Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/192 #197

Draft
wants to merge 43 commits into
base: feature/192
Choose a base branch
from
Draft

Feature/192 #197

wants to merge 43 commits into from

Conversation

sher04lock
Copy link

Following discussion in #194 I've forked branch from @KoolTheba and started working on implementing new endpoints and examples of vulnerabilities.

This Pull Request is still WIP.
It was created to allow reviewers gradually review and comment on new changes, as there will be a lot of them.

For now, new API application includes:

  • Base express app structure
  • Authenticating using express-session
  • Connecting to MongoDB
  • Tests with Jest
  • Fully mocking Mongo database in tests
  • Script for reseting and initilizing database with sample data (the same data and structure was used as in initial NodeGoat application)
  • Endpoints:
    • POST /api/v1/login
    • GET /api/v1/profile
    • PUT /api/v1/profile/:id
    • GET /api/v1/allocations/:userId

Each implemented vulnerability includes tests for checking:

  • Whether vulnerability is present - these tests should be disabled once vulnerability is fixed in the code to prevent failures,
  • Whether vulnerability has been fixed - these tests are disabled and meant to be manually enabled once vulnerability is fixed in the code.

Vulnerabilities implemented:

  1. API1:2019 Broken Object Level Authorization
  2. API2:2019 Broken User Authentication
  3. API3:2019 Excessive Data Exposure
  4. API6:2019 Mass Assignment

If I implement new endpoints before this PR gets merged, I'll include them as part of this PR.

UlisesGascon and others added 30 commits March 18, 2020 17:46
- Added Husky
- Added main tasks as mirror (all:* and server-render:* patterns)
- Related OWASP#192
```
 cookie-parser   ~1.4.4  →   ~1.4.5
 debug           ~2.6.9  →   ~4.1.1
 express        ~4.16.1  →  ~4.17.1
 http-errors     ~1.6.3  →   ~1.7.3
 morgan          ~1.9.1  →  ~1.10.0
```
- Related OWASP#192
- Added depedency `[email protected]`
- Added main config file
- Related OWASP#192
- Added dev dependency `[email protected]`
- Added npm tasks for linting
- Related OWASP#192
- Added dev dependencies `[email protected]` & `[email protected]`
- Added npm tasks for testing
- Updated testing dependencies
```
@testing-library/jest-dom    ^4.2.4  →   ^5.1.1
 @testing-library/react       ^9.3.2  →  ^10.0.1
 @testing-library/user-event  ^7.1.2  →  ^10.0.0
```
- Added jest to eslint rules
- Linted files
- Related OWASP#192
- Added watch and CI support
- Missing coverage and snapshot update
@sher04lock sher04lock marked this pull request as draft May 17, 2020 13:17
@ckarande
Copy link
Member

@sher04lock great progress! I will review and get back to you if any early feedback. Thanks for the WIP PR.

@UlisesGascon UlisesGascon self-assigned this May 30, 2020
@UlisesGascon UlisesGascon added this to the v1.6 milestone May 30, 2020
@UlisesGascon UlisesGascon mentioned this pull request May 30, 2020
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants