Merge master into feature/187

README.md

@@ -9,93 +9,128 @@ OWASP Top 10 for Node.js web applications:
 [Tutorial Guide](http://nodegoat.herokuapp.com/tutorial) explaining how each of the OWASP Top 10 vulnerabilities can manifest in Node.js web apps and how to prevent it.
 
 ### Do it!
-[A Vulnerable Node.js App for Ninjas](http://nodegoat.herokuapp.com/) to exploit, toast, and fix. You may like to [set up your own copy](#how-to-setup-your-copy-of-nodegoat) of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
+[A Vulnerable Node.js App for Ninjas](http://nodegoat.herokuapp.com/) to exploit, toast, and fix. You may like to [set up your own copy](#how-to-set-up-your-copy-of-nodegoat) of the app to fix and test vulnerabilities. Hint: Look for comments in the source code.
 ##### Default user accounts
 The database comes pre-populated with these user accounts created as part of the seed data -
 * Admin Account - u:admin p:Admin_123
 * User Accounts (u:user1 p:User1_123), (u:user2 p:User2_123)
 * New users can also be added using the sign-up page.
 
-## How to Setup Your Copy of NodeGoat
+## How to Set Up Your Copy of NodeGoat
+
+### OPTION 1 - Run NodeGoat on your machine
+
+1) Install [Node.js](http://nodejs.org/) - NodeGoat requires Node v8 or above
+
+2) Clone the github repository:
+   ```
+   git clone https://github.com/OWASP/NodeGoat.git
+   ```
+
+3) Go to the directory:
+   ```
+   cd NodeGoat
+   ```
+
+4) Install node packages:
+   ```
+   npm install
+   ```
+
+5) Set up MongoDB. You can either install MongoDB locally or create a remote instance:
+
+   * Using local MongoDB:
+     1) Install [MongoDB Community Server](https://docs.mongodb.com/manual/administration/install-community/)
+     2) Start [mongod](http://docs.mongodb.org/manual/reference/program/mongod/#bin.mongod)
+
+   * Using remote MongoDB instance:
+     1) [Deploy a MongoDB Atlas free tier cluster](https://docs.atlas.mongodb.com/tutorial/deploy-free-tier-cluster/) (M0 Sandbox)
+     2) [Enable network access](https://docs.atlas.mongodb.com/security/add-ip-address-to-list/) to the cluster from your current IP address
+     3) [Add a database user](https://docs.atlas.mongodb.com/tutorial/create-mongodb-user-for-cluster/) to the cluster
+     4) Set the `MONGODB_URI` environment variable to the connection string of your cluster, which can be viewed in the cluster's
+        [connect dialog](https://docs.atlas.mongodb.com/tutorial/connect-to-your-cluster/#connect-to-your-atlas-cluster). Select "Connect your application",
+        set the driver to "Node.js" and the version to "2.2.12 or later". This will give a connection string in the form:
+        ```
+        mongodb://<username>:<password>@<cluster>/<dbname>?ssl=true&replicaSet=<rsname>&authSource=admin&retryWrites=true&w=majority
+        ```
+        The `<username>` and `<password>` fields need filling in with the details of the database user added earlier. The `<dbname>` field sets the name of the
+        database nodegoat will use in the cluster (eg "nodegoat"). The other fields will already be filled in with the correct details for your cluster.
+
+6) Populate MongoDB with the seed data required for the app:
+   ```
+   npm run db:seed
+   ```
+   By default this will use the "development" configuration, but the desired config can be passed as an argument if required.
+
+7) Start the server. You can run the server using node or nodemon:
+   * Start the server with node. This starts the NodeGoat application at [http://localhost:4000/](http://localhost:4000/):
+     ```
+     npm start
+     ```
+   * Start the server with nodemon, which will automatically restart the application when you make any changes. This starts the NodeGoat application at [http://localhost:5000/](http://localhost:5000/):
+     ```
+     npm run dev
+     ```
 
-### OPTION 1 - One click install on Heroku
-The the quickest way to get running with NodeGoat is to click the button below to deploy it on Heroku.
+#### Customizing the Default Application Configuration
+By default the application will be hosted on port 4000 and will connect to a MongoDB instance at localhost:27017. To change this set the environment variables `PORT` and `MONGODB_URI`.
 
-Even though it is not essential, but recommended that you fork this repository and deploy the forked repo.
-This would allow you to fix vulnerabilities in your own forked version, and deploy and test it on heroku.
+Other settings can be changed by updating the [config file](https://github.com/OWASP/NodeGoat/blob/master/config/env/all.js).
 
-[![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy)
 
-This Heroku instance uses Free ($0/month) node server and MongoLab add-on.
+### OPTION 2 - Run NodeGoat on Docker
 
-### OPTION 2 - Run NodeGoat on your machine
+The repo includes the Dockerfile and docker-compose.yml necessary to set up the app and db instance, then connect them together.
 
-If you do not wish to run NodeGoat on Heroku, please follow these steps to setup and run it locally -
-* Install [Node.js](http://nodejs.org/) - NodeGoat requires Node v8 or above
+1) Install [docker](https://docs.docker.com/installation/) and [docker compose](https://docs.docker.com/compose/install/) 
 
-* Clone the github repository
-```
-git clone https://github.com/OWASP/NodeGoat.git
-```
+2) Clone the github repository:
+   ```
+   git clone https://github.com/OWASP/NodeGoat.git
+   ```
 
-*go to the directory
-```
-cd NodeGoat
-```
+3) Go to the directory:
+   ```
+   cd NodeGoat
+   ```
 
-* Install node modules
-```
-npm install
-```
+4) Build the images:
+   ```
+   docker-compose build
+   ```
 
-* Create Mongo DB:
-    You can create a remote MongoDB instance or use local mongod installation
-    * A. Using Remote MongoDB
-        * Create a sandbox mongoDB instance (free) at [mLab](https://mlab.com/plans/pricing/#plan-sandbox)
-        * Create a new database.
-        * Create a user.
-        * Update the `db` property in file `config/env/development.js` to reflect your DB setup. (in format: `mongodb://<username>:<password>@<databasename>`)
-    * OR B.Using local MongoDB
-        * If using local Mongo DB instance, start [mongod](http://docs.mongodb.org/manual/reference/program/mongod/#bin.mongod).
-        * Update the `db` property in file `config/env/development.js` to reflect your DB setup. (in format: `mongodb://localhost:27017/<databasename>`)
+5) Run the app, this starts the NodeGoat application at http://localhost:4000/:
+   ```
+   docker-compose up
+   ```
 
-* Populate MongoDB with seed data required for the app
-    * Run the npm-script below to populate the DB with seed data required for the application. Pass the desired environment as argument. If not passed, "development" is the default:
-```
-npm run db:seed
-```
-* Start server, this starts the NodeGoat application at url [http://localhost:4000/](http://localhost:4000/)
-```
-npm start
-```
 
-* Start server with nodemon, this starts the NodeGoat application at url [http://localhost:5000/](http://localhost:5000/)
-```
-npm run dev
-```
+### OPTION 3 - Deploy to Heroku
 
-### OPTION 3 - Run NodeGoat on Docker
+This option uses a free ($0/month) Heroku node server.
 
-**You need to install [docker](https://docs.docker.com/installation/) and [docker compose](https://docs.docker.com/compose/install/) to be able to use this option**
+Though not essential, it is recommended that you fork this repository and deploy the forked repo.
+This will allow you to fix vulnerabilities in your own forked version, then deploy and test it on Heroku.
 
-The repo includes the Dockerfile and docker-compose.yml necessary to setup the app and the db instance then connect them together.
+1) Set up a publicly accessible MongoDB instance:
+   1) [Deploy a MongoDB Atlas free tier cluster](https://docs.atlas.mongodb.com/tutorial/deploy-free-tier-cluster/) (M0 Sandbox)
+   2) [Enable network access](https://docs.atlas.mongodb.com/security/ip-access-list/#add-ip-access-list-entries) to the cluster from anywhere (CIDR range 0.0.0.0/0)
+   3) [Add a database user](https://docs.atlas.mongodb.com/tutorial/create-mongodb-user-for-cluster/) to the cluster
 
-* Change the db config in `config/env/development.js` to point to the respective Docker container.
-```
-db: "mongodb://mongo:27017/nodegoat",
-```
-* Build the images:
-```
-docker-compose build
-```
-* Run the app:
-```
-docker-compose up
-```
+2) Deploy NodeGoat to Heroku by clicking the button below:
 
+   [![Deploy](https://www.herokucdn.com/deploy/button.png)](https://heroku.com/deploy)
+
+   In the Create New App dialog, set the `MONGODB_URI` config var to the connection string of your MongoDB Atlas cluster.
+   This can be viewed in the cluster's [connect dialog](https://docs.atlas.mongodb.com/tutorial/connect-to-your-cluster/#connect-to-your-atlas-cluster).
+   Select "Connect your application", set the driver to "Node.js" and the version to "2.2.12 or later".
+   This will give a connection string in the form:
+   ```
+   mongodb://<username>:<password>@<cluster>/<dbname>?ssl=true&replicaSet=<rsname>&authSource=admin&retryWrites=true&w=majority
+   ```
+   The `<username>` and `<password>` fields need filling in with the details of the database user added earlier. The `<dbname>` field sets the name of the
+   database nodegoat will use in the cluster (eg "nodegoat"). The other fields will already be filled in with the correct details for your cluster.
 
-#### Customizing the Default Application Configuration
-The default application settings (database url, http port, etc.) can be changed by updating the [config file] (https://github.com/OWASP/NodeGoat/blob/master/config/env/all.js).
 
 ## Report bugs, Feedback, Comments
 *  Open a new [issue](https://github.com/OWASP/NodeGoat/issues) or contact team by joining chat at [Slack](https://owasp.slack.com/messages/project-nodegoat/) or [![Join the chat at https://gitter.im/OWASP/NodeGoat](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/OWASP/NodeGoat?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)

apps/server-render/app.json

@@ -13,11 +13,17 @@
     "postdeploy": "node artifacts/db-reset.js"
   },
   "env": {
+    "MONGODB_URI": {
+      "description": "Connection string for MongoDB database to use. Must be publicly accessible.",
+      "value": ""
+    },
     "NODE_ENV": {
-      "value": "PRODUCTION"
+      "description": "NODE_ENV for build and runtime. Must be in lowercase for Heroku build process.",
+      "value": "production"
+    },
+    "NPM_CONFIG_ONLY": {
+       "description": "Controls devDependency install: \"production\" = skip, \"all\" = install",
+       "value": "production"
     }
-  },
-  "addons": [
-    "mongolab:sandbox"
-  ]
-}
+  }
+}

apps/server-render/app/data/allocations-dao.js

@@ -70,7 +70,7 @@ const AllocationsDAO = function(db) {
                 const parsedThreshold = parseInt(threshold, 10);
 
                 if (parsedThreshold >= 0 && parsedThreshold <= 99) {
-                    return {$where: `this.userId == ${parsedUserId} && this.stocks > ${threshold}`};
+                    return {$where: `this.userId == ${parsedUserId} && this.stocks > ${parsedThreshold}`};
                 }
                 throw `The user supplied threshold: ${parsedThreshold} was not valid.`;
                 */

apps/server-render/app/routes/allocations.js

@@ -1,4 +1,7 @@
 const AllocationsDAO = require("../data/allocations-dao").AllocationsDAO;
+const {
+    environmentalScripts
+} = require("../../config/config");
 
 function AllocationsHandler(db) {
     "use strict";
@@ -21,7 +24,8 @@ function AllocationsHandler(db) {
             if (err) return next(err);
             return res.render("allocations", {
                 userId,
-                allocations
+                allocations,
+                environmentalScripts
             });
         });
     };

apps/server-render/app/routes/benefits.js

@@ -1,6 +1,9 @@
 const {
     BenefitsDAO
 } = require("../data/benefits-dao");
+const {
+    environmentalScripts
+} = require("../../config/config");
 
 function BenefitsHandler(db) {
     "use strict";
@@ -17,7 +20,8 @@ function BenefitsHandler(db) {
                 users,
                 user: {
                     isAdmin: true
-                }
+                },
+                environmentalScripts
             });
         });
     };
@@ -40,7 +44,8 @@ function BenefitsHandler(db) {
                     user: {
                         isAdmin: true
                     },
-                    updateSuccess: true
+                    updateSuccess: true,
+                    environmentalScripts
                 };
 
                 return res.render("benefits", data);

apps/server-render/app/routes/contributions.js

@@ -1,4 +1,7 @@
 const ContributionsDAO = require("../data/contributions-dao").ContributionsDAO;
+const {
+    environmentalScripts
+} = require("../../config/config");
 
 /* The ContributionsHandler must be constructed with a connected db */
 function ContributionsHandler(db) {
@@ -15,7 +18,10 @@ function ContributionsHandler(db) {
             if (error) return next(error);
 
             contrib.userId = userId; //set for nav menu items
-            return res.render("contributions", contrib);
+            return res.render("contributions", {
+                ...contrib,
+                environmentalScripts
+            });
         });
     };
 
@@ -43,14 +49,16 @@ function ContributionsHandler(db) {
         if (isInvalid) {
             return res.render("contributions", {
                 updateError: "Invalid contribution percentages",
-                userId
+                userId,
+                environmentalScripts
             });
         }
         // Prevent more than 30% contributions
         if (preTax + afterTax + roth > 30) {
             return res.render("contributions", {
                 updateError: "Contribution percentages cannot exceed 30 %",
-                userId
+                userId,
+                environmentalScripts
             });
         }
 
@@ -59,7 +67,10 @@ function ContributionsHandler(db) {
             if (err) return next(err);
 
             contributions.updateSuccess = true;
-            return res.render("contributions", contributions);
+            return res.render("contributions", {
+                ...contributions,
+                environmentalScripts
+            });
         });
 
     };

apps/server-render/app/routes/index.js

@@ -5,7 +5,9 @@ const ContributionsHandler = require("./contributions");
 const AllocationsHandler = require("./allocations");
 const MemosHandler = require("./memos");
 const ResearchHandler = require("./research");
-
+const {
+    environmentalScripts
+} = require("../../config/config");
 const ErrorHandler = require("./error").errorHandler;
 
 const index = (app, db) => {
@@ -74,14 +76,18 @@ const index = (app, db) => {
 
     // Handle redirect for learning resources link
     app.get("/tutorial", (req, res) => {
-        return res.render("tutorial/a1");
+        return res.render("tutorial/a1", {
+            environmentalScripts
+        });
     });
 
     app.get("/tutorial/:page", (req, res) => {
         const {
             page
         } = req.params
-        return res.render(`tutorial/${page}`);
+        return res.render(`tutorial/${page}`, {
+            environmentalScripts
+        });
     });
 
     // Research Page

apps/server-render/app/routes/memos.js

@@ -1,4 +1,7 @@
 const MemosDAO = require("../data/memos-dao").MemosDAO;
+const {
+    environmentalScripts
+} = require("../../config/config");
 
 function MemosHandler(db) {
     "use strict";
@@ -23,7 +26,8 @@ function MemosHandler(db) {
             if (err) return next(err);
             return res.render("memos", {
                 memosList: docs,
-                userId: userId
+                userId: userId,
+                environmentalScripts
             });
         });
     };