code fixes

Author: ArtemHoruzhenko

.snyk

@@ -2,6 +2,7 @@
 exclude:
   global:
     - __mocks__/**
+    - tests
     - redisinsight/api/test/**
     - "*.spec.ts"
     - "*.spec.tsx"

redisinsight/api/config/default.ts

@@ -81,6 +81,10 @@ export default {
     excludeRoutes: [],
     excludeAuthRoutes: [],
   },
+  encryption: {
+    encryptionIV: process.env.RI_ENCRYPTION_IV || Buffer.alloc(16, 0),
+    encryptionAlgorithm: process.env.RI_ENCRYPTION_ALGORYTHM || 'aes-256-cbc',
+  },
   sockets: {
     cors: process.env.RI_SOCKETS_CORS ? process.env.RI_SOCKETS_CORS === 'true' : false,
     serveClient: process.env.RI_SOCKETS_SERVE_CLIENT ? process.env.RI_SOCKETS_SERVE_CLIENT === 'true' : false,

redisinsight/api/src/modules/cloud/user/cloud-user.api.service.ts

@@ -74,9 +74,9 @@ export class CloudUserApiService {
         throw new CloudApiUnauthorizedException();
       }
 
-      const decodedJwt = decode(session.accessToken);
+      const { exp } = JSON.parse(Buffer.from(session.accessToken.split('.')[1], 'base64').toString());
 
-      const expiresIn = decodedJwt.exp * 1_000 - Date.now();
+      const expiresIn = exp * 1_000 - Date.now();
 
       if (expiresIn < cloudConfig.renewTokensBeforeExpire) {
         // need to renew

redisinsight/api/src/modules/encryption/strategies/key-encryption.strategy.ts

@@ -11,9 +11,9 @@ import {
 } from 'src/modules/encryption/exceptions';
 import config, { Config } from 'src/utils/config';
 
-const ALGORITHM = 'aes-256-cbc';
 const HASH_ALGORITHM = 'sha256';
 const SERVER_CONFIG = config.get('server') as Config['server'];
+const ENCRYPTION_CONFIG = config.get('encryption') as Config['encryption'];
 
 @Injectable()
 export class KeyEncryptionStrategy implements IEncryptionStrategy {
@@ -27,6 +27,10 @@ export class KeyEncryptionStrategy implements IEncryptionStrategy {
     this.key = SERVER_CONFIG.encryptionKey;
   }
 
+  private getCipherIV(): Buffer {
+    return Buffer.from(ENCRYPTION_CONFIG.encryptionIV).slice(0, 16);
+  }
+
   /**
    * Will return existing cipher stored in-memory or
    * create new one using specified key and store it in-memory
@@ -55,7 +59,7 @@ export class KeyEncryptionStrategy implements IEncryptionStrategy {
   async encrypt(data: string): Promise<EncryptionResult> {
     const cipherKey = await this.getCipherKey();
     try {
-      const cipher = createCipheriv(ALGORITHM, cipherKey, Buffer.alloc(16, 0));
+      const cipher = createCipheriv(ENCRYPTION_CONFIG.encryptionAlgorithm, cipherKey, this.getCipherIV());
       let encrypted = cipher.update(data, 'utf8', 'hex');
       encrypted += cipher.final('hex');
 
@@ -77,7 +81,7 @@ export class KeyEncryptionStrategy implements IEncryptionStrategy {
     const cipherKey = await this.getCipherKey();
 
     try {
-      const decipher = createDecipheriv(ALGORITHM, cipherKey, Buffer.alloc(16, 0));
+      const decipher = createDecipheriv(ENCRYPTION_CONFIG.encryptionAlgorithm, cipherKey, this.getCipherIV());
       let decrypted = decipher.update(data, 'hex', 'utf8');
       decrypted += decipher.final('utf8');
       return decrypted;

redisinsight/api/src/modules/encryption/strategies/keytar-encryption.strategy.ts

@@ -13,8 +13,8 @@ import config, { Config } from 'src/utils/config';
 
 const SERVICE = 'redisinsight';
 const ACCOUNT = 'app';
-const ALGORITHM = 'aes-256-cbc';
 const SERVER_CONFIG = config.get('server') as Config['server'];
+const ENCRYPTION_CONFIG = config.get('encryption') as Config['encryption'];
 
 @Injectable()
 export class KeytarEncryptionStrategy implements IEncryptionStrategy {
@@ -71,6 +71,10 @@ export class KeytarEncryptionStrategy implements IEncryptionStrategy {
     }
   }
 
+  private getCipherIV(): Buffer {
+    return Buffer.from(ENCRYPTION_CONFIG.encryptionIV).slice(0, 16);
+  }
+
   /**
    * Get password from storage and create cipher key
    * Note: Will generate new password if it doesn't exists yet
@@ -107,7 +111,7 @@ export class KeytarEncryptionStrategy implements IEncryptionStrategy {
   async encrypt(data: string): Promise<EncryptionResult> {
     const cipherKey = await this.getCipherKey();
     try {
-      const cipher = createCipheriv(ALGORITHM, cipherKey, Buffer.alloc(16, 0));
+      const cipher = createCipheriv(ENCRYPTION_CONFIG.encryptionAlgorithm, cipherKey, this.getCipherIV());
       let encrypted = cipher.update(data, 'utf8', 'hex');
       encrypted += cipher.final('hex');
 
@@ -128,7 +132,7 @@ export class KeytarEncryptionStrategy implements IEncryptionStrategy {
 
     const cipherKey = await this.getCipherKey();
     try {
-      const decipher = createDecipheriv(ALGORITHM, cipherKey, Buffer.alloc(16, 0));
+      const decipher = createDecipheriv(ENCRYPTION_CONFIG.encryptionAlgorithm, cipherKey, this.getCipherIV());
       let decrypted = decipher.update(data, 'hex', 'utf8');
       decrypted += decipher.final('utf8');
       return decrypted;

redisinsight/api/src/modules/rdi/client/api.rdi.client.ts

@@ -172,9 +172,9 @@ export class ApiRdiClient extends RdiClient {
         { username: this.rdi.username, password: this.rdi.password },
       );
       const accessToken = response.data.access_token;
-      const decodedJwt = decode(accessToken);
+      const { exp } = JSON.parse(Buffer.from(accessToken.split('.')[1], 'base64').toString());
 
-      this.auth = { jwt: accessToken, exp: decodedJwt.exp };
+      this.auth = { jwt: accessToken, exp };
       this.client.defaults.headers.common['Authorization'] = `Bearer ${accessToken}`;
     } catch (e) {
       throw wrapRdiPipelineError(e);

redisinsight/ui/src/pages/home/components/cluster-connection/cluster-connection-form/ClusterConnectionForm.tsx

@@ -61,6 +61,7 @@ const fieldDisplayNames: Values = {
   host: 'Cluster Host',
   port: 'Cluster Port',
   username: 'Admin Username',
+  // deepcode ignore NoHardcodedPasswords: <Not a passowrd but "password" field placeholder>
   password: 'Admin Password',
 }