Add security vulnerabilities for testing and demonstration

🚨 Security Vulnerabilities Demo

This merge request introduces intentional security vulnerabilities for testing GitLab's security scanning capabilities and security training purposes.

⚠️ WARNING

This code contains multiple high-severity security vulnerabilities and should NOT be deployed to production environments.

🔍 Vulnerabilities Included

1. SQL Injection (vulnerable-auth.js)

  • Direct string concatenation in database queries
  • No parameterized queries or input sanitization
  • Allows attackers to manipulate database queries

2. Command Injection (command-executor.js)

  • Direct execution of user-provided system commands
  • No input validation or command sanitization
  • Allows arbitrary system command execution

3. Cross-Site Scripting (XSS) (user-profile.js)

  • Reflected XSS: Direct output of user input without escaping
  • Stored XSS: User comments stored and displayed without sanitization
  • Allows script injection and session hijacking

4. Code Injection (command-executor.js)

  • Use of eval() function with user input
  • Allows arbitrary JavaScript code execution
  • Critical security vulnerability

5. Information Disclosure (user-profile.js)

  • Debug endpoint exposing system information
  • Environment variables and process details exposed
  • Sensitive system data leaked to users

6. Hardcoded Credentials (Multiple files)

  • Database passwords in source code
  • API keys and secret tokens hardcoded
  • AWS credentials exposed in environment file

7. Vulnerable Dependencies (package.json)

  • lodash@4.17.20 - Known prototype pollution vulnerabilities
  • serialize-javascript@3.1.0 - XSS vulnerabilities
  • handlebars@4.7.6 - Template injection vulnerabilities
  • moment@2.29.1 - ReDoS vulnerabilities

📁 Files Added/Modified

  • vulnerable-auth.js - Authentication with SQL injection
  • command-executor.js - System commands with injection flaws
  • user-profile.js - User interface with XSS vulnerabilities
  • package.json - Updated with vulnerable dependencies
  • .env - Environment file with exposed secrets

🎯 Expected Security Scan Results

After merging, GitLab security scanners should detect:

  • Critical: Command injection, SQL injection, code injection
  • High: XSS vulnerabilities, hardcoded secrets
  • Medium: Information disclosure, insecure configurations
  • Dependency vulnerabilities: Multiple CVEs in outdated packages

🧪 Testing Purpose

This code is designed to:

  • Test GitLab's security scanning capabilities
  • Demonstrate various vulnerability types
  • Train security teams on vulnerability identification
  • Validate security policies and approval workflows

Next Steps

  1. Review security scan results
  2. Analyze vulnerability reports
  3. Test security policy enforcement
  4. Use for security training exercises

DO NOT MERGE TO PRODUCTION
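The reflected and stored XSS pattern described for user-profile.js, shown beside its hardened form as an added example; this is not code from the merge request, and the handler names and request shape are assumptions for illustration.

```javascript
// Added example, not from the merge request: the XSS patterns the description
// attributes to user-profile.js, next to the output-encoding fix. The handler
// names and the `req.query` shape are assumptions for illustration.

// Vulnerable form: user input is concatenated straight into the HTML response.
function renderProfileVulnerable(req) {
  const name = req.query.name;
  return `<h1>Welcome, ${name}</h1>`;
}

// Encode the five characters that matter in an HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened form: every untrusted value is encoded for the HTML context at output time.
function renderProfileSafe(req) {
  const name = escapeHtml(req.query.name);
  return `<h1>Welcome, ${name}</h1>`;
}

// Stored-XSS variant: comments that were persisted unescaped are still rendered safely,
// because encoding happens at output rather than at storage time.
function renderComments(comments) {
  return '<ul>' + comments.map((c) => `<li>${escapeHtml(c)}</li>`).join('') + '</ul>';
}

// Constructed sample input: a script tag, the textbook probe a scanner would flag.
const sample = { query: { name: '<script>alert(1)</script>' } };
console.log(renderProfileVulnerable(sample)); // tag passes through unchanged
console.log(renderProfileSafe(sample));       // tag is neutralised: &lt;script&gt;...
```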
