Merge branch 'main' of https://github.com/moogiio/SecureCodePuzzles into main

Author: topkekhacker

Node/Answers/a001.js

@@ -0,0 +1,39 @@
+const express = require('express');
+const mysql = require('mysql2');
+const config = require('./config'); // Assuming configuration is stored in a separate file
+
+const app = express();
+
+// Create a MySQL connection
+const connection = mysql.createConnection({
+  host: config.host,
+  user: config.user,
+  password: config.password,
+  database: config.database
+});
+
+app.get('/api/sql/user', (req, res) => {
+  const id = req.query.id;
+  
+  // Use parameterized query
+  const query = 'SELECT * FROM Users WHERE Id = ?';
+  
+  connection.query(query, [id], (error, results) => {
+    if (error) {
+      return res.status(500).json({ error: 'Database error' });
+    }
+    
+    if (results.length > 0) {
+      const user = results[0];
+      const returnString = `Name: ${user.Name}. Description: ${user.Description}`;
+      res.send(returnString);
+    } else {
+      res.send('');
+    }
+  });
+});
+
+const port = 3000;
+app.listen(port, () => {
+  console.log(`Server running on port ${port}`);
+});

Node/Answers/a002.js

@@ -0,0 +1,37 @@
+const express = require('express');
+const app = express();
+
+// Simulating a database context
+const db = {
+  findItems: (query) => {
+    // Simulate database search
+    return [{ name: 'Item 1' }, { name: 'Item 2' }];
+  }
+};
+
+function sanitizeInput(input) {
+  // In a real scenario, this would actually sanitize the input
+  return input;
+}
+
+app.get('/api/search', (req, res) => {
+  const query = req.query.query;
+  const cleanQuery = sanitizeInput(query);
+
+  const search = {
+    query: sanitizeInput(query),
+    items: []
+  };
+
+  try {
+    search.items = db.findItems(cleanQuery);
+    res.json(search);
+  } catch (e) {
+    res.status(500).json({ error: 'An error occurred during search' });
+  }
+});
+
+const port = 3000;
+app.listen(port, () => {
+  console.log(`Server running on port ${port}`);
+});

Node/Answers/a003.js

@@ -0,0 +1,21 @@
+const libxmljs = require('libxmljs');
+
+const xml = `<?xml version="1.0" ?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "EXTERNAL_FILE">]> <product id="1"> <description>&xxe;</description></product>`;
+
+function parseXmlSecurely() {
+  try {
+    const xmlDoc = libxmljs.parseXml(xml, {
+      nonet: true,  // Disable network access
+      recover: true,  // Recover from errors
+      noent: false,  // Don't substitute entities
+      dtdload: false,  // Don't load external DTDs
+      dtdattr: false,  // Don't default DTD attributes
+    });
+    return xmlDoc.root().text();
+  } catch (error) {
+    console.error('XML parsing error:', error);
+    return null;
+  }
+}
+
+console.log(parseXmlSecurely());

Node/Answers/a005/a005_rev1.js

@@ -0,0 +1,36 @@
+class PriceCalculator {
+    calculate(amount, type, years) {
+      if (typeof amount !== 'number' || amount < 0) {
+        throw new Error('Amount must be a non-negative number');
+      }
+      if (!Number.isInteger(type) || type < 1 || type > 4) {
+        throw new Error('Type must be an integer between 1 and 4');
+      }
+      if (!Number.isInteger(years) || years < 0) {
+        throw new Error('Years must be a non-negative integer');
+      }
+  
+      const discountRate = Math.min(years, 5) / 100;
+      
+      let basePrice;
+      switch (type) {
+        case 1:
+          basePrice = amount;
+          break;
+        case 2:
+          basePrice = amount * 0.9;
+          break;
+        case 3:
+          basePrice = amount * 0.7;
+          break;
+        case 4:
+          basePrice = amount * 0.5;
+          break;
+      }
+  
+      const discount = basePrice * discountRate;
+      return basePrice - discount;
+    }
+  }
+  
+  module.exports = PriceCalculator;

Node/Answers/a005/a005_rev2.js

@@ -0,0 +1,37 @@
+class PriceCalculator {
+    constructor() {
+      this.typeDiscounts = {
+        1: 0,
+        2: 0.1,
+        3: 0.3,
+        4: 0.5
+      };
+      this.maxYearsDiscount = 5;
+    }
+  
+    calculate(amount, type, years) {
+      this.validateInputs(amount, type, years);
+  
+      const baseDiscount = this.typeDiscounts[type] || 0;
+      const yearsDiscount = Math.min(years, this.maxYearsDiscount) / 100;
+  
+      const basePrice = amount * (1 - baseDiscount);
+      const yearlyDiscount = basePrice * yearsDiscount;
+  
+      return basePrice - yearlyDiscount;
+    }
+  
+    validateInputs(amount, type, years) {
+      if (typeof amount !== 'number' || amount < 0) {
+        throw new Error('Amount must be a non-negative number');
+      }
+      if (!Number.isInteger(type) || !this.typeDiscounts.hasOwnProperty(type)) {
+        throw new Error(`Type must be one of: ${Object.keys(this.typeDiscounts).join(', ')}`);
+      }
+      if (!Number.isInteger(years) || years < 0) {
+        throw new Error('Years must be a non-negative integer');
+      }
+    }
+  }
+  
+  module.exports = PriceCalculator;

Node/Answers/a005/a005_rev3.js

@@ -0,0 +1,44 @@
+class PriceCalculator {
+    constructor(config = {}) {
+      this.typeDiscounts = config.typeDiscounts || {
+        1: 0,
+        2: 0.1,
+        3: 0.3,
+        4: 0.5
+      };
+      this.maxYearsDiscount = config.maxYearsDiscount || 5;
+      this.yearlyDiscountRate = config.yearlyDiscountRate || 0.01; // 1% per year
+    }
+  
+    calculate(amount, type, years) {
+      try {
+        this.validateInputs(amount, type, years);
+  
+        const baseDiscount = this.typeDiscounts[type];
+        const yearsDiscount = Math.min(years, this.maxYearsDiscount) * this.yearlyDiscountRate;
+  
+        const basePrice = amount * (1 - baseDiscount);
+        const yearlyDiscount = basePrice * yearsDiscount;
+  
+        const finalPrice = basePrice - yearlyDiscount;
+        return Number(finalPrice.toFixed(2)); // Round to 2 decimal places
+      } catch (error) {
+        console.error('Calculation error:', error.message);
+        throw error;
+      }
+    }
+  
+    validateInputs(amount, type, years) {
+      if (typeof amount !== 'number' || isNaN(amount) || amount < 0) {
+        throw new Error('Amount must be a non-negative number');
+      }
+      if (!Number.isInteger(type) || !this.typeDiscounts.hasOwnProperty(type)) {
+        throw new Error(`Type must be one of: ${Object.keys(this.typeDiscounts).join(', ')}`);
+      }
+      if (!Number.isInteger(years) || years < 0) {
+        throw new Error('Years must be a non-negative integer');
+      }
+    }
+  }
+  
+  module.exports = PriceCalculator;

Node/p001.js

@@ -0,0 +1,38 @@
+const express = require('express');
+const mysql = require('mysql2');
+const config = require('./config'); // Assuming configuration is stored in a separate file
+
+const app = express();
+
+// Create a MySQL connection
+const connection = mysql.createConnection({
+  host: config.host,
+  user: config.user,
+  password: config.password,
+  database: config.database
+});
+
+app.get('/api/sql/user', (req, res) => {
+  const id = req.query.id;
+  
+  const query = `SELECT * FROM Users WHERE Id = ${id}`;
+  
+  connection.query(query, (error, results) => {
+    if (error) {
+      return res.status(500).json({ error: 'Database error' });
+    }
+    
+    if (results.length > 0) {
+      const user = results[0];
+      const returnString = `Name: ${user.Name}. Description: ${user.Description}`;
+      res.send(returnString);
+    } else {
+      res.send('');
+    }
+  });
+});
+
+const port = 3000;
+app.listen(port, () => {
+  console.log(`Server running on port ${port}`);
+});

Node/p002.js

@@ -0,0 +1,37 @@
+const express = require('express');
+const app = express();
+
+// Simulating a database context
+const db = {
+  findItems: (query) => {
+    // Simulate database search
+    return [{ name: 'Item 1' }, { name: 'Item 2' }];
+  }
+};
+
+function sanitizeInput(input) {
+  // In a real scenario, this would actually sanitize the input
+  return input;
+}
+
+app.get('/api/search', (req, res) => {
+  const query = req.query.query;
+  const cleanQuery = sanitizeInput(query);
+
+  const search = {
+    query: query,
+    items: []
+  };
+
+  try {
+    search.items = db.findItems(cleanQuery);
+    res.json(search);
+  } catch (e) {
+    res.status(500).json({ error: 'An error occurred during search' });
+  }
+});
+
+const port = 3000;
+app.listen(port, () => {
+  console.log(`Server running on port ${port}`);
+});

Node/p003.js

@@ -0,0 +1,21 @@
+const { DOMParser } = require('xmldom');
+const fs = require('fs');
+
+const xml = `<?xml version="1.0" ?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "EXTERNAL_FILE">]> <product id="1"> <description>&xxe;</description></product>`;
+
+function parseXmlDocument() {
+  const parser = new DOMParser();
+  const xmlDoc = parser.parseFromString(xml, 'text/xml');
+  return xmlDoc.documentElement.textContent;
+}
+
+function parseXmlReader() {
+  const parser = new DOMParser({
+    resolveExternalEntities: true
+  });
+  const xmlDoc = parser.parseFromString(xml, 'text/xml');
+  return xmlDoc.documentElement.textContent;
+}
+
+console.log(parseXmlDocument());
+console.log(parseXmlReader());

Node/p004.js

@@ -0,0 +1,48 @@
+const express = require('express');
+const router = express.Router();
+
+class UserService {
+  constructor(configuration, userRepository) {
+    this.configuration = configuration;
+    this.userRepository = userRepository;
+  }
+
+  getUser(query) {
+    return this.findUserInDatabase(query);
+  }
+
+  getUserModel(user) {
+    const u = this.findUserInDatabase(user);
+    if (u != null) {
+      return u; // Assuming UserModel is just a plain object in JS
+    }
+    return {}; // Equivalent to new UserModel() in C#
+  }
+
+  findUserInDatabase(query) {
+    return this.userRepository.findUser(query);
+  }
+}
+
+const configuration = {}; 
+const userRepository = {
+  findUser: (query) => {
+    console.log('Finding user with query:', query);
+    return null; // Simulating no user found
+  }
+};
+
+const userService = new UserService(configuration, userRepository);
+
+// Setting up routes
+router.get('/user', (req, res) => {
+  const result = userService.getUser(req.query);
+  res.json(result);
+});
+
+router.post('/user', (req, res) => {
+  const result = userService.getUserModel(req.body);
+  res.json(result);
+});
+
+module.exports = router;