jordan/stemedb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4360a17dd3
stemedb/docs/demo/vulnbank/node/server.js
jordan b3e8a9a058 feat: Multi-application expansion with chaos testing and community UI 
Major additions:
- Community Next.js app (port 18187) for browsing claims with API docs
- stemedb-chaos crate: Fault injection, chaos testing, CRDT properties
- Latent ingestion system: Reddit/FDA ingesters with ADK-Go agents
- Disputed claims handling: Manual review workflows and validation
- Aphoria security scanner: New extractors (SQL injection, command
  injection, weak crypto, TLS version), policy-based ignores, UAT reports
- Docker infrastructure: Dockerfile, docker-compose.yml for full stack
- VulnBank demo: Intentionally vulnerable multi-language test corpus

SDK & API enhancements:
- Source registry handlers for tracking data provenance
- Metrics endpoint
- Skeptic filtering improvements

Code quality:
- Split 14 large files (>500 lines) into focused modules
- All files now under 500-line limit per project guidelines

Documentation:
- Chaos testing guide, circuit breakers, observability docs
- Phase 7 UAT documentation updates
- Martin Kleppmann technical writer agent

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 01:24:14 -07:00

73 lines
2.0 KiB
JavaScript
Raw Blame History

/**
* VulnBank - Express Server with intentional vulnerabilities
*
* Vulnerabilities:
* - TLS verification disabled
* - CORS wildcard
* - Insecure JWT verification
*/
const express = require('express');
const jwt = require('jsonwebtoken');
const https = require('https');
const app = express();
app.use(express.json());
// BLOCK: Hardcoded JWT secret in source code
const JWT_SECRET = 'super_secret_jwt_key_12345';
// BLOCK: CORS allows any origin
app.use((req, res, next) => {
res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Credentials', 'true');
res.header('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE');
next();
});
// VULNERABILITY: TLS verification disabled
app.get('/api/external', async (req, res) => {
const url = req.query.url;
// BLOCK: rejectUnauthorized: false disables TLS certificate verification
const agent = new https.Agent({
rejectUnauthorized: false
});
try {
const fetch = require('node-fetch');
const response = await fetch(url, { agent });
const data = await response.json();
res.json(data);
} catch (error) {
res.status(500).json({ error: error.message });
}
});
// VULNERABILITY: JWT without algorithm verification
app.post('/api/verify', (req, res) => {
const token = req.headers.authorization;
try {
// BLOCK: JWT verification without algorithm specification allows algorithm confusion
const decoded = jwt.verify(token, JWT_SECRET);
res.json({ valid: true, payload: decoded });
} catch (error) {
res.status(401).json({ valid: false, error: error.message });
}
});
// VULNERABILITY: JWT decode without verification
app.get('/api/user-info', (req, res) => {
const token = req.headers.authorization;
// BLOCK: jwt.decode without verification - anyone can forge tokens
const payload = jwt.decode(token);
res.json(payload);
});
app.listen(3000, () => {
console.log('VulnBank Node.js server running on port 3000');
console.log('Run `aphoria scan` to detect vulnerabilities');
});
Reference in New Issue View Git Blame Copy Permalink