mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
f96a89e7c1
* feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel>
137 lines
4.4 KiB
JavaScript
137 lines
4.4 KiB
JavaScript
var child_process = require("child_process");
|
|
var crypto = require("crypto");
|
|
var fs = require("fs");
|
|
|
|
// ───── User authentication route ─────
|
|
|
|
// POST /auth/login
|
|
// Reads credentials from request body, constructs a shell command to
|
|
// check credentials via an external LDAP tool.
|
|
// VULN: req.body flows into child_process.exec
|
|
function handleLogin(req, res) {
|
|
var username = req.body.username;
|
|
var password = req.body.password;
|
|
|
|
var cmd = "ldapwhoami -x -D 'cn=" + username + ",dc=corp' -w '" + password + "'";
|
|
child_process.exec(cmd, function(err, stdout, stderr) {
|
|
if (err) {
|
|
res.status(401).send("Authentication failed");
|
|
return;
|
|
}
|
|
var token = crypto.randomBytes(32).toString("hex");
|
|
res.json({ token: token, user: username });
|
|
});
|
|
}
|
|
|
|
// ───── Search endpoint ─────
|
|
|
|
// GET /api/search
|
|
// User-supplied query parameter is passed directly to eval for "dynamic filtering".
|
|
// VULN: req.query flows into eval (code injection)
|
|
function handleSearch(req, res) {
|
|
var query = req.query.q;
|
|
var filterExpr = req.query.filter;
|
|
|
|
// Developer thought this was clever for dynamic filtering
|
|
var filterFn = eval("(function(item) { return " + filterExpr + "; })");
|
|
|
|
var results = getDatabase().filter(filterFn);
|
|
res.json({ results: results, query: query });
|
|
}
|
|
|
|
// ───── Admin panel rendering ─────
|
|
|
|
// GET /admin/dashboard
|
|
// Renders an admin dashboard; user-supplied name goes into innerHTML.
|
|
// VULN: req.query flows into innerHTML (XSS)
|
|
function renderDashboard(req, res) {
|
|
var userName = req.query.name;
|
|
var greeting = "<h1>Welcome, " + userName + "</h1>";
|
|
document.getElementById("header").innerHTML = greeting;
|
|
|
|
var statsHtml = req.query.stats;
|
|
document.getElementById("stats-panel").innerHTML = statsHtml;
|
|
}
|
|
|
|
// ───── Webhook handler ─────
|
|
|
|
// POST /webhooks/deploy
|
|
// Reads a deployment command from process.env, executes it.
|
|
// VULN: process.env flows into child_process.execSync
|
|
function handleDeployWebhook(req, res) {
|
|
var secret = req.headers["x-webhook-secret"];
|
|
if (secret !== process.env.WEBHOOK_SECRET) {
|
|
res.status(403).send("Forbidden");
|
|
return;
|
|
}
|
|
|
|
var deployCmd = process.env.DEPLOY_COMMAND;
|
|
var output = child_process.execSync(deployCmd);
|
|
res.send("Deployed: " + output.toString());
|
|
}
|
|
|
|
// ───── File preview ─────
|
|
|
|
// GET /files/preview
|
|
// Reads a file based on user-supplied path, writes content to page.
|
|
// VULN: req.query flows into innerHTML (reflected XSS via file content)
|
|
function previewFile(req, res) {
|
|
var filePath = req.query.path;
|
|
var content = fs.readFileSync(filePath, "utf-8");
|
|
document.getElementById("preview").innerHTML = content;
|
|
}
|
|
|
|
// ───── Cookie-based session ─────
|
|
|
|
// POST /session/set
|
|
// Sets a cookie from request parameters.
|
|
// VULN: document.cookie write from user input
|
|
function setSessionCookie(req, res) {
|
|
var sessionId = req.params.sid;
|
|
document.cookie = "session=" + sessionId + "; path=/; HttpOnly";
|
|
}
|
|
|
|
// ───── Prototype pollution ─────
|
|
|
|
// POST /api/config/merge
|
|
// Merges user-supplied config into the global config object.
|
|
// VULN: prototype pollution via __proto__
|
|
function mergeConfig(req, res) {
|
|
var userConfig = JSON.parse(req.body.config);
|
|
for (var key in userConfig) {
|
|
if (key === "__proto__") {
|
|
// Developer forgot to skip this
|
|
Object.prototype[key] = userConfig[key];
|
|
}
|
|
globalConfig[key] = userConfig[key];
|
|
}
|
|
res.json({ status: "ok" });
|
|
}
|
|
|
|
// ───── Timer-based polling ─────
|
|
|
|
// Sets up a polling interval with a string argument.
|
|
// VULN: setTimeout with string is equivalent to eval
|
|
function startPolling() {
|
|
var interval = 5000;
|
|
setTimeout("checkForUpdates()", interval);
|
|
setInterval("refreshDashboard()", 30000);
|
|
}
|
|
|
|
// ───── Safe patterns ─────
|
|
|
|
// GET /api/profile
|
|
// SAFE: user input sanitized with DOMPurify before rendering
|
|
function renderProfile(req, res) {
|
|
var bio = req.query.bio;
|
|
var cleanBio = DOMPurify.sanitize(bio);
|
|
document.getElementById("bio").innerHTML = cleanBio;
|
|
}
|
|
|
|
// GET /api/redirect
|
|
// SAFE: URL properly encoded before use
|
|
function safeRedirect(req, res) {
|
|
var target = req.query.url;
|
|
var encoded = encodeURIComponent(target);
|
|
res.redirect("/go?url=" + encoded);
|
|
}
|