Merge pull request #135 from bkimminich/node_v0_12_migration

Node v0 12 migration
juice-shop · Dec 7, 2015 · af897a4 · af897a4
2 parents 7a6d4ba + 616cb46
commit af897a4
Show file tree

Hide file tree

Showing 10 changed files with 28 additions and 24 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,6 +1,8 @@
 language: node_js
 node_js:
 - 0.10
+- 0.11
+- 0.12
 branches:
   except:
   - gh-pages

diff --git a/lib/insecurity.js b/lib/insecurity.js
@@ -32,7 +32,7 @@ exports.denyAll = function () {
 };
 
 exports.authorize = function (user, role) {
-    return jwt.sign(user || {}, role || defaultSecret, { expiresInMinutes: 60 * 5 });
+    return jwt.sign(user || {}, role || defaultSecret, { expiresIn: 3600 * 5 });
 };
 
 exports.sanitizeHtml = function (html) {

diff --git a/package.json b/package.json
@@ -98,6 +98,6 @@
     },
     "subdomain": "juice-shop",
     "engines": {
-        "node": ">=0.10.40 <0.11"
+        "node": ">=0.10.40 <1"
     }
 }
diff --git a/test/server/basketApiSpec.js b/test/server/basketApiSpec.js
@@ -63,7 +63,7 @@ frisby.create('PUT update existing basket is not part of API')
     .addHeaders(authHeader)
     .put(API_URL + '/Baskets/1', {
         UserId: 2
-    })
+    }, {json: true})
     .expectStatus(200)
     .expectJSON({status : 'error'})
     .toss();
@@ -101,7 +101,7 @@ frisby.create('POST new basket item with negative quantity')
         BasketId: 3,
         ProductId: 1,
         quantity: -100
-    })
+    }, {json: true})
     .expectStatus(200)
     .after(function() {
         frisby.create('POST placing an order for a basket with a negative total cost')

diff --git a/test/server/basketItemApiSpec.js b/test/server/basketItemApiSpec.js
@@ -29,7 +29,7 @@ frisby.create('GET existing basket item by id is forbidden via public API')
 frisby.create('PUT update existing basket item is forbidden via public API')
     .put(API_URL + '/BasketItems/1', {
         quantity: 2
-    })
+    }, {json: true})
     .expectStatus(401)
     .toss();
 
@@ -50,7 +50,7 @@ frisby.create('POST new basket item')
         BasketId: 2,
         ProductId: 2,
         quantity: 1
-    })
+    }, {json: true})
     .expectStatus(200)
     .afterJSON(function(basketItem) {
         frisby.create('GET existing basket item by id')
@@ -62,7 +62,7 @@ frisby.create('POST new basket item')
                     .addHeaders(authHeader)
                     .put(API_URL + '/BasketItems/' + basketItem.data.id, {
                         quantity: 2
-                    })
+                    }, {json: true})
                     .expectStatus(200)
                     .afterJSON(function() {
                         frisby.create('DELETE existing basket item')

diff --git a/test/server/challengeApiSpec.js b/test/server/challengeApiSpec.js
@@ -43,7 +43,7 @@ frisby.create('PUT update existing challenge is forbidden via public API even wh
         name: 'Vulnerability',
         description: "I am a vulnerability!!!",
         difficulty: 3
-    })
+    }, {json: true})
     .expectStatus(401)
     .toss();
 

diff --git a/test/server/feedbackApiSpec.js b/test/server/feedbackApiSpec.js
@@ -11,7 +11,7 @@ frisby.create('POST new feedback')
     .post(API_URL + '/Feedbacks', {
         comment: 'Perfect!',
         rating: 5
-    })
+    }, {json: true})
     .expectStatus(200)
     .expectHeaderContains('content-type', 'application/json')
     .expectJSONTypes('data', {
@@ -29,7 +29,7 @@ frisby.create('POST new feedback')
                     .addHeaders(authHeader)
                     .put(API_URL + '/Feedbacks/' + feedback.data.id, {
                         rating: 2
-                    })
+                    }, {json: true})
                     .expectStatus(200)
                     .afterJSON(function () {
                         frisby.create('DELETE existing feedback')
@@ -55,7 +55,7 @@ frisby.create('PUT update existing feedback is forbidden via public API')
     .put(API_URL + '/Feedbacks/1', {
         comment: "This sucks like nothing has ever sucked before",
         rating: 1
-    })
+    }, {json: true})
     .expectStatus(401)
     .toss();
 
@@ -74,7 +74,7 @@ frisby.create('POST sanitizes unsafe HTML from comment')
     .post(API_URL + '/Feedbacks', {
         comment: 'I am a harm<script>steal-cookie</script><img src="csrf-attack"/><iframe src="evil-content"></iframe>less comment.',
         rating: 1
-    })
+    }, {json: true})
     .expectStatus(200)
     .expectJSON('data', {
         comment: 'I am a harmless comment.'
@@ -85,7 +85,7 @@ frisby.create('POST fails to sanitize masked CSRF-attack by not applying sanitiz
     .post(API_URL + '/Feedbacks', {
         comment: 'The sanitize-html module up to at least version 1.4.2 has this issue: <<script>alert("XSS3")</script>script>alert("XSS3")<</script>/script>',
         rating: 1
-    })
+    }, {json: true})
     .expectStatus(200)
     .expectJSON('data', {
         comment: 'The sanitize-html module up to at least version 1.4.2 has this issue: <script>alert("XSS3")</script>'

diff --git a/test/server/productApiSpec.js b/test/server/productApiSpec.js
@@ -66,7 +66,7 @@ frisby.create('POST new product is forbidden via public API')
 frisby.create('PUT update existing product is possible due to Missing Function-Level Access Control vulnerability')
     .put(API_URL + '/Products/9', {
         description: "<a href=\"http://kimminich.de\" target=\"_blank\">"
-    })
+    }, {json: true})
     .expectStatus(200)
     .expectHeaderContains('content-type', 'application/json')
     .expectJSON('data', {
@@ -77,7 +77,7 @@ frisby.create('PUT update existing product is possible due to Missing Function-L
 frisby.create('PUT update existing product does not filter XSS attacks')
     .put(API_URL + '/Products/8', {
         description: "<script>alert(\'XSS4\')</script>"
-    })
+    }, {json: true})
     .expectStatus(200)
     .expectHeaderContains('content-type', 'application/json')
     .expectJSON('data', {
@@ -97,7 +97,7 @@ frisby.create('POST new product')
         description: "Made from ugly dirt.",
         price: 0.99,
         image: 'dirt_juice.jpg'
-    })
+    }, {json: true})
     .expectHeaderContains('content-type', 'application/json')
     .expectJSONTypes('data', {
         id: Number,
@@ -151,7 +151,7 @@ frisby.create('POST new product does not filter XSS attacks')
         description: '<script>alert("XSS4")</script>',
         price: 9999.99,
         image: 'xss_juice.jpg'
-    })
+    }, {json: true})
     .expectHeaderContains('content-type', 'application/json')
     .expectJSON('data', {
         description: '<script>alert("XSS4")</script>'

diff --git a/test/server/redirectSpec.js b/test/server/redirectSpec.js
@@ -47,15 +47,17 @@ frisby.create('GET error message with information leakage when calling /redirect
     .expectStatus(500)
     .expectHeaderContains('content-type', 'text/html')
     .expectBodyContains('<h1>Juice Shop (Express ~')
-    .expectBodyContains('TypeError: Cannot call method &#39;indexOf&#39; of undefined')
+    .expectBodyContains('TypeError')
+    .expectBodyContains('&#39;indexOf&#39; of undefined')
     .toss();
 
 frisby.create('GET error message with information leakage when calling /redirect with unrecognized query parameter')
     .get(URL + "/redirect?x=y")
     .expectStatus(500)
     .expectHeaderContains('content-type', 'text/html')
     .expectBodyContains('<h1>Juice Shop (Express ~')
-    .expectBodyContains('TypeError: Cannot call method &#39;indexOf&#39; of undefined')
+    .expectBodyContains('TypeError')
+    .expectBodyContains('&#39;indexOf&#39; of undefined')
     .toss();
 
 frisby.create('GET error message hinting at whitelist validation when calling /redirect with an unrecognized "to" target')

diff --git a/test/server/userApiSpec.js b/test/server/userApiSpec.js
@@ -12,7 +12,7 @@ frisby.create('POST new user')
     .post(API_URL + '/Users', {
         email: 'horst@horstma.nn',
         password: 'hooooorst'
-    })
+    }, {json: true})
     .expectStatus(200)
     .expectHeaderContains('content-type', 'application/json')
     .expectJSONTypes('data', {
@@ -139,7 +139,7 @@ frisby.create('GET existing user by id is forbidden via public API')
 frisby.create('PUT update existing user is forbidden via public API')
     .put(API_URL + '/Users/1', {
         email: 'administr@t.or'
-    })
+    }, {json: true})
     .expectStatus(401)
     .toss();
 
@@ -151,7 +151,7 @@ frisby.create('DELETE existing user is forbidden via public API')
 frisby.create('PUT update Benders password to "slurmCl4ssic"')
     .put(API_URL + '/Users/3', {
         password: 'slurmCl4ssic'
-    })
+    }, {json: true})
     .addHeaders(authHeader)
     .expectStatus(200)
     .expectJSON('data', {
@@ -290,12 +290,12 @@ frisby.create('POST new user with XSS attack in email address')
     .post(API_URL + '/Users', {
         email: '<script>alert("XSS2")</script>',
         password: 'does.not.matter'
-    })
+    }, {json: true})
     .expectStatus(200)
     .expectHeaderContains('content-type', 'application/json')
     .expectJSON('data', {
         email: '<script>alert("XSS2")</script>'
-    }).toss();
+    }, {json: true}).toss();
 
 frisby.create('GET who-am-i request returns nothing on missing auth token')
     .get(REST_URL + '/user/whoami')