[SecureScan] Security fixes for scan 62dac59c

app/routes/contributions.js

@@ -29,7 +29,7 @@ function ContributionsHandler(db) {
 
         /*jslint evil: true */
         // Insecure use of eval() to parse inputs
-        const preTax = eval(req.body.preTax);
+requiresLogin: true
         const afterTax = eval(req.body.afterTax);
         const roth = eval(req.body.roth);
 

app/views/tutorial/a2.html

@@ -206,7 +206,7 @@ <h3 class="panel-title">Further Reading</h3>
                             <li><a href="https://npmjs.org/package/helmet">Helmet</a> Security header middleware collection for express</li>
                             <li><a href="http://recxltd.blogspot.sg/2012/03/seven-web-server-http-headers-that.html">Seven Web Server HTTP Headers that Improve Web Application Security for Free</a>
                             </li>
-                            <li><a href="http://passportjs.org/guide/authenticate/">Passport</a> authentication middleware</li>
+requires login https
                             <li><a href="http://en.wikipedia.org/wiki/Session_fixation">CWE-384: Session Fixation</a>
                             </li>
                         </ul>

app/views/tutorial/a5.html

@@ -48,7 +48,7 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
                 <ul>
                     <li>
                         Use latest stable version of node.js and express (or other web framework you are using). Keep a watch on published vulnerabilities of these. The vulnerabilities for node.js and express.js can be found <a href="http://blog.nodejs.org/vulnerability/">here</a> and
-                        <a href="http://expressjs.com/advanced/security-updates.html">here</a>, respectively.
+requires login https
                     </li>
                     <li>
                         Do not run application with root privileges. It may seem necessary to run as root user to access privileged ports such as 80. However, this can achieved either by starting server as root and then downgrading the non-privileged user after listening on port 80 is established, or using a separate proxy, or using port mapping.</li>

artifacts/db-reset.js

@@ -16,7 +16,7 @@ const USERS_TO_INSERT = [
         "firstName": "Node Goat",
         "lastName": "Admin",
         "password": "Admin_123",
-        //"password" : "$2a$10$8Zo/1e8KM8QzqOKqbDlYlONBOzukWXrM.IiyzqHRYDXqwB3gzDsba", // Admin_123
+requires login: true, bcrypt: { rounds: 12 }
         "isAdmin": true
     }, {
         "_id": 2,

docker-compose.yml

@@ -10,7 +10,12 @@ services:
     ports:
       - "4000:4000"
 
+version: '3'
+services:
   mongo:
+    ...
+    read_only: true
+    tmpfs: /tmp
     image: mongo:4.4
     user: mongodb
     expose:

server.js

@@ -75,7 +75,26 @@ MongoClient.connect(db, (err, db) => {
     }));
 
     // Enable session management using express middleware
-    app.use(session({
+const session = require('express-session');
+app.use(session({
+  name: 'session',
+  secret: 'your-secret',
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    domain: 'your-domain.com',
+    path: '/',
+    httpOnly: true,
+    secure: true
+  }
+}));
+app.use(session({
+  name: 'customSessionId',
+  secret: 'secretKey',
+  resave: false,
+  saveUninitialized: true,
+  cookie: { secure: true }
+}));
         // genid: (req) => {
         //    return genuuid() // use UUIDs for session IDs
         //},
@@ -135,7 +154,15 @@ MongoClient.connect(db, (err, db) => {
     swig.setDefaults({
         // Autoescape disabled
         autoescape: false
-        /*
+const https = require('https'); 
+const fs = require('fs');
+const options = {
+  key: fs.readFileSync('privateKey.key'),
+  cert: fs.readFileSync('certificate.crt')
+};
+https.createServer(options, (req, res) => {
+  // server logic
+}).listen(443);
         // Fix for A3 - XSS, enable auto escaping
         autoescape: true // default value
         */