2022-08 Code Review

Owned by Uwe Wahser
Last updated: Aug 02, 2023
2 min read

Overview

Date

2022-08-24

Status

WIP

Release

Release 2022-04

TestType

mixed

TestTopic

Code Review

Context

Project: Security 2022

Tester

SecurityOne

Standard

Background: Open Web Application Security Project (OWASP)

Result Summary

Vulnerabilities

Risk

Count

Critical

3

High

2

Medium

4

Low

0

extension

OWASP Top 10

A01

NO

OWASP A01:2021 – Broken Access Control

A02

NO

OWASP A02:2021 – Cryptographic Failures

A03

YES

OWASP A03:2021 – Injection

A04

NO

OWASP A04:2021 – Insecure Design

A05

WARNING

OWASP A05:2021 – Security Misconfiguration

A06

YES

OWASP A06:2021 – Vulnerable and Outdated Components

A07

NO

OWASP A07:2021 – Identification and Authentication Failures

A08

NO

OWASP A08:2021 – Software and Data Integrity Failures

A09

NAP

OWASP A09:2021 – Security Logging and Monitoring Failures

A10

NO

OWASP A10:2021 – Server-Side Request Forgery (SSRF)

Evaluation Methodology

SecurityONE has used seCode review is systematic examination of computer source code and reviews are done in various forms and can be accomplished in various stages of each organization S-SDLC. This document does not attempt to tell each organization how to implement code reviews in their organization, but this section does go over in generic terms and methodology of doing code reviews from informal
walkthroughs, formal inspections, or Tool-assisted code reviews.

  • Pre-Review Discovery
    A representative from the target application’s development team is asked to confirm the scope of the engagement. Trustwave requires a full list of the applications to be tested, design documentation, and third-party in-use, applications, and libraries used during the design, coding, and testing of the target application. This information allows the SecurityONE consultants to become familiar with the existing application environment prior to the commencement of the engagement.

  • Documentation Review
    SecurityONE conducts a detailed review of the existing documentation for each application listed in this proposal, including design documents, concept of operations, and source code listings. On an as-needed basis, SecurityONE requests clarification on components of the site, functionality, program flow, and design issues.

  • Architecture and Product Familiarization
    SecurityONE reviews the overall architecture of the application to become familiar with the security issues resulting from any third-party tools, applications, libraries, or services being used. This includes interface specifications for any pre-existing libraries or utilities, as well as security vulnerabilities or known issues with commercial tools and applications.

  • Static and Manual Source Code Analysis
    The SecurityONE team performs a detailed, manual analysis of the application source code. Many of the vulnerabilities discovered in a source code review are like vulnerabilities discovered during an Application Penetration Test. Unlike a penetration test, a code review allows for a greater breadth of coverage and an increased confidence level in the results of the assessment. This is principally a result of having a fuller understanding of the design, software architecture and its internals, allowing identified vulnerabilities to have their exploitability fully assessed from a risk perspective.

Detailed Results

Vulnerability

Risk

Component

Impact

Status

Vulnerability

Risk

Component

Impact

Status

Multiple outdated dependencies in frontend Dockerfile

Critical

npm node:16 base image

The base image should be upgraded to node:16.17.0-bullseye-slim

Multiple outdated dependencies in backend Dockerfile

Critical

python:3.8-buster

The base image should be upgraded to python:3.9.13-slim

Multiple outdated dependencies in requirements.txt

Critical

pyjwt@1.7.0
django@3.0.14
gitpython@3.1.24

The following modules/libraries should be upgraded to:
pyjwt@2.4.0
django@3.2.15
gitpython@3.1.27

Multiple outdated dependencies in package.json

High

react-scripts@4.0.3

The following modules/libraries should be upgraded to react-scripts@5.0.0

Password Stored as Environment Variable in plaintext

High

DB_Password

Consider storing the password in any encrypted form (secure string on Windows or AES encrypted on Linux systems)

Cross-Site Request Forgery (CSRF)

Medium

openimis-fe_js/server.js

Considering that the underlying application is built on express, a specific middleware such as csurf should be use that implement CSRF protections

Command Injection

Medium

openimis-fe_js/dev_tools/installModuleLocally.js

Any user input should be first sanitized and then strongly checked to respect specific formats (blacklists/regex match) before being used in a shell command.

 

Information Exposure

Medium

openimis-fe_js/server.js

Consider using the Helmet middleware that disables the X-Powered-By header

 

Allocation of Resources Without Limits or Throttling

Medium

openimis-fe_js/server.js

Consider using a rate-limiting middleware such as express-limit

 

Remediation

All critical and high risk errors were fixed immedeatly ( ). Lower risk errors were adressed in the issue queue ( ). No instances in countries were affected.

Report

 

Did you encounter a problem or do you have a suggestion?

Please contact our Service Desk


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/