juice-shop
28 строк · 1.1 Кб
1/*2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.3* SPDX-License-Identifier: MIT4*/5import utils = require('../lib/utils')7import challengeUtils = require('../lib/challengeUtils')8import { type Request, type Response } from 'express'9import * as db from '../data/mongodb'10import { challenges } from '../data/datacache'11module.exports = function trackOrder () {13return (req: Request, res: Response) => {14const id = !utils.isChallengeEnabled(challenges.reflectedXssChallenge) ? String(req.params.id).replace(/[^\w-]+/g, '') : req.params.id15challengeUtils.solveIf(challenges.reflectedXssChallenge, () => { return utils.contains(id, '<iframe src="javascript:alert(`xss`)">') })17db.ordersCollection.find({ $where: `this.orderId === '${id}'` }).then((order: any) => {18const result = utils.queryResultToJson(order)19challengeUtils.solveIf(challenges.noSqlOrdersChallenge, () => { return result.data.length > 1 })20if (result.data[0] === undefined) {21result.data[0] = { orderId: id }22}23res.json(result)24}, () => {25res.status(400).json({ error: 'Wrong Param' })26})27}28}29