owasp-learning · patched-codes · Nov 23, 2023 · patched-codes · Nov 23, 2023 · patched-codes
diff --git a/app/routes/contributions.js b/app/routes/contributions.js
@@ -26,26 +26,16 @@ function ContributionsHandler(db) {
     };
 
     this.handleContributionsUpdate = (req, res, next) => {
+        // Secure parsing of inputs without using eval()
+        const preTax = parseInt(req.body.preTax, 10);
+        const afterTax = parseInt(req.body.afterTax, 10);
+        const roth = parseInt(req.body.roth, 10);
 
-        /*jslint evil: true */
-        // Insecure use of eval() to parse inputs
-        const preTax = eval(req.body.preTax);
-        const afterTax = eval(req.body.afterTax);
-        const roth = eval(req.body.roth);
+        const { userId } = req.session;
 
-        /*
-        //Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval
-        const preTax = parseInt(req.body.preTax);
-        const afterTax = parseInt(req.body.afterTax);
-        const roth = parseInt(req.body.roth);
-        */
-        const {
-            userId
-        } = req.session;
-
-        //validate contributions
-        const validations = [isNaN(preTax), isNaN(afterTax), isNaN(roth), preTax < 0, afterTax < 0, roth < 0]
-        const isInvalid = validations.some(validation => validation)
+        // Validate contributions
+        const validations = [isNaN(preTax), isNaN(afterTax), isNaN(roth), preTax < 0, afterTax < 0, roth < 0];
+        const isInvalid = validations.some(validation => validation);
         if (isInvalid) {
             return res.render("contributions", {
                 updateError: "Invalid contribution percentages",
@@ -56,14 +46,13 @@ function ContributionsHandler(db) {
         // Prevent more than 30% contributions
         if (preTax + afterTax + roth > 30) {
             return res.render("contributions", {
-                updateError: "Contribution percentages cannot exceed 30 %",
+                updateError: "Contribution percentages cannot exceed 30%",
                 userId,
                 environmentalScripts
             });
         }
 
         contributionsDAO.update(userId, preTax, afterTax, roth, (err, contributions) => {
-
             if (err) return next(err);
 
             contributions.updateSuccess = true;
@@ -72,9 +61,6 @@ function ContributionsHandler(db) {
                 environmentalScripts
             });
         });
-
     };
-
 }
-
-module.exports = ContributionsHandler;
+module.exports = ContributionsHandler;
diff --git a/app/routes/index.js b/app/routes/index.js
@@ -71,7 +71,34 @@ const index = (app, db) => {
     // Handle redirect for learning resources link
     app.get("/learn", isLoggedIn, (req, res) => {
         // Insecure way to handle redirects by taking redirect url from query string
-        return res.redirect(req.query.url);
+// Define an allow-list of trusted URLs
+const trustedUrls = [
+    'http://www.example.com/',
+    'https://www.anothertrusteddomain.com/',
+    // Add other trusted URLs here
+];
+
+// Middleware to validate the redirect URL against the allow-list
+const validateRedirectUrl = (req, res, next) => {
+    const redirectUrl = req.query.url;
+    if (trustedUrls.includes(redirectUrl)) {
+        next(); // URL is trusted, proceed with the redirect
+    } else {
+        // URL is not trusted, handle according to your security policy
+        // Option 1: Block the redirect and send an error message
+        // return res.status(400).send('Invalid redirect URL.');
+
+        // Option 2: Warn the user they are being redirected to an external site
+        // This could involve rendering a warning page with a link for the user to click
+        return res.render('externalRedirectWarning', { redirectUrl });
+    }
+};
+
+// Use the middleware in the route that handles the redirect
+app.get("/learn", isLoggedIn, validateRedirectUrl, (req, res) => {
+    // The URL has been validated against the allow-list and is safe to redirect to
+    return res.redirect(req.query.url);
+});
     });
 
     // Handle redirect for learning resources link
@@ -85,7 +112,22 @@ const index = (app, db) => {
         const {
             page
         } = req.params
-        return res.render(`tutorial/${page}`, {
+// Define an allow list of permitted pages
+const allowedPages = ['introduction', 'basics', 'advanced', 'summary'];
+
+// Validate the 'page' parameter
+const page = req.params.page; // or however you get the 'page' parameter from the user input
+
+// Check if the requested page is in the allow list
+if (allowedPages.includes(page)) {
+    // If the page is allowed, render it
+    return res.render(`tutorial/${page}`, {
+        // ... additional context properties for rendering
+    });
+} else {
+    // If the page is not allowed, render an error page or redirect to a safe default
+    return res.status(404).send('Page not found'); // or res.render('error', { error: 'Page not found' });
+}
             environmentalScripts
         });
     });
@@ -97,4 +139,4 @@ const index = (app, db) => {
     app.use(ErrorHandler);
 };
 
-module.exports = index;
+module.exports = index;
diff --git a/app/views/allocations.html b/app/views/allocations.html
@@ -1,4 +1,6 @@
-{% extends "./layout.html" %} {% block title %}Allocations{% endblock %} {% block content %}
+{% extends "./layout.html" %}
+{% block title %}Allocations{% endblock %}
+{% block content %}
 
 <div class="row">
     <div class="col-lg-12">
@@ -12,14 +14,14 @@ <h3 class="panel-title">
 
             <div class="panel-body">
 
-                <form action="/allocations/{{userId}}" method="get" role="search">
+                <form action="/allocations/{{userId}}" method="post" role="search">
+                    {% csrf_token %}
                     <div class="form-group">
                         <!--Fix for A1 - 2 NoSQL Injection - Provide validation for input.
                         Adhering to defence in depth, on the front-end mostly for UX.
                         The attacker, or user should not be able to enter anything other than 0-99.              
                         Also implement fix in allocations-dao.js-->
-                        <!--<input type="number" min="0" max="99" class="form-control" placeholder="Stocks Threshold" name="threshold" />-->
-                        <input type="text" class="form-control" placeholder="Stocks Threshold" name="threshold" />
+                        <input type="number" min="0" max="99" class="form-control" placeholder="Stocks Threshold" name="threshold" />
                         <p class="help-block">Using above threshold value, it will return all assets allocation above the specified stocks percentage number.</p>
                     </div>
 
@@ -50,4 +52,6 @@ <h3 class="panel-title">
 
     </div>
 </div>
+
 {% endblock %}
+{% endblock %}
diff --git a/app/views/benefits.html b/app/views/benefits.html
@@ -51,16 +51,17 @@
                         <td>{{user.firstName}}</td>
                         <td>{{user.lastName}}</td>
                         <td>
-                            <form method="POST" action="/benefits">
-                                <div class="input-group">
-                                    <input type="hidden" name="userId" value="{{user._id.toString()}}"></input>
-                                    <input type="date" class="form-control" name="benefitStartDate" value="{{user.benefitStartDate}}"></input>
-                                    <span class="input-group-btn">
-                                        <button type="submit" class="btn btn-default">Save</button>
-                                    </span>
-                                </div>
-                                <!-- /input-group -->
-                            </form>
+<form method="POST" action="/benefits">
+    {% csrf_token %}
+    <div class="input-group">
+        <input type="hidden" name="userId" value="{{ user._id.toString }}"></input>
+        <input type="date" class="form-control" name="benefitStartDate" value="{{ user.benefitStartDate }}"></input>
+        <span class="input-group-btn">
+            <button type="submit" class="btn btn-default">Save</button>
+        </span>
+    </div>
+    <!-- /input-group -->
+</form>
                         </td>
                     </tr>
                     {% endfor %}

diff --git a/app/views/login.html b/app/views/login.html
@@ -104,27 +104,26 @@
 
 
 
-                            <form method="post" role="form" method="post" id="loginform">
-                                <div class="form-group">
-                                    <label for="userName">User Name</label>
-                                    <input type="text" class="form-control" id="userName" name="userName" value="{{userName}}" placeholder="Enter User Name">
-                                </div>
-
-                                <div class="form-group">
-                                    <label for="password">Password</label>
-                                    <input type="password" class="form-control" id="password" name="password" value="{{password}}" placeholder="Enter Password">
-                                </div>
-                                <input type="hidden" name="_csrf" value="{{csrftoken}}" />
-
-                                <div class="row">
-                                    <div class="col-lg-4"><a href="/signup">New user? Sign Up</a>
-                                    </div>
-                                    <div class="col-lg-5"></div>
-                                    <div class="col-lg-3">
-                                        <button type="submit" class="btn btn-danger">Submit</button>
-                                    </div>
-                                </div>
-                            </form>
+<form method="post" role="form" id="loginform">
+    {% csrf_token %}
+    <div class="form-group">
+        <label for="userName">User Name</label>
+        <input type="text" class="form-control" id="userName" name="userName" value="{{ userName }}" placeholder="Enter User Name">
+    </div>
+
+    <div class="form-group">
+        <label for="password">Password</label>
+        <input type="password" class="form-control" id="password" name="password" value="{{ password }}" placeholder="Enter Password">
+    </div>
+
+    <div class="row">
+        <div class="col-lg-4"><a href="/signup">New user? Sign Up</a></div>
+        <div class="col-lg-5"></div>
+        <div class="col-lg-3">
+            <button type="submit" class="btn btn-danger">Submit</button>
+        </div>
+    </div>
+</form>
                         </div>
                     </div>
                 </div>

diff --git a/app/views/memos.html b/app/views/memos.html
@@ -1,4 +1,6 @@
-{% extends "./layout.html" %} {% block title %}Memos{% endblock %} {% block content %}
+{% extends "./layout.html" %}
+{% block title %}Memos{% endblock %}
+{% block content %}
 
 <div class="row">
     <div class="col-lg-12">
@@ -13,7 +15,7 @@ <h3 class="panel-title">
             <div class="panel-body">
 
                 <form action="/memos" method="post" role="search">
-
+                    {% csrf_token %}
                     <div class="form-group">
                         <textarea class="form-control" name="memo"></textarea>
                         <p class="help-block">You may use Markdown syntax to format your memo</p>
@@ -35,4 +37,6 @@ <h3 class="panel-title">
 
     </div>
 </div>
+
+{% endblock %}
 {% endblock %}
diff --git a/app/views/profile.html b/app/views/profile.html
@@ -75,7 +75,8 @@ <h3 class="panel-title">Edit Profile</h3>
 
                     <!-- @FIXME use a properly escaped variable that matches the URL context, for example
                     refer to a firstNameSafeURLString field on the doc object set by the controller for this template -->
-                    <a href="{{firstNameSafeString}}">Google search this profile by name</a>
+<!-- Corrected anchor tag with proper URL encoding and concatenation -->
+<a href="/search?name={{firstNameSafeURLString}}">Google search this profile by name</a>
                 </form>
             </div>
         </div>

diff --git a/app/views/research.html b/app/views/research.html
@@ -1,4 +1,6 @@
-{% extends "./layout.html" %} {% block title %}Research{% endblock %} {% block content %}
+{% extends "./layout.html" %}
+{% block title %}Research{% endblock %}
+{% block content %}
 
 <div class="row">
     <div class="col-lg-12">
@@ -12,7 +14,9 @@ <h3 class="panel-title">
 
             <div class="panel-body">
 
-                <form action="/research" method="get" role="search">
+                <!-- Begin form with CSRF token -->
+                <form action="/research" method="post" role="search">
+                    {% csrf_token %}
                     <div class="form-group">
                         <input type="hidden" id="url" name="url" value="https://finance.yahoo.com/quote/"/>
                         <input type="text" class="form-control" placeholder="Stock Symbol" name="symbol" />
@@ -21,10 +25,13 @@ <h3 class="panel-title">
 
                     <button type="submit" class="btn btn-primary">Submit</button>
                 </form>
+                <!-- End form with CSRF token -->
 
             </div>
         </div>
 
     </div>
 </div>
+
 {% endblock %}
+{% endblock %}