👾 Add more javascript vulnerable methods

jsyeo · jsyeo · commit ae564b469d72 · 2020-09-24T16:29:41.000+08:00
diff --git a/index.js b/index.js
@@ -2,5 +2,3 @@
 
 const server = require('./server');
 server.listen(8001);
-
-
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -19,7 +19,9 @@
     "node-yaml-config": "0.0.5",
     "semver": "5.7.1",
     "to": "0.2.9",
-    "url": "0.11.0"
+    "url": "0.11.0",
+    "lodash": "4.17.15",
+    "marked": "0.3.19"
   },
   "devDependencies": {
     "mocha": "^7.0.1"
diff --git a/server.js b/server.js
@@ -1,11 +1,13 @@
 'use strict';
 
-const	http     = require('http'),
-    algoserv = require('algo-httpserv'),
-    fs	     = require('fs'),
-    yaml     = require('js-yaml'),
-    yamlTo   = require('to'),
-    yamlConf = require('node-yaml-config');// the vulnerable library is include to check whether we have false positives
+const http           = require('http'),
+      algoserv       = require('algo-httpserv'),
+      fs             = require('fs'),
+      yaml           = require('js-yaml'),
+      yamlTo         = require('to'),
+      yamlConf       = require('node-yaml-config'),// the vunlerable library is include to check whether we have false postives
+      _zipObjectDeep = require('lodash/zipObjectDeep'),
+      marked         = require('marked');
 
 
 // call vulnerable method js-yaml.load directly
@@ -37,4 +39,13 @@ exports.listen = function() {
 
 exports.close = function(callback) {
     this.server.close(callback);
-}
+}
+
+// call the vulnerable methods like how some real world projects call them
+function InlineLexer(links, options) {
+  marked.InlineLexer.call(this, links, options);
+}
+
+function zipObjectDeep(props, values) {
+  return _zipObjectDeep(props, values);
+}
