Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
486 commits
Select commit Hold shift + click to select a range
5aa369f
Update a6 to to follow Node.js best practices for crypto library.
jboyer2012 Sep 26, 2017
3521414
Merge pull request #1 from OWASP/master
jboyer2012 Sep 26, 2017
270c17e
Update string quotes for project style guide.
jboyer2012 Sep 29, 2017
587f442
Merge branch 'master' of https://github.com/jboyer2012/NodeGoat
jboyer2012 Sep 29, 2017
c689af4
Add missing semicolon
jboyer2012 Sep 29, 2017
c69760d
Merge pull request #104 from jboyer2012/master
ckarande Sep 29, 2017
6c28712
feat(injection): log injection example
lirantal Oct 8, 2017
68cc71a
feat(session): improper session management
lirantal Oct 17, 2017
9b9f4c9
feat(log-injection): adding a log injection example
lirantal Nov 9, 2017
dc4293c
feat(log-injection): add tutorial description
lirantal Nov 9, 2017
bfea140
feat(session): add tutorial documentation
lirantal Nov 9, 2017
69c6d55
fix(docs): CSRF -> CRLF
lirantal Nov 13, 2017
f4731a9
Update a4.html
joebowbeer Nov 14, 2017
3c97398
Update a8.html
joebowbeer Nov 14, 2017
26c82bf
Merge pull request #111 from joebowbeer/patch-2
ckarande Nov 17, 2017
6cc5017
Merge pull request #110 from joebowbeer/patch-1
ckarande Nov 25, 2017
9e5431e
Merge pull request #107 from lirantal/feat/session-fixation
ckarande Feb 12, 2018
4a82f87
Merge pull request #108 from lirantal/feat/log-injection
ckarande Feb 12, 2018
78cbef2
Fix comment
Feb 12, 2018
450017b
Fix insecure dependency
Feb 12, 2018
3d58bdc
close#112
Feb 13, 2018
befeee7
Minor Updates
ckarande May 5, 2018
843700d
feat(xss-context): add example for context sensitive XSS encoding issues
lirantal Sep 8, 2018
2d8e2b2
fix: use the actual encoded string in the view template
lirantal Sep 8, 2018
95c16db
feat(xss-context): add example for context sensitive XSS encoding iss…
lirantal Sep 9, 2018
d7aed4d
feat(xss-context): improve comments and add tutorial section
lirantal Sep 10, 2018
e808f3c
Merge pull request #116 from lirantal/feat/xss-context-aware-tutorial
ckarande Sep 10, 2018
0a4f186
Proof of Concept SSRF Vulnerability in Research Feature
Jan 15, 2019
e812191
change app.csp() with contentSecurityPolicy()
Feb 25, 2019
6e47500
Added SSRF Tutorial
Mar 3, 2019
fcd91a0
Added SSRF Tutorial
Mar 3, 2019
78afc71
Merge pull request #117 from alexanderfry/ssrf
ckarande Mar 3, 2019
a39291b
Merge pull request #132 from alexanderfry/master
ckarande Mar 3, 2019
1fd3576
Update package versions
ckarande Mar 3, 2019
71e69f3
Switch to multi-stage build
mostafahussein Mar 25, 2019
e6bd96f
Incremented docker-compose version
binarymist Mar 27, 2019
4bdc919
Merge branch 'mostafahussein-docker-enhancements'
binarymist Mar 27, 2019
143c785
Improve performance of docker image build
binarymist Mar 31, 2019
0800830
Also removed r & x perms from the ~
binarymist Mar 31, 2019
a84be9c
Merge pull request #136 from binarymist/Dockerfile-tweaks
ckarande Apr 2, 2019
2f919ed
Remove caret on needle dependency because ^2.2.4 introduces a breakin…
mhxbe Apr 9, 2019
b66fd95
Merge pull request #137 from mhxbe/master
lirantal Apr 9, 2019
b79c914
fix: Fix problem of blank alert on the sign up page
ahnteve Apr 28, 2019
2c3ac53
Merge pull request #138 from Ahnteve/master
lirantal Apr 29, 2019
104b491
Updates to use latest LTS version
ckarande May 2, 2019
a3f1796
Nodegoat logo
ckarande Jun 6, 2019
1d66013
Added cypress and basic setup #142
UlisesGascon Jun 8, 2019
c50cbc3
Login spec added #142
UlisesGascon Jun 8, 2019
4c2aa01
typo
UlisesGascon Jun 8, 2019
4993676
No hardcoded users and passwords
UlisesGascon Jun 10, 2019
6e22fd5
Merge remote-tracking branch 'origin/feature-e2e-tests' into feature-…
UlisesGascon Jun 10, 2019
9c503cd
Added signIn command to Cypress
UlisesGascon Jun 10, 2019
b1d6589
Added tests for /benefits #142
UlisesGascon Jun 10, 2019
fdcba67
Minor Changes
UlisesGascon Jun 11, 2019
a6092d9
Profile Route testing spec added #142
UlisesGascon Jun 11, 2019
2991f93
removed unused functionality
UlisesGascon Jun 11, 2019
ec0787d
Allocations Route testing spec added #142
UlisesGascon Jun 11, 2019
9364318
Contributions route testing spec added #142
UlisesGascon Jun 11, 2019
916b25b
Memos route testing spec added #142
UlisesGascon Jun 11, 2019
4d352b9
Bug fixed. Missing command
UlisesGascon Jun 11, 2019
944c1a1
Logout route testing spec added #142
UlisesGascon Jun 11, 2019
a2a3788
Signup route testing spec added #142
UlisesGascon Jun 11, 2019
75bd6f6
General testing spec added #142
UlisesGascon Jun 11, 2019
ca0b47f
e2e tests refactor and improvements #142
UlisesGascon Jun 11, 2019
d91bde0
Research route spec #142
KoolTheba Jun 12, 2019
64fab90
Learn route spec #142
KoolTheba Jun 12, 2019
01b3520
Tutorial route spec #142
KoolTheba Jun 13, 2019
ddd3ee9
Added exception to manage wrong connection
KoolTheba Jun 13, 2019
65797a9
Dahboard route spec #142
KoolTheba Jun 13, 2019
f01811d
Merge pull request #1 from KoolTheba/master
UlisesGascon Jun 13, 2019
8c2b422
Redefined test assertion
UlisesGascon Jun 13, 2019
c2dd8f6
Linter test specs
UlisesGascon Jun 14, 2019
d616044
e2e test relocated under test folder
UlisesGascon Jun 14, 2019
4fa4fb2
Missing config file
UlisesGascon Jun 25, 2019
981b8b1
Missing file added
UlisesGascon Jun 25, 2019
32e7c6e
Improved development experience
KoolTheba Jun 25, 2019
16673ec
Typo
KoolTheba Jun 25, 2019
e214164
Test cases updated for non admin user
KoolTheba Jun 25, 2019
9baf006
Test cases updated for non admin user
KoolTheba Jun 25, 2019
374860e
Basic Travis file
UlisesGascon Jun 26, 2019
1a2039e
Merge pull request #2 from UlisesGascon/ci-testing
UlisesGascon Jun 26, 2019
f356bfb
Lets add Mongodb
UlisesGascon Jun 26, 2019
7460d75
Merge pull request #3 from UlisesGascon/ci-testing
UlisesGascon Jun 26, 2019
7de021e
fix(profile): the form should populate send fields
lirantal Jun 28, 2019
613c0ee
fix: don't use spread which isn't compatible with Node.js v4 that we …
lirantal Jun 28, 2019
81bf67a
Merge pull request #146 from lirantal/fix/profile-page-fields-on-error
ckarande Jun 28, 2019
a1a3db8
Removed google validation
UlisesGascon Jul 1, 2019
e328eff
Merge remote-tracking branch 'origin/feature-e2e-tests' into feature-…
UlisesGascon Jul 1, 2019
8bf9c40
Removed target validation in a tag
UlisesGascon Jul 20, 2019
39b6099
Merge remote-tracking branch 'origin/feature-e2e-tests' into feature-…
UlisesGascon Jul 20, 2019
6c78e6b
Merge pull request #143 from UlisesGascon/feature-e2e-tests
ckarande Jul 20, 2019
bbaa5b9
added Cypress Tasks (#4)
UlisesGascon Jul 31, 2019
bfb208f
Improved management for Mongo db uri reference
UlisesGascon Aug 2, 2019
b91c3cb
improve cy.exec task
UlisesGascon Aug 2, 2019
5be563e
Merge pull request #5 from UlisesGascon/improve-ci
UlisesGascon Aug 2, 2019
443c3ff
Merge pull request #147 from UlisesGascon/master
ckarande Aug 3, 2019
f9031c8
Migration to Node8 and added support for v10 and v12
UlisesGascon Aug 7, 2019
878e6a9
Npm install
servatj Aug 7, 2019
d59beb3
Remove unused forever
servatj Aug 7, 2019
3a9223d
Add nodemon as npm script
servatj Aug 7, 2019
839d3a7
get rid of grunt nodemon
servatj Aug 7, 2019
1fd168a
Add nodemon in the readme
servatj Aug 7, 2019
9ad593e
Put nodemon file in the right place
servatj Aug 7, 2019
a85be20
Node version upgraded
UlisesGascon Aug 8, 2019
a9dcb0c
change to const
lucas1004jx Aug 8, 2019
27e229b
change to arrow funcion
lucas1004jx Aug 8, 2019
60a7132
simplify if statement
lucas1004jx Aug 8, 2019
e1bbc66
simplify if stament
lucas1004jx Aug 9, 2019
6e8174f
Merge pull request #161 from servatj/add-nodemon
UlisesGascon Aug 11, 2019
16c0983
Merge pull request #160 from UlisesGascon/feature-150
UlisesGascon Aug 11, 2019
df01fbf
Merge pull request #162 from lucas1004jx/issue#152_login
UlisesGascon Aug 11, 2019
60aab7d
change var to let and const
lucas1004jx Aug 13, 2019
250332b
Merge pull request #163 from lucas1004jx/issue#152_chart-data-morris
UlisesGascon Aug 14, 2019
b5aa5d6
refactor allocations-dao.js
lucas1004jx Aug 15, 2019
c2b763f
Merge pull request #164 from lucas1004jx/issue#152_allocations-dao
UlisesGascon Aug 19, 2019
b5fce0a
issue#152 data folder es6 migration
lucas1004jx Aug 27, 2019
5af4f99
short assignation for object property
lucas1004jx Sep 3, 2019
f69a8b9
comment mongodb connect string
lucas1004jx Sep 3, 2019
e79fc67
Merge pull request #167 from lucas1004jx/issue#152_data
UlisesGascon Sep 9, 2019
4fa2add
Revert "issue#152 data folder es6 migration"
UlisesGascon Sep 9, 2019
460a091
Merge pull request #171 from OWASP/revert-167-issue#152_data
UlisesGascon Sep 10, 2019
65b768e
allows to test mongodb uri via env vars
bizob2828 Sep 26, 2019
6868425
Merge pull request #174 from Contrast-Security-OSS/restore-mongo-env-…
UlisesGascon Oct 19, 2019
1ae263b
Merge pull request #119 from NataliaRizzi/master
UlisesGascon Nov 6, 2019
89f11a8
Improved Community Approach #151
UlisesGascon Nov 6, 2019
af5fdb0
Fix #178
UlisesGascon Nov 6, 2019
ff285d3
Merge pull request #177 from UlisesGascon/release-1.5
UlisesGascon Jan 26, 2020
ef51b25
WIP. Migration ES6: Server
UlisesGascon Jan 26, 2020
10a1da1
Migration ES6: Config
UlisesGascon Jan 26, 2020
49bd673
Migration ES6: Artifacts
UlisesGascon Jan 26, 2020
f52305f
WIP. Migration ES6: DAOs
UlisesGascon Jan 26, 2020
8bd5210
Migration ES6: DAOs
UlisesGascon Jan 29, 2020
7e853eb
Migration ES6: Typos
UlisesGascon Jan 29, 2020
5243cc2
Migration ES6: Routes
UlisesGascon Jan 29, 2020
b000efc
Fix routes
UlisesGascon Jan 29, 2020
ae9b0e3
typo
UlisesGascon Jan 29, 2020
fb1ad4b
Fixed missing argument in errorHandler
UlisesGascon Jan 29, 2020
c606812
Added missing condition
UlisesGascon Jan 29, 2020
1f48fa8
Upgrade docker images to Nodejs 12
UlisesGascon Jan 29, 2020
1b1cf33
Merge pull request #185 from UlisesGascon/feature-152
UlisesGascon Mar 17, 2020
d8a3f32
Merge pull request #188 from OWASP/release-1.5
UlisesGascon Mar 17, 2020
bafa1a4
add forever node_modules
iNoSec2 Apr 2, 2020
b3d10af
remove personal info
iNoSec2 Apr 2, 2020
395f252
Merge pull request #195 from iNoSec2/master
ckarande Apr 3, 2020
5481f15
fix: startup logs stringified objects incorrectly
lirantal Jul 9, 2020
560efd5
fix: example of xss in bad context using a dedicated profile field
lirantal Jul 9, 2020
df13008
Fix NoSQL injection solution
karlhorky Jul 9, 2020
02614df
Merge pull request #204 from karlhorky/patch-1
lirantal Jul 9, 2020
21d4291
Merge pull request #202 from lirantal/fix/startup-logs
lirantal Aug 3, 2020
872abf9
Merge pull request #203 from lirantal/fix/xss-context
lirantal Aug 3, 2020
9d4cbcd
test: update broken build in commit 560efd5fdf4daecd0e2c365806d8a15c8…
lirantal Aug 5, 2020
6c978d2
Fix "Cannot read property 'seq' of null" error
rcowsill Sep 24, 2020
67a753b
Fix database URI under docker-compose
rcowsill Sep 25, 2020
7a3751c
Bypass livereload script in cypress tests
rcowsill Sep 26, 2020
935a6c2
Faster deploy to Heroku
rcowsill Oct 10, 2020
7795c99
Replace mongolab addon with MONGODB_URI env var
rcowsill Oct 10, 2020
71f4d27
Remove MONGOLAB_URI and mlab connection string
rcowsill Oct 10, 2020
029e817
Adjustments to livereload to stop (timeout) in prod
binarymist Oct 22, 2020
6331e4e
Update instructions
rcowsill Nov 1, 2020
6dc0022
Add detail to MONGODB_URI instructions
rcowsill Nov 2, 2020
a36728d
Add note about MongoDB Atlas M0
rcowsill Nov 2, 2020
8b0fd4a
Merge pull request #215 from rcowsill/fix/heroku-db
ckarande Nov 10, 2020
5ab98ab
Changed livereload script and put it in test env only
binarymist Nov 10, 2020
0f350f6
add atlas db url
ckarande Nov 10, 2020
c80ebdf
Merge pull request #216 from binarymist/livereload-refactor
ckarande Nov 10, 2020
3b26e2d
Add cross-env to package-lock.json
karlhorky Nov 13, 2020
8623603
Add cross-env for Windows scripts compatibility
karlhorky Nov 13, 2020
505943a
Merge pull request #217 from karlhorky/patch-2
lirantal Nov 13, 2020
4289159
Local DB only - if no DB URI present
Jan 13, 2021
6f76683
Review suggestion/atlas or localdb only
Jan 14, 2021
be42483
Merge pull request #222 from doublethink/insecure_defaultconnection_s…
ckarande Jan 14, 2021
0456ee1
Fix Travis config warnings
rcowsill Nov 16, 2020
f1a5ffb
Fix repeated dbResets so tests run faster
rcowsill Nov 16, 2020
7482c6c
Add Github Actions "E2E Test" workflow
rcowsill Jan 17, 2021
ff81ce9
Merge pull request #223 from rcowsill/fix/travis-warnings
ckarande Jan 24, 2021
a87f2f7
Merge pull request #218 from rcowsill/fix/repeated-dbreset
ckarande Jan 24, 2021
e59ba88
Merge pull request #224 from rcowsill/feature/actions-ci
ckarande Jan 24, 2021
b3a582d
Fix jshint warnings
rcowsill Jan 26, 2021
617dbff
Fix TypeError when server-side request fails
rcowsill Jan 26, 2021
5411a72
Add lint workflow using jshint@2.12.0
rcowsill Jan 27, 2021
b181ead
Update jshint config to fix spurious errors
rcowsill Jan 27, 2021
e1c7f0b
Fix doublequote and semicolon lint errors
rcowsill Jan 27, 2021
897ee26
Add missing "use strict" directives
rcowsill Jan 27, 2021
ada4deb
Split up lines that are too long
rcowsill Jan 27, 2021
3480388
Merge pull request #226 from rcowsill/fix/225-research-dos
ckarande Feb 7, 2021
9b1cfcb
E2E CI: Enable video recording, upload on failure
rcowsill Feb 26, 2021
ea9db91
Update links in description
rcowsill Apr 5, 2021
9c46933
docs: README file cleanup
lirantal Jun 11, 2022
a88dce9
Merge pull request #254 from lirantal/master
ckarande Jun 11, 2022
feb86f7
chore: update gitignore
lirantal Jun 27, 2022
1857653
Fix Mongo version to before OP_QUERY deprecation
steverify Sep 30, 2022
21272f2
fix: revert marked changes back to make sure we use the vulnerable ve…
lirantal Mar 6, 2023
9d1dde1
Merge pull request #281 from OWASP/fix/marked-needs-to-be-vuln
lirantal Mar 6, 2023
1b5d2b4
Merge pull request #265 from steverify/revert-mongo
lirantal Mar 6, 2023
167c05b
Merge pull request #259 from lirantal/test/pathc-1
lirantal Mar 6, 2023
bc8880b
Merge pull request #235 from rcowsill/fix/a9-tutorial-links
lirantal Mar 6, 2023
f383b62
Merge branch 'master' into feature/upload-cypress-errors
lirantal Mar 6, 2023
996210f
Merge pull request #230 from rcowsill/feature/upload-cypress-errors
lirantal Mar 6, 2023
5041469
Merge pull request #227 from rcowsill/feature/lint-workflow
lirantal Mar 6, 2023
c116579
fix: update instructions about tutorial
lirantal Mar 6, 2023
f4880cc
Merge pull request #282 from OWASP/fix/tutorial-instructions
lirantal Mar 6, 2023
c1006dc
fix: sync lockfile
lirantal Mar 6, 2023
5eef167
docs: minor update for inline code style
lirantal Mar 6, 2023
4b61616
fix: mongodb 4.4 is compatible
lirantal Mar 6, 2023
1cb4933
Merge pull request #283 from OWASP/fix/update-mongodb-v
lirantal Mar 6, 2023
4c29a20
fix: spelling on the app page
lirantal Mar 6, 2023
d3c3475
doc: annotate server.js with extra info regarding session and static …
cfabianski Mar 17, 2023
6c713b3
Merge pull request #286 from cfabianski/patch-1
lirantal Mar 18, 2023
2740797
Move tutorial into a separate router
rcowsill Mar 13, 2021
21ec6e4
Fix path traversal vulnerability
rcowsill Mar 14, 2021
935bd90
fix: travel path vulnerability on tutorial pages, merge pull request …
lirantal May 28, 2023
a25b31b
Add blank space after strong tag
za Jun 20, 2023
aec236a
Merge pull request #290 from za/add-blank-space
lirantal Jun 21, 2023
c046f46
fix: express: cause malformed URLs to be evaluated
galanko May 14, 2026
10de995
fix: nodejs-underscore: Arbitrary code execution via the template fun…
galanko May 14, 2026
5b69a75
fix: Prevent open redirect vulnerability in /learn endpoint
galanko May 14, 2026
b20ae1e
fix: Update bson to >=1.1.4 to remediate CVE-2020-7610
galanko May 14, 2026
f7f9f5e
fix: nodejs-mixin-deep: prototype pollution in function mixin-deep
galanko May 14, 2026
1963ca4
fix: nodejs-set-value: prototype pollution in function set-value
galanko May 14, 2026
cfa6b96
fix: Out-of-bounds Read - Document NSWG-ECO-445 vulnerability in util…
galanko May 15, 2026
b7d657d
fix: Configuration Override in helmet-csp
galanko May 15, 2026
5310055
fix: upgrade on-headers from 1.0.1 to 1.1.0 to address CVE-2025-7339
galanko May 15, 2026
9f291a4
fix: decode-uri-component: improper input validation resulting in DoS…
galanko May 15, 2026
86811e3
fix: Add secure flag to session middleware cookie configuration
galanko May 15, 2026
b92d520
Merge pull request #1 from cliff-security/opensec/fix/express-cve-202…
galanko May 15, 2026
4802150
Merge pull request #2 from cliff-security/opensec/fix/underscore-cve-…
galanko May 15, 2026
ef69f3d
Merge pull request #3 from cliff-security/opensec/fix/open-redirect-v…
galanko May 15, 2026
119ce63
Merge pull request #4 from cliff-security/opensec/fix/mixin-deep-cve-…
galanko May 15, 2026
cb0213f
Merge pull request #5 from cliff-security/opensec/fix/bson-cve-2020-7610
galanko May 15, 2026
ff444b6
Merge pull request #7 from cliff-security/opensec/fix/set-value-cve-2…
galanko May 15, 2026
ab23093
Merge pull request #11 from cliff-security/opensec/fix/utile-0-3-0-ns…
galanko May 15, 2026
5c714c7
Merge pull request #13 from cliff-security/opensec/fix/helmet-csp-ghs…
galanko May 15, 2026
97c2f68
Merge pull request #15 from cliff-security/opensec/fix/on-headers-cve…
galanko May 15, 2026
4b9f605
Merge pull request #17 from cliff-security/opensec/fix/decode-uri-com…
galanko May 15, 2026
7dd0bc6
Merge pull request #22 from cliff-security/opensec/fix/express-sessio…
galanko May 15, 2026
8e2e2e3
ci: add Dependabot config (OpenSec posture PR)
May 15, 2026
a6d61f3
docs: add SECURITY.md (OpenSec posture PR)
May 15, 2026
e626e15
Merge pull request #23 from cliff-security/opensec/posture/dependabot
galanko May 15, 2026
e1627e9
Merge pull request #24 from cliff-security/opensec/posture/security-md
galanko May 15, 2026
a1e9119
security: upgrade fsevents from 1.2.9 to 1.2.13 (CVE-2023-45311)
galanko May 14, 2026
c4eeadc
Merge pull request #6 from cliff-security/opensec/fix/fsevents-cve-20…
galanko May 15, 2026
1c9c36f
fix: minimist: prototype pollution
galanko May 18, 2026
c00184e
Merge pull request #36 from cliff-security/cliff/fix/minimist-cve-202…
galanko May 18, 2026
157bb7c
fix: upgrade debug to 3.1.0 to address ReDoS vulnerability (CVE-2017-…
galanko May 18, 2026
704038c
fix: upgrade marked from 0.3.5 to 4.0.10 to fix ReDoS vulnerability C…
galanko May 18, 2026
298131f
fix: Mitigate CVE-2023-25345 directory traversal in swig template engine
galanko May 18, 2026
491cd85
Merge pull request #38 from cliff-security/cliff/fix/marked-cve-2022-…
galanko May 18, 2026
4c50ca5
Merge pull request #39 from cliff-security/cliff/fix/swig-1.4.2-cve-2…
galanko May 18, 2026
d28c24e
Merge pull request #37 from cliff-security/cliff/fix/debug-2.2.0-cve-…
galanko May 18, 2026
a8f5d54
fix: Asymmetric Private Key
galanko May 18, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
Dockerfile
docker-compose.yml
.dockerignore
.git
.github
.gitignore
49 changes: 49 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
labels:
- "dependencies"
commit-message:
prefix: "chore(deps)"
include: "scope"
groups:
minor-and-patch:
update-types:
- "minor"
- "patch"

- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
labels:
- "dependencies"
commit-message:
prefix: "build(deps)"
include: "scope"
groups:
minor-and-patch:
update-types:
- "minor"
- "patch"

- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 5
labels:
- "dependencies"
commit-message:
prefix: "ci(deps)"
include: "scope"
groups:
minor-and-patch:
update-types:
- "minor"
- "patch"
61 changes: 61 additions & 0 deletions .github/workflows/e2e-test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
name: E2E Test
on: [push, pull_request]

jobs:
e2e-test:
name: Node.js
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
node-version: ["10.x", "12.x", "14.x"]

steps:
- name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }}
uses: actions/checkout@v2
with:
persist-credentials: false

- name: Set up Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v1
with:
node-version: ${{ matrix.node-version }}

- name: Use cache
uses: actions/cache@v2
with:
path: |
~/.npm
~/.cache
key: ${{ runner.os }}-node${{ matrix.node-version }}-E2E-${{ hashFiles('package-lock.json') }}

- name: Install dependencies
run: |
npm ci
npm run cy:verify

- name: Start MongoDB
run: |
docker run -d -p 27017:27017 mongo:4.0
timeout 60s bash -c 'until nc -z -w 2 localhost 27017 && echo MongoDB ready; do sleep 2; done'

- name: Run E2E test suite
id: test-suite
run: |
NODE_ENV=test npm start -- --silent &
npm run test:ci -- --config video=true

- name: Prepare cypress artifacts
if: failure() && (steps.test-suite.outcome == 'failure')
working-directory: ./test/e2e
run: >
mkdir -p "screenshots" && find "screenshots" -mindepth 1 -maxdepth 1 -type d
-exec sh -c 'mv -- "videos/$(basename "$1").mp4" "$1"' _ {} \;

- name: Upload cypress artifacts
if: failure() && (steps.test-suite.outcome == 'failure')
uses: actions/upload-artifact@v2
with:
name: cypress-artifacts-node${{ matrix.node-version }}
path: test/e2e/screenshots

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Comment on lines +6 to +61
26 changes: 26 additions & 0 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: Lint
on: [push, pull_request]

jobs:
lint:
name: Node.js
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
node-version: ["14.x"]

steps:
- name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }}
uses: actions/checkout@v2
with:
persist-credentials: false

- name: Set up Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v1
with:
node-version: ${{ matrix.node-version }}

- name: Run linter
run: npx --no-install jshint@2.12.0 .

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
Comment on lines +6 to +26
35 changes: 34 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1 +1,34 @@
node_modules
# Node modules
node_modules

# Logs and databases
*.log
*.db

# OS files
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
Icon?

# Idea stuff
.idea/**

# Zap output
report*.html

# e2e
test/e2e/screenshots/
test/e2e/videos/

# ignore sensitive files
.env.local
.env

# ignore Snyk Code scanner files
.dccache

# ignore certificate and key files
artifacts/cert/
2 changes: 2 additions & 0 deletions .jshintignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
node_modules/
app/assets/vendor/
50 changes: 25 additions & 25 deletions .jshintrc
Original file line number Diff line number Diff line change
@@ -1,39 +1,39 @@
{
"node": true, // Enable globals available when code is running inside of the NodeJS runtime environment.
"browser": true, // Standard browser globals e.g. `window`, `document`.
"es5": true, // Allow EcmaScript 5 syntax.
"esnext": true, // Allow ES.next specific features such as `const` and `let`.
"esversion": 9, // Allow EcmaScript 9 syntax.
"bitwise": false, // Prohibit bitwise operators (&, |, ^, etc.).
"camelcase": false, // Permit only camelcase for `var` and `object indexes`.
"camelcase": true, // Permit only camelcase for `var` and `object indexes`.
"curly": false, // Require {} for every new block or scope.
"eqeqeq": true, // Require triple equals i.e. `===`.
"immed": true, // Require immediate invocations to be wrapped in parens e.g. `( function(){}() );`
"immed": true, // Require immediate invocations to be wrapped in parens e.g. `( function(){}() );`.
"latedef": true, // Prohibit variable use before definition.
"newcap": true, // Require capitalization of all constructor functions e.g. `new F()`.
"noarg": true, // Prohibit use of `arguments.caller` and `arguments.callee`.
"quotmark": "double", // Define quotes to string values.
"regexp": true, // Prohibit `.` and `[^...]` in regular expressions.
"undef": true, // Require all non-global variables be declared before they are used.
"unused": true, // Warn unused variables.
"strict": false, // Require `use strict` pragma in every file.
"unused": false, // Warn unused variables.
"strict": true, // Require `use strict` pragma in every file.
"trailing": true, // Prohibit trailing whitespaces.
"smarttabs": false, // Suppresses warnings about mixed tabs and spaces
"globals": { // Globals variables.
},
"predef": [ // Extra globals.
"define",
"require",
"exports",
"module",
"describe",
"before",
"beforeEach",
"after",
"afterEach",
"it"
],
"indent": 4, // Specify indentation spacing
"maxlen": 120, // Max line lenght
"smarttabs": false, // Suppresses warnings about mixed tabs and spaces.
"indent": 4, // Specify indentation spacing.
"maxlen": 120, // Max line length.
"devel": false, // Allow development statements e.g. `console.log();`.
"noempty": true // Prohibit use of empty blocks.
}
"noempty": true, // Prohibit use of empty blocks.
"overrides": {
"test/e2e/**": {
"globals": {
"cy": false,
"Cypress": false,
"it": false,
"describe": false,
"before": false,
"after": false,
"beforeEach": false,
"afterEach": false,
"expect": false
}
}
}
}
3 changes: 0 additions & 3 deletions .nodemonignore

This file was deleted.

36 changes: 36 additions & 0 deletions .travis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
os: linux
dist: xenial
language: node_js
services:
- docker
- xvfb
node_js:
- v8
- v10
- v12

## Missing dependency for Cypress https://github.com/cypress-io/cypress/issues/4069
addons:
apt:
packages:
- libgconf-2-4


## Cache NPM folder and Cypress binary
## to avoid downloading Cypress again and again
cache:
directories:
- ~/.npm
- ~/.cache

before_script:
## we use the '&' ampersand which tells
## travis to run this process in the background
## else it would block execution and hang travis
- docker run -d -p 27017:27017 mongo:4.0
- docker ps -a
- NODE_ENV=test npm start -- --silent &

script:
- npm run test:ci

76 changes: 76 additions & 0 deletions CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to make participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment
include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or
advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.

## Scope

This Code of Conduct applies within all project spaces, and it also applies when
an individual is representing the project or its community in public spaces.
Examples of representing a project or community include using an official
project e-mail address, posting via an official social media account, or acting
as an appointed representative at an online or offline event. Representation of
a project may be further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at chetan.karande@owasp.org. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see
https://www.contributor-covenant.org/faq
13 changes: 13 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
## Contributing

Contributions from community are key to make NodeGoat a high quality comprehensive resource. Lets make NodeGoat awesome together!

### Ways to Contribute
Depending on your preference, you can contribute in various ways. Here are tasks planned for [upcoming release](https://github.com/OWASP/NodeGoat/milestones).
You can also open an issue, sending a PR, or get in touch on [Gitter Chat](https://gitter.im/OWASP/NodeGoat) or [Slack](https://owasp.slack.com/messages/project-nodegoat/)

If sending PR, once code is ready to commit, run:
```
npm run precommit
```
This command uses `js-beautifier` to indent the code and verifies these [coding standards](https://github.com/OWASP/NodeGoat/blob/master/.jshintrc) using `jsHint`. Please resolve all `jsHint` errors before committing the code.
Loading
Loading