juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5

6
import challengeUtils = require('../lib/challengeUtils')
7
import { type Request, type Response, type NextFunction } from 'express'
8
import { type Review } from '../data/types'
9
import * as db from '../data/mongodb'
10
import { challenges } from '../data/datacache'
11

12
const security = require('../lib/insecurity')
13

14
module.exports = function productReviews () {
15
  return (req: Request, res: Response, next: NextFunction) => {
16
    const id = req.body.id
17
    const user = security.authenticatedUsers.from(req)
18
    db.reviewsCollection.findOne({ _id: id }).then((review: Review) => {
19
      if (!review) {
20
        res.status(404).json({ error: 'Not found' })
21
      } else {
22
        const likedBy = review.likedBy
23
        if (!likedBy.includes(user.data.email)) {
24
          db.reviewsCollection.update(
25
            { _id: id },
26
            { $inc: { likesCount: 1 } }
27
          ).then(
28
            () => {
29
              // Artificial wait for timing attack challenge
30
              setTimeout(function () {
31
                db.reviewsCollection.findOne({ _id: id }).then((review: Review) => {
32
                  const likedBy = review.likedBy
33
                  likedBy.push(user.data.email)
34
                  let count = 0
35
                  for (let i = 0; i < likedBy.length; i++) {
36
                    if (likedBy[i] === user.data.email) {
37
                      count++
38
                    }
39
                  }
40
                  challengeUtils.solveIf(challenges.timingAttackChallenge, () => { return count > 2 })
41
                  db.reviewsCollection.update(
42
                    { _id: id },
43
                    { $set: { likedBy } }
44
                  ).then(
45
                    (result: any) => {
46
                      res.json(result)
47
                    }, (err: unknown) => {
48
                      res.status(500).json(err)
49
                    })
50
                }, () => {
51
                  res.status(400).json({ error: 'Wrong Params' })
52
                })
53
              }, 150)
54
            }, (err: unknown) => {
55
              res.status(500).json(err)
56
            })
57
        } else {
58
          res.status(403).json({ error: 'Not allowed' })
59
        }
60
      }
61
    }, () => {
62
      res.status(400).json({ error: 'Wrong Params' })
63
    })
64
  }
65
}
66