/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

import fs = require('fs')
import { type Request, type Response } from 'express'
import challengeUtils = require('../lib/challengeUtils')
import config from 'config'
import * as utils from '../lib/utils'
import { AllHtmlEntities as Entities } from 'html-entities'
import { challenges } from '../data/datacache'

// Pug is loaded with a plain CommonJS require; only its compile() is used (see promotionVideo)
const pug = require('pug')
// Theme palette table; promotionVideo indexes it with the configured 'application.theme'
const themes = require('../views/themes/themes').themes
// HTML entity encoder used to escape the application name before it is substituted into the page template
const entities = new Entities()

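/**
 * Builds the Express handler that streams the promotion video.
 *
 * Without a Range header the whole file is sent with status 200. With a parsable
 * single byte range the requested slice is sent with 206 and a Content-Range header.
 * A Range value the parser does not understand (multi-range, non-byte units, garbage)
 * is ignored and the full file is served, which RFC 9110 permits. A well-formed but
 * unsatisfiable range (start at or beyond the end of the file, or start after end)
 * is answered with 416 and a Content-Range naming only the file size. Previously such
 * offsets were handed straight to fs.createReadStream, which throws on out-of-range
 * or non-numeric start/end, so a malformed client header became a server error.
 */
exports.getVideo = () => {
  return (req: Request, res: Response) => {
    const path = videoPath()
    const fileSize = fs.statSync(path).size
    const range = parseByteRange(req.headers.range, fileSize)

    if (range === 'unsatisfiable') {
      res.writeHead(416, {
        'Content-Range': `bytes */${fileSize}`,
        'Accept-Ranges': 'bytes'
      })
      res.end()
      return
    }

    if (range !== null) {
      const { start, end } = range
      const chunksize = (end - start) + 1
      const file = fs.createReadStream(path, { start, end })
      const head = {
        'Content-Range': `bytes ${start}-${end}/${fileSize}`,
        'Accept-Ranges': 'bytes',
        'Content-Length': chunksize,
        // NOTE(review): hard-coded to the default file name even when application.promotion.video points elsewhere (see videoPath) — confirm the intended URL
        'Content-Location': '/assets/public/videos/owasp_promo.mp4',
        'Content-Type': 'video/mp4'
      }
      res.writeHead(206, head)
      file.pipe(res)
      return
    }

    res.writeHead(200, {
      'Content-Length': fileSize,
      'Content-Type': 'video/mp4'
    })
    fs.createReadStream(path).pipe(res)
  }
}

/**
 * Parses a single-range `bytes=start-end` header value against a file of `fileSize` bytes.
 *
 * @param range the raw Range header value, or undefined when the client sent none
 * @param fileSize size of the file being served, in bytes
 * @returns null when there is no usable byte range (caller serves the whole file);
 *   the string 'unsatisfiable' when the range lies entirely outside the file;
 *   otherwise the inclusive start/end offsets, with end clamped to the last byte.
 */
function parseByteRange (range: string | undefined, fileSize: number): { start: number, end: number } | 'unsatisfiable' | null {
  if (range === undefined || range === '') return null
  const match = /^bytes=(\d*)-(\d*)$/.exec(range.trim())
  if (match === null) return null
  const startPart = match[1] ?? ''
  const endPart = match[2] ?? ''
  if (startPart === '' && endPart === '') return null

  const lastByte = fileSize - 1
  let start: number
  let end: number
  if (startPart === '') {
    // Suffix form `bytes=-N` asks for the final N bytes of the file
    const suffixLength = parseInt(endPart, 10)
    if (suffixLength === 0) return 'unsatisfiable'
    start = Math.max(fileSize - suffixLength, 0)
    end = lastByte
  } else {
    start = parseInt(startPart, 10)
    // An omitted or oversized end means "through the last byte"
    end = endPart === '' ? lastByte : Math.min(parseInt(endPart, 10), lastByte)
  }

  if (start >= fileSize || start > end) return 'unsatisfiable'
  return { start, end }
}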

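/**
 * Builds the Express handler that renders the promotion video page.
 *
 * The Pug template is read from disk, the placeholders for application name, favicon
 * and theme colours are substituted, the template is compiled, and the subtitle track
 * returned by getSubsFromFile() is spliced into the `<script id="subtitle">` element.
 *
 * The subtitle content is inserted without HTML encoding on purpose: that is the
 * surface of `challenges.videoXssChallenge`, which solveIf marks as solved when the
 * subtitles contain the probe string checked below. Encoding the subtitles would
 * silently retire that challenge.
 *
 * Any error while reading the template, reading the subtitles, or looking up the
 * theme now results in a 500 to the client. The previous code threw from inside the
 * readFile callback, which is outside Express's error handling and would surface as
 * an uncaught exception in the Node process instead of an HTTP error.
 */
exports.promotionVideo = () => {
  return (req: Request, res: Response) => {
    fs.readFile('views/promotionVideo.pug', function (err, buf) {
      let compiledTemplate: string
      try {
        if (err != null) throw err
        let template = buf.toString()
        const subs = getSubsFromFile()

        challengeUtils.solveIf(challenges.videoXssChallenge, () => { return utils.contains(subs, '</script><script>alert(`xss`)</script>') })

        const theme = themes[config.get<string>('application.theme')]
        template = template.replace(/_title_/g, entities.encode(config.get<string>('application.name')))
        template = template.replace(/_favicon_/g, favicon())
        template = template.replace(/_bgColor_/g, theme.bgColor)
        template = template.replace(/_textColor_/g, theme.textColor)
        template = template.replace(/_navColor_/g, theme.navColor)
        template = template.replace(/_primLight_/g, theme.primLight)
        template = template.replace(/_primDark_/g, theme.primDark)
        const fn = pug.compile(template)
        compiledTemplate = fn()
        // Intentionally unencoded (see header comment): this is the videoXssChallenge surface
        compiledTemplate = compiledTemplate.replace('<script id="subtitle"></script>', '<script id="subtitle" type="text/vtt" data-label="English" data-lang="en">' + subs + '</script>')
      } catch {
        // NOTE(review): no logger is imported in this file; wire one up here if the project has a shared logger
        res.status(500).send('Error rendering promotion video')
        return
      }
      res.send(compiledTemplate)
    })
  }
  // File name of the configured favicon, with any leading path stripped by utils.extractFilename
  function favicon () {
    return utils.extractFilename(config.get('application.favicon'))
  }
}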

/**
 * Reads the promotion video subtitle track from the built frontend assets.
 *
 * The file name comes from config key 'application.promotion.subtitles'; a null
 * value falls back to 'owasp_promo.vtt'. The content is returned as a UTF-8 string
 * and is later inserted into the page unencoded (see promotionVideo).
 *
 * NOTE(review): the configured name is used as-is, whereas videoPath() runs its
 * configured value through utils.extractFilename — confirm whether the two are
 * meant to differ.
 */
function getSubsFromFile () {
  const configuredName = config.get<string>('application.promotion.subtitles')
  const fileName = configuredName ?? 'owasp_promo.vtt'
  const subtitlePath = `frontend/dist/frontend/assets/public/videos/${fileName}`
  const content = fs.readFileSync(subtitlePath, 'utf8')
  return content.toString()
}

/**
 * Resolves the on-disk path of the promotion video inside the built frontend assets.
 *
 * When config key 'application.promotion.video' is non-null its value is reduced to
 * a bare file name with utils.extractFilename and looked up in the videos directory;
 * otherwise the bundled 'owasp_promo.mp4' is used.
 */
function videoPath () {
  const videosDir = 'frontend/dist/frontend/assets/public/videos/'
  const configuredVideo = config.get<string>('application.promotion.video')
  if (configuredVideo !== null) {
    return videosDir + utils.extractFilename(configuredVideo)
  }
  return videosDir + 'owasp_promo.mp4'
}
