Add more challenge code snippet markers

oguzhalit · Mar 5, 2021 · 9ac4aad · 9ac4aad
1 parent 39a15a4
commit 9ac4aad
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/frontend/src/app/register/register.component.ts b/frontend/src/app/register/register.component.ts
@@ -21,15 +21,16 @@ import { SecurityQuestion } from '../Models/securityQuestion.model'
 library.add(faUserPlus, faExclamationCircle)
 dom.watch()
 
+// vuln-code-snippet start passwordRepeatChallenge
 @Component({
  selector: 'app-register',
  templateUrl: './register.component.html',
  styleUrls: ['./register.component.scss']
 })
 export class RegisterComponent implements OnInit {
  public emailControl: FormControl = new FormControl('', [Validators.required, Validators.email])
- public passwordControl: FormControl = new FormControl('', [Validators.required, Validators.minLength(5), Validators.maxLength(20)])
- public repeatPasswordControl: FormControl = new FormControl('', [Validators.required, matchValidator(this.passwordControl)])
+ public passwordControl: FormControl = new FormControl('', [Validators.required, Validators.minLength(5), Validators.maxLength(20)]) // vuln-code-snippet vuln-line passwordRepeatChallenge
+ public repeatPasswordControl: FormControl = new FormControl('', [Validators.required, matchValidator(this.passwordControl)]) // vuln-code-snippet vuln-line passwordRepeatChallenge
  public securityQuestionControl: FormControl = new FormControl('', [Validators.required])
  public securityAnswerControl: FormControl = new FormControl('', [Validators.required])
  public securityQuestions!: SecurityQuestion[]
@@ -97,3 +98,4 @@ function matchValidator (passwordControl: AbstractControl) {
  return null
  }
 }
+// vuln-code-snippet end passwordRepeatChallenge
diff --git a/lib/insecurity.js b/lib/insecurity.js
@@ -98,11 +98,12 @@ function hasValidFormat (coupon) {
  return coupon.match(/(JAN|FEB|MAR|APR|MAY|JUN|JUL|AUG|SEP|OCT|NOV|DEC)[0-9]{2}-[0-9]{2}/)
 }
 
+// vuln-code-snippet start redirectCryptoCurrencyChallenge redirectChallenge
 const redirectAllowlist = new Set([
  'https://github.com/bkimminich/juice-shop',
- 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
- 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
- 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6',
+ 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm', // vuln-code-snippet vuln-line redirectCryptoCurrencyChallenge
+ 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW', // vuln-code-snippet vuln-line redirectCryptoCurrencyChallenge
+ 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6', // vuln-code-snippet vuln-line redirectCryptoCurrencyChallenge
  'http:https://shop.spreadshirt.com/juiceshop',
  'http:https://shop.spreadshirt.de/juiceshop',
  'https://www.stickeryou.com/products/owasp-juice-shop/794',
@@ -113,10 +114,11 @@ exports.redirectAllowlist = redirectAllowlist
 exports.isRedirectAllowed = url => {
  let allowed = false
  for (const allowedUrl of redirectAllowlist) {
- allowed = allowed || url.includes(allowedUrl)
+ allowed = allowed || url.includes(allowedUrl) // vuln-code-snippet vuln-line redirectChallenge
  }
  return allowed
 }
+// vuln-code-snippet end redirectCryptoCurrencyChallenge redirectChallenge
 
 exports.roles = {
  customer: 'customer',