fix all vulnerabilities in the production code (#817)

Signed-off-by: Denis barbaron <denis.barbaron@orange.com>
2026-04-18 08:03:30 +02:00 · 2024-11-29 11:02:11 +01:00
parent 2f54e40206
commit 872b0bcbd8
26 changed files with 160 additions and 13627 deletions
--- a/lib/units/auth/mock.js
+++ b/lib/units/auth/mock.js
@@ -5,11 +5,10 @@
 var http = require('http')

 var express = require('express')
-var validator = require('express-validator')
 var cookieSession = require('cookie-session')
 var bodyParser = require('body-parser')
 var serveStatic = require('serve-static')
-var csrf = require('csurf')
+var csrf = require('@dr.pogodin/csurf')
 var Promise = require('bluebird')
 var basicAuth = require('basic-auth')

@@ -68,7 +67,6 @@ module.exports = function(options) {
  }))
  app.use(bodyParser.json())
  app.use(csrf())
-  app.use(validator())
  app.use('/static/bower_components',
    serveStatic(pathutil.resource('bower_components')))
  app.use('/static/auth/mock', serveStatic(pathutil.resource('auth/mock')))
@@ -110,15 +108,12 @@ module.exports = function(options) {
    res.render('index')
  })

-  app.post('/auth/api/v1/mock', function(req, res) {
+  app.post('/auth/api/v1/mock', requtil.validators.mockLoginValidator, function(req, res) {
    var log = logger.createLogger('auth-mock')
    log.setLocalIdentifier(req.ip)
    switch (req.accepts(['json'])) {
      case 'json':
-        requtil.validate(req, function() {
-            req.checkBody('name').notEmpty()
-            req.checkBody('email').isEmail()
-          })
+        requtil.validate(req)
          .then(function() {
            return dbapi.checkUserBeforeLogin(req.body)
          })