Merge pull request #80 from RedisInsight/feature/codeql-fe-fixes

#RI-2088 - codeql fe fixes

Author: rsergeenko

.github/workflows/codeql-analysis.yml

@@ -13,7 +13,7 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ main, latest, release/* ]
+    branches: [ main, latest, release/*, codeql ]
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ main ]

configs/webpack.config.main.prod.babel.js

@@ -1,7 +1,6 @@
 import path from 'path';
 import webpack from 'webpack';
 import { merge } from 'webpack-merge';
-import TerserPlugin from 'terser-webpack-plugin';
 import { BundleAnalyzerPlugin } from 'webpack-bundle-analyzer';
 import baseConfig from './webpack.config.base';
 import DeleteSourceMaps from '../scripts/DeleteSourceMaps';

redisinsight/api/src/modules/browser/dto/keys.dto.ts

@@ -201,7 +201,7 @@ export class UpdateKeyTtlDto {
   @ApiProperty({
     type: Number,
     description:
-      'Set a timeout on key in seconds. After the timeout has expired, the key will automatically be deleted.'
+      'Set a timeout on key in seconds. After the timeout has expired, the key will automatically be deleted. '
       + 'If the property has value of -1, then the key timeout will be removed.',
     maximum: MAX_TTL_NUMBER,
   })
@@ -216,7 +216,7 @@ export class KeyTtlResponse {
     type: Number,
     description:
       'The remaining time to live of a key that has a timeout. '
-      + 'If value equals -2 then the key does not exist or has deleted.'
+      + 'If value equals -2 then the key does not exist or has deleted. '
       + 'If value equals -1 then the key has no associated expire (No limit).',
     maximum: MAX_TTL_NUMBER,
   })

redisinsight/api/src/modules/browser/services/keys-business/scanner/strategies/cluster.strategy.ts

@@ -12,15 +12,11 @@ import {
   GetKeysWithDetailsResponse,
   RedisDataType,
 } from 'src/modules/browser/dto';
-import ERROR_MESSAGES from 'src/constants/error-messages';
+import { parseClusterCursor } from 'src/modules/browser/utils/clusterCursor';
 import { ISettingsProvider } from 'src/modules/core/models/settings-provider.interface';
 import { AbstractStrategy } from './abstract.strategy';
 import { IGetNodeKeysResult } from '../scanner.interface';
 
-const NODES_SEPARATOR = '||';
-const CURSOR_SEPARATOR = '@';
-// Correct format 172.17.0.1:7001@-1||172.17.0.1:7002@33
-const CLUSTER_CURSOR_REGEX = /^(([a-z0-9.])+:[0-9]+(@-?\d+))+((\|\|)?([a-z0-9.])+:[0-9]+(@-?\d+))*$/;
 const REDIS_SCAN_CONFIG = config.get('redis_scan');
 
 export class ClusterStrategy extends AbstractStrategy {
@@ -100,7 +96,7 @@ export class ClusterStrategy extends AbstractStrategy {
     initialCursor: string,
   ): Promise<IGetNodeKeysResult[]> {
     if (Number.isNaN(toNumber(initialCursor))) {
-      return this.getNodesFromClusterCursor(initialCursor);
+      return parseClusterCursor(initialCursor);
     }
 
     const clusterNodes = await this.redisManager.getNodes(
@@ -118,35 +114,6 @@ export class ClusterStrategy extends AbstractStrategy {
     }));
   }
 
-  /**
-   * Parses composed custom cursor from FE and returns nodes
-   * Format: 172.17.0.1:7001@22||172.17.0.1:7002@33
-   */
-  private getNodesFromClusterCursor(cursor: string): IGetNodeKeysResult[] {
-    const isCorrectFormat = CLUSTER_CURSOR_REGEX.test(cursor);
-    if (!isCorrectFormat) {
-      throw new Error(ERROR_MESSAGES.INCORRECT_CLUSTER_CURSOR_FORMAT);
-    }
-    const nodeStrings = cursor.split(NODES_SEPARATOR);
-    const nodes = [];
-
-    nodeStrings.forEach((item: string) => {
-      const [address, nextCursor] = item.split(CURSOR_SEPARATOR);
-      const [host, port] = address.split(':');
-      if (parseInt(nextCursor, 10) >= 0) {
-        nodes.push({
-          total: 0,
-          scanned: 0,
-          host,
-          port: parseInt(port, 10),
-          cursor: parseInt(nextCursor, 10),
-          keys: [],
-        });
-      }
-    });
-    return nodes;
-  }
-
   private async calculateNodesTotalKeys(
     clientOptions,
     nodes: IGetNodeKeysResult[],

redisinsight/api/src/modules/browser/utils/clusterCursor.spec.ts

@@ -0,0 +1,85 @@
+import ERROR_MESSAGES from 'src/constants/error-messages';
+import { isClusterCursorValid, parseClusterCursor } from './clusterCursor';
+
+const isClusterCursorValidTests = [
+  { input: '172.17.0.1:7001@22||172.17.0.1:7002@33', expected: true },
+  { input: '172.17.0.1:7001@-1||172.17.0.1:7002@-1', expected: true },
+  {
+    input: '172.17.0.1:7001@10'
+      + '||172.17.0.1:7002@10'
+      + '||172.17.0.1:7003@10'
+      + '||172.17.0.1:7004@10'
+      + '||172.17.0.1:7005@10'
+      + '||172.17.0.1:7006@10',
+    expected: true,
+  },
+  { input: '172.17.0.1:7001@-1', expected: true },
+  { input: 'domain.com:7001@-1', expected: true },
+  { input: '172.17.0.1:7001@1228822', expected: true },
+  { input: '172.17.0.1:7001@', expected: false },
+  { input: '172.17.0.1:7001@text', expected: false },
+  { input: '172,17,0,1:7001@-1', expected: false },
+  { input: 'plain text', expected: false },
+  { input: 'text@text||text@text', expected: false },
+  { input: 'text@text', expected: false },
+  { input: '', expected: false },
+];
+
+describe('isClusterCursorValid', () => {
+  it.each(isClusterCursorValidTests)('%j', ({ input, expected }) => {
+    expect(isClusterCursorValid(input)).toBe(expected);
+  });
+});
+
+const defaultNodeScanResult = {
+  total: 0, scanned: 0, host: '172.17.0.1', port: 0, cursor: 0, keys: [],
+};
+const parsingError = new Error(ERROR_MESSAGES.INCORRECT_CLUSTER_CURSOR_FORMAT);
+const parseClusterCursorTests = [
+  {
+    input: '172.17.0.1:7001@22||172.17.0.1:7002@33',
+    expected: [
+      { ...defaultNodeScanResult, port: 7001, cursor: 22 },
+      { ...defaultNodeScanResult, port: 7002, cursor: 33 },
+    ],
+  },
+  {
+    input: '172.17.0.1:7001@-1'
+      + '||172.17.0.1:7002@10'
+      + '||172.17.0.1:7003@-1'
+      + '||172.17.0.1:7004@10'
+      + '||172.17.0.1:7005@-1'
+      + '||172.17.0.1:7006@10',
+    expected: [
+      { ...defaultNodeScanResult, port: 7002, cursor: 10 },
+      { ...defaultNodeScanResult, port: 7004, cursor: 10 },
+      { ...defaultNodeScanResult, port: 7006, cursor: 10 },
+    ],
+  },
+  {
+    input: '172.17.0.1:7001@-1||172.17.0.1:7002@-1',
+    expected: [],
+  },
+  { input: '172.17.0.1:7001@', expected: parsingError },
+  { input: '172.17.0.1:7001@text', expected: parsingError },
+  { input: '172,17,0,1:7001@-1', expected: parsingError },
+  { input: 'plain text', expected: parsingError },
+  { input: 'text@text||text@text', expected: parsingError },
+  { input: 'text@text', expected: parsingError },
+  { input: '', expected: parsingError },
+  { input: '', expected: parsingError },
+];
+
+describe('parseClusterCursor', () => {
+  it.each(parseClusterCursorTests)('%j', ({ input, expected }) => {
+    if (expected instanceof Error) {
+      try {
+        parseClusterCursor(input);
+      } catch (e) {
+        expect(e.message).toEqual(expected.message);
+      }
+    } else {
+      expect(parseClusterCursor(input)).toEqual(expected);
+    }
+  });
+});

redisinsight/api/src/modules/browser/utils/clusterCursor.ts

@@ -0,0 +1,39 @@
+import ERROR_MESSAGES from 'src/constants/error-messages';
+import { IGetNodeKeysResult } from 'src/modules/browser/services/keys-business/scanner/scanner.interface';
+
+const NODES_SEPARATOR = '||';
+const CURSOR_SEPARATOR = '@';
+// Correct format 172.17.0.1:7001@-1||172.17.0.1:7002@33
+const CLUSTER_CURSOR_REGEX = /^(([a-z0-9.])+:[0-9]+(@-?\d+)(?:\|{2}(?!$)|$))+$/;
+
+export const isClusterCursorValid = (cursor) => CLUSTER_CURSOR_REGEX.test(cursor);
+
+/**
+ * Parses composed custom cursor from FE and returns nodes
+ * Format: 172.17.0.1:7001@22||172.17.0.1:7002@33
+ */
+export const parseClusterCursor = (cursor: string): IGetNodeKeysResult[] => {
+  if (!isClusterCursorValid(cursor)) {
+    throw new Error(ERROR_MESSAGES.INCORRECT_CLUSTER_CURSOR_FORMAT);
+  }
+  const nodeStrings = cursor.split(NODES_SEPARATOR);
+  const nodes = [];
+
+  nodeStrings.forEach((item: string) => {
+    const [address, nextCursor] = item.split(CURSOR_SEPARATOR);
+    const [host, port] = address.split(':');
+
+    // ignore nodes with cursor -1 (fully scanned)
+    if (parseInt(nextCursor, 10) >= 0) {
+      nodes.push({
+        total: 0,
+        scanned: 0,
+        host,
+        port: parseInt(port, 10),
+        cursor: parseInt(nextCursor, 10),
+        keys: [],
+      });
+    }
+  });
+  return nodes;
+};

redisinsight/api/src/utils/hosting-provider-helper.ts

@@ -1,6 +1,9 @@
 import { HostingProvider } from 'src/modules/core/models/database-instance.entity';
 import { IP_ADDRESS_REGEX, PRIVATE_IP_ADDRESS_REGEX } from 'src/constants';
 
+// Ignore LGTM [js/incomplete-url-substring-sanitization] alert.
+// Because we do not bind potentially dangerous logic to this.
+// We define a hosting provider for telemetry only.
 export const getHostingProvider = (host: string): HostingProvider => {
   // Tries to detect the hosting provider from the hostname.
   if (host === '0.0.0.0' || host === 'localhost') {
@@ -9,12 +12,13 @@ export const getHostingProvider = (host: string): HostingProvider => {
   if (IP_ADDRESS_REGEX.test(host) && PRIVATE_IP_ADDRESS_REGEX.test(host)) {
     return HostingProvider.LOCALHOST;
   }
-  if (host.endsWith('rlrcp.com') || host.endsWith('redislabs.com')) {
+  if (host.endsWith('rlrcp.com') || host.endsWith('redislabs.com')) { // lgtm[js/incomplete-url-substring-sanitization]
     return HostingProvider.RE_CLOUD;
   }
-  if (host.endsWith('cache.amazonaws.com')) {
+  if (host.endsWith('cache.amazonaws.com')) { // lgtm[js/incomplete-url-substring-sanitization]
     return HostingProvider.AWS;
   }
+  // lgtm[js/incomplete-url-substring-sanitization]
   if (host.endsWith('cache.windows.net')) {
     return HostingProvider.AZURE;
   }

redisinsight/main.dev.ts

@@ -185,11 +185,10 @@ export const createWindow = async (splash: BrowserWindow | null = null) => {
     webPreferences: {
       nodeIntegration: true,
       nodeIntegrationInWorker: true,
-      webSecurity: false,
+      webSecurity: true,
       contextIsolation: false,
       spellcheck: true,
-      allowRunningInsecureContent: true,
-      enableRemoteModule: true,
+      allowRunningInsecureContent: false,
       scrollBounce: true,
     },
   });

redisinsight/ui/src/components/ContentEditable.tsx

@@ -28,9 +28,9 @@ export const parseMultilineContentEditableChangeHtml = (text: string = '') =>
 export const parseContentEditableHtml = (text: string = '') =>
   text
     .replace(/ /gi, ' ')
-    .replace(/&/gi, '&')
     .replace(/&lt;/gi, '<')
     .replace(/&gt;/gi, '>')
+    .replace(/&amp;/gi, '&')
 
 const onPaste = (e: React.ClipboardEvent) => {
   e.preventDefault()

redisinsight/ui/src/components/query-card/QueryCardCliPlugin/QueryCardCliPlugin.tsx

@@ -45,8 +45,6 @@ const QueryCardCliPlugin = (props: Props) => {
   const generatedIframeNameRef = useRef<string>('')
   const { theme } = useContext(ThemeContext)
 
-  const dispatch = useDispatch()
-
   const sendMessageToPlugin = (data = {}) => {
     const event: any = document.createEvent('Event')
     event.initEvent('message', false, false)
@@ -63,21 +61,6 @@ const QueryCardCliPlugin = (props: Props) => {
     })
   }
 
-  const sendRedisCommand = (command: string, requestId: string) => {
-    dispatch(
-      sendPluginCommandAction({
-        command,
-        onSuccessAction: (response) => {
-          sendMessageToPlugin({
-            event: 'executeRedisCommand',
-            requestId,
-            data: response
-          })
-        }
-      })
-    )
-  }
-
   useEffect(() => {
     if (currentView === null) return
     pluginApi.onEvent(generatedIframeNameRef.current, PluginEvents.heightChanged, (height: string) => {