From 95169dc0eefe3eaaf08cfc3ab248ec4bcf92135d Mon Sep 17 00:00:00 2001
From: PavelLinearB
Date: Sun, 21 May 2023 16:39:32 +0300
Subject: [PATCH 1/4] vulnerabilities
---
 data/static/users.yml | 2 ++
 lib/insecurity.ts | 1 +
 package.json | 3 +++
 routes/likeProductReviews.ts | 2 +-
 routes/updateProductReviews.ts | 13 +++++++++++++
 test/smoke/Dockerfile | 1 +
 6 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/data/static/users.yml b/data/static/users.yml
index edfe29291bf..24efd550e93 100644
--- a/data/static/users.yml
+++ b/data/static/users.yml
@@ -147,6 +147,8 @@ email: wurstbrot
 username: wurstbrot
 password: 'EinBelegtesBrotMitSchinkenSCHINKEN!'
+ totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH
+ key: timo
 role: 'admin'
 securityQuestion:
 id: 1
diff --git a/lib/insecurity.ts b/lib/insecurity.ts
index 87776eabf9d..585ad31ae6a 100644
--- a/lib/insecurity.ts
+++ b/lib/insecurity.ts
@@ -20,6 +20,7 @@ import * as utils from './utils'
 import * as z85 from 'z85'
 export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key'
+const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\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\r\n-----END RSA PRIVATE KEY-----'
 interface ResponseWithUser {
 status: string
diff --git a/package.json b/package.json
index e8a5b92f58c..8f6adb419e2 100644
--- a/package.json
+++ b/package.json
@@ -119,10 +119,12 @@
 "cookie-parser": "^1.4.5",
 "cors": "^2.8.5",
 "dottie": "^2.0.2",
+ "download": "^8.0.0",
 "errorhandler": "^1.5.1",
 "exif": "^0.6.0",
 "express": "^4.17.1",
 "express-ipfilter": "^1.2.0",
+ "express-jwt": "0.1.3",
 "express-rate-limit": "^5.3.0",
 "express-robots-txt": "^0.4.1",
 "express-security.txt": "^2.0.0",
@@ -130,6 +132,7 @@
 "file-stream-rotator": "^0.5.7",
 "file-type": "^16.1.0",
 "filesniffer": "^1.0.3",
+ "finale-rest": "^1.1.1",
 "fs-extra": "^9.0.1",
 "fuzzball": "^1.3.0",
 "glob": "^7.1.6",
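Review bot: The added `totpSecret` on the wurstbrot entry commits a plaintext TOTP seed to a static data file, so anyone who can read the repository can reproduce that account's second factor; once a seed has been pushed in a commit it should be treated as exposed and regenerated, and the value read from an environment variable or secret store rather than from this file. The purpose of the added `key: timo` line is not visible in this hunk; if it is another credential it needs the same handling, otherwise a short comment such as `# read by COMPONENT, not a secret` (COMPONENT is a placeholder) would tell the next reader what it is for. If both values are intentional seed data for a deliberately vulnerable demo, say so in a comment beside them so they are not mistaken for production configuration.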
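Review bot: `privateKey` embeds a PEM-encoded RSA private key as a string literal, whereas `publicKey` two lines above is read from `encryptionkeys/jwt.pub` with a placeholder fallback; the private half should be loaded the same way, e.g. `const privateKey = fs ? fs.readFileSync('encryptionkeys/PRIVATE_KEY_FILE', 'utf8') : 'placeholder-private-key'` (the file name is a placeholder), and a key that has already been committed has to be rotated regardless of what happens to this line. The constant is neither exported nor referenced within the hunk, so it may also trip an unused-variable lint rule; if it is the JWT signing key, a one-line comment naming its consumer would help. If it is intentional material for a deliberately vulnerable demo, a comment saying so beside the literal is still warranted.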
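Review bot: `"express-jwt": "0.1.3"` pins an exact pre-1.0 release while every neighbouring entry uses a caret range, so this dependency will never pick up fixes, and as far as I recall releases that old did not require the caller to state which signing algorithms are accepted; either move to a current release with a caret range like its neighbours (`"^CURRENT_MAJOR"`, placeholder) or record in the commit message why this exact version is required. None of `download`, `express-jwt` or `finale-rest` is imported by any code hunk in this patch, so what consumes them is not visible here; the second hunk at `@@ -130,6 +132,7 @@` adds `finale-rest` the same way.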
diff --git a/routes/likeProductReviews.ts b/routes/likeProductReviews.ts
index c1518601bba..f77e28d2a5e 100644
--- a/routes/likeProductReviews.ts
+++ b/routes/likeProductReviews.ts
@@ -15,7 +15,7 @@ module.exports = function productReviews () {
 return (req: Request, res: Response, next: NextFunction) => {
 const id = req.body.id
 const user = security.authenticatedUsers.from(req)
- db.reviews.findOne({ _id: "a" }).then((review: Review) => {
+ db.reviews.findOne({ _id: id }).then((review: Review) => {
 if (!review) {
 res.status(404).json({ error: 'Not found' })
 } else {
diff --git a/routes/updateProductReviews.ts b/routes/updateProductReviews.ts
index c4e0cf06808..c6d31a3707f 100644
--- a/routes/updateProductReviews.ts
+++ b/routes/updateProductReviews.ts
@@ -13,6 +13,19 @@ const security = require('../lib/insecurity')
 // vuln-code-snippet start noSqlReviewsChallenge forgedReviewChallenge
 module.exports = function productReviews () {
 return (req: Request, res: Response, next: NextFunction) => {
+ const user = security.authenticatedUsers.from(req) // vuln-code-snippet vuln-line forgedReviewChallenge
+ db.reviews.update( // vuln-code-snippet neutral-line forgedReviewChallenge
+ { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
+ { $set: { message: req.body.message } },
+ { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge
+ ).then(
+ (result: { modified: number, original: Array<{ author: any }> }) => {
+ challengeUtils.solveIf(challenges.noSqlReviewsChallenge, () => { return result.modified > 1 }) // vuln-code-snippet hide-line
+ challengeUtils.solveIf(challenges.forgedReviewChallenge, () => { return user?.data && result.original[0] && result.original[0].author !== user.data.email && result.modified === 1 }) // vuln-code-snippet hide-line
+ res.json(result)
+ }, (err: unknown) => {
+ res.status(500).json(err)
+ })
 }
 }
 // vuln-code-snippet end noSqlReviewsChallenge forgedReviewChallenge
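Review bot: `_id: id` passes `req.body.id` to `db.reviews.findOne` without checking its type, and nothing in the visible lines of the handler (which starts and ends outside this hunk) validates the body; a JSON body can carry an object or array where a string is expected, so the route should reject those before querying, e.g. `if (typeof id !== 'string') { res.status(400).json({ error: 'Bad request' }); return }` directly after `const id = req.body.id`. `user` is computed from `security.authenticatedUsers.from(req)` but not used inside the hunk; presumably the unauthenticated path is handled further down, which is worth confirming since the lookup runs before any such check.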
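Review bot: The rejection handler `res.status(500).json(err)` serializes the raw database error object to the client, and unlike `{ _id: req.body.id }` and `{ multi: true }` it carries no `vuln-code-snippet vuln-line` marker, so it does not appear to be part of the noSqlReviewsChallenge/forgedReviewChallenge exercise; log `err` server-side and return a fixed body such as `res.status(500).json({ error: 'Internal error' })`. The marked lines are left as they are because the file's own annotations declare them the intended content of those challenges. The callback type `Array<{ author: any }>` could be `Array<{ author: string }>` (or `unknown`), since `author` is only compared with `user.data.email`; `user?.data` already guards the case where `authenticatedUsers.from(req)` returns nothing.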
diff --git a/test/smoke/Dockerfile b/test/smoke/Dockerfile
index fee38ec8cca..20df9ef06eb 100644
--- a/test/smoke/Dockerfile
+++ b/test/smoke/Dockerfile
@@ -1,3 +1,4 @@
+FROM alpine
 RUN apk add curl
From 327b2b83e6dfe531019765eeaf0474982c1a62c3 Mon Sep 17 00:00:00 2001
From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com>
Date: Mon, 22 May 2023 12:56:56 +0300
Subject: [PATCH 2/4] Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md
---
 README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/README.md b/README.md
index 408174dd00d..47df135bfa8 100644
--- a/README.md
+++ b/README.md
@@ -325,3 +325,14 @@ OWASP Juice Shop and any contributions are Copyright © by Bjoern Kimminich & th 2014-2023. ![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png)
+123456🙈🤫
+!
+comment1
+fix cm 2
+read comment
+clean
+aaaa
+a
+a
+aaa
+aaa
From 04efc67a02d8528fb9d1735dfd284c0c567884a5 Mon Sep 17 00:00:00 2001
From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com>
Date: Tue, 6 Jun 2023 14:23:53 +0300
Subject: [PATCH 3/4] Update README.md
---
 README.md | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/README.md b/README.md
index 47df135bfa8..b6dd6b4beb1 100644
--- a/README.md
+++ b/README.md
@@ -326,13 +326,3 @@ OWASP Juice Shop and any contributions are Copyright © by Bjoern Kimminich & th ![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png)
 123456🙈🤫
-!
-comment1
-fix cm 2
-read comment
-clean
-aaaa
-a
-a
-aaa
-aaa
From 169dd50c53bb95e3fb47f0321921682d1947add6 Mon Sep 17 00:00:00 2001
From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com>
Date: Tue, 6 Jun 2023 14:24:45 +0300
Subject: [PATCH 4/4] Update README.md
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index b6dd6b4beb1..c0bca98183f 100644
--- a/README.md
+++ b/README.md
@@ -326,3 +326,4 @@ OWASP Juice Shop and any contributions are Copyright © by Bjoern Kimminich & th ![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png)
 123456🙈🤫
+Update!