Merge pull request juice-shop#2530 from juice-shop/angular17

Merge Angular17 into develop

Author: J12934

.eslintrc.js

@@ -37,7 +37,8 @@ module.exports = {
         // FIXME warnings below this line need to be checked and fixed.
         '@typescript-eslint/explicit-function-return-type': 'off',
         '@typescript-eslint/strict-boolean-expressions': 'off',
-        '@typescript-eslint/no-var-requires': 'off'
+        '@typescript-eslint/no-var-requires': 'off',
+        '@typescript-eslint/no-misused-promises': 'off'
       }
     }
   ]

.github/workflows/ci.yml

@@ -19,8 +19,8 @@ on:
       - 'frontend/src/assets/i18n/*.json'
 env:
   NODE_DEFAULT_VERSION: 20
-  ANGULAR_CLI_VERSION: 17
   CYCLONEDX_NPM_VERSION: '^1.12.0'
+  NODE_OPTIONS: "--max_old_space_size=4096"
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -31,8 +31,6 @@ jobs:
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
         with:
           node-version: ${{ env.NODE_DEFAULT_VERSION }}
-      - name: "Install CLI tools"
-        run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION
       - name: "Install application minimalistically"
         run: |
           npm install --ignore-scripts
@@ -63,8 +61,6 @@ jobs:
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
         with:
           node-version: ${{ env.NODE_DEFAULT_VERSION }}
-      - name: "Install CLI tools"
-        run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION
       - name: "Install application"
         run: npm install
       - name: "Check coding challenges for accidental code discrepancies"
@@ -84,9 +80,6 @@ jobs:
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
         with:
           node-version: ${{ matrix.node-version }}
-      - name: "Install CLI tools"
-        if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '20')
-        run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION
       - name: "Install application"
         if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '20')
         run: npm install
@@ -124,9 +117,6 @@ jobs:
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
         with:
           node-version: ${{ matrix.node-version }}
-      - name: "Install CLI tools"
-        if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '20')
-        run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION
       - name: "Install application"
         if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '20')
         run: npm install
@@ -185,8 +175,6 @@ jobs:
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
         with:
           node-version: ${{ env.NODE_DEFAULT_VERSION }}
-      - name: "Install CLI tools"
-        run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION
       - name: "Install application"
         if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '20')
         run: npm install
@@ -264,7 +252,6 @@ jobs:
           node-version: ${{ env.NODE_DEFAULT_VERSION }}
       - name: "Install CLI tools"
         run: |
-          npm install -g @angular/cli@$ANGULAR_CLI_VERSION
           npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION
           npm install -g grunt-cli
       - name: "Set packaging options for Grunt"
@@ -333,15 +320,15 @@ jobs:
             BUILD_DATE=${{ env.BUILD_DATE }}
             CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }}
   heroku:
-    if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && (github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master')
+    if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && (github.ref == 'refs/heads/angular17' || github.ref == 'refs/heads/master') # TODO Switch angular17 back to develop after merge
     needs: [test, api-test, e2e, custom-config-test]
     runs-on: ubuntu-latest
     steps:
       - name: "Check out Git repository"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
       - name: "Install Heroku CLI"
         run: curl https://cli-assets.heroku.com/install.sh | sh
-      - name: "Set Heroku app & branch for ${{ github.ref }}"
+      - name: "Set Heroku app & branch for ${{ github.ref }}" # TODO Switch angular17 back to develop after merge
         run: |
           if [ "$GITHUB_REF" == "refs/heads/master" ]; then
           echo "HEROKU_APP=juice-shop" >> $GITHUB_ENV

.github/workflows/lint-fixer.yml

@@ -12,8 +12,6 @@ jobs:
       uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
       with:
         node-version: 20
-    - name: "Install CLI tools"
-      run: npm install -g @angular/cli
     - name: "Install application"
       run: |
         npm install --ignore-scripts

.github/workflows/release.yml

@@ -4,7 +4,6 @@ on:
     tags:
       - v*
 env:
-  ANGULAR_CLI_VERSION: 17
   CYCLONEDX_NPM_VERSION: '^1.12.0'
 jobs:
   package:
@@ -22,7 +21,6 @@ jobs:
           node-version: ${{ matrix.node-version }}
       - name: "Install CLI tools"
         run: |
-          npm install -g @angular/cli@$ANGULAR_CLI_VERSION
           npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION
           npm install -g grunt-cli
       - name: "Set packaging options for Grunt"

app.json

@@ -19,5 +19,8 @@
   ],
   "website": "https://owasp-juice.shop",
   "repository": "https://github.com/juice-shop/juice-shop",
-  "logo": "https://raw.githubusercontent.com/juice-shop/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo.png"
+  "logo": "https://raw.githubusercontent.com/juice-shop/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo.png",
+  "engines": {
+    "node": "20.x"
+  }
 }

config.schema.yml

@@ -732,3 +732,8 @@ ctf:
         type: string
       code:
         type: string
+    yamlBombChallenge:
+      name:
+        type: string
+      code:
+        type: string

config/fbctf.yml

@@ -339,3 +339,6 @@ ctf:
     exposedCredentialsChallenge:
       name: Montenegro
       code: ME
+    yamlBombChallenge:
+      name: Eswatini
+      code: SZ

cypress.config.ts

@@ -15,19 +15,6 @@ export default defineConfig({
     fixturesFolder: false,
     supportFile: 'test/cypress/support/e2e.ts',
     setupNodeEvents (on: any) {
-      on('before:browser:launch', (browser: any = {}, launchOptions: any) => { // TODO Remove after upgrade to Cypress >=12.5.0 <or> Chrome 119 become available on GitHub Workflows, see https://github.com/cypress-io/cypress-documentation/issues/5479
-        if (browser.name === 'chrome' && browser.isHeadless) {
-          launchOptions.args = launchOptions.args.map((arg: any) => {
-            if (arg === '--headless') {
-              return '--headless=new'
-            }
-
-            return arg
-          })
-        }
-        return launchOptions
-      })
-
       on('task', {
         GenerateCoupon (discount: number) {
           return security.generateCoupon(discount)

data/datacreator.ts

@@ -248,7 +248,7 @@ async function createQuantity () {
 async function createMemories () {
   const memories = [
     MemoryModel.create({
-      imagePath: 'assets/public/images/uploads/😼-#zatschi-#whoneedsfourlegs-1572600969477.jpg',
+      imagePath: 'assets/public/images/uploads/ᓚᘏᗢ-#zatschi-#whoneedsfourlegs-1572600969477.jpg',
       caption: '😼 #zatschi #whoneedsfourlegs',
       UserId: datacache.users.bjoernOwasp.id
     }).catch((err: unknown) => {

data/static/challenges.yml

@@ -1057,6 +1057,21 @@
   - Docker
   - Heroku
   - Gitpod
+-
+  name: 'Memory Bomb'
+  category: 'Insecure Deserialization'
+  tags:
+    - Danger Zone
+  description: 'Drop some explosive data into a vulnerable file-handling endpoint.'
+  difficulty: 5
+  hint: 'This one is actually similar to the XXE DoS challenge in every way except the data format being (ab)used.'
+  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/insecure-deserialization.html#_drop_some_explosive_data_into_a_vulnerable_file_handling_endpoint'
+  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
+  key: yamlBombChallenge
+  disabledEnv:
+  - Docker
+  - Heroku
+  - Gitpod
 -
   name: 'Zero Stars'
   category: 'Improper Input Validation'