BC4-TP03

.gitignore

@@ -0,0 +1,3 @@
+.idea/
+*.iml
+node_modules/

app.js

@@ -0,0 +1,49 @@
+var createError = require('http-errors');
+var express = require('express');
+var path = require('path');
+var cookieParser = require('cookie-parser');
+var logger = require('morgan');
+
+var indexRouter = require('./routes/index');
+var searchRouter = require('./routes/search');
+var apiRouter = require('./routes/api');
+const robots = require('express-robots-txt')
+
+var app = express();
+
+app.use(robots({
+    UserAgent: '*',
+    Disallow: [ '/', '/search' ]
+}));
+
+// view engine setup
+app.set('views', path.join(__dirname, 'views'));
+app.set('view engine', 'pug');
+
+app.use(logger('dev'));
+app.use(express.json());
+app.use(express.urlencoded({ extended: false }));
+app.use(cookieParser());
+app.use(express.static(path.join(__dirname, 'public')));
+
+app.use('/', indexRouter);
+app.use('/search', searchRouter);
+app.use('/api', apiRouter);
+
+// catch 404 and forward to error handler
+app.use(function(req, res, next) {
+  next(createError(404));
+});
+
+// error handler
+app.use(function(err, req, res, next) {
+  // set locals, only providing error in development
+  res.locals.message = err.message;
+  res.locals.error = req.app.get('env') === 'development' ? err : {};
+
+  // render the error page
+  res.status(err.status || 500);
+  res.render('error');
+});
+
+module.exports = app;

bin/www

@@ -0,0 +1,114 @@
+#!/usr/bin/env node
+
+/**
+ * Module dependencies.
+ */
+
+var app = require('../app');
+var debug = require('debug')('nodeexpressvulny:server');
+var http = require('http');
+
+/**
+ * Get port from environment and store in Express.
+ */
+
+var port = normalizePort(process.env.PORT || '3000');
+app.set('port', port);
+
+/**
+ * Create HTTP server.
+ */
+
+var server = http.createServer(app);
+
+/**
+ * Listen on provided port, on all network interfaces.
+ */
+
+server.listen(port);
+server.on('error', onError);
+server.on('listening', onListening);
+
+/**
+ * Normalize a port into a number, string, or false.
+ */
+
+function normalizePort(val) {
+  var port = parseInt(val, 10);
+
+  if (isNaN(port)) {
+    // named pipe
+    return val;
+  }
+
+  if (port >= 0) {
+    // port number
+    return port;
+  }
+
+  return false;
+}
+
+/**
+ * Event listener for HTTP server "error" event.
+ */
+
+function onError(error) {
+  if (error.syscall !== 'listen') {
+    throw error;
+  }
+
+  var bind = typeof port === 'string'
+    ? 'Pipe ' + port
+    : 'Port ' + port;
+
+  // handle specific listen errors with friendly messages
+  switch (error.code) {
+    case 'EACCES':
+      console.error(bind + ' requires elevated privileges');
+      process.exit(1);
+      break;
+    case 'EADDRINUSE':
+      console.error(bind + ' is already in use');
+      process.exit(1);
+      break;
+    default:
+      throw error;
+  }
+}
+
+/**
+ * Event listener for HTTP server "listening" event.
+ */
+
+function onListening() {
+  var addr = server.address();
+  var bind = typeof addr === 'string'
+    ? 'pipe ' + addr
+    : 'port ' + addr.port;
+  debug('Listening on ' + bind);
+}
+
+// Borrowed from https://medium.com/@becintec/building-graceful-node-applications-in-docker-4d2cd4d5d392
+// The signals we want to handle
+// NOTE: although it is tempting, the SIGKILL signal (9) cannot be intercepted and handled
+var signals = {
+  'SIGHUP': 1,
+  'SIGINT': 2,
+  'SIGTERM': 15
+};
+// Do any necessary shutdown logic for our application here
+const shutdown = (signal, value) => {
+  console.log("shutdown!");
+  server.close(() => {
+    console.log(`server stopped by ${signal} with value ${value}`);
+    process.exit(128 + value);
+  });
+};
+// Create a listener for each of the signals that we want to handle
+Object.keys(signals).forEach((signal) => {
+  process.on(signal, () => {
+    console.log(`process received a ${signal} signal`);
+    shutdown(signal, signals[signal]);
+  });
+});

bootstrapdb.js

@@ -0,0 +1,60 @@
+const sqlite3 = require('sqlite3').verbose();
+const db = new sqlite3.Database('./db/vulny.db');
+
+db.serialize(function () {
+  db.run('CREATE TABLE item (id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, name NVARCHAR(1024) NOT NULL, description TEXT)', function (err) {
+    if (err) {
+      console.error(err);
+    } else {
+      const itemTbl = db.prepare('INSERT INTO item VALUES (null, ?, ?)', function (err) {
+        if (err) {
+          console.error(err)
+        }
+      });
+
+      for (var i = 0; i < 3; i++) {
+        itemTbl.run('item-' + i, 'item-' + i + ' is the great item evar');
+      }
+
+      itemTbl.finalize(function (err) {
+        if (err) {
+          console.error(err)
+        } else {
+          db.close(function (err) {
+            if (err) {
+              console.error(err)
+            }
+          });
+        }
+      });
+    }
+  });
+
+
+  db.run('CREATE TABLE user (id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, username NVARCHAR(1024) NOT NULL, password TEXT NOT NULL)', function (err) {
+    if (err) {
+      console.error(err);
+    } else {
+      const userTbl = db.prepare('INSERT INTO user VALUES (null, ?, ?)', function (err) {
+        if (err) {
+          console.error(err)
+        }
+      });
+      userTbl.run('admin', 'S3cr37P@$$w0rD!');
+      userTbl.run('user1', 'bad_password');
+      userTbl.run('user2', 'worse');
+      userTbl.run('user3', 'fail');
+      userTbl.finalize(function (err) {
+        if (err) {
+          console.error(err)
+        } else {
+          db.close(function (err) {
+            if (err) {
+              console.error(err)
+            }
+          });
+        }
+      });
+    }
+  });
+});

package.json

@@ -0,0 +1,19 @@
+{
+  "name": "nodeexpressvulny",
+  "version": "0.0.0",
+  "private": true,
+  "scripts": {
+    "start": "node ./bin/www"
+  },
+  "dependencies": {
+    "cookie-parser": "~1.4.4",
+    "debug": "~2.6.9",
+    "express": "~4.16.1",
+    "express-list-endpoints": "^4.0.1",
+    "http-errors": "~1.6.3",
+    "morgan": "~1.9.1",
+    "pug": "^2.0.4",
+    "sqlite": "^3.0.3",
+    "express-robots-txt": "1.0.0"
+  }
+}

public/stylesheets/style.css

@@ -0,0 +1,8 @@
+body {
+  padding: 50px;
+  font: 14px "Lucida Grande", Helvetica, Arial, sans-serif;
+}
+
+a {
+  color: #00B7FF;
+}

routes/api.js

@@ -0,0 +1,21 @@
+const express = require('express');
+const router = express.Router();
+const searchService = require('../service/search');
+
+router.get('/search', function (req, res, next) {
+
+  const searchText = req.query.searchText !== undefined ? req.query.searchText : '';
+  console.log(req.query);
+  console.log('search text: ' + searchText);
+  searchService.searchByName(searchText, function (err, ret) {
+    if (err) {
+      res.json(err);
+    } else {
+      delete ret.searchText;
+      res.json(ret);
+    }
+  });
+
+});
+
+module.exports = router;

routes/index.js

@@ -0,0 +1,9 @@
+var express = require('express');
+var router = express.Router();
+
+/* GET home page. */
+router.get('/', function(req, res, next) {
+  res.render('index', { title: 'VulnyJS' });
+});
+
+module.exports = router;

routes/search.js

@@ -0,0 +1,22 @@
+const express = require('express');
+const router = express.Router();
+const searchService = require('../service/search');
+
+/* GET search listing. */
+router.get('/', function (req, res, next) {
+  res.render('search', {title: 'Search for items'});
+});
+
+router.post('/', function (req, res, next) {
+  const searchText = req.body.searchText;
+
+  searchService.searchByName(searchText, function (err, ret) {
+    if (err) {
+      res.redirect('/search')
+    } else {
+      res.render('searchResult', ret)
+    }
+  });
+});
+
+module.exports = router;

service/search.js

@@ -0,0 +1,29 @@
+const sqlite3 = require('sqlite3').verbose();
+const db = new sqlite3.Database('./db/vulny.db');
+
+const searchByName = function (searchText, cb) {
+
+  db.all("select id,name,description from item where name like '%" + searchText + "%'", [], function (err, rows) {
+  //db.all("select id,name,description from item where name like '%?%'", [searchText], function (err, rows) {
+    if (err) {
+      console.log('error ' + err);
+      cb(err);
+      //res.redirect('/search')
+    } else {
+      //console.log(req.body);
+      console.log('rows? ' + rows);
+      console.log('got ' + rows.length + ' rows');
+      const ret = {
+        searchText: searchText,
+        rows: rows
+      };
+      cb(null, ret);
+      //res.render('searchResult', ret)
+    }
+  });
+
+};
+
+module.exports = {
+  searchByName: searchByName
+};

views/error.pug

@@ -0,0 +1,6 @@
+extends layout
+
+block content
+  h1= message
+  h2= error.status
+  pre #{error.stack}

views/index.pug

@@ -0,0 +1,7 @@
+extends layout
+
+block content
+  h1= title
+  p Welcome to #{title}
+  h3
+    a(href='/search') Search

views/layout.pug

@@ -0,0 +1,7 @@
+doctype html
+html
+  head
+    title= title
+    link(rel='stylesheet', href='/stylesheets/style.css')
+  body
+    block content

views/search.pug

@@ -0,0 +1,7 @@
+extends layout
+
+block content
+  h1= 'Find some items'
+  form(action='/search', method='post')
+    input(type='text', name='searchText')
+    input(type='submit', name='Search')

views/searchResult.pug

@@ -0,0 +1,16 @@
+extends layout
+
+block content
+  h1!= 'Search Results for: ' + searchText
+  table
+    tr
+      th Id
+      th Name
+      th Description
+    each item in rows
+      tr
+        td= item.id
+        td= item.name
+        td= item.description
+  h3
+    a(href='/search') Search