Java Reachability Playground Modified by ASecurityGuru for End to End Java DevSecOps Project Case Study

Updated on 11th June, 2022 - Added SonarCloud Code Coverage Changes

This is an intentionally vulnerable application. It was purposely designed to demonstrate the capabilities of Snyk's Reachable Vulnerabilities feature and includes both a "Reachable" vulnerability (with a direct data flow to the vulnerable function) and a "Potentially Reachable" vulnerability (where only partial data exists for determining reachability).

Included vulnerabilities

Arbitrary File Write via Archive Extraction

An exploit is using a vulnerability called ZipSlip - a critical vulnerability discovered by Snyk, which typically results in remote command execution. As part of the exploit, a special zip archive is crafted (attached as malicious_file.zip). When this file is extracted by a vulnerable function, it will create a file called good.txt in the folder unzipped, but it will also create a file called evil.txt in the /tmp/ folder. This example is not dangerous, of course, but demonstrates the risk the vulnerability poses - imagine overwriting .ssh/authorized_keys or another sensitive file.

Deserialization of Untrusted Data

This vulnerability is not exploited. It demonstrates potentially vulnerable code, for which data about vulnerable functions is not available.

How to run the demo (Maven)

Checkout this repository (git checkout [email protected]:snyk/java-reachability-playground.git)
Install all the dependencies (mvn install)
Compile the project (mvn compile)
Run the main class (mvn exec:java -Dexec.mainClass=Unzipper); the application should throw an exception saying Malicious file /tmp/evil.txt was created.
Run snyk command with Reachable Vulnerabilities flag (snyk test --reachable or snyk monitor --reachable); you should see the vulnerability SNYK-JAVA-ORGND4J-72550 marked as reachable and the function call path to the vulnerability

For Gradle

Make sure you build the artifacts with ./gradlew build
To see test results run snyk test --file=build.gradle --reachable or monitor: snyk monitor --file=build.gradle --reachable

Note: Once the java application is run, malicious_file.zip will be deleted by it. To run it again, run git checkout . prior to next java run.

Name		Name	Last commit message	Last commit date
Latest commit History 16 Commits
.github/workflows		.github/workflows
app/.jdk/bin		app/.jdk/bin
gradle/wrapper		gradle/wrapper
src		src
CLI_reachable.png		CLI_reachable.png
README.md		README.md
UI_reachable.png		UI_reachable.png
build.gradle		build.gradle
buildspec.yml		buildspec.yml
gradlew		gradlew
gradlew.bat		gradlew.bat
java-reachable-goof.iml		java-reachable-goof.iml
malicious_file.zip		malicious_file.zip
pom.xml		pom.xml
settings.gradle		settings.gradle

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Java Reachability Playground Modified by ASecurityGuru for End to End Java DevSecOps Project Case Study

Updated on 11th June, 2022 - Added SonarCloud Code Coverage Changes

Included vulnerabilities

Arbitrary File Write via Archive Extraction

Deserialization of Untrusted Data

How to run the demo (Maven)

For Gradle

About

Releases

Packages

Languages

asecurityguru/devsecops-github-actions-all

Folders and files

Latest commit

History

Repository files navigation

Java Reachability Playground Modified by ASecurityGuru for End to End Java DevSecOps Project Case Study

Updated on 11th June, 2022 - Added SonarCloud Code Coverage Changes

Included vulnerabilities

Arbitrary File Write via Archive Extraction

Deserialization of Untrusted Data

How to run the demo (Maven)

For Gradle

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages