nyx/tests/fixtures/express_app/routes.js

var child_process = require("child_process");
var crypto = require("crypto");
var fs = require("fs");

// ───── User authentication route ─────

// POST /auth/login
// Reads credentials from request body, constructs a shell command to
// check credentials via an external LDAP tool.
// VULN: req.body flows into child_process.exec
function handleLogin(req, res) {
    var username = req.body.username;
    var password = req.body.password;

    var cmd = "ldapwhoami -x -D 'cn=" + username + ",dc=corp' -w '" + password + "'";
    child_process.exec(cmd, function(err, stdout, stderr) {
        if (err) {
            res.status(401).send("Authentication failed");
            return;
        }
        var token = crypto.randomBytes(32).toString("hex");
        res.json({ token: token, user: username });
    });
}

// ───── Search endpoint ─────

// GET /api/search
// User-supplied query parameter is passed directly to eval for "dynamic filtering".
// VULN: req.query flows into eval (code injection)
function handleSearch(req, res) {
    var query = req.query.q;
    var filterExpr = req.query.filter;

    // Developer thought this was clever for dynamic filtering
    var filterFn = eval("(function(item) { return " + filterExpr + "; })");

    var results = getDatabase().filter(filterFn);
    res.json({ results: results, query: query });
}

// ───── Admin panel rendering ─────

// GET /admin/dashboard
// Renders an admin dashboard; user-supplied name goes into innerHTML.
// VULN: req.query flows into innerHTML (XSS)
function renderDashboard(req, res) {
    var userName = req.query.name;
    var greeting = "<h1>Welcome, " + userName + "</h1>";
    document.getElementById("header").innerHTML = greeting;

    var statsHtml = req.query.stats;
    document.getElementById("stats-panel").innerHTML = statsHtml;
}

// ───── Webhook handler ─────

// POST /webhooks/deploy
// Reads a deployment command from process.env, executes it.
// VULN: process.env flows into child_process.execSync
function handleDeployWebhook(req, res) {
    var secret = req.headers["x-webhook-secret"];
    if (secret !== process.env.WEBHOOK_SECRET) {
        res.status(403).send("Forbidden");
        return;
    }

    var deployCmd = process.env.DEPLOY_COMMAND;
    var output = child_process.execSync(deployCmd);
    res.send("Deployed: " + output.toString());
}

// ───── File preview ─────

// GET /files/preview
// Reads a file based on user-supplied path, writes content to page.
// VULN: req.query flows into innerHTML (reflected XSS via file content)
function previewFile(req, res) {
    var filePath = req.query.path;
    var content = fs.readFileSync(filePath, "utf-8");
    document.getElementById("preview").innerHTML = content;
}

// ───── Cookie-based session ─────

// POST /session/set
// Sets a cookie from request parameters.
// VULN: document.cookie write from user input
function setSessionCookie(req, res) {
    var sessionId = req.params.sid;
    document.cookie = "session=" + sessionId + "; path=/; HttpOnly";
}

// ───── Prototype pollution ─────

// POST /api/config/merge
// Merges user-supplied config into the global config object.
// VULN: prototype pollution via __proto__
function mergeConfig(req, res) {
    var userConfig = JSON.parse(req.body.config);
    for (var key in userConfig) {
        if (key === "__proto__") {
            // Developer forgot to skip this
            Object.prototype[key] = userConfig[key];
        }
        globalConfig[key] = userConfig[key];
    }
    res.json({ status: "ok" });
}

// ───── Timer-based polling ─────

// Sets up a polling interval with a string argument.
// VULN: setTimeout with string is equivalent to eval
function startPolling() {
    var interval = 5000;
    setTimeout("checkForUpdates()", interval);
    setInterval("refreshDashboard()", 30000);
}

// ───── Safe patterns ─────

// GET /api/profile
// SAFE: user input sanitized with DOMPurify before rendering
function renderProfile(req, res) {
    var bio = req.query.bio;
    var cleanBio = DOMPurify.sanitize(bio);
    document.getElementById("bio").innerHTML = cleanBio;
}

// GET /api/redirect
// SAFE: URL properly encoded before use
function safeRedirect(req, res) {
    var target = req.query.url;
    var encoded = encodeURIComponent(target);
    res.redirect("/go?url=" + encoded);
}
Feat/full cfg (#30) * feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel> 2026-02-24 23:44:07 -05:00			`var child_process = require("child_process");`
			`var crypto = require("crypto");`
			`var fs = require("fs");`

			`// ───── User authentication route ─────`

			`// POST /auth/login`
			`// Reads credentials from request body, constructs a shell command to`
			`// check credentials via an external LDAP tool.`
			`// VULN: req.body flows into child_process.exec`
			`function handleLogin(req, res) {`
			`var username = req.body.username;`
			`var password = req.body.password;`

			`var cmd = "ldapwhoami -x -D 'cn=" + username + ",dc=corp' -w '" + password + "'";`
			`child_process.exec(cmd, function(err, stdout, stderr) {`
			`if (err) {`
			`res.status(401).send("Authentication failed");`
			`return;`
			`}`
			`var token = crypto.randomBytes(32).toString("hex");`
			`res.json({ token: token, user: username });`
			`});`
			`}`

			`// ───── Search endpoint ─────`

			`// GET /api/search`
			`// User-supplied query parameter is passed directly to eval for "dynamic filtering".`
			`// VULN: req.query flows into eval (code injection)`
			`function handleSearch(req, res) {`
			`var query = req.query.q;`
			`var filterExpr = req.query.filter;`

			`// Developer thought this was clever for dynamic filtering`
			`var filterFn = eval("(function(item) { return " + filterExpr + "; })");`

			`var results = getDatabase().filter(filterFn);`
			`res.json({ results: results, query: query });`
			`}`

			`// ───── Admin panel rendering ─────`

			`// GET /admin/dashboard`
			`// Renders an admin dashboard; user-supplied name goes into innerHTML.`
			`// VULN: req.query flows into innerHTML (XSS)`
			`function renderDashboard(req, res) {`
			`var userName = req.query.name;`
			`var greeting = "<h1>Welcome, " + userName + "</h1>";`
			`document.getElementById("header").innerHTML = greeting;`

			`var statsHtml = req.query.stats;`
			`document.getElementById("stats-panel").innerHTML = statsHtml;`
			`}`

			`// ───── Webhook handler ─────`

			`// POST /webhooks/deploy`
			`// Reads a deployment command from process.env, executes it.`
			`// VULN: process.env flows into child_process.execSync`
			`function handleDeployWebhook(req, res) {`
			`var secret = req.headers["x-webhook-secret"];`
			`if (secret !== process.env.WEBHOOK_SECRET) {`
			`res.status(403).send("Forbidden");`
			`return;`
			`}`

			`var deployCmd = process.env.DEPLOY_COMMAND;`
			`var output = child_process.execSync(deployCmd);`
			`res.send("Deployed: " + output.toString());`
			`}`

			`// ───── File preview ─────`

			`// GET /files/preview`
			`// Reads a file based on user-supplied path, writes content to page.`
			`// VULN: req.query flows into innerHTML (reflected XSS via file content)`
			`function previewFile(req, res) {`
			`var filePath = req.query.path;`
			`var content = fs.readFileSync(filePath, "utf-8");`
			`document.getElementById("preview").innerHTML = content;`
			`}`

			`// ───── Cookie-based session ─────`

			`// POST /session/set`
			`// Sets a cookie from request parameters.`
			`// VULN: document.cookie write from user input`
			`function setSessionCookie(req, res) {`
			`var sessionId = req.params.sid;`
			`document.cookie = "session=" + sessionId + "; path=/; HttpOnly";`
			`}`

			`// ───── Prototype pollution ─────`

			`// POST /api/config/merge`
			`// Merges user-supplied config into the global config object.`
			`// VULN: prototype pollution via __proto__`
			`function mergeConfig(req, res) {`
			`var userConfig = JSON.parse(req.body.config);`
			`for (var key in userConfig) {`
			`if (key === "__proto__") {`
			`// Developer forgot to skip this`
			`Object.prototype[key] = userConfig[key];`
			`}`
			`globalConfig[key] = userConfig[key];`
			`}`
			`res.json({ status: "ok" });`
			`}`

			`// ───── Timer-based polling ─────`

			`// Sets up a polling interval with a string argument.`
			`// VULN: setTimeout with string is equivalent to eval`
			`function startPolling() {`
			`var interval = 5000;`
			`setTimeout("checkForUpdates()", interval);`
			`setInterval("refreshDashboard()", 30000);`
			`}`

			`// ───── Safe patterns ─────`

			`// GET /api/profile`
			`// SAFE: user input sanitized with DOMPurify before rendering`
			`function renderProfile(req, res) {`
			`var bio = req.query.bio;`
			`var cleanBio = DOMPurify.sanitize(bio);`
			`document.getElementById("bio").innerHTML = cleanBio;`
			`}`

			`// GET /api/redirect`
			`// SAFE: URL properly encoded before use`
			`function safeRedirect(req, res) {`
			`var target = req.query.url;`
			`var encoded = encodeURIComponent(target);`
			`res.redirect("/go?url=" + encoded);`
			`}`