diff --git a/app/routes/allocations.js b/app/routes/allocations.js index b45f1ab..4c2276e 100644 --- a/app/routes/allocations.js +++ b/app/routes/allocations.js @@ -1,6 +1,9 @@ const AllocationsDAO = require("../data/allocations-dao").AllocationsDAO; +const { + environmentalScripts +} = require("../../config/config"); -function AllocationsHandler (db) { +function AllocationsHandler(db) { "use strict"; const allocationsDAO = new AllocationsDAO(db); @@ -10,12 +13,20 @@ function AllocationsHandler (db) { // Fix for A4 Insecure DOR - take user id from session instead of from URL param const { userId } = req.session; */ - const {userId} = req.params; - const { threshold } = req.query + const { + userId + } = req.params; + const { + threshold + } = req.query allocationsDAO.getByUserIdAndThreshold(userId, threshold, (err, allocations) => { if (err) return next(err); - return res.render("allocations", { userId, allocations }); + return res.render("allocations", { + userId, + allocations, + environmentalScripts + }); }); }; } diff --git a/app/routes/benefits.js b/app/routes/benefits.js index 1e81895..edde31b 100644 --- a/app/routes/benefits.js +++ b/app/routes/benefits.js @@ -1,6 +1,11 @@ -const { BenefitsDAO } = require("../data/benefits-dao"); - -function BenefitsHandler (db) { +const { + BenefitsDAO +} = require("../data/benefits-dao"); +const { + environmentalScripts +} = require("../../config/config"); + +function BenefitsHandler(db) { "use strict"; const benefitsDAO = new BenefitsDAO(db); @@ -15,13 +20,17 @@ function BenefitsHandler (db) { users, user: { isAdmin: true - } + }, + environmentalScripts }); }); }; this.updateBenefits = (req, res, next) => { - const { userId, benefitStartDate } = req.body; + const { + userId, + benefitStartDate + } = req.body; benefitsDAO.updateBenefits(userId, benefitStartDate, (error) => { 
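Review bot: The rewritten `const { userId } = req.params;` in the second allocations hunk still takes the account owner from the URL, so any logged-in user can read another user's allocations by changing the path; the commented `const { userId } = req.session;` two lines above is the intended fix and should replace the `req.params` read instead of staying in a comment. `threshold` is likewise passed from `req.query` straight into `getByUserIdAndThreshold` without any type or range check; the DAO is out of view, so I cannot say how it uses the value, but it should be validated before it reaches the query, e.g. `if (!/^\d{1,3}$/.test(String(threshold))) return next(new Error("invalid threshold"));` — keeping it a string avoids changing what the DAO receives. The handler this hunk edits opens above the hunk, and the `AllocationsHandler` body from the first hunk continues past it.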
@@ -35,7 +44,8 @@ function BenefitsHandler (db) { user: { isAdmin: true }, - updateSuccess: true + updateSuccess: true, + environmentalScripts }; return res.render("benefits", data); diff --git a/app/routes/contributions.js b/app/routes/contributions.js index 14327c9..4808f06 100644 --- a/app/routes/contributions.js +++ b/app/routes/contributions.js @@ -1,19 +1,27 @@ const ContributionsDAO = require("../data/contributions-dao").ContributionsDAO; +const { + environmentalScripts +} = require("../../config/config"); /* The ContributionsHandler must be constructed with a connected db */ -function ContributionsHandler (db) { +function ContributionsHandler(db) { "use strict"; const contributionsDAO = new ContributionsDAO(db); this.displayContributions = (req, res, next) => { - const { userId } = req.session; + const { + userId + } = req.session; contributionsDAO.getByUserId(userId, (error, contrib) => { if (error) return next(error); contrib.userId = userId; //set for nav menu items - return res.render("contributions", contrib); + return res.render("contributions", { + ...contrib, + environmentalScripts + }); }); }; @@ -31,7 +39,9 @@ function ContributionsHandler (db) { const afterTax = parseInt(req.body.afterTax); const roth = parseInt(req.body.roth); */ - const { userId } = req.session; + const { + userId + } = req.session; //validate contributions const validations = [isNaN(preTax), isNaN(afterTax), isNaN(roth), preTax < 0, afterTax < 0, roth < 0] @@ -39,14 +49,16 @@ function ContributionsHandler (db) { if (isInvalid) { return res.render("contributions", { updateError: "Invalid contribution percentages", - userId + userId, + environmentalScripts }); } // Prevent more than 30% contributions if (preTax + afterTax + roth > 30) { return res.render("contributions", { updateError: "Contribution percentages cannot exceed 30 %", - userId + userId, + environmentalScripts }); } 
@@ -55,7 +67,10 @@ function ContributionsHandler (db) {
 if (err) return next(err);
 contributions.updateSuccess = true;
- return res.render("contributions", contributions);
+ return res.render("contributions", {
+ ...contributions,
+ environmentalScripts
+ });
 });
 };
diff --git a/app/routes/index.js b/app/routes/index.js
index 62ca639..48c888d 100644
--- a/app/routes/index.js
+++ b/app/routes/index.js
@@ -5,7 +5,9 @@ const ContributionsHandler = require("./contributions");
 const AllocationsHandler = require("./allocations");
 const MemosHandler = require("./memos");
 const ResearchHandler = require("./research");
-
+const {
+ environmentalScripts
+} = require("../../config/config");
 const ErrorHandler = require("./error").errorHandler;
 const index = (app, db) => {
@@ -74,12 +76,18 @@ const index = (app, db) => {
 // Handle redirect for learning resources link
 app.get("/tutorial", (req, res) => {
- return res.render("tutorial/a1");
+ return res.render("tutorial/a1", {
+ environmentalScripts
+ });
 });
-
+
 app.get("/tutorial/:page", (req, res) => {
- const { page } = req.params
- return res.render(`tutorial/${page}`);
+ const {
+ page
+ } = req.params
+ return res.render(`tutorial/${page}`, {
+ environmentalScripts
+ });
 });
 // Research Page
diff --git a/app/routes/memos.js b/app/routes/memos.js
index c70af0b..0bdc344 100644
--- a/app/routes/memos.js
+++ b/app/routes/memos.js
@@ -1,6 +1,9 @@
 const MemosDAO = require("../data/memos-dao").MemosDAO;
+const {
+ environmentalScripts
+} = require("../../config/config");
-function MemosHandler (db) {
+function MemosHandler(db) {
 "use strict";
 const memosDAO = new MemosDAO(db);
@@ -15,13 +18,16 @@ function MemosHandler (db) {
 this.displayMemos = (req, res, next) => {
- const { userId } = req.session;
+ const {
+ userId
+ } = req.session;
 memosDAO.getAllMemos((err, docs) => {
 if (err) return next(err);
 return res.render("memos", {
 memosList: docs,
- userId: userId
+ userId: userId,
+ environmentalScripts
 });
 });
 };
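Review bot: `res.render(`tutorial/${page}`, ...)` in the `/tutorial/:page` handler of index.js still builds the template path from a caller-controlled path segment with no allowlist, so a value containing `..` or other separators can select whichever view the engine resolves rather than a tutorial page, and an unknown name surfaces as a render error instead of a 404. Add a guard before the render, e.g. `if (!/^[a-z0-9]+$/i.test(page)) return res.sendStatus(404);`, or look `page` up in a fixed list of tutorial names. Whether this route sits behind the login middleware is not visible in the hunk.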
diff --git a/app/routes/profile.js b/app/routes/profile.js
index ea73b1d..9d2f924 100644
--- a/app/routes/profile.js
+++ b/app/routes/profile.js
@@ -1,14 +1,19 @@
 const ProfileDAO = require("../data/profile-dao").ProfileDAO;
 const ESAPI = require('node-esapi')
+const {
+ environmentalScripts
+} = require("../../config/config");
 /* The ProfileHandler must be constructed with a connected db */
-function ProfileHandler (db) {
+function ProfileHandler(db) {
 "use strict";
 const profile = new ProfileDAO(db);
 this.displayProfile = (req, res, next) => {
- const { userId } = req.session;
+ const {
+ userId
+ } = req.session;
@@ -25,13 +30,24 @@ function ProfileHandler (db) {
 // the context of a URL in a link header
 // doc.website = ESAPI.encoder().encodeForURL(doc.website)
- return res.render("profile", doc);
+ return res.render("profile", {
+ ...doc,
+ environmentalScripts
+ });
 });
 };
 this.handleProfileUpdate = (req, res, next) => {
- const {firstName, lastName, ssn, dob, address, bankAcc, bankRouting} = req.body;
+ const {
+ firstName,
+ lastName,
+ ssn,
+ dob,
+ address,
+ bankAcc,
+ bankRouting
+ } = req.body;
 // Fix for Section: ReDoS attack
 // The following regexPattern that is used to validate the bankRouting number is insecure and vulnerable to
@@ -54,11 +70,14 @@ function ProfileHandler (db) {
 dob,
 address,
 bankAcc,
- bankRouting
+ bankRouting,
+ environmentalScripts
 });
 }
- const { userId } = req.session;
+ const {
+ userId
+ } = req.session;
 profile.updateUser(
 parseInt(userId),
@@ -78,7 +97,10 @@ function ProfileHandler (db) {
 user.updateSuccess = true;
 user.userId = userId;
- return res.render("profile", user);
+ return res.render("profile", {
+ ...user,
+ environmentalScripts
+ });
 }
 );
diff --git a/app/routes/research.js b/app/routes/research.js
index 6923256..0645487 100644
--- a/app/routes/research.js
+++ b/app/routes/research.js
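Review bot: `parseInt(userId)` in the `@@ -54,11 +70,14 @@` hunk of profile.js still has no radix; use `Number.parseInt(userId, 10)` so a `0x`-prefixed value is not read as hex and the lint rule is satisfied. The same hunk re-renders the submitted `ssn`, `bankAcc` and `bankRouting` values back into the page on the validation-failure path; whether they are escaped depends on the template engine's autoescape setting, which this diff does not show, so that `res.render` call deserves a comment such as `// echoes raw submitted values; relies on template autoescaping`. The ReDoS comment at the end of the `@@ -25,13 +30,24 @@` hunk refers to a regex that sits below the hunk and is out of view.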
@@ -1,26 +1,33 @@ const ResearchDAO = require("../data/research-dao").ResearchDAO; const needle = require('needle'); +const { + environmentalScripts +} = require("../../config/config"); -function ResearchHandler (db) { +function ResearchHandler(db) { "use strict"; const researchDAO = new ResearchDAO(db); this.displayResearch = (req, res) => { - + if (req.query.symbol) { - const url = req.query.url+req.query.symbol; + const url = req.query.url + req.query.symbol; return needle.get(url, (error, newResponse) => { if (!error && newResponse.statusCode == 200) - res.writeHead(200, {'Content-Type': 'text/html'}); - res.write('

The following is the stock information you requested.

\n\n'); - res.write('\n\n'); - res.write(newResponse.body); - return res.end(); + res.writeHead(200, { + 'Content-Type': 'text/html' + }); + res.write('

The following is the stock information you requested.

\n\n'); + res.write('\n\n'); + res.write(newResponse.body); + return res.end(); }); } - - return res.render("research"); + + return res.render("research", { + environmentalScripts + }); }; } diff --git a/app/routes/session.js b/app/routes/session.js index 64a4e2a..90119c9 100644 --- a/app/routes/session.js +++ b/app/routes/session.js @@ -1,8 +1,11 @@ const UserDAO = require("../data/user-dao").UserDAO; const AllocationsDAO = require("../data/allocations-dao").AllocationsDAO; +const { + environmentalScripts +} = require("../../config/config"); /* The SessionHandler must be constructed with a connected db */ -function SessionHandler (db) { +function SessionHandler(db) { "use strict"; const userDAO = new UserDAO(db); @@ -22,16 +25,16 @@ function SessionHandler (db) { this.isAdminUserMiddleware = (req, res, next) => { if (req.session.userId) { return userDAO.getUserById(req.session.userId, (err, user) => user && user.isAdmin ? next() : res.redirect("/login")); - } + } console.log("redirecting to login"); return res.redirect("/login"); - + }; this.isLoggedInMiddleware = (req, res, next) => { if (req.session.userId) { return next(); - } + } console.log("redirecting to login"); return res.redirect("/login"); }; @@ -40,12 +43,16 @@ function SessionHandler (db) { return res.render("login", { userName: "", password: "", - loginError: "" + loginError: "", + environmentalScripts }); }; this.handleLoginRequest = (req, res, next) => { - const { userName, password } = req.body + const { + userName, + password + } = req.body userDAO.validateLogin(userName, password, (err, user) => { const errorMessage = "Invalid username and/or password"; const invalidUserNameErrorMessage = "Invalid username"; 
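Review bot: In `displayResearch` the request target is `req.query.url + req.query.symbol`, i.e. entirely caller-controlled, so the server fetches whatever URL the client names (internal hosts included) and then writes `newResponse.body` into a `text/html` response unescaped, reflecting arbitrary remote content into the user's browser. The `if (!error && newResponse.statusCode == 200)` has no braces, so only `res.writeHead` is conditional; on a failed request execution continues to `res.write(newResponse.body)` with `newResponse` undefined and throws inside the callback. The upstream host should be a server-side constant with only `symbol` taken from the request and validated, the error path should return early, and the body should be HTML-escaped (or served as `text/plain`) before it is written. Those changes replace most of the callback, so they are sketched below; `ResearchHandler` is fully contained in the hunk.
```javascript
this.displayResearch = (req, res) => {
    if (req.query.symbol) {
        const symbol = String(req.query.symbol);
        // Only the symbol comes from the caller. researchBaseUrl is a new, static
        // config value (e.g. next to hostName in config/env/all.js), never request data.
        if (!/^[A-Z0-9.]{1,10}$/i.test(symbol)) {
            return res.sendStatus(400);
        }
        const url = new URL(symbol, researchBaseUrl).href;

        return needle.get(url, (error, newResponse) => {
            if (error || newResponse.statusCode !== 200) {
                return res.sendStatus(502);
            }
            res.writeHead(200, {
                'Content-Type': 'text/html'
            });
            // … unchanged: static heading markup written with res.write …
            // The upstream body is untrusted: escape it instead of writing raw HTML.
            const escaped = String(newResponse.body).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
            res.write(escaped);
            return res.end();
        });
    }
    // … unchanged: res.render("research", { environmentalScripts }) …
};
```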
@@ -69,18 +76,19 @@ function SessionHandler (db) {
 return res.render("login", {
 userName: userName,
 password: "",
- loginError: invalidUserNameErrorMessage
+ loginError: invalidUserNameErrorMessage,
 //Fix for A2-2 Broken Auth - Uses identical error for both username, password error
 // loginError: errorMessage
+ environmentalScripts
 });
 } else if (err.invalidPassword) {
 return res.render("login", {
 userName: userName,
 password: "",
- loginError: invalidPasswordErrorMessage
+ loginError: invalidPasswordErrorMessage,
 //Fix for A2-2 Broken Auth - Uses identical error for both username, password error
 // loginError: errorMessage
-
+ environmentalScripts
 });
 } else {
 return next(err);
@@ -116,7 +124,8 @@ function SessionHandler (db) {
 email: "",
 userNameError: "",
 emailError: "",
- verifyError: ""
+ verifyError: "",
+ environmentalScripts
 });
 };
@@ -173,7 +182,14 @@ function SessionHandler (db) {
 this.handleSignup = (req, res, next) => {
- const { email, userName, firstName, lastName, password, verify } = req.body;
+ const {
+ email,
+ userName,
+ firstName,
+ lastName,
+ password,
+ verify
+ } = req.body;
 // set these up in case we have an error case
 const errors = {
@@ -189,7 +205,10 @@ function SessionHandler (db) {
 if (user) {
 errors.userNameError = "User name already in use. Please choose another";
- return res.render("signup", errors);
+ return res.render("signup", {
+ ...errors,
+ environmentalScripts
+ });
 }
 userDAO.addUser(userName, firstName, lastName, password, email, (err, user) => {
@@ -203,7 +222,7 @@ function SessionHandler (db) {
 if (err) return next(err);
 res.cookie("session", sessionId);
 req.session.userId = user._id;
- return res.render("dashboard", user);
+ return res.render("dashboard", { ...user, environmentalScripts });
 });
 */
 req.session.regenerate(() => {
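Review bot: Both login-failure branches in the `@@ -69,18 +76,19 @@` hunk of session.js still render distinct messages (`invalidUserNameErrorMessage` vs `invalidPasswordErrorMessage`), which lets a caller confirm which usernames exist; the fix is already spelled out in the adjacent comment and is a one-line change in each branch, `loginError: errorMessage,`, after which the two specific constants become unused. The same renders echo `userName` back into the page, so they rely on the template engine escaping it; the engine settings are not visible here. In the `@@ -203,7 +222,7 @@` hunk the context line `req.session.regenerate(() => {` ignores the error argument the callback receives; it should read `req.session.regenerate((err) => { if (err) return next(err);` — the rest of that callback lies outside the hunk.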
@@ -211,14 +230,20 @@ function SessionHandler (db) { // Set userId property. Required for left nav menu links user.userId = user._id; - return res.render("dashboard", user); + return res.render("dashboard", { + ...user, + environmentalScripts + }); }); }); }); } else { console.log("user did not validate"); - return res.render("signup", errors); + return res.render("signup", { + ...errors, + environmentalScripts + }); } }; @@ -235,7 +260,10 @@ function SessionHandler (db) { userDAO.getUserById(userId, (err, doc) => { if (err) return next(err); doc.userId = userId; - return res.render("dashboard", doc); + return res.render("dashboard", { + ...doc, + environmentalScripts + }); }); }; } diff --git a/app/views/layout.html b/app/views/layout.html index 6206deb..380ba41 100644 --- a/app/views/layout.html +++ b/app/views/layout.html @@ -121,11 +121,11 @@ - - + + {% for script in environmentalScripts %} + {{script}} + {% endfor %} - + \ No newline at end of file diff --git a/app/views/login.html b/app/views/login.html index b96266f..8fb9462 100644 --- a/app/views/login.html +++ b/app/views/login.html @@ -87,10 +87,10 @@ RetireEasy -
+
Employee Retirement Savings Management -
-
+
+
@@ -141,10 +141,11 @@ - + + {% for script in environmentalScripts %} + {{script}} + {% endfor %} - - + + {% for script in environmentalScripts %} + {{script}} + {% endfor %} diff --git a/app/views/tutorial/layout.html b/app/views/tutorial/layout.html index 1426b10..8a38257 100644 --- a/app/views/tutorial/layout.html +++ b/app/views/tutorial/layout.html @@ -91,10 +91,10 @@

{% block title %}{% endblock %} - - + + {% for script in environmentalScripts %} + {{script}} + {% endfor %} diff --git a/config/env/all.js b/config/env/all.js index fe7078f..b457698 100755 --- a/config/env/all.js +++ b/config/env/all.js @@ -12,5 +12,7 @@ module.exports = { cookieSecret: "session_cookie_secret_key_here", cryptoKey: "a_secure_key_for_crypto_here", cryptoAlgo: "aes256", - hostName: "localhost" + hostName: "localhost", + environmentalScripts: [] }; + diff --git a/config/env/development.js b/config/env/development.js index 40d92bb..0f2a209 100755 --- a/config/env/development.js +++ b/config/env/development.js @@ -5,5 +5,6 @@ module.exports = { // Required from Zap 2.4.1. This key is set in Zap Options -> API _Api Key. zapApiKey: "v9dn0balpqas1pcc281tn5ood1", // Required if debugging security regression tests. - zapApiFeedbackSpeed: 5000 // Milliseconds. + zapApiFeedbackSpeed: 5000, // Milliseconds. + environmentalScripts: [``] }; diff --git a/package-lock.json b/package-lock.json index 16cb387..787432a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -6770,8 +6770,7 @@ "version": "1.1.0", "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", "integrity": "sha1-PXz0Rk22RG6mRL9LOVB/mFEAjo4=", - "dev": true, - "optional": true + "dev": true }, "gauge": { "version": "2.6.0", @@ -6817,7 +6816,6 @@ "resolved": "https://registry.npmjs.org/string-width/-/string-width-1.0.2.tgz", "integrity": "sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=", "dev": true, - "optional": true, "requires": { "code-point-at": "^1.0.0", "is-fullwidth-code-point": "^1.0.0", @@ -6829,7 +6827,6 @@ "resolved": "https://registry.npmjs.org/code-point-at/-/code-point-at-1.0.0.tgz", "integrity": "sha1-9psZLT99keOC5Lcb3bd4eGGasMY=", "dev": true, - "optional": true, "requires": { "number-is-nan": "^1.0.0" }, 
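Review bot: `environmentalScripts` in `config/env/all.js` is a list of raw markup that the view layer inserts into every page (the `{{script}}` loop added to the layouts), so whatever lands in this array is delivered to every user on every page; the hunk adds the field without documenting that. Add a comment above it, e.g. `// environmentalScripts: raw HTML (script tags) injected unescaped into every page. Static, trusted markup only — never built from env vars or request data.` Whether the templates actually emit it unescaped depends on the engine's autoescape setting, which this diff does not show; if autoescaping is on, the development.js entry (whose content is not recoverable here) would render as inert text, which is worth confirming either way.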
@@ -6838,8 +6835,7 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.0.tgz", "integrity": "sha1-wCD1KcUoKt/dIz2R1LGBw9aG3Es=", - "dev": true, - "optional": true + "dev": true } } }, @@ -6848,7 +6844,6 @@ "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz", "integrity": "sha1-754xOG8DGn8NZDr4L95QxFfvAMs=", "dev": true, - "optional": true, "requires": { "number-is-nan": "^1.0.0" }, @@ -6857,8 +6852,7 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.0.tgz", "integrity": "sha1-wCD1KcUoKt/dIz2R1LGBw9aG3Es=", - "dev": true, - "optional": true + "dev": true } } } @@ -8147,7 +8141,6 @@ "resolved": "https://registry.npmjs.org/align-text/-/align-text-0.1.4.tgz", "integrity": "sha1-DNkKVhCT810KmSVsIrcGlDP60Rc=", "dev": true, - "optional": true, "requires": { "kind-of": "^3.0.2", "longest": "^1.0.1", @@ -9021,8 +9014,7 @@ "version": "1.0.1", "resolved": "https://registry.npmjs.org/longest/-/longest-1.0.1.tgz", "integrity": "sha1-MKCy2jj3N3DoKUoNIuZiXtd9AJc=", - "dev": true, - "optional": true + "dev": true }, "loose-envify": { "version": "1.2.0", @@ -12279,7 +12271,6 @@ "resolved": "https://registry.npmjs.org/boom/-/boom-0.4.2.tgz", "integrity": "sha1-emNune1O/O+xnO9JR6PGffrukRs=", "dev": true, - "optional": true, "requires": { "hoek": "0.9.x" } @@ -12346,8 +12337,7 @@ "version": "0.9.1", "resolved": "https://registry.npmjs.org/hoek/-/hoek-0.9.1.tgz", "integrity": "sha1-PTIkYrrfB3Fup+uFuviAec3c5QU=", - "dev": true, - "optional": true + "dev": true }, "http-signature": { "version": "0.10.1",