@itentialopensource/adapter-utils 5.3.9 → 5.3.10

package/CHANGELOG.md

@@ -1,4 +1,12 @@
 
+## 5.3.10 [03-06-2024]
+
+* Fix some security vulnerabilities
+
+See merge request itentialopensource/adapter-utils!289
+
+---
+
 ## 5.3.9 [03-04-2024]
 
 * Resolve ADAPT-3296

package/lib/connectorRest.js

@@ -416,10 +416,12 @@ function returnStub(request, entitySchema, callProperties) {
   if (reqBody && (!entitySchema || !entitySchema.requestDatatype
     || entitySchema.requestDatatype.toUpperCase() === 'JSON' || entitySchema.requestDatatype.toUpperCase() === 'URLENCODE')) {
     let reqBdObj = null;
-    if (entitySchema && entitySchema.requestDatatype && entitySchema.requestDatatype.toUpperCase() === 'URLENCODE') {
-      reqBdObj = querystring.parse(reqBody.trim());
-    } else {
-      reqBdObj = JSON.parse(reqBody.trim());
+    if (typeof reqBody === 'string') {
+      if (entitySchema && entitySchema.requestDatatype && entitySchema.requestDatatype.toUpperCase() === 'URLENCODE') {
+        reqBdObj = querystring.parse(reqBody.trim());
+      } else {
+        reqBdObj = JSON.parse(reqBody.trim());
+      }
     }
 
     specificResp = checkBodyData(uriPath, method, reqBdObj, mockresponses, entitySchema.responseDatatype);
@@ -687,7 +689,10 @@ function makeRequest(request, entitySchema, callProperties, startTrip, attempt,
       // add the data for each field into the form
       const mykeys = Object.keys(mybody);
       if (mykeys.length === 2 && mykeys[0] === 'file' && mykeys[1] === 'convertBase64ToBuffer') {
-        const filePart = mybody[mykeys[0]].split(';');
+        let filePart = mybody[mykeys[0]];
+        if (typeof filePart === 'string') {
+          filePart = filePart.split(';');
+        }
         let fileName = null;
         // see if we have a filename that we should add to the formdata
         for (let p = 1; p < filePart.length; p += 1) {
@@ -710,11 +715,20 @@ function makeRequest(request, entitySchema, callProperties, startTrip, attempt,
         for (let k = 0; k < mykeys.length; k += 1) {
           if (mykeys[k] === 'file') {
             let fileVal = mybody[mykeys[k]];
-            if (fileVal.indexOf('@') === 0) {
+            if ((typeof fileVal === 'string') && (fileVal.indexOf('@') === 0)) {
               // if there are multiple parts - first part is full path to file, other part can be name (starts with name=)
               const filePart = fileVal.split(';');
               let fileName = null;
-              fileVal = fs.readFileSync(filePart[0].substring(1));
+
+              // get the path for the specific file
+              // const dataFile = path.join(__dirname, `/uploads/${filePart[0].substring(1)}`);
+              // const dataFile = path.join(__dirname, '/../uploads/filetoupload');
+              // Read the action from the file system
+              if (request.filePath) {
+                fileVal = fs.readFileSync(request.filePath);
+              } else {
+                fileVal = '';
+              }
 
               // see if we have a filename that we should add to the formdata
               for (let p = 1; p < filePart.length; p += 1) {

package/lib/restHandler.js

@@ -142,9 +142,40 @@ function handleRestRequest(request, entityId, entitySchema, callProperties, filt
   const origin = `${id}-restHandler-handleRestRequest`;
   log.trace(origin);
 
+  // copy the request so lint does not complain about update
+  const newReqObj = request;
+
+  // this is only something in Form data with files
+  if (entitySchema && entitySchema.requestDatatype && entitySchema.requestDatatype.toUpperCase() === 'FORM') {
+    // need to convert request.body back to JSON
+    let mybody = newReqObj.body;
+    if (typeof mybody === 'string') {
+      try {
+        mybody = JSON.parse(newReqObj.body);
+      } catch (ex) {
+        log.debug('Rest Handler can not parse Form Body');
+      }
+    }
+    // set the filePath into the request object
+    const mykeys = Object.keys(mybody);
+    for (let k = 0; k < mykeys.length; k += 1) {
+      if (mykeys[k] === 'file') {
+        const itemVal = mybody[mykeys[k]];
+        if ((typeof itemVal === 'string') && (itemVal.indexOf('@') === 0)) {
+          const fileVal = itemVal;
+          if (fileVal.indexOf('@') === 0) {
+            const filePart = fileVal.split(';');
+            newReqObj.filePath = filePart[0].substring(1);
+          }
+        }
+        break;
+      }
+    }
+  }
+
   try {
     // perform the request to get entity(ies)
-    return connectorInst.performRequest(request, entitySchema, callProperties, (resObj, perror) => {
+    return connectorInst.performRequest(newReqObj, entitySchema, callProperties, (resObj, perror) => {
       if (perror) {
         let retError = null;
         const retErrorObj = perror;
@@ -219,13 +250,13 @@ function handleRestRequest(request, entityId, entitySchema, callProperties, filt
 
       if (entitySchema.responseObjects) {
         const responseKeys = entitySchema.responseObjects;
-        const uriPath = request.origPath;
-        const method = request.method.toUpperCase();
-        const reqBody = request.body;
-        const reqPath = request.path;
+        const uriPath = newReqObj.origPath;
+        const method = newReqObj.method.toUpperCase();
+        const reqBody = newReqObj.body;
+        const reqPath = newReqObj.path;
 
         // if there is a request body, see if there is something that matches a specific input
-        if (reqBody && (!entitySchema || !entitySchema.requestDatatype
+        if (reqBody && (typeof reqBody === 'string') && (!entitySchema || !entitySchema.requestDatatype
             || entitySchema.requestDatatype.toUpperCase() === 'JSON' || entitySchema.requestDatatype.toUpperCase() === 'URLENCODE')) {
           let reqBdObj = null;
           if (entitySchema && entitySchema.requestDatatype && entitySchema.requestDatatype.toUpperCase() === 'URLENCODE') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@itentialopensource/adapter-utils",
-  "version": "5.3.9",
+  "version": "5.3.10",
   "description": "Itential Adapter Utility Libraries",
   "scripts": {
     "postinstall": "node utils/setup.js",