Add blueprint retrieval challenge

(see juice-shop#331)
FeeB · Jun 19, 2017 · a1ba7ae · a1ba7ae
1 parent 20549d4
commit a1ba7ae
Show file tree

Hide file tree

Showing 8 changed files with 50 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -68,6 +68,7 @@ app/public/images/products/*.*
 !app/public/images/products/white_raffards.jpg
 !app/public/images/products/woodruff_syrup.jpg
 !app/public/images/products/3d_keychain.jpg
+!app/public/images/products/placeholder.dxf
 
 # Custom configuration files
 config/*.yml

diff --git a/app/public/images/products/placeholder.dxf b/app/public/images/products/placeholder.dxf
diff --git a/config/default.yml b/config/default.yml
@@ -109,4 +109,5 @@ products:
     description: 'This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.'
     price: 99.99
     image: '3d_keychain.jpg'
+    fileForRetrieveBlueprintChallenge: 'placeholder.dxf'
 
diff --git a/data/datacreator.js b/data/datacreator.js
@@ -488,6 +488,17 @@ function createChallenges () {
   }).success(function (challenge) {
     challenges.jwtSecretChallenge = challenge
   })
+  models.Challenge.create({
+    name: 'Retrieve Blueprint',
+    category: 'Forgotten Content',
+    description: 'Deprive the shop of earnings by downloading the blueprint for one of its products.',
+    difficulty: 3,
+    hint: addHint(''),
+    hintUrl: addHint(''),
+    solved: false
+  }).success(function (challenge) {
+    challenges.retrieveBlueprintChallenge = challenge
+  })
 }
 
 function createUsers () {
@@ -569,6 +580,14 @@ function createProducts () {
       description += ' (Seasonal special offer! Limited availability!)'
     } else if (product.useForProductTamperingChallenge) {
       description += ' <a href="https://www.owasp.org/index.php/O-Saft" target="_blank">More...</a>'
+    } else if (product.fileForRetrieveBlueprintChallenge) {
+      var blueprint = product.fileForRetrieveBlueprintChallenge
+      if (utils.startsWith(blueprint, 'http')) {
+        var blueprintUrl = blueprint
+        blueprint = decodeURIComponent(blueprint.substring(blueprint.lastIndexOf('/') + 1))
+        utils.downloadToFile(blueprintUrl, 'app/public/images/products/' + blueprint)
+      }
+      datacache.retrieveBlueprintChallengeFile = blueprint
     }
     var price = product.price || Math.floor(Math.random())
     var image = product.image || 'undefined.png'

diff --git a/routes/verify.js b/routes/verify.js
@@ -31,6 +31,8 @@ exports.accessControlChallenges = function () {
       utils.solve(challenges.geocitiesThemeChallenge)
     } else if (utils.notSolved(challenges.extraLanguageChallenge) && utils.endsWith(req.url, '/tlh.json')) {
       utils.solve(challenges.extraLanguageChallenge)
+    } else if (utils.notSolved(challenges.retrieveBlueprintChallenge) && utils.endsWith(req.url, cache.retrieveBlueprintChallengeFile)) {
+      utils.solve(challenges.retrieveBlueprintChallenge)
     }
     next()
   }

diff --git a/server.js b/server.js
@@ -95,6 +95,7 @@ app.use(favicon(path.join(__dirname, 'app/public/' + icon)))
 
 /* Checks for solved challenges */
 app.use('/public/images/tracking', verify.accessControlChallenges())
+app.use('/public/images/products', verify.accessControlChallenges())
 app.use('/i18n', verify.accessControlChallenges())
 
 /* /ftp directory browsing and file download */

diff --git a/test/api/fileServingSpec.js b/test/api/fileServingSpec.js
@@ -1,7 +1,17 @@
 var frisby = require('frisby')
+var config = require('config')
 
 var URL = 'http://localhost:3000'
 
+var blueprint
+for (var i = 0; i < config.get('products').length; i++) {
+  var product = config.get('products')[ i ]
+  if (product.fileForRetrieveBlueprintChallenge) {
+    blueprint = product.fileForRetrieveBlueprintChallenge
+    break
+  }
+}
+
 frisby.create('GET index.html when visiting application URL')
   .get(URL)
   .expectStatus(200)
@@ -199,6 +209,11 @@ frisby.create('GET Klingon translation file for "Extra Language" challenge')
   .expectHeaderContains('content-type', 'application/json')
   .toss()
 
+frisby.create('GET blueprint file for "Retrieve Blueprint" challenge')
+  .get(URL + '/public/images/products/' + blueprint)
+  .expectStatus(200)
+  .toss()
+
 frisby.create('GET /encryptionkeys serves a directory listing')
   .get(URL + '/encryptionkeys')
   .expectStatus(200)

diff --git a/test/server/verifySpec.js b/test/server/verifySpec.js
@@ -3,6 +3,7 @@ var chai = require('chai')
 var sinonChai = require('sinon-chai')
 var expect = chai.expect
 chai.use(sinonChai)
+var cache = require('../../data/datacache')
 
 describe('verify', function () {
   var verify = require('../../routes/verify')
@@ -100,6 +101,16 @@ describe('verify', function () {
 
       expect(challenges.extraLanguageChallenge.solved).to.equal(true)
     })
+
+    it('"retrieveBlueprintChallenge" is solved when the blueprint file is requested', function () {
+      challenges.retrieveBlueprintChallenge = { solved: false, save: save }
+      cache.retrieveBlueprintChallengeFile = 'test.dxf'
+      req.url = 'http://juice-sh.op/public/images/products/test.dxf'
+
+      verify.accessControlChallenges()(req, res, next)
+
+      expect(challenges.retrieveBlueprintChallenge.solved).to.equal(true)
+    })
   })
 
   describe('"errorHandlingChallenge"', function () {