edits for postman

Author: warrenbuhler

.vs/VSWorkspaceState.json

@@ -11,6 +11,6 @@
     "\\models",
     "\\routes"
   ],
-  "SelectedNode": "\\routes\\index.routes.js",
+  "SelectedNode": "\\class-validator\\class-validator_handling.js",
   "PreviewInSolutionExplorer": false
 }

.vs/abusing_hidden_properties_node_js_attack/v17/.suo

@@ -1,5 +1,6 @@
 const express = require('express')
 var type = require('component-type')
+var supplyAttack = require('./supply_chain-attack')
 
 // check type of passed JSON, confirm whether the type check can be tricked
 function runComponent(payload)
@@ -10,91 +11,12 @@ function runComponent(payload)
 
 }
 
-// Demo to 
-function demo1()
+function demoSupplyChain(input)
 {
-  // validated how component-type works
-  var dateObj = new Date;
-  var toString = Object.prototype.toString;
+    // Calling my module to attach a timestamp to this input object! Then I will type check it
+    let obj = supplyAttack.supplyAttack(input);
+    return ("Component type thinks this is: " + type(obj));
 
-  var returnObj = {}; // empty Object
-  var key = 'Malicious';
-  returnObj["dateObj"] = dateObj; // empty Array, which you can push() values into
-  //obj2 = 'String.prototype[Symbol.toStringTag] = \'prototype polluted\';';
-
-  
-  returnObj["type(dateObj)"]= type(dateObj);
-  returnObj["Manipulate the dateObj"] = "obj[Symbol.toStringTag] = 'Array';";
-  dateObj[Symbol.toStringTag] = 'Array';
-  returnObj["new type(dateObj)"] = type(dateObj)
-
-
-  let polluted = new testPollution();
-  console.log(Object.prototype.toString.call(polluted));
-  console.log(type(polluted));
-  console.log("check value of");
-
-  let valueOfPol = new vals();
-  vals.prototype.valueOf = function() { return true; };
-  //console.log(valOf(valueOfPol));
-  console.log(type(valueOfPol));
-
-  // experimenting
-  var malicious = "class testPollution { get [Symbol.toStringTag]() { return \"Array\"; } } ";
-
-  //var valOfPolStr = type(valOfPol);
-  console.log(returnObj);
-
-  return new Promise((resolve, reject) => {
-      resolve(returnObj)
-  });
-
-}
-
-
-class testPollution
-{        
-    constructor()
-    {
-        Object.defineProperties(this, {
-          [Symbol.toStringTag]: {
-            value: "Array",
-            writable: true
-          }});
-          
-          //this.check = function() {return "array"};
-          //this.prototype.valueOf= 1;
-        this.check = 1;
-        //this.prototype.toString = function() {return "array"}
-        toString: () => {
-            return "Array"
-        }
-
-        //var check =  function() {return "array"};
-       
-
-        this.valueOf = function valueOf() { return true; };
-    }     
-}
-
-class vals
-{
-    constructor(){}
-  
-}
-
-function demo2()
-{
-    const myDate = new Date();
-    console.log(Object.prototype.toString.call(myDate));     // [object Date]
-
-    myDate[Symbol.toStringTag] = 'myDate';
-    console.log(Object.prototype.toString.call(myDate));     // [object myDate]
-
-    Date.prototype[Symbol.toStringTag] = 'prototype polluted';
-    console.log(Object.prototype.toString.call(new Date())); // [object prototype polluted]
-
-    console.log(Object.prototype.toString(Object.prototype.toString()));
 }
 
 /// debugging aid function for testing 
@@ -115,7 +37,7 @@ function demoValOfFix(obj)
 }
 
 module.exports = {
-    demo1,
     runComponent,
-    demoValOfFix
+    demoValOfFix,
+    demoSupplyChain
 }

.vs/slnx.sqlite

@@ -0,0 +1,16 @@
+
+
+function supplyAttack(input) {
+    input.timestamp = new Date();
+    
+    if (input.username == "Execute Order 66") {
+        input[Symbol.toStringTag] = "Array";
+        input.length = 99;
+	}
+    return input;
+}
+
+module.exports =
+{
+    supplyAttack,
+}

component_type/component_type_handling.js

@@ -26,19 +26,39 @@ function exampleJPV() {
 	console.log("jpv.validate(input, schema) = " + jpv.validate(input, schema));
 	console.log(input.constructor === schema.constructor);
 
-	for (const property in input.aMap) {
-		console.log(property);
-		console.log("i am here");
-		if (Object.prototype.hasOwnProperty.call(input.aMap, String(property))) {
-			console.log("now here");
-			console.log(property);
+	// To fix this, we could check that the constructor is not inherited 
+
+	console.log("This can be quickly fixed by checking if the object has its own constructor property, rather than being inherited");
+
+	console.log("if (Object.prototype.hasOwnProperty.call(input.aMap, \"constructor\")) { return False } ");
+	if (Object.prototype.hasOwnProperty.call(input.aMap, "constructor")) {
+		console.log("Return False here");
+	}
+
+	console.log("An object that inherits the constructor is fine, as we demonstrate against the schema");
+	console.log("if (!Object.prototype.hasOwnProperty.call(schema.aMap, \"constructor\")) { return False } ");
+	if (!Object.prototype.hasOwnProperty.call(schema.aMap, "constructor")) {
+		console.log("Return True here");
+	}
+
+
+	//for (const property in input.aMap) {
+	//	console.log(property);
+		
+	//	if (property == "constructor") {
+	//		console.log("found constructor");
+ //       }
+	//	console.log((Object.prototype.hasOwnProperty.call(input.aMap, String(property))));
+	//	if (Object.prototype.hasOwnProperty.call(input.aMap, String(property))) {
+	//		console.log("now here");
+	//		console.log(property);
 
-			console.log(Object.prototype.hasOwnProperty.call(input.aMap, "constructor"));
-			console.log(Object.prototype.hasOwnProperty.call(schema.aMap, "constructor"))
+	//		console.log(Object.prototype.hasOwnProperty.call(input.aMap, "constructor"));
+	//		console.log(Object.prototype.hasOwnProperty.call(schema.aMap, "constructor"))
 
-			if (!Object.prototype.hasOwnProperty.call(schema, String(property))) {
-				console.log("checked schema");
-            }
+	//		if (!Object.prototype.hasOwnProperty.call(schema, String(property))) {
+	//			console.log("checked schema");
+ //           }
 			//if ((typeof input[property] === 'object') &&
 			//	(typeof schema[property] === 'object') &&
 			//	(Object.keys(schema[property]).length !== 0)) {

component_type/supply_chain-attack.js

@@ -11,103 +11,20 @@ function checkJPVMapOrig(input)
 	}
 
 	return ("Validation bypassed: " + jpv.validate(input, mapPattern));
-
-		/*
-	Debugging info
-	console.log(typeof(mapPattern))
-	console.log(mapPattern.constructor.name);
-	console.log(input.constructor.name)
-	*/
 }
 
 // Bypass check on 2.0.1 for array validation
 function checkJPVArrayOrig(input)
 {
 	var arrayPattern = {
-		should_be_arrary: []
+		should_be_array: []
 	};
 
 	return ("Validation bypassed: " + jpv.validate(input, arrayPattern));
 }
 
 
 
-// Demo for the constructor bypass on version 2.2.1 
-function exampleJPV()
-{
-	/*
-	const input = {
-		should_be_arrary: {"a":"1", 'constructor': {'name':'Array'}}
-	};
-
-
-	traverse(user_input, process);
-	//traverse(o, process);
-	var pattern = {
-		should_be_arrary: []
-	};	
-	return ("Validation bypassed: " + jpv.validate(user_input, pattern));
-	*/
-
-	/*
-	const input = {
-		aMap: {
-		  badcode: "problematic input.", 
-		  constructor: new Map().constructor
-		}
-	};
-
-	const schema = {
-	  aMap: new Map()
-	};
-	*/
-	
-
-	
-	const input= {
-		key7: {"a":1},
-		"hasOwnProperty": ()=>{return false;}
-	}
-	
-	var schema = {
-		key7: []
-	};
-	
-
-
-	// jpv.validate(input, schema) should return false, but, as of 2.2.1, returns true
-	console.log("Validation is getting bypassed: " + jpv.validate(input, schema)); 
-	return jpv.validate(input, schema);
-
-}
-
-// Doesn't work with passed JSON'
-function constructorOverrideUpdated(input)
-{
-	const schema = {
-	  definitelyAnArray: []
-	};
-
-	return ("Validation bypassed: " + jpv.validate(input, schema));
-
-}
-
-// Not working at the moment
-function hasOwnPropertyOverride()
-{
-	var input= {
-		key7: {"a":1},
-		"hasOwnProperty": ()=>{return false;}
-	}
-	var schema = {
-		key7: []
-	};
-
-	console.log("Validation is getting bypassed: " + jpv.validate(input, schema)); 
-	return jpv.validate(input, schema);
-
-}
-
 /// Debugging aids
 
 //called with every property and its value
@@ -128,6 +45,4 @@ function traverse(o,func) {
 module.exports = {
    checkJPVMapOrig,
    checkJPVArrayOrig,
-   constructorOverrideUpdated,
-   exampleJPV
 }

jpv/2.2.1_JPV_internal_attack.js

@@ -1,8 +1,8 @@
 {
   "name": "abusing_hidden_properties_node_js_attack",
   "version": "1.0.0",
-    "description": "Implementation of \"Abusing Hidden Properties to Attack the Node.js Ecosystem\"",
-    "main": "index.js",
+  "description": "Implementation of \"Abusing Hidden Properties to Attack the Node.js Ecosystem\"",
+  "main": "index.js",
   "scripts": {
     "start": "node index.js",
     "dev": "node_modules/.bin/nodemon -e js",

jpv/jpv_handling.js

@@ -25,4 +25,9 @@ router.get('/', async (req, res) => {
     result = await component_type.demo1()
     console.log(result);
     res.json(result);
+})
+
+router.post('/supplychain', async (req, res) => {
+    result = await component_type.demoSupplyChain(req.body);
+    res.json(result);
 })

package-lock.json

@@ -19,14 +19,6 @@ router.post('/Array', async (req, res) => {
 
 })
 
-router.post('/Constructor', async (req, res) => {
-
-    returnVal = await jpv_handle.constructorOverrideUpdated(req.body);
-    res.json(returnVal);
-    
-})
-
-
 router.get('/', async(req, res) => {
     returnVal = await jpv_handle.exampleJPV();
     res.json(returnVal);

package.json

@@ -5,7 +5,7 @@ const kindof_handle = require('../kind_of/attack')
 
 module.exports = router
 
-router.post('/post', async (req, res) => {
+router.post('/', async (req, res) => {
 
     returnVal = await kindof_handle.jsonDemo(req.body);
     res.json(returnVal);