This is a simple JavaScript project that is used to demonstrate Sonar's deeper SAST capabilities.
The application is an Express server that has two endpoints, both of which are used to dynamically return a file from the file system. The code is intentionally simple and vulnerable to a directory traversal attack. Do not use code like this in your own application. The goal is to demonstrate how Sonar can detect the vulnerability.
Static Application Security Testing (SAST) is a method of testing the security of an application by examining its source code for vulnerabilities. SAST is one of the most efficient ways to find security flaws early in the development process, and Sonar's SAST capabilities are built into the commercial versions of SonarQube and SonarCloud platforms.
In this example, the route /image is vulnerable to a directory traversal attack because it does not properly sanitize the filename that is passed through the query, which is then passed to the stat and createReadStream functions from Node's built-in fs module.
You can see how SonarCloud detects the vulnerability, tracking the data flow from the incoming request, from the server.js file to the src/image-fs.js file and through the getImage function.
In order to better understand applications, deeper SAST enables Sonar's SAST engine to trace data flow in and out of third-party, open-source libraries. You can read more about Sonar's deeper SAST capabilities here.
In this example, the route /image-extra is almost exactly the same as the /image route, with the exception of using the fs-extra library. fs-extra is a drop-in replacement for the built-in fs module with some additional capabilities. In this case, we are using the same methods, just importing them from fs-extra instead. Without knowledge of the dependency and how it interacts with the file system, a SAST tool would overlook the vulnerability in ./src/image-fs-extra.js, but Sonar's deeper SAST knows about the library and can spot the vulnerability.
You can see that SonarCloud detects this vulnerability too, tracking the data flow from the incoming request, from the server.js file to the src/image-fs-extra.js file, through the getImage function and into the function from the third-party, open-source library fs-extra.
You can run the application if you want to see the vulnerability in action.
First, clone the repository from GitHub and change into the new directory:
git clone https://github.com/philnash/deeper-sast-javascript.git
cd deeper-sast-javascriptInstall the dependencies:
npm installThen start the server:
npm startYou can then make requests to the server on either of the endpoints: /image or /image-extra.
For example, if you make a request to http://localhost:3000/image?filename=sonar.png or http://localhost:3000/image-extra?filename=sonar.png you will see a Sonar logo.
If you make a request to http://localhost:3000/image?filename=../package.json or http://localhost:3000/image-extra?filename=../package.json you will see the contents of the package.json file. This is the vulnerability. And you can keep adding ../ to the query to traverse deeper into the file system.
This project is licensed under the MIT License.