Test Jit's Detection: Code Samples and Targets

Test out Jit's detection capabilities using the code samples and test targets below.

Scan code for vulnerabilities (Python)

File name: test.py

import yaml

def exploitable_yaml_load(**kwargs):
    """
    The string `!!python/object/new:os.system` is a YAML tag that tells the parser
    to create a new Python object by calling 'os.system' with 'echo EXPLOIT!' as its argument.
    When using 'yaml.unsafe_load', this can lead to arbitrary command execution.
    """
    yaml.unsafe_load("!!python/object/new:os.system [echo EXPLOIT!]", **kwargs)

Expected output:
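As an added illustration (not one of Jit's own rules), a stdlib-only check in the spirit of the SAST finding the sample above should trigger: it parses Python source with `ast` and flags `yaml.*` calls that can resolve `!!python/object` tags. The embedded source is constructed from test.py plus three extra callers so the rule has both positives and negatives.

```python
import ast

# Constructed sample: the test.py snippet from this page plus three extra callers.
SAMPLE_SOURCE = """\
import yaml

def exploitable_yaml_load(**kwargs):
    yaml.unsafe_load("!!python/object/new:os.system [echo EXPLOIT!]", **kwargs)

def still_unsafe(data):
    return yaml.load(data)

def safe_by_function(data):
    return yaml.safe_load(data)

def safe_by_loader(data):
    return yaml.load(data, Loader=yaml.SafeLoader)
"""

SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}
ALWAYS_UNSAFE = {"unsafe_load", "unsafe_load_all", "full_load", "full_load_all"}

def _loader_name(call):
    """Return the identifier passed as Loader=..., or None when absent."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            if isinstance(kw.value, ast.Attribute):
                return kw.value.attr   # yaml.SafeLoader -> "SafeLoader"
            if isinstance(kw.value, ast.Name):
                return kw.value.id     # SafeLoader imported directly
    return None

def find_unsafe_yaml_loads(source):
    """Return sorted (line, reason) pairs for yaml calls that may build arbitrary objects."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        func = node.func
        if not (isinstance(func.value, ast.Name) and func.value.id == "yaml"):
            continue
        if func.attr in ALWAYS_UNSAFE:
            findings.append((node.lineno, f"yaml.{func.attr} resolves python/object tags"))
        elif func.attr in {"load", "load_all"}:
            loader = _loader_name(node)
            if loader not in SAFE_LOADERS:
                findings.append((node.lineno, f"yaml.{func.attr} without a safe Loader (got {loader})"))
    return sorted(findings)
```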

Scan code for vulnerabilities (JavaScript)

File name: test.js

document.getElementById('userForm').addEventListener('submit', function(e) {
  e.preventDefault();
  
  // This is an unsafe practice and can lead to XSS vulnerabilities
  const userInput = document.getElementById('userInput').value;
  document.getElementById('content').innerHTML = userInput;
});

Expected output:

Scan code for vulnerabilities (Go)

File name: test.go

package testutil // import "github.com/docker/docker/testutil"

import "math/rand"

// GenerateRandomAlphaOnlyString generates an alphabetical random string with length n.
func GenerateRandomAlphaOnlyString(n int) string {
	// make a really long string
	letters := []byte("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
	b := make([]byte, n)
	for i := range b {
		b[i] = letters[rand.Intn(len(letters))] //nolint: gosec // G404: Use of weak random number generator (math/rand instead of crypto/rand)
	}
	return string(b)
}

Expected output:

Scan code dependencies for vulnerabilities (Node)

File name: package.json

{
  "name": "dependencygoat2",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "minimist": "0.0.8"
  }
}

Expected output:

Scan code dependencies for vulnerabilities (Python)

File name: requirements.txt

requests==2.18.2
urllib3==1.26.4

Expected output:

Scan code for hard-coded secrets (multiple languages)

File name: secret.txt

MY_AWS_SECRET="AKIAIOSFODNN7EXAMPLE"

Expected output:

Scan IaC for static misconfigurations (Terraform)

Code sample: EC2 instance has Public IP

File name: public-ip.tf

//test public ip
data "aws_ami" "ubuntu1" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

resource "aws_instance" "web2" {
  ami           = data.aws_ami.ubuntu1.id
  instance_type = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }
}

# web3 is the instance that should be flagged: it explicitly requests a public IP
resource "aws_instance" "web3" {
  ami                         = data.aws_ami.ubuntu1.id
  associate_public_ip_address = true
  instance_type               = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }
}

Expected output:

Code sample: S3 Bucket without restriction of Public Bucket

File Name: public-bucket.tf

//test public bucket
resource "aws_s3_bucket" "positive1" {
  bucket = "example"
}

# restrict_public_buckets is explicitly disabled
resource "aws_s3_bucket_public_access_block" "positive2" {
  bucket = aws_s3_bucket.positive1.id

  block_public_acls       = true
  block_public_policy     = true
  restrict_public_buckets = false
}

# restrict_public_buckets is omitted, so it takes its default of false
resource "aws_s3_bucket_public_access_block" "positive3" {
  bucket = aws_s3_bucket.positive1.id

  block_public_acls   = true
  block_public_policy = true
}

Expected output:

Code sample: ALB listening on HTTP

File Name: alb-http.tf

resource "aws_lb_listener" "listener6" {
  load_balancer_arn = aws_lb.test3.arn
  port              = 80
  # plaintext listener; protocol is required for application load balancers
  protocol          = "HTTP"
  default_action {
    type = "redirect"

    redirect {
      port        = "80"
      protocol    = "HTTP"
      status_code = "HTTP_301"
    }
  }
}

resource "aws_lb" "test3" {
  name = "test123"
  load_balancer_type = "application"
  subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
  internal = true
}

Expected output:

Run a Web Application Scanner / Ensure Your APIs are Secure (ZAP-based security requirements)

Use the following test targets to verify that your ZAP-based security requirements (Run a Web Application Scanner and Ensure Your APIs are Secure) are working.

Test target: Google Firing Range

https://www.zaproxy.org/docs/scans/firingrange/

Test target: Google Security Crawl Maze

https://www.zaproxy.org/docs/scans/crawlmaze/

Test target: OWASP Benchmark

https://www.zaproxy.org/docs/scans/benchmark/

Test target: Websites Vulnerable to SSTI

https://www.zaproxy.org/docs/scans/ssti/

Test target: Yahoo Webseclab

https://www.zaproxy.org/docs/scans/webseclab/

name: Sync Jit Teams
on:
  schedule:
    - cron: "0 3 * * *"
  workflow_dispatch:

jobs:
  sync-teams:
    runs-on: ubuntu-latest
    steps:
    - name: Check out code
      uses: actions/checkout@v3
    - name: Call action
      uses: jitsecurity/[email protected]
      with:
        JIT_CLIENT_ID: ${{ secrets.JIT_CLIENT_ID }}
        JIT_CLIENT_SECRET: ${{ secrets.JIT_CLIENT_SECRET }}
        ORGANIZATION_NAME: ${{ github.repository_owner }}
        GITHUB_API_TOKEN: ${{ secrets.MY_GITHUB_API_TOKEN }}
        TEAM_WILDCARD_TO_EXCLUDE: "*dev*, *test*"