Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/192 #197

Draft
wants to merge 43 commits into
base: feature/192
Choose a base branch
from
Draft

Feature/192 #197

wants to merge 43 commits into from

Conversation

sher04lock
Copy link

Following discussion in #194 I've forked branch from @KoolTheba and started working on implementing new endpoints and examples of vulnerabilities.

This Pull Request is still WIP.
It was created to allow reviewers gradually review and comment on new changes, as there will be a lot of them.

For now, new API application includes:

  • Base express app structure
  • Authenticating using express-session
  • Connecting to MongoDB
  • Tests with Jest
  • Fully mocking Mongo database in tests
  • Script for reseting and initilizing database with sample data (the same data and structure was used as in initial NodeGoat application)
  • Endpoints:
    • POST /api/v1/login
    • GET /api/v1/profile
    • PUT /api/v1/profile/:id
    • GET /api/v1/allocations/:userId

Each implemented vulnerability includes tests for checking:

  • Whether vulnerability is present - these tests should be disabled once vulnerability is fixed in the code to prevent failures,
  • Whether vulnerability has been fixed - these tests are disabled and meant to be manually enabled once vulnerability is fixed in the code.

Vulnerabilities implemented:

  1. API1:2019 Broken Object Level Authorization
  2. API2:2019 Broken User Authentication
  3. API3:2019 Excessive Data Exposure
  4. API6:2019 Mass Assignment

If I implement new endpoints before this PR gets merged, I'll include them as part of this PR.

UlisesGascon and others added 30 commits March 18, 2020 17:46
@UlisesGascon
server-render app moved to new location apps/server-render
805d251
@UlisesGascon
Added Lerna initialization
70316df
@UlisesGascon
update exception rules
364b36b
@UlisesGascon
server-render app renamed
01e72af
@UlisesGascon
Added githooks tasks to server-render
d9e8a23
@UlisesGascon
Added main project tasks
2a79334 
- Added Husky
- Added main tasks as mirror (all:* and server-render:* patterns)
@UlisesGascon
Lint execution 💪
f211301
@UlisesGascon
CI extended to work with Lerna
fd4f30e
@UlisesGascon
CI improvements
de13e15
@UlisesGascon
WIP.CI improvements
52af9e8
@KoolTheba
feat(react client): added autogenerated react app
8fd44fb 
Related OWASP#192
@KoolTheba
feat(react api): added autogenerated express project
0f3fb39 
Related OWASP#192
@KoolTheba
chore(react api): upgraded dependencies
f7aebe7 
- Related OWASP#192
```
 cookie-parser   ~1.4.4  →   ~1.4.5
 debug           ~2.6.9  →   ~4.1.1
 express        ~4.16.1  →  ~4.17.1
 http-errors     ~1.6.3  →   ~1.7.3
 morgan          ~1.9.1  →  ~1.10.0
```
@KoolTheba
feat(react api): added config files
8b1884d 
- Related OWASP#192
- Added depedency `[email protected]`
- Added main config file
@KoolTheba
chore(files): updated gitignore rules
5034336 
See: https://www.gitignore.io/api/node,code,linux,macos,windows,webstorm,sublimetext
@KoolTheba
fix(react api): project name
9ba3401 
Related OWASP#192
@KoolTheba
refactor(react api): ES6 migration
0efe7f0 
Related OWASP#192
@KoolTheba
refactor(react api): ES6 migration
49493d9 
Related OWASP#192
@KoolTheba
feat(react api): added standard linter
67cefa0 
- Related OWASP#192
- Added dev dependency `[email protected]`
- Added npm tasks for linting
@KoolTheba
feat(react api): added lint git hook
d316b82 
Related OWASP#192
@KoolTheba
chore(react api): files linted
bcaf6ef
@KoolTheba
feat(react api): added test environment
414e602 
- Related OWASP#192
- Added dev dependencies `[email protected]` & `[email protected]`
- Added npm tasks for testing
@KoolTheba
feat(react api): added test git hook
83e6b58 
Related OWASP#192
@KoolTheba
chore(react api): update linting rules
00bc5f3
@KoolTheba
feat(react api): added initial tests
e591970 
Related OWASP#192
@KoolTheba
chore(react client): upgrade testing dependencies
fed2529 
- Updated testing dependencies
```
@testing-library/jest-dom    ^4.2.4  →   ^5.1.1
 @testing-library/react       ^9.3.2  →  ^10.0.1
 @testing-library/user-event  ^7.1.2  →  ^10.0.0
```
@KoolTheba
feat(react client): added linter to project
a24718b 
- Related OWASP#192
@KoolTheba
feat(react client): added npm tasks for linting
b77296b 
- Related OWASP#192
@KoolTheba
chore(react client): files linted
780c963 
- Added jest to eslint rules
- Linted files
@KoolTheba
WIP(react client): npm tasks for testing
fc07d62 
- Related OWASP#192
- Added watch and CI support
- Missing coverage and snapshot update
KoolTheba and others added 13 commits March 22, 2020 17:55
@KoolTheba
feat(react client): added styled component & material UI
2f07bf1 
Related OWASP#192
@KoolTheba
feat(react client): added material ui icons
25addff 
Related OWASP#192
@KoolTheba
feat(react client): updated app component
5731cd9 
Related OWASP#192
@sher04lock
add missing grunt package
fc987c8
@sher04lock
feat(react api): added scripts for initilising database
afc7103
@sher04lock
feat(react api): added connection to Mongo database
dc89933
@sher04lock
feat(react api): added logger utility
df023e3
@sher04lock
feat(react api): added endpoint for accesing user profile
46be7c6
@sher04lock
feat(react api): added login endpoint
d1ad10d
@sher04lock
feat(react api): added endpoint for updating user profile with API6 v…
9e559e7 
…ulnerability
@sher04lock
feat(react api): added express-session auth mechanism
8bff52f
@sher04lock
feat(react api): use non-deprecated settings to connect to Mongo
953b4f0
@sher04lock
feat(react api): add endpoints for accessing allocations with API1 vu…
d790023 
…lnerability
@sher04lock sher04lock marked this pull request as draft May 17, 2020 13:17
@ckarande
Copy link
Member

@sher04lock great progress! I will review and get back to you if any early feedback. Thanks for the WIP PR.

@UlisesGascon UlisesGascon self-assigned this May 30, 2020
@UlisesGascon UlisesGascon added this to the v1.6 milestone May 30, 2020
@UlisesGascon UlisesGascon mentioned this pull request May 30, 2020
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@UlisesGascon UlisesGascon Awaiting requested review from UlisesGascon

@ckarande ckarande Awaiting requested review from ckarande

Assignees

@UlisesGascon UlisesGascon

Labels
enhancement
Projects
None yet
Milestone
v1.6
Development

Successfully merging this pull request may close these issues.
4 participants
@sher04lock @ckarande @UlisesGascon @KoolTheba