
Executer v2 #32

Open
sudhir-raut wants to merge 3 commits into master from executer-v2

Conversation

@sudhir-raut
Collaborator

New version of executor added.
Resolved module injection issue.

const request: any = {
headers: {
'x-tenant-id': 'some-tenant-id',
'authorization': 'Bearer some-token',

Check failure

Code scanning / CodeQL

Hard-coded credentials (Critical, test code)

The hard-coded value "Bearer some-token" is used as authorization header.
}

update(condition: any, object: UpdateConnectorBodyDto): Promise<ConnectorDocument> {
return this.ConnectorModel.findOneAndUpdate(condition, object, { new: true }).exec();

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources (High)

This query object depends on a user-provided value.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to ensure that the user-controlled data is properly sanitized before being used in the database query. For NoSQL databases like MongoDB, we can use the $eq operator to ensure that the data is interpreted as a literal value. Alternatively, we can validate the data to ensure it is of the expected type and format before using it in the query.

The best way to fix this issue without changing existing functionality is to modify the update method in ConnectorRepositoryImpl to use the $eq operator for the condition and validate the object parameter before using it in the query.

Suggested changeset 1
src/models/connectors/repository/connectors.repository.impl.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/models/connectors/repository/connectors.repository.impl.ts b/src/models/connectors/repository/connectors.repository.impl.ts
--- a/src/models/connectors/repository/connectors.repository.impl.ts
+++ b/src/models/connectors/repository/connectors.repository.impl.ts
@@ -20,3 +20,9 @@
   update(condition: any, object: UpdateConnectorBodyDto): Promise<ConnectorDocument> {
-    return this.ConnectorModel.findOneAndUpdate(condition, object, { new: true }).exec();
+    // Ensure the condition uses the $eq operator
+    const sanitizedCondition = { _id: { $eq: condition._id } };
+    // Validate the object parameter (example: ensure it's an object and has expected properties)
+    if (typeof object !== 'object' || !object) {
+      throw new Error('Invalid update object');
+    }
+    return this.ConnectorModel.findOneAndUpdate(sanitizedCondition, object, { new: true }).exec();
   }
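Review bot: the replacement filter `{ _id: { $eq: condition._id } }` silently discards every other key of `condition`, so any caller that updates by a field other than `_id` now selects a different document, and when `condition._id` is absent the filter becomes a comparison against `undefined`, whose meaning depends on how the driver serialises it. Keep the caller's keys and make their values literal instead, for example by wrapping each value as `{ $eq: value }` and rejecting keys that begin with `$`, or by passing Mongoose's `sanitizeFilter: true` query option. The `typeof object` check is ordered after the filter is built and adds nothing that validation of `UpdateConnectorBodyDto` at the controller boundary would not already enforce.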
EOF
}

updateOne(condition: any, object: any): Promise<ValidationsDocument> {
return this.ValidationsModel.findOneAndUpdate(condition, object, { new: true }).exec();

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources (High)

This query object depends on a user-provided value.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to ensure that the user-provided data is properly sanitized or validated before being used in the database query. In this case, we can use the $set operator to ensure that the user input is interpreted as a literal value and not as a query object. This will prevent any potential NoSQL injection attacks.

  1. Modify the updateOne method in validations.repository.impl.ts to use the $set operator.
  2. Ensure that the object parameter is properly sanitized or validated before being used in the query.
Suggested changeset 1
src/models/validations/repository/validations.repository.impl.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/models/validations/repository/validations.repository.impl.ts b/src/models/validations/repository/validations.repository.impl.ts
--- a/src/models/validations/repository/validations.repository.impl.ts
+++ b/src/models/validations/repository/validations.repository.impl.ts
@@ -29,3 +29,3 @@
   updateOne(condition: any, object: any): Promise<ValidationsDocument> {
-    return this.ValidationsModel.findOneAndUpdate(condition, object, { new: true }).exec();
+    return this.ValidationsModel.findOneAndUpdate(condition, { $set: object }, { new: true }).exec();
   }
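Review bot: wrapping the update in `$set` does not address the finding, which is about `condition`: the filter is still passed to `findOneAndUpdate` unchanged, so an operator-valued entry in it still decides which document is selected. Apply the literal-value treatment (or `sanitizeFilter: true`) to `condition` as well, and give `object` a DTO type instead of `any` so the update body is validated before it reaches the repository.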
EOF
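The two `findOneAndUpdate` findings above share one root cause: both the filter and the update body come straight from the request. As an added example (not code from this PR or the project), the block below generalises the `$eq` idea from the first suggestion to every filter key and wraps the update in a `$set` restricted to an allow-list; `WRITABLE` is a constructed placeholder for the fields the DTO exposes, and no Mongoose dependency is used because the functions only construct the objects the query would receive.

```javascript
// Added example, not code from this PR: builds the filter and update objects
// a findOneAndUpdate call should receive when both come from the request.
// No Mongoose dependency; the functions only construct the objects, so the
// result can be inspected. WRITABLE is a constructed placeholder field list.

// Mongo interprets keys beginning with "$" as operators and keys containing
// "." as paths, so neither may come from the caller.
function assertPlainKey(key) {
  if (key.startsWith('$') || key.includes('.')) {
    throw new Error(`Rejected key in user input: ${key}`);
  }
}

function assertPlainObject(value, what) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${what} must be a plain object`);
  }
}

// Wrap every filter value in $eq so it is compared as a literal. The payload
// { _id: { $ne: null } }, which would otherwise select every document,
// becomes { _id: { $eq: { $ne: null } } } and only matches a document whose
// _id is literally that sub-document.
function literalFilter(condition) {
  assertPlainObject(condition, 'Filter');
  const out = {};
  for (const [key, value] of Object.entries(condition)) {
    assertPlainKey(key);
    out[key] = { $eq: value };
  }
  return out;
}

// Keep only allow-listed fields and wrap them in $set, so a body such as
// { $unset: { owner: 1 } } or { role: 'admin' } can neither smuggle an
// update operator nor write a field the DTO does not expose.
function literalSetUpdate(body, writableFields) {
  assertPlainObject(body, 'Update body');
  const fields = {};
  for (const [key, value] of Object.entries(body)) {
    assertPlainKey(key);
    if (!writableFields.has(key)) throw new Error(`Field not writable: ${key}`);
    fields[key] = value;
  }
  return { $set: fields };
}

// What the repository would now pass to ConnectorModel.findOneAndUpdate.
const WRITABLE = new Set(['name', 'url', 'enabled']);
function buildUpdateArgs(condition, body) {
  return [literalFilter(condition), literalSetUpdate(body, WRITABLE), { new: true }];
}
```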
for ( let key in search ) {
if ( search.hasOwnProperty( key ) ) {
let obj = {};
obj[ key ] = { $regex: new RegExp( search[ key ], 'i' ) };

Check failure

Code scanning / CodeQL

Regular expression injection (High)

This regular expression is constructed from a user-provided value.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to sanitize the user input before using it to construct a regular expression. The best way to do this is by using a sanitization function such as _.escapeRegExp from the lodash library. This function escapes special characters in the input that have special meaning in regular expressions, thus preventing injection attacks.

We will need to:

  1. Import the lodash library.
  2. Use the _.escapeRegExp function to sanitize search[key] before using it in the RegExp constructor.
Suggested changeset 1
src/modules/connectors/connectors.service.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/modules/connectors/connectors.service.ts b/src/modules/connectors/connectors.service.ts
--- a/src/modules/connectors/connectors.service.ts
+++ b/src/modules/connectors/connectors.service.ts
@@ -1,2 +1,3 @@
 import { HttpStatus, Injectable } from "@nestjs/common";
+import * as _ from 'lodash';
 import { CreateConnectorBodyDto, UpdateConnectorBodyDto, GetConnectorQueryDto } from "./dtos";
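Review bot: `import * as _ from 'lodash'` pulls the whole library in for a single helper; `import escapeRegExp from 'lodash/escapeRegExp'` keeps the dependency surface small, and lodash must actually be declared in package.json for this patch to compile.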
@@ -58,3 +59,3 @@
             let obj = {};
-            obj[ key ] = { $regex: new RegExp( search[ key ], 'i' ) };
+            obj[ key ] = { $regex: new RegExp( _.escapeRegExp( search[ key ] ), 'i' ) };
             condition[ '$or' ].push( obj );
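Review bot: escaping the value closes the regex injection, but `key` in this loop is also caller-supplied, so the request still chooses which document fields are searched. Restrict the searchable keys to an allow-list before building the `$or` clause, and reject non-string values, since `_.escapeRegExp` silently stringifies objects and arrays.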
EOF
private escapeSlashes(data) {
if (typeof data === "string") {
data = data.replace(/\\(?![nrtbf"'\\])/g, '\\\\');
data = data.replace(/"/g,'\\"')

Check failure

Code scanning / CodeQL

Incomplete string escaping or encoding (High)

This does not escape backslash characters in the input.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to ensure that all backslashes in the input string are properly escaped. This can be achieved by using a regular expression with the global flag to replace all occurrences of backslashes with double backslashes. Additionally, we should ensure that other characters are also escaped correctly.

The best way to fix the problem without changing existing functionality is to update the escapeSlashes method to use a regular expression that matches all backslashes and replaces them with double backslashes. We should also ensure that the other replacements are performed correctly.

Suggested changeset 1
src/modules/executor/providers/data-transformer.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/modules/executor/providers/data-transformer.ts b/src/modules/executor/providers/data-transformer.ts
--- a/src/modules/executor/providers/data-transformer.ts
+++ b/src/modules/executor/providers/data-transformer.ts
@@ -32,4 +32,4 @@
         if (typeof data === "string") {
-            data = data.replace(/\\(?![nrtbf"'\\])/g, '\\\\');
-            data = data.replace(/"/g,'\\"')
+            data = data.replace(/\\/g, '\\\\');
+            data = data.replace(/"/g, '\\"');
             data = data.replace(/'/g, "\\'");
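Review bot: this is a behaviour change, not only an escaping fix. The original lookahead deliberately left alone a backslash that already begins an escape sequence (`\n`, `\"`, `\\`), so input that was already escaped once will now come out double-escaped, while raw input such as `C:\new`, which the lookahead wrongly skipped, is now escaped correctly. Decide which of the two the transformer receives and keep this patch if it is raw; note also that the three `replace` calls can be collapsed into one pass, `data.replace(/[\\"']/g, '\\$&')`, which removes the ordering dependency between them.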
EOF
if (typeof data === "string") {
data = data.replace(/\\(?![nrtbf"'\\])/g, '\\\\');
data = data.replace(/"/g,'\\"')
data = data.replace(/'/g, "\\'");

Check failure

Code scanning / CodeQL

Incomplete string escaping or encoding (High)

This does not escape backslash characters in the input.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to ensure that all backslashes are properly escaped in the escapeSlashes method. This can be achieved by adding a line to replace all backslashes with double backslashes before handling other characters. This ensures that any backslashes in the input string are correctly escaped.

Suggested changeset 1
src/modules/executor/providers/data-transformer.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/modules/executor/providers/data-transformer.ts b/src/modules/executor/providers/data-transformer.ts
--- a/src/modules/executor/providers/data-transformer.ts
+++ b/src/modules/executor/providers/data-transformer.ts
@@ -32,3 +32,3 @@
         if (typeof data === "string") {
-            data = data.replace(/\\(?![nrtbf"'\\])/g, '\\\\');
+            data = data.replace(/\\/g, '\\\\');
             data = data.replace(/"/g,'\\"')
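Review bot: this changeset and the previous one edit the same line of `data-transformer.ts` to the same effect, so only one of them can be applied; `git apply` of the second will fail once the first has replaced the `-` line it expects. Pick one (the earlier one also tidies the `"` line) and close the duplicate alert against it.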
EOF
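To make the behaviour change in the two escaping suggestions above concrete, here is an added example (not code from the PR) that puts the original `escapeSlashes`, the autofix's version and a single-pass variant side by side on sample inputs. The non-string branch and the `return data` are assumptions, since the rest of the method is not shown on the page.

```javascript
// Added example, not code from this PR: the three variants of escapeSlashes
// discussed in the alerts, side by side, so the behaviour change the patch
// introduces can be checked on concrete input.

// As in the PR: only backslashes NOT followed by an escape-sequence character
// are doubled, so already-escaped input such as \n is left alone, but a lone
// backslash before n (e.g. the path C:\new) is also left alone, which is the
// gap CodeQL reports.
function escapeSlashesOriginal(data) {
  if (typeof data !== 'string') return data;
  data = data.replace(/\\(?![nrtbf"'\\])/g, '\\\\');
  data = data.replace(/"/g, '\\"');
  data = data.replace(/'/g, "\\'");
  return data;
}

// As in the autofix: every backslash is doubled first, then quotes are
// escaped. Correct for raw input; double-escapes input that was already escaped.
function escapeSlashesFixed(data) {
  if (typeof data !== 'string') return data;
  data = data.replace(/\\/g, '\\\\');
  data = data.replace(/"/g, '\\"');
  data = data.replace(/'/g, "\\'");
  return data;
}

// Single pass: each of \ " ' is escaped exactly once, whatever order the
// characters appear in, so there is no dependency between replace calls.
function escapeOnce(data) {
  if (typeof data !== 'string') return data;
  return data.replace(/[\\"']/g, '\\$&');
}
```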
async uploadBPMNFile(headers: CommonHeadersDto, file) {
const filename = sanitize(file.originalname);
const xml = require('fs').readFileSync(`${Paths.BPMN_XML}/$(unknown)`, 'utf8');
const xml = require('fs').readFileSync(file.path, 'utf8');

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression (High)

This path depends on a user-provided value.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to ensure that the file path is validated and sanitized before it is used. This can be done by resolving the path to remove any potentially harmful segments and then checking that the resolved path is within a designated safe directory.

  1. Use path.resolve to normalize the file path.
  2. Check that the resolved path starts with the root directory to ensure it is within the intended directory.
  3. If the path is not valid, return an error response.
Suggested changeset 1
src/modules/process-definitions/process-definitions.service.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/modules/process-definitions/process-definitions.service.ts b/src/modules/process-definitions/process-definitions.service.ts
--- a/src/modules/process-definitions/process-definitions.service.ts
+++ b/src/modules/process-definitions/process-definitions.service.ts
@@ -305,3 +305,10 @@
   async uploadBPMNFile(headers: CommonHeadersDto, file) {
-    const xml = require('fs').readFileSync(file.path, 'utf8');
+    const path = require('path');
+    const fs = require('fs');
+    const ROOT = '/src/shared/public/';
+    const resolvedPath = path.resolve(ROOT, file.path);
+    if (!resolvedPath.startsWith(ROOT)) {
+      throw new CustomError(HttpStatus.FORBIDDEN, CustomMessages.INVALID_FILE_PATH);
+    }
+    const xml = fs.readFileSync(resolvedPath, 'utf8');
     const options = { ignoreComment: true, alwaysChildren: true };
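Review bot: in a NestJS upload handler `file.path` is typically assigned by the storage engine of the upload middleware, not by the client; the caller-controlled value is `file.originalname`, which the line just above already runs through `sanitize`, so this check guards the wrong input. As written it also breaks uploads: `path.resolve(ROOT, file.path)` with an absolute `file.path` ignores `ROOT`, and `ROOT = '/src/shared/public/'` is a filesystem-root path rather than a project path, so `resolvedPath.startsWith(ROOT)` is false for a normal temp-directory upload and every request ends in FORBIDDEN. If a containment check is wanted, compare with `path.relative` against the directory the storage engine actually writes to, and confirm `CustomMessages.INVALID_FILE_PATH` exists, since the patch references it without adding it.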
EOF
for (let key in search) {
if (search.hasOwnProperty(key)) {
let obj = {};
obj[key] = { $regex: new RegExp(search[key], 'i') }

Check failure

Code scanning / CodeQL

Regular expression injection (High)

This regular expression is constructed from a user-provided value.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to sanitize the user input before using it to construct a regular expression. The best way to do this is by using a sanitization function such as _.escapeRegExp from the lodash library. This function escapes special characters in the input that have special meaning in regular expressions, thus preventing injection attacks.

We will:

  1. Import the lodash library.
  2. Use the _.escapeRegExp function to sanitize search[key] before constructing the regular expression.
Suggested changeset 1
src/modules/webhooks/webhooks.service.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/modules/webhooks/webhooks.service.ts b/src/modules/webhooks/webhooks.service.ts
--- a/src/modules/webhooks/webhooks.service.ts
+++ b/src/modules/webhooks/webhooks.service.ts
@@ -6,2 +6,3 @@
 import { WebhookRepositoryImpl } from "src/models/webhooks/repository/webhooks.repository.impl";
+import * as _ from 'lodash';
 
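Review bot: same remark as for the connectors service: prefer `import escapeRegExp from 'lodash/escapeRegExp'` over the namespace import, and place it with the other third-party imports rather than after the `src/...` repository import so the import order stays consistent.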
@@ -13,3 +14,2 @@
 
-
   async create(createWebhookDto: CreateWebhookBodyDto): Promise<CustomResponse | CustomError> {
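Review bot: this hunk only deletes a blank line and is unrelated to the regex finding; keep whitespace-only changes out of a security autofix so the diff shows exactly what closes the alert.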
@@ -46,3 +46,3 @@
             let obj = {};
-            obj[key] = { $regex: new RegExp(search[key], 'i') }
+            obj[key] = { $regex: new RegExp(_.escapeRegExp(search[key]), 'i') }
             condition['$or'].push(obj);
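Review bot: as in the connectors service, the field name `key` remains caller-chosen; add an allow-list of searchable webhook fields, otherwise the escape fixes the value but not which field is queried.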
EOF
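Both regex-injection findings (the connectors service above and this webhooks service) build the same `$or` condition from a `search` object, so one added example (not code from the PR or the project) serves both: it escapes the caller's values and restricts the searchable field names to an allow-list. `escapeRegExp` is a local equivalent of lodash's `_.escapeRegExp`, so the block has no dependency, and `ALLOWED` is a constructed placeholder.

```javascript
// Added example, not code from this PR: builds the $or search condition the
// connectors and webhooks services construct, with the caller's values
// escaped and the searchable field names restricted to an allow-list.

// Escape every character that has a meaning inside a JavaScript RegExp
// (a local stand-in for lodash's _.escapeRegExp).
function escapeRegExp(value) {
  return String(value).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build { $or: [ { field: { $regex: /.../i } }, ... ] } from a search object.
// A key outside the allow-list is skipped, so the request cannot search
// arbitrary document fields; a non-string value is skipped rather than
// stringified; the value is escaped so ".*" or a nested-quantifier pattern is
// matched literally instead of being compiled into the query.
// $or must not be empty in MongoDB, so an empty result becomes {}.
function buildSearchCondition(search, allowedFields) {
  const condition = { $or: [] };
  for (const key of Object.keys(search)) {
    if (!allowedFields.has(key) || typeof search[key] !== 'string') continue;
    const obj = {};
    obj[key] = { $regex: new RegExp(escapeRegExp(search[key]), 'i') };
    condition.$or.push(obj);
  }
  return condition.$or.length ? condition : {};
}

// Evaluate the condition against a document, mirroring what $or/$regex do
// server-side, so the effect of escaping can be checked without a database.
function matches(condition, doc) {
  if (!condition.$or) return true;
  return condition.$or.some((clause) =>
    Object.entries(clause).every(([field, { $regex }]) => $regex.test(String(doc[field] ?? '')))
  );
}

const ALLOWED = new Set(['name', 'description']);
```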
if (err) {
reject(err);
} else {
client[soapConnectorConfig.method](soapConnectorConfig.data, (err, result) => {

Check failure

Code scanning / CodeQL

Unvalidated dynamic method call (High)

Invocation of method with user-controlled name may dispatch to unexpected target and cause an exception.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to validate that the method name provided in soapConnectorConfig.method is a valid function on the client object before invoking it. This can be achieved by checking if the method exists and is of type function. If the method is not valid, we should handle the error appropriately.

  1. Check if client.hasOwnProperty(soapConnectorConfig.method) to ensure the method exists on the client object.
  2. Check if typeof client[soapConnectorConfig.method] === 'function' to ensure the method is a function.
  3. If both checks pass, invoke the method; otherwise, reject the promise with an appropriate error message.
Suggested changeset 1
src/shared/connectors/soap.connector.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/shared/connectors/soap.connector.ts b/src/shared/connectors/soap.connector.ts
--- a/src/shared/connectors/soap.connector.ts
+++ b/src/shared/connectors/soap.connector.ts
@@ -29,9 +29,13 @@
                 } else {
-                    client[soapConnectorConfig.method](soapConnectorConfig.data, (err, result) => {
-                        if (err) {
-                            reject(err);
-                        } else {
-                            resolve(result);
-                        }
-                    });
+                    if (client.hasOwnProperty(soapConnectorConfig.method) && typeof client[soapConnectorConfig.method] === 'function') {
+                        client[soapConnectorConfig.method](soapConnectorConfig.data, (err, result) => {
+                            if (err) {
+                                reject(err);
+                            } else {
+                                resolve(result);
+                            }
+                        });
+                    } else {
+                        reject(new Error(`Invalid method: ${soapConnectorConfig.method}`));
+                    }
                 }
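Review bot: `client.hasOwnProperty(name) && typeof client[name] === 'function'` still lets the request name any own function of the SOAP client, not only WSDL operations; on a node-soap client that includes management methods such as `setSecurity`, `addSoapHeader` and `setEndpoint`, which must not be reachable from `soapConnectorConfig.method`. Build the allow-list from the operations in `client.describe()` (or a static list in the connector config) and check membership in that, and use `Object.prototype.hasOwnProperty.call(client, name)` rather than `client.hasOwnProperty`, which a same-named property could shadow. Consider not echoing the raw method name into the rejection message if that error can propagate to the response.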
EOF
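As an added example (not code from the PR or the project), the block below dispatches the SOAP call only when the requested method is one of the operations the client exposes, instead of any function that happens to be an own property of the client. The client is a constructed stand-in shaped like a node-soap client (`describe()` returning `{ service: { port: { operation } } }`, one `(args, callback)` method per operation, plus a `setSecurity` management method that must not be callable by name); the service and operation names are made up.

```javascript
// Added example, not code from this PR: allow-list dispatch for the dynamic
// method call flagged in soap.connector.ts. The fake client below is
// constructed for offline testing and mimics node-soap's shape.

// Collect operation names from client.describe().
function listOperations(client) {
  const ops = new Set();
  for (const service of Object.values(client.describe())) {
    for (const port of Object.values(service)) {
      for (const op of Object.keys(port)) ops.add(op);
    }
  }
  return ops;
}

// Resolve the requested name to a callable operation or throw. Membership in
// the WSDL operation set is checked before the property is touched at all, so
// names like "setSecurity", "describe" or "__proto__" never reach client[...].
function selectOperation(client, method) {
  if (typeof method !== 'string' || !listOperations(client).has(method)) {
    throw new Error('Unknown SOAP operation');
  }
  const fn = Object.prototype.hasOwnProperty.call(client, method) ? client[method] : undefined;
  if (typeof fn !== 'function') throw new Error('SOAP operation not callable');
  return fn;
}

// Promise-wrapped invocation, the shape used in soap.connector.ts.
function invokeSoapOperation(client, soapConnectorConfig) {
  return new Promise((resolve, reject) => {
    let fn;
    try { fn = selectOperation(client, soapConnectorConfig.method); } catch (e) { return reject(e); }
    fn.call(client, soapConnectorConfig.data, (err, result) => (err ? reject(err) : resolve(result)));
  });
}

// Constructed fake client: one WSDL operation plus a management method.
function makeFakeClient() {
  return {
    describe: () => ({ StockService: { StockPort: { GetQuote: { input: {}, output: {} } } } }),
    GetQuote: (args, cb) => cb(null, { symbol: args.symbol, price: 42 }),
    setSecurity: (sec, cb) => cb(null, 'security replaced'),
  };
}
```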