Skip to content

Commit

Permalink
fix(security): crash in HeaderParser in dicer
Browse files Browse the repository at this point in the history 
Addresses the advisory:
https://github.com/hyperledger/cacti/security/dependabot/176

The dicer dependency is included via the express-openapi-validator
package which needed to be upgraded project-wide for a fix.

The test cases for verifying that the OpenAPI validation still works had
to be updated because the way invalid field names are represented by
the new version of the validator have been changed. It used to say if
in the request body there was a problematic field ".body.SOME_FIELD"
but now it says instead "/body/SOME_FIELD" so a minor change was needed
in the test cases assertions to make sure they are not ending up with
false negative results.

URL GHSA-wm7h-9275-46v2
CVE ID CVE-2022-24434
GHSA ID GHSA-wm7h-9275-46v2

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
  • Loading branch information
@petermetz
petermetz committed Aug 18, 2023
1 parent 36988a5 commit 77fb559
Show file tree
Hide file tree
Showing 18 changed files with 140 additions and 260 deletions.
2 changes: 1 addition & 1 deletion packages/cactus-cmd-api-server/package.json
View file
Expand Up @@ -75,7 +75,7 @@
"express": "4.17.3",
"express-http-proxy": "1.6.2",
"express-jwt": "8.4.1",
"express-openapi-validator": "4.12.12",
"express-openapi-validator": "5.0.4",
"express-rate-limit": "6.7.0",
"fs-extra": "10.0.0",
"google-protobuf": "3.18.0-rc.2",
Expand Down
2 changes: 1 addition & 1 deletion packages/cactus-core/package.json
View file
Expand Up @@ -54,7 +54,7 @@
"@hyperledger/cactus-core-api": "2.0.0-alpha.1",
"express": "4.17.3",
"express-jwt-authz": "2.4.1",
"express-openapi-validator": "4.13.8",
"express-openapi-validator": "5.0.4",
"typescript-optional": "2.0.1"
},
"devDependencies": {
Expand Down
16 changes: 8 additions & 8 deletions ...plugin-keychain-aws-sm/src/test/typescript/integration/openapi/openapi-validation.test.ts
View file
Expand Up @@ -164,7 +164,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fSet} without required key: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("key"), "Rejected because key is required");
}
Expand All @@ -183,7 +183,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fGet} without required key: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("key"), "Rejected because key is required");
}
Expand All @@ -202,7 +202,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fHas} without required key: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("key"), "Rejected because key is required");
}
Expand All @@ -221,7 +221,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fDelete} without required key: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("key"), "Rejected because key is required");
}
Expand All @@ -242,7 +242,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fSet} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand All @@ -265,7 +265,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fGet} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand All @@ -288,7 +288,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fHas} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand All @@ -311,7 +311,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fDelete} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down
16 changes: 8 additions & 8 deletions ...gin-keychain-google-sm/src/test/typescript/integration/openapi/openapi-validation.test.ts
View file
Expand Up @@ -119,7 +119,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fSet} without required key: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("key"), "Rejected because key is required");
}
Expand All @@ -138,7 +138,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fGet} without required key: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("key"), "Rejected because key is required");
}
Expand All @@ -157,7 +157,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fHas} without required key: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("key"), "Rejected because key is required");
}
Expand All @@ -176,7 +176,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fDelete} without required key: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("key"), "Rejected because key is required");
}
Expand All @@ -197,7 +197,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fSet} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand All @@ -220,7 +220,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fGet} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand All @@ -243,7 +243,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fHas} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand All @@ -266,7 +266,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fDelete} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down
16 changes: 8 additions & 8 deletions ...-plugin-keychain-vault/src/test/typescript/integration/openapi/openapi-validation.test.ts
View file
Expand Up @@ -147,7 +147,7 @@ test(`${testCase}`, async (t: Test) => {
`Endpoint ${fSet} without required key: response.status === 400 OK`,
);
const fields = e?.response?.data.map((param) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields?.includes("key"), "Rejected because key is required");
}
Expand All @@ -165,7 +165,7 @@ test(`${testCase}`, async (t: Test) => {
`Endpoint ${fHas} without required key: response.status === 400 OK`,
);
const fields = e?.response?.data.map((param) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields?.includes("key"), "Rejected because key is required");
}
Expand All @@ -183,7 +183,7 @@ test(`${testCase}`, async (t: Test) => {
`Endpoint ${fGet} without required key: response.status === 400 OK`,
);
const fields = e?.response?.data.map((param) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields?.includes("key"), "Rejected because key is required");
}
Expand All @@ -201,7 +201,7 @@ test(`${testCase}`, async (t: Test) => {
`Endpoint ${fDelete} without required key: response.status === 400 OK`,
);
const fields = e?.response?.data.map((param) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields?.includes("key"), "Rejected because key is required");
}
Expand All @@ -223,7 +223,7 @@ test(`${testCase}`, async (t: Test) => {
`Endpoint ${fSet} with fake=4: response.status === 400 OK`,
);
const fields = e?.response?.data.map((param) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields?.includes("fake"),
Expand All @@ -247,7 +247,7 @@ test(`${testCase}`, async (t: Test) => {
`Endpoint ${fHas} with fake=4: response.status === 400 OK`,
);
const fields = e?.response?.data.map((param) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields?.includes("fake"),
Expand All @@ -271,7 +271,7 @@ test(`${testCase}`, async (t: Test) => {
`Endpoint ${fGet} with fake=4: response.status === 400 OK`,
);
const fields =
e?.response?.data.map((param) => param.path.replace(".body.", "")) ||
e?.response?.data.map((param) => param.path.replace("/body/", "")) ||
[];
t2.ok(
fields.includes("fake"),
Expand All @@ -295,7 +295,7 @@ test(`${testCase}`, async (t: Test) => {
`Endpoint ${fDelete} with fake=4: response.status === 400 OK`,
);
const fields = e?.response?.data.map((param: { path: string }) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields?.includes("fake"),
Expand Down
32 changes: 16 additions & 16 deletions ...st/typescript/integration/plugin-ledger-connector-besu/openapi/openapi-validation.test.ts
View file
Expand Up @@ -207,7 +207,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fDeploy} without required contractName and bytecode: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("contractName"),
Expand Down Expand Up @@ -249,7 +249,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fDeploy} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down Expand Up @@ -310,7 +310,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fInvoke} without required contractName: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("contractName"),
Expand Down Expand Up @@ -345,7 +345,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fInvoke} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down Expand Up @@ -408,7 +408,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fRun} without required consistencyStrategy: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("consistencyStrategy"),
Expand Down Expand Up @@ -448,7 +448,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fRun} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down Expand Up @@ -549,7 +549,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fSign} without required keychainId: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("keychainId"),
Expand Down Expand Up @@ -605,7 +605,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fSign} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down Expand Up @@ -640,7 +640,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fBalance} without required address: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("address"), "Rejected because address is required");
}
Expand All @@ -662,7 +662,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fBalance} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down Expand Up @@ -693,7 +693,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fBlock} without required blockHashOrBlockNumber: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("blockHashOrBlockNumber"),
Expand All @@ -718,7 +718,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fBlock} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down Expand Up @@ -755,7 +755,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fPastLogs} without required address: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(fields.includes("address"), "Rejected because address is required");
}
Expand All @@ -777,7 +777,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fPastLogs} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down Expand Up @@ -845,7 +845,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fRecord} without required transactionHash: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("transactionHash"),
Expand All @@ -870,7 +870,7 @@ test(testCase, async (t: Test) => {
`Endpoint ${fRecord} with fake=4: response.status === 400 OK`,
);
const fields = e.response.data.map((param: any) =>
param.path.replace(".body.", ""),
param.path.replace("/body/", ""),
);
t2.ok(
fields.includes("fake"),
Expand Down
2 changes: 1 addition & 1 deletion packages/cactus-plugin-ledger-connector-corda/package.json
View file
Expand Up @@ -60,7 +60,7 @@
"@hyperledger/cactus-core": "2.0.0-alpha.1",
"@hyperledger/cactus-core-api": "2.0.0-alpha.1",
"axios": "0.21.4",
"express-openapi-validator": "3.10.0",
"express-openapi-validator": "5.0.4",
"internal-ip": "6.2.0",
"joi": "17.9.1",
"node-ssh": "13.1.0",
Expand Down

0 comments on commit 77fb559

Please sign in to comment.