Snake pro Meiry Solution

owasp-top10-2021-apps/a1/ecommerce-api/Makefile

@@ -47,11 +47,11 @@ lint:
 
 ## Runs project using docker-compose
 compose: compose-down
-	docker-compose -f deployments/docker-compose.yml -p secdevlabs up -d --build --force-recreate
+	podman-compose -f deployments/docker-compose.yml -p secdevlabs up -d --build --force-recreate
 
 ## Down project using docker-compose
 compose-down:
-	docker-compose -f deployments/docker-compose.yml -p secdevlabs down -v --remove-orphans
+	podman-compose -f deployments/docker-compose.yml -p secdevlabs down -v --remove-orphans
 
 ## Generates passwords and set them as environment variables
 generate-passwords:

owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/handlers.go

@@ -4,8 +4,11 @@ import (
 	"fmt"
 	"net/http"
 
+
+
 	"github.com/globocom/secDevLabs/owasp-top10-2021-apps/a1/ecommerce-api/app/db"
 	"github.com/labstack/echo"
+	jwt "github.com/dgrijalva/jwt-go"
 )
 
 // HealthCheck is the heath check function.
@@ -15,23 +18,55 @@ func HealthCheck(c echo.Context) error {
 
 // GetTicket returns the userID ticket.
 func GetTicket(c echo.Context) error {
+
+    authHeader := c.Request().Header.Get("Authorization")
 	id := c.Param("id")
+
+	if authHeader == "" {
+		return c.JSON(http.StatusUnauthorized, map[string]string{
+			"error": "Authorization header is missing",
+		})
+	}
+
 	userDataQuery := map[string]interface{}{"userID": id}
 	userDataResult, err := db.GetUserData(userDataQuery)
 	if err != nil {
 		// could not find this user in MongoDB (or MongoDB err connection)
 		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error finding this UserID."})
 	}
 
+
 	format := c.QueryParam("format")
 	if format == "json" {
 		return c.JSON(http.StatusOK, map[string]string{
 			"result":   "success",
 			"username": userDataResult.Username,
+			"userId" : userDataResult.UserID,
 			"ticket":   userDataResult.Ticket,
 		})
 	}
 
 	msgTicket := fmt.Sprintf("Hey, %s! This is your ticket: %s\n", userDataResult.Username, userDataResult.Ticket)
 	return c.String(http.StatusOK, msgTicket)
 }
+
+
+func parseToken(tokenString string) (*Claims, error) {
+	claims := &Claims{}
+	// Exemplo de parsing do JWT
+	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
+		return []byte("secret"), nil // sua chave secreta
+	})
+
+	if err != nil || !token.Valid {
+		return nil, fmt.Errorf("invalid token")
+	}
+
+	return claims, nil
+}
+
+// Claims define os dados que estarão no JWT
+type Claims struct {
+	UserID string `json:"userId"`
+	jwt.StandardClaims
+}

owasp-top10-2021-apps/a1/ecommerce-api/app/handlers/session.go

@@ -36,13 +36,15 @@ func ReadCookie(c echo.Context) error {
 // Login checks MongoDB if this user exists and then returns a JWT session cookie.
 func Login(c echo.Context) error {
 
+
 	loginAttempt := types.LoginAttempt{}
 	err := c.Bind(&loginAttempt)
 	if err != nil {
 		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error login1."})
 	}
 	// input validation missing!
 
+
 	userDataQuery := map[string]interface{}{"username": loginAttempt.Username}
 	userDataResult, err := db.GetUserData(userDataQuery)
 	if err != nil {
@@ -67,6 +69,8 @@ func Login(c echo.Context) error {
 	// Set claims
 	claims := token.Claims.(jwt.MapClaims)
 	claims["name"] = userDataResult.Username
+	claims["userId"]= userDataResult.UserID
+	claims["Ticket"]= userDataResult.Ticket
 	claims["exp"] = time.Now().Add(time.Hour * 72).Unix()
 
 	// Generate encoded token and send it as response.
@@ -86,6 +90,8 @@ func Login(c echo.Context) error {
 			"result":   "success",
 			"username": userDataResult.Username,
 			"user_id":  userDataResult.UserID,
+			"Ticket": userDataResult.Ticket,
+			"token": t,
 		})
 	}
 

owasp-top10-2021-apps/a1/ecommerce-api/app/views/base.html

@@ -37,4 +37,3 @@
 </html>
 {{end}}
 
-

owasp-top10-2021-apps/a1/ecommerce-api/app/views/form.html

@@ -87,15 +87,19 @@ <h2 id="page-title">{{index . "name"}}</h2>
     XHR.onreadystatechange = function (event) {
         if (XHR.readyState == 4) {
             if (XHR.status == 200) {
-                document.getElementById('page-title').innerHTML = "Your orders"
                 var jsonResponse = JSON.parse(XHR.responseText);
+                localStorage.setItem('auth_token', jsonResponse.token);
+                document.getElementById('page-title').innerHTML = "Your orders"
+
+                console.log(jsonResponse)
 
                 // get ticket's user
                 var XHRticket = new XMLHttpRequest();
                 XHRticket.onreadystatechange = function (eventTicket) {
                     if (XHRticket.readyState == 4) {
                         if (XHRticket.status == 200) {
                             var jsonTicket = JSON.parse(XHRticket.responseText);
+                            console.log(jsonTicket)
 
                             document.getElementById('container-form').innerHTML = `
                             <div class="row">
@@ -124,6 +128,8 @@ <h2 id="page-title">{{index . "name"}}</h2>
                 };
                 XHRticket.open('GET', '//localhost:10005/ticket/'+jsonResponse["user_id"]+'?format=json');
                 XHRticket.setRequestHeader('Content-Type','application/json' );
+                XHRticket.setRequestHeader('Authorization', 'Bearer ' + jsonResponse.token);
+
                 XHRticket.send();
             } else {
                 // Define what happens in case of error

owasp-top10-2021-apps/a2/snake-pro/Makefile

@@ -23,11 +23,11 @@ install: compose msg
 
 ## Composes project using docker-compose
 compose: compose-down
-	docker-compose -f deployments/docker-compose.yml -p secdevlabs up -d --build --force-recreate
+	podman-compose -f deployments/docker-compose.yml -p secdevlabs up -d --build --force-recreate
 
 ## Down project using docker-compose
 compose-down:
-	docker-compose -f deployments/docker-compose.yml -p secdevlabs down -v --remove-orphans
+	podman-compose -f deployments/docker-compose.yml -p secdevlabs down -v --remove-orphans
 
 ## Prints initialization message after compose phase
 msg:

owasp-top10-2021-apps/a2/snake-pro/app/api/routes.go

@@ -2,13 +2,15 @@ package api
 
 import (
 	"fmt"
+	"log"
 	"net/http"
 	"os"
 	"time"
 
+	"golang.org/x/crypto/bcrypt"
+
 	jwt "github.com/dgrijalva/jwt-go"
 	db "github.com/globocom/secDevLabs/owasp-top10-2021-apps/a2/snake-pro/app/db/mongo"
-	"github.com/globocom/secDevLabs/owasp-top10-2021-apps/a2/snake-pro/app/pass"
 	"github.com/globocom/secDevLabs/owasp-top10-2021-apps/a2/snake-pro/app/types"
 	"github.com/google/uuid"
 	"github.com/labstack/echo"
@@ -23,11 +25,22 @@ func Root(c echo.Context) error {
 	return c.Redirect(302, "/login")
 }
 
+// Função para gerar hash da senha
+func HashSenha(senha string) (string, error) {
+	hash, err := bcrypt.GenerateFromPassword([]byte(senha), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+	return string(hash), nil
+}
+
 // WriteCookie writes a cookie into echo Context
 func WriteCookie(c echo.Context, jwt string) error {
 	cookie := new(http.Cookie)
 	cookie.Name = "sessionIDsnake"
 	cookie.Value = jwt
+	cookie.Secure = true   //inclusao meiry
+	cookie.HttpOnly = true // inclusao meiry
 	c.SetCookie(cookie)
 	return c.String(http.StatusOK, "")
 }
@@ -55,6 +68,16 @@ func Register(c echo.Context) error {
 		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Passwords do not match."})
 	}
 
+	//Gerar o hash antes de salvar no banco
+	hashedPassword, err := HashSenha(userData.Password)
+	if err != nil {
+		log.Println("Erro ao gerar hash da senha:", err)
+		return c.JSON(http.StatusInternalServerError, map[string]string{"result": "error", "details": "Internal server error."})
+	}
+
+	// Substituir a senha original pelo hash antes de salvar
+	userData.Password = hashedPassword
+
 	newGUID1 := uuid.Must(uuid.NewRandom())
 	userData.UserID = newGUID1.String()
 	userData.HighestScore = 0
@@ -86,10 +109,17 @@ func Login(c echo.Context) error {
 		return c.JSON(http.StatusForbidden, map[string]string{"result": "error", "details": "Error login."})
 	}
 
-	validPass := pass.CheckPass(userDataResult.Password, loginAttempt.Password)
-	if !validPass {
-		// wrong password
-		return c.JSON(http.StatusForbidden, map[string]string{"result": "error", "details": "Error login."})
+	//validPass := pass.CheckPass(userDataResult.Password, loginAttempt.Password)
+	//if !validPass {
+	// wrong password
+	//  return c.JSON(http.StatusForbidden, map[string]string{"result": "error", "details": "Error login."})
+	//}
+
+	// comparando a senha fornecida com o hash armazenado
+	err = bcrypt.CompareHashAndPassword([]byte(userDataResult.Password), []byte(loginAttempt.Password))
+	if err != nil {
+		// Se a senha estiver incorreta
+		return c.JSON(http.StatusForbidden, map[string]string{"result": "error", "details": "Invalid credentials."})
 	}
 
 	// Create token
@@ -103,15 +133,16 @@ func Login(c echo.Context) error {
 	// Generate encoded token and send it as response.
 	t, err := token.SignedString([]byte(os.Getenv("SECRET_KEY")))
 	if err != nil {
+		log.Println("Error generating token:", err)
 		return err
 	}
 
 	err = WriteCookie(c, t)
 	if err != nil {
-		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error login5."})
+		return c.JSON(http.StatusBadRequest, map[string]string{"result": "error", "details": "Error writing cookie."})
 	}
 	c.Response().Header().Set("Content-type", "text/html")
 	messageLogon := fmt.Sprintf("Hello, %s! Welcome to SnakePro", userDataResult.Username)
-	// err = c.Redirect(http.StatusFound, "http://www.localhost:10003/game/ranking")
+	// err = c.Redirect(http.StatusFound, "https://www.localhost:10003/game/ranking")
 	return c.String(http.StatusOK, messageLogon)
 }

owasp-top10-2021-apps/a2/snake-pro/app/cert.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGITCCBAmgAwIBAgIUVVysXBuhS27Uh948uyGUbLaukmMwDQYJKoZIhvcNAQEL
+BQAwgZ8xCzAJBgNVBAYTAkJSMRcwFQYDVQQIDA5SaW8gZGUgSmFuZWlybzEXMBUG
+A1UEBwwOUmlvIGRlIEphbmVpcm8xEjAQBgNVBAoMCWxvY2FsaG9zdDESMBAGA1UE
+CwwJbG9jYWxob3N0MRIwEAYDVQQDDAlsb2NhbGhvc3QxIjAgBgkqhkiG9w0BCQEW
+E3Rlc3RlQGxvY2FsaG9zdC5jb20wHhcNMjUwMjA3MTQyMzQ1WhcNMjYwMjA3MTQy
+MzQ1WjCBnzELMAkGA1UEBhMCQlIxFzAVBgNVBAgMDlJpbyBkZSBKYW5laXJvMRcw
+FQYDVQQHDA5SaW8gZGUgSmFuZWlybzESMBAGA1UECgwJbG9jYWxob3N0MRIwEAYD
+VQQLDAlsb2NhbGhvc3QxEjAQBgNVBAMMCWxvY2FsaG9zdDEiMCAGCSqGSIb3DQEJ
+ARYTdGVzdGVAbG9jYWxob3N0LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAKRWIxI2miV0B938t4CSJcf7PFT05DNgVKyQHg8rpy6DmJ5aAs5gcTlw
+k/OLSO34zRFsCf8Sz7Q0idmDhCBx596nDfszIVfAg75b7DsjOdt03ovkrYK/F6zA
+LGXtUuZAkbcEIvpFxSurGJKbV02IUTHnoW+UAeBVfHS0EmxGLDZvIrmweVUJ11/f
+qv+0MKw7gulLRWXD/310pMP0FAfiqlaiez6sUA6oqwtTXeRx3bYLn8lcRh3SiJJN
+2iFVl4aP45/HyKkKGn4DzULEYoEjK9jm6ef/2c4ysqnTFulVpZ2jZKw1M+h8NQCF
+Cyuri+C+gEY1uDTJBCjcWyVjTkYstjxV/dDVWPgvkjOP29xIn9nk0AjJTo6wYNFt
+Y8QfiG0g2LwrnMq/2riBQOAw1Bhlifj2G0QSowRRdFWAcBniDMTQOUolmub84qb5
+2MjQuhhOsxRgQ+7Tc9NDIavXg1zdkfTdDd6RceKEjvt/S+m32ap7SKigTUwp+0Sy
+lQPj9a7s7dyTJkzRrrzren9wbxerMnB23Kmeux4+AKsYY8WMe4+PSRoJy8I4CNpG
+E9740Ol96FJE7Z6BRqv/LL1i7d8HIgC8Y7iLvKu6DELyStlcfWX7lweAw7Ul9jAb
+gtRQ4g3vID0jzRnZE1tj8JpPzARmtyxexpYffoQWU1OYqYBjoNUBAgMBAAGjUzBR
+MB0GA1UdDgQWBBTeMra7Wqa3EHQhetg7LwKYeRHOoDAfBgNVHSMEGDAWgBTeMra7
+Wqa3EHQhetg7LwKYeRHOoDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4ICAQBSp8HYDX05gARjK2ahtRymUXF8lWqCxjwypCV5nsI2acK3DrpVgQk5zSEF
+EouK/uRHxsAU71t3+4nx8LQmopv/vvtJgv4qwcOTmxgasIbbUbvCtlN0UhRBUf/H
+raXM23YYk378vQgxnwhPYGmJ3v6OdOl4fEhT32aMMSxb/KPKFQYgobbX8IsidhKP
+70DKIL+5inEA/4c4nLMSYLXYVrP/ggTIFXiD1hdgOy6h+TZbGaMeYKIECejPNALd
+3BbZ1bVFk4p+eDzugSY/NHXWzR+nuKyD3MHSW9C9xQfLfy7qMzd/S4Y09LBh65Dx
+3XlzDXrkMXzIspT6xBJoPIjjZaVhm7CJRcxKQ85iKadYFMNnMFuRyPca5mfK/Jtv
+kGZGV6Hk7kFRA8k9jL2x8esge4rCDmZfbtI7tSZc30mgl201KSXq3HblqhuBK6sD
+OS5gacU8888RmP012kiXu6Rj/EtR1iRJtwmTsAL+t8UirNXdriSexLO6L8n1ifKf
+UUFmiphn0e/eXP6Ke0tUfuVzY9cJdKLEqXqUIUAYMU71JZMdzATWSgdzAF2wucO9
+jwkSwGhhIMs83HSdx+301eC846TvOfBOIJJFE1dyW9uobt0XAaiXDN/S20U0MofE
+vQM42BM8orkJEU/eXC4v0cxrumSLAMm+G5PKcn2PiA3mgE2OnA==
+-----END CERTIFICATE-----

owasp-top10-2021-apps/a2/snake-pro/app/key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCkViMSNpoldAfd
+/LeAkiXH+zxU9OQzYFSskB4PK6cug5ieWgLOYHE5cJPzi0jt+M0RbAn/Es+0NInZ
+g4Qgcefepw37MyFXwIO+W+w7IznbdN6L5K2CvxeswCxl7VLmQJG3BCL6RcUrqxiS
+m1dNiFEx56FvlAHgVXx0tBJsRiw2byK5sHlVCddf36r/tDCsO4LpS0Vlw/99dKTD
+9BQH4qpWons+rFAOqKsLU13kcd22C5/JXEYd0oiSTdohVZeGj+Ofx8ipChp+A81C
+xGKBIyvY5unn/9nOMrKp0xbpVaWdo2SsNTPofDUAhQsrq4vgvoBGNbg0yQQo3Fsl
+Y05GLLY8Vf3Q1Vj4L5Izj9vcSJ/Z5NAIyU6OsGDRbWPEH4htINi8K5zKv9q4gUDg
+MNQYZYn49htEEqMEUXRVgHAZ4gzE0DlKJZrm/OKm+djI0LoYTrMUYEPu03PTQyGr
+14Nc3ZH03Q3ekXHihI77f0vpt9mqe0iooE1MKftEspUD4/Wu7O3ckyZM0a6863p/
+cG8XqzJwdtypnrsePgCrGGPFjHuPj0kaCcvCOAjaRhPe+NDpfehSRO2egUar/yy9
+Yu3fByIAvGO4i7yrugxC8krZXH1l+5cHgMO1JfYwG4LUUOIN7yA9I80Z2RNbY/Ca
+T8wEZrcsXsaWH36EFlNTmKmAY6DVAQIDAQABAoICAE3VfkbiFaAnlJJPX5pFnh9Z
+nvmeA3dR6MjSeWo2ArjFG0Pk3e9hPj82UtzG24Pak0XtJc7p2fY/7ApZf/rd+DQ8
+ayLO1Lv7Mmq2nuxjgsOuVrlrVcLXPx9S5bRg8yKa8mj8TJS89uX342uMp4zRQ6Of
+UZbHQxw9YPTlVNRzZ/1gJdJNAyqDvr5p8VOqxGLOzPIx9Gx+qEODO4aT0+joMkVW
+L4k/k6tdt6VlltLcG2ZdmxCD47G8RXMF7IpdP6c7/1NuDFwDrQiCRHWbDgyb2+if
+damsRDylRnmowPFC324KNWRaznsOWQwl92R3m4iWsaqPRu+5RX8U3xaWMjyKcMTg
+PCvY3afuXA0U8KZS5K6Jqgj26QLzl+APsOJz87dvZNFXDrcaaspJyRG/WfJfMV+2
+Db9NECijCsLUsD837hMBnH0y2JftghPnA4KgniclKnZ7dGblg7FYaMHXmYSMdRjH
+UReqNZKidcD96ckdTvy2SsCBOfH0ytfbHdTVXEVa/89n474UNIrwEAE5SLhGZazy
+hIY39SfZQejjo7O7xwtmAy9QuBzDKitwA5DcIyC0beCdPCzV42SgWEZJbt3HOgKZ
+fRmM62vzkEBoVfIlK+tgNCdeE6k0u+n1/sek/+mk5QigFDhod9sFOexPf/3DJ56G
+5LSs+2Z5qRftnn0llqUBAoIBAQDbOjiJk06lepRmzAeAqvpeh9c6R86Ptw9myCut
+mxXbObgHFtThBG+yfwR79d7vUv4S+lwEV+aHL2qbAqoPOBQLQxw91o4R5gKIj3fD
+KZxbH/r7+XEGSxg4t8dh9lKJybCR/MyvAiAOMpfUdfOCM8LprkSnqe6XA0EcC4tq
+sMh6ue7GR2DfAD/xEBhzbghQCJuarHPLdHhwveVjndZ57u1/lxMDzJVWgU8w2VFi
+mxcmlJmMaLiqz9fzmRUb52H2IosITH9vl2NlGFgbePtw3AoFBgIxrrDJvbYm/T1a
+iQmWGn5a28G6bj9+/hja29OWVYeqrjZrYlWMrLdhRYfQF5QPAoIBAQC/5tw2lJEo
+8BJaK1FSKJbUMu0yPjlLMk4ahpirRz4slHQT5WG8xqyppi8I9hhDxo9pWgAdeR96
+q4h1og5e3ISQ15Mfias1uZh9wucwIZMmGf83EkHxOn0NXYkkCee0bbMrDR6XX/Na
+UQMs27XBU1kCf4v86Bb8j+0bG9AzMJ9Cp7PwV3uV5Jkt69feTsVVo1aCDGCb5DVB
+Cka3Tvps2ipmI90pCVtekbc0gtv5A7QPa9QTmN9a0SIiTJvb9tuhbbI+Ys911iqE
+fUDv+LVRQSgipQQaVu+0lzvJbmJpWnrOm82Fq3fRLthbAnXERqVwiPQF4gsapDPo
+AUC2rYPkIbXvAoIBAGcbF9IklP2hDEDYvsKWJ5DkJKbFdPIEr9qwVFKfOQVVPScg
+Zti5xGrX8Fz4w3QdvV9hnntwd/ymoWXsN91Wi57MXnD7AvCKFDD0AOiqHl6BSQLP
+S4ghM3Ahh0Wcmy8wy7mtgvrgbgEfbGdBXlijTY2oJ6QPeSZPIoU1LMnuASwvXIym
+r3nSXUBcSJOpcYFquvxhFUjgK3Ei7ssORfwtEkhK3meQBcCcqokX/H364UWE6D6w
+VgIIJNHt8o6gIWOo1Wj+yYTLV7UJYQ7ytJdc9d1s+QUy2vTXI99shTmacAbHyRuk
+dZXgGj749OmiL/5plZgBvZh9tCyoYsr976VAIaMCggEALfaMjiIddpGxw5kWfDgu
+kBq2h08yB9m/rUjJrlR9Bs5z0wQg2cc4OdYM8/eFrk4TsWcWGfkV2hrVr18mVAA7
+XDnWCjq+IDsY1B5nozaXeQvG/hjIZI/eveHGZDRfI+8Wd9xHlHgt4FcBDLB/IxPk
+gN2t2OB6CPosD08lGe2uZ5elWI6LkkZTjhUr+hoh17YslS+DwDLzsmVUtLkc8A99
+EkPKx/ZuxQLfv5sMNuN1MDBidmMqNCVdKJvyxMemqU6N37Vo/U9TlbIuaIvIWfLi
+OxINHoXuGfITJtbiiVtbiLr2ieqc4yR2O64mKOHG5GJZGEOg5zunFw2dw2Nh8LVG
+TwKCAQEArj1VzmSXYxUs4A7VKaSffHTAmJfNqrjQ1v9J8bd0sgyroQNQL7uFtlRe
+ulkCMQKqvzCDn2edipNTXSEOo8XZf8TXTBckp28Mj3W3lS7VZyDWSN96olUUCDWq
+kbew4N3yymXQ70iE/Sq74+k7oMzyp6RkgoGLOqBLC6pRUUl89gY/0kE97FscsdUS
++upGIYGX0RE1p6482JvII1MkV9cufa4eKO3qCnAoSjrJaBb+QzpS9wO0jydI7yPi
+0CILWiwTUxRUtegH/H6B+IofcH/Kmk/MF1T1fLku0MyLjyFWQfoFY0MKMELzgC8X
+uSsXujU5+mC+Fu2Q28BTumc1adAGRA==
+-----END PRIVATE KEY-----