alexeisnyk · vishal-thenge · Apr 11, 2022 · Apr 11, 2022 · Apr 11, 2022 · Aug 12, 2022
diff --git a/.deepsource.toml b/.deepsource.toml
@@ -0,0 +1,26 @@
+version = 1
+
+[[analyzers]]
+name = "python"
+enabled = true
+
+  [analyzers.meta]
+  runtime_version = "3.x.x"
+
+[[analyzers]]
+name = "shell"
+enabled = true
+
+[[analyzers]]
+name = "javascript"
+enabled = true
+
+  [analyzers.meta]
+  plugins = [
+    "react",
+    "angular",
+    "vue",
+    "ember",
+    "meteor",
+    "angularjs"
+  ]
diff --git a/.github/workflows/fossa-scan.yml b/.github/workflows/fossa-scan.yml
@@ -0,0 +1,39 @@
+name: FOSSA scan
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+
+permissions:
+  contents: read
+
+jobs:
+  fossa-scan:
+    runs-on: ubuntu-latest
+    env:
+      FOSSA_API_KEY: ${{secrets.FOSSA_API_KEY}}
+
+    steps:
+      - name: "Checkout Code"
+        uses: actions/checkout@v3
+
+      - name: "Run FOSSA Scan"
+        uses: fossas/fossa-action@main # Use a specific version if locking is preferred
+        with:
+          api-key: ${{secrets.fossaApiKey}}
+
+      #- name: "Run FOSSA Test"
+      #  uses: fossas/fossa-action@main # Use a specific version if locking is preferred
+      #  with:
+      #    api-key: ${{secrets.fossaApiKey}}
+       #   run-tests: true
+
+      - name: "Run FOSSA CLI"
+        run: |
+            echo "Inside CLI"
+            curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | sudo bash
+            fossa analyze
+
diff --git a/.github/workflows/snyk-container.yml b/.github/workflows/snyk-container.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which checks out the code, builds a container
+# image using Docker and scans that image for vulnerabilities using
+# Snyk. The results are then uploaded to GitHub Security Code Scanning
+#
+# For more examples, including how to limit scans to only high-severity
+# issues, monitor images for newly disclosed vulnerabilities in Snyk and
+# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/
+
+name: Snyk Container
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '40 9 * * 5'
+
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Build a Docker image
+      run: docker build -t your/image-to-test .
+    - name: Run Snyk to check Docker image for vulnerabilities
+      # Snyk can be used to break the build when it detects vulnerabilities.
+      # In this case we want to upload the issues to GitHub Code Scanning
+      continue-on-error: true
+      uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4
+      env:
+        # In order to use the Snyk Action you will need to have a Snyk API token.
+        # More details in https://github.com/snyk/actions#getting-your-snyk-token
+        # or you can signup for free at https://snyk.io/login
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: your/image-to-test
+        args: --file=Dockerfile
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: snyk.sarif
diff --git a/.snyk b/.snyk
@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JS-VM2-2990237:
+    - '*':
+        reason: text string
+        expires: 2024-08-08T17:33:45.004Z
+        created: 2023-03-23T19:29:29.326Z
+patch: {}
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 **Snyk Instructions**
-1. Fork this repo to your own Github account
+1. Fork this repo to your own Github account - test
 2. Import your fork into Snyk via Git
 3. Clone your fork to your local system and ``cd`` yourself to that directory in terminal/command prompt
 4. Download and authenticate Snyk CLI if you haven't already (e.g. install NPM, then run ``npm i snyk -g`` followed by ``snyk auth``)

diff --git a/package.json b/package.json
@@ -183,7 +183,7 @@
     "sinon": "^9.0.2",
     "sinon-chai": "^3.5.0",
     "socket.io-client": "^2.3.0",
-    "standard": "^14.3.4",
+    "standard": "^14.3.8",
     "webdriver-manager": "^12.1.7"
   },
   "engines": {

diff --git a/routes/login2.js b/routes/login2.js
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2014-2021 Bjoern Kimminich.
+ * SPDX-License-Identifier: MIT
+ */
+
+const utils = require('../lib/utils')
+const insecurity = require('../lib/insecurity')
+const models = require('../models/index')
+const challenges = require('../data/datacache').challenges
+const users = require('../data/datacache').users
+const config = require('config')
+
+module.exports = function login () {
+  function afterLogin (user, res, next) {
+    verifyPostLoginChallenges(user)
+    models.Basket.findOrCreate({ where: { UserId: user.data.id }, defaults: {} })
+      .then(([basket]) => {
+        const token = insecurity.authorize(user)
+        user.bid = basket.id // keep track of original basket for challenge solution check
+        insecurity.authenticatedUsers.put(token, user)
+        res.json({ authentication: { token, bid: basket.id, umail: user.data.email } })
+      }).catch(error => {
+        next(error)
+      })
+  }
+
+  return (req, res, next) => {
+    verifyPreLoginChallenges(req)
+    models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${insecurity.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: models.User, plain: true })
+      .then((authenticatedUser) => {
+        let user = utils.queryResultToJson(authenticatedUser)
+        const rememberedEmail = insecurity.userEmailFrom(req)
+        if (rememberedEmail && req.body.oauth) {
+          models.User.findOne({ where: { email: rememberedEmail } }).then(rememberedUser => {
+            user = utils.queryResultToJson(rememberedUser)
+            utils.solveIf(challenges.loginCisoChallenge, () => { return user.data.id === users.ciso.id })
+            afterLogin(user, res, next)
+          })
+        } else if (user.data && user.data.id && user.data.totpSecret !== '') {
+          res.status(401).json({
+            status: 'totp_token_required',
+            data: {
+              tmpToken: insecurity.authorize({
+                userId: user.data.id,
+                type: 'password_valid_needs_second_factor_token'
+              })
+            }
+          })
+        } else if (user.data && user.data.id) {
+          afterLogin(user, res, next)
+        } else {
+          res.status(401).send(res.__('Invalid email or password.'))
+        }
+      }).catch(error => {
+        next(error)
+      })
+  }
+
+  function verifyPreLoginChallenges (req) {
+    utils.solveIf(challenges.weakPasswordChallenge, () => { return req.body.email === 'admin@' + config.get('application.domain') && req.body.password === 'admin123' })
+    utils.solveIf(challenges.loginSupportChallenge, () => { return req.body.email === 'support@' + config.get('application.domain') && req.body.password === 'J6aVjTgOpRs$?5l+Zkq2AYnCE@RF§P' })
+    utils.solveIf(challenges.loginRapperChallenge, () => { return req.body.email === 'mc.safesearch@' + config.get('application.domain') && req.body.password === 'Mr. N00dles' })
+    utils.solveIf(challenges.loginAmyChallenge, () => { return req.body.email === 'amy@' + config.get('application.domain') && req.body.password === 'K1f.....................' })
+    utils.solveIf(challenges.dlpPasswordSprayingChallenge, () => { return req.body.email === 'J12934@' + config.get('application.domain') && req.body.password === '0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB' })
+    utils.solveIf(challenges.oauthUserPasswordChallenge, () => { return req.body.email === 'bjoern.kimminich@gmail.com' && req.body.password === 'bW9jLmxpYW1nQGhjaW5pbW1pay5ucmVvamI=' })
+  }
+
+  function verifyPostLoginChallenges (user) {
+    utils.solveIf(challenges.loginAdminChallenge, () => { return user.data.id === users.admin.id })
+    utils.solveIf(challenges.loginJimChallenge, () => { return user.data.id === users.jim.id })
+    utils.solveIf(challenges.loginBenderChallenge, () => { return user.data.id === users.bender.id })
+    utils.solveIf(challenges.ghostLoginChallenge, () => { return user.data.id === users.chris.id })
+    if (utils.notSolved(challenges.ephemeralAccountantChallenge) && user.data.email === 'acc0unt4nt@' + config.get('application.domain') && user.data.role === 'accounting') {
+      models.User.count({ where: { email: 'acc0unt4nt@' + config.get('application.domain') } }).then(count => {
+        if (count === 0) {
+          utils.solve(challenges.ephemeralAccountantChallenge)
+        }
+      })
+    }
+  }
+}
diff --git a/test.html b/test.html
@@ -0,0 +1 @@
+<html>Hello!</html>
diff --git a/test2.html b/test2.html
@@ -0,0 +1 @@
+<html>Hello!</html>