sdsad

iondrimba · web-flow · commit 60ea13c79d9d · 2025-08-06T12:12:38.000-03:00
diff --git a/src/app/d1.js b/src/app/d1.js
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2014-2022 Bjoern Kimminich & the OWASP Juice Shop contributors.
+ * SPDX-License-Identifier: MIT
+ */
+
+import challengeUtils = require('../lib/challengeUtils')
+import { Request, Response, NextFunction } from 'express'
+import { Review } from '../data/types'
+
+const challenges = require('../data/datacache').challenges
+const db = require('../data/mongodb')
+const security = require('../lib/insecurity')
+
+module.exports = function productReviews () {
+  return (req: Request, res: Response, next: NextFunction) => {
+    const id = req.body.id
+    const user = security.authenticatedUsers.from(req)
+    db.reviews.findOne({ _id: id }).then((review: Review) => {
+      if (!review) {
+        res.status(404).json({ error: 'Not found' })
+      } else {
+        const likedBy = review.likedBy
+        if (!likedBy.includes(user.data.email)) {
+          db.reviews.update(
+            { _id: id },
+            { $inc: { likesCount: 1 } }
+          ).then(
+            () => {
+              // Artificial wait for timing attack challenge
+              setTimeout(function () {
+                db.reviews.findOne({ _id: id }).then((review: Review) => {
+                  const likedBy = review.likedBy
+                  likedBy.push(user.data.email)
+                  let count = 0
+                  for (let i = 0; i < likedBy.length; i++) {
+                    if (likedBy[i] === user.data.email) {
+                      count++
+                    }
+                  }
+                  challengeUtils.solveIf(challenges.timingAttackChallenge, () => { return count > 2 })
+                  db.reviews.update(
+                    { _id: id },
+                    { $set: { likedBy: likedBy } }
+                  ).then(
+                    (result: any) => {
+                      res.json(result)
+                    }, (err: unknown) => {
+                      res.status(500).json(err)
+                    })
+                }, () => {
+                  res.status(400).json({ error: 'Wrong Params' })
+                })
+              }, 150)
+            }, (err: unknown) => {
+              res.status(500).json(err)
+            })
+        } else {
+          res.status(403).json({ error: 'Not allowed' })
+        }
+      }
+    }, () => {
+      res.status(400).json({ error: 'Wrong Params' })
+    })
+  }
+}
