osweekends / batimagen

A project about metadata from the cybersecurity guild

License: GNU General Public License v3.0

JavaScript 46.47% CSS 15.52% HTML 28.70% Shell 9.30%
exiftool osint image-analysis nodejs

batimagen's Introduction


Batimagen

File analyser that uses metadata and third-party APIs. Includes an optional honeypot.


The project uses Phil Harvey's ExifTool library to extract the metadata information from the file.

A virus scan is also run using VirusTotal. For images, the file is sent to the Google Vision API to detect a range of features such as similar images, text, faces, etc.

We use Node.js and Pug to build a server-rendered web application.

Motivation

We built this tool to show the world the importance of metadata and privacy. Our ultimate goal is to raise awareness and teach the general public good use of technology.

Team

Acknowledgements

We need

We need help, join us!

  • Translator: will you help us build this site in English?
  • Documentation: will you help us explain to the world better what metadata is?

Demo

The project is available to download and run locally.

Technology used

Dependencies

  • express: HTTP server handling
  • express-fileupload: handling of files sent by the client in POST requests
  • node-exiftool: exiftool wrapper for Node.js
  • pug: backend template engine

How to contribute to the project

More information in CONTRIBUTING.md

How to use it?

Without Docker

TL;DR

You only need Node and a download of exiftool.

Installation

Prepare the environment

Download the project

git clone https://github.com/OSWeekends/batimagen.git

Launch the project locally

If you follow this procedure you need to insert the Google API tokens in node.env, as well as the VirusTotal one. Follow the instructions in package.json, where you can see that the command is start:

npm run start

Using Docker

Download the Docker image

You need Docker installed on your computer.

Download the Batimagen image from DockerHub with the following command:

docker pull osweekends/batimagen

Launch the project locally

Once that is done, you can run the container with this command. In this case neither the Google API nor the VirusTotal token is used, so those results will not appear in the analysis:

docker run -p 3000:3000 osweekends/batimagen

Launch the project with everything (third party)

Save the Google Cloud token file at secrets/SECRET_gcloud.json

# -p: port binding
# -v temp: extract the analyses from the container
# -v secrets: share the credentials file
# TP_ENABLED: enable third parties
# TP_VIRUSTOTAL: enable VirusTotal
# TP_GVISION: enable Google Vision
# VIRUSTOTAL: add your VirusTotal token
# GOOGLE_APPLICATION_CREDENTIALS: link the path of the Google Cloud tokens
# (comments must not follow a trailing backslash, or the line continuation breaks)
$ docker run \
     -p 3000:3000 \
     -v "$(pwd)/temp/":/app/temp/ \
     -v "$(pwd)/secrets/":/app/secrets/ \
     -e TP_ENABLED=true \
     -e TP_VIRUSTOTAL=true \
     -e TP_GVISION=true \
     -e VIRUSTOTAL='----YOUR TOKEN ----' \
     -e GOOGLE_APPLICATION_CREDENTIALS='./secrets/SECRET_gcloud.json' \
     osweekends/batimagen

Project status

We are currently in active development of the first MVP (Sprints 1 and 0 in parallel)

Disclaimer

This project is intended to raise user awareness of cybersecurity, prevention, and the detection of unauthorised use of computer systems.

When applying this knowledge, users must bear in mind that the rules governing computer security have to be respected, avoiding any act that does not comply with current law; any misuse of this project is their responsibility.

The project developers are not responsible for any negligent or unlawful use that users may make of the knowledge presented in this project.

Some extra info ;)

https://docs.google.com/presentation/d/1a2DEwlg6Ssnqqwu98su5ykK_8YhL_8dKToJ2T6fxzfI/edit?usp=sharing

License

GPL-3.0


batimagen's People

Contributors

elenamlopez, franciscovaldesoiro, ulisesgascon


batimagen's Issues

CVE-2019-10744 (High) detected in lodash-4.17.11.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /batimagen/package.json

Path to vulnerable library: /tmp/git/batimagen/node_modules/lodash/package.json

Dependency Hierarchy:

  • snyk-1.189.0.tgz (Root Library)
    • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: 8ffa6931485ab67537327529dd72290783159077

Vulnerability Details

A Prototype Pollution vulnerability was found in lodash through version 4.17.11.

Publish Date: 2019-07-08

URL: CVE-2019-10744

CVSS 2 Score Details (7.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: lodash/lodash@a01e4fa

Release Date: 2019-07-08

Fix Resolution: 4.17.12



Prepare Sprint 1 (MVP)

Pending

  • Negotiate the features
  • Split up the tasks
  • Agree on a delivery date, expected before 19 May

WS-2019-0310 (High) detected in https-proxy-agent-2.2.1.tgz

WS-2019-0310 - High Severity Vulnerability

Vulnerable Library - https-proxy-agent-2.2.1.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/https-proxy-agent/package.json

Dependency Hierarchy:

  • vision-0.25.0.tgz (Root Library)
    • google-gax-0.25.4.tgz
      • google-auth-library-3.1.0.tgz
        • https-proxy-agent-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 4ca62256d58578677914676b0e282fb69b9fb06a

Vulnerability Details

In 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.

Publish Date: 2019-10-07

URL: WS-2019-0310

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1184

Release Date: 2019-10-07

Fix Resolution: https-proxy-agent - 2.2.3



CVE-2017-18214 High Severity Vulnerability detected by WhiteSource

CVE-2017-18214 - High Severity Vulnerability

Vulnerable Library - moment-2.15.2.tgz

Parse, validate, manipulate, and display dates

path: /tmp/git/batimagen/node_modules/emailjs/node_modules/moment/package.json

Library home page: https://registry.npmjs.org/moment/-/moment-2.15.2.tgz

Dependency Hierarchy:

  • node-virustotal-2.4.2.tgz (Root Library)
    • emailjs-1.0.12.tgz
      • moment-2.15.2.tgz (Vulnerable Library)

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Change files

Origin: moment/moment@69ed9d4

Release Date: 2017-11-29

Fix Resolution: Replace or update the following files: regex.js, moment-with-locales.js, moment.js



view results

Pending

  • Structure the content

Content

Metadata

  • Show it as is, but in a smaller font

Virus

  • Giant button that takes you to the VirusTotal site with the generated report, target: _blank

AI analysis

  • Giant collapsible buttons for the main sections

"Detected Faces" section

  • Relevant: detectionConfidence (% success) and the xxxxxLikelihood fields

Roadmap HackMiami Con 7 💪

Pending

Previous

Code

Optional

  • Redesign and work with Ancoar
  • Testing :trollface:

Documentation

Notes

Roadmap

  • 0.2.0 with Docker (critical), deadline week 12 of 2019 (Docker + previous)
  • 1.0.0 with everything else (less critical), week 14 of 2019 (code)
  • Easter week: documentation, slides, etc.

Release names

WS-2019-0314 (Medium) detected in express-fileupload-1.0.0.tgz

WS-2019-0314 - Medium Severity Vulnerability

Vulnerable Library - express-fileupload-1.0.0.tgz

Simple express file upload middleware that wraps around Busboy

Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express-fileupload/package.json

Dependency Hierarchy:

  • express-fileupload-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 4ca62256d58578677914676b0e282fb69b9fb06a

Vulnerability Details

In "richardgirges/express-fileupload", versions prior to v1.1.6-alpha.6 are vulnerable to DOS, as a result of an unparsed file name.

Publish Date: 2019-10-18

URL: WS-2019-0314

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1216

Release Date: 2019-10-18

Fix Resolution: 1.1.6-alpha.6



Research

First sweep of libraries

Recommended by Kr0n0

  • exiftool A node.js wrapper around exiftool, a commandline utility that can extract metadata from many different filetypes, including JPEG, PNG, PDF, WMV, MOV. For a full list see the exiftool list of supported filetypes.

Node Jsdom Scrape Google's Reverse Image Search

"I want to programatically find a list of URLs for similar images given an image URL. I can't find any free image search APIs so I'm trying to do this by scraping Google's Search by Image...."

Stegdetect:
Library for detecting steganographic content: steganography (from the Greek στεγανος steganos, "covered" or "hidden", and γραφος graphos, "writing") is the study and application of techniques for hiding messages or objects inside others, called carriers, so that their existence goes unnoticed. Wikipedia.

Dockerize the app

As a developer I want to dockerize the app.

Resources:

- https://semaphoreci.com/community/tutorials/dockerizing-a-node-js-web-application

Integrate Stegdetect

Originally proposed by @Kr0n0

Stegdetect:
Library for detecting steganographic content: steganography (from the Greek στεγανος steganos, "covered" or "hidden", and γραφος graphos, "writing") is the study and application of techniques for hiding messages or objects inside others, called carriers, so that their existence goes unnoticed. Wikipedia.

CVE-2019-20149 (Medium) detected in kind-of-3.2.2.tgz

CVE-2019-20149 - Medium Severity Vulnerability

Vulnerable Library - kind-of-3.2.2.tgz

Get the native type of a value.

Library home page: https://registry.npmjs.org/kind-of/-/kind-of-3.2.2.tgz

Path to dependency file: /tmp/ws-scm/batimagen/package.json

Path to vulnerable library: /tmp/ws-scm/batimagen/node_modules/kind-of/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • uglify-js-2.8.29.tgz
        • yargs-3.10.0.tgz
          • cliui-2.1.0.tgz
            • center-align-0.1.3.tgz
              • align-text-0.1.4.tgz
                • kind-of-3.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 493cbe24d8ebe21f21db697094d361ce17d6718d

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 2 Score Details (5.0)

Base Score Metrics not available



We need a logo. Help us!

Hi!

We would like you to help us with a beautiful logo that represents our project. Our project analyses the metadata of images and documents and is a tool to raise the world's awareness of the inherent danger of metadata (data about data). For example, your photographs can include hidden information such as location.

To get an idea of how this project works, we have left you this presentation

What do we need / would we like?

  • A logo in vector format
  • The colours we use (we play with a green-and-black terminal style)
  • It is important that the logo also works (schematic or not) as a favicon for the web
  • We would like to have it for the next release, dedicated to Georgia O'Keeffe (current version: Frida Kahlo)

🙏 Help us, we are waiting for you!

  • If you have a proposal, just add it to this issue; you can use drag and drop
  • If there are several proposals, we will keep the most voted one 👍

view index

Pending

  • Do something with the "logo"
  • Translate everything into English
  • Fix the form styles
  • "Hacker effect" buttons
  • Space for the disclaimer
  • Space for the license
  • Link + text? about OSW Guilds
  • Link to GitHub

CVE-2020-7598 (Medium) detected in minimist-0.0.8.tgz, minimist-1.2.0.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.8.tgz, minimist-1.2.0.tgz

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/mkdirp/node_modules/minimist/package.json,/node_modules/minimist/package.json

Dependency Hierarchy:

  • node-virustotal-2.4.2.tgz (Root Library)
    • tar-2.2.1.tgz
      • fstream-1.0.11.tgz
        • mkdirp-0.5.1.tgz
          • minimist-0.0.8.tgz (Vulnerable Library)

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/grpc/node_modules/minimist/package.json

Dependency Hierarchy:

  • vision-0.25.0.tgz (Root Library)
    • google-gax-0.25.4.tgz
      • grpc-1.19.0.tgz
        • node-pre-gyp-0.12.0.tgz
          • rc-1.2.8.tgz
            • minimist-1.2.0.tgz (Vulnerable Library)

Found in HEAD commit: aa82ff1f68d02ea40b74454bc494aa11785f428a

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Release Date: 2020-03-11

Fix Resolution: minimist - 0.2.1,1.2.3



CVE-2017-18214 High Severity Vulnerability detected by WhiteSource

CVE-2017-18214 - High Severity Vulnerability

Vulnerable Library - moment-2.15.2.tgz

Parse, validate, manipulate, and display dates

path: /tmp/git/batimagen/node_modules/emailjs/node_modules/moment/package.json

Library home page: https://registry.npmjs.org/moment/-/moment-2.15.2.tgz

Dependency Hierarchy:

  • node-virustotal-2.4.2.tgz (Root Library)
    • emailjs-1.0.12.tgz
      • moment-2.15.2.tgz (Vulnerable Library)

Found in HEAD commit: 96c5623166ed27190affa49ce1f351458a85858a

Vulnerability Details

The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.

Publish Date: 2018-03-04

URL: CVE-2017-18214

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/532

Release Date: 2017-11-27

Fix Resolution: Update to version 2.19.3



CVE-2018-20834 (High) detected in tar-2.2.1.tgz

CVE-2018-20834 - High Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

  • node-virustotal-2.4.2.tgz (Root Library)
    • tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: e3c9fb28a65279a6f1183d5fb3c95bb64f92b509

Vulnerability Details

A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2.

Publish Date: 2019-04-30

URL: CVE-2018-20834

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2019-04-30

Fix Resolution: 2.2.2,4.4.2



CVE-2020-7699 (High) detected in express-fileupload-1.0.0.tgz

CVE-2020-7699 - High Severity Vulnerability

Vulnerable Library - express-fileupload-1.0.0.tgz

Simple express file upload middleware that wraps around Busboy

Library home page: https://registry.npmjs.org/express-fileupload/-/express-fileupload-1.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/express-fileupload/package.json

Dependency Hierarchy:

  • express-fileupload-1.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 002a5d2a7f8a8c7e9bf7c418545f1586e0729b0a

Vulnerability Details

This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.

Publish Date: 2020-07-30

URL: CVE-2020-7699

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: richardgirges/express-fileupload#236

Release Date: 2020-07-30

Fix Resolution: 1.1.8



CVE-2018-16487 (High) detected in lodash-4.17.4.tgz

CVE-2018-16487 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: /batimagen/package.json

Path to vulnerable library: /tmp/git/batimagen/node_modules/@goblindb/goblindb/node_modules/lodash/package.json

Dependency Hierarchy:

  • goblindb-0.1.1.tgz (Root Library)
    • lodash-4.17.4.tgz (Vulnerable Library)

Found in HEAD commit: 35b57dd298c3e989d269b49de4e8701f9c5b5a10

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11



Define tasks

Define the list of tasks and decide which technologies to use in development.
Express?
Auth for users?
Store data?
Desktop application, or do we go with the console?

....
I'm living in a sea of doubts

RoadMap for Release 2.0 (next one)

Changes requested

Infrastructure

  • Let's split the build to 2 steps: Batimage-core-env and batimagen
  • Upgrade to ubuntu latest
  • Improve docker behaviour as main task
  • Docker multistaging, see
  • Reduce docker weight
  • Travis CI
  • Improve Docker build steps

Backend

  • #53 Husky for linter with Standard and Prettier
  • Let's use debug to simplify the logging stuff
  • #54 Upgrade dependencies
  • Convert ./lib/phoenix.js internal module to external dependency in NPM
  • Define new architecture for Backend to support large files (database and better HTTP Handler, API endpoints)
  • Define a new way to manage the workflows using worksmith

Frontend

  • Migration from Jade to Ejs (TBC with frontend architecture). Leader: @KoolTheba
  • New frontend architecture? Based on new Backend features such as Api Rest
  • New Frontend Redesign Brainstorming. Related: #16
  • Missing back button

New features

Testing

  • Let's add unit testing with Jest, btw!
  • Let's add e2e testing with cypress
  • Let's add functional testing with Jest for workflows

Documentation

  • We need a landing?
  • Installation guide [EN/ES]
  • Youtube videos about Batimagen
  • Full demo video

Miscellaneous

  • We need a logo! 💪
  • Release name: Georgia O'Keeffe

Legacy Matters

  • Forensic Paper Dependency #21
  • ⚠️ WS-2019-0047 Medium Severity Vulnerability detected by WhiteSource #30
  • ⚠️ CVE-2017-18214 High Severity Vulnerability detected by WhiteSource #24
  • ⚠️ remove old branches from this project. leader: @UlisesGascon

BUG: Reload original image at forensic tab

As user I want to see the original image again, after load other analysis in the forensic tab.

After analysing an image, go to the forensic tab, change the view, and press the 'original' button. The image link is broken.

CVE-2020-15366 (Medium) detected in ajv-6.10.0.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Library - ajv-6.10.0.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.10.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ajv/package.json

Dependency Hierarchy:

  • node-virustotal-2.4.2.tgz (Root Library)
    • request-2.88.0.tgz
      • har-validator-5.1.3.tgz
        • ajv-6.10.0.tgz (Vulnerable Library)

Found in HEAD commit: b2e815be74ae58d35be335bf7aabcc699c1db776

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://github.com/ajv-validator/ajv/releases/tag/v6.12.3

Release Date: 2020-07-15

Fix Resolution: ajv - 6.12.3



CVE-2018-3721 (Medium) detected in lodash-4.17.4.tgz

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Library - lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: /batimagen/package.json

Path to vulnerable library: /tmp/git/batimagen/node_modules/@goblindb/goblindb/node_modules/lodash/package.json

Dependency Hierarchy:

  • goblindb-0.1.1.tgz (Root Library)
    • lodash-4.17.4.tgz (Vulnerable Library)

Found in HEAD commit: 35b57dd298c3e989d269b49de4e8701f9c5b5a10

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5



Change the "start" task

In package.json there is a task that reads:

"scripts": {
    "start": "node run tokens && node server.js",
    "tokens": "export GOOGLE_APPLICATION_CREDENTIALS='./SECRET_gcloud.json'"
  }

In start, node run tokens..... has to be changed to npm run tokens...

Shall we set up a kanban?

Well, that... a project with its kanban?
How to organise the meetups...
A logbook to note down what is agreed in meetings?
Code style?
....
....

WS-2019-0100 (Medium) detected in fstream-1.0.11.tgz

WS-2019-0100 - Medium Severity Vulnerability

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /batimagen/package.json

Path to vulnerable library: /tmp/git/batimagen/node_modules/fstream/package.json

Dependency Hierarchy:

  • node-virustotal-2.4.2.tgz (Root Library)
    • tar-2.2.1.tgz
      • fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 26e6736935fbc7d62f8a1dd88261f54b72d049c1

Vulnerability Details

Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.

Publish Date: 2019-05-23

URL: WS-2019-0100

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/886

Release Date: 2019-05-23

Fix Resolution: 1.0.12



Integrate ebemunk/phoenix/

ebemunk/phoenix

Pending:

  • Installation script
  • Analyse the most relevant methods
  • Build a module using child processes
  • Integrate the module with batimagen
  • Integrate the images into the response

Fix for version 1.0.1

  • Update the text replace
  • Test the replace with several files containing many spaces
  • Bump the package to version 1.0.1
  • Close the docs for good
  • Check that the changes to the forensics buttons work properly
  • Verify that Fran's config.js PR has not propagated (nothing in config.js needed changing)
  • Make a PR from dev to master

CVE-2019-13173 (Medium) detected in fstream-1.0.11.tgz

CVE-2019-13173 - Medium Severity Vulnerability

Vulnerable Library - fstream-1.0.11.tgz

Advanced file system stream things

Library home page: https://registry.npmjs.org/fstream/-/fstream-1.0.11.tgz

Path to dependency file: /batimagen/package.json

Path to vulnerable library: /tmp/git/batimagen/node_modules/fstream/package.json

Dependency Hierarchy:

  • node-virustotal-2.4.2.tgz (Root Library)
    • tar-2.2.1.tgz
      • fstream-1.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 26e6736935fbc7d62f8a1dd88261f54b72d049c1

Vulnerability Details

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Publish Date: 2019-07-02

URL: CVE-2019-13173

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13173

Release Date: 2019-07-02

Fix Resolution: 1.0.12



CVE-2020-7720 (High) detected in node-forge-0.8.1.tgz

CVE-2020-7720 - High Severity Vulnerability

Vulnerable Library - node-forge-0.8.1.tgz

JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.

Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.8.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-forge/package.json

Dependency Hierarchy:

  • vision-0.25.0.tgz (Root Library)
    • google-gax-0.25.4.tgz
      • google-auth-library-3.1.0.tgz
        • gtoken-2.3.3.tgz
          • google-p12-pem-1.0.4.tgz
            • node-forge-0.8.1.tgz (Vulnerable Library)

Found in HEAD commit: 8998924e18246d26bca1a44a8961c821ae9ca27e

Vulnerability Details

The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions.

Publish Date: 2020-09-01

URL: CVE-2020-7720

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md

Release Date: 2020-09-01

Fix Resolution: node-forge - 0.10.0


CVE-2020-8203 (High) detected in lodash-4.17.11.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

  • pug-2.0.3.tgz (Root Library)
    • pug-filters-3.1.0.tgz
      • constantinople-3.1.2.tgz
        • babel-types-6.26.0.tgz
          • lodash-4.17.11.tgz (Vulnerable Library)

Found in HEAD commit: b2e815be74ae58d35be335bf7aabcc699c1db776

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.19

Direct dependency fix Resolution (pug): 2.0.4


WS-2019-0185 (High) detected in lodash.merge-4.6.1.tgz

WS-2019-0185 - High Severity Vulnerability

Vulnerable Library - lodash.merge-4.6.1.tgz

The Lodash method `_.merge` exported as a module.

Library home page: https://registry.npmjs.org/lodash.merge/-/lodash.merge-4.6.1.tgz

Path to dependency file: batimagen/package.json

Path to vulnerable library: batimagen/node_modules/lodash.merge/package.json

Dependency Hierarchy:

  • vision-0.25.0.tgz (Root Library)
    • lodash.merge-4.6.1.tgz (Vulnerable Library)

Found in HEAD commit: c0a367c5b1397d97c121bb83f39950920f054dca

Vulnerability Details

lodash.merge before 4.6.2 is vulnerable to prototype pollution. The function merge() may allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}} causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2019-08-14

URL: WS-2019-0185

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1066

Release Date: 2019-08-14

Fix Resolution: 4.6.2


CVE-2020-15168 (Medium) detected in node-fetch-2.3.0.tgz

CVE-2020-15168 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.3.0.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.3.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-fetch/package.json

Dependency Hierarchy:

  • vision-0.25.0.tgz (Root Library)
    • google-gax-0.25.4.tgz
      • google-auth-library-3.1.0.tgz
        • gaxios-1.8.2.tgz
          • node-fetch-2.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 5445622de0cdb12895bce18c7de0dc2268316ed1

Vulnerability Details

node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you rely on node-fetch to gate files above a certain size, the impact could be significant; for example, if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Publish Date: 2020-09-10

URL: CVE-2020-15168

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-w7rc-rwvf-8q5r

Release Date: 2020-09-17

Fix Resolution: 2.6.1,3.0.0-beta.9


WS-2017-3737 (Medium) detected in shelljs-0.7.8.tgz

WS-2017-3737 - Medium Severity Vulnerability

Vulnerable Library - shelljs-0.7.8.tgz

Portable Unix shell commands for Node.js

Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.7.8.tgz

Path to dependency file: /batimagen/package.json

Path to vulnerable library: /tmp/git/batimagen/node_modules/shelljs/package.json

Dependency Hierarchy:

  • node-virustotal-2.4.2.tgz (Root Library)
    • shelljs-0.7.8.tgz (Vulnerable Library)

Found in HEAD commit: 26e6736935fbc7d62f8a1dd88261f54b72d049c1

Vulnerability Details

Shelljs 0.8.3 and before are vulnerable to Command Injection. Commands invoked through shell.exec() that include input from external sources, passed as arguments to system executables, allow an attacker to inject arbitrary commands.

Publish Date: 2019-06-16

URL: WS-2017-3737

CVSS 2 Score Details (5.5)

Base Score Metrics not available


WS-2019-0047 (Medium) detected in tar-2.2.1.tgz

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Path to dependency file: /batimagen/package.json

Path to vulnerable library: /tmp/git/batimagen/node_modules/tar/package.json

Dependency Hierarchy:

  • node-virustotal-2.4.2.tgz (Root Library)
    • tar-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 536e0619968e6016b2dff478b60b3e774ac99c70

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2

