - spark-core_2.11 - 2.4.7 - - - org.mortbay.jetty - jetty - 6.1.26 - - - org.apache.hadoop - hadoop-yarn-server-nodemanager - 3.3.0 - - - diff --git a/SCA/requirements.txt b/SCA/requirements.txt deleted file mode 100644 index 6ecc4ce..0000000 --- a/SCA/requirements.txt +++ /dev/null @@ -1,38 +0,0 @@ -parso==0.8.1 -pycrypto==2.6.1 -oauth2==1.9.0.post1 -httplib2==0.17.4 -Django==1.11.1 -PyYAML==3.13 -urllib3==1.23 -requests==2.2.1 -PyYAML==5.1 -Django==1.7.1 -ansible==2.8.8 -Werkzeug==0.15.3 -urllib3==1.25.2 -Jinja2==2.10.1 -Pygments==2.0.2 -pandas==0.24.2 -python-gnupg==0.4.3 -PyJWT==0.4.2 -rsa==3.4.2 -requests==2.19.1 -urllib3==1.24.2 -Django==3.1 -Pillow==7.1.0 -pycrypto==2.4 -tensorflow==1.14.0 -Jinja2==2.7.2 -Flask==0.11.1 -feedparser==5.1.1 -mercurial==4.8.2 -buildbot==0.7.11 -notebook==5.7.10 -httplib2==0.12.0 -lodash==3.10.1 -sphinx==3.0.3 -sphinx-py3doc-enhanced-theme==2.4.0 -docutils==0.16 --e . - diff --git a/Secrets/app1.js b/Secrets/app1.js deleted file mode 100644 index 68d0341..0000000 
--- a/Secrets/app1.js
+++ /dev/null
@@ -1,3 +0,0 @@
-const SEC_1 = "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"
-const SEC_2 = "eyJrIjoiNUwyZU7TMmRxQXNVcnR7UXB0ME4zYkhRaTk2STVhR0MiLCJuIjoidGVtcCIsImlkIjoxfQ=="
-const SEC_3 = "dsapi45202d12abdce73c004a9e0be24a21b2"
\ No newline at end of file
diff --git a/Secrets/config.js b/Secrets/config.js
deleted file mode 100644
index 430f192..0000000
--- a/Secrets/config.js
+++ /dev/null
@@ -1,2 +0,0 @@
-const CIRCLE_CI = "2065ae463be5e534bb1d074a366d44e7a776d472"
-const JIRA = "5FP0NmFYz81U32XdjNb42762"
\ No newline at end of file
diff --git a/java/main.java b/java/main.java
deleted file mode 100644
index c6d4618..0000000
--- a/java/main.java
+++ /dev/null
@@ -1,189 +0,0 @@ -import static org.apache.commons.io.FilenameUtils; -import org.apache.commons.fileupload.FileItem; -import javax.servlet.http.Cookie; -import static org.apache.commons.io.FilenameUtils; - -class MyBadImplementation extends java.security.MessageDigest { - -} - -class Connector1 { - @javax.jws.WebMethod - void connect(HttpServletRequest req){ - HttpServletResponse res = new HttpServletResponse(); - res.setHeader("Access-Control-Allow-Origin", "*"); - } -} - -import javax.servlet.Filter; -public class HttpRequestDebugFilter implements Filter { - public void doFilter(ServletRequest request) throws IOException, - ServletException { - if (request instanceof HttpServletRequest) { - javax.crypto.Cipher.getInstance("/CBC/PKCS5Padding") - } - } -} - -@EnableWebSecurity -public class WebSecurityConfig extends WebSecurityConfigurerAdapter { - - @Override - protected void configure(HttpSecurity http) throws Exception { - http.csrf().ignoringAntMatchers("/route/fre"); - } -} - -class Connector2 { - @javax.jws.WebMethod - void connect(HttpServletRequest req){ - SymmetricEncryptionConfig sec = new com.hazelcast.config.SymmetricEncryptionConfig(); - } -} - -class Connector3 { - void connect(HttpServletRequest req){ - javax.servlet.http.Cookie cookie = new Cookie("cookie") - HttpServletResponse res = new HttpServletResponse(); - res.addCookie(cookie); - } -} - -class Connector4 { - @javax.jws.WebMethod - void connect(HttpServletRequest req){ - javax.crypto.Cipher.getInstance("DES/CBC/NoPadding"); - } -} - -class Connector5 { - @javax.jws.WebMethod - void connect(HttpServletRequest req){ - Keygen keygen = javax.crypto.KeyGenerator.getInstance("Blowfish"); - keygen.init(100); - } -} - -class Connector6 { - @javax.jws.WebMethod - void connect(HttpServletRequest req){ - javax.servlet.http.Cookie cook = new Cookie("cookie"); - cook.setSecure(false); - req.addCookie(cook); - } -} - - -class Connector7 { - @javax.jws.WebMethod - void connect(HttpServletRequest req){ - 
Cookie cook = new Cookie("cookie"); - cook.setMaxAge(31536000); - } -} - -class Connector8 { - void connect(HttpServletRequest req){ - java.nio.file.Files.createTempDirectory("file"); - } -} - -public class WeakNightVoter implements AccessDecisionVoter { - @Override - public int vote(Authentication authentication, Object object, Collection collection) { // Noncompliant - Calendar calendar = Calendar.getInstance(); - int currentHour = calendar.get(Calendar.HOUR_OF_DAY); - return ACCESS_ABSTAIN; // Noncompliant - } -} - -class Connector9 { - @javax.jws.WebMethod - void connect(HttpServletRequest req){ - Cookie cook = new Cookie("cookie"); - for (Cookie cookie : req.getCookies()) { - cookie.getPath(); - } - } -} - -class Connector10 { - @javax.jws.WebMethod - void connect(HttpServletRequest req){ - Cookie cook = new Cookie("cookie"); - req.setAttribute(cook.getString(), cook.getVal()); - } -} - -public class Decorator1 { - - public static void main(String[] args) { - org.apache.commons.io.FilenameUtils.normalize(args[0]); - } -} - -public class Decorator2 { - - public void decorator(HttpServletRequest request) { - ServletFileUpload sfu = new ServletFileUpload(); - FileItem[] files = sfu.parseRequest(request); - for (FileItem file : files) { - System.out.println(file.getName()); - } - } -} - -public class Decorator3 { - - public void decorator(HttpServletRequest request) { - Parameter param = request.getParameter('param'); - new java.io.FileReader(param); - } -} - -public class Decorator4 { - - public void decorator(String[] args) { - new java.io.FileWriter(args[0]) - } -} - -public class Decorator5 { - - public void decorator(String var) { - FileInputStream fis = new FileInputStream(var); - javax.xml.transform.Transformer transformer = new Transformer(); - transformer.transform(fis); - } -} - -public class Decorator6 { - - public void decorator(HttpServletRequest request) { - Parameter param = request.getParameter('param'); - added = param + "addition"; - new 
java.io.FileInputStream(added); - } -} - -public class Decorator7 { - - public void decorator(String[] args) { - String param = args[0]; - new java.io.RandomAccessFile(param); - } -} - - - -public class LambdaFunctionHandler implements RequestHandler < Request, String > { - @javax.ws.rs.Path("some/path") - String handleRequest(Request request, Context context) { - String s = " "; - if (s == "") { - s = "Sucess " + String.format("Added %s %s %s %s %s.", request.emp_id, request.month, request.year, request.overtime); - } - return s; - } -} - diff --git a/javascript/crypto.js b/javascript/crypto.js deleted file mode 100644 index 006f5db..0000000 --- a/javascript/crypto.js +++ /dev/null 
@@ -1,94 +0,0 @@ -const cryptoRandomString = require('crypto-random-string'); -const forge = require('node-forge'); -const randomBytes = require('randombytes'); -const nacl = require('tweetnacl'); -import crypto from 'node:crypto'; -var crypto = require('crypto'); - -let Rand = new brorand.Rand({getByte: () => 255}); -let rand = Rand.rand; -let result= Rand.generate(12); - -randomBytes(12, (err, buf) => { - if (err) throw err; - console.log(`${buf.length} bytes of random data: ${buf.toString('hex')}`); -}); -randomBytes(8, function (err, resp) { -}); - -const randString = cryptoRandomString({length: 10}); -var randKey1 = forge.random.getBytesSync(8); -var randKey2 = new Buffer(nacl.randomBytes(12)); - - -// getting derived key -// by using hkdf() method -const val = crypto.hkdf('sha512', 'key', '', - 'info', 64, (err, derivedKey) => { - if (err) throw err; - console.log(Buffer.from(derivedKey).toString('hex')); -}); - -crypto.DEFAULT_ENCODING = 'hex'; -const key = crypto.scryptSync('password', '', 64, { N: 1024 }); - -function generateKeyFiles() { - - const keyPair = crypto.generateKeyPairSync('rsa', { - modulusLength: 520, - publicKeyEncoding: { - type: 'spki', - format: 'pem' - }, - privateKeyEncoding: { - type: 'pkcs8', - format: 'pem', - cipher: 'aes-256-cbc', - passphrase: 'top secret' - } - }); - - // Creating private key file - return keyPair.privateKey; -} - -// Generate keys -let privateKey = generateKeyFiles(); - -// Creating a function to encrypt string -function encryptString (plaintext, privateKey) { - privateKey = { - key: privateKey, - padding: crypto.constants.RSA_NO_PADDING, - passphrase: 'top secret' - } - // privateEncrypt() method with its parameters - const encrypted = crypto.privateEncrypt( - privateKey, Buffer.from(plaintext)); - return encrypted.toString("base64"); -} - - -const plainText = "GfG"; -const encrypted1 = encryptString(plainText, privateKey); -let functionCipher = crypto.createCipheriv('des128', "Password") -let myHashedPassword 
= functionCipher.update("my private password in plain text", "utf8", "hex") -myHashedPassword += functionCipher.final("hex") -var encrypted2 = CryptoJS.TripleDES.encrypt("Message", "Secret Passphrase"); - - -const filename = argv[2]; - -const hash = createHash('md5'); - -const input = createReadStream(filename); -input.on('readable', () => { - // Only one element is going to be produced by the - // hash stream. - const data = input.read(); - if (data) - hash.update(data); - else { - console.log(`${hash.digest('hex')} $(unknown)`); - } -}); \ No newline at end of file diff --git a/javascript/express.js b/javascript/express.js deleted file mode 100644 index 5c3cf0b..0000000 --- a/javascript/express.js +++ /dev/null @@ -1,40 +0,0 @@ -const express = require('express') -const axios = require('axios'); -import qs from 'qs'; - -const data = { 'bar': 123 }; -const options = { - method: 'GET', - headers: { 'content-type': 'application/x-www-form-urlencoded' }, - data: qs.stringify(data), - url: "http://google.com" -}; -axios(options); - -express.csrf(); -express.methodOverride(); -const express = express() - -// GET random number -express.get("/random", (req, res) => { - var randomishNumber = crypto.pseudoRandomBytes - res.send(randomishNumber); -}); - -express.get("/", (req, res) => res.send("Hello World!")); - -express.listen(1000, () => console.log("Server listening on port 1000!")); - -import axios from 'axios'; - -async function doGetRequest() { - - let res = await axios.post('http://google.com'); - - let data = res.data; - console.log(data); -} - -doGetRequest(); - - diff --git a/javascript/index.js b/javascript/index.js deleted file mode 100644 index 2ac1517..0000000 --- a/javascript/index.js +++ /dev/null 
@@ -1,39 +0,0 @@ -const fs = require('fs'); - -fs.writeFile("temp_programming.txt", "foo", {mode:fs.constants.S_IXUSR | fs.constants.S_IRUSR }); - -const mode1 = fs.constants.S_IXGRP | fs.constants.S_IRUSR -fs.writeFile("temp_programming.txt", "bar", {mode1}); -fs.appendFile(argOne, data, callback) -fs.appendFileSync(argOne, data) -fs.chmod(argOne, mode, callback) -fs.chmodSync(argOne, mode) - -const mode2 = fs.constants.S_IXUSR; -const flags = 'w' -fs.open('temp_foo', flags, mode2, function (err, f) { - if (err) { - return console.error(err); - } - console.log(f); - console.log("File opened!!"); -}); - -fs.writeFileSync("temp_programming.txt", "foo", {mode:fs.constants.S_IXUSR | fs.constants.S_IRUSR }); - -new Buffer(5); -new Buffer(res.body.size); - -function getVarFromObject(someVar, obj) { - obj.escapeMarkup = false; - const someObjVar = {s: someVar} - const val = obj[someObjVar.s] - return val -} - -const expression = new String("2 + 2"); -eval(String(expression)); - - - - diff --git a/javascript/nest.js b/javascript/nest.js deleted file mode 100644 index e77592d..0000000 --- a/javascript/nest.js +++ /dev/null 
@@ -1,26 +0,0 @@ -import { INestApplication, ValidationPipe } from '@nestjs/common'; -import { NestFactory } from '@nestjs/core'; -import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger'; - -import { LoggingInterceptor } from 'libs/LoggingInterceptor'; -import { HttpExceptionFilter } from 'libs/HttpExceptionFilter'; - -import { Config } from 'src/Config'; -import { AppModule } from 'src/AppModule'; -import helmet from 'helmet'; -import compression from 'compression'; - - -async function bootstrap() { - const app = await NestFactory.create(AppModule); - app.enableCors(); - app.use(helmet()); - app.use(compression()); - app.useGlobalPipes(new ValidationPipe()); - app.useGlobalInterceptors(new LoggingInterceptor()); - app.useGlobalFilters(new HttpExceptionFilter()); - setupSwagger(app); - await app.listen(1000); -} - -bootstrap(); \ No newline at end of file diff --git a/javascript/next.js b/javascript/next.js deleted file mode 100644 index 12cfdee..0000000 --- a/javascript/next.js +++ /dev/null 
@@ -1,39 +0,0 @@ -// server.js -const { createServer } = require('http') -const { parse } = require('url') -const next = require('next') - -const hostname = 'localhost' -// when using middleware `hostname` and `port` must be provided below -const app = next({ dev: process.env.NODE_ENV !== 'production', hostname: 'localhost', port:5 }) -const handle = app.getRequestHandler() - -app.prepare().then(() => { - createServer(async (req, res) => { - try { - // Be sure to pass `true` as the second argument to `url.parse`. - // This tells it to parse the query portion of the URL. - const parsedUrl = parse(req.url, true) - const { pathname, query } = parsedUrl - - if (pathname === '/a') { - await app.render(req, res, '/a', query) - } else if (pathname === '/b') { - await app.render(req, res, '/b', query) - } else { - await handle(req, res, parsedUrl) - } - } catch (err) { - console.error('Error occurred handling', req.url, err) - res.statusCode = 500 - res.end('internal server error') - } - }) - .once('error', (err) => { - console.error(err) - process.exit(1) - }) - .listen(port, () => { - console.log(`> Ready on http://localhost:${5}`) - }) -}) \ No newline at end of file diff --git a/python/django.py b/python/django.py deleted file mode 100644 index 3beac97..0000000 --- a/python/django.py +++ /dev/null 
@@ -1,96 +0,0 @@ -import json -from collections import OrderedDict - -from django.conf import settings -try: - from django.core import urlresolvers -except ImportError: - from django import urls as urlresolvers -try: - from django.urls.exceptions import NoReverseMatch -except ImportError: - from django.core.urlresolvers import NoReverseMatch -from django.utils.html import format_html -from django.utils.safestring import mark_safe - -MAX = 75 - - -class LogEntryAdminMixin(object): - - def created(self, obj): - return obj.timestamp.strftime('%Y-%m-%d %H:%M:%S') - created.short_description = 'Created' - - def user_url(self, obj): - if obj.actor: - app_label, model = settings.AUTH_USER_MODEL.split('.') - viewname = 'admin:%s_%s_change' % (app_label, model.lower()) - try: - link = urlresolvers.reverse(viewname, args=[obj.actor.id]) - except NoReverseMatch: - return u'%s' % (obj.actor) - return format_html(u'{}', link, obj.actor) - - return 'system' - user_url.short_description = 'User' - - def msg_short(self, obj): - if obj.action == 2: - return '' # delete - changes = json.loads(obj.changes) - s = '' if len(changes) == 1 else 's' - fields = ', '.join(changes.keys()) - if len(fields) > MAX: - i = fields.rfind(' ', 0, MAX) - fields = fields[:i] + ' ..' - return '%d change%s: %s' % (len(changes), s, fields) - msg_short.short_description = 'Changes' - - def msg(self, obj): - if obj.action == 2: - return '' # delete - changes = json.loads(obj.changes) - msg = '' - for i, field in enumerate(sorted(changes), 1): - value = [i, field] + (['***', '***'] if field == 'password' else changes[field]) - msg += format_html('', *value) - - msg += '
#FieldFromTo
{}{}{}{}
' - return mark_safe(msg) - msg.short_description = 'Changes' - - -class State(models.Model): - name=models.CharField(max_length=150) - -class City(models.Model): - name=models.CharField(max_length=150) - -class Student(models.Model): - name=models.CharField(max_length=150) - state_id=models.PositiveIntegerField() - city_id=models.PositiveIntegerField() - is_active = models.BooleanField(default=False) - -students = Student.objects.filter( - is_active=True, - ).extra( - select={ - 'state': - 'SELECT name FROM state WHERE ' - 'state.id = ' - 'testapp_student.state_id', - 'city': - 'SELECT name FROM city WHERE ' - 'city.id = ' - 'testapp_student.city_id', - }, - ) - - -students_2 = Student.objects.extra( - select=OrderedDict([('a', '%s'), ('b', '%s')]), - select_params=('one', 'two')) - -Students_3 = Student.objects.extra(where=["foo='a' OR bar = 'a'", "baz = 'a'"]) \ No newline at end of file diff --git a/python/flask.py b/python/flask.py deleted file mode 100644 index c78931d..0000000 --- a/python/flask.py +++ /dev/null @@ -1,23 +0,0 @@ -import os -from flask import Flask, request -import bleach -app = Flask(__name__) - -# curl -X GET "http://localhost:5000/tainted7/touch%20HELLO" -@app.route("/tainted7/") -def test_sources_7(something): - - os.system(request.remote_addr) - - return "foo" - -@app.route("/sanitized/") -def test_sources_7(something): - data = flask.request.args.get("key") - sanitized_data = bleach.clean(data) - os.system(sanitized_data) - - return "bar" - -if __name__ == "__main__": - app.run(debug=True) diff --git a/python/main.py b/python/main.py deleted file mode 100644 index 2e7b1c0..0000000 --- a/python/main.py +++ /dev/null 
@@ -1,61 +0,0 @@ -import os, stat -from cryptography.hazmat.primitives.asymmetric import rsa, dsa -from Crypto.PublicKey import DSA -from socket import socket, AF_INET, SOCK_STREAM, SOCK_NONBLOCK - -# Set a file write by others. -temp_file = "/tmp/foo.txt" -os.chmod(temp_file, stat.S_IWOTH) - -with open(temp_file, 'r') as f: - print(f) - -os.chmod("/tmp/foo.txt", stat.S_IXGRP) -tar_file = '/file.tax*' -os.system(tar_file) - -KEY_SIZE = 1024 -private_rsa_key = rsa.generate_private_key( - public_exponent=65537, - key_size=KEY_SIZE -) - -private_dsa_key = dsa.generate_private_key( - key_size=KEY_SIZE, -) - - -private_dsa_key_2 = DSA.generate(bits=KEY_SIZE) - -assert(private_dsa_key_2 == private_dsa_key) - -program = 'a = 5\nb=10\nprint("Sum =", a+b)' -exec(program) - - -def is_real_user(user="user123", password="Password1"): - return True - - -sock = socket( - AF_INET, - SOCK_STREAM | SOCK_NONBLOCK) - -# Bind the socket to the internet with a port number -sock.bind(("::", 32007)) - - -def add_server_port(sg, server_name, port): - server = _get_server(sg, server_name, port) - if server is not None: - return False - set_port(port) - return server - -add_server_port('security-group', 'server', 80) - - - - - - From 52014b126d14ea9f0da07a20e3e43e8d427c5813 Mon Sep 17 00:00:00 2001 From: jmagee Date: Tue, 6 Feb 2024 09:15:06 +0000 Subject: [PATCH 2/3] IAC Update PR Files --- IAC/DynamoDB_Index.yaml | 54 ++++ IAC/DynamoDB_Secondary_Index.yaml | 64 +++++ IAC/aks.bicep | 34 +++ IAC/dbapp.tf | 423 ++++++++++++++++++++++++++++++ IAC/ec2sg.yaml | 69 +++++ IAC/ecr.tf | 34 +++ IAC/instance.bicep | 75 ++++++ 7 files changed, 753 insertions(+) create mode 100644 IAC/DynamoDB_Index.yaml create mode 100644 IAC/DynamoDB_Secondary_Index.yaml create mode 100644 IAC/aks.bicep create mode 100644 IAC/dbapp.tf create mode 100644 IAC/ec2sg.yaml create mode 100644 IAC/ecr.tf create mode 100644 IAC/instance.bicep 
diff --git a/IAC/DynamoDB_Index.yaml b/IAC/DynamoDB_Index.yaml new file mode 100644 index 0000000..ea6d86a --- /dev/null +++ b/IAC/DynamoDB_Index.yaml @@ -0,0 +1,54 @@ +AWSTemplateFormatVersion: '2010-09-09' +Metadata: + License: Apache-2.0 +Description: 'AWS CloudFormation Sample Template DynamoDB_Table: This template demonstrates + the creation of a DynamoDB table. **WARNING** This template creates an Amazon DynamoDB + table. You will be billed for the AWS resources used if you create a stack from + this template.' +Parameters: + HashKeyElementName: + Description: HashType PrimaryKey Name + Type: String + AllowedPattern: '[a-zA-Z0-9]*' + MinLength: '1' + MaxLength: '2048' + ConstraintDescription: must contain only alphanumberic characters + HashKeyElementType: + Description: HashType PrimaryKey Type + Type: String + Default: S + AllowedPattern: '[S|N]' + MinLength: '1' + MaxLength: '1' + ConstraintDescription: must be either S or N + ReadCapacityUnits: + Description: Provisioned read throughput + Type: Number + Default: '5' + MinValue: '5' + MaxValue: '10000' + ConstraintDescription: must be between 5 and 10000 + WriteCapacityUnits: + Description: Provisioned write throughput + Type: Number + Default: '10' + MinValue: '5' + MaxValue: '10000' + ConstraintDescription: must be between 5 and 10000 +Resources: + myDynamoDBTable: + Type: AWS::DynamoDB::Table + Properties: + AttributeDefinitions: + - AttributeName: !Ref 'HashKeyElementName' + AttributeType: !Ref 'HashKeyElementType' + KeySchema: + - AttributeName: !Ref 'HashKeyElementName' + KeyType: HASH + ProvisionedThroughput: + ReadCapacityUnits: !Ref 'ReadCapacityUnits' + WriteCapacityUnits: !Ref 'WriteCapacityUnits' +Outputs: + TableName: + Value: !Ref 'myDynamoDBTable' + Description: Table name of the newly created DynamoDB table \ No newline at end of file diff --git a/IAC/DynamoDB_Secondary_Index.yaml b/IAC/DynamoDB_Secondary_Index.yaml new file mode 100644 index 0000000..ca519ba --- /dev/null 
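Review bot: `AllowedPattern: '[S|N]'` on HashKeyElementType does not enforce the "must be either S or N" constraint it describes: inside a character class `|` is a literal, so the parameter also accepts the single character `|`, and the invalid attribute type would presumably surface only when the table is created. Replace it with `AllowedValues: [S, N]` (which makes AllowedPattern, MinLength and MaxLength redundant), or at minimum `AllowedPattern: '[SN]'`. Separately, both this template and DynamoDB_Secondary_Index.yaml create tables with no DeletionPolicy/UpdateReplacePolicy and no PointInTimeRecoverySpecification, so a stack delete or a bad write is unrecoverable; if these are deliberate scanner fixtures, a leading comment such as `# Fixture: intentionally omits PITR and DeletionPolicy` would stop reviewers re-raising it. The ConstraintDescription on HashKeyElementName also misspells "alphanumeric".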
+++ b/IAC/DynamoDB_Secondary_Index.yaml @@ -0,0 +1,64 @@ +AWSTemplateFormatVersion: '2010-09-09' +Metadata: + License: Apache-2.0 +Description: 'AWS CloudFormation Sample Template DynamoDB_Secondary_Indexes: Create + a DynamoDB table with local and global secondary indexes. **WARNING** This template + creates an Amazon DynamoDB table. You will be billed for the AWS resources used + if you create a stack from this template.' +Parameters: + ReadCapacityUnits: + Description: Provisioned read throughput + Type: Number + Default: '5' + MinValue: '5' + MaxValue: '10000' + ConstraintDescription: must be between 5 and 10000 + WriteCapacityUnits: + Description: Provisioned write throughput + Type: Number + Default: '10' + MinValue: '5' + MaxValue: '10000' + ConstraintDescription: must be between 5 and 10000 +Resources: + TableOfBooks: + Type: AWS::DynamoDB::Table + Properties: + AttributeDefinitions: + - AttributeName: Title + AttributeType: S + - AttributeName: Category + AttributeType: S + - AttributeName: Language + AttributeType: S + KeySchema: + - AttributeName: Category + KeyType: HASH + - AttributeName: Title + KeyType: RANGE + ProvisionedThroughput: + ReadCapacityUnits: !Ref 'ReadCapacityUnits' + WriteCapacityUnits: !Ref 'WriteCapacityUnits' + LocalSecondaryIndexes: + - IndexName: LanguageIndex + KeySchema: + - AttributeName: Category + KeyType: HASH + - AttributeName: Language + KeyType: RANGE + Projection: + ProjectionType: KEYS_ONLY + GlobalSecondaryIndexes: + - IndexName: TitleIndex + KeySchema: + - AttributeName: Title + KeyType: HASH + Projection: + ProjectionType: KEYS_ONLY + ProvisionedThroughput: + ReadCapacityUnits: !Ref 'ReadCapacityUnits' + WriteCapacityUnits: !Ref 'WriteCapacityUnits' +Outputs: + TableName: + Value: !Ref 'TableOfBooks' + Description: Name of the newly created DynamoDB table \ No newline at end of file diff --git a/IAC/aks.bicep b/IAC/aks.bicep new file mode 100644 index 0000000..ccb00c0 --- /dev/null +++ b/IAC/aks.bicep 
@@ -0,0 +1,34 @@
+@description('Name of environment')
+param env string = 'dev'
+
+@description('Default location for all resources')
+param location string = resourceGroup().location
+
+var name = 'bicepgoat'
+
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-02-01' = {
+  name: '${name}-aks-${env}'
+  location: location
+
+  identity: {
+    type: 'SystemAssigned'
+  }
+  properties: {
+    kubernetesVersion: '1.19.7'
+    dnsPrefix: '${name}-${env}'
+    enableRBAC: false
+
+    agentPoolProfiles: [
+      {
+        name: 'default'
+        count: 2
+        vmSize: 'Standard_D2_v2'
+      }
+    ]
+    addonProfiles: {
+      omsagent: {
+        enabled: false
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/IAC/dbapp.tf b/IAC/dbapp.tf
new file mode 100644
index 0000000..1c40b6b
--- /dev/null
+++ b/IAC/dbapp.tf
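Review bot: `enableRBAC: false` on `aksCluster` turns off Kubernetes RBAC, so any identity that can authenticate to the API server gets unrestricted API access; it should read `enableRBAC: true`. The `omsagent` add-on is also disabled, so no container or control-plane logs leave the cluster, and `kubernetesVersion: '1.19.7'` pins a release that is long out of AKS support and no longer receives security patches. Consider `enabled: true` for `omsagent` with a `logAnalyticsWorkspaceResourceID` in its `config`, and moving the version to a parameter instead of hard-coding it. If this file is a deliberately misconfigured fixture, a header comment saying so would stop reviewers from re-raising these.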
@@ -0,0 +1,423 @@ +resource "aws_db_instance" "default" { + name = var.dbname + engine = "mysql" + option_group_name = aws_db_option_group.default.name + parameter_group_name = aws_db_parameter_group.default.name + db_subnet_group_name = aws_db_subnet_group.default.name + vpc_security_group_ids = ["${aws_security_group.default.id}"] + + identifier = "rds-${local.resource_prefix.value}" + engine_version = "8.0" # Latest major version + instance_class = "db.t3.micro" + allocated_storage = "20" + username = "admin" + password = var.password + apply_immediately = true + multi_az = false + backup_retention_period = 0 + storage_encrypted = false + skip_final_snapshot = true + monitoring_interval = 0 + publicly_accessible = true + + tags = merge({ + Name = "${local.resource_prefix.value}-rds" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/db-app.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "47c13290-c2ce-48a7-b666-1b0085effb92" + }) + + # Ignore password changes from tf plan diff + lifecycle { + ignore_changes = ["password"] + } +} + +resource "aws_db_option_group" "default" { + engine_name = "mysql" + name = "og-${local.resource_prefix.value}" + major_engine_version = "8.0" + option_group_description = "Terraform OG" + + tags = merge({ + Name = "${local.resource_prefix.value}-og" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/db-app.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "c8076043-5de7-4203-9a1c-b4e61900628a" + }) +} + +resource "aws_db_parameter_group" "default" { + name = 
"pg-${local.resource_prefix.value}" + family = "mysql8.0" + description = "Terraform PG" + + parameter { + name = "character_set_client" + value = "utf8" + apply_method = "immediate" + } + + parameter { + name = "character_set_server" + value = "utf8" + apply_method = "immediate" + } + + tags = merge({ + Name = "${local.resource_prefix.value}-pg" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/db-app.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "6432b3f9-3f45-4463-befc-2e0f2fbdffc1" + }) +} + +resource "aws_db_subnet_group" "default" { + name = "sg-${local.resource_prefix.value}" + subnet_ids = ["${aws_subnet.web_subnet.id}", "${aws_subnet.web_subnet2.id}"] + description = "Terraform DB Subnet Group" + + tags = merge({ + Name = "sg-${local.resource_prefix.value}" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/db-app.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "b8368249-50c5-4a24-bdb0-9f83d197b11c" + }) +} + +resource "aws_security_group" "default" { + name = "${local.resource_prefix.value}-rds-sg" + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-rds-sg" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/db-app.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "7b251090-8ac1-4290-bd2e-bf3e16126430" + }) +} + +resource 
"aws_security_group_rule" "ingress" { + type = "ingress" + from_port = "3306" + to_port = "3306" + protocol = "tcp" + cidr_blocks = ["${aws_vpc.web_vpc.cidr_block}"] + security_group_id = aws_security_group.default.id +} + +resource "aws_security_group_rule" "egress" { + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = "${aws_security_group.default.id}" +} + + +### EC2 instance +resource "aws_iam_instance_profile" "ec2profile" { + name = "${local.resource_prefix.value}-profile" + role = "${aws_iam_role.ec2role.name}" + tags = { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/db-app.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "6d33b2b9-2dd3-4915-b5d4-283152c928f1" + } +} + +resource "aws_iam_role" "ec2role" { + name = "${local.resource_prefix.value}-role" + path = "/" + + assume_role_policy = < /tmp/dbinfo.inc + +EnD +sudo mv /tmp/dbinfo.inc /var/www/inc +sudo chown root:root /var/www/inc/dbinfo.inc + +cat << EnD > /tmp/index.php + + + +

Sample page

+ + + +
+ + + + + + + + + + +
NAMEADDRESS
+ + + + + +
+
+ + + + + + + + + +"; + echo "", + "", + ""; + echo ""; +} +?> + +
IDNAMEADDRESS
",\$query_data[0], "",\$query_data[1], "",\$query_data[2], "
+ + + + + + + + +Error adding employee data.

"); +} + +/* Check whether the table exists and, if not, create it. */ +function VerifyEmployeesTable(\$connection, \$dbName) { + if(!TableExists("EMPLOYEES", \$connection, \$dbName)) + { + \$query = "CREATE TABLE EMPLOYEES ( + ID int(11) UNSIGNED AUTO_INCREMENT PRIMARY KEY, + NAME VARCHAR(45), + ADDRESS VARCHAR(90) + )"; + + if(!mysqli_query(\$connection, \$query)) echo("

Error creating table.

"); + } +} + +/* Check for the existence of a table. */ +function TableExists(\$tableName, \$connection, \$dbName) { + \$t = mysqli_real_escape_string(\$connection, \$tableName); + \$d = mysqli_real_escape_string(\$connection, \$dbName); + + \$checktable = mysqli_query(\$connection, + "SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_NAME = '\$t' AND TABLE_SCHEMA = '\$d'"); + + if(mysqli_num_rows(\$checktable) > 0) return true; + + return false; +} +?> +EnD + +sudo mv /tmp/index.php /var/www/html +sudo chown root:root /var/www/html/index.php + + + +EOF + tags = merge({ + Name = "${local.resource_prefix.value}-dbapp" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/db-app.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "f7999d4e-c983-43ee-bd88-7903a6f8483e" + }) +} + +output "db_app_public_dns" { + description = "DB Public DNS name" + value = aws_instance.db_app.public_dns +} + +output "db_endpoint" { + description = "DB Endpoint" + value = aws_db_instance.default.endpoint +} + diff --git a/IAC/ec2sg.yaml b/IAC/ec2sg.yaml new file mode 100644 index 0000000..06681a2 --- /dev/null +++ b/IAC/ec2sg.yaml 
@@ -0,0 +1,69 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Metadata:
+  License: Apache-2.0
+Description: 'AWS CloudFormation Sample Template EC2InstanceWithSecurityGroupSample:
+  Create an Amazon EC2 instance running the Amazon Linux AMI. The AMI is chosen based
+  on the region in which the stack is run. This example creates an EC2 security group
+  for the instance to give you SSH access. **WARNING** This template creates an Amazon
+  EC2 instance. You will be billed for the AWS resources used if you create a stack
+  from this template.'
+Parameters:
+  KeyName:
+    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
+    Type: AWS::EC2::KeyPair::KeyName
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  InstanceType:
+    Description: WebServer EC2 instance type
+    Type: String
+    Default: t3.small
+    AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge,
+      t3.nano, t3.micro, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge,
+      m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge,
+      m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge,
+      c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge,
+      g3.8xlarge,
+      r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge, r3.12xlarge,
+      i3.xlarge, i3.2xlarge, i3.4xlarge, i3.8xlarge,
+      d2.xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge]
+    ConstraintDescription: must be a valid EC2 instance type.
+  SSHLocation:
+    Description: The IP address range that can be used to SSH to the EC2 instances
+    Type: String
+    MinLength: 9
+    MaxLength: 18
+    Default: 0.0.0.0/0
+    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
+    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
+  LatestAmiId:
+    Type: 'AWS::SSM::Parameter::Value'
+    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
+Resources:
+  EC2Instance:
+    Type: AWS::EC2::Instance
+    Properties:
+      InstanceType: !Ref 'InstanceType'
+      SecurityGroups: [!Ref 'InstanceSecurityGroup']
+      KeyName: !Ref 'KeyName'
+      ImageId: !Ref 'LatestAmiId'
+  InstanceSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Enable SSH access via port 22
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+          CidrIp: !Ref 'SSHLocation'
+Outputs:
+  InstanceId:
+    Description: InstanceId of the newly created EC2 instance
+    Value: !Ref 'EC2Instance'
+  AZ:
+    Description: Availability Zone of the newly created EC2 instance
+    Value: !GetAtt [EC2Instance, AvailabilityZone]
+  PublicDNS:
+    Description: Public DNSName of the newly created EC2 instance
+    Value: !GetAtt [EC2Instance, PublicDnsName]
+  PublicIP:
+    Description: Public IP address of the newly created EC2 instance
+    Value: !GetAtt [EC2Instance, PublicIp]
\ No newline at end of file
diff --git a/IAC/ecr.tf b/IAC/ecr.tf
new file mode 100644
index 0000000..ac0b511
--- /dev/null
+++ b/IAC/ecr.tf
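Review bot: `SSHLocation` defaults to `0.0.0.0/0`, so a stack created without overriding it exposes port 22 of `EC2Instance` to the whole internet through `InstanceSecurityGroup`; remove the `Default: 0.0.0.0/0` line so callers must supply a CIDR, or default to a private range. The `AllowedPattern` also accepts octets above 255 and prefix lengths above 32 because each `\d{1,3}` and the trailing `\d{1,2}` are unbounded, so the `ConstraintDescription` overstates what is validated. `LatestAmiId` is typed `'AWS::SSM::Parameter::Value'` with no type argument in this rendering; if that is not an extraction artifact, the parameter will be rejected at stack creation and should carry the `String` type argument.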
@@ -0,0 +1,34 @@ +resource aws_ecr_repository "repository" { + name = "${local.resource_prefix.value}-repository" + image_tag_mutability = "MUTABLE" + + tags = merge({ + Name = "${local.resource_prefix.value}-repository" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ecr.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "7a3ec657-fa54-4aa2-8467-5d08d6c90bc2" + }) +} + +locals { + docker_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${aws_ecr_repository.repository.name}" +} + + +resource null_resource "push_image" { + provisioner "local-exec" { + working_dir = "${path.module}/resources" + command = < Date: Tue, 6 Feb 2024 09:23:14 +0000 Subject: [PATCH 3/3] SAC Update PR Files --- IAC/DynamoDB_Index.yaml | 54 ---- IAC/DynamoDB_Secondary_Index.yaml | 64 ----- IAC/aks.bicep | 34 --- IAC/dbapp.tf | 423 ------------------------------ IAC/ec2sg.yaml | 69 ----- IAC/ecr.tf | 34 --- IAC/instance.bicep | 75 ------ SCA/build.gradle | 45 ++++ SCA/goat-nuget.csproj | 75 ++++++ 9 files changed, 120 insertions(+), 753 deletions(-) delete mode 100644 IAC/DynamoDB_Index.yaml delete mode 100644 IAC/DynamoDB_Secondary_Index.yaml delete mode 100644 IAC/aks.bicep delete mode 100644 IAC/dbapp.tf delete mode 100644 IAC/ec2sg.yaml delete mode 100644 IAC/ecr.tf delete mode 100644 IAC/instance.bicep create mode 100644 SCA/build.gradle create mode 100644 SCA/goat-nuget.csproj diff --git a/IAC/DynamoDB_Index.yaml b/IAC/DynamoDB_Index.yaml deleted file mode 100644 index ea6d86a..0000000 --- a/IAC/DynamoDB_Index.yaml +++ /dev/null 
@@ -1,54 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Metadata:
-  License: Apache-2.0
-Description: 'AWS CloudFormation Sample Template DynamoDB_Table: This template demonstrates
-  the creation of a DynamoDB table. **WARNING** This template creates an Amazon DynamoDB
-  table. You will be billed for the AWS resources used if you create a stack from
-  this template.'
-Parameters:
-  HashKeyElementName:
-    Description: HashType PrimaryKey Name
-    Type: String
-    AllowedPattern: '[a-zA-Z0-9]*'
-    MinLength: '1'
-    MaxLength: '2048'
-    ConstraintDescription: must contain only alphanumberic characters
-  HashKeyElementType:
-    Description: HashType PrimaryKey Type
-    Type: String
-    Default: S
-    AllowedPattern: '[S|N]'
-    MinLength: '1'
-    MaxLength: '1'
-    ConstraintDescription: must be either S or N
-  ReadCapacityUnits:
-    Description: Provisioned read throughput
-    Type: Number
-    Default: '5'
-    MinValue: '5'
-    MaxValue: '10000'
-    ConstraintDescription: must be between 5 and 10000
-  WriteCapacityUnits:
-    Description: Provisioned write throughput
-    Type: Number
-    Default: '10'
-    MinValue: '5'
-    MaxValue: '10000'
-    ConstraintDescription: must be between 5 and 10000
-Resources:
-  myDynamoDBTable:
-    Type: AWS::DynamoDB::Table
-    Properties:
-      AttributeDefinitions:
-        - AttributeName: !Ref 'HashKeyElementName'
-          AttributeType: !Ref 'HashKeyElementType'
-      KeySchema:
-        - AttributeName: !Ref 'HashKeyElementName'
-          KeyType: HASH
-      ProvisionedThroughput:
-        ReadCapacityUnits: !Ref 'ReadCapacityUnits'
-        WriteCapacityUnits: !Ref 'WriteCapacityUnits'
-Outputs:
-  TableName:
-    Value: !Ref 'myDynamoDBTable'
-    Description: Table name of the newly created DynamoDB table
\ No newline at end of file
diff --git a/IAC/DynamoDB_Secondary_Index.yaml b/IAC/DynamoDB_Secondary_Index.yaml
deleted file mode 100644
index ca519ba..0000000
--- a/IAC/DynamoDB_Secondary_Index.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Metadata:
-  License: Apache-2.0
-Description: 'AWS CloudFormation Sample Template DynamoDB_Secondary_Indexes: Create
-  a DynamoDB table with local and global secondary indexes. **WARNING** This template
-  creates an Amazon DynamoDB table. You will be billed for the AWS resources used
-  if you create a stack from this template.'
-Parameters:
-  ReadCapacityUnits:
-    Description: Provisioned read throughput
-    Type: Number
-    Default: '5'
-    MinValue: '5'
-    MaxValue: '10000'
-    ConstraintDescription: must be between 5 and 10000
-  WriteCapacityUnits:
-    Description: Provisioned write throughput
-    Type: Number
-    Default: '10'
-    MinValue: '5'
-    MaxValue: '10000'
-    ConstraintDescription: must be between 5 and 10000
-Resources:
-  TableOfBooks:
-    Type: AWS::DynamoDB::Table
-    Properties:
-      AttributeDefinitions:
-        - AttributeName: Title
-          AttributeType: S
-        - AttributeName: Category
-          AttributeType: S
-        - AttributeName: Language
-          AttributeType: S
-      KeySchema:
-        - AttributeName: Category
-          KeyType: HASH
-        - AttributeName: Title
-          KeyType: RANGE
-      ProvisionedThroughput:
-        ReadCapacityUnits: !Ref 'ReadCapacityUnits'
-        WriteCapacityUnits: !Ref 'WriteCapacityUnits'
-      LocalSecondaryIndexes:
-        - IndexName: LanguageIndex
-          KeySchema:
-            - AttributeName: Category
-              KeyType: HASH
-            - AttributeName: Language
-              KeyType: RANGE
-          Projection:
-            ProjectionType: KEYS_ONLY
-      GlobalSecondaryIndexes:
-        - IndexName: TitleIndex
-          KeySchema:
-            - AttributeName: Title
-              KeyType: HASH
-          Projection:
-            ProjectionType: KEYS_ONLY
-          ProvisionedThroughput:
-            ReadCapacityUnits: !Ref 'ReadCapacityUnits'
-            WriteCapacityUnits: !Ref 'WriteCapacityUnits'
-Outputs:
-  TableName:
-    Value: !Ref 'TableOfBooks'
-    Description: Name of the newly created DynamoDB table
\ No newline at end of file
diff --git a/IAC/aks.bicep b/IAC/aks.bicep
deleted file mode 100644
index ccb00c0..0000000
--- a/IAC/aks.bicep
+++ /dev/null
@@ -1,34 +0,0 @@
-@description('Name of environment')
-param env string = 'dev'
-
-@description('Default location for all resources')
-param location string = resourceGroup().location
-
-var name = 'bicepgoat'
-
-resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-02-01' = {
-  name: '${name}-aks-${env}'
-  location: location
-
-  identity: {
-    type: 'SystemAssigned'
-  }
-  properties: {
-    kubernetesVersion: '1.19.7'
-    dnsPrefix: '${name}-${env}'
-    enableRBAC: false
-
-    agentPoolProfiles: [
-      {
-        name: 'default'
-        count: 2
-        vmSize: 'Standard_D2_v2'
-      }
-    ]
-    addonProfiles: {
-      omsagent: {
-        enabled: false
-      }
-    }
-  }
-}
\ No newline at end of file
diff --git a/IAC/dbapp.tf b/IAC/dbapp.tf
deleted file mode 100644
index 1c40b6b..0000000
--- a/IAC/dbapp.tf
+++ /dev/null
@@ -1,423 +0,0 @@ -resource "aws_db_instance" "default" { - name = var.dbname - engine = "mysql" - option_group_name = aws_db_option_group.default.name - parameter_group_name = aws_db_parameter_group.default.name - db_subnet_group_name = aws_db_subnet_group.default.name - vpc_security_group_ids = ["${aws_security_group.default.id}"] - - identifier = "rds-${local.resource_prefix.value}" - engine_version = "8.0" # Latest major version - instance_class = "db.t3.micro" - allocated_storage = "20" - username = "admin" - password = var.password - apply_immediately = true - multi_az = false - backup_retention_period = 0 - storage_encrypted = false - skip_final_snapshot = true - monitoring_interval = 0 - publicly_accessible = true - - tags = merge({ - Name = "${local.resource_prefix.value}-rds" - Environment = local.resource_prefix.value - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/db-app.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "nimrodkor@gmail.com" - git_modifiers = "nimrodkor" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "47c13290-c2ce-48a7-b666-1b0085effb92" - }) - - # Ignore password changes from tf plan diff - lifecycle { - ignore_changes = ["password"] - } -} - -resource "aws_db_option_group" "default" { - engine_name = "mysql" - name = "og-${local.resource_prefix.value}" - major_engine_version = "8.0" - option_group_description = "Terraform OG" - - tags = merge({ - Name = "${local.resource_prefix.value}-og" - Environment = local.resource_prefix.value - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/db-app.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "nimrodkor@gmail.com" - git_modifiers = "nimrodkor" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "c8076043-5de7-4203-9a1c-b4e61900628a" - }) -} - -resource "aws_db_parameter_group" "default" { - name = 
"pg-${local.resource_prefix.value}" - family = "mysql8.0" - description = "Terraform PG" - - parameter { - name = "character_set_client" - value = "utf8" - apply_method = "immediate" - } - - parameter { - name = "character_set_server" - value = "utf8" - apply_method = "immediate" - } - - tags = merge({ - Name = "${local.resource_prefix.value}-pg" - Environment = local.resource_prefix.value - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/db-app.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "nimrodkor@gmail.com" - git_modifiers = "nimrodkor" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "6432b3f9-3f45-4463-befc-2e0f2fbdffc1" - }) -} - -resource "aws_db_subnet_group" "default" { - name = "sg-${local.resource_prefix.value}" - subnet_ids = ["${aws_subnet.web_subnet.id}", "${aws_subnet.web_subnet2.id}"] - description = "Terraform DB Subnet Group" - - tags = merge({ - Name = "sg-${local.resource_prefix.value}" - Environment = local.resource_prefix.value - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/db-app.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "nimrodkor@gmail.com" - git_modifiers = "nimrodkor" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "b8368249-50c5-4a24-bdb0-9f83d197b11c" - }) -} - -resource "aws_security_group" "default" { - name = "${local.resource_prefix.value}-rds-sg" - vpc_id = aws_vpc.web_vpc.id - - tags = merge({ - Name = "${local.resource_prefix.value}-rds-sg" - Environment = local.resource_prefix.value - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/db-app.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "nimrodkor@gmail.com" - git_modifiers = "nimrodkor" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "7b251090-8ac1-4290-bd2e-bf3e16126430" - }) -} - -resource 
"aws_security_group_rule" "ingress" { - type = "ingress" - from_port = "3306" - to_port = "3306" - protocol = "tcp" - cidr_blocks = ["${aws_vpc.web_vpc.cidr_block}"] - security_group_id = aws_security_group.default.id -} - -resource "aws_security_group_rule" "egress" { - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.default.id}" -} - - -### EC2 instance -resource "aws_iam_instance_profile" "ec2profile" { - name = "${local.resource_prefix.value}-profile" - role = "${aws_iam_role.ec2role.name}" - tags = { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/db-app.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "nimrodkor@gmail.com" - git_modifiers = "nimrodkor" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "6d33b2b9-2dd3-4915-b5d4-283152c928f1" - } -} - -resource "aws_iam_role" "ec2role" { - name = "${local.resource_prefix.value}-role" - path = "/" - - assume_role_policy = < /tmp/dbinfo.inc - -EnD -sudo mv /tmp/dbinfo.inc /var/www/inc -sudo chown root:root /var/www/inc/dbinfo.inc - -cat << EnD > /tmp/index.php - - - -

Sample page

- - - -
- - - - - - - - - - -
NAMEADDRESS
- - - - - -
-
- - - - - - - - - -"; - echo "", - "", - ""; - echo ""; -} -?> - -
IDNAMEADDRESS
",\$query_data[0], "",\$query_data[1], "",\$query_data[2], "
- - - - - - - - -Error adding employee data.

"); -} - -/* Check whether the table exists and, if not, create it. */ -function VerifyEmployeesTable(\$connection, \$dbName) { - if(!TableExists("EMPLOYEES", \$connection, \$dbName)) - { - \$query = "CREATE TABLE EMPLOYEES ( - ID int(11) UNSIGNED AUTO_INCREMENT PRIMARY KEY, - NAME VARCHAR(45), - ADDRESS VARCHAR(90) - )"; - - if(!mysqli_query(\$connection, \$query)) echo("

Error creating table.

"); - } -} - -/* Check for the existence of a table. */ -function TableExists(\$tableName, \$connection, \$dbName) { - \$t = mysqli_real_escape_string(\$connection, \$tableName); - \$d = mysqli_real_escape_string(\$connection, \$dbName); - - \$checktable = mysqli_query(\$connection, - "SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_NAME = '\$t' AND TABLE_SCHEMA = '\$d'"); - - if(mysqli_num_rows(\$checktable) > 0) return true; - - return false; -} -?> -EnD - -sudo mv /tmp/index.php /var/www/html -sudo chown root:root /var/www/html/index.php - - - -EOF - tags = merge({ - Name = "${local.resource_prefix.value}-dbapp" - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/db-app.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "nimrodkor@gmail.com" - git_modifiers = "nimrodkor" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "f7999d4e-c983-43ee-bd88-7903a6f8483e" - }) -} - -output "db_app_public_dns" { - description = "DB Public DNS name" - value = aws_instance.db_app.public_dns -} - -output "db_endpoint" { - description = "DB Endpoint" - value = aws_db_instance.default.endpoint -} - diff --git a/IAC/ec2sg.yaml b/IAC/ec2sg.yaml deleted file mode 100644 index 06681a2..0000000 --- a/IAC/ec2sg.yaml +++ /dev/null 
@@ -1,69 +0,0 @@
-AWSTemplateFormatVersion: '2010-09-09'
-Metadata:
-  License: Apache-2.0
-Description: 'AWS CloudFormation Sample Template EC2InstanceWithSecurityGroupSample:
-  Create an Amazon EC2 instance running the Amazon Linux AMI. The AMI is chosen based
-  on the region in which the stack is run. This example creates an EC2 security group
-  for the instance to give you SSH access. **WARNING** This template creates an Amazon
-  EC2 instance. You will be billed for the AWS resources used if you create a stack
-  from this template.'
-Parameters:
-  KeyName:
-    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
-    Type: AWS::EC2::KeyPair::KeyName
-    ConstraintDescription: must be the name of an existing EC2 KeyPair.
-  InstanceType:
-    Description: WebServer EC2 instance type
-    Type: String
-    Default: t3.small
-    AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge,
-      t3.nano, t3.micro, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge,
-      m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge,
-      m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge,
-      c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge,
-      g3.8xlarge,
-      r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge, r3.12xlarge,
-      i3.xlarge, i3.2xlarge, i3.4xlarge, i3.8xlarge,
-      d2.xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge]
-    ConstraintDescription: must be a valid EC2 instance type.
-  SSHLocation:
-    Description: The IP address range that can be used to SSH to the EC2 instances
-    Type: String
-    MinLength: 9
-    MaxLength: 18
-    Default: 0.0.0.0/0
-    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
-    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
-  LatestAmiId:
-    Type: 'AWS::SSM::Parameter::Value'
-    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
-Resources:
-  EC2Instance:
-    Type: AWS::EC2::Instance
-    Properties:
-      InstanceType: !Ref 'InstanceType'
-      SecurityGroups: [!Ref 'InstanceSecurityGroup']
-      KeyName: !Ref 'KeyName'
-      ImageId: !Ref 'LatestAmiId'
-  InstanceSecurityGroup:
-    Type: AWS::EC2::SecurityGroup
-    Properties:
-      GroupDescription: Enable SSH access via port 22
-      SecurityGroupIngress:
-        - IpProtocol: tcp
-          FromPort: 22
-          ToPort: 22
-          CidrIp: !Ref 'SSHLocation'
-Outputs:
-  InstanceId:
-    Description: InstanceId of the newly created EC2 instance
-    Value: !Ref 'EC2Instance'
-  AZ:
-    Description: Availability Zone of the newly created EC2 instance
-    Value: !GetAtt [EC2Instance, AvailabilityZone]
-  PublicDNS:
-    Description: Public DNSName of the newly created EC2 instance
-    Value: !GetAtt [EC2Instance, PublicDnsName]
-  PublicIP:
-    Description: Public IP address of the newly created EC2 instance
-    Value: !GetAtt [EC2Instance, PublicIp]
\ No newline at end of file
diff --git a/IAC/ecr.tf b/IAC/ecr.tf
deleted file mode 100644
index ac0b511..0000000
--- a/IAC/ecr.tf
+++ /dev/null
@@ -1,34 +0,0 @@ -resource aws_ecr_repository "repository" { - name = "${local.resource_prefix.value}-repository" - image_tag_mutability = "MUTABLE" - - tags = merge({ - Name = "${local.resource_prefix.value}-repository" - }, { - git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" - git_file = "terraform/aws/ecr.tf" - git_last_modified_at = "2020-06-16 14:46:24" - git_last_modified_by = "nimrodkor@gmail.com" - git_modifiers = "nimrodkor" - git_org = "bridgecrewio" - git_repo = "terragoat" - yor_trace = "7a3ec657-fa54-4aa2-8467-5d08d6c90bc2" - }) -} - -locals { - docker_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${aws_ecr_repository.repository.name}" -} - - -resource null_resource "push_image" { - provisioner "local-exec" { - working_dir = "${path.module}/resources" - command = < + + + Exe + net5.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +