diff --git a/123445 b/123445
new file mode 100644
index 000000000..13eadd2ca
--- /dev/null
+++ b/123445
@@ -0,0 +1 @@
+fbdfnadf
diff --git a/BUILD_BREAK b/BUILD_BREAK
new file mode 100644
index 000000000..9ad113309
--- /dev/null
+++ b/BUILD_BREAK
@@ -0,0 +1 @@
+BUILD_BREAK
diff --git a/Dockerfile b/Dockerfile
index 91a5b43e1..83bcfa2a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,3 +16,8 @@ COPY --chown=node . $WORKDIR
 # Then all further actions including running the containers should be done under non-root user.
 USER $USER
 EXPOSE 4000
+verv3
+wrvweefvS
+VRVBVR
+kjbvuoyvp;iuvluhy'
+lkcviyvij;hv y7t6
diff --git a/LJ IH UGV b/LJ IH UGV
new file mode 100644
index 000000000..a552d5b6b
--- /dev/null
+++ b/LJ IH UGV
@@ -0,0 +1 @@
+LDF 'LM V
diff --git a/NEWWW b/NEWWW
new file mode 100644
index 000000000..5e0ebfff0
--- /dev/null
+++ b/NEWWW
@@ -0,0 +1 @@
+JHOUV
diff --git a/NEW_BUILD_BREAK b/NEW_BUILD_BREAK
new file mode 100644
index 000000000..8133666ab
--- /dev/null
+++ b/NEW_BUILD_BREAK
@@ -0,0 +1 @@
+ JVHVLYVIU;V
diff --git a/QTEST.TXT b/QTEST.TXT
new file mode 100644
index 000000000..9b660a70d
--- /dev/null
+++ b/QTEST.TXT
@@ -0,0 +1 @@
+JHVHGC
diff --git a/TEST.TXT b/TEST.TXT
new file mode 100644
index 000000000..4cd230f34
--- /dev/null
+++ b/TEST.TXT
@@ -0,0 +1 @@
+JHJH
diff --git a/add b/add
new file mode 100644
index 000000000..4fc5f52e8
--- /dev/null
+++ b/add
@@ -0,0 +1 @@
+cdscwe
diff --git a/app/routes/contributions.js b/app/routes/contributions.js
index 7f68170b9..027f5cdb7 100644
--- a/app/routes/contributions.js
+++ b/app/routes/contributions.js
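Review bot: The five lines appended after `EXPOSE 4000` in the Dockerfile (`verv3`, `wrvweefvS`, `VRVBVR`, …) are not Dockerfile instructions, so `docker build` will stop with an unknown-instruction error on the first of them; drop them. The same commit adds roughly forty single-line scratch files at the repository root (`123445`, `BUILD_BREAK`, `LJ IH UGV`, `sample.txt`, …) that look like push tests and should not land alongside the security fixes. package-lock.json appears hand-edited as well: form-data's `version` becomes `2.5.4` while `resolved` and `integrity` still describe the 1.0.1 tarball, so the lockfile no longer matches any real package and should be regenerated with npm rather than edited by hand.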
@@ -1,80 +1,82 @@ const ContributionsDAO = require("../data/contributions-dao").ContributionsDAO; -const { - environmentalScripts -} = require("../../config/config"); +const { environmentalScripts } = require("../../config/config"); /* The ContributionsHandler must be constructed with a connected db */ function ContributionsHandler(db) { - "use strict"; + "use strict"; - const contributionsDAO = new ContributionsDAO(db); + const contributionsDAO = new ContributionsDAO(db); - this.displayContributions = (req, res, next) => { - const { - userId - } = req.session; + this.displayContributions = (req, res, next) => { + const { userId } = req.session; - contributionsDAO.getByUserId(userId, (error, contrib) => { - if (error) return next(error); + contributionsDAO.getByUserId(userId, (error, contrib) => { + if (error) return next(error); - contrib.userId = userId; //set for nav menu items - return res.render("contributions", { - ...contrib, - environmentalScripts - }); - }); - }; - - this.handleContributionsUpdate = (req, res, next) => { + contrib.userId = userId; // set for nav menu items + return res.render("contributions", { + ...contrib, + environmentalScripts, + }); + }); + }; - /*jslint evil: true */ - // Insecure use of eval() to parse inputs - const preTax = eval(req.body.preTax); - const afterTax = eval(req.body.afterTax); - const roth = eval(req.body.roth); + this.handleContributionsUpdate = (req, res, next) => { + // ✅ SAFE: Never use eval() for user input + // Parse and validate numeric inputs + const parseNumber = (val) => { + if (typeof val === "number") return val; + if (typeof val === "string") { + const num = Number(val.trim()); + return Number.isFinite(num) ? 
num : NaN; + } + return NaN; + }; - /* - //Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval - const preTax = parseInt(req.body.preTax); - const afterTax = parseInt(req.body.afterTax); - const roth = parseInt(req.body.roth); - */ - const { - userId - } = req.session; + const preTax = parseNumber(req.body.preTax); + const afterTax = parseNumber(req.body.afterTax); + const roth = parseNumber(req.body.roth); - //validate contributions - const validations = [isNaN(preTax), isNaN(afterTax), isNaN(roth), preTax < 0, afterTax < 0, roth < 0]; - const isInvalid = validations.some(validation => validation); - if (isInvalid) { - return res.render("contributions", { - updateError: "Invalid contribution percentages", - userId, - environmentalScripts - }); - } - // Prevent more than 30% contributions - if (preTax + afterTax + roth > 30) { - return res.render("contributions", { - updateError: "Contribution percentages cannot exceed 30 %", - userId, - environmentalScripts - }); - } + const { userId } = req.session; - contributionsDAO.update(userId, preTax, afterTax, roth, (err, contributions) => { + // ✅ Validate contributions + const validations = [ + isNaN(preTax), + isNaN(afterTax), + isNaN(roth), + preTax < 0, + afterTax < 0, + roth < 0, + ]; - if (err) return next(err); + const isInvalid = validations.some(Boolean); + if (isInvalid) { + return res.render("contributions", { + updateError: "Invalid contribution percentages", + userId, + environmentalScripts, + }); + } - contributions.updateSuccess = true; - return res.render("contributions", { - ...contributions, - environmentalScripts - }); - }); + // ✅ Prevent excessive total contributions + if (preTax + afterTax + roth > 30) { + return res.render("contributions", { + updateError: "Contribution percentages cannot exceed 30%", + userId, + environmentalScripts, + }); + } - }; + contributionsDAO.update(userId, preTax, afterTax, roth, (err, contributions) => { + if (err) return next(err); + 
contributions.updateSuccess = true; + return res.render("contributions", { + ...contributions, + environmentalScripts, + }); + }); + }; } module.exports = ContributionsHandler; diff --git a/artifacts/cert/server.key b/artifacts/cert/server.key index d907b167c..8b1378917 100644 --- a/artifacts/cert/server.key +++ b/artifacts/cert/server.key @@ -1,15 +1 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQCfn8uP4FuHaaAPrMkcl1fNMQM5EGMT4nnNSVoaEVdiDLc6P0mC -AZtUO9W0OjWow+TwGk3HkqoSJOA9KRMrzK7MtEKfwNgzpsHo4m+mHaPg5DUyicnU -/hfUDvjGcHvTQjW8O4/chtMVl2h7P8QtPi9QDcWqxmEXCLqTB6BZXrVkjQIDAQAB -AoGAEfIdKKfIooi1fg2m7pf1PxRrkFbPTMUBfJrqjlO0x0k2sE29LeiQVgAEHqcM -sVSUwIm0hONwS2np6/ZaOWphnGSRt5r0FoHSt8AEakQjh5Oajkn7xw+/IxwFhzSa -fMPkG/xbAlo0zTGGLWtHa0oLhEpvZ/gQ/nk48iFVz+YZ5gECQQDNzGeWyX1FKbNF -8wUzZyBQd7e9UyDSaSCj1x9vWhK0tI6Oyl/p85Izh48gHTKlGjCKOe8ktJQtudJ3 -xq9nApZ9AkEAxo/srNkEARmu+/W9P16IvM3QQJQhkF23Mz1WC1uFIDyG4iyng+Le -nmkoqwT6jA9YArj06Mw/ylh4fcjxi4KTUQJBALWXO4CN4f95QDrkqR4mTRkzyelA -xKFlKevoElDLBd51w6SzZdalmcfmQaBwoxOT/Gi7ngyhWm7OnKwboQIgAnECQQCY -H/gxzOoWdbjsbK8a97BHBl/AujykwEf1R86+UNXDhtvIOHH2xz/LmcGAlQXnfHHv -VAi+uo08118o72Svf9ChAkEApRCZgczlNNQpvEsWTUBmNAHqj9hgmLTrJv4ywsPK -kTwqg6U9lF+NaLWVfvSIb1LY+M63juJHafAGKQvH+/di+g== ------END RSA PRIVATE KEY----- + diff --git a/asdvas b/asdvas new file mode 100644 index 000000000..ef5e86d25 --- /dev/null +++ b/asdvas @@ -0,0 +1 @@ +abasfdbadsbdsfb diff --git a/bbON b/bbON new file mode 100644 index 000000000..99bcc9fd1 --- /dev/null +++ b/bbON @@ -0,0 +1 @@ +BBON diff --git a/build break on patch 1 b/build break on patch 1 new file mode 100644 index 000000000..984efb259 --- /dev/null +++ b/build break on patch 1 @@ -0,0 +1 @@ +test git bui;dbreak diff --git a/config/env/all.js b/config/env/all.js index fa88db2f9..4fbb995e0 100755 --- a/config/env/all.js +++ b/config/env/all.js 
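Review bot: `parseNumber` in handleContributionsUpdate accepts an empty or whitespace-only string as a valid contribution, because `Number("".trim())` is 0, so a form that omits a field silently resets that percentage to 0 instead of reaching the `Invalid contribution percentages` branch; add `if (val.trim() === "") return NaN;` before the `Number(...)` call. `Number()` also accepts hex (`"0x10"`), exponent and `Infinity` spellings that the old `parseInt` fallback would have rejected, so if only decimal percentages are intended, guard with `if (!/^\d+(\.\d+)?$/.test(val.trim())) return NaN;`. The `validations` array still uses the coercing global `isNaN`; `Number.isNaN` is the non-coercing form now that the inputs are already numbers. Replacing `eval` with explicit parsing is the right fix here; these are refinements to it.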
@@ -1,6 +1,5 @@ -// default app configuration + const port = process.env.PORT || 4000; -let db = process.env.MONGODB_URI || "mongodb://localhost:27017/nodegoat"; module.exports = { port, @@ -8,7 +7,7 @@ module.exports = { cookieSecret: "session_cookie_secret_key_here", cryptoKey: "a_secure_key_for_crypto_here", cryptoAlgo: "aes256", - hostName: "localhost", + hostName: "", environmentalScripts: [] }; diff --git a/config/env/test.js b/config/env/test.js index b3a7cafb5..05ae1e46a 100755 --- a/config/env/test.js +++ b/config/env/test.js @@ -2,7 +2,5 @@ module.exports = { // If you want to debug regression tests, you will need the following. zapHostName: "192.168.56.20", zapPort: "8080", - // Required from Zap 2.4.1. This key is set in Zap Options -> API _Api Key. - zapApiKey: "v9dn0balpqas1pcc281tn5ood1", zapApiFeedbackSpeed: 5000 // Milliseconds. }; diff --git a/csadcsaav b/csadcsaav new file mode 100644 index 000000000..6ed8fda9b --- /dev/null +++ b/csadcsaav @@ -0,0 +1 @@ +kjsdbojdwb diff --git a/cwec b/cwec new file mode 100644 index 000000000..0ce90f229 --- /dev/null +++ b/cwec @@ -0,0 +1 @@ +wcwecewc diff --git a/dfb b/dfb new file mode 100644 index 000000000..d20fb5787 --- /dev/null +++ b/dfb @@ -0,0 +1 @@ +bsdb diff --git a/fdbadf b/fdbadf new file mode 100644 index 000000000..bb1c3c91f --- /dev/null +++ b/fdbadf @@ -0,0 +1 @@ +dfsvv diff --git a/hjgciy b/hjgciy new file mode 100644 index 000000000..203bb6a12 --- /dev/null +++ b/hjgciy @@ -0,0 +1 @@ +ktycyt diff --git a/ihougyftk b/ihougyftk new file mode 100644 index 000000000..cadedd167 --- /dev/null +++ b/ihougyftk @@ -0,0 +1 @@ +gjhgfxdfsd diff --git a/jcubpiu b/jcubpiu new file mode 100644 index 000000000..63226c4a1 --- /dev/null +++ b/jcubpiu @@ -0,0 +1 @@ +ljgcycy diff --git a/jlhk.jg,hmgnf b/jlhk.jg,hmgnf new file mode 100644 index 000000000..f9855090b --- /dev/null +++ b/jlhk.jg,hmgnf @@ -0,0 +1 @@ +edgrthfjhygkhj.l diff --git a/kj b/kj new file mode 100644 index 000000000..1ce7bf95c --- /dev/null 
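Review bot: Removing `let db = process.env.MONGODB_URI || "mongodb://localhost:27017/nodegoat";` from config/env/all.js leaves nothing in this file to supply `db`, yet server.js in the same commit still does `const { port, db, cookieSecret } = require("./config/config")` and calls `MongoClient.connect(db, …)`, so unless an environment-specific config file (not visible here) defines it the server will fail to connect — or throw at load if old line 7, which lies between the two hunks, still lists `db,` in module.exports. Keep the value, `const db = process.env.MONGODB_URI || "mongodb://localhost:27017/nodegoat";`, or move it deliberately to the per-environment files. In the second hunk `hostName: ""` replaces `"localhost"` with an empty string; if anything builds URLs from it that yields a hostless `http://:4000`-style value, so either source it from the environment (`hostName: process.env.HOST_NAME || "localhost"`) or document why empty is intended.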
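Review bot: Deleting `zapApiKey` removes a hard-coded secret from config/env/test.js, which is right, but the deleted comment states the key is required from ZAP 2.4.1 onward, so the ZAP regression run will now fail authentication unless the key arrives some other way; read it from the environment instead, `zapApiKey: process.env.ZAP_API_KEY,`. A key that has been committed to history should also be regenerated in ZAP rather than reused from the environment.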
+++ b/kj @@ -0,0 +1 @@ +,j diff --git a/kjhgfhuytr b/kjhgfhuytr new file mode 100644 index 000000000..c06e50e3b --- /dev/null +++ b/kjhgfhuytr @@ -0,0 +1 @@ +etrbtafgvytyrt54 diff --git a/ljhgv b/ljhgv new file mode 100644 index 000000000..527418d14 --- /dev/null +++ b/ljhgv @@ -0,0 +1 @@ +ljh f diff --git a/nnnnnnnnnn b/nnnnnnnnnn new file mode 100644 index 000000000..d699139a1 --- /dev/null +++ b/nnnnnnnnnn @@ -0,0 +1 @@ +fsdvsd diff --git a/off b/off new file mode 100644 index 000000000..cfb931e47 --- /dev/null +++ b/off @@ -0,0 +1 @@ +off diff --git a/ouiyujthrg b/ouiyujthrg new file mode 100644 index 000000000..e292ccd62 --- /dev/null +++ b/ouiyujthrg @@ -0,0 +1 @@ +piouyjthrg diff --git a/package-lock.json b/package-lock.json index 3a26af223..e8053739d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -19105,7 +19105,7 @@ "dev": true }, "form-data": { - "version": "1.0.1", + "version": "2.5.4", "resolved": "https://registry.npmjs.org/form-data/-/form-data-1.0.1.tgz", "integrity": "sha1-rjFduaSQf6BlUCMEpm13M0de43w=", "dev": true, diff --git a/r360_Buildbreak b/r360_Buildbreak new file mode 100644 index 000000000..aecad1a4c --- /dev/null +++ b/r360_Buildbreak @@ -0,0 +1 @@ +jyufdistrdtliis diff --git a/re b/re new file mode 100644 index 000000000..2c5e8e115 --- /dev/null +++ b/re @@ -0,0 +1 @@ + rtg diff --git a/sample.txt b/sample.txt new file mode 100644 index 000000000..d45291108 --- /dev/null +++ b/sample.txt @@ -0,0 +1 @@ +mgcjy diff --git a/sample1 b/sample1 new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/sample1 @@ -0,0 +1 @@ + diff --git a/sdcdsc b/sdcdsc new file mode 100644 index 000000000..1352e6c0e --- /dev/null +++ b/sdcdsc @@ -0,0 +1 @@ +sdvfsavasv diff --git a/sdfv b/sdfv new file mode 100644 index 000000000..a0838e692 --- /dev/null +++ b/sdfv @@ -0,0 +1 @@ +bbqfq diff --git a/server.js b/server.js index d6bb500a2..92742057b 100644 --- a/server.js +++ b/server.js 
@@ -4,154 +4,94 @@ const express = require("express"); const favicon = require("serve-favicon"); const bodyParser = require("body-parser"); const session = require("express-session"); -// const csrf = require('csurf'); -const consolidate = require("consolidate"); // Templating library adapter for Express +const consolidate = require("consolidate"); const swig = require("swig"); -// const helmet = require("helmet"); -const MongoClient = require("mongodb").MongoClient; // Driver for connecting to MongoDB +const helmet = require("helmet"); +const MongoClient = require("mongodb").MongoClient; const http = require("http"); const marked = require("marked"); -//const nosniff = require('dont-sniff-mimetype'); -const app = express(); // Web framework to handle routing requests -const routes = require("./app/routes"); -const { port, db, cookieSecret } = require("./config/config"); // Application config properties -/* -// Fix for A6-Sensitive Data Exposure -// Load keys for establishing secure HTTPS connection -const fs = require("fs"); -const https = require("https"); const path = require("path"); -const httpsOptions = { +const routes = require("./app/routes"); +const { port, db, cookieSecret } = require("./config/config"); + +const app = express(); + +MongoClient.connect(db, (err, dbConn) => { + if (err) { + console.error("❌ Error connecting to DB:", err); + process.exit(1); + } + console.log("✅ Connected to the database"); + + // --- Security Middleware Setup --- + app.disable("x-powered-by"); // Hide Express + app.use(helmet({ + contentSecurityPolicy: false, // disable strict CSP if templates use inline scripts + })); + + // Add favicon + app.use(favicon(path.join(__dirname, "/app/assets/favicon.ico"))); + + // Parse JSON and form data + app.use(bodyParser.json()); + app.use(bodyParser.urlencoded({ extended: false })); + + // --- Secure Session Management --- + app.use(session({ + name: "sessionId", // Custom session cookie name + secret: cookieSecret, // Strong secret 
key + saveUninitialized: false, // Don't save empty sessions + resave: false, // Don't resave unchanged sessions + cookie: { + httpOnly: true, // Prevent client-side JS access + secure: process.env.NODE_ENV === "production", // HTTPS only in production + sameSite: "lax", // Helps prevent CSRF + maxAge: 1000 * 60 * 30, // 30 minutes + path: "/", // Root path + // Set domain only if you use subdomains: + // domain: ".example.com" + }, + })); + + // --- View Engine Setup --- + app.engine(".html", consolidate.swig); + app.set("view engine", "html"); + app.set("views", path.join(__dirname, "/app/views")); + + // Static assets + app.use(express.static(path.join(__dirname, "/app/assets"))); + + // --- Markdown Configuration --- + marked.setOptions({ + mangle: false, + headerIds: false, + }); + app.locals.marked = marked; + + // --- Application Routes --- + routes(app, dbConn); + + // --- Swig Template Defaults --- + swig.setDefaults({ + autoescape: true, // Prevent XSS + }); + + // --- Start Server (HTTP) --- + http.createServer(app).listen(port, () => { + console.log(`🚀 Express HTTP server running on port ${port}`); + }); + + /* + // --- HTTPS Version (Recommended for Production) --- + const fs = require("fs"); + const https = require("https"); + const httpsOptions = { key: fs.readFileSync(path.resolve(__dirname, "./artifacts/cert/server.key")), - cert: fs.readFileSync(path.resolve(__dirname, "./artifacts/cert/server.crt")) -}; -*/ - -MongoClient.connect(db, (err, db) => { - if (err) { - console.log("Error: DB: connect"); - console.log(err); - process.exit(1); - } - console.log(`Connected to the database`); - - /* - // Fix for A5 - Security MisConfig - // TODO: Review the rest of helmet options, like "xssFilter" - // Remove default x-powered-by response header - app.disable("x-powered-by"); - - // Prevent opening page in frame or iframe to protect from clickjacking - app.use(helmet.frameguard()); //xframe deprecated - - // Prevents browser from caching and storing page - 
app.use(helmet.noCache()); - - // Allow loading resources only from white-listed domains - app.use(helmet.contentSecurityPolicy()); //csp deprecated - - // Allow communication only on HTTPS - app.use(helmet.hsts()); - - // TODO: Add another vuln: https://github.com/helmetjs/helmet/issues/26 - // Enable XSS filter in IE (On by default) - // app.use(helmet.iexss()); - // Now it should be used in hit way, but the README alerts that could be - // dangerous, like specified in the issue. - // app.use(helmet.xssFilter({ setOnOldIE: true })); - - // Forces browser to only use the Content-Type set in the response header instead of sniffing or guessing it - app.use(nosniff()); - */ - - // Adding/ remove HTTP Headers for security - app.use(favicon(__dirname + "/app/assets/favicon.ico")); - - // Express middleware to populate "req.body" so we can access POST variables - app.use(bodyParser.json()); - app.use(bodyParser.urlencoded({ - // Mandatory in Express v4 - extended: false - })); - - // Enable session management using express middleware - app.use(session({ - // genid: (req) => { - // return genuuid() // use UUIDs for session IDs - //}, - secret: cookieSecret, - // Both mandatory in Express v4 - saveUninitialized: true, - resave: true - /* - // Fix for A5 - Security MisConfig - // Use generic cookie name - key: "sessionId", - */ - - /* - // Fix for A3 - XSS - // TODO: Add "maxAge" - cookie: { - httpOnly: true - // Remember to start an HTTPS server to get this working - // secure: true - } - */ - - })); - - /* - // Fix for A8 - CSRF - // Enable Express csrf protection - app.use(csrf()); - // Make csrf token available in templates - app.use((req, res, next) => { - res.locals.csrftoken = req.csrfToken(); - next(); - }); - */ - - // Register templating engine - app.engine(".html", consolidate.swig); - app.set("view engine", "html"); - app.set("views", `${__dirname}/app/views`); - // Fix for A5 - Security MisConfig - // TODO: make sure assets are declared before 
app.use(session()) - app.use(express.static(`${__dirname}/app/assets`)); - - - // Initializing marked library - // Fix for A9 - Insecure Dependencies - marked.setOptions({ - sanitize: true - }); - app.locals.marked = marked; - - // Application routes - routes(app, db); - - // Template system setup - swig.setDefaults({ - // Autoescape disabled - autoescape: false - /* - // Fix for A3 - XSS, enable auto escaping - autoescape: true // default value - */ - }); - - // Insecure HTTP connection - http.createServer(app).listen(port, () => { - console.log(`Express http server listening on port ${port}`); - }); - - /* - // Fix for A6-Sensitive Data Exposure - // Use secure HTTPS protocol - https.createServer(httpsOptions, app).listen(port, () => { - console.log(`Express http server listening on port ${port}`); - }); - */ + cert: fs.readFileSync(path.resolve(__dirname, "./artifacts/cert/server.crt")), + }; + https.createServer(httpsOptions, app).listen(port, () => { + console.log(`🔒 HTTPS server running on port ${port}`); + }); + */ }); diff --git a/test.txt b/test.txt new file mode 100644 index 000000000..9daeafb98 --- /dev/null +++ b/test.txt @@ -0,0 +1 @@ +test diff --git a/test1 b/test1 new file mode 100644 index 000000000..2a02d41ce --- /dev/null +++ b/test1 @@ -0,0 +1 @@ +TEST diff --git a/testpr b/testpr new file mode 100644 index 000000000..283badb4e --- /dev/null +++ b/testpr @@ -0,0 +1 @@ +kh diff --git a/uytr b/uytr new file mode 100644 index 000000000..b3b9d04ff --- /dev/null +++ b/uytr @@ -0,0 +1 @@ +lg nbvcxxcv b diff --git a/vdvvsvdsdsdsvfs b/vdvvsvdsdsdsvfs new file mode 100644 index 000000000..8bd2bc103 --- /dev/null +++ b/vdvvsvdsdsdsvfs @@ -0,0 +1 @@ +sfvv diff --git a/vfdvdasvs b/vfdvdasvs new file mode 100644 index 000000000..f3dcb1c70 --- /dev/null +++ b/vfdvdasvs @@ -0,0 +1 @@ +fsbSV
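Review bot: `marked.setOptions` in the new server.js drops `sanitize: true` and sets only `mangle` and `headerIds`, so markdown rendered via `app.locals.marked` is no longer sanitized; swig's `autoescape: true` covers template variables, but if any view passes `marked(...)` output through `|safe` (not visible in this diff) user-supplied HTML in markdown reaches the page unescaped — sanitize the rendered HTML before marking it safe, or confirm no view does so. CSRF protection is still absent: the old `// const csrf = require('csurf');` placeholder is removed rather than enabled, and `sameSite: "lax"` on the session cookie does not protect the POST routes by itself, so a token middleware plus `res.locals.csrftoken` for the forms is still needed. `contentSecurityPolicy: false` switches off the helmet header most relevant to XSS; a minimal policy that allows the app's own scripts is preferable to disabling it. The commented HTTPS block at the bottom reads `./artifacts/cert/server.key`, which this same commit truncates to an empty file, so that block cannot be enabled as written and the key it held should be considered exposed. The enclosing `MongoClient.connect` callback is complete within the hunk.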