extra code comments

Author: warrenbuhler

.vs/slnx.sqlite

@@ -1,6 +1,14 @@
 const ObjectID = require("bson-objectid");
 
-// Working Example
+// Receives a JSON object and returns the bson-object ID
+function jsonDemo(input) {
+    console.log(input);
+    console.log(ObjectID(input));
+    console.log(ObjectID(input).id);
+    return ("bson-object ID says the id should be " + ObjectID(input).id);
+}
+
+// Internal testing 
 function workingDemo() {
     console.log(ObjectID("54495ad94c934721ede76d90"));
     console.log(ObjectID.isValid(ObjectID("54495ad94c934721ede76d90")));
@@ -28,12 +36,6 @@ console.log(ObjectID.isValid(ObjectID(payload)));
 
 }
 
-function jsonDemo(input) {
-    console.log(input);
-    console.log(ObjectID(input));
-    console.log(ObjectID(input).id);
-    return ("bson-object ID says the id should be " + ObjectID(input).id);
-}
 
 module.exports =
 {

bson-objectid/attack.js

@@ -2,7 +2,7 @@ const express = require('express')
 var type = require('component-type')
 var supplyAttack = require('./supply_chain-attack')
 
-// check type of passed JSON, confirm whether the type check can be tricked
+// check type of passed JSON, returns the type component type believes it is
 function runComponent(payload)
 {
     return new Promise((resolve, reject) => {
@@ -11,14 +11,16 @@ function runComponent(payload)
 
 }
 
+// Call into another function to demo what a supply attack might look like
 function demoSupplyChain(input)
 {
     // Calling my module to attach a timestamp to this input object! Then I will type check it
-    let obj = supplyAttack.supplyAttack(input);
+    let obj = supplyAttack.sneakyTimestamp(input);
     return ("Component type thinks this is: " + type(obj));
 
 }
 
+// Used to demonstrate what our fix to the component-type external value-of attack is 
 function demoValOfFix(obj)
 {
     if (typeof obj.valueOf === 'function')

component_type/component_type_handling.js

@@ -1,29 +1,10 @@
 var type = require('component-type')
 
-class testPollution {
-    constructor() {
-        Object.defineProperties(this, {
-            [Symbol.toStringTag]: {
-                value: "Array",
-                writable: true
-            }
-        });
-        this.valueOf = function valueOf() { return true; };
-    }
-}
-
-
-class vals {
-    constructor() { }
-
-}
-
-
 demo1()
 
-function demo1()
-{
-  // validated how component-type works
+// Do a long demo of how component-type can be tricked by internal attackers
+function demo1() {
+    // validated how component-type works
     var check = new testPollution();
     var dateObj = new Date;
     console.log("This is the component type result on a date object")
@@ -33,7 +14,7 @@ function demo1()
     console.log("   obj[Symbol.toStringTag] = 'Array';");
     dateObj[Symbol.toStringTag] = 'Array';
     console.log("component type will now return array for the date object!");
-    console.log("   "+ type(dateObj));
+    console.log("   " + type(dateObj));
 
     console.log("\n\n");
     console.log("This is a custom made polluted object, we overode its toStringTag in the constructor");
@@ -53,4 +34,26 @@ function demo1()
     console.log("\n\n");
 }
 
+// Example of how a constructor for an object can set its toStringTag to a different value
+class testPollution {
+    constructor() {
+        Object.defineProperties(this, {
+            [Symbol.toStringTag]: {
+                value: "Array",
+                writable: true
+            }
+        });
+        this.valueOf = function valueOf() { return true; };
+    }
+}
+
+// empty class used to show the value of attack by an internal or supply chain adversary
+class vals {
+    constructor() { }
+
+}
+
+
+
+
 

component_type/component_type_internal_attacks.js

@@ -1,6 +1,6 @@
 
 
-function supplyAttack(input) {
+function sneakyTimestamp(input) {
     input.timestamp = new Date();
 
     if (input.username == "Execute Order 66") {
@@ -12,5 +12,5 @@ function supplyAttack(input) {
 
 module.exports =
 {
-    supplyAttack,
+    sneakyTimestamp,
 }

component_type/supply_chain-attack.js

@@ -1,7 +1,12 @@
 const kindOf = require('kind-of');
 
+// Receives JSON input and returns what kindof believes it is
+function jsonDemo(input) {
+    return "Should return object, but instead returns " + kindOf(input)
+}
 
 
+// used for internal testing 
 const objectPretendingToBeSet = {
     "id": "54495ad94c934721ede76d90",
     "username": "bob",
@@ -10,13 +15,11 @@ const objectPretendingToBeSet = {
     "constructor":{"name":"Set"}
 }
 
+// used in internal testing
 function demo1() {
     console.log(kindOf(objectPretendingToBeSet));
 }
 
-function jsonDemo(input) {
-    return "Should return object, but instead returns " + kindOf(input)
-}
 
 module.exports =
 {