
Commit ae564b4

committed
👾 Add more javascript vulnerable methods
1 parent 6e11b7f commit ae564b4


4 files changed

+93
-77
lines changed


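--- a/index.js
+++ b/index.js
@@ -2,5 +2,3 @@
 
 const server = require('./server');
 server.listen(8001);
-
-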
package-lock.json

Lines changed: 72 additions & 67 deletions

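--- a/package.json
+++ b/package.json
@@ -19,7 +19,9 @@
 "node-yaml-config": "0.0.5",
 "semver": "5.7.1",
 "to": "0.2.9",
-"url": "0.11.0"
+"url": "0.11.0",
+"lodash": "4.17.15",
+"marked": "0.3.19"
 },
 "devDependencies": {
 "mocha": "^7.0.1"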

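--- a/server.js
+++ b/server.js
@@ -1,11 +1,13 @@
 'use strict';
 
-const http = require('http'),
-algoserv = require('algo-httpserv'),
-fs = require('fs'),
-yaml = require('js-yaml'),
-yamlTo = require('to'),
-yamlConf = require('node-yaml-config');// the vulnerable library is include to check whether we have false positives
+const http = require('http'),
+algoserv = require('algo-httpserv'),
+fs = require('fs'),
+yaml = require('js-yaml'),
+yamlTo = require('to'),
+yamlConf = require('node-yaml-config'),// the vunlerable library is include to check whether we have false postives
+_zipObjectDeep = require('lodash/zipObjectDeep'),
+marked = require('marked');
 
 
 // call vulnerable method js-yaml.load directly
@@ -37,4 +39,13 @@ exports.listen = function() {
 
 exports.close = function(callback) {
 this.server.close(callback);
-}
+}
+
+// call the vulnerable methods like how some real world projects call them
+function InlineLexer(links, options) {
+marked.InlineLexer.call(this, links, options);
+}
+
+function zipObjectDeep(props, values) {
+return _zipObjectDeep(props, values);
+}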
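Review bot: The two new wrappers at the end of the second hunk, `InlineLexer` and `zipObjectDeep`, are neither exported nor called from anything visible, and nothing states which weakness each one is meant to exercise, so a reader (or a reachability-based scanner, which is presumably what this fixture is for) cannot tell intended test fixture from dead code; a one-line comment on each would settle it, e.g. `// fixture: exercises lodash zipObjectDeep exactly as downstream code does; intentionally never invoked` above `zipObjectDeep` and the marked equivalent above `InlineLexer`. The comment on the new `node-yaml-config` require line also introduces two typos (`vunlerable`, `postives`) that the removed line spelled correctly; restore it as `// the vulnerable library is included to check whether we have false positives`. `InlineLexer` delegates with `marked.InlineLexer.call(this, links, options)` under `'use strict'`, so it presumably must be invoked with `new` — a plain call would hand `this === undefined` to marked's constructor — and that expectation belongs in its comment. The `exports.close` body that this hunk touches begins inside the hunk, but the surrounding module code between the two hunks is not shown here.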
