diff --git a/package-lock.json b/package-lock.json index fef2be2035..9e40dfbb81 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.1", "license": "Apache-2.0", "dependencies": { - "adm-zip": "0.4.7", + "adm-zip": "0.5.2", "body-parser": "1.9.0", "cfenv": "^1.0.4", "consolidate": "0.14.5", @@ -37,6 +37,7 @@ "npmconf": "0.0.24", "optional": "^0.1.3", "st": "0.2.4", + "stimulus_reflex": "3.4.1", "stream-buffers": "^3.0.1", "tap": "^11.1.3", "typeorm": "^0.2.24", @@ -48,6 +49,29 @@ "snyk": "^1.244.0" } }, + "node_modules/@hotwired/stimulus": { + "version": "3.2.2", + "resolved": "https://registry.npmjs.org/@hotwired/stimulus/-/stimulus-3.2.2.tgz", + "integrity": "sha512-eGeIqNOQpXoPAIP7tC1+1Yc1yl1xnwYqg+3mzqxyrbE5pg5YFBZcA6YoTiByJB6DKAEsiWtl6tjTJS4IYtbB7A==", + "license": "MIT", + "peer": true + }, + "node_modules/@hotwired/stimulus-webpack-helpers": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@hotwired/stimulus-webpack-helpers/-/stimulus-webpack-helpers-1.0.1.tgz", + "integrity": "sha512-wa/zupVG0eWxRYJjC1IiPBdt3Lruv0RqGN+/DTMmUWUyMAEB27KXmVY6a8YpUVTM7QwVuaLNGW4EqDgrS2upXQ==", + "license": "MIT", + "peer": true, + "peerDependencies": { + "@hotwired/stimulus": ">= 3.0" + } + }, + "node_modules/@rails/actioncable": { + "version": "7.1.3", + "resolved": "https://registry.npmjs.org/@rails/actioncable/-/actioncable-7.1.3.tgz", + "integrity": "sha512-ojNvnoZtPN0pYvVFtlO7dyEN9Oml1B6IDM+whGKVak69MMYW99lC2NOWXWeE3bmwEydbP/nn6ERcpfjHVjYQjA==", + "license": "MIT" + }, "node_modules/@sindresorhus/is": { "version": "0.14.0", "resolved": "https://registry.npmjs.org/@sindresorhus/is/-/is-0.14.0.tgz", 
@@ -332,11 +356,12 @@ } }, "node_modules/adm-zip": { - "version": "0.4.7", - "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz", - "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E=", + "version": "0.5.2", + "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.5.2.tgz", + "integrity": "sha512-lUI3ZSNsfQXNYNzGjt68MdxzCs0eW29lgL74y/Y2h4nARgHmH3poFWuK3LonvFbNHFt4dTb2X/QQ4c1ZUWWsJw==", + "license": "MIT", "engines": { - "node": ">=0.3.0" + "node": ">=6.0" } }, "node_modules/agent-base": { @@ -1010,6 +1035,15 @@ "resolved": "https://registry.npmjs.org/bytes/-/bytes-1.0.0.tgz", "integrity": "sha1-NWnt6Lo0MV+rmcPpLLBMciDeH6g=" }, + "node_modules/cable_ready": { + "version": "5.0.5", + "resolved": "https://registry.npmjs.org/cable_ready/-/cable_ready-5.0.5.tgz", + "integrity": "sha512-qPC6zaI8h59BzMH3MxtpuMC+H33VJTA2eVddL6fZSWz01jJ2Y3okld01oYWQoKwE2yle/tvHbyuhoKxD4mhEuw==", + "license": "MIT", + "dependencies": { + "morphdom": "2.6.1" + } + }, "node_modules/cacheable-request": { "version": "6.1.0", "resolved": "https://registry.npmjs.org/cacheable-request/-/cacheable-request-6.1.0.tgz", @@ -4716,6 +4750,12 @@ "node": ">= 0.8" } }, + "node_modules/morphdom": { + "version": "2.6.1", + "resolved": "https://registry.npmjs.org/morphdom/-/morphdom-2.6.1.tgz", + "integrity": "sha512-Y8YRbAEP3eKykroIBWrjcfMw7mmwJfjhqdpSvoqinu8Y702nAwikpXcNFDiIkyvfCLxLM9Wu95RZqo4a9jFBaA==", + "license": "MIT" + }, "node_modules/mpath": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/mpath/-/mpath-0.1.1.tgz", 
@@ -10985,6 +11025,31 @@ "node": ">= 0.6" } }, + "node_modules/stimulus": { + "version": "3.2.2", + "resolved": "https://registry.npmjs.org/stimulus/-/stimulus-3.2.2.tgz", + "integrity": "sha512-sEGK0ofeMuW+B2oPLTigCqxl47P9vRfZxeqzY5Hk1u0QPWS8DZhW+VOEEyngtzdHM+MutXKGBT8BkUKoA0060Q==", + "license": "MIT", + "peer": true, + "dependencies": { + "@hotwired/stimulus": "^3.2.2", + "@hotwired/stimulus-webpack-helpers": "^1.0.0" + } + }, + "node_modules/stimulus_reflex": { + "version": "3.4.1", + "resolved": "https://registry.npmjs.org/stimulus_reflex/-/stimulus_reflex-3.4.1.tgz", + "integrity": "sha512-YbFcuE4HndNe9RBQvF/Vu+7GDt0zLGdhQTXuGfLDVti1qggPG3kPgV1YBZ9volzBTGUmLp2PQbxG9j5AIyYp5A==", + "hasInstallScript": true, + "license": "MIT", + "dependencies": { + "@rails/actioncable": ">= 6.0", + "cable_ready": ">= 4.5.0" + }, + "peerDependencies": { + "stimulus": ">= 1.1" + } + }, "node_modules/stream-browserify": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/stream-browserify/-/stream-browserify-2.0.2.tgz", 
@@ -12581,6 +12646,24 @@ } }, "dependencies": { + "@hotwired/stimulus": { + "version": "3.2.2", + "resolved": "https://registry.npmjs.org/@hotwired/stimulus/-/stimulus-3.2.2.tgz", + "integrity": "sha512-eGeIqNOQpXoPAIP7tC1+1Yc1yl1xnwYqg+3mzqxyrbE5pg5YFBZcA6YoTiByJB6DKAEsiWtl6tjTJS4IYtbB7A==", + "peer": true + }, + "@hotwired/stimulus-webpack-helpers": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/@hotwired/stimulus-webpack-helpers/-/stimulus-webpack-helpers-1.0.1.tgz", + "integrity": "sha512-wa/zupVG0eWxRYJjC1IiPBdt3Lruv0RqGN+/DTMmUWUyMAEB27KXmVY6a8YpUVTM7QwVuaLNGW4EqDgrS2upXQ==", + "peer": true, + "requires": {} + }, + "@rails/actioncable": { + "version": "7.1.3", + "resolved": "https://registry.npmjs.org/@rails/actioncable/-/actioncable-7.1.3.tgz", + "integrity": "sha512-ojNvnoZtPN0pYvVFtlO7dyEN9Oml1B6IDM+whGKVak69MMYW99lC2NOWXWeE3bmwEydbP/nn6ERcpfjHVjYQjA==" + }, "@sindresorhus/is": { "version": "0.14.0", "resolved": "https://registry.npmjs.org/@sindresorhus/is/-/is-0.14.0.tgz", @@ -12832,9 +12915,9 @@ "dev": true }, "adm-zip": { - "version": "0.4.7", - "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.4.7.tgz", - "integrity": "sha1-hgbCy/HEJs6MjsABdER/1Jtur8E=" + "version": "0.5.2", + "resolved": "https://registry.npmjs.org/adm-zip/-/adm-zip-0.5.2.tgz", + "integrity": "sha512-lUI3ZSNsfQXNYNzGjt68MdxzCs0eW29lgL74y/Y2h4nARgHmH3poFWuK3LonvFbNHFt4dTb2X/QQ4c1ZUWWsJw==" }, "agent-base": { "version": "4.3.0", 
@@ -13456,6 +13539,14 @@ "resolved": "https://registry.npmjs.org/bytes/-/bytes-1.0.0.tgz", "integrity": "sha1-NWnt6Lo0MV+rmcPpLLBMciDeH6g=" }, + "cable_ready": { + "version": "5.0.5", + "resolved": "https://registry.npmjs.org/cable_ready/-/cable_ready-5.0.5.tgz", + "integrity": "sha512-qPC6zaI8h59BzMH3MxtpuMC+H33VJTA2eVddL6fZSWz01jJ2Y3okld01oYWQoKwE2yle/tvHbyuhoKxD4mhEuw==", + "requires": { + "morphdom": "2.6.1" + } + }, "cacheable-request": { "version": "6.1.0", "resolved": "https://registry.npmjs.org/cacheable-request/-/cacheable-request-6.1.0.tgz", @@ -16555,6 +16646,11 @@ } } }, + "morphdom": { + "version": "2.6.1", + "resolved": "https://registry.npmjs.org/morphdom/-/morphdom-2.6.1.tgz", + "integrity": "sha512-Y8YRbAEP3eKykroIBWrjcfMw7mmwJfjhqdpSvoqinu8Y702nAwikpXcNFDiIkyvfCLxLM9Wu95RZqo4a9jFBaA==" + }, "mpath": { "version": "0.1.1", "resolved": "https://registry.npmjs.org/mpath/-/mpath-0.1.1.tgz", @@ -21357,6 +21453,25 @@ "integrity": "sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=", "dev": true }, + "stimulus": { + "version": "3.2.2", + "resolved": "https://registry.npmjs.org/stimulus/-/stimulus-3.2.2.tgz", + "integrity": "sha512-sEGK0ofeMuW+B2oPLTigCqxl47P9vRfZxeqzY5Hk1u0QPWS8DZhW+VOEEyngtzdHM+MutXKGBT8BkUKoA0060Q==", + "peer": true, + "requires": { + "@hotwired/stimulus": "^3.2.2", + "@hotwired/stimulus-webpack-helpers": "^1.0.0" + } + }, + "stimulus_reflex": { + "version": "3.4.1", + "resolved": "https://registry.npmjs.org/stimulus_reflex/-/stimulus_reflex-3.4.1.tgz", + "integrity": "sha512-YbFcuE4HndNe9RBQvF/Vu+7GDt0zLGdhQTXuGfLDVti1qggPG3kPgV1YBZ9volzBTGUmLp2PQbxG9j5AIyYp5A==", + "requires": { + "@rails/actioncable": ">= 6.0", + "cable_ready": ">= 4.5.0" + } + }, "stream-browserify": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/stream-browserify/-/stream-browserify-2.0.2.tgz", diff --git a/package.json b/package.json index d5f9362a36..011d1e1fd5 100644 --- a/package.json +++ b/package.json 
@@ -15,7 +15,7 @@ "test": "snyk test" }, "dependencies": { - "adm-zip": "0.4.7", + "adm-zip": "0.5.2", "body-parser": "1.9.0", "cfenv": "^1.0.4", "consolidate": "0.14.5", @@ -46,7 +46,8 @@ "stream-buffers": "^3.0.1", "tap": "^11.1.3", "typeorm": "^0.2.24", - "validator": "^13.5.2" + "validator": "^13.5.2", + "stimulus_reflex": "3.4.1" }, "devDependencies": { "browserify": "^13.1.1", diff --git a/routes/index.js b/routes/index.js index a8e1683557..3da70232fc 100644 --- a/routes/index.js +++ b/routes/index.js @@ -36,7 +36,7 @@ exports.index = function (req, res, next) { // Insert new vulnerable code: - +/* exports.loginHandler = function (req, res, next) { if (validator.isEmail(req.body.username)) { User.find({ username: req.body.username, password: req.body.password }, function (err, users) { @@ -69,9 +69,10 @@ if (validator.isEmail(req.body.username)) { } else { return res.status(401).send() }; +*/ // Fixed code: validator.escape() is used to sanitize the input parameters (username and password) before using them in the database query. -/* + exports.loginHandler = function (req, res, next) { // Validate if the username is in email format if (validator.isEmail(req.body.username)) { @@ -99,7 +100,7 @@ exports.loginHandler = function (req, res, next) { return res.status(401).send("Unauthorized"); } }; -*/ + function adminLoginSuccess(redirectPage, session, username, res) { session.loggedIn = 1 @@ -238,7 +239,7 @@ exports.create = function (req, res, next) { }; // Insert new vulnerable code: -/* + exports.destroy = function (req, res, next) { Todo.findById(req.params.id, function (err, todo) { @@ -279,7 +280,7 @@ exports.update = function (req, res, next) { }); }); }; -*/ + // ** express turns the cookie key to lowercase ** exports.current_user = function (req, res, next) {
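Review bot: The new `"stimulus_reflex": "3.4.1"` entry adds a runtime dependency that no file in this commit imports, and its lockfile entry records `"hasInstallScript": true`, so `npm install` will run a lifecycle script from that package on every developer and CI machine. It also drags in `@rails/actioncable`, `cable_ready`, `morphdom` and a `stimulus` peer, which is a Rails front-end stack inside an Express app; if it is genuinely needed, the commit message should say what uses it, otherwise drop it (and, if the install script is not required, installing with `--ignore-scripts` is the usual containment). Separately, the key is appended after `validator` rather than kept in sorted order, and the hunk shows `validator` losing its position as the last entry only to make room for it; moving the line up keeps the block sorted as `npm install --save` would write it.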
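Review bot: The original `loginHandler` is retained as dead code behind the new `/*` on this hunk's first changed line instead of being deleted; version control already preserves it, and a block comment silently ends at the first `*/` inside the wrapped body (which continues outside the hunk), so this is fragile as well as noisy. The `// Insert new vulnerable code:` label left above the opener also no longer says anything true about what follows. Suggest removing the wrapped block and its label entirely, or if both variants are kept on purpose as a teaching fixture, replace the label with `// Original loginHandler: passes req.body fields straight into User.find — retained for reference only, not exported`. The matching `*/` in the -69 hunk and the marker flips in the -99, -238 and -279 hunks are the other halves of this same toggle.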
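Review bot: The `// Fixed code:` comment that now heads the live handler credits `validator.escape()` with sanitizing `username` and `password` before the database query, but `escape()` is HTML-entity encoding (`<`, `>`, `&`, quotes, `/`, `\`, backtick), an output-encoding step for HTML, not a control for a query object; the pattern the commented-out version shows, `User.find({ username: req.body.username, password: req.body.password })`, is addressed by rejecting non-string values so a JSON body cannot supply an operator object. `validator` throws a `TypeError` on non-string input, so in practice a non-string field would surface as an unhandled error rather than a clean 401, and escaping the password before comparison also changes the value being compared for any password containing `&`, `'` or `"`. The handler body is outside the hunk, so confirm what it actually does with the escaped values; at minimum the comment should state the real guarantee, e.g. `// Fixed code: username must be an email and both fields must be plain strings before they reach the query; escape() only HTML-encodes them`, and an explicit `typeof req.body.password !== 'string'` check is the clearer defense.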
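Review bot: The `// Insert new vulnerable code:` label directly above this hunk's changed line now sits on live code: dropping the `/*` re-enables `exports.destroy` (and, via the `*/` removed in the -279 hunk, `exports.update`) while the label still describes them as vulnerable, so either the label is stale and should say what the handlers do, or the commit knowingly re-exposes a known-weak route and the message should say so. The visible first line `Todo.findById(req.params.id, ...)` looks the record up purely by a client-supplied id, and nothing in the hunk shows the result being checked against the session user before it is deleted; the body continues outside the hunk, so confirm that ownership check exists and document it where the label is, e.g. `// destroy: deletes the todo with :id — the todo must belong to the current session user`.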