ci: integrate Bright CI pipeline for security testing and remediation

routes/order.ts

@@ -144,6 +144,7 @@ export function placeOrder () {
                 })
               } else {
                 next(new Error('Insufficient wallet balance.'))
+                return
               }
             }
             WalletModel.increment({ balance: totalPoints }, { where: { UserId: req.body.UserId } }).catch((error: unknown) => {

routes/search.ts

@@ -20,7 +20,10 @@ export function searchProducts () {
   return (req: Request, res: Response, next: NextFunction) => {
     let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
     criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
-    models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
+    models.sequelize.query('SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name', {
+      replacements: { criteria: `%${criteria}%` },
+      type: models.sequelize.QueryTypes.SELECT
+    })
       .then(([products]: any) => {
         const dataString = JSON.stringify(products)
         if (challengeUtils.notSolved(challenges.unionSqlInjectionChallenge)) { // vuln-code-snippet hide-start

server.ts

@@ -31,6 +31,7 @@ import securityTxt from 'express-security.txt'
 import { rateLimit } from 'express-rate-limit'
 import { getStream } from 'file-stream-rotator'
 import type { Request, Response, NextFunction } from 'express'
+import { AsyncLocalStorage } from 'node:async_hooks'
 
 import { sequelize } from './models'
 import { UserModel } from './models/user'
@@ -174,6 +175,25 @@ restoreOverwrittenFilesWithOriginals().then(() => {
   app.locals.abused_ssti_bug = false
   app.locals.abused_ssrf_bug = false
 
+  /* Unhandled rejections handling with AsyncLocalStorage */
+  const als = new AsyncLocalStorage()
+  app.use((req: Request, res: Response, next: NextFunction) => {
+    als.run({ res }, () => { next() })
+  })
+  const onFatal = (reason: any) => {
+    console.error('[unhandledRejection]', reason)
+
+    const store = als.getStore() as { res?: Response } | undefined
+    const res = store?.res
+
+    if (res && !res.headersSent && !res.writableEnded) {
+      res.status(500).json({ error: 'Internal server error' })
+    }
+  }
+
+  process.on('uncaughtException', onFatal)
+  process.on('unhandledRejection', onFatal)
+
   /* Compression for all requests */
   app.use(compression())
 
@@ -370,6 +390,7 @@ restoreOverwrittenFilesWithOriginals().then(() => {
   app.post('/api/Hints', security.denyAll())
   app.route('/api/Hints/:id')
     .get(security.denyAll())
+    .put(security.isAuthorized())
     .delete(security.denyAll())
   /* Complaints: POST and GET allowed when logged in only */
   app.get('/api/Complaints', security.isAuthorized())
@@ -641,7 +662,7 @@ restoreOverwrittenFilesWithOriginals().then(() => {
 
   /* File Serving */
   app.get('/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg', serveEasterEgg())
-  app.get('/this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us', servePremiumContent())
+  app.get('/this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc-to-us', servePremiumContent())
   app.get('/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility', servePrivacyPolicyProof())
 
   /* Route for dataerasure page */