Conversation
- Added continue-on-error: true to all Snyk scan steps
- Ensures workflow completes and shows results from all scans
- Artifacts will contain full security report even if vulnerabilities are found
add snyk iac test to the github actions yml
New endpoint
test a new endpoint
project name
New endpoint
test new name and target for yml
This PR is being reviewed by Cursor Bugbot
| '/': '/' | ||
| }[char] || char)); | ||
|
|
||
| const { startVulnerableResponse } = require('../service/xssResponder'); |
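Review bot: the map entry '/': '/' in the first row replaces the slash with itself, so that branch of the replace is a no-op; either drop the entry or map it to the entity &#x2F; if forward slashes are meant to be neutralised in attribute contexts (the rendered diff may have decoded an entity here, so please confirm against the source file). The import of startVulnerableResponse into a route file that is meant to expose the secure endpoints also deserves a one-line comment on why it is needed.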
| const userInput = req.query.input || 'No input provided'; | ||
|
|
||
| // SECURE: Properly escape user input before including in HTML | ||
| const safeInput = escape(userInput); |
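Review bot: escape(userInput) on the last row calls the legacy global escape(), a deprecated URL percent-encoder (spaces become %20, non-ASCII becomes %uXXXX), which is the wrong encoding for text interpolated into an HTML body, so the "SECURE" label is not justified by this line. The PR already adds html-escaper to package.json, so const { escape } = require('html-escaper'); at the top of the file, or the module's own sanitizeInput, would give real HTML entity escaping here.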
Bug: Wrong escape function used for HTML sanitization
The endpoint labeled as "SECURE" uses JavaScript's deprecated escape() function for HTML sanitization, but this function is designed for URL encoding (converting characters to %XX sequences), not HTML escaping. It does not escape <, >, or other HTML-significant characters, leaving this "secure" endpoint still vulnerable to XSS attacks. The code has a custom sanitizeInput function defined that would work correctly but it's not used here.
| app.use(session({ | ||
| secret: 'keyboard cat', | ||
| name: 'connect.sid', | ||
| name: 'connect.sid ', |
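Review bot: secret: 'keyboard cat' commits the placeholder secret from the express-session documentation; a predictable session secret lets anyone who knows it produce validly signed session cookies, so read it from an environment variable or a secrets store and fail startup if it is unset. The replacement line name: 'connect.sid ' also introduces a trailing space that the original name: 'connect.sid' did not have.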
Bug: Session cookie name contains trailing space
The session cookie name is set to 'connect.sid ' with a trailing space. This could cause session handling issues since cookie names with trailing whitespace may be handled inconsistently across browsers and servers, potentially breaking session persistence or causing authentication problems.
| }); | ||
| }); | ||
|
|
||
| module.exports = router; |
Bug: New route module never registered with Express app
The routes/xss-vulnerable.js router module is created with /secure and /secure/json endpoints, but it is never imported or mounted in app.js. Other routes like routesUsers follow the pattern of being required and then mounted with app.use('/path', router), but this new route module is missing both steps. The endpoints will be completely inaccessible at runtime.
Note
Adds a Snyk CI workflow for container/IaC scanning, introduces XSS demo endpoints and services, includes Terraform config/tooling, updates Dockerfile, and adds security-related deps.
- .github/workflows/snyk-security-scan.yml for Snyk container and IaC scans with artifact upload.
- codeql-analysis.yml, snyk-code*.yml, snyk-test-sarif.yml.
- routes/xss-vulnerable.js with secure HTML/JSON echo endpoints and CSP/XSS headers.
- service/xssResponder.js, service/xssResponsePipeline.js, service/xssResponseSender.js.
- vulnerable.tf (intentionally insecure demo) and scripts/test-terraform.sh for Terraform init/validate/plan.
- Dockerfile to use node:14.18.1 and add ENTRYPOINT ["npm", "start"].
- dompurify, express-validator, html-escaper, jsdom in package.json (lockfile updated).
- .gitignore to ignore Snyk AI rules files.
Written by Cursor Bugbot for commit 2f7cf56.