From 140755a9ae05e915c4a7a8cb6a7c75d0244b1888 Mon Sep 17 00:00:00 2001
From: William Franco
Date: Wed, 7 Aug 2024 16:11:41 -0300
Subject: [PATCH] feat: fixing stegonography
---
 .../a5/stegonography/app/index.js | 159 +++++++++---------
 .../stegonography/deployments/generate-env.sh | 34 +++-
 2 files changed, 110 insertions(+), 83 deletions(-)
diff --git a/owasp-top10-2021-apps/a5/stegonography/app/index.js b/owasp-top10-2021-apps/a5/stegonography/app/index.js
index 21770652e..d4aa35f75 100644
--- a/owasp-top10-2021-apps/a5/stegonography/app/index.js
+++ b/owasp-top10-2021-apps/a5/stegonography/app/index.js
@@ -1,5 +1,3 @@
-// Stegonography steganography app
-const express = require("express");
 const bodyParser = require("body-parser");
 const app = express();
 const router = express.Router();
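Review bot: The hunk drops `const express = require("express");` but keeps `const app = express();` on the line that follows it, and on the new side nothing precedes the `body-parser` require, so `express` has no binding when `express()` is evaluated and the process should fail at startup with a ReferenceError. Unless the require was moved into a part of the file outside this hunk (a `var` declared further down would still be `undefined` at this point and fail with a TypeError instead), the removal looks accidental; keep `const express = require("express");` as the first line.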
@@ -33,113 +31,124 @@ MongoClient.connect(url, function(err, db) {
 });
 // Create "users" collection
-var url = "mongodb://db:27017/stego"
+var url = "mongodb://db:27017/"+process.env.MONGO_DATABASE
 MongoClient.connect(url, function(err, db) {
 if (err) throw err;
- var dbo = db.db("stego");
+ var dbo = db.db(process.env.MONGO_DATABASE);
 dbo.createCollection("users", function(err, ress) {
 if (err) throw err;
 console.log("Users collection created!");
 db.close();
 })
-});
 // Add "admin" default user to the database
-MongoClient.connect(url, function(err, db) {
+MongoClient.connect(url, function (err, db) {
+ if (err) throw err;
+ var dbo = db.db(process.env.MONGO_DATABASE);
+ var myobj = { username: process.env.USER, password: process.env.PASS };
+ dbo.collection("users").insertOne(myobj, function (err, res) {
 if (err) throw err;
- var dbo = db.db("stego");
- var myobj = { username: "admin", password: "admin" };
- dbo.collection("users").insertOne(myobj, function(err, res) {
- if (err) throw err;
- console.log("Admin user added to the database");
- db.close();
- });
+ console.log("Admin user added to the database");
+ db.close();
+ });
 });
 // User login route, get webpage
-router.get("/login", function(req,res) {
- res.render("login.html");
-})
+router.get("/login", function (req, res) {
+ res.render("login.html");
+});
 // User login route, submit POST request to server
-router.post("/login", function(req,res) {
- var username = req.body.user.name;
- var password = req.body.user.password;
-
- // Verifies user credentials
- function VerifiesUser(callback) {
- MongoClient.connect(url, function(err, db) {
- if (err) throw err;
- var dbo = db.db("stego");
- var query = { username: username, password: password };
- dbo.collection("users").find(query).toArray(function(err, result) {
- if (err) throw err;
- db.close();
- if( result.length == 0 ){
- callback('not_found')
- } else {
- callback(result[0].username);
- }
- });
+router.post("/login", function (req, res) {
+ var 
username = req.body.user.name;
+ var password = req.body.user.password;
+
+ // Verifies user credentials
+ function VerifiesUser(callback) {
+ MongoClient.connect(url, function (err, db) {
+ if (err) throw err;
+ var dbo = db.db(process.env.MONGO_DATABASE);
+ var query = { username: username, password: password };
+ dbo
+ .collection("users")
+ .find(query)
+ .toArray(function (err, result) {
+ if (err) throw err;
+ db.close();
+ if (result.length == 0) {
+ callback("not_found");
+ } else {
+ callback(result[0].username);
+ }
 });
- };
-
- VerifiesUser((username) => {
- if (username == "admin") {
- var token = jwt.sign({ username }, process.env.SECRET, {
- expiresIn: 300 // Token expires in 5 minutes
- });
- res.cookie('nodejsSessionToken', token).redirect(301, "/admin");
- } else {
- res.status(500).send('Invalid username or password!').redirect(301, "/logout");
- }
 });
-})
+ }
+
+ // User: admin, password: admin, userRole: 1 //normal 2 //admin
+
+ VerifiesUser((username) => {
+ if (username == process.env.USER) {
+ var token = jwt.sign({ username }, process.env.SECRET, {
+ expiresIn: 300, // Token expires in 5 minutes
+ });
+ res.cookie("SessionToken", token).redirect(301, "/as-admin");
+ } else {
+ res
+ .status(500)
+ .send("Invalid username or password!")
+ .redirect(301, "/logout");
+ }
+ });
+});
 // Logout route to deauthorize user session tokens
-router.get("/logout", function(req, res) {
- res.status(200).clearCookie('nodejsSessionToken').redirect(301, "/");
+router.get("/logout", function (req, res) {
+ res.status(200).clearCookie("SessionToken").redirect(301, "/");
 });
 // Admin maintenance page
 router.get("/admin", verifyJWT, (req, res, next) => {
- res.status(200).render("admin.html");
+ res.status(200).render("admin.html");
 });
 // Change password route
-router.get("/changepassword", verifyJWT, function(req, res, next) {
- // Code to change user password in the database
-})
+router.get("/changepassword", verifyJWT, function (req, res, next) {
+ // Code 
to change user password in the database
+});
 // Healthcheck route
-router.get("/healthcheck", function(req,res) {
- res.send("WORKING");
-})
+router.get("/healthcheck", function (req, res) {
+ res.send("WORKING");
+});
 // Main page
-router.get("/", function(req,res) {
- res.render("index.html")
-})
+router.get("/", function (req, res) {
+ res.render("index.html");
+});
 // Returns the error web-page if none other is found
-app.use('/', router);
-app.use(function(req, res, next) {
- res.status(404).render("error.html")
+app.use("/", router);
+app.use(function (req, res, next) {
+ res.status(404).render("error.html");
 });
 // Listen on port 10006
 app.listen(10006, () => {
- console.log("Server running on port 10006!");
-})
+ console.log("Server running on port 10006!");
+});
 // Verifies the JWT token
-function verifyJWT(req, res, next){
- var token = req.cookies.nodejsSessionToken;
- if (!token) return res.status(401).send({auth: false, message: 'No token provided'});
-
- jwt.verify(token, process.env.SECRET, function(err, decoded) {
- if (err) return res.status(500).send({ auth: false, message: 'Failed to authenticate token.' });
-
- req.userId = decoded.id;
- next();
- });
-}
\ No newline at end of file
+function verifyJWT(req, res, next) {
+ var token = req.cookies.SessionToken;
+ if (!token)
+ return res.status(401).send({ auth: false, message: "No token provided" });
+
+ jwt.verify(token, process.env.SECRET, function (err, decoded) {
+ if (err)
+ return res
+ .status(500)
+ .send({ auth: false, message: "Failed to authenticate token." });
+
+ req.userId = decoded.id;
+ next();
+ });
+}
diff --git a/owasp-top10-2021-apps/a5/stegonography/deployments/generate-env.sh b/owasp-top10-2021-apps/a5/stegonography/deployments/generate-env.sh
index dd1d378e0..fb71b5bce 100755
--- a/owasp-top10-2021-apps/a5/stegonography/deployments/generate-env.sh
+++ b/owasp-top10-2021-apps/a5/stegonography/deployments/generate-env.sh
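Review bot: The `-});` removed right after `db.close(); })` in the users-collection `MongoClient.connect` callback has no counterpart on the new side, so as the hunk reads every later route definition and `verifyJWT` sit inside that callback and the file ends (at the `}` of `verifyJWT`) with one `{` still open; unless the collapsed rendering hides a line, this is a parse error at startup, and `});` should be restored before `// Add "admin" default user to the database`. In the login failure branch `.send("Invalid username or password!")` already ends the response, so the chained `.redirect(301, "/logout")` throws `ERR_HTTP_HEADERS_SENT` from inside the Mongo callback, where it surfaces as an uncaught exception rather than an Express error; use one terminal call such as `return res.status(401).send("Invalid username or password!");` (the `if (err) throw err;` lines in these callbacks have the same crash-on-error shape). `res.cookie("SessionToken", token)` issues the session cookie with no attributes, leaving the JWT readable by page script; write `res.cookie("SessionToken", token, { httpOnly: true, sameSite: "lax" })` and add `secure: true` once the service is served over TLS. The success branch redirects to `/as-admin`, while the only admin route defined here is `/admin`, so a successful login lands on the 404 handler unless `/as-admin` is registered in the lines above this hunk. Also, `verifyJWT` reads `decoded.id` although the token is signed with `{ username }` only, so `req.userId` is always `undefined`; read `decoded.username` or sign an `id` claim.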
@@ -4,23 +4,41 @@
 #
 # API environment variables
-SECRET=$RANDOM$RANDOM
+SECRET=$(pwgen -s $KEY_LENGTH 1 | md5sum | awk '{print $1}')
+USER=$(pwgen -s $KEY_LENGTH 1 | md5sum | awk '{print $1}')
+PASS=$(pwgen -s $KEY_LENGTH 1 | md5sum | awk '{print $1}')
 echo "#.env" > app/.env
 echo "SECRET=$SECRET" >> app/.env
+# echo "USER=$USER" >> app/.env
+# echo "PASS=$PASS" >> app/.env
 # Database environment variables
-# MONGO_DATABASE="stego"
-MONGO_DATABASE_USERNAME=User$RANDOM$RANDOM
-MONGO_DATABASE_PASSWORD=Pass$RANDOM$RANDOM
-# MONGO_PORT=27017
+MONGO_DATABASE="stego$(pwgen -s $KEY_LENGTH 1 | md5sum | awk '{print $1}')"
+MONGO_DATABASE_USERNAME=User$(pwgen -s $KEY_LENGTH 1 | md5sum | awk '{print $1}')
+MONGO_DATABASE_PASSWORD=Pass$(pwgen -s $KEY_LENGTH 1 | md5sum | awk '{print $1}')
+MONGO_PORT=27017
+MONGO_ROOT_PASSWORD=Root$(pwgen -s $KEY_LENGTH 1 | md5sum | awk '{print $1}')
 echo "#" > deployments/.dockers.env
 echo "# This file is auto generated and contains all environment variables needed by Stegonography's database" >> deployments/.dockers.env
 echo "#" >> deployments/.dockers.env
 echo "MONGO_ROOT_PASSWORD=$MONGO_ROOT_PASSWORD" >> deployments/.dockers.env
 echo "MONGO_DATABASE=$MONGO_DATABASE" >> deployments/.dockers.env
-echo "MONGO_USER=$MONGO_USER" >> deployments/.dockers.env
-echo "MONGO_PASSWORD=$MONGO_PASSWORD" >> deployments/.dockers.env
-echo "MONGO_PORT=$MONGO_PORT" >> deployments/.dockers.env
\ No newline at end of file
+echo "MONGO_USER=$MONGO_DATABASE_USERNAME" >> deployments/.dockers.env
+echo "MONGO_PASSWORD=$MONGO_DATABASE_PASSWORD" >> deployments/.dockers.env
+echo "MONGO_PORT=$MONGO_PORT" >> deployments/.dockers.env
+echo "USER=$USER" >> deployments/.dockers.env
+echo "PASS=$PASS" >> deployments/.dockers.env
+
+
+
+
+# KEY_LENGTH=32
+
+# # Gera uma chave criptograficamente segura
+# SECURE_KEY=$(pwgen -s $KEY_LENGTH 1 | md5sum | awk '{print $1}')
+
+# # Exibe a chave gerada
+# echo "Chave gerada: $SECURE_KEY"
\ No newline at end of file
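Review bot: Every secret here is generated with `pwgen -s $KEY_LENGTH 1 | md5sum`, but `KEY_LENGTH` is never assigned in this script (the only `KEY_LENGTH=32` is in the commented-out block at the end), so unless the caller exports it the unquoted empty expansion turns the command into `pwgen -s 1`, a password length of one character, and `md5sum` merely stretches whatever pwgen prints to 32 hex digits without adding entropy; SECRET, USER, PASS, the Mongo credentials and the database name would all be drawn from a tiny space. Add `KEY_LENGTH=${KEY_LENGTH:-32}` before the first use together with `set -euo pipefail`, and consider dropping the `md5sum | awk` stage, since `pwgen -s 32 1` (or `openssl rand -hex 16`) already yields the random string wanted and hashing never increases its entropy. `pwgen` is not part of coreutils, so a guard such as `command -v pwgen >/dev/null || { echo "pwgen is required" >&2; exit 1; }` avoids silently writing empty credentials into the env files when it is missing. `USER` also shadows the shell's login-name variable, and the `USER=`/`PASS=` lines for `app/.env` are commented out while the values go only into `deployments/.dockers.env`; if the app container is not given that file, `process.env.USER` in index.js will hold the container's login name (or be unset) and `process.env.PASS` will be undefined, so a distinct name like `ADMIN_USER` written into the file the app actually loads would be more robust. The four trailing blank lines and the commented-out Portuguese example block are dead text and can be removed.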