Merge pull request #2 from DataDog/emilehugo.spir/prepare-release

Prepare for release

README.md

@@ -318,6 +318,18 @@ The OWASP Juice Shop core project team are:
 For a list of all contributors to the OWASP Juice Shop please visit our
 [HALL_OF_FAME.md](HALL_OF_FAME.md).
 
+### Datadog customizations
+
+This repo is a fork of the main project with the following changes applied:
+
+- Datadog's Node.js tracer installed and configured by default
+- SDK integration enabling the Datadog tracer to track:
+   - User logins
+   - User signups
+   - User activity
+   - Sensitive actions
+- Update the application's configuration to enable a few more vulnerabilities (SSTI, RCE...)
+
 ## Licensing
 
 [![license](https://img.shields.io/github/license/bkimminich/juice-shop.svg)](LICENSE)

lib/insecurity.ts

@@ -93,12 +93,12 @@ const authenticatedUsers: IAuthenticatedUsers = {
       return undefined
     }
     const user = this.tokenMap[utils.unquote(token)]
-    if(user) {
+    if (user?.data) {
       tracer.setUser({
         id: user.data.email,
         ref: user.data.id,
-        role: user.data.id === user.data.id ? 'admin' : 'user'
-      });
+        role: user.data.id === users.admin.id ? 'admin' : 'user'
+      })
     }
     return user
   },
@@ -208,13 +208,15 @@ exports.appendUserId = () => {
   return (req: Request, res: Response, next: NextFunction) => {
     try {
       const user = authenticatedUsers.tokenMap[utils.jwtFrom(req)]
-      tracer.setUser({
-        id: user.data.email,
-        ref: user.data.id,
-        role: user.data.id === users.admin.id ? 'admin' : 'user'
-      })
-
-      req.body.UserId = user.data.id
+      if (user?.data) {
+        tracer.setUser({
+          id: user.data.email,
+          ref: user.data.id,
+          role: user.data.id === users.admin.id ? 'admin' : 'user'
+        })
+
+        req.body.UserId = user.data.id
+      }
       next()
     } catch (error: any) {
       res.status(401).json({ status: 'error', message: error })

package.json

@@ -117,6 +117,7 @@
     "config": "^3.3.7",
     "cookie-parser": "^1.4.5",
     "cors": "^2.8.5",
+    "dd-trace": ">=4.2.0",
     "dottie": "^2.0.2",
     "download": "^8.0.0",
     "errorhandler": "^1.5.1",

routes/captcha.ts

@@ -42,12 +42,12 @@ captchas.verifyCaptcha = () => (req: Request, res: Response, next: NextFunction)
       tracer.appsec.trackCustomEvent('activity.sensitive', {
         name: 'captcha_solve',
         success: true
-      });
+      })
     } else {
       tracer.appsec.trackCustomEvent('activity.sensitive', {
         name: 'captcha_solve',
         success: false
-      });
+      })
       res.status(401).send(res.__('Wrong answer to CAPTCHA. Please try again.'))
     }
   }).catch((error: Error) => {

routes/profileImageUrlUpload.ts

@@ -15,7 +15,6 @@ const logger = require('../lib/logger')
 module.exports = function profileImageUrlUpload () {
   return (req: Request, res: Response, next: NextFunction) => {
     if (req.body.imageUrl !== undefined) {
-      const mainRes = res;
       const url = req.body.imageUrl
       if (url.match(/(.)*solve\/challenges\/server-side(.)*/) !== null) req.app.locals.abused_ssrf_bug = true
       const loggedInUser = security.authenticatedUsers.get(req.cookies.token)
@@ -25,26 +24,19 @@ module.exports = function profileImageUrlUpload () {
           .on('error', function (err: unknown) {
             UserModel.findByPk(loggedInUser.data.id).then(async (user: UserModel | null) => { return await user?.update({ profileImage: url }) }).catch((error: Error) => { next(error) })
             logger.warn(`Error retrieving user profile image: ${utils.getErrorMessage(err)}; using image link directly`)
-            res.location(process.env.BASE_PATH + '/profile');
-            res.redirect(process.env.BASE_PATH + '/profile');
           })
           .on('response', function (res: Response) {
             if (res.statusCode === 200) {
               const ext = ['jpg', 'jpeg', 'png', 'svg', 'gif'].includes(url.split('.').slice(-1)[0].toLowerCase()) ? url.split('.').slice(-1)[0].toLowerCase() : 'jpg'
               imageRequest.pipe(fs.createWriteStream(`frontend/dist/frontend/assets/public/images/uploads/${loggedInUser.data.id}.${ext}`))
               UserModel.findByPk(loggedInUser.data.id).then(async (user: UserModel | null) => { return await user?.update({ profileImage: `/assets/public/images/uploads/${loggedInUser.data.id}.${ext}` }) }).catch((error: Error) => { next(error) })
             } else UserModel.findByPk(loggedInUser.data.id).then(async (user: UserModel | null) => { return await user?.update({ profileImage: url }) }).catch((error: Error) => { next(error) })
-            mainRes.location(process.env.BASE_PATH + '/profile');
-            mainRes.redirect(process.env.BASE_PATH + '/profile');
           })
       } else {
         next(new Error('Blocked illegal activity by ' + req.socket.remoteAddress))
-        res.location(process.env.BASE_PATH + '/profile')
-        res.redirect(process.env.BASE_PATH + '/profile')
       }
-    } else {
-      res.location(process.env.BASE_PATH + '/profile')
-      res.redirect(process.env.BASE_PATH + '/profile')
     }
+    res.location(process.env.BASE_PATH + '/profile')
+    res.redirect(process.env.BASE_PATH + '/profile')
   }
 }

server.ts

@@ -2,6 +2,7 @@
  * Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
+import './tracer'
 import dataErasure from './routes/dataErasure'
 import fs = require('fs')
 import { Request, Response, NextFunction } from 'express'

tracer.ts

@@ -0,0 +1,5 @@
+import tracer from 'dd-trace'
+tracer.init({
+  appsec: true
+})
+export default tracer