From 8e8d71ca87a0f5cc40fb2daf600dc7fa2693f33e Mon Sep 17 00:00:00 2001
From: Benjamin Gutierrez
Date: Wed, 1 Nov 2023 19:43:55 -0400
Subject: [PATCH 1/5] Adding login endpoint
---
 app.js | 17 +++++++++++++++++
 openapi.yaml | 34 +++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/app.js b/app.js
index c87b654..d35e869 100644
--- a/app.js
+++ b/app.js
@@ -22,6 +22,23 @@ db.run('CREATE TABLE users (email TEXT, password TEXT)', (err) => {
 app.get('/', (req, res) => {
 res.send('Hello, World!');
 });
+
+// Login endpoint (Unsafe)
+app.get('/login', (req, res) => {
+ const { email, password } = req.query;
+
+ if (!email || !password) {
+ return res.status(400).send('Email and password are required');
+ }
+ const query = `SELECT * FROM users WHERE email = '${email}' and password = '${password}'`;
+
+ db.get(query, [], (err, row) => {
+ if (err) {
+ return res.status(500).send(`{"error": "${err.message}"}`);
+ }
+ return res.send('Login successful');
+ });
+});

 const server = app.listen(port, () => {
 console.log(`Listening at http://localhost:${port}`);
diff --git a/openapi.yaml b/openapi.yaml
index 996c918..c2bae0d 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -21,4 +21,36 @@ paths:
 type: string
 example: Hello, World!
-
\ No newline at end of file
+ /login:
+ get:
+ summary: User login
+ description: "Allows user to log in (Note: this is an unsafe method and not recommended for production use)."
+ parameters:
+ - in: query
+ name: email
+ required: true
+ description: User's email
+ schema:
+ type: string
+ format: email
+ - in: query
+ name: password
+ required: true
+ description: User's password
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Login successful
+ content:
+ text/html:
+ schema:
+ type: string
+ example: "
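Review bot: The `const query = ...` line interpolates `email` and `password` from `req.query` straight into the SQL text, and the `db.get` callback below it never inspects `row`, so any query that runs without error answers `Login successful` whether or not a user matched. Use the placeholder form the `db.get(sql, params, cb)` call already has a slot for and check the result: `db.get('SELECT * FROM users WHERE email = ? AND password = ?', [email, password], (err, row) => {` followed by `if (!row) { return res.status(401).send('Invalid credentials'); }` before the success response. Credentials also arrive in a GET query string, where they land in access logs and browser history, and the 500 branch interpolates `err.message` into a hand-built JSON string, which `res.status(500).json({ error: ... })` would emit safely. The hunk's own comment labels the endpoint unsafe, so some of this may be deliberate for the demo; the unchecked `row` is a functional bug regardless.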

Login successful

"
+ '400':
+ description: Bad request, parameters missing or invalid
+ content:
+ text/html:
+ schema:
+ type: string
+ example: "

Bad request

"
\ No newline at end of file
From 0c8b147e000c5a32acac742ba51fd8d2c5b7f8f0 Mon Sep 17 00:00:00 2001
From: Benjamin Gutierrez
Date: Wed, 1 Nov 2023 19:53:09 -0400
Subject: [PATCH 2/5] Adding login endpoint
---
 .github/workflows/mapi.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mapi.yml b/.github/workflows/mapi.yml
index d180112..98de336 100644
--- a/.github/workflows/mapi.yml
+++ b/.github/workflows/mapi.yml
@@ -64,7 +64,7 @@ jobs:
 flags: vulnerability-tests
 fail_ci_if_error: true

- - name: Archive Mayhem for API report
+ - name: Archive Mayhem for API report
 uses: actions/upload-artifact@v3
 with:
 name: mapi-report
From 0b6201d76d8968e9c16144c629b0cdd353de823d Mon Sep 17 00:00:00 2001
From: Benjamin Gutierrez
Date: Thu, 2 Nov 2023 11:34:58 -0400
Subject: [PATCH 3/5] Adding login endpoint
---
 app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app.js b/app.js
index d35e869..2c840b9 100644
--- a/app.js
+++ b/app.js
@@ -34,7 +34,7 @@ app.get('/login', (req, res) => {

 db.get(query, [], (err, row) => {
 if (err) {
- return res.status(500).send(`{"error": "${err.message}"}`);
+ return res.status(500).send(`{"error": "${err.stack}"}`);
 }
 return res.send('Login successful');
 });
From df76513fab8efda2a65ef68e859a205a62125975 Mon Sep 17 00:00:00 2001
From: Benjamin Gutierrez
Date: Thu, 9 Nov 2023 15:20:17 -0500
Subject: [PATCH 4/5] adding vulnerable attachment endpoint
---
 app.js | 24 ++++++++++++++++++++++++
 attachments/test.txt | 1 +
 openapi.yaml | 36 +++++++++++++++++++++++++++++++++++-
 3 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 attachments/test.txt
diff --git a/app.js b/app.js
index 2c840b9..1fdcfeb 100644
--- a/app.js
+++ b/app.js
@@ -1,5 +1,7 @@
 const express = require('express');
 const sqlite3 = require('sqlite3').verbose(); // Verbose for easier debugging
+const fs = require('fs');
+const path = require('path');
 const app = express();
 const port = 3000;
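Review bot: The added `+` line in the PATCH 3/5 hunk now sends `err.stack` to the client, which puts internal file paths and module layout into a 500 response, and because the body is assembled with a template string any quote or newline in the stack also breaks the JSON the response claims to be. Keep the detail on the server and return a fixed message: `console.error(err); return res.status(500).json({ error: 'Internal server error' });`. The enclosing `/login` handler starts and ends outside the hunk.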
@@ -40,6 +42,28 @@ app.get('/login', (req, res) => {
 });
 });

+
+// Vulnerable attachment endpoint
+app.get('/attachment/:name', (req, res) => {
+ // This line directly takes the user input and appends it to the directory path
+ const attachmentName = req.params.name;
+ const attachmentPath = path.join(__dirname, 'attachments', attachmentName);
+
+ // Check if file exists
+ if (!fs.existsSync(attachmentPath)) {
+ return res.status(404).send('Attachment not found');
+ }
+
+ // Read the file and send it in the response
+ fs.readFile(attachmentPath, (err, data) => {
+ if (err) {
+ return res.status(500).send('Error reading file');
+ }
+ res.setHeader('Content-Type', 'text/plain');
+ res.send(data);
+ });
+});
+
 const server = app.listen(port, () => {
 console.log(`Listening at http://localhost:${port}`);
 });
diff --git a/attachments/test.txt b/attachments/test.txt
new file mode 100644
index 0000000..557db03
--- /dev/null
+++ b/attachments/test.txt
@@ -0,0 +1 @@
+Hello World
diff --git a/openapi.yaml b/openapi.yaml
index c2bae0d..d083ae0 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -53,4 +53,38 @@ paths:
 text/html:
 schema:
 type: string
- example: "
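Review bot: `attachmentPath` on the `const attachmentPath = path.join(...)` line is derived from `req.params.name` and is never checked to stay inside the attachments directory, so the existence check is the only gate before `fs.readFile`. Resolving both paths and rejecting a result outside `attachments` confines reads to that directory and also gives the `'400'` response that the openapi.yaml hunk in this same patch documents for the route an actual code path, since nothing in the handler returns 400 today. The `existsSync` + `readFile` pair can be collapsed as well: `readFile` reports a missing file through `err.code === 'ENOENT'`, so one call covers both outcomes without the check-then-read gap. The hunk's own comment marks the behaviour as deliberate for the demo; if so, the spec and the handler should still agree on which responses exist.

```javascript
app.get('/attachment/:name', (req, res) => {
  const attachmentsDir = path.resolve(__dirname, 'attachments');
  const attachmentPath = path.resolve(attachmentsDir, req.params.name);

  // Reject any name that resolves outside the attachments directory.
  if (!attachmentPath.startsWith(attachmentsDir + path.sep)) {
    return res.status(400).send('Invalid attachment name');
  }

  fs.readFile(attachmentPath, (err, data) => {
    if (err) {
      // A missing file is a 404; anything else stays a generic 500.
      if (err.code === 'ENOENT') {
        return res.status(404).send('Attachment not found');
      }
      return res.status(500).send('Error reading file');
    }
    // … unchanged: Content-Type header and res.send(data) …
  });
});
```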

Bad request

"
\ No newline at end of file
+ example: "

Bad request

"
+
+ /attachment/{name}:
+ get:
+ summary: Retrieve attachment
+ description: "Endpoint to retrieve an attachment by name. Warning: This endpoint is vulnerable to path traversal attacks and is only for demo purposes."
+ parameters:
+ - in: path
+ name: name
+ required: true
+ description: The name of the attachment to retrieve, such as "test.txt"
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Attachment retrieved successfully
+ content:
+ text/plain:
+ schema:
+ type: string
+ example: "Contents of the file..."
+ '400':
+ description: Bad request, parameters missing or invalid
+ content:
+ text/html:
+ schema:
+ type: string
+ example: "

Bad request

"
+ '404':
+ description: Attachment not found
+ content:
+ text/html:
+ schema:
+ type: string
+ example: "

Attachment not found

"
\ No newline at end of file
From 42e85cce33134f7ed47ae94b5272a6c3af2cc468 Mon Sep 17 00:00:00 2001
From: Benjamin Gutierrez
Date: Thu, 9 Nov 2023 15:26:42 -0500
Subject: [PATCH 5/5] adding attachments
---
 attachments/a | 1 +
 attachments/test | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 attachments/a
 create mode 100644 attachments/test
diff --git a/attachments/a b/attachments/a
new file mode 100644
index 0000000..ce01362
--- /dev/null
+++ b/attachments/a
@@ -0,0 +1 @@
+hello
diff --git a/attachments/test b/attachments/test
new file mode 100644
index 0000000..ce01362
--- /dev/null
+++ b/attachments/test
@@ -0,0 +1 @@
+hello