unionfindbee · unionfindbee · Nov 1, 2023 · Nov 1, 2023 · Nov 2, 2023 · Nov 9, 2023
diff --git a/.github/workflows/mapi.yml b/.github/workflows/mapi.yml
@@ -49,6 +49,7 @@ jobs:
         sarif-report: mapi.sarif
         html-report: mapi.html
         target: forallsecure-demo/mapi-node-example/node
+	duration: 6001
 
     - name: Shut down API
       run: pgrep node | xargs kill || true; sleep 5
@@ -64,7 +65,7 @@ jobs:
         flags: vulnerability-tests
         fail_ci_if_error: true
 
-    - name: Archive Mayhem for API report
+    - name: Archive Mayhem for API report 
       uses: actions/upload-artifact@v3
       with:
         name: mapi-report
@@ -73,4 +74,4 @@ jobs:
     - name: Upload SARIF file
       uses: github/codeql-action/upload-sarif@v2
       with:
-        sarif_file: mapi.sarif
+        sarif_file: mapi.sarif
diff --git a/app.js b/app.js
@@ -1,5 +1,7 @@
 const express = require('express');
 const sqlite3 = require('sqlite3').verbose(); // Verbose for easier debugging
+const fs = require('fs');
+const path = require('path');
 const app = express();
 const port = 3000;
 
@@ -22,7 +24,46 @@
 app.get('/', (req, res) => {
   res.send('Hello, World!');
 });
+
+// Login endpoint (Unsafe)
+app.get('/login', (req, res) => {
+  const { email, password } = req.query;
+
+  if (!email || !password) {
+    return res.status(400).send('Email and password are required');
+  }
+  const query = `SELECT * FROM users WHERE email = '${email}' and password = '${password}'`;
+
+  db.get(query, [], (err, row) => {
+    if (err) {
+      return res.status(500).send(`{"error": "${err.stack}"}`);
+    }
+    return res.send('Login successful');
+  });
+}); 
 
+
+// Vulnerable attachment endpoint
+app.get('/attachment/:name', (req, res) => {
+  // This line directly takes the user input and appends it to the directory path
+  const attachmentName = req.params.name;
+  const attachmentPath = path.join(__dirname, 'attachments', attachmentName);
+
+  // Check if file exists
+  if (!fs.existsSync(attachmentPath)) {
+    return res.status(404).send('Attachment not found');
+  }
+
+  // Read the file and send it in the response
+  fs.readFile(attachmentPath, (err, data) => {
+    if (err) {
+      return res.status(500).send('Error reading file');
+    }
+    res.setHeader('Content-Type', 'text/plain');
+    res.send(data);
+  });
+});
+
 const server = app.listen(port, () => {
   console.log(`Listening at http://localhost:${port}`);
 });

diff --git a/attachments/a b/attachments/a
@@ -0,0 +1 @@
+hello
diff --git a/attachments/test b/attachments/test
@@ -0,0 +1 @@
+hello
diff --git a/attachments/test.txt b/attachments/test.txt
@@ -0,0 +1 @@
+Hello World
diff --git a/openapi.yaml b/openapi.yaml
@@ -21,4 +21,70 @@ paths:
                 type: string
                 example: Hello, World!
 
-
+  /login:
+    get:
+      summary: User login
+      description: "Allows user to log in (Note: this is an unsafe method and not recommended for production use)."
+      parameters:
+        - in: query
+          name: email
+          required: true
+          description: User's email
+          schema:
+            type: string
+            format: email
+        - in: query
+          name: password
+          required: true
+          description: User's password
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Login successful
+          content:
+            text/html:
+              schema:
+                type: string
+                example: "<p>Login successful</p>"
+        '400':
+          description: Bad request, parameters missing or invalid
+          content:
+            text/html:
+              schema:
+                type: string
+                example: "<p>Bad request</p>"
+
+  /attachment/{name}:
+    get:
+      summary: Retrieve attachment
+      description: "Endpoint to retrieve an attachment by name. Warning: This endpoint is vulnerable to path traversal attacks and is only for demo purposes."
+      parameters:
+        - in: path
+          name: name
+          required: true
+          description: The name of the attachment to retrieve, such as "test.txt"
+          schema:
+            type: string
+      responses:
+        '200':
+          description: Attachment retrieved successfully
+          content:
+            text/plain:
+              schema:
+                type: string
+                example: "Contents of the file..."
+        '400':
+          description: Bad request, parameters missing or invalid
+          content:
+            text/html:
+              schema:
+                type: string
+                example: "<p>Bad request</p>"
+        '404':
+          description: Attachment not found
+          content:
+            text/html:
+              schema:
+                type: string
+                example: "<p>Attachment not found</p>"