juice-shop
/
server.ts
733 строки · 34.5 Кб
1/*2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.3* SPDX-License-Identifier: MIT4*/5import dataErasure from './routes/dataErasure'6import fs = require('fs')7import { type Request, type Response, type NextFunction } from 'express'8import { sequelize } from './models'9import { UserModel } from './models/user'10import { QuantityModel } from './models/quantity'11import { CardModel } from './models/card'12import { PrivacyRequestModel } from './models/privacyRequests'13import { AddressModel } from './models/address'14import { SecurityAnswerModel } from './models/securityAnswer'15import { SecurityQuestionModel } from './models/securityQuestion'16import { RecycleModel } from './models/recycle'17import { ComplaintModel } from './models/complaint'18import { ChallengeModel } from './models/challenge'19import { BasketItemModel } from './models/basketitem'20import { FeedbackModel } from './models/feedback'21import { ProductModel } from './models/product'22import { WalletModel } from './models/wallet'23import logger from './lib/logger'24import config from 'config'25import path from 'path'26import morgan from 'morgan'27import colors from 'colors/safe'28import * as utils from './lib/utils'29import * as Prometheus from 'prom-client'30import datacreator from './data/datacreator'31handleXmlUpload66} = require('./routes/fileUpload')67const profileImageFileUpload = require('./routes/profileImageFileUpload')68const profileImageUrlUpload = require('./routes/profileImageUrlUpload')69const redirect = require('./routes/redirect')70const vulnCodeSnippet = require('./routes/vulnCodeSnippet')71const vulnCodeFixes = require('./routes/vulnCodeFixes')72const angular = require('./routes/angular')73const easterEgg = require('./routes/easterEgg')74const premiumReward = require('./routes/premiumReward')75const privacyPolicyProof = require('./routes/privacyPolicyProof')76const appVersion = require('./routes/appVersion')77const repeatNotification = require('./routes/repeatNotification')78const continueCode = require('./routes/continueCode')79const restoreProgress = require('./routes/restoreProgress')80const fileServer = require('./routes/fileServer')81const quarantineServer = require('./routes/quarantineServer')82const keyServer = require('./routes/keyServer')83const logFileServer = require('./routes/logfileServer')84const metrics = require('./routes/metrics')85const currentUser = require('./routes/currentUser')86const login = require('./routes/login')87const changePassword = require('./routes/changePassword')88const resetPassword = require('./routes/resetPassword')89const securityQuestion = require('./routes/securityQuestion')90const search = require('./routes/search')91const coupon = require('./routes/coupon')92const basket = require('./routes/basket')93const order = require('./routes/order')94const verify = require('./routes/verify')95const recycles = require('./routes/recycles')96const b2bOrder = require('./routes/b2bOrder')97const showProductReviews = require('./routes/showProductReviews')98const createProductReviews = require('./routes/createProductReviews')99const checkKeys = require('./routes/checkKeys')100const nftMint = require('./routes/nftMint')101const web3Wallet = require('./routes/web3Wallet')102const updateProductReviews = require('./routes/updateProductReviews')103const likeProductReviews = require('./routes/likeProductReviews')104const security = require('./lib/insecurity')105const app = express()106const server = require('http').Server(app)107const appConfiguration = require('./routes/appConfiguration')108const captcha = require('./routes/captcha')109const trackOrder = require('./routes/trackOrder')110const countryMapping = require('./routes/countryMapping')111const basketItems = require('./routes/basketItems')112const saveLoginIp = require('./routes/saveLoginIp')113const userProfile = require('./routes/userProfile')114const updateUserProfile = require('./routes/updateUserProfile')115const videoHandler = require('./routes/videoHandler')116const twoFactorAuth = require('./routes/2fa')117const languageList = require('./routes/languages')118const imageCaptcha = require('./routes/imageCaptcha')119const dataExport = require('./routes/dataExport')120const address = require('./routes/address')121const payment = require('./routes/payment')122const wallet = require('./routes/wallet')123const orderHistory = require('./routes/orderHistory')124const delivery = require('./routes/delivery')125const deluxe = require('./routes/deluxe')126const memory = require('./routes/memory')127const chatbot = require('./routes/chatbot')128const locales = require('./data/static/locales.json')129const i18n = require('i18n')130const antiCheat = require('./lib/antiCheat')131// Wraps the function and measures its (async) execution time140const collectDurationPromise = (name: string, func: (...args: any) => Promise<any>) => {141return async (...args: any) => {142const end = startupGauge.startTimer({ task: name })143try {144const res = await func(...args)145end()146return res147} catch (err) {148console.error('Error in timed startup function: ' + name, err)149throw err150}151}152}153/* Sets view engine to hbs */155app.set('view engine', 'hbs')156// Function called first to ensure that all the i18n files are reloaded successfully before other linked operations.162restoreOverwrittenFilesWithOriginals().then(() => {163/* Locals */164app.locals.captchaId = 0165app.locals.captchaReqId = 1166app.locals.captchaBypassReqTimes = []167app.locals.abused_ssti_bug = false168app.locals.abused_ssrf_bug = false169}660const uploadToDisk = multer({661storage: multer.diskStorage({662destination: (req: Request, file: any, cb: any) => {663const isValid = mimeTypeMap[file.mimetype]664let error: Error | null = new Error('Invalid mime type')665if (isValid) {666error = null667}668cb(error, path.resolve('frontend/dist/frontend/assets/public/images/uploads/'))669},670filename: (req: Request, file: any, cb: any) => {671const name = security.sanitizeFilename(file.originalname)672.toLowerCase()673.split(' ')674.join('-')675const ext = mimeTypeMap[file.mimetype]676cb(null, name + '-' + Date.now() + '.' + ext)677}678})679})680}685logger.info(`Entity models ${colors.bold(Object.keys(sequelize.models).length.toString())} of ${colors.bold(expectedModels.length.toString())} are initialized (${colors.green('OK')})`)686// vuln-code-snippet start exposedMetricsChallenge688/* Serve metrics */689let metricsUpdateLoop: any690const Metrics = metrics.observeMetrics() // vuln-code-snippet neutral-line exposedMetricsChallenge691app.get('/metrics', metrics.serveMetrics()) // vuln-code-snippet vuln-line exposedMetricsChallenge692errorhandler.title = `${config.get<string>('application.name')} (Express ${utils.version('express')})`693}719}729// vuln-code-snippet end exposedMetricsChallenge730// stop server on sigint or sigterm signals732process.on('SIGINT', () => { close(0) })733process.on('SIGTERM', () => { close(0) })734