new validation work

Author: warrenbuhler

.vs/VSWorkspaceState.json

@@ -3,14 +3,11 @@
     "",
     "\\bson-objectid",
     "\\class-validator",
-    "\\clone-deep",
     "\\component_type",
-    "\\data",
     "\\jpv",
     "\\kind_of",
-    "\\models",
     "\\routes"
   ],
-  "SelectedNode": "\\component_type\\component_type_internal_attacks.js",
+  "SelectedNode": "\\class-validator\\schema.js",
   "PreviewInSolutionExplorer": false
 }

.vs/abusing_hidden_properties_node_js_attack/v17/.suo

@@ -1,10 +1,11 @@
+// import { UserValidationSchema } from "./schema.js";
+// registerSchema(UserValidationSchema);
+import { UserSchema } from "./schema.js";
+import { validate } from "class-validator";
 import { createConnection } from 'mysql2';
-import { validate } from 'class-validator';
-import { UserValidationSchema } from "./schema.js";
 
-//var mysql = require('mysql2/promise')
-
-function login(emailInput, passwordInput, connection) {
+function login(emailInput, passwordInput, connection)
+{
     const sqlquery1 = `SELECT * FROM login WHERE email = ${emailInput} AND password = ${passwordInput}`;
     console.log(sqlquery1);
     return new Promise(function (resolve, reject) {
@@ -21,14 +22,8 @@ function login(emailInput, passwordInput, connection) {
 
 }
 
-class intendedSchema {
-    email;
-    password;
-}
 
-
-function jsonHandle(emailInput)
-{
+function jsonHandle(emailInput) {
     let requirements = {
         host: 'localhost',
         user: 'root',
@@ -37,16 +32,12 @@ function jsonHandle(emailInput)
     };
     var connection = createConnection(requirements);
 
-    let test1Param = Object.assign(UserValidationSchema, emailInput);
+    let test1Param = Object.assign(UserSchema, emailInput);
     console.log("This is the merged schema:")
     console.log(test1Param);
 
-
-
-
-
     return new Promise(function (resolve, reject) {
-        validate("myUserSchema", test1Param).then((errors) => {
+        validate(test1Param).then((errors) => {
             if (errors.length > 0) {
                 console.log('invalid email and or password, unable to validate user', errors);
                 resolve("Class validator failed to validate user ");
@@ -67,4 +58,4 @@ function jsonHandle(emailInput)
 
 export default {
     jsonHandle
-}
+}

.vs/slnx.sqlite

@@ -0,0 +1,57 @@
+// import { UserValidationSchema } from "./schema.js";
+// registerSchema(UserValidationSchema);
+import { UserSchema } from "./schema.js";
+import { validate } from "class-validator";
+import { createConnection } from 'mysql2';
+let requirements = {
+    host: 'localhost',
+    user: 'root',
+    password: 'compsec2',
+    database: 'sqldatabase'
+};
+const connection = createConnection(requirements);
+function bypassedValidation(emailInput, passwordInput) {
+    const sqlquery1 = `SELECT * FROM login WHERE email = ${emailInput} AND password = ${passwordInput}`;
+    connection.query(sqlquery1, function (error, rows) {
+        if (error)
+            throw error;
+        console.log(rows);
+    });
+}
+let schema = new UserSchema();
+schema.email = '';
+schema.password = '';
+let param = {
+    email: '" OR 1=1--',
+    password: '" OR 1=1--',
+    constructor: false
+};
+let test1Param = Object.assign(schema, param);
+console.log(test1Param);
+validate(test1Param).then(errors => {
+    if (errors.length > 0) {
+        console.log('email and or password of wrong form', errors);
+    }
+    else {
+        console.log('email and password of correct form input');
+        bypassedValidation(test1Param.email, test1Param.password);
+    }
+});
+// let schema2 = new UserSchema();
+// schema2.email = '';
+// schema2.password = '';
+// let ryn = {
+//     email: '[email protected]',
+//     pssword: 'Paass2',
+//     incorrectField: 'I shouldnt be here',
+//     constructor: false
+// };
+// let rynParam = Object.assign(schema2, ryn);
+// console.log(rynParam);
+// validate(rynParam).then(errors => {
+// if (errors.length > 0) {
+//   console.log('email and or password of wrong form', errors);
+// } else {console.log('email and password of correct form input');
+//   bypassedValidation(rynParam.email, rynParam.password);
+// }
+// });

class-validator/class-validator_handling.js

@@ -0,0 +1,69 @@
+import { registerSchema } from "class-validator";
+// import { UserValidationSchema } from "./schema.js";
+// registerSchema(UserValidationSchema);
+import { UserSchema } from "./schema"
+import { validate } from "class-validator";
+import { createConnection } from 'mysql2';
+import { plainToClass, plainToInstance } from 'class-transformer'
+
+
+let requirements = {
+    host: 'localhost',
+    user: 'root',
+    password: 'compsec2',
+    database: 'sqldatabase'
+};
+
+const connection = createConnection(requirements);
+function bypassedValidation(emailInput, passwordInput) {
+    const sqlquery1 = `SELECT * FROM login WHERE email = ${emailInput} AND password = ${passwordInput}`;
+    connection.query(sqlquery1, function(error, rows) {
+        if (error) throw error;
+        console.log(rows);
+    });
+    }
+
+let schema = new UserSchema();
+schema.email = '';
+schema.password = '';
+
+      let param = {
+        email: '" OR 1=1--',
+        password: '" OR 1=1--',
+        constructor: false
+    };
+
+let test1Param = Object.assign(schema, param);
+console.log(test1Param);
+
+validate(test1Param).then(errors => {
+    if (errors.length > 0) {
+      console.log('email and or password of wrong form', errors);
+    } else {console.log('email and password of correct form input');
+      bypassedValidation(test1Param.email, test1Param.password);
+}
+});
+
+
+// let schema2 = new UserSchema();
+// schema2.email = '';
+// schema2.password = '';
+
+// let ryn = {
+//     email: '[email protected]',
+//     pssword: 'Paass2',
+//     incorrectField: 'I shouldnt be here',
+//     constructor: false
+// };
+
+// let rynParam = Object.assign(schema2, ryn);
+// console.log(rynParam);
+
+
+// validate(rynParam).then(errors => {
+// if (errors.length > 0) {
+//   console.log('email and or password of wrong form', errors);
+// } else {console.log('email and password of correct form input');
+//   bypassedValidation(rynParam.email, rynParam.password);
+// }
+// });

class-validator/class-validator_internal.js

@@ -0,0 +1,70 @@
+import { createConnection } from 'mysql2';
+import { validate } from 'class-validator';
+import { UserValidationSchema } from "./schema.js";
+
+//var mysql = require('mysql2/promise')
+
+function login(emailInput, passwordInput, connection) {
+    const sqlquery1 = `SELECT * FROM login WHERE email = ${emailInput} AND password = ${passwordInput}`;
+    console.log(sqlquery1);
+    return new Promise(function (resolve, reject) {
+        connection.query(sqlquery1, function (error, rows) {
+            if (error) {
+                reject(new Error(error))
+            }
+            else {
+                resolve(rows);
+            }
+
+        });
+    });
+
+}
+
+class intendedSchema {
+    email;
+    password;
+}
+
+
+function jsonHandle(emailInput)
+{
+    let requirements = {
+        host: 'localhost',
+        user: 'root',
+        password: 'compsec2',
+        database: 'sqldatabase'
+    };
+    var connection = createConnection(requirements);
+
+    let test1Param = Object.assign(UserValidationSchema, emailInput);
+    console.log("This is the merged schema:")
+    console.log(test1Param);
+
+
+
+
+
+    return new Promise(function (resolve, reject) {
+        validate("myUserSchema", test1Param).then((errors) => {
+            if (errors.length > 0) {
+                console.log('invalid email and or password, unable to validate user', errors);
+                resolve("Class validator failed to validate user ");
+            } else {
+                console.log('valid email and password, user successfully validated. Relevant Database Information:');
+                login(test1Param.email, test1Param.password, connection).then((results) => {
+
+                    if (results.length == 0) {
+                        resolve("No user found");
+                    }
+                    resolve(results);
+                })
+            }
+        });
+    });
+
+}
+
+export default {
+    jsonHandle
+}

class-validator/class-validator_internal.ts

@@ -1,35 +1,16 @@
-import {
-    validate,
-    validateOrReject,
-    Contains,
-    IsInt,
-    Length,
-    IsEmail,
-    IsFQDN,
-    IsDate,
-    Min,
-    Max,
-    IsString,
-} from 'class-validator';
-
-export let UserValidationSchema = {
-    name: 'myUserSchema',
-    properties: {
-        email: [
-            {
-            type: 'isEmail',
-            constraints: []
-            }
-        ],
-        password: [
-            {
-                type: 'minLength',
-                constraints: [1]
-            },
-            {
-                type: 'maxLength',
-                constraints: [15]
-            },
-        ],
-    },
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
+import { IsEmail, MinLength, MaxLength } from 'class-validator';
+export class UserSchema {
+}
+__decorate([
+    IsEmail()
+], UserSchema.prototype, "email", void 0);
+__decorate([
+    MinLength(5),
+    MaxLength(15)
+], UserSchema.prototype, "password", void 0);

class-validator/old_class-validator_handling.js

@@ -0,0 +1,10 @@
+import { validate, ValidationSchema, IsEmail, IsAlphanumeric, MinLength, MaxLength, IsEmpty, IsNotEmpty, Length } from 'class-validator';
+export class UserSchema {
+    @IsEmail()
+    email: string;
+
+    @MinLength(5)
+    @MaxLength(15)
+    password: string;
+
+}