diff --git a/.brightsec/tests/get-redirect-to-url.test.ts b/.brightsec/tests/get-redirect-to-url.test.ts new file mode 100644 index 00000000000..fc606135893 --- /dev/null +++ b/.brightsec/tests/get-redirect-to-url.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /redirect?to=:url', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['unvalidated_redirect', 'xss', 'ssrf'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + } + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/redirect?to=https://example.com` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-redirect.test.ts b/.brightsec/tests/get-redirect.test.ts new file mode 100644 index 00000000000..94fea13b741 --- /dev/null +++ b/.brightsec/tests/get-redirect.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /redirect', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['unvalidated_redirect', 'xss', 'ssrf'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + } + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/redirect?to=https://example.com` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-v2-redirect-to-url.test.ts b/.brightsec/tests/get-v2-redirect-to-url.test.ts new file mode 100644 index 00000000000..3c139ea86bb --- /dev/null +++ b/.brightsec/tests/get-v2-redirect-to-url.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /redirect?to=:url (v2)', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['unvalidated_redirect', 'xss', 'ssrf'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + } + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/redirect?to=https://example.com` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-v2-redirect.test.ts b/.brightsec/tests/get-v2-redirect.test.ts new file mode 100644 index 00000000000..73ed1bd10aa --- /dev/null +++ b/.brightsec/tests/get-v2-redirect.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /redirect (v2)', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['unvalidated_redirect', 'xss', 'ssrf'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + } + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/redirect?to=https://example.com` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-v3-redirect-to-url.test.ts b/.brightsec/tests/get-v3-redirect-to-url.test.ts new file mode 100644 index 00000000000..548d8c00add --- /dev/null +++ b/.brightsec/tests/get-v3-redirect-to-url.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /redirect?to=:url (v3)', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['unvalidated_redirect', 'xss', 'ssrf'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + } + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/redirect?to=https://example.com` + }); +}); \ No newline at end of file diff --git a/.brightsec/tests/get-v3-redirect.test.ts b/.brightsec/tests/get-v3-redirect.test.ts new file mode 100644 index 00000000000..7426ad26f0c --- /dev/null +++ b/.brightsec/tests/get-v3-redirect.test.ts @@ -0,0 +1,40 @@ +import { test, before, after } from 'node:test'; +import { SecRunner } from '@sectester/runner'; +import { AttackParamLocation, HttpMethod } from '@sectester/scan'; + +const timeout = 40 * 60 * 1000; +const baseUrl = process.env.BRIGHT_TARGET_URL!; + +let runner!: SecRunner; + +before(async () => { + runner = new SecRunner({ + hostname: process.env.BRIGHT_HOSTNAME!, + projectId: process.env.BRIGHT_PROJECT_ID! + }); + + await runner.init(); +}); + +after(() => runner.clear()); + +test('GET /redirect (v3)', { signal: AbortSignal.timeout(timeout) }, async () => { + await runner + .createScan({ + tests: ['unvalidated_redirect', 'xss', 'ssrf'], + attackParamLocations: [AttackParamLocation.QUERY], + starMetadata: { + code_source: 'tssbox/juice-shop:master', + databases: ['SQLite'], + user_roles: { + roles: ['customer', 'deluxe', 'accounting', 'admin'] + } + } + }) + .setFailFast(false) + .timeout(timeout) + .run({ + method: HttpMethod.GET, + url: `${baseUrl}/redirect?to=https://example.com` + }); +}); \ No newline at end of file diff --git a/.github/workflows/bright.yml b/.github/workflows/bright.yml new file mode 100644 index 00000000000..a2cc4ad4009 --- /dev/null +++ b/.github/workflows/bright.yml @@ -0,0 +1,71 @@ +name: Bright + +on: + pull_request: + branches: + - '**' + +permissions: + checks: write + contents: read + id-token: write + actions: write + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Check out Git repository + uses: actions/checkout@v4 + + - name: Use Node.js 20.x + uses: actions/setup-node@v4 + with: + node-version: '20.x' + + - name: Install application dependencies + run: | + npm install + + - name: Start application + run: | + npm start > app.log 2>&1 & + + - name: Probe application readiness + run: | + for i in {1..30}; do nc -z 127.0.0.1 3000 && exit 0 || sleep 5; done; exit 1 + + - name: Use Node.js 22.x for SecTesterJS + uses: actions/setup-node@v4 + with: + node-version: '22.x' + + - name: Install SecTesterJS dependencies + run: | + npm i --save=false --prefix .brightsec @sectester/core @sectester/repeater @sectester/scan @sectester/runner @sectester/reporter + + - name: Authenticate with Bright + uses: ./.github/workflows/composite/configure-bright-credentials + with: + BRIGHT_HOSTNAME: development.playground.brightsec.com + BRIGHT_PROJECT_ID: xagvSFR3EMYf1Yhma8dxEJ + BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }} + + - name: Run security tests + continue-on-error: true + run: | + node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=1 --test .brightsec/tests/*.test.ts + env: + BRIGHT_HOSTNAME: development.playground.brightsec.com + BRIGHT_PROJECT_ID: xagvSFR3EMYf1Yhma8dxEJ + BRIGHT_AUTH_ID: wEfwSeetcm3JFpHqQAS5Sp + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + BRIGHT_TOKEN: ${{ env.BRIGHT_TOKEN }} + BRIGHT_TARGET_URL: http://127.0.0.1:3000 + + - name: Upload application logs + if: always() + uses: actions/upload-artifact@v4 + with: + name: app-logs + path: app.log \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml deleted file mode 100644 index 8c09281f61b..00000000000 --- a/.github/workflows/ci.yml +++ /dev/null @@ -1,358 +0,0 @@ -name: "CI/CD Pipeline" -on: - push: - branches-ignore: - - l10n_develop - - gh-pages - paths-ignore: - - '*.md' - - 'LICENSE' - - 'monitoring/grafana-dashboard.json' - - 'screenshots/**' - tags-ignore: - - '*' - pull_request: - paths-ignore: - - '*.md' - - 'LICENSE' - - 'data/static/i18n/*.json' - - 'frontend/src/assets/i18n/*.json' -env: - NODE_DEFAULT_VERSION: 22 - NODE_OPTIONS: "--max_old_space_size=4096" - CYCLONEDX_NPM_VERSION: '^2.0.0||^3.0.0' -jobs: - lint: - runs-on: ubuntu-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js 22" - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: ${{ env.NODE_DEFAULT_VERSION }} - - name: "Install application minimalistically" - run: | - npm install --ignore-scripts - cd frontend - npm install --ignore-scripts --legacy-peer-deps - - name: "Lint source code" - run: npm run lint - - name: "Lint customization configs" - run: > - npm run lint:config -- -f ./config/7ms.yml && - npm run lint:config -- -f ./config/addo.yml && - npm run lint:config -- -f ./config/bodgeit.yml && - npm run lint:config -- -f ./config/ctf.yml && - npm run lint:config -- -f ./config/default.yml && - npm run lint:config -- -f ./config/fbctf.yml && - npm run lint:config -- -f ./config/juicebox.yml && - npm run lint:config -- -f ./config/mozilla.yml && - npm run lint:config -- -f ./config/oss.yml && - npm run lint:config -- -f ./config/quiet.yml && - npm run lint:config -- -f ./config/tutorial.yml && - npm run lint:config -- -f ./config/unsafe.yml - coding-challenge-rsn: - runs-on: windows-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js 22" - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: ${{ env.NODE_DEFAULT_VERSION }} - - name: "Install application" - run: npm install - - name: "Check coding challenges for accidental code discrepancies" - run: npm run rsn - test: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-latest, macos-latest] # FIXME: Removed "windows-latest" due to 'Error: ENOENT: no such file or directory, open' error breaking at least on Node 20.0 constantly - node-version: [20, 22, 24] - steps: - - name: "Check out Git repository" - if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22') - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js ${{ matrix.node-version }}" - if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22') - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: ${{ matrix.node-version }} - - name: "Install application" - if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22') - run: npm install - - name: "Execute unit tests" - if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22') - uses: nick-invision/retry@7152eba30c6575329ac0576536151aca5a72780e #v3.0.0 - with: - timeout_minutes: 15 - max_attempts: 3 - command: npm test - - name: "Copy unit test coverage data" - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22' - run: | - cp build/reports/coverage/frontend-tests/lcov.info frontend-lcov.info - cp build/reports/coverage/server-tests/lcov.info server-lcov.info - sed -i s/SF:/SF:frontend\\//g frontend-lcov.info - shell: bash - - name: "Upload unit test coverage data" - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22' - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0 - with: - name: unit-test-lcov - path: | - frontend-lcov.info - server-lcov.info - api-test: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-latest, windows-latest, macos-latest] - node-version: [20, 22, 24] - steps: - - name: "Check out Git repository" - if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22') - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js ${{ matrix.node-version }}" - if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22') - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: ${{ matrix.node-version }} - - name: "Install application" - if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22') - run: npm install - - name: "Execute integration tests" - if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22') - uses: nick-invision/retry@7152eba30c6575329ac0576536151aca5a72780e #v3.0.0 - env: - NODE_ENV: test - with: - timeout_minutes: 5 - max_attempts: 3 - command: npm run frisby - - name: "Copy API test coverage data" - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22' - run: cp build/reports/coverage/api-tests/lcov.info api-lcov.info - - name: "Upload API test coverage data" - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22' - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0 - with: - name: api-test-lcov - path: | - api-lcov.info - coverage-report: - needs: [test, api-test] - runs-on: ubuntu-latest - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Download unit test coverage data" - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 - with: - name: unit-test-lcov - - name: "Download API test coverage data" - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 #v4.1.8 - with: - name: api-test-lcov - - name: "Publish coverage to Coveralls" - uses: coverallsapp/github-action@v2 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - files: frontend-lcov.info server-lcov.info api-lcov.info - custom-config-test: - runs-on: ubuntu-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js 22" - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: ${{ env.NODE_DEFAULT_VERSION }} - - name: "Install application" - if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '22') - run: npm install - - name: "Execute server tests for each custom configuration" - uses: nick-invision/retry@7152eba30c6575329ac0576536151aca5a72780e #v3.0.0 - with: - timeout_minutes: 30 - max_attempts: 3 - command: > - NODE_ENV=7ms npm run test:server && - NODE_ENV=addo npm run test:server && - NODE_ENV=bodgeit npm run test:server && - NODE_ENV=ctf npm run test:server && - NODE_ENV=fbctf npm run test:server && - NODE_ENV=juicebox npm run test:server && - NODE_ENV=mozilla npm run test:server && - NODE_ENV=oss npm run test:server && - NODE_ENV=quiet npm run test:server && - NODE_ENV=tutorial npm run test:server && - NODE_ENV=unsafe npm run test:server - e2e: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-latest, macos-latest] - browser: [chrome] # FIXME Switch back to [chrome, firefox] after debugging extreme flakiness of Firefox on CI/CD - fail-fast: false - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js 22" - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: ${{ env.NODE_DEFAULT_VERSION }} - - name: "Install CLI tools" - run: npm install -g @angular/cli - - name: "Install application" - run: npm install - - name: "Execute end-to-end tests on Ubuntu" - if: ${{ matrix.os == 'ubuntu-latest' }} - uses: cypress-io/github-action@57b70560982e6a11d23d4b8bec7f8a487cdbb71b #v6.7.8 - with: - install: false - browser: ${{ matrix.browser }} - start: npm start - wait-on: http://localhost:3000 - record: true - group: ${{ matrix.browser }} @ ${{ matrix.os }} - env: - SOLUTIONS_WEBHOOK: ${{ secrets.E2E_SOLUTIONS_WEBHOOK }} - CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: "Execute end-to-end tests on Mac" - if: ${{ matrix.os == 'macos-latest' }} - uses: cypress-io/github-action@57b70560982e6a11d23d4b8bec7f8a487cdbb71b #v6.7.8 - with: - install: false - browser: ${{ matrix.browser }} - start: npm start - wait-on: http://localhost:3000 - record: true - group: ${{ matrix.browser }} @ ${{ matrix.os }} - env: - CYPRESS_CACHE_FOLDER: /Users/runner/Library/Caches/Cypress - CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - smoke-test: - runs-on: ubuntu-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js 22" - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: ${{ env.NODE_DEFAULT_VERSION }} - - name: "Install CLI tools" - run: | - npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION - npm install -g grunt-cli - - name: "Set packaging options for Grunt" - run: | - echo "PCKG_OS_NAME=linux" >> $GITHUB_ENV - echo "PCKG_NODE_VERSION=18" >> $GITHUB_ENV - echo "PCKG_CPU_ARCH=x64" >> $GITHUB_ENV - - name: "Package application" - run: | - npm install --production - npm run package:ci - - name: "Unpack application archive" - run: | - cd dist - tar -zxf juice-shop-*.tgz - - name: "Execute smoke test" - run: | - cd dist/juice-shop_* - npm start & - cd ../.. - chmod +x test/smoke/smoke-test.sh - test/smoke/smoke-test.sh http://localhost:3000 - docker-test: - runs-on: ubuntu-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Execute smoke test on Docker" - run: docker compose -f docker-compose.test.yml up --exit-code-from sut - docker: - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && (github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master') - needs: [test, api-test, e2e, custom-config-test, docker-test] - runs-on: ubuntu-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Set up QEMU" - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0 - - name: "Set up Docker Buildx" - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0 - - name: "Login to DockerHub" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: "Set tag & labels for ${{ github.ref }}" - run: | - if [ "$GITHUB_REF" == "refs/heads/master" ]; then - echo "DOCKER_TAG=latest" >> $GITHUB_ENV - else - echo "DOCKER_TAG=snapshot" >> $GITHUB_ENV - fi - echo "VCS_REF=`git rev-parse --short HEAD`" >> $GITHUB_ENV - echo "BUILD_DATE=`date -u +”%Y-%m-%dT%H:%M:%SZ”`" >> $GITHUB_ENV - - name: "Build and push for AMD64 and ARM64 processors" - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.1.0 - with: - context: . - file: ./Dockerfile - platforms: linux/amd64,linux/arm64 - push: true - tags: | - bkimminich/juice-shop:${{ env.DOCKER_TAG }} - build-args: | - VCS_REF=${{ env.VCS_REF }} - BUILD_DATE=${{ env.BUILD_DATE }} - CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }} - heroku: - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && (github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master') - needs: [test, api-test, e2e, custom-config-test] - runs-on: ubuntu-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Install Heroku CLI" - run: curl https://cli-assets.heroku.com/install.sh | sh - - name: "Set Heroku app & branch for ${{ github.ref }}" - run: | - if [ "$GITHUB_REF" == "refs/heads/master" ]; then - echo "HEROKU_APP=juice-shop" >> $GITHUB_ENV - echo "HEROKU_BRANCH=master" >> $GITHUB_ENV - else - echo "HEROKU_APP=juice-shop-staging" >> $GITHUB_ENV - echo "HEROKU_BRANCH=develop" >> $GITHUB_ENV - fi - - name: "Deploy ${{ github.ref }} to Heroku" - uses: akhileshns/heroku-deploy@581dd286c962b6972d427fcf8980f60755c15520 #v3.13.15 - with: - heroku_api_key: ${{ secrets.HEROKU_API_KEY }} - heroku_app_name: ${{ env.HEROKU_APP }} - heroku_email: bjoern.kimminich@owasp.org - branch: ${{ env.HEROKU_BRANCH }} - notify-slack: - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && (success() || failure()) - needs: - - docker - - heroku - - lint - - coding-challenge-rsn - - smoke-test - - coverage-report - runs-on: ubuntu-latest - steps: - - name: "Slack workflow notification" - uses: Gamesight/slack-workflow-status@68bf00d0dbdbcb206c278399aa1ef6c14f74347a #v1.3.0 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index fe353eb0ee5..00000000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: "CodeQL Scan" - -on: - push: - pull_request: - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - strategy: - fail-fast: false - matrix: - language: [ 'javascript-typescript' ] - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - queries: security-extended - config: | - paths-ignore: - - 'data/static/codefixes' - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/composite/configure-bright-credentials/action.yaml b/.github/workflows/composite/configure-bright-credentials/action.yaml new file mode 100644 index 00000000000..84983846b0d --- /dev/null +++ b/.github/workflows/composite/configure-bright-credentials/action.yaml @@ -0,0 +1,53 @@ +name: 'Configure BrightSec credentials' + +inputs: + BRIGHT_HOSTNAME: + description: 'Hostname for the BrightSec environment' + required: true + BRIGHT_PROJECT_ID: + description: 'Project ID for BrightSec' + required: true + BRIGHT_TOKEN: + description: 'Pre-configured token' + required: false + +runs: + using: 'composite' + steps: + - id: configure_env_from_input + name: 'Set existing token in env' + shell: bash + if: ${{ inputs.BRIGHT_TOKEN != '' }} + env: + BRIGHT_TOKEN: ${{ inputs.BRIGHT_TOKEN }} + run: | + echo "BRIGHT_TOKEN=${BRIGHT_TOKEN}" >> $GITHUB_ENV + + - id: configure_bright_credentials_through_oidc + name: 'Exchange OIDC credentials for Bright token' + shell: bash + if: ${{ inputs.BRIGHT_TOKEN == '' }} + env: + BRIGHT_HOSTNAME: ${{ inputs.BRIGHT_HOSTNAME }} + BRIGHT_PROJECT_ID: ${{ inputs.BRIGHT_PROJECT_ID }} + run: | + # Retrieve OIDC token from GitHub + OIDC_TOKEN=$(curl -sS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ + "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value') + + # Post the token to BrightSec + RESPONSE=$(curl -s -X POST "https://${BRIGHT_HOSTNAME}/api/v1/projects/${BRIGHT_PROJECT_ID}/api-keys/oidc" \ + -H "Content-Type: application/json" \ + -d "{\"token\": \"${OIDC_TOKEN}\"}") + + if ! echo "$RESPONSE" | jq -e . > /dev/null 2>&1; then + echo "Error: $RESPONSE" 1>&2 + exit 1 + fi + + # Extract the pureKey + PURE_KEY=$(echo "$RESPONSE" | jq -r '.pureKey') + + # Mask and store in environment + echo "::add-mask::$PURE_KEY" + echo "BRIGHT_TOKEN=$PURE_KEY" >> $GITHUB_ENV diff --git a/.github/workflows/lint-fixer.yml b/.github/workflows/lint-fixer.yml deleted file mode 100644 index 907f841e1b8..00000000000 --- a/.github/workflows/lint-fixer.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: "Let me lint:fix that for you" - -on: [push] - -jobs: - LMLFTFY: - runs-on: ubuntu-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js 22" - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: 22 - - name: "Install application" - run: | - npm install --ignore-scripts - cd frontend - npm install --ignore-scripts --legacy-peer-deps - - name: "Fix everything which can be fixed" - run: 'npm run lint:fix' - - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 - with: - commit_message: "Auto-fix linting issues" - branch: ${{ github.head_ref }} - commit_options: '--signoff' - commit_user_name: JuiceShopBot - commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com - commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml deleted file mode 100644 index 9d79216d828..00000000000 --- a/.github/workflows/lock.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: 'Lock Threads' - -on: - schedule: - - cron: '0 0 * * *' - -permissions: - issues: write - pull-requests: write - -jobs: - action: - runs-on: ubuntu-latest - steps: - - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 #v5.0.1 - with: - issue-lock-comment: > - This thread has been automatically locked because it has not had - recent activity after it was closed. :lock: Please open a new issue - for regressions or related bugs. - issue-lock-reason: '' - pr-lock-reason: '' diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml deleted file mode 100644 index f999d22edf1..00000000000 --- a/.github/workflows/rebase.yml +++ /dev/null @@ -1,26 +0,0 @@ -name: Automatic Rebase - -on: - issue_comment: - types: [created] - -jobs: - rebase: - name: Rebase - if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - with: - fetch-depth: 0 - - name: Automatic Rebase - uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 #v1.8 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # https://github.community/t5/GitHub-Actions/Workflow-is-failing-if-no-job-can-be-ran-due-to-condition/m-p/38186#M3250 - always_job: - name: Always run job - runs-on: ubuntu-latest - steps: - - name: Always run - run: echo "This job is used to prevent the workflow to fail when all other jobs are skipped." diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index 4aad876031e..00000000000 --- a/.github/workflows/release.yml +++ /dev/null @@ -1,95 +0,0 @@ -name: "Release Pipeline" -on: - push: - tags: - - v* -env: - CYCLONEDX_NPM_VERSION: '^2.0.0||^3.0.0' -jobs: - package: - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-latest, windows-latest, macos-latest] - node-version: [20, 22, 24] - fail-fast: false - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Use Node.js ${{ matrix.node-version }}" - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0 - with: - node-version: ${{ matrix.node-version }} - - name: "Install CLI tools" - run: | - npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION - npm install -g grunt-cli - - name: "Set packaging options for Grunt" - run: | - if [ "$RUNNER_OS" == "Windows" ]; then - echo "PCKG_OS_NAME=win32" >> $GITHUB_ENV - elif [ "$RUNNER_OS" == "macOS" ]; then - echo "PCKG_OS_NAME=darwin" >> $GITHUB_ENV - else - echo "PCKG_OS_NAME=linux" >> $GITHUB_ENV - fi - echo "PCKG_CPU_ARCH=x64" >> $GITHUB_ENV - echo "PCKG_NODE_VERSION=${{ matrix.node-version }}" >> $GITHUB_ENV - shell: bash - - name: "Package application" - run: | - npm install --production - npm run package:ci - - name: 'Attach packaged archive to tag release' - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 #v2.2.2 - with: - draft: true - files: dist/* - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - docker: - runs-on: ubuntu-latest - steps: - - name: "Check out Git repository" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - - name: "Set up QEMU" - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0 - - name: "Set up Docker Buildx" - uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0 - - name: "Login to DockerHub" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: "Get tag name" - id: tag - uses: dawidd6/action-get-tag@727a6f0a561be04e09013531e73a3983a65e3479 #v1.1.0 TODO Action is archived and should be replaced eventually - - name: "Set labels for ${{ github.ref }}" - run: | - echo "VCS_REF=`git rev-parse --short HEAD`" >> $GITHUB_ENV - echo "BUILD_DATE=`date -u +”%Y-%m-%dT%H:%M:%SZ”`" >> $GITHUB_ENV - - name: "Build and push for AMD64 and ARM64 processors" - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.1.0 - with: - context: . - file: ./Dockerfile - platforms: linux/amd64,linux/arm64 - push: true - tags: | - bkimminich/juice-shop:${{ steps.tag.outputs.tag }} - build-args: | - VCS_REF=${{ env.VCS_REF }} - BUILD_DATE=${{ env.BUILD_DATE }} - CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }} - notify-slack: - if: always() - needs: - - package - - docker - runs-on: ubuntu-latest - steps: - - name: "Slack workflow notification" - uses: Gamesight/slack-workflow-status@68bf00d0dbdbcb206c278399aa1ef6c14f74347a #v1.3.0 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index 0519859a7b5..00000000000 --- a/.github/workflows/stale.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: 'Close stale issues and PR' -on: - schedule: - - cron: '30 1 * * *' - -jobs: - stale: - runs-on: ubuntu-latest - steps: - - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e #v9.0.0 - with: - stale-issue-message: > - This issue has been automatically marked as `stale` because it has not had - recent activity. :calendar: It will be _closed automatically_ in one week if no further activity occurs. - stale-pr-message: > - This PR has been automatically marked as `stale` because it has not had - recent activity. :calendar: It will be _closed automatically_ in two weeks if no further activity occurs. - close-issue-message: This issue was closed because it has been stalled for 7 days with no activity. - close-pr-message: This PR was closed because it has been stalled for 14 days with no activity. - days-before-stale: 14 - days-before-close: 7 - days-before-pr-close: 14 - exempt-issue-labels: 'critical,technical debt' - exempt-assignees: bkimminich diff --git a/.github/workflows/update-challenges-ebook.yml b/.github/workflows/update-challenges-ebook.yml deleted file mode 100644 index 9810a5ab503..00000000000 --- a/.github/workflows/update-challenges-ebook.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: "Update challenges in Companion Guide" - -on: - push: - branches: [ master, develop ] - paths: - - 'data/static/challenges.yml' - -jobs: - UpdateChallengesOnWebsite: - if: github.repository == 'juice-shop/juice-shop' - runs-on: ubuntu-latest - steps: - - name: Check out Git repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - with: - token: ${{ secrets.BOT_TOKEN }} - repository: juice-shop/pwning-juice-shop - ref: ${{ github.ref_name }} - - name: Update challenges.yml - run: | - cd docs/modules/ROOT/assets/data - rm challenges.yml - wget https://raw.githubusercontent.com/juice-shop/juice-shop/${{ github.ref_name }}/data/static/challenges.yml - - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 - with: - commit_message: "Auto-update challenges.yml from ${{ github.sha }}" - branch: ${{ github.ref_name }} - commit_options: '--signoff' - - # Optional commit user and author settings - commit_user_name: JuiceShopBot - commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com - commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> diff --git a/.github/workflows/update-challenges-www.yml b/.github/workflows/update-challenges-www.yml deleted file mode 100644 index caaa7405bf1..00000000000 --- a/.github/workflows/update-challenges-www.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: "Update challenges on owasp-juice.shop" - -on: - push: - branches: [ master ] - paths: - - 'data/static/challenges.yml' - -jobs: - UpdateChallengesOnWebsite: - if: github.repository == 'juice-shop/juice-shop' - runs-on: ubuntu-latest - steps: - - name: Check out Git repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - with: - token: ${{ secrets.BOT_TOKEN }} - repository: OWASP/www-project-juice-shop - ref: master - - name: Update challenges.yml - run: | - cd _data/ - rm challenges.yml - wget https://raw.githubusercontent.com/juice-shop/juice-shop/master/data/static/challenges.yml - - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 - with: - commit_message: "Auto-update challenges.yml from ${{ github.sha }}" - branch: master - commit_options: '--signoff' - - # Optional commit user and author settings - commit_user_name: JuiceShopBot - commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com - commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> diff --git a/.github/workflows/update-news-www.yml b/.github/workflows/update-news-www.yml deleted file mode 100644 index 26757465a1a..00000000000 --- a/.github/workflows/update-news-www.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: "Update news on owasp-juice.shop" - -on: - release: - types: [ published ] - -jobs: - UpdateNewsOnWebsite: - runs-on: ubuntu-latest - steps: - - name: Check out Git repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - with: - token: ${{ secrets.BOT_TOKEN }} - repository: OWASP/www-project-juice-shop - branch: master - - name: Update tab_news.md - run: | - sed -i 's//\n* ${{ github.event.release.published_at }}: juice-shop [`${{ github.event.release.tag_name }}`](https:\/\/github.com\/juice-shop\/juice-shop\/releases\/tag\/${{ github.event.release.tag_name }})/' tab_news.md - - uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 #v5.0.1 - with: - commit_message: "Add juice-shop ${{ github.event.release.tag_name }} release notes to tab_news.md" - branch: master - commit_options: '--signoff' - - # Optional commit user and author settings - commit_user_name: JuiceShopBot - commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com - commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> diff --git a/.github/workflows/zap_scan.yml b/.github/workflows/zap_scan.yml deleted file mode 100644 index 44117a146b3..00000000000 --- a/.github/workflows/zap_scan.yml +++ /dev/null @@ -1,22 +0,0 @@ -name: "ZAP Baseline Scan" - -on: - schedule: - - cron: '0 18 * * 6' - -jobs: - zap_scan: - runs-on: ubuntu-latest - name: Scan Juice Shop preview instance on Heroku - steps: - - name: Check out Git repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - with: - ref: develop - - name: ZAP Scan - uses: zaproxy/action-baseline@7c4deb10e6261301961c86d65d54a516394f9aed # v0.14.0 - with: - token: ${{ secrets.GITHUB_TOKEN }} - target: 'https://preview.owasp-juice.shop' - rules_file_name: '.zap/rules.tsv' - cmd_options: '-a -j' diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 7b5f3c01b0a..00000000000 --- a/.gitlab-ci.yml +++ /dev/null @@ -1,7 +0,0 @@ -include: - - template: Auto-DevOps.gitlab-ci.yml - -variables: - SAST_EXCLUDED_PATHS: "frontend/src/assets/private/**" - TEST_DISABLED: "true" - DAST_DISABLED: "true" diff --git a/routes/order.ts b/routes/order.ts index be0693b30df..39c387c55ea 100644 --- a/routes/order.ts +++ b/routes/order.ts @@ -144,6 +144,7 @@ export function placeOrder () { }) } else { next(new Error('Insufficient wallet balance.')) + return } } WalletModel.increment({ balance: totalPoints }, { where: { UserId: req.body.UserId } }).catch((error: unknown) => { diff --git a/server.ts b/server.ts index c58efa5f54c..b5a1fb22809 100644 --- a/server.ts +++ b/server.ts @@ -31,6 +31,8 @@ import securityTxt from 'express-security.txt' import { rateLimit } from 'express-rate-limit' import { getStream } from 'file-stream-rotator' import type { Request, Response, NextFunction } from 'express' +import { AsyncLocalStorage } from 'node:async_hooks' +import { PerformanceObserver } from 'node:perf_hooks' import { sequelize } from './models' import { UserModel } from './models/user' @@ -174,6 +176,43 @@ restoreOverwrittenFilesWithOriginals().then(() => { app.locals.abused_ssti_bug = false app.locals.abused_ssrf_bug = false + const BYTES_IN_MB = 1024 * 1024 + let requestCount = 0 + const obs = new PerformanceObserver((list) => { + const entry = list.getEntries()[0] + // @ts-expect-error FIXME kind is not a property of PerformanceEntry + const { duration, kind } = entry + const heapUsed = process.memoryUsage().heapUsed / BYTES_IN_MB + logger.info(`GC: kind=${kind} duration=${duration.toFixed(2)}ms heapUsed=${heapUsed.toFixed(2)}MB`) + }) + obs.observe({ entryTypes: ['gc'], buffered: false }) + + app.use((req: Request, res: Response, next: NextFunction) => { + requestCount++ + const { rss, heapUsed, heapTotal, external } = process.memoryUsage() + logger.info(`Request #${requestCount} | RSS: ${(rss / BYTES_IN_MB).toFixed(2)}MB, HeapUsed: ${(heapUsed / BYTES_IN_MB).toFixed(2)}MB, HeapTotal: ${(heapTotal / BYTES_IN_MB).toFixed(2)}MB, External: ${(external / BYTES_IN_MB).toFixed(2)}MB, Path: ${req.path}`) + next() + }) + + /* Unhandled rejections handling with AsyncLocalStorage */ + const als = new AsyncLocalStorage() + app.use((req: Request, res: Response, next: NextFunction) => { + als.run({ res }, () => { next() }) + }) + const onFatal = (reason: any) => { + console.error('[unhandledRejection]', reason) + + const store = als.getStore() as { res?: Response } | undefined + const res = store?.res + + if (res && !res.headersSent && !res.writableEnded) { + res.status(500).json({ error: 'Internal server error' }) + } + } + + process.on('uncaughtException', onFatal) + process.on('unhandledRejection', onFatal) + /* Compression for all requests */ app.use(compression())