# Sonar SAST demo in JavaScript

Repository: [philnash/deeper-sast-javascript](https://github.com/philnash/deeper-sast-javascript) (GitHub, JavaScript, MIT license). Description: an example JavaScript application that shows how Sonar's deeper SAST can detect vulnerabilities even with third-party libraries.

This is a simple JavaScript project that is used to demonstrate [Sonar's deeper SAST](https://www.sonarsource.com/solutions/security/) capabilities.

- [Intro](#intro)
- [SAST](#sast)
  - [Deeper SAST](#deeper-sast)
- [Running the application](#running-the-application)
- [License](#license)

## Intro

The application is an Express server that has two endpoints, both of which are used to dynamically return a file from the file system. The code is intentionally simple and vulnerable to a [directory traversal attack](https://owasp.org/www-community/attacks/Path_Traversal). _Do not use code like this in your own application_. The goal is to demonstrate how Sonar can detect the vulnerability.

## SAST

Static Application Security Testing (SAST) is a method of testing the security of an application by examining its source code for vulnerabilities. SAST is one of the most efficient ways to find security flaws early in the development process, and Sonar's SAST capabilities are built into the commercial versions of the [SonarQube](https://www.sonarsource.com/products/sonarqube/) and [SonarCloud](https://www.sonarsource.com/products/sonarcloud/) platforms.

In this example, the route `/image` is vulnerable to a directory traversal attack because it does not properly sanitize the filename that is passed through the query, which is then passed to the `stat` and `createReadStream` functions from Node's built-in [`fs` module](https://nodejs.org/api/fs.html).

You can see [how SonarCloud detects the vulnerability](https://sonarcloud.io/project/issues?resolved=false&types=VULNERABILITY&id=philnash_deeper-sast-javascript&open=AYnYBrsEF5NvR2klfg_o), tracking the data flow from the incoming request, from the `server.js` file to the `src/image-fs.js` file and through the `getImage` function.

![A screenshot of SonarCloud's analysis of this project, showing the locations of the data flow through the code and how the result is vulnerable](./images/sast.png)

### Deeper SAST

In order to better understand applications, deeper SAST enables Sonar's SAST engine to trace data flow in and out of third-party, open-source libraries. You can [read more about Sonar's deeper SAST capabilities here](https://www.sonarsource.com/solutions/security/).

In this example, the route `/image-extra` is almost exactly the same as the `/image` route, with the exception of using the [`fs-extra` library](https://www.npmjs.com/package/fs-extra). `fs-extra` is a drop-in replacement for the built-in `fs` module with some additional capabilities. In this case, we are using the same methods, just importing them from `fs-extra` instead. Without knowledge of the dependency and how it interacts with the file system, a SAST tool would overlook the vulnerability in `./src/image-fs-extra.js`, but Sonar's deeper SAST knows about the library and can spot the vulnerability.

You can see [that SonarCloud detects this vulnerability too](https://sonarcloud.io/project/issues?resolved=false&types=VULNERABILITY&id=philnash_deeper-sast-javascript&open=AYnYBrsEF5NvR2klfg_o), tracking the data flow from the incoming request, from the `server.js` file to the `src/image-fs-extra.js` file, through the `getImage` function and into the function from the third-party, open-source library `fs-extra`.

![A screenshot of SonarCloud's analysis of this project, showing the locations of the data flow through the code and how the result is vulnerable even though it uses a function from a third-party, open-source library](./images/deeper-sast.png)

## Running the application

You can run the application if you want to see the vulnerability in action.

First, clone the repository from GitHub and change into the new directory:

```bash
git clone https://github.com/philnash/deeper-sast-javascript.git
cd deeper-sast-javascript
```

Install the dependencies:

```bash
npm install
```

Then start the server:

```bash
npm start
```

You can then make requests to the server on either of the endpoints: `/image` or `/image-extra`.

For example, if you make a request to [http://localhost:3000/image?filename=sonar.png](http://localhost:3000/image?filename=sonar.png) or [http://localhost:3000/image-extra?filename=sonar.png](http://localhost:3000/image-extra?filename=sonar.png) you will see a Sonar logo.

If you make a request to [http://localhost:3000/image?filename=../package.json](http://localhost:3000/image?filename=../package.json) or [http://localhost:3000/image-extra?filename=../package.json](http://localhost:3000/image-extra?filename=../package.json) you will see the contents of the `package.json` file. This is the vulnerability. And you can keep adding `../` to the query to traverse deeper into the file system.

## License

This project is licensed under the [MIT License](LICENSE).