Merge branch 'upgrade-sequelize' into develop

.gitignore

@@ -16,6 +16,9 @@ out/
 # VIM swap files
 *.swp
 
+# Vs Code
+.vscode/
+
 # Orig from merges
 *.orig
 

app/js/controllers/BasketController.js

@@ -19,7 +19,7 @@ angular.module('juiceShop').controller('BasketController', [
 
     function load () {
       basketService.find($window.sessionStorage.bid).then(function (basket) {
-        $scope.products = basket.products
+        $scope.products = basket.Products
         for (var i = 0; i < $scope.products.length; i++) {
           $scope.products[i].description = $sce.trustAsHtml($scope.products[i].description)
         }

app/js/controllers/SearchResultController.js

@@ -25,12 +25,12 @@ angular.module('juiceShop').controller('SearchResultController', [
 
     $scope.addToBasket = function (id) {
       basketService.find($window.sessionStorage.bid).then(function (basket) {
-        var productsInBasket = basket.products
+        var productsInBasket = basket.Products
         var found = false
         for (var i = 0; i < productsInBasket.length; i++) {
           if (productsInBasket[i].id === id) {
             found = true
-            basketService.get(productsInBasket[i].basketItem.id).then(function (existingBasketItem) {
+            basketService.get(productsInBasket[i].BasketItem.id).then(function (existingBasketItem) {
               var newQuantity = existingBasketItem.quantity + 1
               basketService.put(existingBasketItem.id, {quantity: newQuantity}).then(function (updatedBasketItem) {
                 productService.get(updatedBasketItem.ProductId).then(function (product) {

app/views/Basket.html

@@ -19,15 +19,15 @@ <h3 class="page-header page-header-sm">
                 <td>{{product.price}}</td>
                 <td>
                     <div class="btn-group">
-                        <a class="btn btn-default btn-xs" ng-click="dec(product.basketItem.id)"><i class="fa fa-minus-square"></i></a>
-                        <span class="btn btn-default btn-xs">{{product.basketItem.quantity}}</span>
-                        <a class="btn btn-default btn-xs" ng-click="inc(product.basketItem.id)"><i class="fa fa-plus-square"></i></a>
+                        <a class="btn btn-default btn-xs" ng-click="dec(product.BasketItem.id)"><i class="fa fa-minus-square"></i></a>
+                        <span class="btn btn-default btn-xs">{{product.BasketItem.quantity}}</span>
+                        <a class="btn btn-default btn-xs" ng-click="inc(product.BasketItem.id)"><i class="fa fa-plus-square"></i></a>
                     </div>
                 </td>
-                <td>{{(product.price*product.basketItem.quantity).toFixed(2)}}</td>
+                <td>{{(product.price*product.BasketItem.quantity).toFixed(2)}}</td>
                 <td>
                     <div class="btn-group">
-                        <a class="btn btn-default btn-xs" ng-click="delete(product.basketItem.id)"><i class="fa fa-trash-o"></i></a>
+                        <a class="btn btn-default btn-xs" ng-click="delete(product.BasketItem.id)"><i class="fa fa-trash-o"></i></a>
                     </div>
                 </td>
             </tr>

ftp/package.json.bak

@@ -1,6 +1,6 @@
 {
   "name": "juice-shop",
-  "version": "5.0.0-SNAPSHOT",
+  "version": "5.1.0-SNAPSHOT",
   "description": "An intentionally insecure JavaScript Web Application",
   "homepage": "https://www.owasp.org/index.php/OWASP_Juice_Shop_Project",
   "author": "Björn Kimminich <[email protected]> (https://www.owasp.org/index.php/User:Bjoern_Kimminich)",
@@ -43,11 +43,11 @@
     "cookie-parser": "~1.4",
     "cors": "~2.8",
     "dottie": "~2.0",
-    "errorhandler": "~1.5",
     "epilogue-js": "~0.7",
+    "errorhandler": "~1.5",
     "express": "~4.15",
     "express-jwt": "~5.3",
-    "fs-extra": "^3.0.0",
+    "fs-extra": "~4.0",
     "glob": "~5.0",
     "grunt": "~1.0",
     "grunt-angular-templates": "~1.1",
@@ -58,19 +58,19 @@
     "grunt-contrib-uglify": "~3.0",
     "grunt-text-replace": "~0.4",
     "hashids": "~1.1",
-    "helmet": "~3.6",
+    "helmet": "~3.8",
     "html-entities": "~1.2",
-    "js-yaml": "3.8.2",
-    "jsonwebtoken": "~7.4",
+    "js-yaml": "3.9",
+    "jsonwebtoken": "~8",
     "jssha": "~2.3",
+    "marsdb": "^0.6.11",
     "morgan": "~1.8",
     "multer": "~1.3",
     "pdfkit": "~0.8",
     "replace": "~0.3",
     "request": "~2.81.0",
     "sanitize-html": "1.4.2",
-    "sequelize": "~1.7",
-    "sequelize-restful": "~0.4",
+    "sequelize": "~4",
     "serve-favicon": "~2.4",
     "serve-index": "~1.9",
     "socket.io": "~2.0",
@@ -81,14 +81,13 @@
     "chai": "~4",
     "codeclimate-test-reporter": "~0.5",
     "cross-spawn": "~5.1",
-    "form-data": "~2.2",
+    "form-data": "~2.3",
     "frisby": "~2.0",
     "http-server": "~0.10",
-    "istanbul": "~0.4",
     "jasmine-reporters": "~2.2",
-    "jest": "~20",
+    "jest": "~21",
     "karma": "~1.7",
-    "karma-chrome-launcher": "~2.1",
+    "karma-chrome-launcher": "~2.2",
     "karma-cli": "~1.0",
     "karma-coverage": "~1.1",
     "karma-firefox-launcher": "~1.0",
@@ -99,11 +98,11 @@
     "lcov-result-merger": "~1.2",
     "mocha": "~3",
     "nyc": "~11",
-    "phantomjs-prebuilt": "~2.1",
-    "protractor": "~4",
+    "phantomjs-prebuilt": "~2",
+    "protractor": "~5",
     "shelljs": "~0.7",
-    "sinon": "~2.3",
-    "sinon-chai": "~2.12",
+    "sinon": "~3",
+    "sinon-chai": "~2.13",
     "socket.io-client": "~2.0",
     "standard": "~10",
     "stryker": "~0",
@@ -113,9 +112,6 @@
     "stryker-karma-runner": "~0",
     "stryker-mocha-runner": "~0"
   },
-  "peerDependencies": {
-    "phantomjs-prebuilt": "~2.1"
-  },
   "repository": {
     "type": "git",
     "url": "https://github.com/bkimminich/juice-shop.git"
@@ -127,8 +123,8 @@
   "scripts": {
     "postinstall": "bower install && grunt minify && grunt docker",
     "start": "node app",
-    "test": "standard && karma start karma.conf.js && nyc mocha test/server",
-    "frisby": "istanbul cover ./test/apiTests.js",
+    "test": "standard && karma start karma.conf.js && nyc --report-dir=./build/reports/coverage/server-tests mocha test/server",
+    "frisby": "nyc --report-dir=./build/reports/coverage/api-tests node ./test/apiTests.js",
     "preupdate-webdriver": "npm install",
     "update-webdriver": "webdriver-manager update",
     "preprotractor": "npm run update-webdriver",
@@ -165,8 +161,7 @@
     "reporter": [
       "lcov",
       "text-summary"
-    ],
-    "report-dir": "./build/reports/coverage/server-tests"
+    ]
   },
   "jest": {
     "testMatch": [

lib/utils.js

@@ -85,7 +85,7 @@ exports.ctfFlag = text => {
 exports.solve = function (challenge, isRestore) {
   const self = this
   challenge.solved = true
-  challenge.save().success(solvedChallenge => {
+  challenge.save().then(solvedChallenge => {
     solvedChallenge.description = entities.decode(sanitizeHtml(solvedChallenge.description, {
       allowedTags: [],
       allowedAttributes: []

models/basket.js

@@ -2,13 +2,12 @@
 module.exports = (sequelize, DataTypes) => {
   const Basket = sequelize.define('Basket', {
     coupon: DataTypes.STRING
-  },
-    {
-      classMethods: {
-        associate: function (models) {
-          Basket.belongsTo(models.User, { constraints: true, foreignKeyConstraint: true })
-          Basket.hasMany(models.Product, {through: models.BasketItem})
-        }}}
-    )
+  })
+
+  Basket.associate = function (models) {
+    Basket.belongsTo(models.User, { constraints: true, foreignKeyConstraint: true })
+    Basket.belongsToMany(models.Product, { through: models.BasketItem })
+  }
+
   return Basket
 }

models/complaint.js

@@ -3,13 +3,11 @@ module.exports = (sequelize, DataTypes) => {
   const Complaint = sequelize.define('Complaint', {
     message: DataTypes.STRING,
     file: DataTypes.STRING
-  },
-    {
-      classMethods: {
-        associate: function (models) {
-          Complaint.belongsTo(models.User, { constraints: true, foreignKeyConstraint: true })
-        }
-      }
-    })
+  })
+
+  Complaint.associate = function (models) {
+    Complaint.belongsTo(models.User, { constraints: true, foreignKeyConstraint: true })
+  }
+
   return Complaint
 }

models/feedback.js

@@ -5,40 +5,30 @@ const challenges = require('../data/datacache').challenges
 
 module.exports = (sequelize, DataTypes) => {
   const Feedback = sequelize.define('Feedback', {
-    comment: DataTypes.STRING,
-    rating: DataTypes.INTEGER
-  },
-    {
-      classMethods: {
-        associate: function (models) {
-          Feedback.belongsTo(models.User) // no FK constraint to allow anonymous feedback posts
+    comment: {
+      type: DataTypes.STRING,
+      set (comment) {
+        const sanitizedComment = insecurity.sanitizeHtml(comment)
+        this.setDataValue('comment', sanitizedComment)
+        if (utils.notSolved(challenges.persistedXssChallengeFeedback) && utils.contains(sanitizedComment, '<script>alert("XSS4")</script>')) {
+          utils.solve(challenges.persistedXssChallengeFeedback)
         }
-      },
-
-      hooks: {
-        beforeCreate: function (feedback, fn) {
-          htmlSanitizationHook(feedback)
-          zeroFeedbackHook(feedback)
-          fn(null, feedback)
-        },
-        beforeUpdate: function (feedback, fn) {
-          htmlSanitizationHook(feedback)
-          fn(null, feedback)
+      }
+    },
+    rating: {
+      type: DataTypes.INTEGER,
+      set (rating) {
+        this.setDataValue('rating', rating)
+        if (utils.notSolved(challenges.zeroStarsChallenge) && (rating === 0 || rating === undefined)) {
+          utils.solve(challenges.zeroStarsChallenge)
         }
       }
-    })
-  return Feedback
-}
+    }
+  })
 
-function htmlSanitizationHook (feedback) {
-  feedback.comment = insecurity.sanitizeHtml(feedback.comment)
-  if (utils.notSolved(challenges.persistedXssChallengeFeedback) && utils.contains(feedback.comment, '<script>alert("XSS4")</script>')) {
-    utils.solve(challenges.persistedXssChallengeFeedback)
+  Feedback.associate = function (models) {
+    Feedback.belongsTo(models.User) // no FK constraint to allow anonymous feedback posts
   }
-}
 
-function zeroFeedbackHook (feedback) {
-  if (utils.notSolved(challenges.zeroStarsChallenge) && (feedback.rating === 0 || feedback.rating === undefined)) {
-    utils.solve(challenges.zeroStarsChallenge)
-  }
+  return Feedback
 }

models/product.js

@@ -5,31 +5,22 @@ const challenges = require('../data/datacache').challenges
 module.exports = (sequelize, DataTypes) => {
   const Product = sequelize.define('Product', {
     name: DataTypes.STRING,
-    description: DataTypes.STRING,
+    description: {
+      type: DataTypes.STRING,
+      set (description) {
+        if (utils.notSolved(challenges.restfulXssChallenge) && utils.contains(description, '<script>alert("XSS3")</script>')) {
+          utils.solve(challenges.restfulXssChallenge)
+        }
+        this.setDataValue('description', description)
+      }
+    },
     price: DataTypes.DECIMAL,
     image: DataTypes.STRING
-  }, {
-    paranoid: true,
-    classMethods: {
-      associate: function (models) {
-        Product.hasMany(models.Basket, {through: models.BasketItem})
-      }},
+  }, { paranoid: true })
 
-    hooks: {
-      beforeCreate: function (product, fn) {
-        xssChallengeProductHook(product)
-        fn(null, product)
-      },
-      beforeUpdate: function (product, fn) {
-        xssChallengeProductHook(product)
-        fn(null, product)
-      }
-    }})
-  return Product
-}
-
-function xssChallengeProductHook (product) {
-  if (utils.notSolved(challenges.restfulXssChallenge) && utils.contains(product.description, '<script>alert("XSS3")</script>')) {
-    utils.solve(challenges.restfulXssChallenge)
+  Product.associate = function (models) {
+    Product.belongsToMany(models.Basket, { through: models.BasketItem })
   }
+
+  return Product
 }

models/recycle.js

@@ -5,13 +5,11 @@ module.exports = (sequelize, DataTypes) => {
     address: DataTypes.STRING,
     isPickup: { type: DataTypes.BOOLEAN, defaultValue: false },
     date: DataTypes.DATE
-  },
-    {
-      classMethods: {
-        associate: function (models) {
-          Recycle.belongsTo(models.User, { constraints: true, foreignKeyConstraint: true })
-        }
-      }
-    })
+  })
+
+  Recycle.associate = function (models) {
+    Recycle.belongsTo(models.User, { constraints: true, foreignKeyConstraint: true })
+  }
+
   return Recycle
 }

models/securityAnswer.js

@@ -3,32 +3,19 @@ const insecurity = require('../lib/insecurity')
 
 module.exports = (sequelize, DataTypes) => {
   const SecurityAnswer = sequelize.define('SecurityAnswer', {
-    answer: DataTypes.STRING,
-    UserId: {type: DataTypes.INTEGER, unique: true}
-  },
-    {
-      classMethods: {
-        associate: function (models) {
-          SecurityAnswer.belongsTo(models.User)
-          SecurityAnswer.belongsTo(models.SecurityQuestion, { constraints: true, foreignKeyConstraint: true })
-        }
-      },
-      hooks: {
-        beforeCreate: function (answer, fn) {
-          hmacAnswerHook(answer)
-          fn(null, answer)
-        },
-        beforeUpdate: function (answer, fn) { // Pitfall: Will hash the hashed answer again if answer was not updated!
-          hmacAnswerHook(answer)
-          fn(null, answer)
-        }
+    answer: {
+      type: DataTypes.STRING,
+      set (answer) {
+        this.setDataValue('answer', insecurity.hmac(answer))
       }
-    })
-  return SecurityAnswer
-}
+    },
+    UserId: { type: DataTypes.INTEGER, unique: true }
+  })
 
-function hmacAnswerHook (answer) {
-  if (answer.answer) {
-    answer.answer = insecurity.hmac(answer.answer)
-  };
+  SecurityAnswer.associate = function (models) {
+    SecurityAnswer.belongsTo(models.User)
+    SecurityAnswer.belongsTo(models.SecurityQuestion, { constraints: true, foreignKeyConstraint: true })
+  }
+
+  return SecurityAnswer
 }