b3e8a9a058
Major additions: - Community Next.js app (port 18187) for browsing claims with API docs - stemedb-chaos crate: Fault injection, chaos testing, CRDT properties - Latent ingestion system: Reddit/FDA ingesters with ADK-Go agents - Disputed claims handling: Manual review workflows and validation - Aphoria security scanner: New extractors (SQL injection, command injection, weak crypto, TLS version), policy-based ignores, UAT reports - Docker infrastructure: Dockerfile, docker-compose.yml for full stack - VulnBank demo: Intentionally vulnerable multi-language test corpus SDK & API enhancements: - Source registry handlers for tracking data provenance - Metrics endpoint - Skeptic filtering improvements Code quality: - Split 14 large files (>500 lines) into focused modules - All files now under 500-line limit per project guidelines Documentation: - Chaos testing guide, circuit breakers, observability docs - Phase 7 UAT documentation updates - Martin Kleppmann technical writer agent Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
73 lines
2.0 KiB
JavaScript
73 lines
2.0 KiB
JavaScript
/**
|
|
* VulnBank - Express Server with intentional vulnerabilities
|
|
*
|
|
* Vulnerabilities:
|
|
* - TLS verification disabled
|
|
* - CORS wildcard
|
|
* - Insecure JWT verification
|
|
*/
|
|
|
|
const express = require('express');
|
|
const jwt = require('jsonwebtoken');
|
|
const https = require('https');
|
|
|
|
const app = express();
|
|
app.use(express.json());
|
|
|
|
// BLOCK: Hardcoded JWT secret in source code
|
|
const JWT_SECRET = 'super_secret_jwt_key_12345';
|
|
|
|
// BLOCK: CORS allows any origin
|
|
app.use((req, res, next) => {
|
|
res.header('Access-Control-Allow-Origin', '*');
|
|
res.header('Access-Control-Allow-Credentials', 'true');
|
|
res.header('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE');
|
|
next();
|
|
});
|
|
|
|
// VULNERABILITY: TLS verification disabled
|
|
app.get('/api/external', async (req, res) => {
|
|
const url = req.query.url;
|
|
|
|
// BLOCK: rejectUnauthorized: false disables TLS certificate verification
|
|
const agent = new https.Agent({
|
|
rejectUnauthorized: false
|
|
});
|
|
|
|
try {
|
|
const fetch = require('node-fetch');
|
|
const response = await fetch(url, { agent });
|
|
const data = await response.json();
|
|
res.json(data);
|
|
} catch (error) {
|
|
res.status(500).json({ error: error.message });
|
|
}
|
|
});
|
|
|
|
// VULNERABILITY: JWT without algorithm verification
|
|
app.post('/api/verify', (req, res) => {
|
|
const token = req.headers.authorization;
|
|
|
|
try {
|
|
// BLOCK: JWT verification without algorithm specification allows algorithm confusion
|
|
const decoded = jwt.verify(token, JWT_SECRET);
|
|
res.json({ valid: true, payload: decoded });
|
|
} catch (error) {
|
|
res.status(401).json({ valid: false, error: error.message });
|
|
}
|
|
});
|
|
|
|
// VULNERABILITY: JWT decode without verification
|
|
app.get('/api/user-info', (req, res) => {
|
|
const token = req.headers.authorization;
|
|
|
|
// BLOCK: jwt.decode without verification - anyone can forge tokens
|
|
const payload = jwt.decode(token);
|
|
res.json(payload);
|
|
});
|
|
|
|
app.listen(3000, () => {
|
|
console.log('VulnBank Node.js server running on port 3000');
|
|
console.log('Run `aphoria scan` to detect vulnerabilities');
|
|
});
|