2022-08 Code Review
Overview
Field | Value |
---|---|
Date | 2022-08-24 |
Status | WIP |
Release | |
TestType | mixed |
TestTopic | Code Review |
Context | |
Tester | |
Standard | https://openimis.atlassian.net/wiki/spaces/OP/pages/3122200577 |
Result Summary
Vulnerabilities
Risk | Count |
---|---|
Critical | 3 |
High | 2 |
Medium | 4 |
Low | 0 |
OWASP Top 10
Category | Affected | Notes |
---|---|---|
A01 Broken Access Control | NO | |
A02 Cryptographic Failures | NO | |
A03 Injection | YES | |
A04 Insecure Design | NO | |
A05 Security Misconfiguration | WARNING | |
A06 Vulnerable and Outdated Components | YES | |
A07 Identification and Authentication Failures | NO | |
A08 Software and Data Integrity Failures | NO | |
A09 Security Logging and Monitoring Failures | NAP | |
A10 Server-Side Request Forgery | NO | |
Evaluation Methodology
SecurityONE has used secure code review. Code review is the systematic examination of computer source code; reviews are done in various forms and can be carried out at various stages of each organization's S-SDLC. This document does not attempt to tell each organization how to implement code reviews, but this section covers, in generic terms, the methodology of doing code reviews, from informal walkthroughs to formal inspections or tool-assisted code reviews.
Pre-Review Discovery
A representative from the target application's development team is asked to confirm the scope of the engagement. Trustwave requires a full list of the applications to be tested, design documentation, and the third-party applications and libraries in use during the design, coding, and testing of the target application. This information allows the SecurityONE consultants to become familiar with the existing application environment before the engagement begins.
Documentation Review
SecurityONE conducts a detailed review of the existing documentation for each application listed in this proposal, including design documents, concept of operations, and source code listings. On an as-needed basis, SecurityONE requests clarification on components of the site, functionality, program flow, and design issues.
Architecture and Product Familiarization
SecurityONE reviews the overall architecture of the application to become familiar with the security issues resulting from any third-party tools, applications, libraries, or services being used. This includes interface specifications for any pre-existing libraries or utilities, as well as security vulnerabilities or known issues with commercial tools and applications.
Static and Manual Source Code Analysis
The SecurityONE team performs a detailed, manual analysis of the application source code. Many of the vulnerabilities discovered in a source code review are similar to those discovered during an Application Penetration Test. Unlike a penetration test, a code review allows for greater breadth of coverage and an increased confidence level in the results of the assessment. This is principally a result of having a fuller understanding of the design, the software architecture and its internals, which allows the exploitability of identified vulnerabilities to be fully assessed from a risk perspective.
Detailed Results
Vulnerability | Risk | Component | Impact | Status |
---|---|---|---|---|
Multiple outdated dependencies in frontend Dockerfile | Critical | npm node:16 base image | The base image should be upgraded to node:16.17.0-bullseye-slim | |
Multiple outdated dependencies in backend Dockerfile | Critical | python:3.8-buster | The base image should be upgraded to python:3.9.13-slim | |
Multiple outdated dependencies in requirements.txt | Critical | pyjwt@1.7.0 | The following modules/libraries should be upgraded to: | |
Multiple outdated dependencies in package.json | High | react-scripts@4.0.3 | The following modules/libraries should be upgraded to react-scripts@5.0.0 | |
Password Stored as Environment Variable in plaintext | High | DB_Password | Consider storing the password in encrypted form (SecureString on Windows or AES-encrypted on Linux systems) | |
Cross-Site Request Forgery (CSRF) | Medium | openimis-fe_js/server.js | Considering that the underlying application is built on Express, a dedicated middleware such as csurf that implements CSRF protection should be used | |
Command Injection | Medium | openimis-fe_js/dev_tools/installModuleLocally.js | Any user input should first be sanitized and then strictly validated against a specific format (blocklists/regex match) before being used in a shell command. | |
Information Exposure | Medium | openimis-fe_js/server.js | Consider using the Helmet middleware, which disables the X-Powered-By header | |
Allocation of Resources Without Limits or Throttling | Medium | openimis-fe_js/server.js | Consider using a rate-limiting middleware such as express-limit | |
Remediation
All critical and high risk errors were fixed immediately ( ). Lower risk errors were addressed in the issue queue ( ). No instances in countries were affected.
Report
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/