Node v0 12 migration #135

Merged
merged 4 commits into from
Dec 7, 2015
2 changes: 2 additions & 0 deletions .travis.yml
@@ -1,6 +1,8 @@
language: node_js
node_js:
- 0.10
- 0.11
- 0.12
branches:
except:
- gh-pages
2 changes: 1 addition & 1 deletion lib/insecurity.js
Expand Up @@ -32,7 +32,7 @@ exports.denyAll = function () {
};

exports.authorize = function (user, role) {
return jwt.sign(user || {}, role || defaultSecret, { expiresInMinutes: 60 * 5 });
return jwt.sign(user || {}, role || defaultSecret, { expiresIn: 3600 * 5 });
};

exports.sanitizeHtml = function (html) {
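Review bot: The new `expiresIn: 3600 * 5` in exports.authorize is a bare magic number; jsonwebtoken's `expiresIn` takes a count of seconds (or a timespan string), so a short comment would keep the intent legible: `// expiresIn is in seconds; 3600 * 5 preserves the former 5-hour lifetime (was expiresInMinutes: 60 * 5)`. On the same line, the second argument of jwt.sign is the signing secret, yet the value passed is the `role` parameter with `defaultSecret` as fallback, and `user || {}` means a token is issued even when no user is supplied; if both are deliberate in this intentionally insecure module, a one-line comment saying so would stop a future reader from treating them as typos. The function is fully contained in the hunk.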
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -98,6 +98,6 @@
},
"subdomain": "juice-shop",
"engines": {
"node": ">=0.10.40 <0.11"
"node": ">=0.10.40 <1"
}
}
4 changes: 2 additions & 2 deletions test/server/basketApiSpec.js
Expand Up @@ -63,7 +63,7 @@ frisby.create('PUT update existing basket is not part of API')
.addHeaders(authHeader)
.put(API_URL + '/Baskets/1', {
UserId: 2
})
}, {json: true})
.expectStatus(200)
.expectJSON({status : 'error'})
.toss();
Expand Down Expand Up @@ -101,7 +101,7 @@ frisby.create('POST new basket item with negative quantity')
BasketId: 3,
ProductId: 1,
quantity: -100
})
}, {json: true})
.expectStatus(200)
.after(function() {
frisby.create('POST placing an order for a basket with a negative total cost')
6 changes: 3 additions & 3 deletions test/server/basketItemApiSpec.js
Expand Up @@ -29,7 +29,7 @@ frisby.create('GET existing basket item by id is forbidden via public API')
frisby.create('PUT update existing basket item is forbidden via public API')
.put(API_URL + '/BasketItems/1', {
quantity: 2
})
}, {json: true})
.expectStatus(401)
.toss();

Expand All @@ -50,7 +50,7 @@ frisby.create('POST new basket item')
BasketId: 2,
ProductId: 2,
quantity: 1
})
}, {json: true})
.expectStatus(200)
.afterJSON(function(basketItem) {
frisby.create('GET existing basket item by id')
Expand All @@ -62,7 +62,7 @@ frisby.create('POST new basket item')
.addHeaders(authHeader)
.put(API_URL + '/BasketItems/' + basketItem.data.id, {
quantity: 2
})
}, {json: true})
.expectStatus(200)
.afterJSON(function() {
frisby.create('DELETE existing basket item')
2 changes: 1 addition & 1 deletion test/server/challengeApiSpec.js
Expand Up @@ -43,7 +43,7 @@ frisby.create('PUT update existing challenge is forbidden via public API even wh
name: 'Vulnerability',
description: "I am a vulnerability!!!",
difficulty: 3
})
}, {json: true})
.expectStatus(401)
.toss();

10 changes: 5 additions & 5 deletions test/server/feedbackApiSpec.js
Expand Up @@ -11,7 +11,7 @@ frisby.create('POST new feedback')
.post(API_URL + '/Feedbacks', {
comment: 'Perfect!',
rating: 5
})
}, {json: true})
.expectStatus(200)
.expectHeaderContains('content-type', 'application/json')
.expectJSONTypes('data', {
Expand All @@ -29,7 +29,7 @@ frisby.create('POST new feedback')
.addHeaders(authHeader)
.put(API_URL + '/Feedbacks/' + feedback.data.id, {
rating: 2
})
}, {json: true})
.expectStatus(200)
.afterJSON(function () {
frisby.create('DELETE existing feedback')
Expand All @@ -55,7 +55,7 @@ frisby.create('PUT update existing feedback is forbidden via public API')
.put(API_URL + '/Feedbacks/1', {
comment: "This sucks like nothing has ever sucked before",
rating: 1
})
}, {json: true})
.expectStatus(401)
.toss();

Expand All @@ -74,7 +74,7 @@ frisby.create('POST sanitizes unsafe HTML from comment')
.post(API_URL + '/Feedbacks', {
comment: 'I am a harm<script>steal-cookie</script><img src="csrf-attack"/><iframe src="evil-content"></iframe>less comment.',
rating: 1
})
}, {json: true})
.expectStatus(200)
.expectJSON('data', {
comment: 'I am a harmless comment.'
Expand All @@ -85,7 +85,7 @@ frisby.create('POST fails to sanitize masked CSRF-attack by not applying sanitiz
.post(API_URL + '/Feedbacks', {
comment: 'The sanitize-html module up to at least version 1.4.2 has this issue: <<script>alert("XSS3")</script>script>alert("XSS3")<</script>/script>',
rating: 1
})
}, {json: true})
.expectStatus(200)
.expectJSON('data', {
comment: 'The sanitize-html module up to at least version 1.4.2 has this issue: <script>alert("XSS3")</script>'
8 changes: 4 additions & 4 deletions test/server/productApiSpec.js
Expand Up @@ -66,7 +66,7 @@ frisby.create('POST new product is forbidden via public API')
frisby.create('PUT update existing product is possible due to Missing Function-Level Access Control vulnerability')
.put(API_URL + '/Products/9', {
description: "<a href=\"http://kimminich.de\" target=\"_blank\">"
})
}, {json: true})
.expectStatus(200)
.expectHeaderContains('content-type', 'application/json')
.expectJSON('data', {
Expand All @@ -77,7 +77,7 @@ frisby.create('PUT update existing product is possible due to Missing Function-L
frisby.create('PUT update existing product does not filter XSS attacks')
.put(API_URL + '/Products/8', {
description: "<script>alert(\'XSS4\')</script>"
})
}, {json: true})
.expectStatus(200)
.expectHeaderContains('content-type', 'application/json')
.expectJSON('data', {
Expand All @@ -97,7 +97,7 @@ frisby.create('POST new product')
description: "Made from ugly dirt.",
price: 0.99,
image: 'dirt_juice.jpg'
})
}, {json: true})
.expectHeaderContains('content-type', 'application/json')
.expectJSONTypes('data', {
id: Number,
Expand Down Expand Up @@ -151,7 +151,7 @@ frisby.create('POST new product does not filter XSS attacks')
description: '<script>alert("XSS4")</script>',
price: 9999.99,
image: 'xss_juice.jpg'
})
}, {json: true})
.expectHeaderContains('content-type', 'application/json')
.expectJSON('data', {
description: '<script>alert("XSS4")</script>'
6 changes: 4 additions & 2 deletions test/server/redirectSpec.js
Expand Up @@ -47,15 +47,17 @@ frisby.create('GET error message with information leakage when calling /redirect
.expectStatus(500)
.expectHeaderContains('content-type', 'text/html')
.expectBodyContains('<h1>Juice Shop (Express ~')
.expectBodyContains('TypeError: Cannot call method &#39;indexOf&#39; of undefined')
.expectBodyContains('TypeError')
.expectBodyContains('&#39;indexOf&#39; of undefined')
.toss();

frisby.create('GET error message with information leakage when calling /redirect with unrecognized query parameter')
.get(URL + "/redirect?x=y")
.expectStatus(500)
.expectHeaderContains('content-type', 'text/html')
.expectBodyContains('<h1>Juice Shop (Express ~')
.expectBodyContains('TypeError: Cannot call method &#39;indexOf&#39; of undefined')
.expectBodyContains('TypeError')
.expectBodyContains('&#39;indexOf&#39; of undefined')
.toss();

frisby.create('GET error message hinting at whitelist validation when calling /redirect with an unrecognized "to" target')
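Review bot: The split assertions `.expectBodyContains('TypeError')` followed by `.expectBodyContains('&#39;indexOf&#39; of undefined')` no longer verify that the two fragments come from the same error message, and the reason for loosening the match is not recorded anywhere in the hunk. A comment above the first pair would preserve the intent, e.g. `// Node 0.10 and 0.12 word this TypeError differently; match only the stable fragments`, assuming that is why the full message was dropped. The second test in the hunk has the identical change and would take the same comment.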
10 changes: 5 additions & 5 deletions test/server/userApiSpec.js
Expand Up @@ -12,7 +12,7 @@ frisby.create('POST new user')
.post(API_URL + '/Users', {
email: 'horst@horstma.nn',
password: 'hooooorst'
})
}, {json: true})
.expectStatus(200)
.expectHeaderContains('content-type', 'application/json')
.expectJSONTypes('data', {
Expand Down Expand Up @@ -139,7 +139,7 @@ frisby.create('GET existing user by id is forbidden via public API')
frisby.create('PUT update existing user is forbidden via public API')
.put(API_URL + '/Users/1', {
email: 'administr@t.or'
})
}, {json: true})
.expectStatus(401)
.toss();

Expand All @@ -151,7 +151,7 @@ frisby.create('DELETE existing user is forbidden via public API')
frisby.create('PUT update Benders password to "slurmCl4ssic"')
.put(API_URL + '/Users/3', {
password: 'slurmCl4ssic'
})
}, {json: true})
.addHeaders(authHeader)
.expectStatus(200)
.expectJSON('data', {
Expand Down Expand Up @@ -290,12 +290,12 @@ frisby.create('POST new user with XSS attack in email address')
.post(API_URL + '/Users', {
email: '<script>alert("XSS2")</script>',
password: 'does.not.matter'
})
}, {json: true})
.expectStatus(200)
.expectHeaderContains('content-type', 'application/json')
.expectJSON('data', {
email: '<script>alert("XSS2")</script>'
}).toss();
}, {json: true}).toss();

frisby.create('GET who-am-i request returns nothing on missing auth token')
.get(REST_URL + '/user/whoami')
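Review bot: In the last hunk of this file the trailing `}, {json: true}).toss();` attaches the `{json: true}` option to the `.expectJSON('data', {...})` call rather than to the `.post()` request a few lines above, where the same option was already added. frisby's expectJSON takes a path and an expected object, so the extra argument appears to be a stray copy of the request option that is silently ignored; it should be reverted to `}).toss();`. The other hunks in this file, and the corresponding hunks in the other spec files, apply the option to `.post`/`.put` as intended.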