2022-08 Code Review

Owned by Uwe Wahser
Last updated: Aug 02, 2023
2 min read

Overview

Date

2022-08-24

Status

WIP

Release

https://openimis.atlassian.net/wiki/spaces/OP/pages/3211395073

TestType

mixed

TestTopic

Code Review

Context

https://openimis.atlassian.net/wiki/spaces/OP/pages/3365076993

Tester

https://openimis.atlassian.net/wiki/spaces/OP/pages/3364454413

Standard

Result Summary

Vulnerabilities

Risk

Count

Critical

3

High

2

Medium

4

Low

0

extension

OWASP Top 10

A01

NO

A02

NO

A03

YES

A04

NO

A05

WARNING

A06

YES

A07

NO

A08

NO

A09

NAP

A10

NO

Evaluation Methodology

SecurityONE has used seCode review is systematic examination of computer source code and reviews are done in various forms and can be accomplished in various stages of each organization S-SDLC. This document does not attempt to tell each organization how to implement code reviews in their organization, but this section does go over in generic terms and methodology of doing code reviews from informal
walkthroughs, formal inspections, or Tool-assisted code reviews.

  • Pre-Review Discovery
    A representative from the target application’s development team is asked to confirm the scope of the engagement. Trustwave requires a full list of the applications to be tested, design documentation, and third-party in-use, applications, and libraries used during the design, coding, and testing of the target application. This information allows the SecurityONE consultants to become familiar with the existing application environment prior to the commencement of the engagement.

  • Documentation Review
    SecurityONE conducts a detailed review of the existing documentation for each application listed in this proposal, including design documents, concept of operations, and source code listings. On an as-needed basis, SecurityONE requests clarification on components of the site, functionality, program flow, and design issues.

  • Architecture and Product Familiarization
    SecurityONE reviews the overall architecture of the application to become familiar with the security issues resulting from any third-party tools, applications, libraries, or services being used. This includes interface specifications for any pre-existing libraries or utilities, as well as security vulnerabilities or known issues with commercial tools and applications.

  • Static and Manual Source Code Analysis
    The SecurityONE team performs a detailed, manual analysis of the application source code. Many of the vulnerabilities discovered in a source code review are like vulnerabilities discovered during an Application Penetration Test. Unlike a penetration test, a code review allows for a greater breadth of coverage and an increased confidence level in the results of the assessment. This is principally a result of having a fuller understanding of the design, software architecture and its internals, allowing identified vulnerabilities to have their exploitability fully assessed from a risk perspective.

Detailed Results

Vulnerability

Risk

Component

Impact

Status

Vulnerability

Risk

Component

Impact

Status

Multiple outdated dependencies in frontend Dockerfile

Critical

npm node:16 base image

The base image should be upgraded to node:16.17.0-bullseye-slim

Multiple outdated dependencies in backend Dockerfile

Critical

python:3.8-buster

The base image should be upgraded to python:3.9.13-slim

Multiple outdated dependencies in requirements.txt

Critical

pyjwt@1.7.0
django@3.0.14
gitpython@3.1.24

The following modules/libraries should be upgraded to:
pyjwt@2.4.0
django@3.2.15
gitpython@3.1.27

Multiple outdated dependencies in package.json

High

react-scripts@4.0.3

The following modules/libraries should be upgraded to react-scripts@5.0.0

Password Stored as Environment Variable in plaintext

High

DB_Password

Consider storing the password in any encrypted form (secure string on Windows or AES encrypted on Linux systems)

Cross-Site Request Forgery (CSRF)

Medium

openimis-fe_js/server.js

Considering that the underlying application is built on express, a specific middleware such as csurf should be use that implement CSRF protections

Command Injection

Medium

openimis-fe_js/dev_tools/installModuleLocally.js

Any user input should be first sanitized and then strongly checked to respect specific formats (blacklists/regex match) before being used in a shell command.

 

Information Exposure

Medium

openimis-fe_js/server.js

Consider using the Helmet middleware that disables the X-Powered-By header

 

Allocation of Resources Without Limits or Throttling

Medium

openimis-fe_js/server.js

Consider using a rate-limiting middleware such as express-limit

 

Remediation

All critical and high risk errors were fixed immedeatly ( ). Lower risk errors were adressed in the issue queue ( ). No instances in countries were affected.

Report

 

Did you encounter a problem or do you have a suggestion?

Please contact our Service Desk


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/