✒️ refactor(like-service, docs): Document like-service, refactor env …

…variables

README.md

@@ -32,6 +32,7 @@ Unguard is composed of eight microservices written in different languages that t
 | [proxy-service](./src/proxy-service)                       | Java Spring     | unguard-proxy   | Serves REST API for proxying requests from frontend (vulnerable to SSRF; no sanitization on the entered URL).                               |
 | [profile-service](./src/profile-service)                   | Java Spring     | default         | Serves REST API for updating biography information in a H2 database; vulnerable to SQL injection attacks                                    |
 | [membership-service](./src/membership-service)             | .NET 7          | default         | Serves REST API for updating user memberships in a MariaDB; vulnerable to SQL injection attacks                                             |
+| [like-service](./src/like-service)                         | PHP             | default         | Serves REST API for liking and unliking posts using MariaDB; vulnerable to an SQL injection attack for removing other users' likes          |
 | [user-auth-service](./src/user-auth-service)               | Node.js Express | default         | Serves REST API for authenticating users with JWT tokens (vulnerable to JWT key confusion).                                                 |
 | [status-service](./src/status-service)                     | Go              | unguard-status  | Serves REST API for Kubernetes deployments health, as well as a user and user role list (vulnerable to SQL injection)                       |
 | jaeger                                                     |                 | default         | The [Jaeger](https://www.jaegertracing.io/) stack for distributed tracing.                                                                  |

chart/templates/like-service.yaml

@@ -70,8 +70,8 @@ spec:
             - name: JAEGER_SERVICE_NAME
               value: {{quote (printf "unguard-%s" .Values.likeService.name) }}
             {{if .Values.tracing.enabled}}
-            - name: JAEGER_AGENT_HOST
-              value: {{ quote (printf "%s-%s" .Values.jaeger.name .Values.likeService.deployment.container.env.JAEGER_AGENT_HOST) }}
+            - name: JAEGER_COLLECTOR_HOST
+              value: {{ quote (printf "%s-%s" .Values.jaeger.name .Values.likeService.deployment.container.env.JAEGER_COLLECTOR_HOST) }}
             - name: JAEGER_PORT
               value: {{ quote .Values.likeService.deployment.container.env.JAEGER_PORT }}
             - name: SERVICE_NAME

chart/values.yaml

@@ -400,7 +400,7 @@ likeService:
       ports:
         containerPort: 8000
       env:
-        JAEGER_AGENT_HOST: collector # PHP OpenTelemetry sends data to jaeger-collector instead of jaeger-agent
+        JAEGER_COLLECTOR_HOST: collector # PHP OpenTelemetry sends data to jaeger-collector instead of jaeger-agent
         JAEGER_DISABLED: true
         JAEGER_PORT: 4318
         SERVICE_NAME: unguard-like-service

exploit-toolkit/exploits/sql-injection/README.md

@@ -1,5 +1,6 @@
 # SQL injection
 
-Unguard has two SQL injection vulnerabilities:
+Unguard has three SQL injection vulnerabilities:
 * [One in the Java `profile-service`](./SQLI-PROFILE-SERVICE-H2.md), which is exploitable through the user biography and allows you to access the h2 database.
 * [One in the Golang `status-service`](./SQLI-STATUS-SERVICE-MARIADB.md), which is exploitable through the search bar on the Users page and allows you to access the MariaDB database.
+* [One in the PHP `like-service`](./SQLI-LIKE-SERVICE-REMOVE-LIKE.md), which allows you to remove another user's like on a given post if you send the right parameters.

src/like-service/.env

@@ -1,4 +1,4 @@
-APP_NAME=unguard-like-service
+APP_NAME="${SERVICE_NAME}"
 APP_ENV=local
 APP_KEY=
 APP_DEBUG=true
@@ -7,8 +7,8 @@ APP_URL=http://localhost
 LOG_CHANNEL=stderr
 
 DB_CONNECTION=mysql
-DB_HOST=unguard-mariadb
-DB_PORT=3306
+DB_HOST="${UNGUARD_MARIADB_SERVICE_HOST}"
+DB_PORT="${UNGUARD_MARIADB_SERVICE_PORT_MYSQL}"
 DB_DATABASE=likeDb
 DB_USERNAME=root
 DB_PASSWORD=
@@ -44,5 +44,3 @@ PUSHER_APP_CLUSTER=mt1
 
 MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
 MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
-
-UNGUARD_USER_AUTH_SERVICE_ADDRESS=unguard-user-auth-service

src/like-service/Dockerfile

@@ -15,7 +15,7 @@ COPY . /var/www
 ADD https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions /usr/local/bin/
 
 RUN chmod +x /usr/local/bin/install-php-extensions && \
-    install-php-extensions opentelemetry
+    install-php-extensions opentelemetry-1.0.0RC1
 
 #This is faster https://github.com/composer/composer/issues/8205#issuecomment-507256979
 RUN php /usr/bin/composer config --global repos.packagist composer https://packagist.org

src/like-service/README.md

@@ -1,61 +1,86 @@
-<p align="center"><a href="https://laravel.com" target="_blank"><img src="https://raw.githubusercontent.com/laravel/art/master/logo-lockup/5%20SVG/2%20CMYK/1%20Full%20Color/laravel-logolockup-cmyk-red.svg" width="400"></a></p>
-
-<p align="center">
-<a href="https://travis-ci.org/laravel/framework"><img src="https://travis-ci.org/laravel/framework.svg" alt="Build Status"></a>
-<a href="https://packagist.org/packages/laravel/framework"><img src="https://poser.pugx.org/laravel/framework/d/total.svg" alt="Total Downloads"></a>
-<a href="https://packagist.org/packages/laravel/framework"><img src="https://poser.pugx.org/laravel/framework/v/stable.svg" alt="Latest Stable Version"></a>
-<a href="https://packagist.org/packages/laravel/framework"><img src="https://poser.pugx.org/laravel/framework/license.svg" alt="License"></a>
-</p>
-
-## About Laravel
-
-Laravel is a web application framework with expressive, elegant syntax. We believe development must be an enjoyable and creative experience to be truly fulfilling. Laravel takes the pain out of development by easing common tasks used in many web projects, such as:
-
-- [Simple, fast routing engine](https://laravel.com/docs/routing).
-- [Powerful dependency injection container](https://laravel.com/docs/container).
-- Multiple back-ends for [session](https://laravel.com/docs/session) and [cache](https://laravel.com/docs/cache) storage.
-- Expressive, intuitive [database ORM](https://laravel.com/docs/eloquent).
-- Database agnostic [schema migrations](https://laravel.com/docs/migrations).
-- [Robust background job processing](https://laravel.com/docs/queues).
-- [Real-time event broadcasting](https://laravel.com/docs/broadcasting).
-
-Laravel is accessible, powerful, and provides tools required for large, robust applications.
-
-## Learning Laravel
-
-Laravel has the most extensive and thorough [documentation](https://laravel.com/docs) and video tutorial library of all modern web application frameworks, making it a breeze to get started with the framework.
-
-If you don't feel like reading, [Laracasts](https://laracasts.com) can help. Laracasts contains over 1500 video tutorials on a range of topics including Laravel, modern PHP, unit testing, and JavaScript. Boost your skills by digging into our comprehensive video library.
-
-## Laravel Sponsors
-
-We would like to extend our thanks to the following sponsors for funding Laravel development. If you are interested in becoming a sponsor, please visit the Laravel [Patreon page](https://patreon.com/taylorotwell).
-
-### Premium Partners
-
-- **[Vehikl](https://vehikl.com/)**
-- **[Tighten Co.](https://tighten.co)**
-- **[Kirschbaum Development Group](https://kirschbaumdevelopment.com)**
-- **[64 Robots](https://64robots.com)**
-- **[Cubet Techno Labs](https://cubettech.com)**
-- **[Cyber-Duck](https://cyber-duck.co.uk)**
-- **[Many](https://www.many.co.uk)**
-- **[Webdock, Fast VPS Hosting](https://www.webdock.io/en)**
-- **[DevSquad](https://devsquad.com)**
-- **[OP.GG](https://op.gg)**
-
-## Contributing
-
-Thank you for considering contributing to the Laravel framework! The contribution guide can be found in the [Laravel documentation](https://laravel.com/docs/contributions).
-
-## Code of Conduct
-
-In order to ensure that the Laravel community is welcoming to all, please review and abide by the [Code of Conduct](https://laravel.com/docs/contributions#code-of-conduct).
-
-## Security Vulnerabilities
-
-If you discover a security vulnerability within Laravel, please send an e-mail to Taylor Otwell via [taylor@laravel.com](mailto:taylor@laravel.com). All security vulnerabilities will be promptly addressed.
-
-## License
-
-The Laravel framework is open-sourced software licensed under the [MIT license](https://opensource.org/licenses/MIT).
+# Like Service
+
+Provides REST endpoints for retrieving and updating like counts for posts in MariaDB:
+* `POST like-service/like-service/like-delete`
+    ```
+    Request body:
+    {
+        "postId": 123
+    }
+    ```
+* `POST like-service/like-service/like-post`
+    ```
+    Request body:
+    {
+        "postId": 123
+    }
+    ```
+* `GET like-service/like-service/like-count/{postId}`
+    ```
+    Response:
+    {
+        "likeCount": 123,
+        "userLiked": true
+    }
+    ``````
+* `GET like-service/like-service/like-count?postIds=1&postIds=2&postIds=3&postIds=4...`
+    ```
+    Response:
+    {
+        "likeCounts": [
+            {"postId": 1, "likeCount": 123},
+            {"postId": 2, "likeCount": 456},
+            {"postId": 3, "likeCount": 789},
+            {"postId": 4, "likeCount": 135},
+            ...
+        ],
+        "likedPosts": [
+            {"postId": 1},
+            {"postId": 3},
+            ...
+        ]
+    }
+    ```
+All the endpoints require that a JWT cookie be sent for authentication with the the `user-auth-service`. This cookie is obtained by logging in and links the requests to a user ID.
+
+# How to run locally
+The Like Service can either be run using `skaffold dev` (see [DEV-GUIDE](../../docs/DEV-GUIDE.md)), or it can be run locally, provided that you have the following requirements installed.
+
+## Requirements
+* PHP 8.0 with `opentelemetry` and MySQL (`mysqli`, `pdo`, `pdo_mysql`) extensions installed
+* Composer
+* MariaDB instance (see [user-auth-service README](../user-auth-service/README.md) for setting it up)
+
+## Environment Variables
+The following environment variables need to be set:
+
+| Name                      | Example Value                     | Description                                                 |
+|---------------------------|-----------------------------------|-------------------------------------------------------------|
+| SERVICE_NAME              | unguard-like-service              | Name of the service                                         |
+| API_PATH                  | /like-service                     | Api entrypoint path                                         |
+| SERVER_PORT               | 8000                              | The port that the server will run on                        |
+| USER_AUTH_SERVICE_ADDRESS | unguard-user-auth-service-service | Change to hostname/IP of user-auth-service instance         |
+| DB_HOST                   | localhost                         | Address of MariaDB instance                                 |
+| DB_PORT                   | 3306                              | Port of MariaDB instance                                    |
+| DB_DATABASE               | likeDb                            | Database to create and use on the MariaDB instance          |
+| DB_USERNAME               | root                              | Username of the MariaDB user                                |
+| MARIADB_PASSWORD          |                                   | Password of the MariaDB user                                |
+| JAEGER_DISABLED           | true                              | Set to 'false' if you have a Jaeger instance running        |
+| JAEGER_COLLECTOR_HOST     | collector                         | Change to hostname/IP of your Jaeger collector              |
+| JAEGER_PORT               | 4318                              | The jaeger collector port for HTTP OTLP traffic             |
+| JAEGER_SERVICE_NAME       | unguard-like-service              | Name that will be used for the service in the Jaeger traces |
+
+## Setup
+Install the required packages: 
+```
+composer install
+```
+Create the database and create tables:
+```
+php artisan make:database
+php artisan migrate:fresh
+```
+Run Laravel:
+```
+php artisan serve
+```

src/like-service/app/Console/Commands/CreateDatabase.php

@@ -55,9 +55,9 @@ public function __construct()
      */
     public function handle()
     {
-        $host = getenv('UNGUARD_MARIADB_SERVICE_HOST', false);
-        $port = getenv('UNGUARD_MARIADB_SERVICE_PORT_MYSQL', false);
-        $rootuser = 'root';
+        $host = getenv('DB_HOST', false);
+        $port = getenv('DB_PORT', false);
+        $rootuser = getenv('DB_USERNAME', false);
         $password = getenv('MARIADB_PASSWORD', false);
         $address = $host . ":" . $port;
         $dbName = getenv('DB_DATABASE', false);

src/like-service/app/Http/Controllers/LikeController.php

@@ -44,9 +44,7 @@ static function doLike($request)
             'userId' => $userId,
             'postId' => $postId
         ]);
-        return response()->json([
-            'message' => 'Authorized'
-        ], 200);
+        return response()->make();
     }
 
     static function getLikeCountAndState($request, $postId)
@@ -119,9 +117,7 @@ static function removeLike($request)
 
         $query->setBindings($bindings)->delete();
 
-        return response()->json([
-            'userId' => $userId,
-        ], 200);
+        return response()->make();
     }
 
     static function validateToken($user_token)

src/like-service/config/app.php

@@ -29,10 +29,10 @@
     |
     */
 
-    'name' => env('APP_NAME', 'Laravel'),
+    'name' => env('SERVICE_NAME', 'unguard-like-service'),
 
     'auth_service_url' => 'http://' .
-        getenv('UNGUARD_USER_AUTH_SERVICE_ADDRESS') .
+        getenv('USER_AUTH_SERVICE_ADDRESS') .
         '/auth/isValid/',
 
     /*

src/like-service/config/database.php

@@ -52,13 +52,11 @@
     'connections' => [
         'mysql' => [
             'driver' => 'mysql',
-            'url' => env('DATABASE_URL'),
-            'host' => env('UNGUARD_MARIADB_SERVICE_HOST', '127.0.0.1'),
-            'port' => env('UNGUARD_MARIADB_SERVICE_PORT_MYSQL', '3306'),
-            'database' => env('DB_DATABASE', 'forge'),
+            'host' => env('DB_HOST', '127.0.0.1'),
+            'port' => env('DB_PORT', '3306'),
+            'database' => env('DB_DATABASE', 'likeDb'),
             'username' => env('DB_USERNAME', 'root'),
             'password' => env('MARIADB_PASSWORD', ''),
-            'unix_socket' => env('DB_SOCKET', ''),
             'charset' => 'utf8mb4',
             'collation' => 'utf8mb4_unicode_ci',
             'prefix' => '',

src/like-service/public/index.php

@@ -78,7 +78,7 @@
 if (strtolower(getenv('JAEGER_DISABLED', false)) === "false") {
     Globals::registerInitializer(function (Configurator $configurator) {
         $propagator = JaegerPropagator::getInstance();
-        $transport = (new OtlpHttpTransportFactory())->create('http://' . getenv('JAEGER_AGENT_HOST', false) . ':' . getenv('JAEGER_PORT', false) . '/v1/traces', ContentTypes::JSON);
+        $transport = (new OtlpHttpTransportFactory())->create('http://' . getenv('JAEGER_COLLECTOR_HOST', false) . ':' . getenv('JAEGER_PORT', false) . '/v1/traces', ContentTypes::JSON);
         $exporter = new SpanExporter($transport);
 
         $resource = ResourceInfo::create(Attributes::create([