routes/b2bOrder.ts
/*
* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
* SPDX-License-Identifier: MIT
*/
import vm = require('vm')
import { type Request, type Response, type NextFunction } from 'express'
import challengeUtils = require('../lib/challengeUtils')
import * as utils from '../lib/utils'
import { challenges } from '../data/datacache'
const security = require('../lib/insecurity')
const safeEval = require('notevil')
module.exports = function b2bOrder () {
return ({ body }: Request, res: Response, next: NextFunction) => {
if (utils.isChallengeEnabled(challenges.rceChallenge) || utils.isChallengeEnabled(challenges.rceOccupyChallenge)) {
const orderLinesData = body.orderLinesData || ''
try {
const sandbox = { safeEval, orderLinesData }
vm.createContext(sandbox)
vm.runInContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 })
res.json({ cid: body.cid, orderNo: uniqueOrderNumber(), paymentDue: dateTwoWeeksFromNow() })
} catch (err) {
if (utils.getErrorMessage(err).match(/Script execution timed out.*/) != null) {
challengeUtils.solveIf(challenges.rceOccupyChallenge, () => { return true })
res.status(503)
next(new Error('Sorry, we are temporarily not available! Please try again later.'))
} else {
challengeUtils.solveIf(challenges.rceChallenge, () => { return utils.getErrorMessage(err) === 'Infinite loop detected - reached max iterations' })
next(err)
}
}
} else {
res.json({ cid: body.cid, orderNo: uniqueOrderNumber(), paymentDue: dateTwoWeeksFromNow() })
}
}
function uniqueOrderNumber () {
return security.hash(`${(new Date()).toString()}_B2B`)
}
function dateTwoWeeksFromNow () {
return new Date(new Date().getTime() + (14 * 24 * 60 * 60 * 1000)).toISOString()
}
}