NoSQL-injection-example/server.js at master · ricardojoserf/NoSQL-injection-example · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
// Config values
var mongo_ip = 'localhost';
var mongo_port = '27017';
var mongo_db = 'db_nosql';
var mongo_col = 'no_sql_collection';


// DB
var MongoClient = require('mongodb').MongoClient;
var mongodb = require('mongodb');
var db;
MongoClient.connect("mongodb://"+mongo_ip+":"+mongo_port+"/"+mongo_db, function(err, database) {
	if(err) throw err;
	db = database;
});


/// Auxiliar functions
function isJsonString(str) {
    try {
        JSON.parse(str);
    } catch (e) {
        return false;
    }
    return true;
}


function validateField(str){
	var json_str = '{ "str": '+str+' }';
	var validity_str = isJsonString(json_str);
	if (! validity_str){
		str = '"'+str+'"';
	}
	return str;
}


function checkUsername(str) {
    var pattern = new RegExp(/[~`!#$%\^&*+=\-\[\]\\';,{}|\\":<>\?]/); //unacceptable chars
    if (pattern.test(str)) {
        return false;
    }
    return true;
}


function checkPassword(str) {
    var pattern = new RegExp(/[~`!#%\^&*+=\-\[\]\\';,|<>\?]/); //unacceptable chars
    if (pattern.test(str)) {
        return false;
    }
    return true;
}


/// Express
var express = require('express');
var app = express();
app.use(express.static(__dirname));
var ejs = require('ejs');
app.set('view engine', 'ejs');
var bodyParser = require('body-parser')
app.use(bodyParser.urlencoded({
	extended: true
}));
app.use(bodyParser.json());


app.get('/', function(req, res) {
	res.sendFile('index.html', {});
});


app.post('/', function(req, res) {
	// {"$ne": null} // {"$gt": ""}

	if(! checkUsername(req.body.user)){ res.render('error', {error: 'Injection detected in the username field' }); return; }
	if(! checkPassword(req.body.pass)){ res.render('error', {error: 'Injection detected in the password field' }); return; }

	var user = validateField(req.body.user);
	var pass = validateField(req.body.pass);
	var query = JSON.parse( '{ "user": '+user+', "pass": '+pass+' }' );
	db.collection(mongo_col).findOne(query, function (err, user) {
		if (err) {
			return res.status(500).send({message: err.message});
		}
		else if (!user) {
			res.render('error', {error: 'Sorry user not found!' });
		}
		else{
		    res.render('result', {user: user.user, pass: user.pass });
		}
	});
});


var server = app.listen(8000, function () {
	console.log('Visit port :%d', server.address().port);
});