Feature 2

java-app/pom.xml

@@ -85,13 +85,11 @@
       <artifactId>arquillian-container-impl-base</artifactId>
       <version>1.7.0.Alpha12</version>
      </dependency>
-     <!-- 
      <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.9.10.3</version>
+      <version>2.9.10.4</version>
      </dependency>
-     -->
       <dependency>
       <groupId>org.jboss.shrinkwrap</groupId>
       <artifactId>shrinkwrap-impl-base</artifactId>

sast.ts

@@ -0,0 +1,193 @@
+/*
+ * Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * SPDX-License-Identifier: MIT
+ */
+
+import models = require('../models/index')
+import { type Request, type Response, type NextFunction } from 'express'
+import { UserModel } from '../models/user'
+
+import * as utils from '../lib/utils'
+const challengeUtils = require('../lib/challengeUtils')
+const challenges = require('../data/datacache').challenges
+
+class ErrorWithParent extends Error {
+  parent: Error | undefined
+}
+
+// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
+module.exports = function searchProducts () {
+  return (req: Request, res: Response, next: NextFunction) => {
+    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+      .then(([products]: any) => {
+        const dataString = JSON.stringify(products)
+        if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
+          let solved = true
+          UserModel.findAll().then(data => {
+            const users = utils.queryResultToJson(data)
+            if (users.data?.length) {
+              for (let i = 0; i < users.data.length; i++) {
+                solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
+                if (!solved) {
+                  break
+                }
+              }
+              if (solved) {
+                challengeUtils.solve(challenges.unionSqlInjectionChallenge)
+              }
+            }
+          }).catch((error: Error) => {
+            next(error)
+          })
+        }
+        if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
+          let solved = true
+          models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
+            const tableDefinitions = utils.queryResultToJson(data)
+            if (tableDefinitions.data?.length) {
+              for (let i = 0; i < tableDefinitions.data.length; i++) {
+                if (tableDefinitions.data[i].sql) {
+                  solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
+                  if (!solved) {
+                    break
+                  }
+                }
+              }
+              if (solved) {
+                challengeUtils.solve(challenges.dbSchemaChallenge)
+              }
+            }
+          })
+        } // vuln-code-snippet hide-end
+        for (let i = 0; i < products.length; i++) {
+          products[i].name = req.__(products[i].name)
+          products[i].description = req.__(products[i].description)
+        }
+        res.json(utils.queryResultToJson(products))
+      }).catch((error: ErrorWithParent) => {
+        next(error.parent)
+      })
+  }
+}
+
+
+// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
+module.exports = function searchProducts () {
+  return (req: Request, res: Response, next: NextFunction) => {
+    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`,
+      { replacements: { criteria: '%' + criteria + '%' }, type: models.sequelize.QueryTypes.SELECT } // use parameterized query
+    )
+      .then(([products]: any) => {
+        const dataString = JSON.stringify(products)
+        if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
+          let solved = true
+          UserModel.findAll().then(data => {
+            const users = utils.queryResultToJson(data)
+            if (users.data?.length) {
+              for (let i = 0; i < users.data.length; i++) {
+                solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
+                if (!solved) {
+                  break
+                }
+              }
+              if (solved) {
+                challengeUtils.solve(challenges.unionSqlInjectionChallenge)
+              }
+            }
+          }).catch((error: Error) => {
+            next(error)
+          })
+        }
+        if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
+          let solved = true
+          models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
+            const tableDefinitions = utils.queryResultToJson(data)
+            if (tableDefinitions.data?.length) {
+              for (let i = 0; i < tableDefinitions.data.length; i++) {
+                if (tableDefinitions.data[i].sql) {
+                  solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
+                  if (!solved) {
+                    break
+                  }
+                }
+              }
+              if (solved) {
+                challengeUtils.solve(challenges.dbSchemaChallenge)
+              }
+            }
+          })
+        } // vuln-code-snippet hide-end
+        for (let i = 0; i < products.length; i++) {
+          products[i].name = req.__(products[i].name)
+          products[i].description = req.__(products[i].description)
+        }
+        res.json(utils.queryResultToJson(products))
+      }).catch((error: ErrorWithParent) => {
+        next(error.parent)
+      })
+  }
+}
+
+
+// vuln-code-snippet start unionSqlInjectionChallenge dbSchemaChallenge
+module.exports = function searchProducts () {
+  return (req: Request, res: Response, next: NextFunction) => {
+    let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
+    criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
+    const query = `SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name`;
+    const options = { replacements: { criteria: `%${criteria}%` }, type: QueryTypes.SELECT };
+    models.sequelize.query(query, options)
+      .then(([products]: any) => {
+        const dataString = JSON.stringify(products)
+        if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start
+          let solved = true
+          UserModel.findAll().then(data => {
+            const users = utils.queryResultToJson(data)
+            if (users.data?.length) {
+              for (let i = 0; i < users.data.length; i++) {
+                solved = solved && utils.containsOrEscaped(dataString, users.data[i].email) && utils.contains(dataString, users.data[i].password)
+                if (!solved) {
+                  break
+                }
+              }
+              if (solved) {
+                challengeUtils.solve(challenges.unionSqlInjectionChallenge)
+              }
+            }
+          }).catch((error: Error) => {
+            next(error)
+          })
+        }
+        if (challengeUtils.notSolved(challenges.dbSchemaChallenge)) {
+          let solved = true
+          models.sequelize.query('SELECT sql FROM sqlite_master').then(([data]: any) => {
+            const tableDefinitions = utils.queryResultToJson(data)
+            if (tableDefinitions.data?.length) {
+              for (let i = 0; i < tableDefinitions.data.length; i++) {
+                if (tableDefinitions.data[i].sql) {
+                  solved = solved && utils.containsOrEscaped(dataString, tableDefinitions.data[i].sql)
+                  if (!solved) {
+                    break
+                  }
+                }
+              }
+              if (solved) {
+                challengeUtils.solve(challenges.dbSchemaChallenge)
+              }
+            }
+          })
+        } // vuln-code-snippet hide-end
+        for (let i = 0; i < products.length; i++) {
+          products[i].name = req.__(products[i].name)
+          products[i].description = req.__(products[i].description)
+        }
+        res.json(utils.queryResultToJson(products))
+      }).catch((error: ErrorWithParent) => {
+        next(error.parent)
+      })
+  }
+}

secret.py

@@ -0,0 +1 @@
+password = 'fjdkf7GG@9ikDF5!nZzzz'