fix all vulnerabilities in the production code (#817)

Signed-off-by: Denis barbaron <denis.barbaron@orange.com>
2026-04-18 16:13:24 +02:00 · 2024-11-29 11:02:11 +01:00
parent 2f54e40206
commit 872b0bcbd8
26 changed files with 160 additions and 13627 deletions
--- a/lib/units/storage/plugins/apk/index.js
+++ b/lib/units/storage/plugins/apk/index.js
@@ -7,7 +7,7 @@ var url = require('url')
 var util = require('util')

 var express = require('express')
-var request = require('request')
+var request = require('@cypress/request')

 var logger = require('../../../../util/logger')
 var download = require('../../../../util/download')
--- a/lib/units/storage/plugins/image/task/get.js
+++ b/lib/units/storage/plugins/image/task/get.js
@@ -1,9 +1,13 @@
+/**
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var util = require('util')
 var stream = require('stream')
 var url = require('url')

 var Promise = require('bluebird')
-var request = require('request')
+var request = require('@cypress/request')

 module.exports = function(path, options) {
  return new Promise(function(resolve, reject) {
--- a/lib/units/storage/s3.js
+++ b/lib/units/storage/s3.js
@@ -8,7 +8,6 @@ var path = require('path')
 var fs = require('fs')

 var express = require('express')
-var validator = require('express-validator')
 var bodyParser = require('body-parser')
 var formidable = require('formidable')
 var Promise = require('bluebird')
@@ -34,7 +33,6 @@ module.exports = function(options) {
  app.set('trust proxy', true)

  app.use(bodyParser.json())
-  app.use(validator())

  app.disable('x-powered-by')

--- a/lib/units/storage/temp.js
+++ b/lib/units/storage/temp.js
@@ -8,7 +8,6 @@ var path = require('path')
 var crypto = require('crypto')

 var express = require('express')
-var validator = require('express-validator')
 var bodyParser = require('body-parser')
 var formidable = require('formidable')
 var Promise = require('bluebird')
@@ -30,7 +29,6 @@ module.exports = function(options) {
  app.set('trust proxy', true)

  app.use(bodyParser.json())
-  app.use(validator())

  app.disable('x-powered-by')

@@ -38,10 +36,8 @@ module.exports = function(options) {
    log.info('Cleaning up inactive resource "%s"', id)
  })

-  app.post('/s/download/:plugin', function(req, res) {
-    requtil.validate(req, function() {
-        req.checkBody('url').notEmpty()
-      })
+  app.post('/s/download/:plugin', requtil.validators.tempUrlValidator, function(req, res) {
+    requtil.validate(req)
      .then(function() {
        return download(req.body.url, {
          dir: options.cacheDir