Merge branch 'juice-shop:master' into master

srikharshashi · Jun 2, 2024 · 6c08019 · 6c08019
2 parents c0ff041 + 1c04f0e
commit 6c08019
Show file tree

Hide file tree

Showing 668 changed files with 2,643 additions and 3,582 deletions.
diff --git a/.eslintrc.js b/.eslintrc.js
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
  * SPDX-License-Identifier: MIT
  */
 
@@ -21,6 +21,7 @@ module.exports = {
     project: './tsconfig.json'
   },
   ignorePatterns: [
+    '.eslintrc.js',
     'app/private/**',
     'vagrant/**',
     'frontend/**',
@@ -34,11 +35,8 @@ module.exports = {
       rules: {
         'no-void': 'off', // conflicting with recommendation from @typescript-eslint/no-floating-promises
         // FIXME warnings below this line need to be checked and fixed.
-        '@typescript-eslint/no-misused-promises': 'off',
         '@typescript-eslint/explicit-function-return-type': 'off',
-        '@typescript-eslint/restrict-plus-operands': 'off',
         '@typescript-eslint/strict-boolean-expressions': 'off',
-        '@typescript-eslint/restrict-template-expressions': 'off',
         '@typescript-eslint/no-var-requires': 'off'
       }
     }

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,3 +1,3 @@
 /vagrant/ @wurstbrot
 /test/cypress/ @ShubhamPalriwala
-/frontend/src/app/score-board-preview @J12934
+/frontend/src/app/score-board @J12934
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,7 +18,8 @@ on:
       - 'data/static/i18n/*.json'
       - 'frontend/src/assets/i18n/*.json'
 env:
-  ANGULAR_CLI_VERSION: 15
+  NODE_DEFAULT_VERSION: 20
+  ANGULAR_CLI_VERSION: 17
   CYCLONEDX_NPM_VERSION: '^1.12.0'
 jobs:
   lint:
@@ -29,7 +30,7 @@ jobs:
       - name: "Use Node.js 18"
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1
         with:
-          node-version: 20
+          node-version: ${{ env.NODE_DEFAULT_VERSION }}
       - name: "Install CLI tools"
         run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION
       - name: "Install application minimalistically"
@@ -61,7 +62,7 @@ jobs:
       - name: "Use Node.js 18"
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1
         with:
-          node-version: 20
+          node-version: ${{ env.NODE_DEFAULT_VERSION }}
       - name: "Install CLI tools"
         run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION
       - name: "Install application"
@@ -183,7 +184,7 @@ jobs:
       - name: "Use Node.js 18"
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1
         with:
-          node-version: 20
+          node-version: ${{ env.NODE_DEFAULT_VERSION }}
       - name: "Install CLI tools"
         run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION
       - name: "Install application"
@@ -219,7 +220,7 @@ jobs:
       - name: "Use Node.js 18"
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1
         with:
-          node-version: 20
+          node-version: ${{ env.NODE_DEFAULT_VERSION }}
       - name: "Install CLI tools"
         run: npm install -g @angular/cli
       - name: "Install application"
@@ -260,7 +261,7 @@ jobs:
       - name: "Use Node.js 18"
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1
         with:
-          node-version: 20
+          node-version: ${{ env.NODE_DEFAULT_VERSION }}
       - name: "Install CLI tools"
         run: |
           npm install -g @angular/cli@$ANGULAR_CLI_VERSION

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,7 +4,7 @@ on:
     tags:
       - v*
 env:
-  ANGULAR_CLI_VERSION: 15
+  ANGULAR_CLI_VERSION: 17
   CYCLONEDX_NPM_VERSION: '^1.12.0'
 jobs:
   package:

diff --git a/.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json b/.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json
@@ -0,0 +1,121 @@
+{
+  "document": {
+    "acknowledgments": [
+      {
+        "organization": "OWASP Juice Shop",
+        "summary": "Probably the most modern and sophisticated insecure web application"
+      }
+    ],
+    "aggregate_severity": {
+      "text": "Critical"
+    },
+    "category": "csaf_security_advisory",
+    "csaf_version": "2.0",
+    "lang": "en",
+    "notes": [
+      {
+        "category": "legal_disclaimer",
+        "text": "The Juice Shop contains vulnerabilities. Only use it in an isolated. ONLY run the Juice Shop in a training environment.",
+        "title": "Isolated Env."
+      }
+    ],
+    "publisher": {
+      "category": "vendor",
+      "contact_details": "timo.pagel@owasp.org",
+      "issuing_authority": "OWASP Juice Shop",
+      "name": "OWASP Juice Shop Core Team",
+      "namespace": "https://github.com/juice-shop/juice-shop"
+    },
+    "title": "juice-shop-sa-20200513-express-jwt",
+    "tracking": {
+      "current_release_date": "2024-03-03T11:00:00.000Z",
+      "generator": {
+        "date": "2024-03-03T19:30:53.428Z",
+        "engine": {
+          "name": "Secvisogram",
+          "version": "2.5.0"
+        }
+      },
+      "id": "juice-shop-sa-20200513-express-jwt",
+      "initial_release_date": "2024-03-03T11:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-03-03T11:00:00.000Z",
+          "number": "1.0.0",
+          "summary": "Initial public release."
+        }
+      ],
+      "status": "final",
+      "version": "1.0.0"
+    }
+  },
+  "product_tree": {
+    "branches": [
+      {
+        "category": "product_version_range",
+        "name": ">=v6.0.0",
+        "product": {
+          "name": "OWASP Juice Shop",
+          "product_id": "juice-shop/juice-shop",
+          "product_identification_helper": {
+            "purl": "pkg:docker/bkimminich/juice-shop"
+          }
+        }
+      }
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-2020-15084",
+      "notes": [
+        {
+          "category": "details",
+          "text": "The Juice Shop is currently vulnerable to JWT null algorithm attacks . We will soon release a patch",
+          "title": "Vulnerable to Null JWT Algorithm"
+        }
+      ],
+      "product_status": {
+        "known_affected": [
+          "juice-shop/juice-shop"
+        ]
+      },
+      "remediations": [
+        {
+          "category": "workaround",
+          "date": "2020-07-01T10:00:00.000Z",
+          "details": "Check for the expected JWT algorithm type in a WAF/Proxy/Loadbalancer in front of the Juice Shop.",
+          "product_ids": [
+            "juice-shop/juice-shop"
+          ],
+          "url": "https://github.com/advisories/GHSA-6g6m-m6h5-w9gf"
+        }
+      ],
+      "scores": [
+        {
+          "cvss_v3": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 9.1,
+            "baseSeverity": "CRITICAL",
+            "confidentialityImpact": "HIGH",
+            "environmentalScore": 9.1,
+            "environmentalSeverity": "CRITICAL",
+            "integrityImpact": "HIGH",
+            "privilegesRequired": "NONE",
+            "scope": "UNCHANGED",
+            "temporalScore": 9.1,
+            "temporalSeverity": "CRITICAL",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+            "version": "3.1"
+          },
+          "products": [
+            "juice-shop/juice-shop"
+          ]
+        }
+      ],
+      "title": "CVE-2020-15084"
+    }
+  ]
+}
diff --git a/.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json.asc b/.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQQjcrKxKup64wAbs/vQj7FuICnYcAUCZid3ggAKCRDQj7FuICnY
+cItlAP4tS43N//qIKXUZTLOMnd8cRMv25KfRF5WZ3OazSZxyLAEAkQluY3UwxO0m
+Ybd/wfOOJ9DE7qjjZyFcf6le4Bl1pAI=
+=n7jT
+-----END PGP SIGNATURE-----
diff --git a/.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json.sha512 b/.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json.sha512
@@ -0,0 +1 @@
+7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843  juice-shop-sa-20200513-express-jwt.json
diff --git a/.well-known/csaf/2021/juice-shop-sa-20211014-proto.json b/.well-known/csaf/2021/juice-shop-sa-20211014-proto.json
@@ -0,0 +1,85 @@
+{
+  "document": {
+    "acknowledgments": [
+      {
+        "organization": "OWASP Juice Shop",
+        "summary": "Probably the most modern and sophisticated insecure web application"
+      }
+    ],
+    "aggregate_severity": {
+      "text": "High"
+    },
+    "category": "csaf_security_advisory",
+    "csaf_version": "2.0",
+    "lang": "en",
+    "notes": [
+      {
+        "category": "legal_disclaimer",
+        "text": "The Juice Shop contains vulnerabilities. Only use it in an isolated. ONLY run the Juice Shop in a training environment.",
+        "title": "Isolated Env."
+      }
+    ],
+    "publisher": {
+      "category": "vendor",
+      "contact_details": "timo.pagel@owasp.org",
+      "issuing_authority": "OWASP Juice Shop",
+      "name": "OWASP Juice Shop Core Team",
+      "namespace": "https://github.com/juice-shop/juice-shop"
+    },
+    "title": "juice-shop-sa-20211014-proto",
+    "tracking": {
+      "current_release_date": "2021-10-14T10:00:00.000Z",
+      "generator": {
+        "date": "2024-03-09T14:24:03.158Z",
+        "engine": {
+          "name": "Secvisogram",
+          "version": "2.5.0"
+        }
+      },
+      "id": "juice-shop-sa-20211014-proto",
+      "initial_release_date": "2024-03-03T11:00:00.000Z",
+      "revision_history": [
+        {
+          "date": "2024-03-03T11:00:00.000Z",
+          "number": "1.0.0",
+          "summary": "Initial public release."
+        }
+      ],
+      "status": "final",
+      "version": "1.0.0"
+    }
+  },
+  "product_tree": {
+    "branches": [
+      {
+        "category": "product_version_range",
+        "name": ">=v12.10.2",
+        "product": {
+          "name": "OWASP Juice Shop",
+          "product_id": "juice-shop/juice-shop",
+          "product_identification_helper": {
+            "purl": "pkg:docker/bkimminich/juice-shop"
+          }
+        }
+      }
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-2020-36604",
+      "notes": [
+        {
+          "category": "details",
+          "text": "A proof of an exploit does not exists, but it might be possible to exploit the Juice Shop through the vulnerability.",
+          "title": "Notes"
+        }
+      ],
+      "product_status": {
+        "known_affected": [
+          "juice-shop/juice-shop"
+        ]
+      },
+      "title": "The Juice Shop uses the library hoek which might be subject to prototype pollution via the clone function."
+    }
+  ]
+}
diff --git a/.well-known/csaf/2021/juice-shop-sa-20211014-proto.json.asc b/.well-known/csaf/2021/juice-shop-sa-20211014-proto.json.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQQjcrKxKup64wAbs/vQj7FuICnYcAUCZid3yAAKCRDQj7FuICnY
+cJo1AP0ZdiEeoFAUcCm6j6lrGIbrPjElYFcgeX1yRbx1plzaCwEA4BH2nvY/VuLH
+cZI6JuYTsPoeAkzwDsWWTCJGM7u12QU=
+=UeTn
+-----END PGP SIGNATURE-----
diff --git a/.well-known/csaf/2021/juice-shop-sa-20211014-proto.json.sha512 b/.well-known/csaf/2021/juice-shop-sa-20211014-proto.json.sha512
@@ -0,0 +1 @@
+c4eedb2d5ac0b0c11666d87247e1011de4fa5db7e741a4c090374a039e1ce31210d08e63b27d5fabb307705ebbfa1bbbcfe56e5ba0c3528deb00af273f670778  juice-shop-sa-20211014-proto.json
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843 juice-shop-sa-20200513-express-jwt.json
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		c4eedb2d5ac0b0c11666d87247e1011de4fa5db7e741a4c090374a039e1ce31210d08e63b27d5fabb307705ebbfa1bbbcfe56e5ba0c3528deb00af273f670778 juice-shop-sa-20211014-proto.json