README.md #365
annikk86 wants to merge 69 commits into OWASP:feature/187 from annikk86:master
Fix NoSQL injection solution
fix: startup logs stringified objects incorrectly
fix: example of xss in bad context using a dedicated profile field
Collection drop commands were sent without waiting for their completion. The userId counter insert could complete before the counter collection drop. In that case the new counter would be deleted
* Make the web service connect to the mongo service, not mLab
* Update readme to remove the "change config" step
* Import NODE_ENV into the web service so the appropriate config is used

* Skip devDependency install by default
* Use lowercase NODE_ENV so Heroku can strip devDependencies in production

* MONGOLAB_URI isn't needed as the mongolab addon has been removed
* Removed the old mlab connection URI as that database will be deleted
* Default db is localhost:27017, for all other cases set MONGODB_URI (don't commit database credentials to a public repo)

* Heroku section includes database set up instructions
* "Remote MongoDB" sections cover Atlas instead of mLab
* "Remote MongoDB" sections use MONGODB_URI env var (don't commit DB password)
* Adjusted layout and fixed some typos
Also corrected the example connection string, which was in the wrong format
* Moved examples for NoSQL and SSJS attacks into a new panel
* Added a note to the new panel about Atlas M0 (doesn't support js queries)
* Updated log injection section formatting to match the others
Remove mongolab addon from Heroku deploy
Adjustments to livereload to stop (timeout) in prod
Add cross-env for Windows scripts compatibility
…ion_string Insecure Default - mongodb connection string
* Set config.baseUrl and visit relative URLs to avoid Cypress bug which runs "before" hooks twice (github.com/cypress-io/cypress/issues/2777) * Remove "after" hook dbResets; make tests responsible for their own initial state, not that of the subsequent test
Ignore the warning in development.js, as the livereload script is even harder to understand when broken up into multiple strings.
Fix crash when research page server-side request fails
This enables Cypress video recording (only in the E2E CI workflow). If the Cypress test fails then videos and screenshots for the failed spec(s) are uploaded as build artifacts
Replaced stale links with appropriate alternatives and added dependabot. Fixes OWASP#234
docs: README file cleanup
OP_QUERY was deprecated in 5.0. Fix Mongo version to 4.0 instead of "latest".
fix: revert marked changes back to make sure we use the vulnerable version
Fix Mongo version to before OP_QUERY deprecation
test/pathc 1
Update links in A9 Tutorial description
Enable video recording and upload on failure
Add lint workflow
fix: update instructions about tutorial
fix: mongodb 4.4 is compatible
…assets

Express uses a middleware system to execute code, modify requests and responses, and perform other tasks whenever a network action takes place. The order you define these middleware matters. From the [express documentation](https://expressjs.com/en/guide/writing-middleware.html):

> The order of middleware loading is important: middleware functions that are loaded first are also executed first.

*This* is the problem we can look for. Here's an example of what not to do:

```javascript
app.use(session());
app.use(express.static(__dirname + '/public'));
```

In this case, the session handler is initialized before returning a static asset. Instead, we want to confirm that the static asset middleware, `express.static`, is set prior to the `session` middleware.

```javascript
app.use(express.static(__dirname + '/public'));
// any other middleware
app.use(session());
```

This will serve static assets as expected, but not apply the session middleware to them since it is defined later.
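The ordering point in the commit message above, shown as an added example that is not NodeGoat's code: a minimal Express-style middleware chain (constructed here, no Express dependency) with stand-ins for `express.static` and `express-session`. Running one anonymous request for a static asset through both orderings shows that with session first, every asset request creates a session and sets a cookie; with static first, the session layer never runs for that request. `createApp`, `fakeStatic` and `fakeSession` are assumed names for this demonstration.

```javascript
// Added example (not NodeGoat code): a tiny Express-style middleware chain that
// shows why the order of app.use() calls matters for static assets vs. sessions.
// The chain, the fake session store and the request object are all constructed here.

function createApp() {
  const stack = [];
  return {
    use(fn) { stack.push(fn); },
    // Dispatch a request through the stack in registration order. Each middleware
    // calls next() to continue; one that ends the response (res.ended = true)
    // stops the chain, as express.static does when it finds a matching file.
    handle(req) {
      const res = { ended: false, headers: {}, ran: [] };
      let i = 0;
      const next = () => {
        if (res.ended || i >= stack.length) return;
        const fn = stack[i++];
        fn(req, res, next);
      };
      next();
      return res;
    },
  };
}

// Stand-in for express.static: "serves" anything under /public and ends the response.
function fakeStatic(req, res, next) {
  res.ran.push('static');
  if (req.url.startsWith('/public/')) {
    res.ended = true; // file found, response sent, chain stops here
    return;
  }
  next(); // not a static asset, fall through to later middleware
}

// Stand-in for express-session: creates a session for cookie-less requests.
function fakeSession(sessions) {
  return (req, res, next) => {
    res.ran.push('session');
    if (!req.cookies.sid) {
      const sid = `s${sessions.size + 1}`;
      sessions.set(sid, { firstUrl: req.url });
      res.headers['set-cookie'] = `sid=${sid}`;
    }
    next();
  };
}

// Returns which middleware ran and how many sessions exist after one anonymous
// request for a static asset, under the two orderings the commit describes.
function compareOrderings() {
  const req = { url: '/public/app.css', cookies: {} }; // constructed request

  // Wrong order: session first, so every asset fetch allocates a session.
  const badSessions = new Map();
  const bad = createApp();
  bad.use(fakeSession(badSessions));
  bad.use(fakeStatic);
  const badRes = bad.handle(req);

  // Correct order: static first, so asset fetches never reach the session layer.
  const goodSessions = new Map();
  const good = createApp();
  good.use(fakeStatic);
  good.use(fakeSession(goodSessions));
  const goodRes = good.handle(req);

  return {
    bad: { ran: badRes.ran, sessions: badSessions.size, cookie: badRes.headers['set-cookie'] },
    good: { ran: goodRes.ran, sessions: goodSessions.size, cookie: goodRes.headers['set-cookie'] },
  };
}

console.log(JSON.stringify(compareOrderings(), null, 2));
```

The practical consequence of the wrong order is not just wasted work: every crawler or image request mints a server-side session and a Set-Cookie header, which inflates the session store and widens the surface the session layer exposes. Checking the registration order of `express.static` relative to `session` is a one-line review item.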
doc: annotate server.js with extra info regarding session and static …
Add individual routes for each tutorial page instead of using a single parameterized route. The parameterized route allowed the user to pass unexpected :page values. Relative paths could be specified to access arbitrary files with extension ".html". Specifying any other extension would cause express to dynamically require the module with the matching name. This allowed loading of locally or globally installed modules, and also permitted dependency enumeration.
…WASP#233 from rcowsill/fix/path-traversal Fix path traversal vulnerability
<b>percentages</b> deducted
Add blank space after strong tag (minor fix)