/* jslint node: true */
const crypto = require('crypto')
const expressJwt = require('express-jwt')
const jwt = require('jsonwebtoken')
const sanitizeHtml = require('sanitize-html')
const z85 = require('z85')
const utils = require('./utils')
// RSA key pair used for JWT verification (public) and signing (private, below).
// NOTE(review): both keys are embedded in source; the private key in particular
// should be loaded from configuration or a secret store rather than shipped in the repo.
const publicKey = '-----BEGIN RSA PUBLIC KEY-----\r\nMIGJAoGBAM3CosR73CBNcJsLv5E90NsFt6qN1uziQ484gbOoule8leXHFbyIzPQRozgEpSpiwhr6d2/c0CfZHEJ3m5tV0klxfjfM7oqjRMURnH/rmBjcETQ7qzIISZQ/iptJ3p7Gi78X5ZMhLNtDkUFU9WaGdiEb+SnC39wjErmJSfmGb7i1AgMBAAE=\r\n-----END RSA PUBLIC KEY-----'
const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\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\r\n-----END RSA PRIVATE KEY-----'
exports.hash = data => crypto.createHash('md5').update(data).digest('hex')
exports.hmac = data => crypto.createHmac('sha256', '07-92-75-2C-DB-D3').update(data).digest('hex')
/**
 * Truncates `str` at the first URL-encoded null byte (`%00`).
 * Only the percent-encoded form is handled here; a literal NUL character
 * in an already-decoded string passes through unchanged.
 * @param {string} str - path or filename fragment to clean
 * @returns {string} `str` up to (excluding) the first `%00`, or `str` itself
 */
exports.cutOffPoisonNullByte = str => {
  const nullByte = '%00'
  if (!utils.contains(str, nullByte)) {
    return str
  }
  const cutAt = str.indexOf(nullByte)
  return str.substring(0, cutAt)
}
exports.isAuthorized = role => expressJwt({secret: role || publicKey})
exports.denyAll = () => expressJwt({secret: '' + Math.random()})
exports.authorize = (user, role) => jwt.sign(user || {}, role || privateKey, { expiresIn: 3600 * 5, algorithm: 'RS256' })
exports.sanitizeHtml = html => sanitizeHtml(html)
/**
 * In-memory session registry: token -> user and user id -> token.
 * NOTE(review): `put` stores the raw token but `get` looks up
 * `utils.unquote(token)`, and `put` keys `idMap` by `user.data.id` while
 * `tokenOf` reads `user.id` — these may be different object shapes
 * (stored record vs. payload); confirm the keys line up.
 * NOTE(review): both maps are plain objects, so lookups of keys such as
 * `constructor` hit inherited properties; a `Map` or `Object.create(null)`
 * would avoid that if tokens can be arbitrary strings.
 */
exports.authenticatedUsers = {
  tokenMap: {},
  idMap: {},
  /** Registers `user` under `token` and remembers the token for `user.data.id`. */
  put (token, user) {
    this.tokenMap[token] = user
    this.idMap[user.data.id] = token
  },
  /** Returns the user stored for `token` (after unquoting), or undefined. */
  get (token) {
    if (!token) {
      return undefined
    }
    return this.tokenMap[utils.unquote(token)]
  },
  /** Returns the token remembered for `user.id`, or undefined. */
  tokenOf (user) {
    if (!user) {
      return undefined
    }
    return this.idMap[user.id]
  },
  /** Resolves the user from a `Authorization: Bearer <token>` header, or undefined. */
  from (req) {
    const header = req.headers && req.headers.authorization
    if (!header) {
      return undefined
    }
    const parts = header.split(' ')
    if (parts.length !== 2) {
      return undefined
    }
    const [scheme, token] = parts
    if (!/^Bearer$/i.test(scheme)) {
      return undefined
    }
    return this.get(token)
  }
}
/**
 * Returns the `x-user-email` request header, or undefined when absent.
 * The value is client-supplied and returned as-is, so callers must not
 * treat it as an authenticated identity.
 * @param {object} req - express request
 * @returns {string|undefined} header value
 */
exports.userEmailFrom = req => {
  const email = req.headers && req.headers['x-user-email']
  if (email) {
    return email
  }
  return undefined
}
/**
 * Encodes a coupon of the form `MMMYY-<discount>` with z85.
 * z85 is an encoding, not a MAC: the coupon carries no integrity check,
 * so anyone who knows the format can produce one.
 * @param {Date} date - month the coupon is valid for
 * @param {number|string} discount - discount value embedded in the coupon
 * @returns {string} z85-encoded coupon
 */
exports.generateCoupon = (date, discount) => {
  const validity = utils.toMMMYY(date)
  const plain = validity + '-' + discount
  return z85.encode(plain)
}
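/**
 * Decodes a z85 coupon and returns its discount if it is valid this month.
 * Fix: `parseInt` now takes an explicit radix 10 (previously omitted).
 * NOTE(review): whether `z85.decode` throws or returns a falsy value on
 * malformed input is not visible here — confirm the caller handles a throw.
 * @param {string} coupon - z85-encoded coupon
 * @returns {number|undefined} discount, or undefined when missing, malformed or expired
 */
exports.discountFromCoupon = coupon => {
  if (!coupon) {
    return undefined
  }
  const decoded = z85.decode(coupon)
  if (!decoded) {
    return undefined
  }
  const text = decoded.toString()
  if (!hasValidFormat(text)) {
    return undefined
  }
  const [validity, discount] = text.split('-')
  // A coupon is only honoured during the month it was issued for.
  if (utils.toMMMYY(new Date()) !== validity) {
    return undefined
  }
  return parseInt(discount, 10)
}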
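/**
 * Checks that a decoded coupon is exactly `MMMYY-DD` (two-digit discount).
 * Fix: the pattern is now anchored; previously trailing characters were
 * accepted, so e.g. `MAR19-209` passed the check and yielded a three-digit discount.
 * @param {string} coupon - decoded coupon text
 * @returns {RegExpMatchArray|null} match result, null when the format is wrong
 */
function hasValidFormat (coupon) {
  return coupon.match(/^(JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)[0-9]{2}-[0-9]{2}$/)
}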
// Destinations the redirect endpoint may send users to. Entries are full URLs
// including a path; note that several are plain `http://`, so those redirects
// leave TLS. The array is exported as-is (not frozen), so callers can mutate it.
const redirectWhitelist = [
'https://github.com/bkimminich/juice-shop',
'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
'https://gratipay.com/juice-shop',
'http://flattr.com/thing/3856930/bkimminichjuice-shop-on-GitHub',
'http://shop.spreadshirt.com/juiceshop',
'http://shop.spreadshirt.de/juiceshop',
'https://www.stickermule.com/user/1070702817/stickers',
'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW'
]
exports.redirectWhitelist = redirectWhitelist
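/**
 * Returns true when `url` is a permitted redirect target.
 * Fix: the previous check was `url.indexOf(allowedUrl) > -1`, which accepts
 * any URL that merely *contains* an allow-listed URL (e.g. as a query
 * parameter), i.e. an open redirect. The target must now *start with* an
 * allow-listed entry, which keeps the scheme and host fixed; non-string
 * input is rejected instead of throwing.
 * @param {string} url - redirect target supplied by the client
 * @returns {boolean} true when allowed
 */
exports.isRedirectAllowed = url => {
  if (typeof url !== 'string') {
    return false
  }
  return redirectWhitelist.some(allowedUrl => url.startsWith(allowedUrl))
}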