AB#77131 fix critical and high vulnerabilities (#149)

Author: avicarie

package.json

@@ -36,7 +36,7 @@
   },
   "homepage": "https://github.com/HSLdevcom/hsl-routemap-server#readme",
   "engines": {
-    "node": ">=8.0.0"
+    "node": ">=20.0.0"
   },
   "devDependencies": {
     "@babel/core": "^7.22.6",
@@ -66,44 +66,47 @@
     "react-hot-loader": "^4.13.1",
     "rimraf": "^2.6.2",
     "style-loader": "~2",
-    "webpack": "~4",
-    "webpack-cli": "~4",
-    "webpack-dev-server": "~3",
+    "webpack": "~5",
+    "webpack-cli": "~5",
+    "webpack-dev-server": "~5",
     "worker-loader": "^3.0.8"
   },
   "dependencies": {
     "@azure/storage-blob": "^10.5.0",
-    "@koa/cors": "^2.2.1",
     "apollo-cache-inmemory": "^1.1.1",
     "apollo-client": "^2.0.3",
     "apollo-link-http": "^1.2.0",
     "bullmq": "^1.86.2",
     "dotenv": "^8.0.0",
-    "forever": "^4.0.3",
+    "pm2": "^6.0.14",
     "fs-extra": "^8.1.0",
     "graphql": "^0.11.7",
     "graphql-tag": "^2.5.0",
     "hsl-map-style": "hsldevcom/hsl-map-style#development",
     "ioredis": "^5.0.6",
     "knex": "^2.1.0",
-    "koa": "^2.4.1",
+    "koa": "^2.16.4",
     "koa-json-body": "^5.3.0",
     "koa-router": "7.3.0",
     "koa-session": "^5.10.1",
     "lodash": "^4.17.4",
-    "node-fetch": "^1.7.3",
-    "nodemon": "^1.12.1",
+    "node-fetch": "^2.6.7",
+    "nodemon": "^3.1.14",
     "pg": "^8.7.3",
     "prop-types": "^15.6.0",
-    "puppeteer": "^15.4.1",
+    "puppeteer": "^24.39.1",
     "react": "18.2.0",
     "react-apollo": "^2.0.1",
     "react-dom": "18.2.0",
     "recompose": "^0.30.0",
     "segseg": "^0.2.2",
-    "serve": "^13.0.2",
+    "serve": "^14.2.6",
     "uuid": "^3.1.0",
-    "validator": "^13.15.0",
+    "validator": "^13.15.22",
     "viewport-mercator-project": "^4.1.1"
+  },
+  "resolutions": {
+    "node-fetch": "2.6.7",
+    "flatted": "3.4.1"
   }
 }

scripts/server.js

@@ -1,7 +1,6 @@
 const Koa = require('koa');
 const Router = require('koa-router');
 const session = require('koa-session');
-const cors = require('@koa/cors');
 const jsonBody = require('koa-json-body');
 const { get } = require('lodash');
 const { Queue } = require('bullmq');
@@ -41,6 +40,49 @@ const queue = new Queue('generator', { connection: bullRedisConnection });
 
 const cancelSignalRedis = new Redis(REDIS_CONNECTION_STRING); // New connection to make sure that pub/sub will work correctly.
 
+const createCorsMiddleware = (options = {}) => {
+  const {
+    allowHeaders = [
+      'Accept',
+      'Accept-Language',
+      'Content-Language',
+      'Content-Type',
+      'Authorization',
+      'X-Requested-With',
+    ],
+    allowMethods = ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+    credentials = false,
+  } = options;
+
+  return async (ctx, next) => {
+    const requestOrigin = ctx.get('Origin');
+    if (requestOrigin) {
+      ctx.set('Access-Control-Allow-Origin', requestOrigin);
+    } else if (!credentials) {
+      ctx.set('Access-Control-Allow-Origin', '*');
+    }
+
+    if (credentials) {
+      ctx.set('Access-Control-Allow-Credentials', 'true');
+    }
+
+    ctx.set('Access-Control-Allow-Methods', allowMethods.join(', '));
+    const requestedHeaders = ctx.get('Access-Control-Request-Headers');
+    if (requestedHeaders) {
+      ctx.set('Access-Control-Allow-Headers', requestedHeaders);
+    } else {
+      ctx.set('Access-Control-Allow-Headers', allowHeaders.join(', '));
+    }
+
+    if (ctx.method === 'OPTIONS') {
+      ctx.status = 204;
+      return;
+    }
+
+    await next();
+  };
+};
+
 async function generatePoster(buildId, props) {
   const { id } = await addPoster({ buildId, props });
 
@@ -284,6 +326,7 @@ async function main() {
 
   router.post('/login', async (ctx) => {
     const authResponse = await authEndpoints.authorize(ctx.request, ctx.response, ctx.session);
+    console.log(JSON.stringify(authResponse.body));
     ctx.session = null;
     if (authResponse.modifiedSession) {
       ctx.session = authResponse.modifiedSession;
@@ -324,11 +367,7 @@ async function main() {
   app
     .use(errorHandler)
     .use(unAuthorizedRouter.routes())
-    .use(
-      cors({
-        credentials: true,
-      }),
-    )
+    .use(createCorsMiddleware({ credentials: true }))
     .use(authMiddleware)
     .use(jsonBody({ fallback: true, limit: '10mb' }))
     .use(router.routes())

server.js

@@ -9,20 +9,15 @@ config.devtool = 'eval';
 config.mode = 'development';
 
 if (process.env.HMR === 'true') {
-  config.entry = [
-    `webpack-dev-server/client?http://localhost:${PORT}`,
-    'webpack/hot/dev-server',
-    ...config.entry,
-  ];
   config.plugins = [new webpack.HotModuleReplacementPlugin(), ...config.plugins];
 }
 
 const options = {
   hot: process.env.HMR === 'true',
   historyApiFallback: true,
-  stats: { colors: true },
+  port: PORT,
 };
 
-const server = new WebpackDevServer(webpack(config), options);
+const server = new WebpackDevServer(options, webpack(config));
 
-server.listen(PORT);
+server.start();