-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
Copy pathprofile.js
111 lines (92 loc) · 3.54 KB
/
profile.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
const ProfileDAO = require("../data/profile-dao").ProfileDAO;
const ESAPI = require('node-esapi')
const {
environmentalScripts
} = require("../../config/config");
/* The ProfileHandler must be constructed with a connected db */
function ProfileHandler(db) {
"use strict";
const profile = new ProfileDAO(db);
this.displayProfile = (req, res, next) => {
const {
userId
} = req.session;
profile.getByUserId(parseInt(userId), (err, doc) => {
if (err) return next(err);
doc.userId = userId;
// @TODO @FIXME
// while the developer intentions were correct in encoding the user supplied input so it
// doesn't end up as an XSS attack, the context is incorrect as it is encoding the firstname for HTML
// while this same variable is also used in the context of a URL link element
doc.website = ESAPI.encoder().encodeForHTML(doc.website)
// fix it by replacing the above with another template variable that is used for
// the context of a URL in a link header
// doc.website = ESAPI.encoder().encodeForURL(doc.website)
return res.render("profile", {
...doc,
environmentalScripts
});
});
};
this.handleProfileUpdate = (req, res, next) => {
const {
firstName,
lastName,
ssn,
dob,
address,
bankAcc,
bankRouting
} = req.body;
// Fix for Section: ReDoS attack
// The following regexPattern that is used to validate the bankRouting number is insecure and vulnerable to
// catastrophic backtracking which means that specific type of input may cause it to consume all CPU resources
// with an exponential time until it completes
// --
// The Fix: Instead of using greedy quantifiers the same regex will work if we omit the second quantifier +
// const regexPattern = /([0-9]+)\#/;
const regexPattern = /([0-9]+)+\#/;
// Allow only numbers with a suffix of the letter #, for example: 'XXXXXX#'
const testComplyWithRequirements = regexPattern.test(bankRouting);
// if the regex test fails we do not allow saving
if (testComplyWithRequirements !== true) {
const firstNameSafeString = firstName
return res.render("profile", {
updateError: "Bank Routing number does not comply with requirements for format specified",
firstNameSafeString,
lastName,
ssn,
dob,
address,
bankAcc,
bankRouting,
environmentalScripts
});
}
const {
userId
} = req.session;
profile.updateUser(
parseInt(userId),
firstName,
lastName,
ssn,
dob,
address,
bankAcc,
bankRouting,
(err, user) => {
if (err) return next(err);
// WARN: Applying any sting specific methods here w/o checking type of inputs could lead to DoS by HPP
//firstName = firstName.trim();
user.updateSuccess = true;
user.userId = userId;
return res.render("profile", {
...user,
environmentalScripts
});
}
);
};
}
module.exports = ProfileHandler;