-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathindex-new.js
212 lines (176 loc) · 6.07 KB
/
index-new.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
require('dotenv').config();
const express = require('express');
const bodyParser = require('body-parser');
const { Pool } = require('pg');
const bcrypt = require('bcrypt');
const csrf = require('csurf');
const winston = require('winston');
const cookieParser = require('cookie-parser');
const xss = require('xss');
const rateLimit = require('express-rate-limit');
const validator = require('validator');
const app = express();
const port = 3000;
const pool = new Pool({
user: process.env.DB_USER,
host: process.env.DB_HOST,
database: process.env.DB_NAME,
password: process.env.DB_PASSWORD,
port: process.env.DB_PORT,
});
const logger = winston.createLogger({
level: 'info',
format: winston.format.json(),
transports: [
new winston.transports.File({ filename: 'combined.log' }),
new winston.transports.Console()
],
});
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
app.use(cookieParser());
app.use(csrf({ cookie: { httpOnly: true, secure: true, sameSite: 'Strict' } }));
app.get('/v2/form', function (req, res) {
// pass the csrfToken to the view
res.status(201).send({ csrfToken: req.csrfToken() })
})
// 1. Secured route to prevent SQL Injection
//4. sensitive data exposure
app.get('/v2/user/:id', async (req, res) => {
const userId = req.params.id;
try {
// Use parameterized queries to avoid SQL Injection
const result = await pool.query('SELECT email FROM users WHERE id = $1', [userId]);
res.json(result.rows);
} catch (err) {
console.error(err);
res.status(500).send('Server error');
}
});
//2: Fix XSS Vulnerability
let comments = []
app.get('/v2/comments', (req, res) => {
res.send(`
<html>
<body>
<h1>Comments</h1>
<form action="/comments" method="post">
<textarea name="comment"></textarea>
<button type="submit">Submit</button>
</form>
<ul>
${comments.map(comment => `<li>${xss(comment)}</li>`).join('')}
</ul>
</body>
</html>
`);
});
app.post('/v2/comments', (req, res) => {
const { comment } = req.body;
comments.push(xss(comment)); // Sanitize input to prevent XSS
res.redirect('/v2/comments');
});
//3. Broken Authentication Vulnerability
//8. Fix for Insufficient Logging & Monitoring
// Rate limit to prevent brute force login attempts
const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5, // Limit each IP to 5 requests per windowMs
message: 'Too many login attempts. Please try again later.',
});
app.post('/v2/login', loginLimiter, async (req, res) => {
const { email, password } = req.body;
try {
// Fetch user from the database by email
const result = await pool.query('SELECT * FROM users WHERE email = $1', [email]);
if (result.rows.length === 0) {
// Log failed login attempt
logger.warn(`Failed login attempt for email: ${email}`);
return res.status(401).send('Invalid email or password');
}
const user = result.rows[0];
// Compare the submitted password with the stored hashed password
const match = await bcrypt.compare(password, user.password);
if (!match) {
// Log failed login attempt
logger.warn(`Failed login attempt for email: ${email}`);
return res.status(401).send('Invalid email or password');
}
// Log successful login
logger.info(`Successful login for email: ${email}`);
// Login success: send user info back (be cautious about exposing sensitive data)
res.status(200).send(`Welcome, ${user.email}`);
} catch (err) {
// Log unexpected server errors
logger.error(`Server error during login attempt for email: ${email}`, { error: err.message });
res.status(500).send('Server error');
}
});
// 5. Broken Access Control Vulnerability
// Middleware to authenticate user and attach the userId to the request
const authenticateUser = (req, res, next) => {
req.userId = req.headers['userid']; // Suppose the logged-in user has userId = 1
if (req.userId != 1) {
return res.status(403).send('Unauthorized');
}
next();
};
app.put('/v2/user/password/update', authenticateUser, async (req, res) => {
const userId = req.userId; // Get the logged-in user's ID
const { newPassword } = req.body;
try {
const hashedPassword = await bcrypt.hash(newPassword, 10);
// Now the user can only update their own password
const result = await pool.query(
'UPDATE users SET password = $1 WHERE id = $2 RETURNING *',
[hashedPassword, userId]
);
if (result.rowCount === 0) {
return res.status(404).send('User not found');
}
res.status(200).send('Password updated successfully');
} catch (err) {
console.error(err);
res.status(500).send('Server error');
}
});
// 6. CSRF token middleware
app.post('/v2/user/email/update', async (req, res) => {
const { userId, email } = req.body;
try {
await pool.query('UPDATE users SET email = $1 WHERE id = $2', [email, userId]);
res.status(200).send('Email updated successfully');
} catch (err) {
console.error(err);
res.status(500).send('Server error');
}
});
// 7. Fix Insecure Deserialization Vulnerability
app.post('/v2/user/update', async (req, res) => {
try {
// Safely parse the user input (with validation)
let user;
try {
user = JSON.parse(req.body.user);
} catch (err) {
return res.status(400).send('Invalid input format'); // Prevent invalid JSON
}
// Validate and sanitize input fields
if (!user.email || !user.id || !validator.isEmail(user.email) || !validator.isInt(user.id.toString())) {
return res.status(400).send('Invalid data');
}
// Safely process the update after validation
const result = await pool.query('UPDATE users SET email = $1 WHERE id = $2', [user.email, user.id]);
if (result.rowCount === 0) {
return res.status(404).send('User not found');
}
res.status(200).send('User updated successfully');
} catch (err) {
console.error(err);
res.status(500).send('Server error');
}
});
// Start Server
app.listen(port, () => {
console.log(`Server is running on http://localhost:${port}`);
});