by

Discovering Vulnerabilities in Open-Source Software Using SAST Tools: A Deep Dive into OpenResty

Introduction

In today's digital landscape, open-source software plays a crucial role in powering systems across various industries, from information technology to healthcare. While these software solutions offer numerous benefits, they also present unique security challenges. The publicly available nature of their code base makes it easier for both attackers and security researchers to identify zero-day vulnerabilities, potentially leading to system exploitation or, conversely, enhanced security through responsible disclosure.

As a leading UK-based cybersecurity firm, we recognise the importance of proactively identifying and addressing vulnerabilities in open-source software. This blog post will delve into the process of discovering vulnerabilities using Static Application Security Testing (SAST) tools, with a specific focus on OpenResty, a popular dynamic web platform.

Understanding OpenResty

OpenResty is a powerful web platform that extends the capabilities of the Nginx HTTP server by integrating it with LuaJIT, a just-in-time compiler for the Lua programming language. This combination creates a flexible environment for developing high-performance web applications, efficiently handling HTTP traffic, and building robust server-side solutions.

Key Features of OpenResty:

1. High Performance: Built on Nginx's foundation, OpenResty inherits its exceptional performance and scalability, further enhanced by LuaJIT's efficient execution of Lua scripts.

2. Extensibility: Developers can write custom logic in Lua to handle HTTP requests, manipulate responses, and interact with databases directly within the Nginx environment.

3. Rich Ecosystem: OpenResty boasts a wide range of modules, facilitating seamless integration with popular databases like MySQL, PostgreSQL, Redis, and Memcached.

4. Asynchronous I/O: Support for non-blocking I/O operations makes OpenResty ideal for high-performance web applications that must handle numerous simultaneous connections efficiently.

Common Use Cases for OpenResty

OpenResty finds application in various scenarios where performance, scalability, and flexibility are paramount:

1. Web Application Servers: OpenResty can serve as a full-featured web application server, handling routing, API endpoints, and complex business logic with ease.

2. API Gateways: With its ability to handle and manipulate HTTP requests efficiently, OpenResty is often used as an API gateway, performing tasks like load balancing, authentication, and caching.

3. Reverse Proxy: OpenResty can act as a reverse proxy, forwarding client requests to back end servers and modifying responses as needed.

4. Content Delivery Networks (CDNs): Given its performance and scalability, OpenResty is well-suited for use in CDNs, where it can efficiently serve static content and manage large volumes of traffic.

Notable Software Utilising OpenResty

1. Kong: Kong is a popular API gateway built on top of OpenResty. It leverages OpenResty’s capabilities to provide a flexible and scalable platform for managing and securing APIs.

2. APISIX: Apache APISIX is an open-source API gateway that also builds on OpenResty. It supports dynamic routing, load balancing, and traffic control, among other features.

3. LEDE Project: The LEDE Project (Linux Embedded Development Environment) uses OpenResty for managing HTTP interfaces in embedded devices, particularly in networking equipment.

Static Application Security Testing (SAST) Explained

Static Application Security Testing is a crucial methodology in the cybersecurity arsenal, analysing source code, bytecode, or binaries of an application without execution. This approach is instrumental in identifying security vulnerabilities such as SQL injection, cross-site scripting (XSS), buffer overflows, and other coding errors that could lead to security breaches.

How SAST Works:

SAST tools work by performing a comprehensive analysis of the application's code. Here’s a general process of how these tools operate:

1. Code Parsing: The SAST tool begins by parsing the source code, bytecode, or binary to create a model of the application. This model represents the logical structure of the code, including control flow, data flow, and call graphs.

2. Pattern Matching: The tool then compares the parsed code against a database of known security vulnerabilities, coding best practices, and compliance requirements. This involves pattern matching, where the tool looks for code patterns that resemble known vulnerabilities.

3. Data Flow Analysis: SAST tools perform data flow analysis to track how data moves through the application. This helps identify vulnerabilities such as insecure data handling, unvalidated input, or sensitive data exposure.

4. Control Flow Analysis: This step examines the paths that the application can take during execution, helping identify logical errors or security issues that may arise from improper control flow.

5. Reporting: After the analysis is complete, the tool generates a report that lists the identified vulnerabilities, their locations in the code, severity levels, and recommendations for remediation.

6. Remediation: Developers use the report to fix the identified issues. Since SAST is typically integrated into the development process, it allows developers to address security issues early, reducing the cost and effort required for later remediation.

Open Source SAST Tools: SonarQube, Snyk, and Semgrep

In this section, we'll explore three popular open-source SAST tools: SonarQube, Snyk, and Semgrep. Each tool offers unique features and capabilities for identifying vulnerabilities in open-source software.

1. SonarQube

Overview: SonarQube is one of the most widely adopted open-source platforms for continuous inspection of code quality and security. It performs static analysis of code to detect bugs, code smells, and security vulnerabilities across various programming languages.


 Key Features:

• Multi-language Support: SonarQube supports more than 25 programming languages, including Java, C#, JavaScript, Python, and more.

• Comprehensive Analysis: It covers not just security vulnerabilities but also code quality issues such as duplications, code complexity, and technical debt.

• Integration: SonarQube integrates seamlessly with CI/CD pipelines, including tools like Jenkins, GitLab CI, and GitHub Actions, allowing for automated and continuous analysis of code.

• Customizable Rules: Users can create custom rules and profiles to match the specific needs of their projects and teams.

• Security Reports: SonarQube provides detailed reports on vulnerabilities, including their locations in the code, severity levels, and suggested remediation steps.

2. Snyk

Overview: Snyk is a developer-first security platform that helps find and fix vulnerabilities in code, dependencies, containers, and Infrastructure as Code (IaC). While Snyk offers both open-source and commercial versions, it is particularly known for its ease of use and integration into the development workflow.

Key Features:

• Vulnerability Scanning: Snyk scans your codebase and dependencies for known vulnerabilities, providing detailed information on each issue, including severity, exploitability, and potential impact.

• Automated Fixes: Snyk goes beyond detection by suggesting and sometimes automatically applying fixes, such as upgrading vulnerable dependencies.

• CI/CD Integration: Snyk integrates with CI/CD pipelines, including Jenkins, CircleCI, and GitHub Actions, enabling automated security testing as part of the development lifecycle.

• Git Integration: Snyk can be integrated directly with version control systems like GitHub, GitLab, and Bitbucket, enabling automated pull request checks for security vulnerabilities.

• Policy Enforcement: Snyk allows organizations to define security policies and enforce them across teams, ensuring compliance with security best practices.

3. Semgrep

Overview: Semgrep is an open-source static analysis tool that combines the simplicity of grep with the power of a full-fledged SAST tool. It is designed to find security vulnerabilities, code quality issues, and enforce coding standards across a variety of programming languages.

Key Features:

• Custom Rule Writing: Semgrep allows developers to write custom rules in YAML, which can be tailored to specific coding standards or security guidelines. This flexibility makes it powerful for both security and code quality enforcement.

• Language Support: Semgrep supports a wide range of languages, including Python, JavaScript, Java, Go, and more. Its language-agnostic approach allows it to be used across diverse codebases.

• Speed: Semgrep is designed to be fast, making it suitable for integration into CI/CD pipelines where quick feedback is essential.

• Predefined Rule Sets: Semgrep comes with a collection of community-contributed rule sets that cover common security vulnerabilities and coding mistakes, making it easy to get started.

• CI/CD Integration: Like other modern SAST tools, Semgrep integrates with CI/CD systems, ensuring that code is continuously checked against security and quality rules as part of the build process.

General SAST Tools Installation Guide

1. SonarQube

Prerequisites
Before you begin, ensure you have the following installed on your system:

• Docker: You can install Docker by following the official Docker installation guide.

• Docker Compose: Docker Compose is typically included with Docker Desktop. For Linux, you can install it by following the Docker Compose installation guide.

Step 1: Clone the SonarQube Docker Repository

To get started, you'll need to clone the Dockerized SonarQube repository. This repository provides a ready-to-use Docker Compose configuration for SonarQube.

git clone https://github.com/emad-zaamout/SonarQube-Dockerized.git 
cd SonarQube-Dockerized

Step 2: Run SonarQube with Docker Compose

Now that you have the repository cloned, you can start SonarQube and its accompanying PostgreSQL database using Docker Compose.

docker-compose up -d

• The -d flag runs the containers in the background, allowing you to continue using your terminal.

• Docker Compose will automatically download the required Docker images and start the SonarQube and PostgreSQL containers.

Step 3: Access the SonarQube Dashboard

Once the containers are up and running, you can access the SonarQube dashboard through your web browser.

• Open your browser and navigate to http://localhost:9000

• You'll be greeted by the SonarQube login screen. Use the default credentials to log in:

    Username: admin
    Password: admin

2. Snyk

Step 1: Sign Up for Snyk

Before installing Snyk, you'll need to sign up for a free account:

1. Visit the Snyk website at https://snyk.io/ 

2. Sign up using your email, GitHub, or another available method.

Step 2: Install the Snyk CLI

The Snyk CLI (Command Line Interface) allows you to integrate Snyk directly into your development workflow. There are several ways to install it, depending on your environment.

Option 1: Node.js (via npm)

If you have Node.js installed, the easiest way to install Snyk is via npm:  npm install -g snyk

Option 2: Using Docker

If you prefer not to install it globally, or if you're running in a CI/CD pipeline, you can use Docker docker run -it snyk/snyk-cli

Option 3: Direct Download

Alternatively, you can download the binary directly from the Snyk GitHub repository https://github.com/snyk/snyk/releases  and place it in your system’s PATH.

Step 3: Authenticate Snyk

Once the CLI is installed, you'll need to authenticate it with your Snyk account.

1. Run the following command:
snyk auth

2. This will open a browser window where you can log in and connect your CLI to your Snyk account.

Step 4: Scan Your Project

With Snyk set up, you can start scanning your projects for vulnerabilities.

1. Navigate to your project directory:
cd /path/to/your/project

2. Run the following command to scan for vulnerabilities:
snyk test

3. To monitor your project for new vulnerabilities over time, use:
snyk monitor

3. Semgrep

Step 1: Install Semgrep

Semgrep can be installed using various methods depending on your operating system and preferences.

• Using pip (Python): If you have Python installed, the easiest way to install Semgrep is via pip: pip install semgrep

• Homebrew (macOS): If you're on macOS, you can use Homebrew to install Semgrep: brew install semgrep

• Using Docker: If you prefer to avoid installing it directly on your system, you can run Semgrep via Docker: docker run --rm -v "$(pwd):/src" returntocorp/semgrep --config auto

Step 2: Run Semgrep on Your Code

Once installed, you can start analyzing your code with Semgrep. Here’s how:

1. Navigate to your project directory: cd /path/to/your/project

2. Run the following command to scan your code using predefined rules: semgrep --config auto

The --config auto flag tells Semgrep to automatically detect the appropriate rules for your codebase.

Vulnerability Discovered by each tools

1. Sonarqube

The figure below illustrates the SonarQube User Interface, showcasing a comprehensive list of vulnerabilities identified by the tool. While SonarQube provides a powerful mechanism for detecting potential security issues, it's important to remember that no SAST tool is infallible. False positives can occur, and some findings may not pose an actual risk. Therefore, it's crucial to manually review the identified vulnerabilities to accurately assess their relevance and impact, ensuring that genuine issues are addressed while unnecessary noise is filtered out. This careful review process enhances the overall effectiveness of your code security efforts.

2. Snyk

The figure below displays the Snyk tool interface, showcasing the command used to scan the project and a detailed list of vulnerabilities categorized by severity—Low, Medium, and High. Snyk performs its code review by analyzing the project's dependencies, code, and configurations against a continuously updated database of known vulnerabilities. It scans for issues in open-source libraries, container images, and infrastructure as code, identifying potential security flaws across the entire stack. After the scan, Snyk categorizes the vulnerabilities based on their severity and potential impact, providing actionable insights on how to fix them. However, as with any automated tool, it's important to manually review these findings to ensure accuracy. While Snyk effectively identifies vulnerabilities, some flagged issues may not be critical, and others could be false positives. 

3. SemGrep

The figure below illustrates the Semgrep interface, displaying the command used to perform the code audit along with the findings categorized by their nature—such as security vulnerabilities, code quality issues, or compliance violations. Semgrep conducts its code audit by parsing the source code and applying a set of customizable rules that can be tailored to the specific needs of the project. Unlike many other tools, Semgrep allows for precise pattern matching within the code, enabling it to identify issues at a granular level across various programming languages. Semgrep's audit process involves scanning the codebase for patterns that could indicate potential vulnerabilities or coding standards violations. The tool uses both predefined and custom rules to highlight issues that need attention, providing developers with detailed reports on the identified problems.


Breakdown of Vulnerabilities

1. Weak Hashing Algorithm used

Location: bundle/nginx-1.25.3/src/event/ngx_event_openssl.c

A computer code with text

Description automatically generated

Description: The figure above highlights the use of the weak hashing algorithm SHA-1 in the code, which is considered a significant security vulnerability. SHA-1 is a cryptographic hash function that was once widely used for securing data. However, it has been proven vulnerable to collision attacks, where two different inputs can produce the same hash value. This vulnerability undermines the integrity and security of data protected by SHA-1, as an attacker could potentially forge data that produces the same hash, leading to unauthorized access or data manipulation.

Impact: In the context of an OpenResty application, using SHA-1 for hashing sensitive information, such as passwords or cryptographic keys, could expose the application to security risks. Attackers could exploit this weakness to crack hashed passwords or bypass authentication mechanisms, compromising the overall security of the application. 

Mitigation: To mitigate this risk, it is recommended to use stronger and more secure hashing algorithms, such as SHA-256 or SHA-3, which provide better resistance against collision and preimage attacks, thereby ensuring the integrity and confidentiality of the data handled by the application. 

2. Unsanitised Input (Possible Path Traversal)

Location: bundle/opm-0.0.8/util/fmtMd.js

A screen shot of a computer code

Description automatically generated

Description: The figure above illustrates a potential vulnerability in the code where the infile variable is passed directly for processing without proper sanitization. This scenario suggests a possible path traversal vulnerability, where an attacker could manipulate the infile input to navigate the file system outside the intended directory.

Impact: In an OpenResty application, this type of vulnerability can be particularly dangerous. If an attacker can control the infile variable, they could craft input that includes sequences like ../ (dot-dot-slash) to traverse directories and access files outside the intended path. For example, instead of accessing a permitted file, the attacker could gain access to sensitive files such as configuration files, user data, or even system files, which could lead to data breaches or system compromise.

Path traversal vulnerabilities can severely affect an OpenResty application by exposing critical information, allowing unauthorized file access, or even enabling further attacks such as remote code execution if an attacker can write to or execute files.

Mitigation: To mitigate this risk, it is essential to implement robust input validation and sanitisation for all variables used in file paths. This includes:
• Restricting input to a predefined set of allowed file names or directories
• Avoiding direct use of user input in file paths without thorough validation
• Implementing a whitelist approach for permitted file access
• Using secure file handling libraries that prevent path traversal attacks

3. Unsafe function strcpy used

Location: build/LuaJIT-2.1-20231117/src/lj_debug.c

A screen shot of a computer code

Description automatically generated

Description: The figure above demonstrates a potential security vulnerability where the strcpy function is used in the code. strcpy is an unsafe function because it does not perform bounds checking on the destination buffer, meaning it will copy data from the source to the destination until a null terminator is encountered, regardless of the size of the destination buffer.

Impact: In an OpenResty application, using strcpy can lead to a buffer overflow if the source string is larger than the destination buffer. Buffer overflows occur when data exceeds the buffer's allocated memory, potentially overwriting adjacent memory areas. This can corrupt data, crash the application, or, worse, allow an attacker to inject and execute arbitrary code, leading to a complete system compromise.


This vulnerability is particularly concerning in web applications like those built with OpenResty, where user inputs or external data might be processed. An attacker could exploit this weakness by providing specially crafted input that triggers the buffer overflow, potentially gaining control over the application or server.


Mitigation: To mitigate this risk, it is essential to replace strcpy with safer alternatives such as strncpy or snprintf, which allow specifying the maximum number of bytes to copy, thereby preventing buffer overflows. Additionally, always ensure that buffer sizes are properly checked and managed to avoid such vulnerabilities.


Conclusion

Our in-depth analysis of OpenResty using SAST tools has revealed several critical vulnerabilities that could potentially compromise the security of applications built on this platform. As a UK-based cybersecurity firm, we emphasise the importance of addressing these issues promptly to maintain the integrity and security of systems utilising OpenResty.

To mitigate these risks effectively, we recommend the following actions:

1. Update Cryptographic Practices: Replace weak hashing algorithms like SHA-1 with more secure alternatives such as SHA-256 or SHA-3.

2. Implement Robust Input Validation: Enforce strict input sanitisation and validation practices, particularly for variables used in file path operations.

3. Use Safe String Handling Functions: Replace unsafe functions like strcpy with bounds-checked alternatives such as strncpy or snprintf.

4. Regular Security Audits: Conduct periodic security assessments using a combination of SAST tools and manual code reviews to identify and address potential vulnerabilities proactively.

5. Stay Informed: Keep abreast of the latest security advisories and updates for OpenResty and its components, applying patches promptly when available.

By integrating these security measures and leveraging SAST tools effectively, organisations can significantly enhance the security posture of their OpenResty-based applications. Remember, maintaining robust security is an ongoing process that requires vigilance, proactive measures, and a commitment to best practices in software development and deployment.

For further assistance in securing your OpenResty applications or to learn more about our comprehensive cybersecurity services, please don't hesitate to contact our team of experts at ProCheckUp.