juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5

6
import * as models from '../models/index'
7
import { type Request, type Response, type NextFunction } from 'express'
8
import { UserModel } from '../models/user'
9
import { challenges } from '../data/datacache'
10

11
import * as utils from '../lib/utils'
12
const challengeUtils = require('../lib/challengeUtils')
13

14
class ErrorWithParent extends Error {
15
  parent: Error | undefined
16
}
17

18
// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
19
module.exports = function searchProducts () {
20
  return (req: Request, res: Response, next: NextFunction) => {
21
    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
22
    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
23
    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
24
      .then(([products]: any) => {
25
        const dataString = JSON.stringify(products)
26
        if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
27
          let solved = true
28
          UserModel.findAll().then(data => {
29
            const users = utils.queryResultToJson(data)
30
            if (users.data?.length) {
31
              for (let i = 0; i < users.data.length; i++) {
32
                solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
33
                if (!solved) {
34
                  break
35
                }
36
              }
37
              if (solved) {
38
                challengeUtils.solve(challenges.unionSqlInjectionChallenge)
39
              }
40
            }
41
          }).catch((error: Error) => {
42
            next(error)
43
          })
44
        }
45
        if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
46
          let solved = true
47
          void models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
48
            const tableDefinitions = utils.queryResultToJson(data)
49
            if (tableDefinitions.data?.length) {
50
              for (let i = 0; i < tableDefinitions.data.length; i++) {
51
                if (tableDefinitions.data[i].sql) {
52
                  solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
53
                  if (!solved) {
54
                    break
55
                  }
56
                }
57
              }
58
              if (solved) {
59
                challengeUtils.solve(challenges.dbSchemaChallenge)
60
              }
61
            }
62
          })
63
        } // vuln-code-snippet hide-end
64
        for (let i = 0; i < products.length; i++) {
65
          products[i].name = req.__(products[i].name)
66
          products[i].description = req.__(products[i].description)
67
        }
68
        res.json(utils.queryResultToJson(products))
69
      }).catch((error: ErrorWithParent) => {
70
        next(error.parent)
71
      })
72
  }
73
}
74
// vuln-code-snippet end unionSqlInjectionChallenge dbSchemaChallenge
75