From d185cf63e8da21fc67603336238fafef71390fc2 Mon Sep 17 00:00:00 2001
From: Sulka Haro
Date: Fri, 27 Jan 2023 08:34:46 +0200
Subject: [PATCH 1/2] Update Mongo URL parser to 1.0.2 to fix issues Scott H found (#7606)
* Update Mongo URL parser to 1.0.2 to fix issues Scott H found
* Reset the lockfile
* Update lock to include new component
---
 package-lock.json | 12 ++++++------
 package.json | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index c73f9977e30..f604d2465d5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1996,9 +1996,9 @@
 "dev": true
 },
 "caniuse-lite": {
- "version": "1.0.30001447",
- "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001447.tgz",
- "integrity": "sha512-bdKU1BQDPeEXe9A39xJnGtY0uRq/z5osrnXUw0TcK+EYno45Y+U7QU9HhHEyzvMDffpYadFXi3idnSNkcwLkTw=="
+ "version": "1.0.30001448",
+ "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001448.tgz",
+ "integrity": "sha512-tq2YI+MJnooG96XpbTRYkBxLxklZPOdLmNIOdIhvf7SNJan6u5vCKum8iT7ZfCt70m1GPkuC7P3TtX6UuhupuA=="
 },
 "caseless": {
 "version": "0.12.0",
@@ -3288,9 +3288,9 @@
 }
 },
 "eslint-plugin-security": {
- "version": "1.6.0",
- "resolved": "https://registry.npmjs.org/eslint-plugin-security/-/eslint-plugin-security-1.6.0.tgz",
- "integrity": "sha512-SGvyejbhW/dziRbzOroKX5bj8z/qtBOw7Q95C9CBbJQqBtFB2o4OxSM3MCO2u9noPp7B6DDaFGtXTx8ImPiO/A==",
+ "version": "1.7.0",
+ "resolved": "https://registry.npmjs.org/eslint-plugin-security/-/eslint-plugin-security-1.7.0.tgz",
+ "integrity": "sha512-+ahcCh7M5w7fdFaNccaChBGq8nd3Wa+XvGJS+hY74kvrMhG4EuLbljRIjilOqh1iDMW/EckB1oOWmiVIYlVACQ==",
 "dev": true,
 "requires": {
 "safe-regex": "^2.1.1"
diff --git a/package.json b/package.json
index 69e4d4c3a31..eb3562bbf78 100644
--- a/package.json
+++ b/package.json
@@ -114,7 +114,7 @@
 "moment-locales-webpack-plugin": "^1.2.0",
 "moment-timezone": "^0.5.31",
 "moment-timezone-data-webpack-plugin": "^1.5.0",
- "mongo-url-parser": "^1.0.1",
+ "mongo-url-parser": "^1.0.2",
 "mongodb": "^3.6.0",
 "mongomock": "^0.1.2",
 "node-cache": "^4.2.1",
From 3b7528a8edbacde907ce8472838865190271d0ef Mon Sep 17 00:00:00 2001
From: Ben West
Date: Thu, 26 Jan 2023 22:42:26 -0800
Subject: [PATCH 2/2] minimum attempt to protect /api/v2/ endpoints (#7554)
* minimum attempt to protect /api/v2/ endpoints
These endpoints should be protected as reported in https://github.com/nightscout/cgm-remote-monitor/issues/7546.
* remove spurious line
Co-authored-by: Sulka Haro
---
 lib/api/properties.js | 4 +++-
 lib/data/endpoints.js | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/api/properties.js b/lib/api/properties.js
index 7e9fd88ebab..07a2597a99e 100644
--- a/lib/api/properties.js
+++ b/lib/api/properties.js
@@ -18,6 +18,8 @@ function create (env, ctx) {
 *
 * Expecting to define extended syntax and support for several query params
 */
+ properties.use(ctx.authorization.isPermitted('api:entries:read'),
+ ctx.authorization.isPermitted('api:treatments:read'));
 properties.get(['/', '/*'], function getProperties (req, res) {
 var sbx = sandbox.serverInit(env, ctx);
@@ -57,4 +59,4 @@ function create (env, ctx) {
 return properties;
 }
-module.exports = create;
\ No newline at end of file
+module.exports = create;
diff --git a/lib/data/endpoints.js b/lib/data/endpoints.js
index 252cac9f690..10d041e132a 100644
--- a/lib/data/endpoints.js
+++ b/lib/data/endpoints.js
@@ -64,6 +64,8 @@ function configure (app, ctx) {
 next( );
 });
+ api.use(ctx.authorization.isPermitted('api:entries:read'),
+ ctx.authorization.isPermitted('api:treatments:read'));
 api.get('/at/:at?', ensure_at, get_ddata, format_result);
 return api;
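Review bot: The added `properties.use(isPermitted('api:entries:read'), isPermitted('api:treatments:read'))` is two chained middlewares, so — assuming `isPermitted` returns ordinary `(req, res, next)` middleware — a caller must hold both permissions, and a token with only `api:entries:read` is now refused; the hunk does not say whether this AND is intended or whether a single combined permission was meant. Placing the gate via `.use()` before `properties.get(['/', '/*'], …)` is correct for ordering, but the `getProperties` handler builds its output from `sandbox.serverInit(env, ctx)`, and if that sandbox also exposes data from other collections (devicestatus, profile) the two permissions chosen here may under-scope what this endpoint reveals — worth confirming against the sandbox. Since nothing in the hunk records the rationale, I would add a comment above the `use` call: `// Gate the whole router: both api:entries:read AND api:treatments:read are required (chained middleware).` The body of `create` begins and ends outside this hunk.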
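Review bot: The new `api.use(isPermitted(...), isPermitted(...))` gate is registered after an earlier `api.use` whose body ends with `next( ); });`, so whatever that earlier middleware does still runs for unauthenticated requests before they are rejected; if it does any per-request work or sets response state, it should be moved below the permission check so the gate is the first thing on the path. As in properties.js, the two checks are chained, which (for standard middleware) means both permissions are required rather than either one, and nothing in the hunk documents that choice — a one-line comment such as `// Require both entries and treatments read permission before /at/:at? is served.` would make the intent reviewable. The `configure` function starts outside this hunk, so I cannot see what the earlier `api.use` does and this is a hedge rather than a confirmed issue.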