Feature/187 #293

Open
wants to merge 10 commits into
base: master
2 changes: 1 addition & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,4 @@ Icon?
report*.html

# e2e
test/e2e/screenshots/
**/test/e2e/screenshots/
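Review bot: the `**/` prefix is needed here, not just cosmetic: a gitignore pattern with a slash in its middle (`test/e2e/screenshots/`) is anchored to the directory that holds the `.gitignore`, so the old line only matched the top-level `test/e2e/screenshots/` and would have missed the per-app copies under the new `apps/` layout (the diff adds `apps/server-render/`). One follow-up check: ignore rules do not untrack files already committed, so run `git ls-files | grep e2e/screenshots` once to confirm no screenshots slipped in during the move.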
11 changes: 5 additions & 6 deletions .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,17 +24,16 @@ cache:

override:
# use the new "ci" command for fastest installs on CI
- npm ci
- npm run cy:verify
- npm install
- npm run all:cy:verify

before_script:
## we use the '&' ampersand which tells
## travis to run this process in the background
## else it would block execution and hang travis
- docker run -d -p 27017:27017 mongo:4.0
- docker ps -a
- NODE_ENV=test npm start -- --silent &
- npm run all:deps-ci
- NODE_ENV=test npm run all:infra-start -- --silent &

script:
- npm run test:ci
- npm run all:test-ci

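Review bot: swapping `npm ci` for `npm install` under `override:` weakens reproducibility of the CI build. `npm ci` installs exactly what `package-lock.json` records and fails fast if the lockfile and `package.json` disagree; `npm install` re-resolves and may rewrite the lockfile on the CI box, so the dependency tree that is tested is no longer guaranteed to be the one that is committed. If `npm ci` had to go because dependencies are now installed per app by `all:deps-ci`, then the comment `# use the new "ci" command for fastest installs on CI` directly above `- npm install` is stale and should be updated, and `all:deps-ci` should use `npm ci` in each app that has a lockfile. The `docker run -d -p 27017:27017 mongo:4.0` and `docker ps -a` lines are also dropped in favour of `all:infra-start`; please confirm the new script still pins the Mongo image version rather than pulling `latest`, and keep a `docker ps -a` equivalent so a failed container start is visible in the Travis log.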
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
119 changes: 119 additions & 0 deletions apps/server-render/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
# NodeGoat

Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications. This project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

## Getting Started
OWASP Top 10 for Node.js web applications:

### Know it!
[Tutorial Guide](http://nodegoat.herokuapp.com/tutorial) explaining how each of the OWASP Top 10 vulnerabilities can manifest in Node.js web apps and how to prevent it.

### Do it!
[A Vulnerable Node.js App for Ninjas](http://nodegoat.herokuapp.com/) to exploit, toast, and fix. You may like to [set up your own copy](#how-to-setup-your-copy-of-nodegoat) of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
##### Default user accounts
The database comes pre-populated with these user accounts created as part of the seed data -
* Admin Account - u:admin p:Admin_123
* User Accounts (u:user1 p:User1_123), (u:user2 p:User2_123)
* New users can also be added using the sign-up page.

## How to Setup Your Copy of NodeGoat

### OPTION 1 - One click install on Heroku
The the quickest way to get running with NodeGoat is to click the button below to deploy it on Heroku.

Even though it is not essential, but recommended that you fork this repository and deploy the forked repo.
This would allow you to fix vulnerabilities in your own forked version, and deploy and test it on heroku.

[![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy)

This Heroku instance uses Free ($0/month) node server and MongoLab add-on.

### OPTION 2 - Run NodeGoat on your machine

If you do not wish to run NodeGoat on Heroku, please follow these steps to setup and run it locally -
* Install [Node.js](http://nodejs.org/) - NodeGoat requires Node v8 or above

* Clone the github repository
```
git clone https://github.com/OWASP/NodeGoat.git
```

*go to the directory
```
cd NodeGoat
```

* Install node modules
```
npm install
```

* Create Mongo DB:
You can create a remote MongoDB instance or use local mongod installation
* A. Using Remote MongoDB
* Create a sandbox mongoDB instance (free) at [mLab](https://mlab.com/plans/pricing/#plan-sandbox)
* Create a new database.
* Create a user.
* Update the `db` property in file `config/env/development.js` to reflect your DB setup. (in format: `mongodb://<username>:<password>@<databasename>`)
* OR B.Using local MongoDB
* If using local Mongo DB instance, start [mongod](http://docs.mongodb.org/manual/reference/program/mongod/#bin.mongod).
* Update the `db` property in file `config/env/development.js` to reflect your DB setup. (in format: `mongodb://localhost:27017/<databasename>`)

* Populate MongoDB with seed data required for the app
* Run the npm-script below to populate the DB with seed data required for the application. Pass the desired environment as argument. If not passed, "development" is the default:
```
npm run db:seed
```
* Start server, this starts the NodeGoat application at url [http://localhost:4000/](http://localhost:4000/)
```
npm start
```

* Start server with nodemon, this starts the NodeGoat application at url [http://localhost:5000/](http://localhost:5000/)
```
npm run dev
```

### OPTION 3 - Run NodeGoat on Docker

**You need to install [docker](https://docs.docker.com/installation/) and [docker compose](https://docs.docker.com/compose/install/) to be able to use this option**

The repo includes the Dockerfile and docker-compose.yml necessary to setup the app and the db instance then connect them together.

* Change the db config in `config/env/development.js` to point to the respective Docker container.
```
db: "mongodb://mongo:27017/nodegoat",
```
* Build the images:
```
docker-compose build
```
* Run the app:
```
docker-compose up
```


#### Customizing the Default Application Configuration
The default application settings (database url, http port, etc.) can be changed by updating the [config file] (https://github.com/OWASP/NodeGoat/blob/master/config/env/all.js).

## Report bugs, Feedback, Comments
* Open a new [issue](https://github.com/OWASP/NodeGoat/issues) or contact team by joining chat at [Slack](https://owasp.slack.com/messages/project-nodegoat/) or [![Join the chat at https://gitter.im/OWASP/NodeGoat](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/OWASP/NodeGoat?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)


## Contributing

Please Follow [the contributing guide](CONTRIBUTING.md)

## Code Of Conduct (CoC)

This project is bound by a [Code of Conduct](CODE_OF_CONDUCT.md).

## Contributors
Here are the amazing [contributors](https://github.com/OWASP/NodeGoat/graphs/contributors) to the NodeGoat project.

## Supports
- Thanks to JetBrains for providing licenses to fantastic [WebStorm IDE](https://www.jetbrains.com/webstorm/) to build this project.

## License
Code licensed under the [Apache License v2.0.](http://www.apache.org/licenses/LICENSE-2.0)
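Review bot: this new README has a few defects that should be fixed before merge, all in the lines above: `The the quickest way` under OPTION 1; the `*go to the directory` bullet is missing the space after `*`, so it will render as a paragraph rather than a list item; `[config file] (https://github.com/OWASP/NodeGoat/blob/master/config/env/all.js)` has a space between `]` and `(` and will render as literal text instead of a link; and the `npm start` step says the app listens at http://localhost:4000/ while the `npm run dev` step says http://localhost:5000/, which should be reconciled or explained. Since the file now lives under `apps/server-render/`, the `git clone` / `cd NodeGoat` steps and the references to `config/env/development.js` should also be re-checked against the new directory layout. The default accounts listed under "Default user accounts" are seed data for the training app, which the text already states; keep that framing so nobody mistakes them for something to carry into a real deployment.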
File renamed without changes.
File renamed without changes.
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
const UserDAO = require("./user-dao").UserDAO;

/* The AllocationsDAO must be constructed with a connected database object */
const AllocationsDAO = function(db){
const AllocationsDAO = function(db) {

"use strict";

Expand Down Expand Up @@ -90,7 +90,7 @@ const AllocationsDAO = function(db){
let doneCounter = 0;
const userAllocations = [];

allocations.forEach( alloc => {
allocations.forEach(alloc => {
userDAO.getUserById(alloc.userId, (err, user) => {
if (err) return callback(err, null);

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -40,4 +40,6 @@ function BenefitsDAO(db) {
};
}

module.exports = { BenefitsDAO };
module.exports = {
BenefitsDAO
};
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ function ContributionsDAO(db) {
};

contributionsDB.update({
userId
userId
},
contributions, {
upsert: true
Expand Down Expand Up @@ -83,4 +83,6 @@ function ContributionsDAO(db) {
};
}

module.exports = { ContributionsDAO };
module.exports = {
ContributionsDAO
};
Original file line number Diff line number Diff line change
Expand Up @@ -36,4 +36,6 @@ function MemosDAO(db) {

}

module.exports = { MemosDAO };
module.exports = {
MemosDAO
};
Original file line number Diff line number Diff line change
Expand Up @@ -110,4 +110,6 @@ function ProfileDAO(db) {
};
}

module.exports = { ProfileDAO };
module.exports = {
ProfileDAO
};
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,6 @@ function ResearchDAO(db) {
}
}

module.exports = { ResearchDAO };
module.exports = {
ResearchDAO
};
Original file line number Diff line number Diff line change
Expand Up @@ -116,8 +116,10 @@ function UserDAO(db) {
}, {
new: true
},
(err, data) => err ? callback(err, null) : callback(null, data.value.seq));
(err, data) => err ? callback(err, null) : callback(null, data.value.seq));
};
}

module.exports = { UserDAO };
module.exports = {
UserDAO
};
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
const AllocationsDAO = require("../data/allocations-dao").AllocationsDAO;

function AllocationsHandler (db) {
function AllocationsHandler(db) {
"use strict";

const allocationsDAO = new AllocationsDAO(db);
Expand All @@ -10,12 +10,19 @@ function AllocationsHandler (db) {
// Fix for A4 Insecure DOR - take user id from session instead of from URL param
const { userId } = req.session;
*/
const {userId} = req.params;
const { threshold } = req.query
const {
userId
} = req.params;
const {
threshold
} = req.query

allocationsDAO.getByUserIdAndThreshold(userId, threshold, (err, allocations) => {
if (err) return next(err);
return res.render("allocations", { userId, allocations });
return res.render("allocations", {
userId,
allocations
});
});
};
}
Expand Down
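Review bot: `const { threshold } = req.query` is expanded to three lines here but still has no terminating semicolon, while the `req.params` destructuring directly above it does; since this PR is a formatting pass, either run the same formatter over that line or add the `;` by hand. Behaviour is unchanged, so `userId` is still taken from `req.params` with the session-based fix left in the commented block (`// Fix for A4 Insecure DOR - take user id from session instead of from URL param`), which is consistent with the file's stated purpose of demonstrating that issue; just confirm that this is still deliberate for the `apps/server-render` copy and not something that was meant to be resolved as part of the move.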
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
const { BenefitsDAO } = require("../data/benefits-dao");
const {
BenefitsDAO
} = require("../data/benefits-dao");

function BenefitsHandler (db) {
function BenefitsHandler(db) {
"use strict";

const benefitsDAO = new BenefitsDAO(db);
Expand All @@ -21,7 +23,10 @@ function BenefitsHandler (db) {
};

this.updateBenefits = (req, res, next) => {
const { userId, benefitStartDate } = req.body;
const {
userId,
benefitStartDate
} = req.body;

benefitsDAO.updateBenefits(userId, benefitStartDate, (error) => {

Expand Down
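Review bot: formatting only, but the expanded destructuring makes it easier to see that `updateBenefits` reads `userId` from `req.body` rather than from the session, the same pattern that `AllocationsHandler` in this PR marks with its `A4 Insecure DOR` comment. Nothing to change in a formatting PR if that is intentional for the training app, but a matching comment here stating that it is deliberate (and what the fix would be) would help readers who reach this handler first.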
Original file line number Diff line number Diff line change
@@ -1,13 +1,15 @@
const ContributionsDAO = require("../data/contributions-dao").ContributionsDAO;

/* The ContributionsHandler must be constructed with a connected db */
function ContributionsHandler (db) {
function ContributionsHandler(db) {
"use strict";

const contributionsDAO = new ContributionsDAO(db);

this.displayContributions = (req, res, next) => {
const { userId } = req.session;
const {
userId
} = req.session;

contributionsDAO.getByUserId(userId, (error, contrib) => {
if (error) return next(error);
Expand All @@ -31,7 +33,9 @@ function ContributionsHandler (db) {
const afterTax = parseInt(req.body.afterTax);
const roth = parseInt(req.body.roth);
*/
const { userId } = req.session;
const {
userId
} = req.session;

//validate contributions
const validations = [isNaN(preTax), isNaN(afterTax), isNaN(roth), preTax < 0, afterTax < 0, roth < 0]
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
// Error handling middleware

const errorHandler = (err, req, res,next) => {
const errorHandler = (err, req, res, next) => {

"use strict";

Expand All @@ -12,4 +12,6 @@ const errorHandler = (err, req, res,next) => {
});
};

module.exports = { errorHandler };
module.exports = {
errorHandler
};
Original file line number Diff line number Diff line change
Expand Up @@ -76,9 +76,11 @@ const index = (app, db) => {
app.get("/tutorial", (req, res) => {
return res.render("tutorial/a1");
});

app.get("/tutorial/:page", (req, res) => {
const { page } = req.params
const {
page
} = req.params
return res.render(`tutorial/${page}`);
});

Expand Down
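Review bot: `} = req.params` in the expanded destructuring keeps the missing semicolon from the original `const { page } = req.params`, whereas the other handlers in this PR end their destructuring statements with `;`; worth making consistent. Unchanged by this hunk but visible in it: the view name passed to `res.render(\`tutorial/${page}\`)` comes straight from the URL parameter, so if the tutorial pages are a fixed set, an allow-list of valid page names with a 404 for anything else would be a cheap hardening step for a follow-up PR.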
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
const MemosDAO = require("../data/memos-dao").MemosDAO;

function MemosHandler (db) {
function MemosHandler(db) {
"use strict";

const memosDAO = new MemosDAO(db);
Expand All @@ -15,7 +15,9 @@ function MemosHandler (db) {

this.displayMemos = (req, res, next) => {

const { userId } = req.session;
const {
userId
} = req.session;

memosDAO.getAllMemos((err, docs) => {
if (err) return next(err);
Expand Down