public IActionResult AllStringInFormCsrfProtected()
{
var model = new AccountUserViewModel();
model.SearchText = "(None)";
return(View(model));
}
static void Main(string[] args)
{
ClientAuthentication.baseWebAddress = "http://*****:*****@itsligo.ie", "LBowles$1"))
{
Console.WriteLine("Successful login Token acquired {0} user status is {1}", ClientAuthentication.AuthToken, ClientAuthentication.AuthStatus.ToString());
try
{
AccountUserViewModel acuvm = ClientAuthentication.getItem <AccountUserViewModel>("api/AccountManager/getAccounts");
if (acuvm != null)
{
Console.WriteLine("Got {0} accounts for current logged in user {1}", acuvm.accounts.Count(), acuvm.AccountManagerName);
// Get account list using current UserID
List <Account> accounts = ClientAuthentication.getList <Account>("api/AccountManager/getAccountsForCurrentManager/" + acuvm.AccountManagerID);
foreach (var item in accounts)
{
Console.WriteLine("Account Name {0}", item.AccountName);
}
}
}
catch (Exception ex)
{
Console.WriteLine("Error {0} --> {1}", ex.Message, ex.InnerException.Message);
}
Console.ReadKey();
}
}
public IActionResult AllIntInForm()
{
var model = new AccountUserViewModel();
model.SearchText = "(None)";
return(View(model));
}
public IActionResult AllStringLineBreakSafeSecond()
{
var model = new AccountUserViewModel();
model.SearchText = "(None)";
return(View(model));
}
public IActionResult QueryStringKey()
{
var model = new AccountUserViewModel();
try
{
if (Request.Query.Keys.Count == 0)
{
model.SearchText = "(None)";
model.Foods = new List <FoodDisplayView>();
}
else
{
var key = Request.Query.Keys.First();
model.SearchText = Request.Query[key];
var searchText = "SELECT * FROM FoodDisplayView WHERE " + key + " LIKE '%' + @Name + '%'";
model.Foods = _context.ExecSQL <FoodDisplayView>(searchText, new SqlParameter("@Name", Request.Query[key].ToString()));
}
return(View(model));
}
catch
{
return(View(CreateModelForError(model.SearchText)));
}
}
public IActionResult FalsePositive_Calc(string foodId)
{
int calculated = 0;
var model = new AccountUserViewModel();
DataTable dt = new DataTable();
try
{
calculated = (int)dt.Compute(foodId, "");
}
catch
{
try
{
calculated = int.Parse(foodId);
}
catch
{
model.SearchText = "(Error)";
model.Foods = new List <FoodDisplayView>();
return(View(model));
}
}
model.SearchText = calculated.ToString();
model.Foods = _context.ExecSQL <FoodDisplayView>("SELECT * FROM FoodDisplayView WHERE FoodID = @FoodId", new SqlParameter("@FoodID", calculated));
return(View(model));
}
public IActionResult StringInCookie()
{
AccountUserViewModel model;
var previousSearchValue = HttpContext.Request.Cookies["FoodNameSearch"];
if (!string.IsNullOrEmpty(previousSearchValue))
{
try
{
model = UnsafeModel(previousSearchValue);
}
catch
{
model = new AccountUserViewModel();
model.SearchText = "(None)";
}
}
else
{
model = new AccountUserViewModel();
model.SearchText = "(None)";
}
return(View(model));
}
public IActionResult StringInCookie(string foodName)
{
try
{
var options = new CookieOptions();
options.Expires = DateTime.Now.AddYears(1);
options.HttpOnly = false;
options.SameSite = SameSiteMode.None;
options.IsEssential = true;
HttpContext.Response.Cookies.Append("FoodNameSearch", foodName, options);
var searchText = "SELECT * FROM FoodDisplayView WHERE FoodName LIKE '%' + @FoodName + '%'";
var model = new AccountUserViewModel();
model.SearchText = foodName;
model.Foods = _context.ExecSQL <FoodDisplayView>(searchText, new SqlParameter("@FoodName", foodName));
return(View(model));
}
catch
{
return(View(CreateModelForError(foodName)));
}
}
public IActionResult IntInCookie(string foodGroupId)
{
ViewBag.AvailableValues = _context.FoodGroup.Select(g => new SearchItemViewModel()
{
Text = g.FoodGroupText, Value = g.FoodGroupId.ToString(), IsSelected = g.FoodGroupId.ToString() == foodGroupId
});
try
{
var options = new CookieOptions();
options.Expires = DateTime.Now.AddYears(1);
options.HttpOnly = false;
options.SameSite = SameSiteMode.None;
options.IsEssential = true;
HttpContext.Response.Cookies.Append("FoodGroupIdSearch", foodGroupId, options);
var searchText = "SELECT * FROM FoodDisplayView WHERE FoodGroupID = @FoodGroupID";
var model = new AccountUserViewModel();
model.SearchText = foodGroupId;
model.Foods = _context.ExecSQL <FoodDisplayView>(searchText, new SqlParameter("@FoodGroupID", foodGroupId));
return(View(model));
}
catch
{
return(View(CreateModelForError(foodGroupId)));
}
}
public IActionResult ValueShadowing(string foodName)
{
if (Request.Cookies["foodName"] != null)
{
foodName = Request.Cookies["foodName"];
}
if (Request.Query.Keys.Contains("foodName"))
{
foodName = Request.Query["foodName"];
}
var model = new AccountUserViewModel();
if (foodName != null && Request.Method != "GET")
{
model.SearchText = foodName;
model.Foods = _context.ExecSQL <FoodDisplayView>("SELECT * FROM FoodDisplayView WHERE FoodName LIKE '%' + @FoodName + '%'", new SqlParameter("@FoodName", foodName));
}
else
{
model.SearchText = "(None)";
model.Foods = new List <FoodDisplayView>();
}
return(View(model));
}
private AccountUserViewModel CreateModelForError(string foodName)
{
var model = new AccountUserViewModel();
model.SearchText = "An error occurred searching for " + foodName;
model.Foods = new List <FoodDisplayView>();
return(model);
}
public IActionResult XSS(string foodName)
{
var model = new AccountUserViewModel();
model.SearchText = foodName;
model.Foods = _dbContext.ExecSQL <FoodDisplayView>("SELECT * FROM FoodDisplayView WHERE FoodName LIKE '%' + @FoodName + '%'", new SqlParameter("@FoodName", foodName));
return(View(model));
}
private AccountUserViewModel CreateModel(string foodName)
{
var model = new AccountUserViewModel();
model.SearchText = foodName;
model.Foods = _context.ExecSQL <FoodDisplayView>("SELECT * FROM FoodDisplayView WHERE FoodName LIKE '%' + @FoodName + '%'", new SqlParameter("@FoodName", foodName));
return(model);
}
public IActionResult FileInclusion(AccountUserViewModel model)
{
var fullFilePath = _hostEnv.ContentRootPath + "\\wwwroot\\text\\" + model.SearchText;
var fileContents = System.IO.File.ReadAllText(fullFilePath);
ViewBag.FileContents = fileContents;
return(View(model));
}
// 유저 정보 변경 - update
public IActionResult UpdateUser(string id)
{
AccountUserViewModel viewModel = new AccountUserViewModel()
{
Email = id
};
return(View(viewModel));
}
private AccountUserViewModel UnsafeModel_Int(string foodId)
{
var model = new AccountUserViewModel();
model.SearchText = foodId;
var searchText = "SELECT * FROM FoodDisplayView WHERE FoodId = " + foodId;
model.Foods = _context.ExecSQL <FoodDisplayView>(searchText, null);
return(model);
}
private AccountUserViewModel CreateUnsafeGenericModel(string foodName)
{
var model = new AccountUserViewModel();
model.SearchText = foodName;
var searchText = "SELECT * FROM FoodDisplayView WHERE FoodName LIKE '%" + foodName + "%'";
model.Foods = _dbContext.ExecSQL <FoodDisplayView>(searchText, null);
return(model);
}
// 유저 정보 수정
public AccountUser UpdateUser(AccountUserViewModel model)
{
AccountUser accountUser = context.AccountUsers.Where(a => a.UserName == model.Email).FirstOrDefault();
if (accountUser != null)
{
accountUser.Email = model.Email;
accountUser.Address = model.Address;
accountUser.PhoneNumber = model.PhoneNumber;
}
return(accountUser);
}
public async Task <IActionResult> Invite(Guid?VendorId, bool IsVendor = false)
{
var model = new AccountUserViewModel();
model.IsVendor = IsVendor;
if (IsVendor)
{
model.systemPermission = SystemPermissions.Vendor;
}
model.VendorId = VendorId;
await PopulateDropDownVendors(model);
return(View(model));
}
public IActionResult AllIntInQSQuoteEscaped(string foodId)
{
try
{
var escaped = foodId.Replace("'", "''");
var model = new AccountUserViewModel();
model.SearchText = escaped;
var query = "SELECT * FROM FoodDisplayView WHERE FoodID = " + foodId;
model.Foods = _context.ExecSQL <FoodDisplayView>(query, null);
return(View(model));
}
catch
{
return(View(CreateModelForError(foodId)));
}
}
public async Task <IActionResult> Edit()
{
//Get current user
var currentUser = await _userManager.GetUserAsync(User);
//Populate view model
AccountUserViewModel model = new AccountUserViewModel();
model.Email = currentUser.Email;
model.FirstName = currentUser.FirstName;
model.LastName = currentUser.LastName;
model.Password = string.Empty;
model.RePassword = string.Empty;
return(View(model));
}
public IActionResult StoredXSS()
{
var user = _authManager.GetLoggedInUser();
if (user == null)
{
return(NotFound($"Unable to load user."));
}
var foodGroup = user.FavoriteFoodGroup == null ? "(Not set)" : user.FavoriteFoodGroup;
var model = new AccountUserViewModel();
model.SearchText = foodGroup;
model.Foods = _dbContext.ExecSQL <FoodDisplayView>("SELECT * FROM FoodDisplayView WHERE FoodGroup LIKE '%' + @FoodGroup + '%'", new SqlParameter("@FoodGroup", foodGroup));
return(View(model));
}
public IActionResult MD5Hash(string foodName)
{
var model = new AccountUserViewModel();
model.SearchText = foodName;
model.Foods = _context.ExecSQL <FoodDisplayView>("SELECT * FROM FoodDisplayView WHERE FoodName LIKE '%' + @FoodName + '%'", new SqlParameter("@FoodName", foodName));
using (var hash = MD5.Create())
{
var foodNameAsBytes = System.Text.Encoding.UTF8.GetBytes(foodName);
var hashedBytes = hash.ComputeHash(foodNameAsBytes);
var hashedAsString = System.Text.Encoding.UTF8.GetString(hashedBytes);
Response.Cookies.Append("FoodNameHash", hashedAsString);
}
return(View(model));
}
public IActionResult FalsePositive_Error(string foodName)
{
try
{
if (foodName.Contains("'"))
{
throw new Exception("String cannot have an apostrophe");
}
var model = new AccountUserViewModel();
model.Foods = _context.ExecSQL <FoodDisplayView>("SELECT * FROM FoodDisplayView WHERE FoodName LIKE '%' + @FoodName + '%'", new SqlParameter("@FoodName", foodName));
return(View(model));
}
catch
{
return(View(CreateModelForError("An error occurred")));
}
}
public async Task <IActionResult> Register(AccountUserViewModel model)
{
//Check if passwords match
if (model.Password != model.RePassword)
{
//Display error
ModelState.AddModelError(string.Empty, "Password does not match.");
return(View());
}
//Create new user using information from view model
var newUser = new User()
{
UserName = model.Email,
Email = model.Email,
FirstName = model.FirstName,
LastName = model.LastName
};
//Use User Manager to create new user
var userCreationResult = await _userManager.CreateAsync(newUser, model.Password);
if (!userCreationResult.Succeeded) //user creation failed
{
//Display all errors from failure adn display
foreach (var error in userCreationResult.Errors)
{
ModelState.AddModelError(string.Empty, error.Description);
}
return(View());
}
//Send email confirmation
var emailConfirmationToken = await _userManager.GenerateEmailConfirmationTokenAsync(newUser); //create confirmation token
var tokenVerificationURL = Url.Action("VerifyEmail", "Account", new { id = newUser.Id, token = emailConfirmationToken }, Request.Scheme); //get url
//Send email
await _messageService.Send(model.Email, "Verify your email", $"Click <a href=\"{tokenVerificationURL}\">here</a> to verify your email");
//Show page telling user to check email
return(Content("Check your email for a verification link"));
}
public IActionResult AllStringLineBreakSafeSecond(string foodName, string foodGroup)
{
try
{
var model = new AccountUserViewModel();
model.SearchText = $"Food Name: {foodName}, Food Group: {foodGroup}";
var searchText = @"SELECT *
FROM FoodDisplayView
WHERE FoodName LIKE '%" + foodName + "%' OR " +
"FoodGroup LIKE '%' + @FoodGroup + '%'";
model.Foods = _context.ExecSQL <FoodDisplayView>(searchText, new SqlParameter("@FoodGroup", foodGroup));
return(View(model));
}
catch
{
return(View(CreateModelForError(foodName)));
}
}
public IActionResult IntInCookie()
{
AccountUserViewModel model;
var previousSearchValue = HttpContext.Request.Cookies["FoodGroupIdSearch"];
if (!string.IsNullOrEmpty(previousSearchValue))
{
try
{
ViewBag.AvailableValues = _context.FoodGroup.Select(g => new SearchItemViewModel()
{
Text = g.FoodGroupText, Value = g.FoodGroupId.ToString(), IsSelected = g.FoodGroupId.ToString() == previousSearchValue
});
model = new AccountUserViewModel();
model.SearchText = previousSearchValue;
var searchText = "SELECT * FROM FoodDisplayView WHERE FoodGroupId = " + previousSearchValue;
model.Foods = _context.ExecSQL <FoodDisplayView>(searchText, null);
}
//Let's make sure that we can't lock ourselves out of the page
catch
{
ViewBag.AvailableValues = _context.FoodGroup.Select(g => new SearchItemViewModel()
{
Text = g.FoodGroupText, Value = g.FoodGroupId.ToString(), IsSelected = false
});
model = new AccountUserViewModel();
model.SearchText = "(None)";
}
}
else
{
ViewBag.AvailableValues = _context.FoodGroup.Select(g => new SearchItemViewModel()
{
Text = g.FoodGroupText, Value = g.FoodGroupId.ToString(), IsSelected = false
});
model = new AccountUserViewModel();
model.SearchText = "(None)";
}
return(View(model));
}
private async Task PopulateDropDownVendors(AccountUserViewModel model)
{
var vendors = await _accountCtx.Vendors.Where(x => x.AccountId == CommonAccount.Id).Select(m => new SelectListItem
{
Text = m.Name,
Value = m.Id.ToString(),
}).ToListAsync();
model.Vendors.AddRange(vendors);
var permissionslist = Enum.GetValues(typeof(SystemPermissions)).Cast <SystemPermissions>().Where(x => x != SystemPermissions.Administrator).Select(v => new SelectListItem
{
Text = v.ToString(),
Value = ((int)v).ToString()
}).ToList();
model.SystemPermissions.AddRange(permissionslist);
}
//This is here to see if SAST scanners will pick it up
private AccountUserViewModel UnsafeModel_Format_Query(string foodName)
{
var query = string.Format("SELECT * FROM FoodDisplayView WHERE FoodName LIKE '%{0}%'", foodName);
var model = new AccountUserViewModel();
model.SearchText = foodName;
using (var connection = new SqlConnection(_config.GetConnectionString("DefaultConnection")))
{
var command = connection.CreateCommand();
command.CommandText = query;
connection.Open();
var foods = new List <FoodDisplayView>();
using (var reader = command.ExecuteReader())
{
while (reader.Read())
{
var newFood = new FoodDisplayView();
newFood.FoodID = reader.GetInt32(0);
newFood.FoodGroupID = reader.GetInt32(1);
newFood.FoodGroup = reader.GetString(2);
newFood.FoodName = reader.GetString(3);
newFood.Calories = reader.GetNullableInt(4);
newFood.Protein = reader.GetNullableDouble(5);
newFood.Fat = reader.GetNullableDouble(6);
newFood.Carbohydrates = reader.GetNullableDouble(7);
foods.Add(newFood);
}
}
model.Foods = foods;
connection.Close();
}
return(model);
}
public async Task <IActionResult> Edit(AccountUserViewModel model)
{
//Check if passwords match
if (model.Password != model.RePassword)
{
//Display error
ModelState.AddModelError("Password", "Passwords do not match.");
return(View(model));
}
//Get current user
var currentUser = await _userManager.GetUserAsync(User);
if (currentUser == null) //user not found
{
throw new InvalidOperationException();
}
//Check if confirmation password is correct
var passwordCheck = await _userManager.CheckPasswordAsync(currentUser, model.Password);
if (!passwordCheck) //password incorrect
{
//Display error
ModelState.AddModelError("Password", "Incorrect password.");
return(View(model));
}
//Update current user data
currentUser.Email = model.Email;
currentUser.UserName = model.Email;
currentUser.FirstName = model.FirstName;
currentUser.LastName = model.LastName;
//Use user manager to update user
await _userManager.UpdateAsync(currentUser);
//Redirect to home page
return(RedirectToAction("Index", "Home"));
}
