Skip to content

Addition of new feature #79

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
thavelock wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Addition of new feature #79

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion app.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ require('./typeorm-db')
var st = require('st');
var crypto = require('crypto');
var express = require('express');
var http = require('http');
var https = require('https');
var path = require('path');
var ejsEngine = require('ejs-locals');
var bodyParser = require('body-parser');
Expand Down Expand Up @@ -72,6 +72,8 @@ const SECRET = 'password123';

const SECRET2 = 'password123';

const SECRET3 = 'password123';
Copy link

@snyk-io snyk-io bot Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  Hardcoded Secret

Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in here.

Line 75 | CWE-547 | Priority score 828
Data flow: 2 steps

Step 1 - 2

nodejs-goof/app.js

Line 75 in 172f4ff

const SECRET3 = 'password123';

⚡ Fix this issue by replying with the following command: @snyk /fix

Copy link
Collaborator Author

@thavelock thavelock Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@snyk /fix

Copy link

@snyk-io snyk-io bot Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚡ Snyk Agent Fix suggestion 1 of 5

The diff replaces the constant SECRET3 with a value from the environment variable SECRET3 set via process.env. This change mitigates the security vulnerability of using hard-coded credentials within the source code, which can expose sensitive information if the codebase is exposed. By sourcing SECRET3 from an environment variable, the credentials can be kept secure and managed separately, reducing the risk of leaking sensitive data. The original vulnerability (846b3ff4-4ba8-5520-a4cf-aab5d48d390b) likely involved the exposure of hard-coded sensitive data that should have been protected through environment-based configuration. generated by AI

Code changes 
--- app.js
+++ app.js
@@ -72,7 +72,7 @@
 
 const SECRET2 = 'password123';
 
-const SECRET3 = 'password123';
+const SECRET3 = process.env.SECRET3;
 
 // Static
 app.use(st({ path: './public', url: '/public' }));
Content generated by AI, expires on 2025-08-13 16:55:09 UTC. Refresh the page after running Snyk commands.

⏩ To see another fix suggestion - reply with @snyk /fix
✅ To apply this fix and create a commit - reply with @snyk /apply 1


// Static
app.use(st({ path: './public', url: '/public' }));

Expand All @@ -87,6 +89,13 @@ if (app.get('env') == 'development') {
var token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9';
console.log('token: ' + token);

var new_token = 'SECRET_TOKEN_f8ed84e8f41e4146403dd4a6bbcea5e418d23a9';
console.log('new_token: ' + new_token);

http.createServer(app).listen(app.get('port'), function () {
console.log('Express server listening on port ' + app.get('port'));
var secureServer = https.createServer({
key: fs.readFileSync('/etc/letsencrypt/live/example.com/privkey.pem'),
cert: fs.readFileSync('/etc/letsencrypt/live/example.com/cert.pem')
}, app);
});
7 changes: 6 additions & 1 deletion routes/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,12 @@ exports.loginHandler = function (req, res, next) {
return res.status(401).send()
}
});
} else {
} else if (validator.contains("test")) {
User.find({ username: req.body.username, password: req.body.password }, function (err, users) {
Copy link

@snyk-io snyk-io bot Aug 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  NoSQL Injection

Unsanitized input from the HTTP request body flows into find, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.

Line 50 | CWE-943 | Priority score 812 | Learn more about this vulnerability
Data flow: 8 steps

Step 1 - 4

nodejs-goof/routes/index.js

Line 38 in 172f4ff

if (validator.isEmail(req.body.username)) {

Step 5 - 8

nodejs-goof/routes/index.js

Line 50 in 172f4ff

User.find({ username: req.body.username, password: req.body.password }, function (err, users) {

return res.status(401).send()
});
}
else {
return res.status(401).send()
}
};
Expand Down