Various string replacement improvements - prevent injection (#92)

snyk-labs · Dec 2, 2024 · 2df87f4 · 2df87f4
1 parent 88b05e0
commit 2df87f4
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 71 deletions.
diff --git a/GitHub/GH Action pipeline-FullPlatform.yml b/GitHub/GH Action pipeline-FullPlatform.yml
@@ -2,9 +2,9 @@ name: Snyk SCA, Code, IaC and Container CLI monitor example
 
 on:
   push:
-    branches: [ master ]
+    branches: [master]
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 jobs:
   build:
@@ -24,19 +24,20 @@ steps:
     uses: actions/setup-node@v2
     with:
       node-version: ${{ matrix.node-version }}
-      cache: 'npm'
+      cache: "npm"
 
   - name: Setup Snyk + snyk-to-html # For information about the required commands for generating an HTML report see https://github.com/snyk/snyk-to-html
+    env:
+      SNYK_TOKEN: ${{ secrets.SNYK_AUTH }}
     run: |
       npm install snyk -g
       npm install snyk-to-html -g
-      snyk auth ${{secrets.SNYK_AUTH}}
+      snyk auth "$SNYK_TOKEN"
 
   - name: Snyk Open Source # For testing and failing please add snyk test before snyk monitor
     run: |
       snyk monitor
-# For a list of additional available flags/options see: https://docs.snyk.io/snyk-cli/commands
-
+  # For a list of additional available flags/options see: https://docs.snyk.io/snyk-cli/commands
   - name: Snyk Code # Remove || true to fail if there are vulnerabilities
     run: |
       snyk code test || true

diff --git a/GitHub/GH Action pipeline-Windows-Dotnet-CLI.yml b/GitHub/GH Action pipeline-Windows-Dotnet-CLI.yml
@@ -36,9 +36,11 @@ jobs:
         run: dotnet restore
 
       - name: Install & configure Snyk
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         run: |
           curl "https://static.snyk.io/cli/latest/snyk-win.exe" -o snyk.exe
-          .\snyk auth ${{secrets.SNYK_TOKEN}}
+          .\snyk auth "$SNYK_TOKEN"
 
       - name: Run Snyk Open Source (SCA)
         run: |

diff --git a/GitHub/GH-actions-pipeline-npm-java.yml b/GitHub/GH-actions-pipeline-npm-java.yml
@@ -2,9 +2,9 @@ name: Java CI with Maven
 
 on:
   push:
-    branches: [ master ]
+    branches: [master]
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 jobs:
   archive-build-artifacts:
@@ -15,33 +15,35 @@ jobs:
       - name: Set up JDK 11
         uses: actions/setup-java@v2
         with:
-          java-version: '11'
-          distribution: 'adopt'
+          java-version: "11"
+          distribution: "adopt"
       - name: Build with Maven
         run: mvn -B package --file pom.xml
       - name: run MVN install
         run: mvn install # install maven
 
       - uses: actions/setup-node@v2
         with:
-          node-version: '14'
+          node-version: "14"
       - run: npm install snyk -g # install snyk
       - run: snyk -v
-      - run: snyk auth ${{ secrets.snyk_token }} # snyk authentication using GH secrets
+      - name: Setup Snyk
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: snyk auth "$SNYK_TOKEN"
 
-        # Generate the HTML report
       - name: install snyk-to-html
         run: |
-       # Install the Snyk JSON to HTML Mapper using npm
-               npm install snyk-to-html -g
-               # Convert JSON output from `snyk test --json` into a static HTML
-               snyk test --json | snyk-to-html -o result.html
-               mkdir downloads
-               cp -v /home/runner/work/java-goof/java-goof/*.html /home/runner/work/java-goof/java-goof/downloads
+          # Install the Snyk JSON to HTML Mapper using npm
+          npm install snyk-to-html -g
+          # Convert JSON output from `snyk test --json` into a static HTML
+          snyk test --json | snyk-to-html -o result.html
+          mkdir downloads
+          cp -v /home/runner/work/java-goof/java-goof/*.html /home/runner/work/java-goof/java-goof/downloads
 
       # save the HTML in the artifact
       - name: Use the Upload Artifact GitHub Action
         uses: actions/upload-artifact@v2
         with:
           name: results
-          path: downloads
+          path: downloads
diff --git a/GitHub/GH-actions-pipeline-npm-nodejs-sarif.yml b/GitHub/GH-actions-pipeline-npm-nodejs-sarif.yml
@@ -15,54 +15,55 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+      - uses: actions/checkout@v2
 
-    - name: Use Node.js for installing Snyk 
-      uses: actions/setup-node@v2
-      with:
-        node-version: 18.4
+      - name: Use Node.js for installing Snyk
+        uses: actions/setup-node@v2
+        with:
+          node-version: 18.4
 
-    # Install & prepare Snyk
-    - run: npm install --location=global snyk
-
-    #  This OPTIONAL step will configure the Snyk CLI to connect to the EU instance of Snyk
-    #- run: snyk config set use-base64-encoding=true
-    #- run: snyk config set endpoint='https://app.eu.snyk.io/api'
-
-    - run: snyk auth ${{ secrets.SNYK_TOKEN }}
+      # Install & prepare Snyk
+      - run: npm install --location=global snyk
 
-    - name: Snyk Open Source Scanning
-      run: snyk test --org=${{ secrets.SNYK_ORG }} --all-projects --sarif-file-output=snyk-oss.sarif
-      continue-on-error: true
-    - name: Upload results to GitHub Open Source Scanning
-      uses: github/codeql-action/upload-sarif@v2
-      with:
-        sarif_file: snyk-oss.sarif
+      #  This OPTIONAL step will configure the Snyk CLI to connect to the EU instance of Snyk
+      #- run: snyk config set endpoint='https://app.eu.snyk.io/api'
 
-    - name: Snyk Code Scanning
-      run: snyk code test --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk-code.sarif
-      continue-on-error: true
-    - name: Upload results to GitHub Code Scanning
-      uses: github/codeql-action/upload-sarif@v2
-      with:
-        sarif_file: snyk-code.sarif
+      - name: Setup Snyk
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: snyk auth "$SNYK_TOKEN"
 
-    #- name: Build the Docker Image
-    #  run: docker build . --file Dockerfile --tag sebsnyk/juice-shop:latest
+      - name: Snyk Open Source Scanning
+        run: snyk test --org=${{ secrets.SNYK_ORG }} --all-projects --sarif-file-output=snyk-oss.sarif
+        continue-on-error: true
+      - name: Upload results to GitHub Open Source Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk-oss.sarif
 
-    - name: Snyk Container Scanning
-      run: snyk container test --org=${{ secrets.SNYK_ORG }} --file=Dockerfile --sarif-file-output=snyk-container.sarif sebsnyk/juice-shop:latest
-      continue-on-error: true
-    - name: Upload results to GitHub Container Scanning
-      uses: github/codeql-action/upload-sarif@v2
-      with:
-        sarif_file: snyk-container.sarif
+      - name: Snyk Code Scanning
+        run: snyk code test --sarif-file-output=snyk-code.sarif
+        continue-on-error: true
+      - name: Upload results to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk-code.sarif
 
-    - name: Snyk Infrastructure-as-Code Scanning
-      run: snyk iac test --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk-iac.sarif
-      continue-on-error: true
-    - name: Upload results to GitHub IaC Scanning
-      uses: github/codeql-action/upload-sarif@v2
-      with:
-        sarif_file: snyk-iac.sarif
-
+      #- name: Build the Docker Image
+      #  run: docker build . --file Dockerfile --tag sebsnyk/juice-shop:latest
+
+      - name: Snyk Container Scanning
+        run: snyk container test --file=Dockerfile --sarif-file-output=snyk-container.sarif sebsnyk/juice-shop:latest
+        continue-on-error: true
+      - name: Upload results to GitHub Container Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk-container.sarif
+
+      - name: Snyk Infrastructure-as-Code Scanning
+        run: snyk iac test --sarif-file-output=snyk-iac.sarif
+        continue-on-error: true
+      - name: Upload results to GitHub IaC Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk-iac.sarif
diff --git a/GitHub/GH-actions-pipeline-npm-nodejs.yml b/GitHub/GH-actions-pipeline-npm-nodejs.yml
@@ -2,13 +2,12 @@ name: Node.js CI
 
 on:
   push:
-    branches: [ master ]
+    branches: [master]
   pull_request:
-    branches: [ master ]
+    branches: [master]
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
 
     strategy:
@@ -22,10 +21,13 @@ jobs:
         uses: actions/setup-node@v2
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
+          cache: "npm"
       - run: npm install
       - run: npm i -g snyk
-      - run: snyk auth ${{ secrets.SNYK_TOKEN }}
+      - name: Setup Snyk
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: snyk auth "$SNYK_TOKEN"
       - run: snyk monitor
 
       - name: install snyk-to-html
@@ -39,4 +41,4 @@ jobs:
         uses: actions/upload-artifact@v2
         with:
           name: results
-          path: downloads
+          path: downloads