fix all vulnerabilities in the production code (#817)

Signed-off-by: Denis barbaron <denis.barbaron@orange.com>
2026-04-18 06:53:20 +02:00 · 2024-11-29 11:02:11 +01:00
parent 2f54e40206
commit 872b0bcbd8
26 changed files with 160 additions and 13627 deletions
--- a/lib/units/auth/ldap.js
+++ b/lib/units/auth/ldap.js
@@ -5,11 +5,10 @@
 var http = require('http')

 var express = require('express')
-var validator = require('express-validator')
 var cookieSession = require('cookie-session')
 var bodyParser = require('body-parser')
 var serveStatic = require('serve-static')
-var csrf = require('csurf')
+var csrf = require('@dr.pogodin/csurf')
 var Promise = require('bluebird')

 var logger = require('../../util/logger')
@@ -46,7 +45,6 @@ module.exports = function(options) {
  }))
  app.use(bodyParser.json())
  app.use(csrf())
-  app.use(validator())
  app.use('/static/bower_components',
    serveStatic(pathutil.resource('bower_components')))
  app.use('/static/auth/ldap', serveStatic(pathutil.resource('auth/ldap')))
@@ -84,15 +82,12 @@ module.exports = function(options) {
    res.render('index')
  })

-  app.post('/auth/api/v1/ldap', function(req, res) {
+  app.post('/auth/api/v1/ldap', requtil.validators.ldapLoginValidator, function(req, res) {
    var log = logger.createLogger('auth-ldap')
    log.setLocalIdentifier(req.ip)
    switch (req.accepts(['json'])) {
      case 'json':
-        requtil.validate(req, function() {
-            req.checkBody('username').notEmpty()
-            req.checkBody('password').notEmpty()
-          })
+        requtil.validate(req)
          .then(function() {
            return ldaputil.login(
              options.ldap
--- a/lib/units/auth/mock.js
+++ b/lib/units/auth/mock.js
@@ -5,11 +5,10 @@
 var http = require('http')

 var express = require('express')
-var validator = require('express-validator')
 var cookieSession = require('cookie-session')
 var bodyParser = require('body-parser')
 var serveStatic = require('serve-static')
-var csrf = require('csurf')
+var csrf = require('@dr.pogodin/csurf')
 var Promise = require('bluebird')
 var basicAuth = require('basic-auth')

@@ -68,7 +67,6 @@ module.exports = function(options) {
  }))
  app.use(bodyParser.json())
  app.use(csrf())
-  app.use(validator())
  app.use('/static/bower_components',
    serveStatic(pathutil.resource('bower_components')))
  app.use('/static/auth/mock', serveStatic(pathutil.resource('auth/mock')))
@@ -110,15 +108,12 @@ module.exports = function(options) {
    res.render('index')
  })

-  app.post('/auth/api/v1/mock', function(req, res) {
+  app.post('/auth/api/v1/mock', requtil.validators.mockLoginValidator, function(req, res) {
    var log = logger.createLogger('auth-mock')
    log.setLocalIdentifier(req.ip)
    switch (req.accepts(['json'])) {
      case 'json':
-        requtil.validate(req, function() {
-            req.checkBody('name').notEmpty()
-            req.checkBody('email').isEmail()
-          })
+        requtil.validate(req)
          .then(function() {
            return dbapi.checkUserBeforeLogin(req.body)
          })
--- a/lib/units/auth/saml2.js
+++ b/lib/units/auth/saml2.js
@@ -7,7 +7,7 @@ var http = require('http')

 var express = require('express')
 var passport = require('passport')
-var SamlStrategy = require('passport-saml').Strategy
+var SamlStrategy = require('@node-saml/passport-saml').Strategy
 var bodyParser = require('body-parser')
 var _ = require('lodash')

@@ -54,7 +54,7 @@ module.exports = function(options) {

  if (options.saml.certPath) {
    samlConfig = _.merge(samlConfig, {
-      cert: fs.readFileSync(options.saml.certPath).toString()
+      idpCert: fs.readFileSync(options.saml.certPath).toString()
    })
  }