juice-shop
71 строка · 1.9 Кб
1/*2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.3* SPDX-License-Identifier: MIT4*/5/* jslint node: true */7import * as utils from '../lib/utils'8import * as challengeUtils from '../lib/challengeUtils'9import {10Model,11type InferAttributes,12type InferCreationAttributes,13DataTypes,14type CreationOptional,15type Sequelize16} from 'sequelize'17import { type BasketItemModel } from './basketitem'18import { challenges } from '../data/datacache'19import * as security from '../lib/insecurity'20class Product extends Model<22InferAttributes<Product>,23InferCreationAttributes<Product>24> {25declare id: CreationOptional<number>26declare name: string27declare description: string28declare price: number29declare deluxePrice: number30declare image: string31declare BasketItem?: CreationOptional<BasketItemModel> // Note this is optional since it's only populated when explicitly requested in code32}33const ProductModelInit = (sequelize: Sequelize) => {35Product.init(36{37id: {38type: DataTypes.INTEGER,39primaryKey: true,40autoIncrement: true41},42name: DataTypes.STRING,43description: {44type: DataTypes.STRING,45set (description: string) {46if (utils.isChallengeEnabled(challenges.restfulXssChallenge)) {47challengeUtils.solveIf(challenges.restfulXssChallenge, () => {48return utils.contains(49description,50'<iframe src="javascript:alert(`xss`)">'51)52})53} else {54description = security.sanitizeSecure(description)55}56this.setDataValue('description', description)57}58},59price: DataTypes.DECIMAL,60deluxePrice: DataTypes.DECIMAL,61image: DataTypes.STRING62},63{64tableName: 'Products',65sequelize,66paranoid: true67}68)69}70export { Product as ProductModel, ProductModelInit }72