1/*
2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3* SPDX-License-Identifier: MIT
4*/
5
6import utils = require('../lib/utils')
7import challengeUtils = require('../lib/challengeUtils')
8import { type Request, type Response } from 'express'
9import * as db from '../data/mongodb'
10import { challenges } from '../data/datacache'
11
module.exports = function trackOrder () {
  return (req: Request, res: Response) => {
    // SECURITY NOTE (intentional — this is OWASP Juice Shop training code):
    // the route parameter is only reduced to [\w-] characters when the
    // reflected-XSS challenge is switched off. While the challenge is enabled
    // the raw, unfiltered value is used as-is and later echoed back to the
    // caller, which is what makes the reflected-XSS sink reachable.
    const rawId = req.params.id
    const id = utils.isChallengeEnabled(challenges.reflectedXssChallenge)
      ? rawId
      : String(rawId).replace(/[^\w-]+/g, '')

    // Challenge bookkeeping: solved as soon as the known payload appears in the id.
    challengeUtils.solveIf(challenges.reflectedXssChallenge, () => {
      return utils.contains(id, '<iframe src="javascript:alert(`xss`)">')
    })

    // SECURITY NOTE (intentional): `$where` takes a JavaScript expression that
    // the query engine evaluates, and that expression is built here by string
    // interpolation of user input. Anything that breaks out of the single-quoted
    // literal is executed as part of the query, i.e. this is a NoSQL /
    // server-side JavaScript injection sink. A hardened implementation would use
    // an equality filter such as `{ orderId: id }` instead of `$where`; it is
    // deliberately left as-is because noSqlOrdersChallenge depends on it.
    const whereExpression = `this.orderId === '${id}'`
    db.ordersCollection.find({ $where: whereExpression }).then(
      (orders: any) => {
        const result = utils.queryResultToJson(orders)
        // A single order id can only match more than one document if the
        // `$where` expression was tampered with, so that is the injection oracle.
        challengeUtils.solveIf(challenges.noSqlOrdersChallenge, () => {
          return result.data.length > 1
        })
        if (result.data[0] === undefined) {
          // No order found: the (possibly unsanitised) id is reflected back in
          // the JSON body. Whether it ends up rendered as HTML depends on the
          // client — TODO(review): confirm how the frontend displays orderId.
          result.data[0] = { orderId: id }
        }
        res.json(result)
      },
      () => {
        // Any query failure (e.g. a syntactically broken `$where` expression)
        // is reported as a generic 400 without leaking engine details.
        res.status(400).json({ error: 'Wrong Param' })
      }
    )
  }
}
29