Commit
Showing 662 changed files with 2,603 additions and 2,921 deletions.
@@ -4,7 +4,7 @@ on: | |
push: | ||
branches: | ||
- stable | ||
- development | ||
- unstable | ||
- experimental | ||
|
||
jobs: | ||
|
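Review bot: the trigger list now includes `experimental` (and `stable`, `development`, `unstable`), but the steps in the following hunk only rename the chart and values for `development` and `unstable`, so a push to `experimental` would publish the chart under the default name and values; either add a matching `Change name to experimental` / `Change values to experimental` pair or drop `experimental` from the `branches:` list.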
@@ -21,17 +21,17 @@ jobs: | |
git config --global user.email "[email protected]" | ||
git config --global user.name "Bright Security" | ||
- name: Change name to development | ||
if: ${{ github.ref == 'refs/heads/development' }} | ||
run: | | ||
sed -i 's/brokencrystals/brokencrystals-dev/g' ./charts/brokencrystals/Chart.yaml | ||
sed -i 's/brkn/brkn-dev/g' ./charts/brokencrystals/Chart.yaml | ||
- name: Change name to unstable | ||
if: ${{ github.ref == 'refs/heads/unstable' }} | ||
run: | | ||
sed -i 's/brokencrystals/brokencrystals-unstable/g' ./charts/brokencrystals/Chart.yaml | ||
sed -i 's/brkn/brkn-unstbl/g' ./charts/brokencrystals/Chart.yaml | ||
- name: Change values to development | ||
if: ${{ github.ref == 'refs/heads/development' }} | ||
run: | | ||
sed -i 's/^ main:.*/ main: development/' ./charts/brokencrystals/values.yaml | ||
sed -i 's/^ client:.*/ client: development/' ./charts/brokencrystals/values.yaml | ||
if: ${{ github.ref == 'refs/heads/unstable' }} | ||
run: | | ||
sed -i 's/^ main:.*/ main: unstable/' ./charts/brokencrystals/values.yaml | ||
sed -i 's/^ client:.*/ client: unstable/' ./charts/brokencrystals/values.yaml | ||
- name: Release packages | ||
uses: helm/[email protected] | ||
|
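Review bot: the `if: ${{ github.ref == 'refs/heads/unstable' }}` / `run:` pair that edits values.yaml has no `- name: Change values to unstable` line of its own in this hunk, so those keys attach to the preceding `Change values to development` step mapping as duplicate `if` and `run` keys instead of forming a separate step; add the missing `- name:` line. Separately, `sed -i 's/brkn/brkn-dev/g'` and `sed -i 's/brkn/brkn-unstbl/g'` rewrite every occurrence of `brkn` anywhere in Chart.yaml, not only the field they are meant to change, and the `brkn-unstbl` suffix does not match the `brokencrystals-unstable` spelling on the line above it; anchor the pattern to the specific field (as the values.yaml steps already do with `^ main:`) and use one suffix spelling.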
@@ -1,6 +1,6 @@ | ||
# compiled output | ||
/dist | ||
/public/build | ||
/client/build | ||
/node_modules | ||
|
||
# Logs | ||
|
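Review bot: `/node_modules` is anchored at the repository root, so with the client project now living under `client/` (see `/client/build` above) the `client/node_modules` directory created by `npm ci --prefix=client` is not covered; either add `/client/node_modules` here or confirm a `client/.gitignore` handles it.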
@@ -1,27 +1,63 @@ | ||
FROM node:14 | ||
################### | ||
# BUILD FOR LOCAL DEVELOPMENT | ||
################### | ||
|
||
WORKDIR /var/www/ | ||
FROM node:14-alpine As build | ||
|
||
COPY package*.json ./ | ||
WORKDIR /usr/src/app | ||
|
||
RUN npm ci -q | ||
RUN apk add --no-cache --virtual .gyp python3 py3-pip make g++ | ||
|
||
COPY config ./config | ||
COPY tsconfig.build.json ./ | ||
COPY tsconfig.json ./ | ||
COPY nest-cli.json ./ | ||
COPY .env ./ | ||
COPY src ./src | ||
# Copy and build NestJS server project | ||
COPY --chown=node:node package*.json ./ | ||
COPY --chown=node:node tsconfig.build.json ./ | ||
COPY --chown=node:node tsconfig.json ./ | ||
COPY --chown=node:node nest-cli.json ./ | ||
COPY --chown=node:node mikro-orm.config.ts ./ | ||
COPY --chown=node:node .env ./ | ||
COPY --chown=node:node config ./config | ||
COPY --chown=node:node keycloak ./keycloak | ||
COPY --chown=node:node src ./src | ||
|
||
RUN npm ci | ||
RUN npm run build | ||
RUN npm prune --production | ||
|
||
RUN chown -R node:node /var/www/* | ||
# Copy and build client project | ||
COPY --chown=node:node client/package*.json ./client/ | ||
COPY --chown=node:node client/src ./client/src | ||
COPY --chown=node:node client/public ./client/public | ||
COPY --chown=node:node client/typings ./client/typings | ||
COPY --chown=node:node client/vcs ./client/vcs | ||
COPY --chown=node:node client/tsconfig.json ./client/tsconfig.json | ||
|
||
ENV CYPRESS_INSTALL_BINARY=0 | ||
RUN npm ci --prefix=client | ||
RUN npm run build --prefix=client | ||
|
||
RUN apk del .gyp | ||
|
||
USER node | ||
|
||
ENV NODE_ENV=production | ||
################### | ||
# PRODUCTION | ||
################### | ||
|
||
FROM node:14-alpine As production | ||
|
||
WORKDIR /usr/src/app | ||
|
||
COPY --chown=node:node nest-cli.json ./ | ||
COPY --chown=node:node mikro-orm.config.ts ./ | ||
COPY --chown=node:node .env ./ | ||
COPY --chown=node:node config ./config | ||
COPY --chown=node:node keycloak ./keycloak | ||
|
||
COPY --chown=node:node --from=build /usr/src/app/node_modules ./node_modules | ||
COPY --chown=node:node --from=build /usr/src/app/package*.json ./ | ||
COPY --chown=node:node --from=build /usr/src/app/dist ./dist | ||
|
||
EXPOSE 3000 | ||
COPY --chown=node:node --from=build /usr/src/app/client/build ./client/build | ||
COPY --chown=node:node --from=build /usr/src/app/client/vcs ./client/vcs | ||
|
||
CMD ["npm", "run", "start:prod"] |
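Review bot: the production stage opened by `FROM node:14-alpine As production` has no `USER node` instruction; the only `USER node` in this hunk sits before that line, in the build stage, so the shipped container runs as root even though every file is copied with `--chown=node:node`. Add `USER node` after the last `COPY --chown=node:node` in the production stage and before `CMD`. The `COPY --chown=node:node .env ./` in both stages also bakes whatever is in `.env` into the image layers; pass that configuration at runtime (environment variables or a mounted secret) so credentials do not ship with the image, and add `.env` to `.dockerignore` if it is not already there.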
@@ -6,11 +6,11 @@ The application contains: | |
- React based web client | ||
- FE - http://localhost:8090 | ||
- BE - http://localhost:3000 | ||
- NodeJS server - the full API documentation is available via swagger or GraphQL | ||
- NodeJS server that serves the React client and provides both OpenAPI and GraphQL endpoints. | ||
The full API documentation is available via swagger or GraphQL: | ||
- Swagger UI - http://localhost:8090/swagger | ||
- Swagger JSON file - http://localhost:8090/swagger-json | ||
- GraphiQL UI - http://localhost:8090/graphiql | ||
- nginx web server that serves the client and acts as a reverse proxy for the server's API requests | ||
|
||
> **Note** | ||
> The GraphQL API does not yet support all of the endpoints the REST API does. | ||
|
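Review bot: two bullets in this list now both claim to serve the React client, the rewritten `NodeJS server that serves the React client ...` bullet and the `nginx web server that serves the client and acts as a reverse proxy` bullet, while the `FE - http://localhost:8090` / `BE - http://localhost:3000` split and the Swagger and GraphiQL URLs on port 8090 still describe the nginx layout. State which component serves the client in the docker-compose setup versus the helm deployment, or drop the nginx bullet and the separate BE port if nginx is no longer part of the stack.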
@@ -22,14 +22,48 @@ The application contains: | |
npm ci && npm run build | ||
|
||
# build client | ||
npm ci --prefix public && npm run build --prefix public | ||
npm ci --prefix client && npm run build --prefix client | ||
|
||
#build and start dockers with Postgres DB, nginx and server | ||
docker-compose --file=docker-compose.local.yml up -d | ||
|
||
#rebuild dockers | ||
docker-compose --file=docker-compose.local.yml up -d --build | ||
``` | ||
## Running application with helm chart | ||
Helm command example: | ||
```bash | ||
helm upgrade --install --namespace distributor broken \ | ||
--set snifferApiURL=https://hotel.playground.neuralegion.com \ | ||
--set snifferProjectID=ud8v8jwUaG14JiAihMQx1M \ | ||
--set snifferApiKey=6g0daym.nexp.spkuhhishhttv \ | ||
--set snifferNetworkInterface=lo0 \ | ||
--set repeaterID=5r9Kci7AKLx4bkN58yYCDz \ | ||
--set token=nptbmxr.nexp.kkaux80olef2mew3n3r3rw08tww3c4f5 \ | ||
--set cluster=hotel.playground.neuralegion.com \ | ||
--set timeout=40000 \ | ||
--set repeaterImageTag=v11.5.0-next.4 \ | ||
--set ingress.url=broken.k3s.brokencrystals.nexploit.app \ | ||
--set ingress.cert=distributorwildcard \ | ||
--set ingress.authlevel=- . --wait | ||
``` | ||
|
||
### Arguments info | ||
|
||
**repeaterID, token and cluster** - These argument values are required if you want to use repeater. In case you don't set any of these fields, repeater container won't be run. In that case this will be regular bc deployment. (Required arguments if repeater container is to be used). | ||
|
||
**timeout** - this is optional argument for repeater deployment with default value 30000 if it is not set, it's only used in conjuction with main repeater options (optional argument). | ||
|
||
**repeaterImageTag** - this argument is optional with default value latest if field is not set. Notice these are docker tags and not repeater versions. They are similar but not the same. Dockerhub tags usually have "v" in front of repeater version. this argument is only used in conjuction with main repeater options (optional argument). | ||
|
||
**snifferApiURL, snifferProjectID and snifferApiKey** - These argument values are required if you want to use sniffer. In case you don't set any of these fields, sniffer container won't be run. In that case this will be regular bc deployment. (Required arguments if sniffer container is to be used). | ||
|
||
**snifferNetworkInterface** - this is optional argument for sniffer deployment with default value set to **"eth0"** if it is not set explicitly, it's only used in conjuction with main sniffer options (optional argument). | ||
|
||
**namespace** - kubernetes namespace where app will be spawned. | ||
|
||
**ingress.url** - Domain name that will be used to access app from Internet. | ||
|
||
|
||
## Running application with helm | ||
Helm command example: | ||
|
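Review bot: the helm example carries what look like live credential values, `--set snifferApiKey=6g0daym.nexp.spkuhhishhttv` and `--set token=nptbmxr.nexp.kkaux80olef2mew3n3r3rw08tww3c4f5`, together with real-looking project and repeater IDs; replace them with placeholders such as `<SNIFFER_API_KEY>` and `<REPEATER_TOKEN>` before this lands in a public README, and rotate the values if they were ever valid. The new `## Running application with helm chart` section also duplicates the existing `## Running application with helm` heading that immediately follows it; merge the two. Minor: `conjuction` should be `conjunction` in the argument descriptions, and `#build and start dockers` / `#rebuild dockers` are missing the space after `#` used elsewhere in the block.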
@@ -165,3 +199,24 @@ Additionally, the endpoint PUT /api/users/one/{email}/photo accepts SVG images, | |
2. The endpoint GET `/api/partners/searchPartners` is supposed to search partners' names by a given keyword. It's vulnerable to an XPATH injection using string detection payloads. When exploited, it can grant access to sensitive information like passwords and even lead to full data leak. You can use `')] | //password%00//` or `')] | //* | a[('` to exploit the EP. | ||
3. The endpoint GET `/api/partners/query` is a raw XPATH injection endpoint. You can put whatever you like there. It is not referenced in the frontend, but it is an exposed API endpoint. | ||
4. Note: All endpoints are vulnerable to error based payloads. | ||
|
||
* **Prototype Pollution** - The `/marketplace` endpoint is vulnerable to prototype pollution using the following methods: | ||
1. The EP GET `/marketplace?__proto__[Test]=Test` represents the client side vulnerabillity, by parsing the URI (for portfolio filtering) and converting | ||
it's parmeters into an object. This means that a requests like `/marketplace?__proto__[TestKey]=TestValue` will lead to a creation of `Object.TestKey`. | ||
One can test if an attack was successful by viewing the new property created in the console. | ||
This EP also supports prototyp pollution based DOM XSS using a payload such as `__proto__[prototypePollutionDomXss]=data:,alert(1);`. | ||
The "legitimate" code tries to use the `prototypePollutionDomXss` parameter as a source for a script tag, so if the exploit is not used via this key it won't work. | ||
2. The EP GET `/api/email/sendSupportEmail` represents the server side vulnerabillity, by having a rookie URI parsing mistake (similiar to the client side). | ||
This means that a request such as `/api/email/sendSupportEmail?name=Bob%20Dylan&__proto__[status]=222&to=username%40email.com&subject=Help%20Request&content=Help%20me..` | ||
will lead to a creation of `uriParams.status`, which is a parameter used in the final JSON response. | ||
|
||
* **Date Manipulation** - The `/api/products?date_from={df}&date_to={dt}` endpoint fetches all products that were created between the selected dates. There is no limit on the range of dates and when a user tries to query a range larger than 2 years querying takes a significant amount of time. This EP is used by the frontend in the `/marketplace` page. | ||
|
||
* **Email Injection** - The `/api/email/sendSupportEmail` is vulnerable to email injection by supplying tempred recipients. | ||
To exploit the EP you can dispatch a request as such `/api/email/sendSupportEmail?name=Bob&to=username%40email.com%0aCc:%[email protected]&subject=Help%20Request&content=I%20would%20like%20to%20request%20help%20regarding`. | ||
This will lead to the sending of a mail to both `[email protected]` and `[email protected]` (as the Cc). | ||
Note: This EP is also vulnerable to `Server side prototype pollution`, as mentioned in this README. | ||
|
||
* **Insecure Output Handling** - The `/chat` route is vulnerable to non-sanitized output originating from the LLM response. | ||
Issue a `POST /api/chat` request with body payload like `[{"content": "Provide a minimal html markup for img tag with invalid source and onerror attribute with alert", "role": "user"}]`. | ||
The response will include raw HTML code. If this output is not properly sanitized before rendering, it can trigger an alert box in the user interface. |
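Review bot: spelling in the new text: `vulnerabillity` (twice), `parmeters`, `it's parmeters` should be `its parameters`, `prototyp pollution`, `similiar`, `tempred`. In the Prototype Pollution item 1, the property created by `__proto__[TestKey]=TestValue` lands on `Object.prototype` (so it is reachable as `Object.prototype.TestKey` and inherited by every object), not on `Object.TestKey` as written; adjust the wording so readers check the right place in the console. In the Insecure Output Handling bullet, the first sentence names the `/chat` route while the request shown is `POST /api/chat`; say that `/chat` is the UI page and `/api/chat` the API it calls, if that is the intent, and note that the mitigation is sanitizing or escaping the LLM output before it is rendered.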