fix: vulnerabilities in the socket.io-file package

Ref: * GHSA-9h4g-27m8-qjrg * GHSA-6495-8jvh-f28x * https://cwe.mitre.org/data/definitions/22.html
salesforce · Apr 7, 2022 · 1f2516e · 1f2516e
1 parent 9533ad0
commit 1f2516e
Show file tree

Hide file tree

Showing 6 changed files with 380 additions and 12 deletions.
diff --git a/package.json b/package.json
@@ -57,8 +57,8 @@
     "cross-env": "^5.2.0",
     "eslint": "^5.16.0",
     "husky": "2.4.0",
-    "jest": "^26.0.1",
     "isbinaryfile": "^4.0.2",
+    "jest": "^26.0.1",
     "lerna": "^3.18.3",
     "prettier": "^1.17.1",
     "rimraf": "^2.6.3",

diff --git a/packages/@best/agent/package.json b/packages/@best/agent/package.json
@@ -17,8 +17,8 @@
     "@best/shared": "6.1.0",
     "@best/utils": "6.1.0",
     "express": "4.17.2",
+    "mime": "^1.3.4",
     "socket.io": "~2.2.0",
-    "socket.io-file": "~2.0.31",
     "tar": "6.1.11"
   },
   "files": [

diff --git a/packages/@best/agent/src/utils/benchmark-loader.ts b/packages/@best/agent/src/utils/benchmark-loader.ts
@@ -3,13 +3,14 @@
  * All rights reserved.
  * SPDX-License-Identifier: MIT
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/MIT
-*/
+ */
 
-import path from "path";
-import SocketIOFile from "socket.io-file";
+import path from 'path';
 import { cacheDirectory, randomAlphanumeric } from '@best/utils';
 import { x as extractTar } from 'tar';
-import { Socket } from "socket.io";
+import { Socket } from 'socket.io';
+import SocketFile from './socket.io-file';
+import type SocketIOFile from 'socket.io-file'
 
 // This is all part of the initialization
 const LOADER_CONFIG_DEFAULTS = {
@@ -27,11 +28,12 @@ export function getUploaderInstance(socket: Socket): SocketIOFile {
     // same-named benchmark to the agent. When this happens, the agent may get a partial file or the hub may fail
     // because there is a lock on the same-named file.
     const config = Object.assign({}, LOADER_CONFIG_DEFAULTS, {
-        uploadDir: path.join(cacheDirectory('best_agent'), 'uploads', randomAlphanumeric(16))
+        uploadDir: path.join(cacheDirectory('best_agent'), 'uploads', randomAlphanumeric(16)),
     });
 
-    const uploader: any = new SocketIOFile(socket, config);
-    uploader.load = function () {
+    const uploader: any = new (SocketFile as any)(socket, config);
+
+    uploader.load = function() {
         return new Promise((resolve, reject) => {
             uploader.on('complete', (info: any) => {
                 uploader.removeAllListeners('complete');
@@ -43,7 +45,7 @@ export function getUploaderInstance(socket: Socket): SocketIOFile {
                 reject(err);
             });
         });
-    }
+    };
 
     return uploader;
 }