
Move Docker/Heroku checks into utils functions

bkimminich committed Sep 2, 2018
1 parent 6d0a69b commit 4a6f5ddb4ea162fd56cd8fa72b1fbceb29308bc4
Showing with 21 additions and 21 deletions.
  1. +1 −12 data/datacreator.js
  2. +15 −0 lib/utils.js
  3. +1 −3 routes/fileUpload.js
  4. +2 −3 test/api/fileUploadSpec.js
  5. +2 −3 test/e2e/complainSpec.js
@@ -4,8 +4,6 @@ const datacache = require('./datacache')
const config = require('config')
const utils = require('../lib/utils')
const mongodb = require('./mongodb')
const isDocker = require('is-docker')
const isHeroku = require('is-heroku')
const fs = require('fs')
const path = require('path')
@@ -41,15 +39,6 @@ module.exports = async () => {
}
}
function determineRuntime (disabledEnv) {
if (isDocker()) {
return disabledEnv && (disabledEnv === 'Docker' || disabledEnv.includes('Docker')) ? 'Docker' : null
} else if (isHeroku) {
return disabledEnv && (disabledEnv === 'Heroku' || disabledEnv.includes('Heroku')) ? 'Heroku' : null
}
return null
}
async function createChallenges () {
const showHints = config.get('application.showChallengeHints')
@@ -67,7 +56,7 @@ async function createChallenges () {
solved: false,
hint: showHints ? hint : null,
hintUrl: showHints ? hintUrl : null,
disabledEnv: determineRuntime(disabledEnv)
disabledEnv: utils.determineDisabledContainerEnv(disabledEnv)
})
datacache.challenges[key] = challenge
} catch (err) {
@@ -11,6 +11,8 @@ const config = require('config')
const entities = new Entities()
const download = require('download')
const crypto = require('crypto')
const isDocker = require('is-docker')
const isHeroku = require('is-heroku')
const months = ['JAN', 'FEB', 'MAR', 'APR', 'MAY', 'JUN', 'JUL', 'AUG', 'SEP', 'OCT', 'NOV', 'DEC']
@@ -164,3 +166,16 @@ exports.jwtFrom = ({ headers }) => {
exports.randomHexString = (length) => {
return crypto.randomBytes(Math.ceil(length / 2)).toString('hex').slice(0, length)
}
exports.runsOnContainerEnv = () => {
return isDocker() || isHeroku
}
exports.determineDisabledContainerEnv = (disabledEnv) => {
if (isDocker()) {
return disabledEnv && (disabledEnv === 'Docker' || disabledEnv.includes('Docker')) ? 'Docker' : null
} else if (isHeroku) {
return disabledEnv && (disabledEnv === 'Heroku' || disabledEnv.includes('Heroku')) ? 'Heroku' : null
}
return null
}
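Review bot: The two branches of `determineDisabledContainerEnv` repeat the same test with only the environment name changed, and the `disabledEnv === 'Docker'` comparison in the Docker branch is already covered by `disabledEnv.includes('Docker')`, which holds for a string equal to 'Docker' as well as for an array containing it. Detecting the runtime once and then testing membership removes the duplication without changing any result, including the `null` returned for a falsy `disabledEnv` or an unrecognised runtime. Neither exported helper is documented; a short JSDoc stating that `runsOnContainerEnv` reports whether the process runs under Docker or Heroku, and that `determineDisabledContainerEnv` returns the name of the current runtime only when it appears in `disabledEnv` and `null` otherwise, would record the contract that datacreator.js now relies on. The `includes` call presumes a truthy `disabledEnv` is a string or an array; that assumption is not visible in this change and is worth stating in the JSDoc.
```javascript
exports.determineDisabledContainerEnv = (disabledEnv) => {
  const runtime = isDocker() ? 'Docker' : (isHeroku ? 'Heroku' : null)
  if (!runtime || !disabledEnv) return null
  return disabledEnv.includes(runtime) ? runtime : null
}
```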
@@ -2,8 +2,6 @@ const utils = require('../lib/utils')
const challenges = require('../data/datacache').challenges
const libxml = require('libxmljs')
const vm = require('vm')
const isDocker = require('is-docker')
const isHeroku = require('is-heroku')
module.exports = function fileUpload () {
return (req, res, next) => {
@@ -19,7 +17,7 @@ module.exports = function fileUpload () {
if (utils.notSolved(challenges.deprecatedInterfaceChallenge)) {
utils.solve(challenges.deprecatedInterfaceChallenge)
}
if (file.buffer && !isDocker() && !isHeroku) { // XXE attacks in Docker/Heroku containers regularly cause "segfault" crashes
if (file.buffer && !utils.runsOnContainerEnv()) { // XXE attacks in Docker/Heroku containers regularly cause "segfault" crashes
const data = file.buffer.toString()
try {
const sandbox = { libxml, data }
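Review bot: `utils.runsOnContainerEnv()` is now evaluated inside the request handler on every upload that carries a buffer, although its answer cannot change for the lifetime of the process; if the underlying detection probes the filesystem (not visible here), that cost lands on the request path. Computing it once at module scope, `const runsOnContainerEnv = utils.runsOnContainerEnv()` next to the requires, and guarding with `if (file.buffer && !runsOnContainerEnv) {` keeps the handler free of it, at the price of making the check harder to stub in tests. The `fileUpload` handler starts in the previous hunk and continues past this one.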
@@ -2,8 +2,7 @@ const frisby = require('frisby')
const fs = require('fs')
const path = require('path')
const FormData = require('form-data')
const isDocker = require('is-docker')
const isHeroku = require('is-heroku')
const utils = require('../../lib/utils')
const URL = 'http://localhost:3000'
@@ -61,7 +60,7 @@ describe('/file-upload', () => {
.done(done)
})
if (!isDocker() && !isHeroku) { // XXE attacks in Docker/Heroku containers regularly cause "segfault" crashes
if (!utils.runsOnContainerEnv()) {
it('POST file type XML with XXE attack against Windows', done => {
file = path.resolve(__dirname, '../files/xxeForWindows.xml')
form = new FormData()
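Review bot: The new guard `if (!utils.runsOnContainerEnv()) {` drops the comment that explained why the XXE cases are skipped in containers, while the matching guard in routes/fileUpload.js keeps it; the same omission is in test/e2e/complainSpec.js. Restoring it as `if (!utils.runsOnContainerEnv()) { // XXE attacks in Docker/Heroku containers regularly cause "segfault" crashes` keeps the rationale next to the skip. Because the guard wraps the `it` registration itself, a container run never reports these cases at all; if the runner exposes `xit`, registering them through `const itOutsideContainer = utils.runsOnContainerEnv() ? xit : it` would make the skip visible in the test output. The `describe('/file-upload')` block starts and ends outside the hunk.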
@@ -1,7 +1,6 @@
const config = require('config')
const path = require('path')
const isDocker = require('is-docker')
const isHeroku = require('is-heroku')
const utils = require('../../lib/utils')
describe('/#/complain', () => {
let file, complaintMessage, submitButton
@@ -62,7 +61,7 @@ describe('/#/complain', () => {
protractor.expect.challengeSolved({ challenge: 'Deprecated Interface' })
})
if (!isDocker() && !isHeroku) { // XXE attacks in Docker/Heroku containers regularly cause "segfault" crashes
if (!utils.runsOnContainerEnv()) {
describe('challenge "xxeFileDisclosure"', () => {
it('should be possible to retrieve file from Windows server via .xml upload with XXE attack', () => {
complaintMessage.sendKeys('XXE File Exfiltration Windows!')
