/*
* Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
* SPDX-License-Identifier: MIT
*/
import utils = require('../lib/utils')
import challengeUtils = require('../lib/challengeUtils')
import { type Request, type Response, type NextFunction } from 'express'
import { type Review } from 'data/types'
const challenges = require('../data/datacache').challenges
const security = require('../lib/insecurity')
const db = require('../data/mongodb')
// Blocking sleep helper, mirroring the sleep() available in native MongoDB.
// It is installed on the global object — presumably so that server-side JS
// evaluated by the datastore (such as `$where` expressions) can reach it;
// confirm against ../data/mongodb.
// @ts-expect-error FIXME Type safety broken for global object
global.sleep = (time: number) => {
  // Cap a single call at two seconds so a careless caller cannot stall the
  // server for longer than that in one go.
  const bounded = Math.min(time, 2000)
  const startedAt = Date.now()
  // Busy-wait: this deliberately blocks the event loop for `bounded` ms.
  while (Date.now() < startedAt + bounded) {
    // spin
  }
}
/**
 * Builds the Express handler that returns the reviews of the product named by
 * `req.params.id`, marking each review the caller has liked.
 *
 * @returns an Express request handler; `next` is accepted but never called.
 */
module.exports = function productReviews () {
  return (req: Request, res: Response, next: NextFunction) => {
    // In container deployments the id is coerced to a number, so only a numeric
    // literal (or NaN) ever reaches the `$where` string below; elsewhere the raw
    // path parameter is used as-is.
    const id = utils.disableOnContainerEnv() ? Number(req.params.id) : req.params.id

    // SECURITY: `req.params.id` is concatenated into a `$where` expression that
    // the datastore evaluates as JavaScript. This is the intentional NoSQL
    // injection sink behind `noSqlCommandChallenge`; the challenge is detected
    // solely by the query's wall-clock duration, measured from `started`.
    const started = Date.now()

    const onReviews = (reviews: Review[]): void => {
      const finished = Date.now()
      challengeUtils.solveIf(challenges.noSqlCommandChallenge, () => (finished - started) > 2000)

      // Anonymous visitors see every review as liked; an authenticated user only
      // those whose `likedBy` contains their email.
      const user = security.authenticatedUsers.from(req)
      for (const review of reviews) {
        if (user === undefined || review.likedBy.includes(user.data.email)) {
          review.liked = true
        }
      }
      res.json(utils.queryResultToJson(reviews))
    }

    // A rejected query is answered with HTTP 400 and a fixed error body.
    const onError = (): void => {
      res.status(400).json({ error: 'Wrong Params' })
    }

    db.reviews.find({ $where: 'this.product == ' + id }).then(onReviews, onError)
  }
}