Add vuln testing apps

Author: timothywarner

NodeGoat/.dockerignore

@@ -0,0 +1,6 @@
+Dockerfile
+docker-compose.yml
+.dockerignore
+.git
+.github
+.gitignore

NodeGoat/.github/workflows/e2e-test.yml

@@ -0,0 +1,61 @@
+name: E2E Test
+on: [push, pull_request]
+
+jobs:
+  e2e-test:
+    name: Node.js
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: ["10.x", "12.x", "14.x"]
+
+    steps:
+      - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }}
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+
+      - name: Set up Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Use cache
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.npm
+            ~/.cache
+          key: ${{ runner.os }}-node${{ matrix.node-version }}-E2E-${{ hashFiles('package-lock.json') }}
+
+      - name: Install dependencies
+        run: |
+          npm ci
+          npm run cy:verify
+
+      - name: Start MongoDB
+        run: |
+          docker run -d -p 27017:27017 mongo:4.0
+          timeout 60s bash -c 'until nc -z -w 2 localhost 27017 && echo MongoDB ready; do sleep 2; done'
+
+      - name: Run E2E test suite
+        id: test-suite
+        run: |
+          NODE_ENV=test npm start -- --silent &
+          npm run test:ci -- --config video=true
+
+      - name: Prepare cypress artifacts
+        if: failure() && (steps.test-suite.outcome == 'failure')
+        working-directory: ./test/e2e
+        run: >
+          mkdir -p "screenshots" && find "screenshots" -mindepth 1 -maxdepth 1 -type d
+          -exec sh -c 'mv -- "videos/$(basename "$1").mp4" "$1"' _ {} \;
+
+      - name: Upload cypress artifacts
+        if: failure() && (steps.test-suite.outcome == 'failure')
+        uses: actions/upload-artifact@v2
+        with:
+          name: cypress-artifacts-node${{ matrix.node-version }}
+          path: test/e2e/screenshots

NodeGoat/.github/workflows/lint.yml

@@ -0,0 +1,26 @@
+name: Lint
+on: [push, pull_request]
+
+jobs:
+  lint:
+    name: Node.js
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: ["14.x"]
+
+    steps:
+      - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }}
+        uses: actions/checkout@v2
+        with:
+          persist-credentials: false
+
+      - name: Set up Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Run linter
+        run: npx --no-install jshint@2.12.0 .

NodeGoat/.gitignore

@@ -0,0 +1,31 @@
+# Node modules
+node_modules
+
+# Logs and databases
+*.log
+*.db
+
+# OS files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+Icon?
+
+# Idea stuff
+.idea/**
+
+# Zap output
+report*.html
+
+# e2e
+test/e2e/screenshots/
+test/e2e/videos/
+
+# ignore sensitive files
+.env.local
+.env
+
+# ignore Snyk Code scanner files
+.dccache

NodeGoat/.jshintignore

@@ -0,0 +1,2 @@
+node_modules/
+app/assets/vendor/

NodeGoat/.jshintrc

@@ -0,0 +1,39 @@
+{
+    "node": true, // Enable globals available when code is running inside of the NodeJS runtime environment.
+    "browser": true, // Standard browser globals e.g. `window`, `document`.
+    "esversion": 9, // Allow EcmaScript 9 syntax.
+    "bitwise": false, // Prohibit bitwise operators (&, |, ^, etc.).
+    "camelcase": true, // Permit only camelcase for `var` and `object indexes`.
+    "curly": false, // Require {} for every new block or scope.
+    "eqeqeq": true, // Require triple equals i.e. `===`.
+    "immed": true, // Require immediate invocations to be wrapped in parens e.g. `( function(){}() );`.
+    "latedef": true, // Prohibit variable use before definition.
+    "newcap": true, // Require capitalization of all constructor functions e.g. `new F()`.
+    "noarg": true, // Prohibit use of `arguments.caller` and `arguments.callee`.
+    "quotmark": "double", // Define quotes to string values.
+    "regexp": true, // Prohibit `.` and `[^...]` in regular expressions.
+    "undef": true, // Require all non-global variables be declared before they are used.
+    "unused": false, // Warn unused variables.
+    "strict": true, // Require `use strict` pragma in every file.
+    "trailing": true, // Prohibit trailing whitespaces.
+    "smarttabs": false, // Suppresses warnings about mixed tabs and spaces.
+    "indent": 4, // Specify indentation spacing.
+    "maxlen": 120, // Max line length.
+    "devel": false, // Allow development statements e.g. `console.log();`.
+    "noempty": true, // Prohibit use of empty blocks.
+    "overrides": {
+        "test/e2e/**": {
+            "globals": {
+                "cy": false,
+                "Cypress": false,
+                "it": false,
+                "describe": false,
+                "before": false,
+                "after": false,
+                "beforeEach": false,
+                "afterEach": false,
+                "expect": false
+            }
+        }
+    }
+}

NodeGoat/.travis.yml

@@ -0,0 +1,36 @@
+os: linux
+dist: xenial
+language: node_js
+services:
+  - docker
+  - xvfb
+node_js:
+  - v8
+  - v10
+  - v12
+
+## Missing dependency for Cypress https://github.com/cypress-io/cypress/issues/4069
+addons:
+  apt:
+    packages:
+    - libgconf-2-4
+
+  
+## Cache NPM folder and Cypress binary
+## to avoid downloading Cypress again and again
+cache:
+  directories:
+    - ~/.npm
+    - ~/.cache
+
+before_script:
+  ## we use the '&' ampersand which tells
+  ## travis to run this process in the background
+  ## else it would block execution and hang travis
+  - docker run -d -p 27017:27017 mongo:4.0
+  - docker ps -a
+  - NODE_ENV=test npm start -- --silent &
+
+script:
+  - npm run test:ci
+

NodeGoat/CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to make participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies within all project spaces, and it also applies when
+an individual is representing the project or its community in public spaces.
+Examples of representing a project or community include using an official
+project e-mail address, posting via an official social media account, or acting
+as an appointed representative at an online or offline event. Representation of
+a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at chetan.karande@owasp.org. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

NodeGoat/CONTRIBUTING.md

@@ -0,0 +1,13 @@
+## Contributing
+
+Contributions from community are key to make NodeGoat a high quality comprehensive resource. Lets make NodeGoat awesome together!
+
+### Ways to Contribute
+Depending on your preference, you can contribute in various ways. Here are tasks planned for [upcoming release](https://github.com/OWASP/NodeGoat/milestones).
+You can also open an issue, sending a PR, or get in touch on [Gitter Chat](https://gitter.im/OWASP/NodeGoat) or [Slack](https://owasp.slack.com/messages/project-nodegoat/)
+
+If sending PR, once code is ready to commit, run:
+```
+npm run precommit
+```
+This command uses `js-beautifier` to indent the code and verifies these [coding standards](https://github.com/OWASP/NodeGoat/blob/master/.jshintrc) using `jsHint`. Please resolve all `jsHint` errors before committing the code.

NodeGoat/Dockerfile

@@ -0,0 +1,18 @@
+FROM node:12-alpine
+ENV WORKDIR /usr/src/app/
+WORKDIR $WORKDIR
+COPY package*.json $WORKDIR
+RUN npm install --production --no-cache
+
+FROM node:12-alpine
+ENV USER node
+ENV WORKDIR /home/$USER/app
+WORKDIR $WORKDIR
+COPY --from=0 /usr/src/app/node_modules node_modules
+RUN chown $USER:$USER $WORKDIR
+COPY --chown=node . $WORKDIR
+# In production environment uncomment the next line
+#RUN chown -R $USER:$USER /home/$USER && chmod -R g-s,o-rx /home/$USER && chmod -R o-wrx $WORKDIR
+# Then all further actions including running the containers should be done under non-root user.
+USER $USER
+EXPOSE 4000