Updated to sequelize4

- Updated sequelize dependency version
- Changed .success to .then
- Changed the model hooks to setter methods

lib/utils.js

@@ -85,7 +85,7 @@ exports.ctfFlag = text => {
 exports.solve = function (challenge, isRestore) {
   const self = this
   challenge.solved = true
-  challenge.save().success(solvedChallenge => {
+  challenge.save().then(solvedChallenge => {
     solvedChallenge.description = entities.decode(sanitizeHtml(solvedChallenge.description, {
       allowedTags: [],
       allowedAttributes: []

models/feedback.js

@@ -5,40 +5,31 @@ const challenges = require('../data/datacache').challenges
 
 module.exports = (sequelize, DataTypes) => {
   const Feedback = sequelize.define('Feedback', {
-    comment: DataTypes.STRING,
-    rating: DataTypes.INTEGER
+    comment: {
+        type: DataTypes.STRING,
+        set(comment) {
+            this.setDataValue('answer', insecurity.sanitizeHtml(comment));
+            if (utils.notSolved(challenges.persistedXssChallengeFeedback) && utils.contains(comment, '<script>alert("XSS4")</script>')) {
+              utils.solve(challenges.persistedXssChallengeFeedback)
+            }
+        }
+    },
+    rating: {
+        type: DataTypes.INTEGER,
+        set(rating) {
+            this.setDataValue('rating', insecurity.sanitizeHtml(rating));
+            if (utils.notSolved(challenges.zeroStarsChallenge) && (rating === 0 || rating === undefined)) {
+              utils.solve(challenges.zeroStarsChallenge)
+            }
+        }
+    }
   },
     {
       classMethods: {
         associate: function (models) {
           Feedback.belongsTo(models.User) // no FK constraint to allow anonymous feedback posts
         }
-      },
-
-      hooks: {
-        beforeCreate: function (feedback, fn) {
-          htmlSanitizationHook(feedback)
-          zeroFeedbackHook(feedback)
-          fn(null, feedback)
-        },
-        beforeUpdate: function (feedback, fn) {
-          htmlSanitizationHook(feedback)
-          fn(null, feedback)
-        }
       }
     })
   return Feedback
 }
-
-function htmlSanitizationHook (feedback) {
-  feedback.comment = insecurity.sanitizeHtml(feedback.comment)
-  if (utils.notSolved(challenges.persistedXssChallengeFeedback) && utils.contains(feedback.comment, '<script>alert("XSS4")</script>')) {
-    utils.solve(challenges.persistedXssChallengeFeedback)
-  }
-}
-
-function zeroFeedbackHook (feedback) {
-  if (utils.notSolved(challenges.zeroStarsChallenge) && (feedback.rating === 0 || feedback.rating === undefined)) {
-    utils.solve(challenges.zeroStarsChallenge)
-  }
-}

models/product.js

@@ -5,31 +5,30 @@ const challenges = require('../data/datacache').challenges
 module.exports = (sequelize, DataTypes) => {
   const Product = sequelize.define('Product', {
     name: DataTypes.STRING,
-    description: DataTypes.STRING,
+    description: {
+        type: DataTypes.STRING,
+        set(description) {
+            if (utils.notSolved(challenges.restfulXssChallenge) && utils.contains(description, '<script>alert("XSS3")</script>')) {
+              utils.solve(challenges.restfulXssChallenge)
+            }
+            this.setDataValue('description', description);
+        }
+    },
     price: DataTypes.DECIMAL,
     image: DataTypes.STRING
   }, {
     paranoid: true,
     classMethods: {
       associate: function (models) {
         Product.hasMany(models.Basket, {through: models.BasketItem})
-      }},
-
-    hooks: {
-      beforeCreate: function (product, fn) {
-        xssChallengeProductHook(product)
-        fn(null, product)
-      },
-      beforeUpdate: function (product, fn) {
-        xssChallengeProductHook(product)
-        fn(null, product)
       }
-    }})
+    },
+  })
   return Product
 }
 
 function xssChallengeProductHook (product) {
-  if (utils.notSolved(challenges.restfulXssChallenge) && utils.contains(product.description, '<script>alert("XSS3")</script>')) {
+  if (utils.notSolved(challenges.restfulXssChallenge) && utils.contains(description, '<script>alert("XSS3")</script>')) {
     utils.solve(challenges.restfulXssChallenge)
   }
 }

models/securityAnswer.js

@@ -3,7 +3,12 @@ const insecurity = require('../lib/insecurity')
 
 module.exports = (sequelize, DataTypes) => {
   const SecurityAnswer = sequelize.define('SecurityAnswer', {
-    answer: DataTypes.STRING,
+    answer: {
+        type: DataTypes.STRING,
+        set(answer) {
+            this.setDataValue('answer', insecurity.hmac(answer));
+        }
+    },
     UserId: {type: DataTypes.INTEGER, unique: true}
   },
     {
@@ -12,23 +17,7 @@ module.exports = (sequelize, DataTypes) => {
           SecurityAnswer.belongsTo(models.User)
           SecurityAnswer.belongsTo(models.SecurityQuestion, { constraints: true, foreignKeyConstraint: true })
         }
-      },
-      hooks: {
-        beforeCreate: function (answer, fn) {
-          hmacAnswerHook(answer)
-          fn(null, answer)
-        },
-        beforeUpdate: function (answer, fn) { // Pitfall: Will hash the hashed answer again if answer was not updated!
-          hmacAnswerHook(answer)
-          fn(null, answer)
-        }
       }
     })
   return SecurityAnswer
 }
-
-function hmacAnswerHook (answer) {
-  if (answer.answer) {
-    answer.answer = insecurity.hmac(answer.answer)
-  };
-}

models/user.js

@@ -5,33 +5,23 @@ const challenges = require('../data/datacache').challenges
 
 module.exports = (sequelize, DataTypes) => {
   const User = sequelize.define('User', {
-    email: {type: DataTypes.STRING, unique: true},
-    password: DataTypes.STRING
-  },
-    {
-      hooks: {
-        beforeCreate: function (user, fn) {
-          hashPasswordHook(user)
-          xssChallengeUserHook(user)
-          fn(null, user)
-        },
-        beforeUpdate: function (user, fn) { // Pitfall: Will hash the hashed password again if password was not updated!
-          hashPasswordHook(user)
-          fn(null, user)
+    email: {
+        type: DataTypes.STRING,
+        unique: true,
+        set(email) {
+            if (utils.notSolved(challenges.persistedXssChallengeUser) && utils.contains(user.email, '<script>alert("XSS2")</script>')) {
+              utils.solve(challenges.persistedXssChallengeUser)
+            }
+            this.setDataValue('email', email);
         }
-      }}
-    )
-  return User
-}
-
-function hashPasswordHook (user) {
-  if (user.password) {
-    user.password = insecurity.hash(user.password)
-  };
-}
+    },
+    password: {
+        type: DataTypes.STRING,
+        set(clearTextPassword) {
+          this.setDataValue('password', insecurity.hash(clearTextPassword));
+        }
+    }
+  })
 
-function xssChallengeUserHook (user) {
-  if (utils.notSolved(challenges.persistedXssChallengeUser) && utils.contains(user.email, '<script>alert("XSS2")</script>')) {
-    utils.solve(challenges.persistedXssChallengeUser)
-  }
+  return User
 }

package.json

@@ -70,7 +70,7 @@
     "replace": "~0.3",
     "request": "~2.81.0",
     "sanitize-html": "1.4.2",
-    "sequelize": "~1.7",
+    "sequelize": "~4",
     "sequelize-restful": "~0.4",
     "serve-favicon": "~2.4",
     "serve-index": "~1.9",

routes/authenticatedUsers.js

@@ -4,7 +4,7 @@ const models = require('../models/index')
 
 exports = module.exports = function retrieveUserList () {
   return (req, res, next) => {
-    models.User.findAll().success(users => {
+    models.User.findAll().then(users => {
       const usersWithLoginStatus = utils.queryResultToJson(users)
       usersWithLoginStatus.data.forEach(user => {
         user.token = insecurity.authenticatedUsers.tokenOf(user)

routes/basket.js

@@ -7,7 +7,7 @@ exports = module.exports = function retrieveBasket () {
   return (req, res, next) => {
     const id = req.params.id
     models.Basket.find({ where: { id: id }, include: [ models.Product ] })
-      .success(basket => {
+      .then(basket => {
         /* jshint eqeqeq:false */
         if (utils.notSolved(challenges.basketChallenge)) {
           const user = insecurity.authenticatedUsers.from(req)

routes/changePassword.js

@@ -19,8 +19,8 @@ exports = module.exports = function changePassword () {
         if (currentPassword && insecurity.hash(currentPassword) !== loggedInUser.data.password) {
           res.status(401).send('Current password is not correct.')
         } else {
-          models.User.find(loggedInUser.data.id).success(user => {
-            user.updateAttributes({ password: newPassword }).success(user => {
+          models.User.find(loggedInUser.data.id).then(user => {
+            user.updateAttributes({ password: newPassword }).then(user => {
               if (utils.notSolved(challenges.csrfChallenge) && user.id === 3) {
                 if (user.password === insecurity.hash('slurmCl4ssic')) {
                   utils.solve(challenges.csrfChallenge)

routes/coupon.js

@@ -7,9 +7,9 @@ exports = module.exports = function applyCoupon () {
     let coupon = req.params.coupon ? decodeURIComponent(req.params.coupon) : undefined
     const discount = insecurity.discountFromCoupon(coupon)
     coupon = discount ? coupon : null
-    models.Basket.find(id).success(basket => {
+    models.Basket.find(id).then(basket => {
       if (basket) {
-        basket.updateAttributes({ coupon: coupon }).success(() => {
+        basket.updateAttributes({ coupon: coupon }).then(() => {
           if (discount) {
             res.json({ discount: discount })
           } else {

routes/login.js

@@ -13,7 +13,7 @@ exports = module.exports = function login () {
     } else if (utils.notSolved(challenges.loginBenderChallenge) && user.data.id === 3) {
       utils.solve(challenges.loginBenderChallenge)
     }
-    models.Basket.findOrCreate({ UserId: user.data.id }).success(basket => {
+    models.Basket.findOrCreate({ UserId: user.data.id }).then(basket => {
       const token = insecurity.authorize(user)
       user.bid = basket.id // keep track of original basket for challenge solution check
       insecurity.authenticatedUsers.put(token, user)
@@ -34,12 +34,12 @@ exports = module.exports = function login () {
       utils.solve(challenges.oauthUserPasswordChallenge)
     }
     models.sequelize.query('SELECT * FROM Users WHERE email = \'' + (req.body.email || '') + '\' AND password = \'' + insecurity.hash(req.body.password || '') + '\'', models.User, { plain: true })
-      .success(authenticatedUser => {
+      .then(authenticatedUser => {
         let user = utils.queryResultToJson(authenticatedUser)
 
         const rememberedEmail = insecurity.userEmailFrom(req)
         if (rememberedEmail && req.body.oauth) {
-          models.User.find({ where: {email: rememberedEmail} }).success(rememberedUser => {
+          models.User.find({ where: {email: rememberedEmail} }).then(rememberedUser => {
             user = utils.queryResultToJson(rememberedUser)
             if (utils.notSolved(challenges.loginCisoChallenge) && user.data.id === 5) {
               utils.solve(challenges.loginCisoChallenge)

routes/order.js

@@ -11,7 +11,7 @@ exports = module.exports = function placeOrder () {
   return (req, res, next) => {
     const id = req.params.id
     models.Basket.find({ where: { id: id }, include: [ models.Product ] })
-      .success(basket => {
+      .then(basket => {
         if (basket) {
           const customer = insecurity.authenticatedUsers.from(req)
           const orderNo = insecurity.hash(new Date() + '_' + id)

routes/resetPassword.js

@@ -21,10 +21,10 @@ exports = module.exports = function resetPassword () {
           model: models.User,
           where: { email: email }
         }]
-      }).success(data => {
+      }).then(data => {
         if (insecurity.hmac(answer) === data.answer) {
-          models.User.find(data.UserId).success(user => {
-            user.updateAttributes({ password: newPassword }).success(user => {
+          models.User.find(data.UserId).then(user => {
+            user.updateAttributes({ password: newPassword }).then(user => {
               if (utils.notSolved(challenges.resetPasswordJimChallenge) && user.id === 2 && answer === 'Samuel') {
                 utils.solve(challenges.resetPasswordJimChallenge)
               }

routes/search.js

@@ -9,11 +9,11 @@ exports = module.exports = function searchProducts () {
       utils.solve(challenges.localXssChallenge)
     }
     models.sequelize.query('SELECT * FROM Products WHERE ((name LIKE \'%' + criteria + '%\' OR description LIKE \'%' + criteria + '%\') AND deletedAt IS NULL) ORDER BY name')
-      .success(products => {
+      .then(products => {
         if (utils.notSolved(challenges.unionSqlInjectionChallenge)) {
           const dataString = JSON.stringify(products)
           let solved = true
-          models.User.findAll().success(data => {
+          models.User.findAll().then(data => {
             const users = utils.queryResultToJson(data)
             if (users.data && users.data.length) {
               for (let i = 0; i < users.data.length; i++) {

routes/securityQuestion.js

@@ -8,9 +8,9 @@ exports = module.exports = function securityQuestion () {
         model: models.User,
         where: { email: email }
       }]
-    }).success(answer => {
+    }).then(answer => {
       if (answer) {
-        models.SecurityQuestion.find(answer.SecurityQuestionId).success(question => {
+        models.SecurityQuestion.find(answer.SecurityQuestionId).then(question => {
           res.json({ question: question })
         }).error(error => {
           next(error)

routes/verify.js

@@ -41,7 +41,7 @@ exports.errorHandlingChallenge = () => (err, req, res, next) => {
 
 exports.databaseRelatedChallenges = () => (req, res, next) => {
   if (utils.notSolved(challenges.changeProductChallenge) && products.osaft) {
-    products.osaft.reload().success(() => {
+    products.osaft.reload().then(() => {
       if (!utils.contains(products.osaft.description, 'https://www.owasp.org/index.php/O-Saft')) {
         if (utils.contains(products.osaft.description, '<a href="http://kimminich.de" target="_blank">More...</a>')) {
           utils.solve(challenges.changeProductChallenge)
@@ -50,47 +50,47 @@ exports.databaseRelatedChallenges = () => (req, res, next) => {
     })
   }
   if (utils.notSolved(challenges.feedbackChallenge)) {
-    models.Feedback.findAndCountAll({ where: { rating: 5 } }).success(feedbacks => {
+    models.Feedback.findAndCountAll({ where: { rating: 5 } }).then(feedbacks => {
       if (feedbacks.count === 0) {
         utils.solve(challenges.feedbackChallenge)
       }
     })
   }
   if (utils.notSolved(challenges.knownVulnerableComponentChallenge)) {
     models.Feedback.findAndCountAll({ where: models.Sequelize.or(models.Sequelize.and([ 'comment LIKE \'%sanitize-html%\'' ], [ 'comment LIKE \'%1.4.2%\'' ]), models.Sequelize.and([ 'comment LIKE \'%sequelize%\'' ], [ 'comment LIKE \'%1.7%\'' ])) }
-    ).success(data => {
+    ).then(data => {
       if (data.count > 0) {
         utils.solve(challenges.knownVulnerableComponentChallenge)
       }
     })
   }
   if (utils.notSolved(challenges.weirdCryptoChallenge)) {
     models.Feedback.findAndCountAll({ where: models.Sequelize.or([ 'comment LIKE \'%z85%\'' ], [ 'comment LIKE \'%base85%\'' ], [ 'comment LIKE \'%hashids%\'' ], [ 'comment LIKE \'%md5%\'' ], [ 'comment LIKE \'%base64%\'' ]) }
-    ).success(data => {
+    ).then(data => {
       if (data.count > 0) {
         utils.solve(challenges.weirdCryptoChallenge)
       }
     })
   }
   if (utils.notSolved(challenges.jwtSecretChallenge)) {
     models.Feedback.findAndCountAll({ where: 'comment LIKE \'%' + insecurity.defaultSecret + '%\'' }
-    ).success(data => {
+    ).then(data => {
       if (data.count > 0) {
         utils.solve(challenges.jwtSecretChallenge)
       }
     })
   }
   if (utils.notSolved(challenges.typosquattingNpmChallenge)) {
     models.Feedback.findAndCountAll({ where: 'comment LIKE \'%epilogue-js%\'' }
-    ).success(data => {
+    ).then(data => {
       if (data.count > 0) {
         utils.solve(challenges.typosquattingNpmChallenge)
       }
     })
   }
   if (utils.notSolved(challenges.typosquattingBowerChallenge)) {
     models.Feedback.findAndCountAll({ where: 'comment LIKE \'%angular-tooltipp%\'' }
-    ).success(data => {
+    ).then(data => {
       if (data.count > 0) {
         utils.solve(challenges.typosquattingBowerChallenge)
       }