routes/showProductReviews.ts
/*
* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
* SPDX-License-Identifier: MIT
*/
import utils = require('../lib/utils')
import challengeUtils = require('../lib/challengeUtils')
import { type Request, type Response, type NextFunction } from 'express'
import { type Review } from 'data/types'
import * as db from '../data/mongodb'
import { challenges } from '../data/datacache'
const security = require('../lib/insecurity')
// Blocking sleep function as in native MongoDB
// @ts-expect-error FIXME Type safety broken for global object
global.sleep = (time: number) => {
// Ensure that users don't accidentally dos their servers for too long
if (time > 2000) {
time = 2000
}
const stop = new Date().getTime()
while (new Date().getTime() < stop + time) {
;
}
}
module.exports = function productReviews () {
return (req: Request, res: Response, next: NextFunction) => {
const id = !utils.isChallengeEnabled(challenges.noSqlCommandChallenge) ? Number(req.params.id) : req.params.id
// Measure how long the query takes, to check if there was a nosql dos attack
const t0 = new Date().getTime()
db.reviewsCollection.find({ $where: 'this.product == ' + id }).then((reviews: Review[]) => {
const t1 = new Date().getTime()
challengeUtils.solveIf(challenges.noSqlCommandChallenge, () => { return (t1 - t0) > 2000 })
const user = security.authenticatedUsers.from(req)
for (let i = 0; i < reviews.length; i++) {
if (user === undefined || reviews[i].likedBy.includes(user.data.email)) {
reviews[i].liked = true
}
}
res.json(utils.queryResultToJson(reviews))
}, () => {
res.status(400).json({ error: 'Wrong Params' })
})
}
}