fix all vulnerabilities in the production code (#817)

Signed-off-by: Denis barbaron <denis.barbaron@orange.com>
2026-04-22 22:05:21 +02:00 · 2024-11-29 11:02:11 +01:00
parent 2f54e40206
commit 872b0bcbd8
26 changed files with 160 additions and 13627 deletions
--- a/lib/units/api/index.js
+++ b/lib/units/api/index.js
@@ -7,8 +7,8 @@ var path = require('path')
 var events = require('events')

 var express = require('express')
-var swaggerExpress = require('swagger-express-mw-node12')
-var swaggerUi = require('swagger-tools/middleware/swagger-ui')
+var swaggerExpress = require('autodesk-forks-swagger-express-mw')
+var swaggerUi = require('@targetprocess/swagger-tools/middleware/swagger-ui')
 var cookieSession = require('cookie-session')
 var Promise = require('bluebird')
 var _ = require('lodash')
--- a/lib/units/app/index.js
+++ b/lib/units/app/index.js
@@ -7,12 +7,11 @@ var url = require('url')
 var fs = require('fs')

 var express = require('express')
-var validator = require('express-validator')
 var cookieSession = require('cookie-session')
 var bodyParser = require('body-parser')
 var serveFavicon = require('serve-favicon')
 var serveStatic = require('serve-static')
-var csrf = require('csurf')
+var csrf = require('@dr.pogodin/csurf')
 var compression = require('compression')

 var logger = require('../../util/logger')
@@ -93,7 +92,6 @@ module.exports = function(options) {

  app.use(bodyParser.json())
  app.use(csrf())
-  app.use(validator())

  app.use(function(req, res, next) {
    res.cookie('XSRF-TOKEN', req.csrfToken())
--- a/lib/units/auth/ldap.js
+++ b/lib/units/auth/ldap.js
@@ -5,11 +5,10 @@
 var http = require('http')

 var express = require('express')
-var validator = require('express-validator')
 var cookieSession = require('cookie-session')
 var bodyParser = require('body-parser')
 var serveStatic = require('serve-static')
-var csrf = require('csurf')
+var csrf = require('@dr.pogodin/csurf')
 var Promise = require('bluebird')

 var logger = require('../../util/logger')
@@ -46,7 +45,6 @@ module.exports = function(options) {
  }))
  app.use(bodyParser.json())
  app.use(csrf())
-  app.use(validator())
  app.use('/static/bower_components',
    serveStatic(pathutil.resource('bower_components')))
  app.use('/static/auth/ldap', serveStatic(pathutil.resource('auth/ldap')))
@@ -84,15 +82,12 @@ module.exports = function(options) {
    res.render('index')
  })

-  app.post('/auth/api/v1/ldap', function(req, res) {
+  app.post('/auth/api/v1/ldap', requtil.validators.ldapLoginValidator, function(req, res) {
    var log = logger.createLogger('auth-ldap')
    log.setLocalIdentifier(req.ip)
    switch (req.accepts(['json'])) {
      case 'json':
-        requtil.validate(req, function() {
-            req.checkBody('username').notEmpty()
-            req.checkBody('password').notEmpty()
-          })
+        requtil.validate(req)
          .then(function() {
            return ldaputil.login(
              options.ldap
--- a/lib/units/auth/mock.js
+++ b/lib/units/auth/mock.js
@@ -5,11 +5,10 @@
 var http = require('http')

 var express = require('express')
-var validator = require('express-validator')
 var cookieSession = require('cookie-session')
 var bodyParser = require('body-parser')
 var serveStatic = require('serve-static')
-var csrf = require('csurf')
+var csrf = require('@dr.pogodin/csurf')
 var Promise = require('bluebird')
 var basicAuth = require('basic-auth')

@@ -68,7 +67,6 @@ module.exports = function(options) {
  }))
  app.use(bodyParser.json())
  app.use(csrf())
-  app.use(validator())
  app.use('/static/bower_components',
    serveStatic(pathutil.resource('bower_components')))
  app.use('/static/auth/mock', serveStatic(pathutil.resource('auth/mock')))
@@ -110,15 +108,12 @@ module.exports = function(options) {
    res.render('index')
  })

-  app.post('/auth/api/v1/mock', function(req, res) {
+  app.post('/auth/api/v1/mock', requtil.validators.mockLoginValidator, function(req, res) {
    var log = logger.createLogger('auth-mock')
    log.setLocalIdentifier(req.ip)
    switch (req.accepts(['json'])) {
      case 'json':
-        requtil.validate(req, function() {
-            req.checkBody('name').notEmpty()
-            req.checkBody('email').isEmail()
-          })
+        requtil.validate(req)
          .then(function() {
            return dbapi.checkUserBeforeLogin(req.body)
          })
--- a/lib/units/auth/saml2.js
+++ b/lib/units/auth/saml2.js
@@ -7,7 +7,7 @@ var http = require('http')

 var express = require('express')
 var passport = require('passport')
-var SamlStrategy = require('passport-saml').Strategy
+var SamlStrategy = require('@node-saml/passport-saml').Strategy
 var bodyParser = require('body-parser')
 var _ = require('lodash')

@@ -54,7 +54,7 @@ module.exports = function(options) {

  if (options.saml.certPath) {
    samlConfig = _.merge(samlConfig, {
-      cert: fs.readFileSync(options.saml.certPath).toString()
+      idpCert: fs.readFileSync(options.saml.certPath).toString()
    })
  }

--- a/lib/units/device/plugins/install.js
+++ b/lib/units/device/plugins/install.js
@@ -1,5 +1,5 @@
 //
-// Copyright © 2022 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+// Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
 //

 var stream = require('stream')
@@ -7,7 +7,7 @@ var url = require('url')
 var util = require('util')

 var syrup = require('@devicefarmer/stf-syrup')
-var request = require('request')
+var request = require('@cypress/request')
 var Promise = require('bluebird')

 var logger = require('../../../util/logger')
--- a/lib/units/device/plugins/solo.js
+++ b/lib/units/device/plugins/solo.js
@@ -1,3 +1,7 @@
+/**
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var crypto = require('crypto')

 var syrup = require('@devicefarmer/stf-syrup')
@@ -40,7 +44,7 @@ module.exports = syrup.serial()
        , identity.abi
        , identity.sdk
        , new wire.DeviceDisplayMessage(identity.display)
-        , new wire.DevicePhoneMessage(identity.phone)
+        , new wire.DevicePhoneMessage(Object.assign({}, identity.phone))
        , identity.product
        , identity.cpuPlatform
        , identity.openGLESVersion
--- a/lib/units/device/support/storage.js
+++ b/lib/units/device/support/storage.js
@@ -1,9 +1,13 @@
+/**
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var util = require('util')
 var url = require('url')

 var syrup = require('@devicefarmer/stf-syrup')
 var Promise = require('bluebird')
-var request = require('request')
+var request = require('@cypress/request')

 var logger = require('../../../util/logger')

--- a/lib/units/notify/slack.js
+++ b/lib/units/notify/slack.js
@@ -1,6 +1,10 @@
+/**
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var util = require('util')

-var WebClient = require('@slack/client').WebClient
+var WebClient = require('@slack/web-api')
 var Promise = require('bluebird')

 var logger = require('../../util/logger')
@@ -41,7 +45,9 @@ module.exports = function(options) {
      var format = entry.message.indexOf('\n') === -1 ? '`%s`' : '```%s```'
      var message = util.format(format, entry.message)

-      client.chat.postMessage(options.channel, util.format(
+      client.chat.postMessage({
+        channel: options.channel
+      , text: util.format(
        '>>> *%s/%s* %d [*%s*] %s'
        , logger.LevelLabel[entry.priority]
        , entry.tag
@@ -49,11 +55,9 @@ module.exports = function(options) {
        , entry.identifier
        , message
        )
-        , {
-          username: 'STF'
-          , icon_url: 'https://openstf.io/favicon.png'
-        }
-      )
+      , username: 'STF'
+      , icon_url: 'https://openstf.io/favicon.png'
+      })
    })
  }

--- a/lib/units/storage/plugins/apk/index.js
+++ b/lib/units/storage/plugins/apk/index.js
@@ -7,7 +7,7 @@ var url = require('url')
 var util = require('util')

 var express = require('express')
-var request = require('request')
+var request = require('@cypress/request')

 var logger = require('../../../../util/logger')
 var download = require('../../../../util/download')
--- a/lib/units/storage/plugins/image/task/get.js
+++ b/lib/units/storage/plugins/image/task/get.js
@@ -1,9 +1,13 @@
+/**
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var util = require('util')
 var stream = require('stream')
 var url = require('url')

 var Promise = require('bluebird')
-var request = require('request')
+var request = require('@cypress/request')

 module.exports = function(path, options) {
  return new Promise(function(resolve, reject) {
--- a/lib/units/storage/s3.js
+++ b/lib/units/storage/s3.js
@@ -8,7 +8,6 @@ var path = require('path')
 var fs = require('fs')

 var express = require('express')
-var validator = require('express-validator')
 var bodyParser = require('body-parser')
 var formidable = require('formidable')
 var Promise = require('bluebird')
@@ -34,7 +33,6 @@ module.exports = function(options) {
  app.set('trust proxy', true)

  app.use(bodyParser.json())
-  app.use(validator())

  app.disable('x-powered-by')

--- a/lib/units/storage/temp.js
+++ b/lib/units/storage/temp.js
@@ -8,7 +8,6 @@ var path = require('path')
 var crypto = require('crypto')

 var express = require('express')
-var validator = require('express-validator')
 var bodyParser = require('body-parser')
 var formidable = require('formidable')
 var Promise = require('bluebird')
@@ -30,7 +29,6 @@ module.exports = function(options) {
  app.set('trust proxy', true)

  app.use(bodyParser.json())
-  app.use(validator())

  app.disable('x-powered-by')

@@ -38,10 +36,8 @@ module.exports = function(options) {
    log.info('Cleaning up inactive resource "%s"', id)
  })

-  app.post('/s/download/:plugin', function(req, res) {
-    requtil.validate(req, function() {
-        req.checkBody('url').notEmpty()
-      })
+  app.post('/s/download/:plugin', requtil.validators.tempUrlValidator, function(req, res) {
+    requtil.validate(req)
      .then(function() {
        return download(req.body.url, {
          dir: options.cacheDir
--- a/lib/units/websocket/index.js
+++ b/lib/units/websocket/index.js
@@ -6,10 +6,10 @@ var http = require('http')
 var events = require('events')
 var util = require('util')

-var socketio = require('socket.io')
+var Socketio = require('socket.io').Server
 var Promise = require('bluebird')
 var _ = require('lodash')
-var request = Promise.promisifyAll(require('request'))
+var request = Promise.promisifyAll(require('@cypress/request'))
 var adb = require('../../util/adbutil')()
 var uuid = require('uuid')

@@ -32,7 +32,7 @@ const apiutil = require('../../util/apiutil')
 module.exports = function(options) {
  var log = logger.createLogger('websocket')
  var server = http.createServer()
-  var io = socketio.listen(server, {
+  var io = new Socketio(server, {
        serveClient: false
      , transports: ['websocket']
      })
@@ -570,7 +570,7 @@ module.exports = function(options) {
            ])
          }
          catch(err) {
-            //workaround for https://github.com/openstf/stf/issues/1180
+            // workaround for https://github.com/openstf/stf/issues/1180
            log.error('input.touchMove had an error', err.stack)
          }
        })