1/*
2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3* SPDX-License-Identifier: MIT
4*/
5
6/* jslint node: true */
7import * as utils from '../lib/utils'
8import * as challengeUtils from '../lib/challengeUtils'
9import {
10Model,
11type InferAttributes,
12type InferCreationAttributes,
13DataTypes,
14type CreationOptional,
15type Sequelize
16} from 'sequelize'
17import { type BasketItemModel } from './basketitem'
18import { challenges } from '../data/datacache'
19import * as security from '../lib/insecurity'
20
/**
 * Sequelize model for a shop product.
 *
 * Attribute and creation types are inferred from the `declare` fields
 * below; the actual column definitions live in `ProductModelInit`.
 */
class Product extends Model<InferAttributes<Product>, InferCreationAttributes<Product>> {
  // Auto-incremented primary key, so optional on creation
  declare id: CreationOptional<number>
  declare name: string
  // Free text. The setter in ProductModelInit only runs it through
  // security.sanitizeSecure while the RESTful XSS challenge is disabled,
  // so consumers must treat it as untrusted markup when rendering.
  declare description: string
  // Backed by DECIMAL columns (see ProductModelInit)
  declare price: number
  declare deluxePrice: number
  declare image: string
  // Only present when the association is explicitly requested in code
  declare BasketItem?: CreationOptional<BasketItemModel>
}
33
/**
 * Registers the Product model on the given Sequelize instance.
 *
 * Defines the `Products` table (Sequelize paranoid mode, i.e. soft
 * deletes) and the column types backing the fields declared on `Product`.
 *
 * The security-relevant part is the `description` setter: the value is
 * passed through `security.sanitizeSecure` only while the RESTful XSS
 * challenge is disabled. With the challenge enabled the raw string is
 * persisted unchanged and the challenge is marked solved when the string
 * contains the expected payload. This sanitizer bypass is intentional for
 * the OWASP Juice Shop training app; anything that renders `description`
 * has to treat it as untrusted HTML.
 *
 * @param sequelize - connection the model is attached to
 */
const ProductModelInit = (sequelize: Sequelize) => {
  // Exact payload the RESTful XSS challenge checks the description for
  const xssChallengePayload = '<iframe src="javascript:alert(`xss`)">'

  Product.init(
    {
      id: { type: DataTypes.INTEGER, primaryKey: true, autoIncrement: true },
      name: DataTypes.STRING,
      description: {
        type: DataTypes.STRING,
        set (description: string) {
          let stored = description
          if (utils.isChallengeEnabled(challenges.restfulXssChallenge)) {
            // Challenge mode: nothing is sanitized, only the payload check runs
            challengeUtils.solveIf(challenges.restfulXssChallenge, () =>
              utils.contains(description, xssChallengePayload)
            )
          } else {
            stored = security.sanitizeSecure(description)
          }
          this.setDataValue('description', stored)
        }
      },
      price: DataTypes.DECIMAL,
      deluxePrice: DataTypes.DECIMAL,
      image: DataTypes.STRING
    },
    { tableName: 'Products', sequelize, paranoid: true }
  )
}
70
// The model class is exported under the name the rest of the app imports
export { Product as ProductModel }
export { ProductModelInit }
72