fix all vulnerabilities in the production code (#817)

Signed-off-by: Denis barbaron <[email protected]>

.gitignore

@@ -14,3 +14,4 @@
 /temp/
 /tmp/
 package-lock.json
+yarn.lock

Dockerfile-debian-arm64

@@ -52,6 +52,10 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
     tar xzf devicefarmer-stf-*.tgz --strip-components 1 -C /app && \
     echo '/tmp/build/node_modules/.bin/bower cache clean' | su stf -s /bin/bash && \
     echo 'npm prune --omit=dev' | su stf -s /bin/bash && \
+    wget --progress=dot:mega \
+      https://github.com/google/bundletool/releases/download/1.2.0/bundletool-all-1.2.0.jar && \
+    mkdir -p /app/bundletool && \
+    mv bundletool-all-1.2.0.jar /app/bundletool/bundletool.jar && \
     mv node_modules /app && \
     chown -R root:root /app && \
     echo '--- Cleaning up' && \

Dockerfile-debian-armhf

@@ -52,6 +52,10 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
     tar xzf devicefarmer-stf-*.tgz --strip-components 1 -C /app && \
     echo '/tmp/build/node_modules/.bin/bower cache clean' | su stf -s /bin/bash && \
     echo 'npm prune --omit=dev' | su stf -s /bin/bash && \
+    wget --progress=dot:mega \
+      https://github.com/google/bundletool/releases/download/1.2.0/bundletool-all-1.2.0.jar && \
+    mkdir -p /app/bundletool && \
+    mv bundletool-all-1.2.0.jar /app/bundletool/bundletool.jar && \
     mv node_modules /app && \
     chown -R root:root /app && \
     echo '--- Cleaning up' && \

Dockerfile-debian-x86_64

@@ -50,6 +50,10 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
     tar xzf devicefarmer-stf-*.tgz --strip-components 1 -C /app && \
     echo '/tmp/build/node_modules/.bin/bower cache clean' | su stf -s /bin/bash && \
     echo 'npm prune --omit=dev' | su stf -s /bin/bash && \
+    wget --progress=dot:mega \
+      https://github.com/google/bundletool/releases/download/1.2.0/bundletool-all-1.2.0.jar && \
+    mkdir -p /app/bundletool && \
+    mv bundletool-all-1.2.0.jar /app/bundletool/bundletool.jar && \
     mv node_modules /app && \
     chown -R root:root /app && \
     echo '--- Cleaning up' && \

bower.json

@@ -3,47 +3,39 @@
   "version": "0.1.0",
   "dependencies": {
     "angular": "~1.8.3",
+    "angular-animate": "~1.8.3",
+    "angular-borderlayout": "git://github.com/filearts/angular-borderlayout.git#7c9716aebd9260763f798561ca49d6fbfd4a5c67",
     "angular-cookies": "~1.8.3",
+    "angular-dialog-service": "~5.2.11",
+    "angular-elastic": "~2.5.1",
+    "angular-gettext": "~2.4.2",
+    "angular-growl-v2": "~0.7.9",
+    "angular-hotkeys": "chieffancypants/angular-hotkeys#~1.7.0",
+    "angular-ladda": "~0.3.4",
     "angular-route": "~1.8.3",
     "angular-sanitize": "~1.8.3",
-    "angular-animate": "~1.8.3",
     "angular-touch": "~1.8.3",
-    "lodash": "~3.10.1",
-    "oboe": "~2.1.5",
-    "ng-table": "~1.0.0",
-    "angular-gettext": "~2.4.2",
     "angular-ui-ace": "~0.2.3",
-    "angular-dialog-service": "~5.2.11",
-    "ng-file-upload": "~2.0.5",
-    "angular-growl-v2": "JanStevens/angular-growl-2#~0.7.9",
-    "underscore.string": "~3.2.3",
-    "bootstrap": "~3.4.1",
-    "font-lato-2-subset": "~0.4.0",
-    "packery": "~1.4.3",
-    "draggabilly": "~1.2.4",
-    "angular-elastic": "~2.5.1",
-    "angular-hotkeys": "chieffancypants/angular-hotkeys#~1.6.0",
-    "angular-borderlayout": "git://github.com/filearts/angular-borderlayout.git#7c9716aebd9260763f798561ca49d6fbfd4a5c67",
     "angular-ui-bootstrap": "~1.1.2",
-    "ng-context-menu": "swimlane/ng-context-menu#~1.0.1",
-    "components-font-awesome": "~4.5.0",
-    "epoch": "~0.8.4",
-    "ng-epoch": "~1.0.7",
-    "eventEmitter": "~4.3.0",
-    "angular-ladda": "~0.3.1",
+    "angular-xeditable": "~0.10.2",
+    "bootstrap": "~3.4.1",
+    "components-font-awesome": "~4.7.0",
     "d3": "~3.5.17",
-    "spin.js": "~2.3.2",
-    "angular-xeditable": "~0.1.9"
+    "draggabilly": "~2.0.1",
+    "epoch": "~0.8.4",
+    "eventEmitter": "~4.2.11",
+    "font-lato-2-subset": "~0.4.0",
+    "lodash": "~4.17.21",
+    "ng-context-menu": "~1.1.0",
+    "ng-epoch": "~2.0.1",
+    "ng-table": "~1.0.0",
+    "ng-file-upload": "~2.0.5",
+    "oboe": "~2.1.5",
+    "packery": "~2.1.2",
+    "underscore.string": "~3.3.6"
   },
   "private": true,
   "devDependencies": {
     "angular-mocks": "~1.8.3"
-  },
-  "resolutions": {
-    "angular": "~1.8.3",
-    "d3": "~3.5.17",
-    "spin.js": "~2.3.2",
-    "eventEmitter": "~4.3.0",
-    "epoch": "~0.8.4"
   }
 }

lib/cli/index.js

@@ -1,5 +1,5 @@
 /**
-* Copyright © 2019 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
 **/
 
 var yargs = require('yargs')
@@ -40,8 +40,6 @@ var _argv = yargs.usage('Usage: $0 <command> [options]')
   .demandCommand(1, 'Must provide a valid command.')
   .help('h', 'Show help.')
   .alias('h', 'help')
-  .version('V', 'Show version.', function() {
-    return require('../../package').version
-  })
+  .version('V', 'Show version.', require('../../package').version)
   .alias('V', 'version')
   .argv

lib/units/api/index.js

@@ -7,8 +7,8 @@ var path = require('path')
 var events = require('events')
 
 var express = require('express')
-var swaggerExpress = require('swagger-express-mw-node12')
-var swaggerUi = require('swagger-tools/middleware/swagger-ui')
+var swaggerExpress = require('autodesk-forks-swagger-express-mw')
+var swaggerUi = require('@targetprocess/swagger-tools/middleware/swagger-ui')
 var cookieSession = require('cookie-session')
 var Promise = require('bluebird')
 var _ = require('lodash')

lib/units/app/index.js

@@ -7,12 +7,11 @@ var url = require('url')
 var fs = require('fs')
 
 var express = require('express')
-var validator = require('express-validator')
 var cookieSession = require('cookie-session')
 var bodyParser = require('body-parser')
 var serveFavicon = require('serve-favicon')
 var serveStatic = require('serve-static')
-var csrf = require('csurf')
+var csrf = require('@dr.pogodin/csurf')
 var compression = require('compression')
 
 var logger = require('../../util/logger')
@@ -93,7 +92,6 @@ module.exports = function(options) {
 
   app.use(bodyParser.json())
   app.use(csrf())
-  app.use(validator())
 
   app.use(function(req, res, next) {
     res.cookie('XSRF-TOKEN', req.csrfToken())

lib/units/auth/ldap.js

@@ -5,11 +5,10 @@
 var http = require('http')
 
 var express = require('express')
-var validator = require('express-validator')
 var cookieSession = require('cookie-session')
 var bodyParser = require('body-parser')
 var serveStatic = require('serve-static')
-var csrf = require('csurf')
+var csrf = require('@dr.pogodin/csurf')
 var Promise = require('bluebird')
 
 var logger = require('../../util/logger')
@@ -46,7 +45,6 @@ module.exports = function(options) {
   }))
   app.use(bodyParser.json())
   app.use(csrf())
-  app.use(validator())
   app.use('/static/bower_components',
     serveStatic(pathutil.resource('bower_components')))
   app.use('/static/auth/ldap', serveStatic(pathutil.resource('auth/ldap')))
@@ -84,15 +82,12 @@ module.exports = function(options) {
     res.render('index')
   })
 
-  app.post('/auth/api/v1/ldap', function(req, res) {
+  app.post('/auth/api/v1/ldap', requtil.validators.ldapLoginValidator, function(req, res) {
     var log = logger.createLogger('auth-ldap')
     log.setLocalIdentifier(req.ip)
     switch (req.accepts(['json'])) {
       case 'json':
-        requtil.validate(req, function() {
-            req.checkBody('username').notEmpty()
-            req.checkBody('password').notEmpty()
-          })
+        requtil.validate(req)
           .then(function() {
             return ldaputil.login(
               options.ldap

lib/units/auth/mock.js

@@ -5,11 +5,10 @@
 var http = require('http')
 
 var express = require('express')
-var validator = require('express-validator')
 var cookieSession = require('cookie-session')
 var bodyParser = require('body-parser')
 var serveStatic = require('serve-static')
-var csrf = require('csurf')
+var csrf = require('@dr.pogodin/csurf')
 var Promise = require('bluebird')
 var basicAuth = require('basic-auth')
 
@@ -68,7 +67,6 @@ module.exports = function(options) {
   }))
   app.use(bodyParser.json())
   app.use(csrf())
-  app.use(validator())
   app.use('/static/bower_components',
     serveStatic(pathutil.resource('bower_components')))
   app.use('/static/auth/mock', serveStatic(pathutil.resource('auth/mock')))
@@ -110,15 +108,12 @@ module.exports = function(options) {
     res.render('index')
   })
 
-  app.post('/auth/api/v1/mock', function(req, res) {
+  app.post('/auth/api/v1/mock', requtil.validators.mockLoginValidator, function(req, res) {
     var log = logger.createLogger('auth-mock')
     log.setLocalIdentifier(req.ip)
     switch (req.accepts(['json'])) {
       case 'json':
-        requtil.validate(req, function() {
-            req.checkBody('name').notEmpty()
-            req.checkBody('email').isEmail()
-          })
+        requtil.validate(req)
           .then(function() {
             return dbapi.checkUserBeforeLogin(req.body)
           })

lib/units/auth/saml2.js

@@ -7,7 +7,7 @@ var http = require('http')
 
 var express = require('express')
 var passport = require('passport')
-var SamlStrategy = require('passport-saml').Strategy
+var SamlStrategy = require('@node-saml/passport-saml').Strategy
 var bodyParser = require('body-parser')
 var _ = require('lodash')
 
@@ -54,7 +54,7 @@ module.exports = function(options) {
 
   if (options.saml.certPath) {
     samlConfig = _.merge(samlConfig, {
-      cert: fs.readFileSync(options.saml.certPath).toString()
+      idpCert: fs.readFileSync(options.saml.certPath).toString()
     })
   }
 

lib/units/device/plugins/install.js

@@ -1,13 +1,13 @@
 //
-// Copyright © 2022 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+// Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
 //
 
 var stream = require('stream')
 var url = require('url')
 var util = require('util')
 
 var syrup = require('@devicefarmer/stf-syrup')
-var request = require('request')
+var request = require('@cypress/request')
 var Promise = require('bluebird')
 
 var logger = require('../../../util/logger')

lib/units/device/plugins/solo.js

@@ -1,3 +1,7 @@
+/**
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var crypto = require('crypto')
 
 var syrup = require('@devicefarmer/stf-syrup')
@@ -40,7 +44,7 @@ module.exports = syrup.serial()
         , identity.abi
         , identity.sdk
         , new wire.DeviceDisplayMessage(identity.display)
-        , new wire.DevicePhoneMessage(identity.phone)
+        , new wire.DevicePhoneMessage(Object.assign({}, identity.phone))
         , identity.product
         , identity.cpuPlatform
         , identity.openGLESVersion

lib/units/device/support/storage.js

@@ -1,9 +1,13 @@
+/**
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var util = require('util')
 var url = require('url')
 
 var syrup = require('@devicefarmer/stf-syrup')
 var Promise = require('bluebird')
-var request = require('request')
+var request = require('@cypress/request')
 
 var logger = require('../../../util/logger')
 

lib/units/notify/slack.js

@@ -1,6 +1,10 @@
+/**
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var util = require('util')
 
-var WebClient = require('@slack/client').WebClient
+var WebClient = require('@slack/web-api')
 var Promise = require('bluebird')
 
 var logger = require('../../util/logger')
@@ -41,19 +45,19 @@ module.exports = function(options) {
       var format = entry.message.indexOf('\n') === -1 ? '`%s`' : '```%s```'
       var message = util.format(format, entry.message)
 
-      client.chat.postMessage(options.channel, util.format(
+      client.chat.postMessage({
+        channel: options.channel
+      , text: util.format(
         '>>> *%s/%s* %d [*%s*] %s'
         , logger.LevelLabel[entry.priority]
         , entry.tag
         , entry.pid
         , entry.identifier
         , message
         )
-        , {
-          username: 'STF'
-          , icon_url: 'https://openstf.io/favicon.png'
-        }
-      )
+      , username: 'STF'
+      , icon_url: 'https://openstf.io/favicon.png'
+      })
     })
   }
 

lib/units/storage/plugins/apk/index.js

@@ -7,7 +7,7 @@ var url = require('url')
 var util = require('util')
 
 var express = require('express')
-var request = require('request')
+var request = require('@cypress/request')
 
 var logger = require('../../../../util/logger')
 var download = require('../../../../util/download')

lib/units/storage/plugins/image/task/get.js

@@ -1,9 +1,13 @@
+/**
+* Copyright © 2024 contains code contributed by Orange SA, authors: Denis Barbaron - Licensed under the Apache license 2.0
+**/
+
 var util = require('util')
 var stream = require('stream')
 var url = require('url')
 
 var Promise = require('bluebird')
-var request = require('request')
+var request = require('@cypress/request')
 
 module.exports = function(path, options) {
   return new Promise(function(resolve, reject) {

lib/units/storage/s3.js

@@ -8,7 +8,6 @@ var path = require('path')
 var fs = require('fs')
 
 var express = require('express')
-var validator = require('express-validator')
 var bodyParser = require('body-parser')
 var formidable = require('formidable')
 var Promise = require('bluebird')
@@ -34,7 +33,6 @@ module.exports = function(options) {
   app.set('trust proxy', true)
 
   app.use(bodyParser.json())
-  app.use(validator())
 
   app.disable('x-powered-by')