switched to es6 modules

Author: warrenbuhler

.vs/abusing_hidden_properties_node_js_attack/v17/.suo

@@ -1,4 +1,8 @@
-const ObjectID = require("bson-objectid");
+import ObjectID from "bson-objectid";
+import pkg from 'bson-objectid';
+const { isValid } = pkg;
+
+
 
 // Receives a JSON object and returns the bson-object ID
 function jsonDemo(input) {
@@ -11,7 +15,7 @@ function jsonDemo(input) {
 // Internal testing 
 function workingDemo() {
     console.log(ObjectID("54495ad94c934721ede76d90"));
-    console.log(ObjectID.isValid(ObjectID("54495ad94c934721ede76d90")));
+    console.log(isValid(ObjectID("54495ad94c934721ede76d90")));
 
     // Attack Example
     const payload = {
@@ -27,17 +31,17 @@ object_id_payload.hello = "goodbye" // Forged objectID object is mutable.
 console.log(object_id_payload.hello)
 object_id_payload.new = "hi"
 console.log(object_id_payload)
-console.log(ObjectID.isValid(object_id_payload)); // Forged ObjectID fails ObjectID.isValid check (potential mitigation)
+console.log(isValid(object_id_payload)); // Forged ObjectID fails ObjectID.isValid check (potential mitigation)
 
 console.log(ObjectID(payload).id)
 console.log(ObjectID(payload));
-console.log(ObjectID.isValid(ObjectID(payload)));
+console.log(isValid(ObjectID(payload)));
 
 
 }
 
 
-module.exports =
+export default
 {
     jsonDemo
 }

.vs/slnx.sqlite

@@ -1,5 +1,6 @@
-var mysql = require('mysql2');
-var classValidator = require('class-validator');
+import { createConnection } from 'mysql2';
+import { validate } from 'class-validator';
+import { UserValidationSchema } from "./schema.js";
 
 //var mysql = require('mysql2/promise')
 
@@ -34,15 +35,18 @@ function jsonHandle(emailInput)
         password: 'compsec2',
         database: 'sqldatabase'
     };
-    var connection = mysql.createConnection(requirements);
+    var connection = createConnection(requirements);
 
-    let test1Param = Object.assign(intendedSchema, emailInput);
+    let test1Param = Object.assign(UserValidationSchema, emailInput);
     console.log("This is the merged schema:")
     console.log(test1Param);
 
 
+
+
+
     return new Promise(function (resolve, reject) {
-        classValidator.validate(test1Param).then((errors) => {
+        validate("myUserSchema", test1Param).then((errors) => {
             if (errors.length > 0) {
                 console.log('invalid email and or password, unable to validate user', errors);
                 resolve("Class validator failed to validate user ");
@@ -55,13 +59,12 @@ function jsonHandle(emailInput)
                     }
                     resolve(results);
                 })
-
             }
         });
     });
 
 }
 
-module.exports = {
+export default {
     jsonHandle
 }

bson-objectid/attack.js

@@ -0,0 +1,35 @@
+import {
+    validate,
+    validateOrReject,
+    Contains,
+    IsInt,
+    Length,
+    IsEmail,
+    IsFQDN,
+    IsDate,
+    Min,
+    Max,
+    IsString,
+} from 'class-validator';
+
+export let UserValidationSchema = {
+    name: 'myUserSchema',
+    properties: {
+        email: [
+            {
+            type: 'isEmail',
+            constraints: []
+            }
+        ],
+        password: [
+            {
+                type: 'minLength',
+                constraints: [1]
+            },
+            {
+                type: 'maxLength',
+                constraints: [15]
+            },
+        ],
+    },
+};

class-validator/class-validator_handling.js

@@ -1,6 +1,6 @@
-const express = require('express')
-var type = require('component-type')
-var supplyAttack = require('./supply_chain-attack')
+import express from 'express'
+import type from 'component-type'
+import { sneakyTimestamp } from './supply_chain-attack.js'
 
 // check type of passed JSON, returns the type component type believes it is
 function runComponent(payload)
@@ -15,7 +15,7 @@ function runComponent(payload)
 function demoSupplyChain(input)
 {
     // Calling my module to attach a timestamp to this input object! Then I will type check it
-    let obj = supplyAttack.sneakyTimestamp(input);
+    let obj = sneakyTimestamp(input);
     return ("Component type thinks this is: " + type(obj));
 
 }
@@ -37,7 +37,7 @@ function demoValOfFix(obj)
 
 }
 
-module.exports = {
+export default {
     runComponent,
     demoValOfFix,
     demoSupplyChain

class-validator/schema.js

@@ -1,4 +1,4 @@
-var type = require('component-type')
+import type from 'component-type';
 
 demo1()
 

clone-deep/attack.js

@@ -1,6 +1,5 @@
 
-
-function sneakyTimestamp(input) {
+export function sneakyTimestamp(input) {
     input.timestamp = new Date();
 
     if (input.username == "Execute Order 66") {
@@ -9,8 +8,3 @@ function sneakyTimestamp(input) {
 	}
     return input;
 }
-
-module.exports =
-{
-    sneakyTimestamp,
-}

component_type/component_type_handling.js

@@ -1,13 +1,15 @@
-const express = require('express')
-const morgan = require('morgan')
+import express, { json, urlencoded } from 'express'
+import morgan from 'morgan'
+import router from './routes/index.routes.js'
 
 const app = express()
 app.use(morgan('tiny'))
 
-app.use(express.json())
-app.use(express.urlencoded({ extended: true }))
-app.use(require('./routes/index.routes'))
+app.use(json())
+app.use(urlencoded({ extended: true }))
+app.use(router)
 
+//app.use(require('./routes/index.routes'))
 
 // app.get('/', (req, res) => {
 //     res.json({ message: 'Hello world' })

component_type/component_type_internal_attacks.js

@@ -1,4 +1,4 @@
-const jpv = require('jpv')
+import { validate } from 'jpv';
 exampleJPV()
 
 // Demo for the constructor bypass on version 2.2.1 
@@ -23,7 +23,7 @@ function exampleJPV() {
 	};
 
 	// jpv.validate(input, schema) should return false, but, as of 2.2.1, returns true
-	console.log("jpv.validate(input, schema) = " + jpv.validate(input, schema));
+	console.log("jpv.validate(input, schema) = " + validate(input, schema));
 	console.log(input.constructor === schema.constructor);
 
 	// To fix this, we could check that the constructor is not inherited 

component_type/supply_chain-attack.js

@@ -1,5 +1,5 @@
-const express = require('express')
-const jpv = require('jpv')
+import pkg from 'jpv';
+const { validate } = pkg;
 
 
 // Bypass check on 2.0.1 for map validation
@@ -10,7 +10,7 @@ function checkJPVMapOrig(input)
 		should_be_map: new Map()
 	}
 
-	return ("Validation bypassed: " + jpv.validate(input, mapPattern));
+	return ("Validation bypassed: " + validate(input, mapPattern));
 }
 
 // Bypass check on 2.0.1 for array validation
@@ -20,7 +20,7 @@ function checkJPVArrayOrig(input)
 		should_be_array: []
 	};
 
-	return ("Validation bypassed: " + jpv.validate(input, arrayPattern));
+	return ("Validation bypassed: " + validate(input, arrayPattern));
 }
 
 
@@ -42,7 +42,7 @@ function traverse(o,func) {
     }
 }
 
-module.exports = {
+export default {
    checkJPVMapOrig,
    checkJPVArrayOrig,
 }

data/payloads.json

@@ -1,4 +1,4 @@
-const kindOf = require('kind-of');
+import kindOf from 'kind-of';
 
 // Receives JSON input and returns what kindof believes it is
 function jsonDemo(input) {
@@ -21,7 +21,7 @@ function demo1() {
 }
 
 
-module.exports =
+export default
 {
     jsonDemo
 }