juice-shop/juice-shop

View on GitHub

Showing 99 of 134 total issues

File quantityApiSpec.ts has 312 lines of code (exceeds 300 allowed). Consider refactoring.
Open

/*
 * Copyright (c) 2014-2022 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

Severity: Minor
Found in test/api/quantityApiSpec.ts - About 2 hrs to fix

    Function determineDisabledEnv has a Cognitive Complexity of 19 (exceeds 7 allowed). Consider refactoring.
    Open

    export const determineDisabledEnv = (disabledEnv: string | string[] | undefined) => {
      if (isDocker()) {
        return disabledEnv && (disabledEnv === 'Docker' || disabledEnv.includes('Docker')) ? 'Docker' : null
      } else if (isHeroku) {
        return disabledEnv && (disabledEnv === 'Heroku' || disabledEnv.includes('Heroku')) ? 'Heroku' : null
    Severity: Minor
    Found in lib/utils.ts - About 2 hrs to fix

    Cognitive Complexity

    Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

    A method's cognitive complexity is based on a few simple rules:

    • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
    • Code is considered more complex for each "break in the linear flow of the code"
    • Code is considered more complex when "flow breaking structures are nested"

    Further reading

    File app.module.ts has 309 lines of code (exceeds 300 allowed). Consider refactoring.
    Open

    /*
     * Copyright (c) 2014-2022 Bjoern Kimminich & the OWASP Juice Shop contributors.
     * SPDX-License-Identifier: MIT
     */
    
    
    Severity: Minor
    Found in frontend/src/app/app.module.ts - About 2 hrs to fix

      Function getLanguageList has 60 lines of code (exceeds 30 allowed). Consider refactoring.
      Open

      module.exports = function getLanguageList () { // TODO Refactor and extend to also load backend translations from /i18n/*json and calculate joint percentage/gauge
        return (req: Request, res: Response, next: NextFunction) => {
          const languages: Array<{ key: string, lang: any, icons: string[], shortKey: string, percentage: unknown, gauge: string }> = []
          let count = 0
          let enContent: any
      Severity: Major
      Found in routes/languages.ts - About 2 hrs to fix

        Function login has 59 lines of code (exceeds 30 allowed). Consider refactoring.
        Open

        Severity: Major
        Found in routes/login.ts - About 2 hrs to fix

          Function databaseRelatedChallenges has a Cognitive Complexity of 18 (exceeds 7 allowed). Consider refactoring.
          Open

          exports.databaseRelatedChallenges = () => (req: Request, res: Response, next: NextFunction) => {
            if (challengeUtils.notSolved(challenges.changeProductChallenge) && products.osaft) {
              changeProductChallenge(products.osaft)
            }
            if (challengeUtils.notSolved(challenges.feedbackChallenge)) {
          Severity: Minor
          Found in routes/verify.ts - About 2 hrs to fix

          Cognitive Complexity

          Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

          A method's cognitive complexity is based on a few simple rules:

          • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
          • Code is considered more complex for each "break in the linear flow of the code"
          • Code is considered more complex when "flow breaking structures are nested"

          Further reading

          Function handleXmlUpload has a Cognitive Complexity of 18 (exceeds 7 allowed). Consider refactoring.
          Open

          function handleXmlUpload ({ file }: Request, res: Response, next: NextFunction) {
            if (utils.endsWith(file?.originalname.toLowerCase(), '.xml')) {
              challengeUtils.solveIf(challenges.deprecatedInterfaceChallenge, () => { return true })
              if (file?.buffer && !utils.disableOnContainerEnv()) { // XXE attacks in Docker/Heroku containers regularly cause "segfault" crashes
                const data = file.buffer.toString()
          Severity: Minor
          Found in routes/fileUpload.ts - About 2 hrs to fix

          Cognitive Complexity

          Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

          A method's cognitive complexity is based on a few simple rules:

          • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
          • Code is considered more complex for each "break in the linear flow of the code"
          • Code is considered more complex when "flow breaking structures are nested"

          Further reading

          Function changePassword has a Cognitive Complexity of 18 (exceeds 7 allowed). Consider refactoring.
          Open

          module.exports = function changePassword () {
            return ({ query, headers, connection }: Request, res: Response, next: NextFunction) => {
              const currentPassword = query.current
              const newPassword = query.new
              const newPasswordInString = newPassword?.toString()
          Severity: Minor
          Found in routes/changePassword.ts - About 2 hrs to fix

          Cognitive Complexity

          Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

          A method's cognitive complexity is based on a few simple rules:

          • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
          • Code is considered more complex for each "break in the linear flow of the code"
          • Code is considered more complex when "flow breaking structures are nested"

          Further reading

          Function upgradeToDeluxe has a Cognitive Complexity of 18 (exceeds 7 allowed). Consider refactoring.
          Open

          module.exports.upgradeToDeluxe = function upgradeToDeluxe () {
            return async (req: Request, res: Response, next: NextFunction) => {
              try {
                const user = await UserModel.findOne({ where: { id: req.body.UserId, role: security.roles.customer } })
                if (!user) {
          Severity: Minor
          Found in routes/deluxe.ts - About 2 hrs to fix

          Cognitive Complexity

          Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

          A method's cognitive complexity is based on a few simple rules:

          • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
          • Code is considered more complex for each "break in the linear flow of the code"
          • Code is considered more complex when "flow breaking structures are nested"

          Further reading

          Function ngAfterViewInit has 57 lines of code (exceeds 30 allowed). Consider refactoring.
          Open

            ngAfterViewInit () {
              const products = this.productService.search('')
              const quantities = this.quantityService.getAll()
              forkJoin([quantities, products]).subscribe(([quantities, products]) => {
                const dataTable: TableEntry[] = []
          Severity: Major
          Found in frontend/src/app/search-result/search-result.component.ts - About 2 hrs to fix

            Function processQuery has 55 lines of code (exceeds 30 allowed). Consider refactoring.
            Open

            async function processQuery (user: User, req: Request, res: Response) {
              const username = user.username
              if (!username) {
                res.status(200).json({
                  action: 'namequery',
            Severity: Major
            Found in routes/chatbot.ts - About 2 hrs to fix

              Function searchProducts has 53 lines of code (exceeds 30 allowed). Consider refactoring.
              Open

              module.exports = function searchProducts () {
                return (req: Request, res: Response, next: NextFunction) => {
                  let criteria: any = req.query.q === 'undefined' ? '' : req.query.q ?? ''
                  criteria = (criteria.length <= 200) ? criteria : criteria.substring(0, 200)
                  models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code-snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge
              Severity: Major
              Found in routes/search.ts - About 1 hr to fix

                Function getUserProfile has 53 lines of code (exceeds 30 allowed). Consider refactoring.
                Open

                module.exports = function getUserProfile () {
                  return (req: Request, res: Response, next: NextFunction) => {
                    fs.readFile('views/userProfile.pug', function (err, buf) {
                      if (err != null) throw err
                      const loggedInUser = security.authenticatedUsers.get(req.cookies.token)
                Severity: Major
                Found in routes/userProfile.ts - About 1 hr to fix

                  Function restoreProgress has a Cognitive Complexity of 17 (exceeds 7 allowed). Consider refactoring.
                  Open

                  module.exports.restoreProgress = function restoreProgress () {
                    return ({ params }: Request, res: Response) => {
                      const hashids = new Hashids('this is my salt', 60, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890')
                      const continueCode = params.continueCode
                      const ids = hashids.decode(continueCode)
                  Severity: Minor
                  Found in routes/restoreProgress.ts - About 1 hr to fix

                  Cognitive Complexity

                  Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

                  A method's cognitive complexity is based on a few simple rules:

                  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
                  • Code is considered more complex for each "break in the linear flow of the code"
                  • Code is considered more complex when "flow breaking structures are nested"

                  Further reading

                  Function fileUpload has a Cognitive Complexity of 17 (exceeds 7 allowed). Consider refactoring.
                  Open

                  module.exports = function fileUpload () {
                    return async (req: Request, res: Response, next: NextFunction) => {
                      const file = req.file
                      const buffer = file?.buffer
                      const uploadedFileType = await fileType.fromBuffer(buffer)
                  Severity: Minor
                  Found in routes/profileImageFileUpload.ts - About 1 hr to fix

                  Cognitive Complexity

                  Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

                  A method's cognitive complexity is based on a few simple rules:

                  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
                  • Code is considered more complex for each "break in the linear flow of the code"
                  • Code is considered more complex when "flow breaking structures are nested"

                  Further reading

                  Function productReviews has 49 lines of code (exceeds 30 allowed). Consider refactoring.
                  Open

                  module.exports = function productReviews () {
                    return (req: Request, res: Response, next: NextFunction) => {
                      const id = req.body.id
                      const user = security.authenticatedUsers.from(req)
                      db.reviews.findOne({ _id: id }).then((review: Review) => {
                  Severity: Minor
                  Found in routes/likeProductReviews.ts - About 1 hr to fix

                    Function retrieveLoggedInUser has a Cognitive Complexity of 15 (exceeds 7 allowed). Consider refactoring.
                    Open

                    module.exports = function retrieveLoggedInUser () {
                      return (req: Request, res: Response) => {
                        let user
                        try {
                          if (security.verify(req.cookies.token)) {
                    Severity: Minor
                    Found in routes/currentUser.ts - About 1 hr to fix

                    Cognitive Complexity

                    Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

                    A method's cognitive complexity is based on a few simple rules:

                    • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
                    • Code is considered more complex for each "break in the linear flow of the code"
                    • Code is considered more complex when "flow breaking structures are nested"

                    Further reading

                    Function restoreProgressFindIt has a Cognitive Complexity of 15 (exceeds 7 allowed). Consider refactoring.
                    Open

                    module.exports.restoreProgressFindIt = function restoreProgressFindIt () {
                      return async ({ params }: Request, res: Response) => {
                        const hashids = new Hashids('this is the salt for findIt challenges', 60, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890')
                        const continueCodeFindIt = params.continueCode
                        const idsFindIt = hashids.decode(continueCodeFindIt)
                    Severity: Minor
                    Found in routes/restoreProgress.ts - About 1 hr to fix

                    Cognitive Complexity

                    Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

                    A method's cognitive complexity is based on a few simple rules:

                    • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
                    • Code is considered more complex for each "break in the linear flow of the code"
                    • Code is considered more complex when "flow breaking structures are nested"

                    Further reading

                    Function status has 44 lines of code (exceeds 30 allowed). Consider refactoring.
                    Open

                    module.exports.status = function status () {
                      return async (req: Request, res: Response, next: NextFunction) => {
                        if (!bot) {
                          res.status(200).json({
                            status: false,
                    Severity: Minor
                    Found in routes/chatbot.ts - About 1 hr to fix

                      Function FeedbackModelInit has 44 lines of code (exceeds 30 allowed). Consider refactoring.
                      Open

                      const FeedbackModelInit = (sequelize: Sequelize) => {
                        Feedback.init(
                          {
                            UserId: {
                              type: DataTypes.INTEGER
                      Severity: Minor
                      Found in models/feedback.ts - About 1 hr to fix
                        Severity
                        Category
                        Status
                        Source
                        Language