Migrate remaining commonjs require in models to esm

data/static/codefixes/loginAdminChallenge_1.ts

@@ -18,7 +18,7 @@ module.exports = function login () {
       res.status(451).send(res.__('SQL Injection detected.'))
     }
     models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginAdminChallenge_2.ts

@@ -16,7 +16,7 @@ module.exports = function login () {
   return (req: Request, res: Response, next: NextFunction) => {
     models.sequelize.query(`SELECT * FROM Users WHERE email = $1 AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`,
       { bind: [ req.body.email ], model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginAdminChallenge_3.ts

@@ -16,7 +16,7 @@ module.exports = function login () {
   return (req: Request, res: Response, next: NextFunction) => {
     models.sequelize.query(`SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL`,
       { bind: [ req.body.email, req.body.password ], model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginAdminChallenge_4_correct.ts

@@ -16,7 +16,7 @@ module.exports = function login () {
   return (req: Request, res: Response, next: NextFunction) => {
     models.sequelize.query(`SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL`,
       { bind: [ req.body.email, security.hash(req.body.password) ], model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginBenderChallenge_1.ts

@@ -18,7 +18,7 @@ module.exports = function login () {
       res.status(451).send(res.__('SQL Injection detected.'))
     }
     models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginBenderChallenge_2_correct.ts

@@ -16,7 +16,7 @@ module.exports = function login () {
   return (req: Request, res: Response, next: NextFunction) => {
     models.sequelize.query(`SELECT * FROM Users WHERE email = $mail AND password = $pass AND deletedAt IS NULL`,
       { bind: { mail: req.body.email, pass: security.hash(req.body.password) }, model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginBenderChallenge_3.ts

@@ -16,7 +16,7 @@ module.exports = function login () {
   return (req: Request, res: Response, next: NextFunction) => {
     models.sequelize.query(`SELECT * FROM Users WHERE email = :mail AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`,
       { replacements: { mail: req.body.email }, model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginBenderChallenge_4.ts

@@ -15,7 +15,7 @@ module.exports = function login () {
 
   return (req: Request, res: Response, next: NextFunction) => {
     models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: models.User, plain: false })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginJimChallenge_1_correct.ts

@@ -16,7 +16,7 @@ module.exports = function login () {
   return (req: Request, res: Response, next: NextFunction) => {
     models.sequelize.query(`SELECT * FROM Users WHERE email = $1 AND password = $2 AND deletedAt IS NULL`,
       { bind: [ req.body.email, security.hash(req.body.password) ], model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginJimChallenge_2.ts

@@ -15,7 +15,7 @@ module.exports = function login () {
 
   return (req: Request, res: Response, next: NextFunction) => {
     models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: models.User, plain: false })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginJimChallenge_3.ts

@@ -16,7 +16,7 @@ module.exports = function login () {
   return (req: Request, res: Response, next: NextFunction) => {
     models.sequelize.query(`SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL`,
       { replacements: [ req.body.email, req.body.password ], model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/loginJimChallenge_4.ts

@@ -18,7 +18,7 @@ module.exports = function login () {
       res.status(451).send(res.__('SQL Injection detected.'))
     }
     models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: models.User, plain: true })
-      .then((authenticatedUser: { data: User }) => {
+      .then((authenticatedUser) => {
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

data/static/codefixes/weakPasswordChallenge_1_correct.ts

@@ -1,7 +1,7 @@
 User.init(
       password: {
         type: DataTypes.STRING,
-        set (clearTextPassword) {
+        set (clearTextPassword: string) {
           validatePasswordHasAtLeastTenChar(clearTextPassword)
           validatePasswordIsNotInTopOneMillionCommonPasswordsList(clearTextPassword)
           this.setDataValue('password', security.hash(clearTextPassword))

data/static/codefixes/weakPasswordChallenge_2.ts

@@ -1,7 +1,7 @@
 User.init(
       password: {
         type: DataTypes.STRING,
-        set (clearTextPassword) {
+        set (clearTextPassword: string) {
           validatePasswordHasAtLeastOneNumber(clearTextPassword)
           validatePasswordHasAtLeastOneSpecialChar(clearTextPassword)
           validatePasswordHasAtLeastOneUpperCaseChar(clearTextPassword)

data/static/codefixes/weakPasswordChallenge_3.ts

@@ -1,7 +1,7 @@
 User.init(
       password: {
         type: DataTypes.STRING,
-        set (clearTextPassword) {
+        set (clearTextPassword: string) {
           validatePasswordHasAtLeastOneNumber(clearTextPassword)
           validatePasswordHasAtLeastOneSpecialChar(clearTextPassword)
           validatePasswordHasAtLeastOneUpperCaseChar(clearTextPassword)

data/static/codefixes/weakPasswordChallenge_4.ts

@@ -1,7 +1,7 @@
 User.init(
       password: {
         type: DataTypes.STRING,
-        set (clearTextPassword) {
+        set (clearTextPassword: string) {
           validatePasswordIsNotInTopOneMillionCommonPasswordsList(clearTextPassword)
           this.setDataValue('password', security.hash(clearTextPassword))
         }

lib/botUtils.ts

@@ -2,15 +2,15 @@
  * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
-import * as models from '../models/index'
+import { ProductModel } from '../models/product'
 import { type Product } from '../data/types'
 import fuzz from 'fuzzball'
 import { challenges } from '../data/datacache'
 import * as security from './insecurity'
 import * as challengeUtils from './challengeUtils'
 
 async function productPrice (query: string, user: string) {
-  const [products] = await models.sequelize.query('SELECT * FROM Products')
+  const products = await ProductModel.findAll()
   const queriedProducts = products
     .filter((product: Product) => fuzz.partial_ratio(query, product.name) > 60)
     .map((product: Product) => `${product.name} costs ${product.price}¤`)

lib/insecurity.ts

@@ -60,7 +60,7 @@ export const decode = (token: string) => { return jws.decode(token).payload }
 export const sanitizeHtml = (html: string) => sanitizeHtmlLib(html)
 export const sanitizeLegacy = (input = '') => input.replace(/<(?:\w+)\W+?[\w]/gi, '')
 export const sanitizeFilename = (filename: string) => sanitizeFilenameLib(filename)
-export const sanitizeSecure = (html: string): string | null => {
+export const sanitizeSecure = (html: string): string => {
   const sanitized = sanitizeHtml(html)
   if (sanitized === html) {
     return html

models/feedback.ts

@@ -4,9 +4,8 @@
  */
 
 /* jslint node: true */
-import utils = require('../lib/utils')
-import challengeUtils = require('../lib/challengeUtils')
-
+import * as utils from '../lib/utils'
+import * as challengeUtils from '../lib/challengeUtils'
 import {
   Model,
   type InferAttributes,
@@ -16,7 +15,7 @@ import {
   type Sequelize
 } from 'sequelize'
 import { challenges } from '../data/datacache'
-const security = require('../lib/insecurity')
+import * as security from '../lib/insecurity'
 
 class Feedback extends Model<
 InferAttributes<Feedback>,

models/index.ts

@@ -23,19 +23,17 @@ import { SecurityAnswerModelInit } from './securityAnswer'
 import { SecurityQuestionModelInit } from './securityQuestion'
 import { UserModelInit } from './user'
 import { WalletModelInit } from './wallet'
+import { Sequelize, Transaction } from 'sequelize'
 
 /* jslint node: true */
-
-const Sequelize = require('sequelize')
-
 const sequelize = new Sequelize('database', 'username', 'password', {
   dialect: 'sqlite',
   retry: {
     match: [/SQLITE_BUSY/],
     name: 'query',
     max: 5
   },
-  transactionType: 'IMMEDIATE',
+  transactionType: Transaction.TYPES.IMMEDIATE,
   storage: 'data/juiceshop.sqlite',
   logging: false
 })

models/product.ts

@@ -4,8 +4,8 @@
  */
 
 /* jslint node: true */
-import utils = require('../lib/utils')
-import challengeUtils = require('../lib/challengeUtils')
+import * as utils from '../lib/utils'
+import * as challengeUtils from '../lib/challengeUtils'
 import {
   Model,
   type InferAttributes,
@@ -16,7 +16,7 @@ import {
 } from 'sequelize'
 import { type BasketItemModel } from './basketitem'
 import { challenges } from '../data/datacache'
-const security = require('../lib/insecurity')
+import * as security from '../lib/insecurity'
 
 class Product extends Model<
 InferAttributes<Product>,

models/securityAnswer.ts

@@ -12,7 +12,7 @@ import {
   type CreationOptional,
   type Sequelize
 } from 'sequelize'
-const security = require('../lib/insecurity')
+import * as security from '../lib/insecurity'
 
 class SecurityAnswer extends Model<
 InferAttributes<SecurityAnswer>,
@@ -42,7 +42,7 @@ const SecurityAnswerModelInit = (sequelize: Sequelize) => {
       },
       answer: {
         type: DataTypes.STRING,
-        set (answer) {
+        set (answer: string) {
           this.setDataValue('answer', security.hmac(answer))
         }
       }

models/user.ts

@@ -13,10 +13,10 @@ import {
   type CreationOptional,
   type Sequelize
 } from 'sequelize'
-import challengeUtils = require('../lib/challengeUtils')
+import * as challengeUtils from '../lib/challengeUtils'
 import * as utils from '../lib/utils'
 import { challenges } from '../data/datacache'
-const security = require('../lib/insecurity')
+import * as security from '../lib/insecurity'
 
 class User extends Model<
 InferAttributes<User>,
@@ -73,7 +73,7 @@ const UserModelInit = (sequelize: Sequelize) => { // vuln-code-snippet start wea
       }, // vuln-code-snippet hide-end
       password: {
         type: DataTypes.STRING,
-        set (clearTextPassword) {
+        set (clearTextPassword: string) {
           this.setDataValue('password', security.hash(clearTextPassword)) // vuln-code-snippet vuln-line weakPasswordChallenge
         }
       }, // vuln-code-snippet end weakPasswordChallenge

routes/login.ts

@@ -34,7 +34,7 @@ module.exports = function login () {
   return (req: Request, res: Response, next: NextFunction) => {
     verifyPreLoginChallenges(req) // vuln-code-snippet hide-line
     models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: UserModel, plain: true }) // vuln-code-snippet vuln-line loginAdminChallenge loginBenderChallenge loginJimChallenge
-      .then((authenticatedUser: { data: User }) => { // vuln-code-snippet neutral-line loginAdminChallenge loginBenderChallenge loginJimChallenge
+      .then((authenticatedUser) => { // vuln-code-snippet neutral-line loginAdminChallenge loginBenderChallenge loginJimChallenge
         const user = utils.queryResultToJson(authenticatedUser)
         if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({

routes/search.ts

@@ -3,7 +3,7 @@
  * SPDX-License-Identifier: MIT
  */
 
-import models = require('../models/index')
+import * as models from '../models/index'
 import { type Request, type Response, type NextFunction } from 'express'
 import { UserModel } from '../models/user'
 import { challenges } from '../data/datacache'
@@ -44,7 +44,7 @@ module.exports = function searchProducts () {
         }
         if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
           let solved = true
-          models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
+          void models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
             const tableDefinitions = utils.queryResultToJson(data)
             if (tableDefinitions.data?.length) {
               for (let i = 0; i < tableDefinitions.data.length; i++) {