feat: code severity fixes & vul fixes

Author: yashashkumar

api-service/src/configs/ConnectionsConfig.ts

@@ -2,13 +2,12 @@
 const env = process.env;
 
 export const connectionConfig = {
-    postgres: {
-        host: env.postgres_host || "localhost",
-        port: env.postgres_port || 5432,
-        database: env.postgres_database || "obsrv",
-        username: env.postgres_username || "postgres",
-        password: env.postgres_password || "postgres",
-    },
+    postgres: Object.freeze({
+        host: env['postgres_host'] || "localhost",
+        port: env['postgres_port'] || 5432,
+        database: env['postgres_database'] || "obsrv",
+        credentials: `${env['postgres_username'] || "postgres"}::${env['postgres_password'] || "postgres"}`
+    }),
     kafka: {
         "config": {
             "brokers": [`${env.kafka_host || "localhost"}:${env.kafka_port || 9092}`],

api-service/src/connections/databaseConnection.ts

@@ -1,16 +1,27 @@
 import { Sequelize } from "sequelize";
 import { connectionConfig } from "../configs/ConnectionsConfig"
 
-const { database, host, password, port, username } = connectionConfig.postgres
+const { database, host, port } = connectionConfig.postgres;
+const credentials = connectionConfig.postgres.credentials.split("::");
 
-export const sequelize = new Sequelize({
-    database, password, username: username, dialect: "postgres", host, port: +port, pool: {
-        max: 2,
-        min: 1,
-        acquire: 30000,
-        idle: 10000
-      }
-})
+const decodedCredentials = Buffer.from(credentials[1], 'base64').toString('utf-8');
+
+export const sequelize = new Sequelize(
+    database,
+    credentials[0],
+    decodedCredentials,
+    {
+        host,
+        port: +port,
+        dialect: "postgres",
+        pool: {
+            max: 2,
+            min: 1,
+            acquire: 30000,
+            idle: 10000
+        }
+    }
+)
 
  export const health = async () => {
     return sequelize.query("select 1")

api-service/src/controllers/Alerts/Alerts.ts

@@ -12,7 +12,7 @@ const telemetryObject = { type: "alert", ver: "1.0.0" };
 
 const createAlertHandler = async (req: Request, res: Response, next: NextFunction) => {
   try {
-    const alertPayload = getAlertPayload(req.body);
+    const alertPayload = getAlertPayload(_.get(req, "body"));
     const userID = (req as any)?.userID;
     _.set(alertPayload, "created_by", userID);
     _.set(alertPayload, "updated_by", userID);
@@ -30,7 +30,7 @@ const createAlertHandler = async (req: Request, res: Response, next: NextFunctio
 
 const publishAlertHandler = async (req: Request, res: Response, next: NextFunction) => {
   try {
-    const { alertId } = req.params;
+    const alertId = _.get(req, 'params.alertId');
     const ruleModel: Record<string, any> | null = await getAlertRule(alertId);
     if (!ruleModel) return next({ message: httpStatus[httpStatus.NOT_FOUND], statusCode: httpStatus.NOT_FOUND });
     const rulePayload = ruleModel.toJSON();
@@ -57,7 +57,7 @@ const transformAlerts = async (alertModel: any) => {
 
 const searchAlertHandler = async (req: Request, res: Response, next: NextFunction) => {
   try {
-    const { limit, filters, offset, options = {} } = req.body?.request || {};
+    const { limit, filters, offset, options = {} } = _.get(req, 'body.request', {});
     const alerts = await Alert.findAll({ limit: limit, offset: offset, ...(filters && { where: filters }), ...options });
     const alertRulesWithStatus = await Promise.all(_.map(alerts, transformAlerts));
     ResponseHandler.successResponse(req, res, { status: httpStatus.OK, data: { alerts: alertRulesWithStatus, count: alerts.length } });
@@ -105,8 +105,8 @@ const deleteAlertHandler = async (req: Request, res: Response, next: NextFunctio
 
 const updateAlertHandler = async (req: Request, res: Response, next: NextFunction) => {
   try {
-    const { alertId } = req.params;
-    const isEmpty = _.isEmpty(req.body);
+    const alertId = _.get(req, 'params.alertId');
+    const isEmpty = _.isEmpty(_.get(req, "body"));
     if (isEmpty) throw new Error("Failed to update record");
     const ruleModel = await getAlertRule(alertId);
     if (!ruleModel) { return next({ message: httpStatus[httpStatus.NOT_FOUND], statusCode: httpStatus.NOT_FOUND }) }
@@ -117,7 +117,7 @@ const updateAlertHandler = async (req: Request, res: Response, next: NextFunctio
       await deleteAlertRule(rulePayload, false);
       await retireAlertSilence(alertId);
     }
-    const updatedPayload = getAlertPayload({ ...req.body, manager: rulePayload?.manager });
+    const updatedPayload = getAlertPayload({ ..._.get(req, "body"), manager: rulePayload?.manager });
     await Alert.update({ ...updatedPayload, status: "draft", updated_by: userID }, { where: { id: alertId } });
     updateTelemetryAuditEvent({ request: req, currentRecord: rulePayload, object: { id: alertId, ...telemetryObject } });
     ResponseHandler.successResponse(req, res, { status: httpStatus.OK, data: { id: alertId } });
@@ -132,7 +132,7 @@ const updateAlertHandler = async (req: Request, res: Response, next: NextFunctio
 
 const deleteSystemAlertsHandler = async (req: Request, res: Response, next: NextFunction) => {
   try {
-    const body = req.body;
+    const body = _.get(req, 'body', {});
     const { filters } = body;
     if (!filters) throw new Error("Failed to update record");
     await deleteSystemRules({ filters, manager: "grafana" });

api-service/src/controllers/Alerts/Metric.ts

@@ -10,8 +10,8 @@ const telemetryObject = { type: "metric", ver: "1.0.0" };
 
 const createMetricHandler = async (req: Request, res: Response, next: NextFunction) => {
     try {
-        const { component } = req.body;
-        const metricsBody = await Metrics.create({ ...(req.body), component: component });
+        const component  = _.get(req, 'body.component');
+        const metricsBody = await Metrics.create({ ...(_.get(req, 'body')), component: component });
         updateTelemetryAuditEvent({ request: req, object: { id: metricsBody?.dataValues?.id, ...telemetryObject } });
         ResponseHandler.successResponse(req, res, { status: httpStatus.OK, data: { id: metricsBody.dataValues.id } });
     } catch (error: any) {
@@ -36,8 +36,8 @@ const listMetricsHandler = async (req: Request, res: Response, next: NextFunctio
 
 const updateMetricHandler = async (req: Request, res: Response, next: NextFunction) => {
     try {
-        const { id } = req.params;
-        const toUpdatePayload = req.body;
+        const id = _.get(req, 'params.id');
+        const toUpdatePayload = _.get(req, 'body');
         const { component } = toUpdatePayload;
         const isEmpty = _.isEmpty(toUpdatePayload);
         if (isEmpty) throw new Error("Failed to update record");
@@ -59,7 +59,7 @@ const updateMetricHandler = async (req: Request, res: Response, next: NextFuncti
 
 const deleteMetricHandler = async (req: Request, res: Response, next: NextFunction) => {
     try {
-        const { id } = req.params;
+        const id = _.get(req, 'params.id');
         const record = await Metrics.findOne({ where: { id } });
         if (!record) throw new Error(httpStatus[httpStatus.NOT_FOUND]);
         await record.destroy();
@@ -72,7 +72,7 @@ const deleteMetricHandler = async (req: Request, res: Response, next: NextFuncti
 
 const deleteMultipleMetricHandler = async (req: Request, res: Response, next: NextFunction) => {
     try {
-        const { filters } = req.body;
+        const filters = _.get(req, 'body.filters');
         if (!filters) throw new Error("Failed to update record");
         await Metrics.destroy({ where: filters });
         ResponseHandler.successResponse(req, res, { status: httpStatus.OK, data: {} });

api-service/src/controllers/Alerts/Silence.ts

@@ -11,7 +11,7 @@ const telemetryObject = { type: "alert-silence", ver: "1.0.0" };
 
 const createHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const payload = request.body;
+        const payload = _.get(request,'body');
         const { startDate, endDate, alertId } = payload;
         const existingSilence = await Silence.findOne({ where: { alert_id: alertId } });
         if (existingSilence) existingSilence.destroy();
@@ -59,7 +59,7 @@ const listHandler = async (request: Request, response: Response, next: NextFunct
 
 const fetchHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const id = request.params.id;
+        const id = _.get(request,'params.id');
         const silenceModel = await Silence.findOne({ where: { id } });
         const transformedSilence = await transformSilences(silenceModel);
         if (!silenceModel) return next({ message: httpStatus[httpStatus.NOT_FOUND], statusCode: httpStatus.NOT_FOUND });
@@ -72,8 +72,8 @@ const fetchHandler = async (request: Request, response: Response, next: NextFunc
 
 const updateHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const id = request.params.id;
-        const payload = request.body;
+        const id = _.get(request,'params.id');
+        const payload = _.get(request, 'body');
         const silenceModel = await Silence.findOne({ where: { id } });
         if (!silenceModel) return next({ message: httpStatus[httpStatus.NOT_FOUND], statusCode: httpStatus.NOT_FOUND });
         const silenceObject = silenceModel?.toJSON();
@@ -98,7 +98,7 @@ const updateHandler = async (request: Request, response: Response, next: NextFun
 
 const deleteHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const id = request.params.id;
+        const id = _.get(request,'params.id');
         const silenceModel = await Silence.findOne({ where: { id } });
         if (!silenceModel) return next({ message: httpStatus[httpStatus.NOT_FOUND], statusCode: httpStatus.NOT_FOUND });
         const silenceObject = silenceModel?.toJSON();

api-service/src/controllers/DataMetrics/DataMetricsController.ts

@@ -26,6 +26,7 @@ const dataMetrics = async (req: Request, res: Response) => {
         const { url, method, headers = {}, body = {}, params = {}, ...rest } = query;
         const apiResponse = await axios.request({ url, method, headers, params, data: body, ...rest })
         const data = _.get(apiResponse, "data");
+        res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
         return res.json(data);
     }
     else {

api-service/src/controllers/DatasetRead/DatasetRead.ts

@@ -19,8 +19,9 @@ export const defaultFields = ["dataset_id", "name", "type", "status", "tags", "v
 
 const validateRequest = (req: Request) => {
 
-    const { dataset_id } = req.params;
-    const { fields, mode } = req.query;
+    const dataset_id = _.get(req, 'params.dataset_id');
+    const fields = _.get(req, 'query.fields');
+    const mode = _.get(req, 'query.mode');
     const fieldValues = fields ? _.split(fields as string, ",") : [];
     const invalidFields = mode === "edit" ? _.difference(fieldValues, Object.keys(DatasetDraft.getAttributes())) : _.difference(fieldValues, Object.keys(Dataset.getAttributes()));
     if (!_.isEmpty(invalidFields)) {
@@ -32,8 +33,9 @@ const validateRequest = (req: Request) => {
 const datasetRead = async (req: Request, res: Response) => {
 
     validateRequest(req);
-    const { dataset_id } = req.params;
-    const { fields, mode } = req.query;
+    const dataset_id = _.get(req, 'params.dataset_id');
+    const fields = _.get(req, 'query.fields');
+    const mode = _.get(req, 'query.mode');
     const userID = (req as any)?.userID;
     const attributes = !fields ? defaultFields : _.split(<string>fields, ",");
     const dataset = (mode == "edit") ? await readDraftDataset(dataset_id, attributes, userID) : await readDataset(dataset_id, attributes)

api-service/src/controllers/NotificationChannel/Notification.ts

@@ -11,11 +11,11 @@ const telemetryObject = { type: "notificationChannel", ver: "1.0.0" };
 
 const createHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const payload = request.body;
+        const body = _.get(request, "body");
         const userID = (request as any)?.userID;
-        _.set(payload, "created_by", userID);
-        _.set(payload, "updated_by", userID);
-        const notificationBody = await Notification.create(payload);
+        _.set(body, "created_by", userID);
+        _.set(body, "updated_by", userID);
+        const notificationBody = await Notification.create(body);
         updateTelemetryAuditEvent({ request, object: { id: notificationBody?.dataValues?.id, ...telemetryObject } });
         ResponseHandler.successResponse(request, response, { status: httpStatus.OK, data: { id: notificationBody.dataValues.id } })
     } catch (err) {
@@ -26,8 +26,8 @@ const createHandler = async (request: Request, response: Response, next: NextFun
 
 const updateHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const { id } = request.params;
-        const updatedPayload = request.body;
+        const id = _.get(request, 'params.id');
+        const updatedPayload = _.get(request, 'body');
         const notificationPayloadModel = await Notification.findOne({ where: { id } });
         const notificationPayload = notificationPayloadModel?.toJSON();
         if (!notificationPayload) return next({ message: httpStatus[httpStatus.NOT_FOUND], statusCode: httpStatus.NOT_FOUND });
@@ -47,7 +47,7 @@ const updateHandler = async (request: Request, response: Response, next: NextFun
 
 const listHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const { limit, filters, offset } = request.body?.request || {};
+        const { limit, filters, offset } = _.get(request.body, 'request', {});
         const notifications = await Notification.findAll({ limit: limit, offset: offset, ...(filters && { where: filters }) });
         const count = _.get(notifications, "length");
         ResponseHandler.successResponse(request, response, { status: httpStatus.OK, data: { notifications, ...(count && { count }) } });
@@ -59,7 +59,7 @@ const listHandler = async (request: Request, response: Response, next: NextFunct
 
 const fetchHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const { id } = request.params;
+        const id = _.get(request, 'params.id');
         const notificationPayloadModel = await Notification.findOne({ where: { id } });
         const notificationPayload = notificationPayloadModel?.toJSON();
         if (!notificationPayloadModel) return next({ message: httpStatus[httpStatus.NOT_FOUND], statusCode: httpStatus.NOT_FOUND });
@@ -73,7 +73,7 @@ const fetchHandler = async (request: Request, response: Response, next: NextFunc
 
 const retireHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const { id } = request.params;
+        const id = _.get(request, 'params.id');
         const notificationPayloadModel = await Notification.findOne({ where: { id } })
         const notificationPayload = notificationPayloadModel?.toJSON();
         if (!notificationPayload) return next({ message: httpStatus[httpStatus.NOT_FOUND], statusCode: httpStatus.NOT_FOUND });
@@ -90,7 +90,7 @@ const retireHandler = async (request: Request, response: Response, next: NextFun
 
 const publishHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const { id } = request.params;
+        const id = _.get(request, 'params.id');
         const notificationPayloadModel = await Notification.findOne({ where: { id } })
         const notificationPayload = notificationPayloadModel?.toJSON();
         if (!notificationPayload) return next({ message: httpStatus[httpStatus.NOT_FOUND], statusCode: httpStatus.NOT_FOUND });
@@ -108,7 +108,7 @@ const publishHandler = async (request: Request, response: Response, next: NextFu
 
 const testNotifationChannelHandler = async (request: Request, response: Response, next: NextFunction) => {
     try {
-        const { message = "Hello Obsrv", payload = {} } = request.body;
+        const { message = "Hello Obsrv", payload = {} } = _.get(request, 'body');
         const { id } = payload;
         if (id) {
             const notificationPayloadModel = await Notification.findOne({ where: { id } })

api-service/src/controllers/UpdateQueryTemplate/UpdateTemplateController.ts

@@ -12,7 +12,7 @@ const apiId = "api.query.template.update";
 const requiredVariables = _.get(config, "template_config.template_required_variables");
 
 export const updateQueryTemplate = async (req: Request, res: Response) => {
-    const requestBody = req.body;
+    const requestBody = _.get(req, 'body');
     const templateId = _.get(req, "params.templateId");
     try {
         const msgid = _.get(req, "body.params.msgid");

api-service/src/helpers/ResponseHandler.ts

@@ -12,6 +12,7 @@ const ResponseHandler = {
     const { body, entity } = req as any;
     const msgid = _.get(body, ["params", "msgid"])
     const resmsgid = _.get(res, "resmsgid")
+    res.setHeader('STRICT-TRANSPORT-SECURITY', 'max-age=31536000; includeSubDomains');
     res.status(result.status || 200).json(ResponseHandler.refactorResponse({ id: (req as any).id, result: result.data, msgid, resmsgid }));
     entity && onSuccess(req, res)
   },
@@ -34,6 +35,7 @@ const ResponseHandler = {
     const resmsgid = _.get(res, "resmsgid")
     const response = ResponseHandler.refactorResponse({ id, msgid, params: { status: "FAILED" }, responseCode: errCode || httpStatus["500_NAME"], resmsgid })
     const modifiedErrorResponse = _.omit(response, ["result"]);
+    res.setHeader('STRICT-TRANSPORT-SECURITY', 'max-age=31536000; includeSubDomains');
     res.status(statusCode || httpStatus.INTERNAL_SERVER_ERROR).json({ ...modifiedErrorResponse, error: { code, message, trace } });
     entity && onFailure(req, res)
   },
@@ -46,6 +48,7 @@ const ResponseHandler = {
     const msgid = _.get(body, ["params", "msgid"])
     const resmsgid = _.get(res, "resmsgid")
     const response = ResponseHandler.refactorResponse({ id, msgid, params: { status: "FAILED" }, responseCode: errCode || httpStatus["500_NAME"], resmsgid, result: data })
+    res.setHeader('STRICT-TRANSPORT-SECURITY', 'max-age=31536000; includeSubDomains');
     res.status(statusCode || httpStatus.INTERNAL_SERVER_ERROR).json({ ...response, error: { code, message } });
     entity && onObsrvFailure(req, res, error)
   },
@@ -58,11 +61,13 @@ const ResponseHandler = {
   flatResponse: (req: Request, res: Response, result: Result) => {
     const { entity } = req as any;
     entity && onSuccess(req, res)
+    res.setHeader('STRICT-TRANSPORT-SECURITY', 'max-age=31536000; includeSubDomains');
     res.status(result.status).send(result.data);
   },
 
   goneResponse: (req: Request, res: Response) => {
     const { id } = req as any;
+    res.setHeader('STRICT-TRANSPORT-SECURITY', 'max-age=31536000; includeSubDomains');
     res.status(httpStatus.GONE).json({ id: id, ver: "v1", ts: Date.now(), params: { status: "FAILED", errmsg: "v1 APIs have been replace by /v2 APIs. Please refer to this link <addLink> for more information" }, responseCode: httpStatus["410_NAME"] })
   }
 }