Migration ES6: Routes

Related OWASP#152
UlisesGascon · Jan 29, 2020 · 4fcc9df · 4fcc9df
1 parent cbb07db
commit 4fcc9df
Show file tree

Hide file tree

Showing 9 changed files with 155 additions and 191 deletions.
diff --git a/app/routes/allocations.js b/app/routes/allocations.js
@@ -1,25 +1,21 @@
-var AllocationsDAO = require("../data/allocations-dao").AllocationsDAO;
+const AllocationsDAO = require("../data/allocations-dao").AllocationsDAO;
 
-function AllocationsHandler(db) {
+const AllocationsHandler = db => {
     "use strict";
 
-    var allocationsDAO = new AllocationsDAO(db);
+    const allocationsDAO = new AllocationsDAO(db);
 
-
-    this.displayAllocations = function(req, res, next) {
+    this.displayAllocations = (req, res, next) => {
         /*
         // Fix for A4 Insecure DOR -  take user id from session instead of from URL param
-        var userId = req.session.userId;
+        const { userId } = req.session;
         */
-        var userId = req.params.userId;
+        const {userId} = req.params;
+        const { threshold } = req.query
 
-        allocationsDAO.getByUserIdAndThreshold(userId, req.query.threshold, function(err, allocations) {
+        allocationsDAO.getByUserIdAndThreshold(userId, threshold, (err, allocations) => {
             if (err) return next(err);
-
-            return res.render("allocations", {
-                userId: userId,
-                allocations: allocations
-            });
+            return res.render("allocations", { userId, allocations });
         });
     };
 }

diff --git a/app/routes/benefits.js b/app/routes/benefits.js
@@ -1,40 +1,37 @@
-var BenefitsDAO = require("../data/benefits-dao").BenefitsDAO;
+const { BenefitsDAO } = require("../data/benefits-dao");
 
-function BenefitsHandler(db) {
+const BenefitsHandler = db => {
     "use strict";
 
-    var benefitsDAO = new BenefitsDAO(db);
+    const benefitsDAO = new BenefitsDAO(db);
 
-    this.displayBenefits = function(req, res, next) {
+    this.displayBenefits = (req, res, next) => {
 
-        benefitsDAO.getAllNonAdminUsers(function(error, users) {
+        benefitsDAO.getAllNonAdminUsers((error, users) => {
 
             if (error) return next(error);
 
             return res.render("benefits", {
-                users: users,
+                users,
                 user: {
                     isAdmin: true
                 }
             });
         });
     };
 
-    this.updateBenefits = function(req, res, next) {
-        var userId = req.body.userId;
-        var benefitStartDate = req.body.benefitStartDate;
+    this.updateBenefits = (req, res, next) => {
+        const { userId, benefitStartDate } = req.body;
 
-        benefitsDAO.updateBenefits(userId, benefitStartDate, function(error) {
+        benefitsDAO.updateBenefits(userId, benefitStartDate, (error) => {
 
             if (error) return next(error);
 
-            benefitsDAO.getAllNonAdminUsers(function(error, users) {
-                var data;
-
+            benefitsDAO.getAllNonAdminUsers((error, users) => {
                 if (error) return next(error);
 
-                data = {
-                    users: users,
+                const data = {
+                    users,
                     user: {
                         isAdmin: true
                     },

diff --git a/app/routes/contributions.js b/app/routes/contributions.js
@@ -1,54 +1,56 @@
-var ContributionsDAO = require("../data/contributions-dao").ContributionsDAO;
+const ContributionsDAO = require("../data/contributions-dao").ContributionsDAO;
 
 /* The ContributionsHandler must be constructed with a connected db */
-function ContributionsHandler(db) {
+const ContributionsHandler = db => {
     "use strict";
 
-    var contributionsDAO = new ContributionsDAO(db);
+    const contributionsDAO = new ContributionsDAO(db);
 
-    this.displayContributions = function(req, res, next) {
-        var userId = req.session.userId;
+    this.displayContributions = (req, res, next) => {
+        const { userId } = req.session;
 
-        contributionsDAO.getByUserId(userId, function(error, contrib) {
+        contributionsDAO.getByUserId(userId, (error, contrib) => {
             if (error) return next(error);
 
             contrib.userId = userId; //set for nav menu items
             return res.render("contributions", contrib);
         });
     };
 
-    this.handleContributionsUpdate = function(req, res, next) {
+    this.handleContributionsUpdate = (req, res, next) => {
 
         /*jslint evil: true */
         // Insecure use of eval() to parse inputs
-        var preTax = eval(req.body.preTax);
-        var afterTax = eval(req.body.afterTax);
-        var roth = eval(req.body.roth);
+        const preTax = eval(req.body.preTax);
+        const afterTax = eval(req.body.afterTax);
+        const roth = eval(req.body.roth);
 
         /*
         //Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval
-        var preTax = parseInt(req.body.preTax);
-        var afterTax = parseInt(req.body.afterTax);
-        var roth = parseInt(req.body.roth);
+        const preTax = parseInt(req.body.preTax);
+        const afterTax = parseInt(req.body.afterTax);
+        const roth = parseInt(req.body.roth);
         */
-        var userId = req.session.userId;
+        const { userId } = req.session;
 
         //validate contributions
-        if (isNaN(preTax) || isNaN(afterTax) || isNaN(roth) || preTax < 0 || afterTax < 0 || roth < 0) {
+        const validations = [isNaN(preTax), isNaN(afterTax), isNaN(roth), preTax < 0, afterTax < 0, roth < 0]
+        const isInvalid = validations.some(validation => validation)
+        if (isInvalid) {
             return res.render("contributions", {
                 updateError: "Invalid contribution percentages",
-                userId: userId
+                userId
             });
         }
         // Prevent more than 30% contributions
         if (preTax + afterTax + roth > 30) {
             return res.render("contributions", {
                 updateError: "Contribution percentages cannot exceed 30 %",
-                userId: userId
+                userId
             });
         }
 
-        contributionsDAO.update(userId, preTax, afterTax, roth, function(err, contributions) {
+        contributionsDAO.update(userId, preTax, afterTax, roth, (err, contributions) => {
 
             if (err) return next(err);
 

diff --git a/app/routes/error.js b/app/routes/error.js
@@ -1,6 +1,6 @@
 // Error handling middleware
 
-var errorHandler = function(err, req, res, next) {
+const errorHandler = (err, req, res, next) => {
 
     "use strict";
 
@@ -12,4 +12,4 @@ var errorHandler = function(err, req, res, next) {
     });
 };
 
-exports.errorHandler = errorHandler;
+module.exports = { errorHandler };
diff --git a/app/routes/index.js b/app/routes/index.js
@@ -1,30 +1,30 @@
-var SessionHandler = require("./session");
-var ProfileHandler = require("./profile");
-var BenefitsHandler = require("./benefits");
-var ContributionsHandler = require("./contributions");
-var AllocationsHandler = require("./allocations");
-var MemosHandler = require("./memos");
-var ResearchHandler = require("./research");
+const SessionHandler = require("./session");
+const ProfileHandler = require("./profile");
+const BenefitsHandler = require("./benefits");
+const ContributionsHandler = require("./contributions");
+const AllocationsHandler = require("./allocations");
+const MemosHandler = require("./memos");
+const ResearchHandler = require("./research");
 
-var ErrorHandler = require("./error").errorHandler;
+const ErrorHandler = require("./error").errorHandler;
 
-var exports = function(app, db) {
+const index = (app, db) => {
 
     "use strict";
 
-    var sessionHandler = new SessionHandler(db);
-    var profileHandler = new ProfileHandler(db);
-    var benefitsHandler = new BenefitsHandler(db);
-    var contributionsHandler = new ContributionsHandler(db);
-    var allocationsHandler = new AllocationsHandler(db);
-    var memosHandler = new MemosHandler(db);
-    var researchHandler = new ResearchHandler(db);
+    const sessionHandler = new SessionHandler(db);
+    const profileHandler = new ProfileHandler(db);
+    const benefitsHandler = new BenefitsHandler(db);
+    const contributionsHandler = new ContributionsHandler(db);
+    const allocationsHandler = new AllocationsHandler(db);
+    const memosHandler = new MemosHandler(db);
+    const researchHandler = new ResearchHandler(db);
 
     // Middleware to check if a user is logged in
-    var isLoggedIn = sessionHandler.isLoggedInMiddleware;
+    const isLoggedIn = sessionHandler.isLoggedInMiddleware;
 
     //Middleware to check if user has admin rights
-    var isAdmin = sessionHandler.isAdminUserMiddleware;
+    const isAdmin = sessionHandler.isAdminUserMiddleware;
 
     // The main page of the app
     app.get("/", sessionHandler.displayWelcomePage);
@@ -67,17 +67,19 @@ var exports = function(app, db) {
     app.post("/memos", isLoggedIn, memosHandler.addMemos);
 
     // Handle redirect for learning resources link
-    app.get("/learn", isLoggedIn, function(req, res, next) {
+    app.get("/learn", isLoggedIn, (req, res) => {
         // Insecure way to handle redirects by taking redirect url from query string
         return res.redirect(req.query.url);
     });
 
     // Handle redirect for learning resources link
-    app.get("/tutorial", function(req, res, next) {
+    app.get("/tutorial", (req, res) => {
         return res.render("tutorial/a1");
     });
-    app.get("/tutorial/:page", function(req, res, next) {
-        return res.render("tutorial/" + req.params.page);
+
+    app.get("/tutorial/:page", (req, res) => {
+        const { page } = req.params
+        return res.render(`tutorial/${page}`);
     });
 
     // Research Page
@@ -87,4 +89,4 @@ var exports = function(app, db) {
     app.use(ErrorHandler);
 };
 
-module.exports = exports;
+module.exports = index;
diff --git a/app/routes/memos.js b/app/routes/memos.js
@@ -1,26 +1,23 @@
-var MemosDAO = require("../data/memos-dao").MemosDAO;
+const MemosDAO = require("../data/memos-dao").MemosDAO;
 
-function MemosHandler(db) {
+const MemosHandler = (db) => {
     "use strict";
 
-    var memosDAO = new MemosDAO(db);
+    const memosDAO = new MemosDAO(db);
 
-    var self = this;
-    this.addMemos = function(req, res, next) {
+    this.addMemos = (req, res, next) => {
 
-        memosDAO.insert(req.body.memo, function(err, docs) {
+        memosDAO.insert(req.body.memo, (err, docs) => {
             if (err) return next(err);
-
-            self.displayMemos(req, res, next);
-
+            this.displayMemos(req, res, next);
         });
     };
 
-    this.displayMemos = function(req, res, next) {
+    this.displayMemos = (req, res, next) => {
 
-        var userId = req.session.userId;
+        const { userId } = req.session;
 
-        memosDAO.getAllMemos(function(err, docs) {
+        memosDAO.getAllMemos((err, docs) => {
             if (err) return next(err);
             return res.render("memos", {
                 memosList: docs,

diff --git a/app/routes/profile.js b/app/routes/profile.js
@@ -1,18 +1,18 @@
-var ProfileDAO = require("../data/profile-dao").ProfileDAO;
-var ESAPI = require('node-esapi')
+const ProfileDAO = require("../data/profile-dao").ProfileDAO;
+const ESAPI = require('node-esapi')
 
 /* The ProfileHandler must be constructed with a connected db */
-function ProfileHandler(db) {
+const ProfileHandler = (db) => {
     "use strict";
 
-    var profile = new ProfileDAO(db);
+    const profile = new ProfileDAO(db);
 
-    this.displayProfile = function (req, res, next) {
-        var userId = req.session.userId;
+    this.displayProfile = (req, res, next) => {
+        const { userId } = req.session;
 
 
 
-        profile.getByUserId(parseInt(userId), function (err, doc) {
+        profile.getByUserId(parseInt(userId), (err, doc) => {
             if (err) return next(err);
             doc.userId = userId;
 
@@ -29,26 +29,20 @@ function ProfileHandler(db) {
         });
     };
 
-    this.handleProfileUpdate = function (req, res, next) {
+    this.handleProfileUpdate = (req, res, next) => {
 
-        var firstName = req.body.firstName;
-        var lastName = req.body.lastName;
-        var ssn = req.body.ssn;
-        var dob = req.body.dob;
-        var address = req.body.address;
-        var bankAcc = req.body.bankAcc;
-        var bankRouting = req.body.bankRouting;
+        const {firstName, lastName, ssn, dob, address, bankAcc, bankRouting} = req.body;
 
         // Fix for Section: ReDoS attack
         // The following regexPattern that is used to validate the bankRouting number is insecure and vulnerable to
         // catastrophic backtracking which means that specific type of input may cause it to consume all CPU resources
         // with an exponential time until it completes
         // --
         // The Fix: Instead of using greedy quantifiers the same regex will work if we omit the second quantifier +
-        // var regexPattern = /([0-9]+)\#/;
-        var regexPattern = /([0-9]+)+\#/;
+        // const regexPattern = /([0-9]+)\#/;
+        const regexPattern = /([0-9]+)+\#/;
         // Allow only numbers with a suffix of the letter #, for example: 'XXXXXX#'
-        var testComplyWithRequirements = regexPattern.test(bankRouting);
+        const testComplyWithRequirements = regexPattern.test(bankRouting);
         // if the regex test fails we do not allow saving
         if (testComplyWithRequirements !== true) {
             const firstNameSafeString = firstName
@@ -64,7 +58,7 @@ function ProfileHandler(db) {
             });
         }
 
-        var userId = req.session.userId;
+        const { userId } = req.session;
 
         profile.updateUser(
             parseInt(userId),
@@ -75,7 +69,7 @@ function ProfileHandler(db) {
             address,
             bankAcc,
             bankRouting,
-            function (err, user) {
+            (err, user) => {
 
                 if (err) return next(err);