@ui5/server 4.0.2 → 4.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/CHANGELOG.md +15 -1
  2. package/lib/middleware/serveResources.js +7 -2
  3. package/lib/sslUtil.js +26 -8
  4. package/package.json +9 -7
package/CHANGELOG.md CHANGED
@@ -2,7 +2,19 @@
2
2
  All notable changes to this project will be documented in this file.
3
3
  This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
4
4
 
5
- A list of unreleased changes can be found [here](https://github.com/SAP/ui5-server/compare/v4.0.2...HEAD).
5
+ A list of unreleased changes can be found [here](https://github.com/SAP/ui5-server/compare/v4.0.4...HEAD).
6
+
7
+ <a name="v4.0.4"></a>
8
+ ## [v4.0.4] - 2024-08-27
9
+ ### Bug Fixes
10
+ - Ensure SSL credentials are only readable by owner [`7220dbb`](https://github.com/SAP/ui5-server/commit/7220dbb2237dbf3104dcb88c15c1ca86b61ba49d)
11
+
12
+
13
+ <a name="v4.0.3"></a>
14
+ ## [v4.0.3] - 2024-08-09
15
+ ### Bug Fixes
16
+ - **serveResources:** Do not process manifest.json in test-resources [`964e784`](https://github.com/SAP/ui5-server/commit/964e784f41479300ba45eb4a4818ddd0449d41e7)
17
+
6
18
 
7
19
  <a name="v4.0.2"></a>
8
20
  ## [v4.0.2] - 2024-08-01
@@ -375,6 +387,8 @@ Only Node.js v10 or higher is supported.
375
387
 
376
388
  <a name="v0.0.1"></a>
377
389
  ## v0.0.1 - 2018-06-06
390
+ [v4.0.4]: https://github.com/SAP/ui5-server/compare/v4.0.3...v4.0.4
391
+ [v4.0.3]: https://github.com/SAP/ui5-server/compare/v4.0.2...v4.0.3
378
392
  [v4.0.2]: https://github.com/SAP/ui5-server/compare/v4.0.1...v4.0.2
379
393
  [v4.0.1]: https://github.com/SAP/ui5-server/compare/v4.0.0...v4.0.1
380
394
  [v4.0.0]: https://github.com/SAP/ui5-server/compare/v3.1.5...v4.0.0
package/lib/middleware/serveResources.js CHANGED
@@ -9,6 +9,7 @@ const rProperties = /\.properties$/i;
9
9
  const rReplaceVersion = /\.(library|js|json)$/i;
10
10
  const rManifest = /\/manifest\.json$/i;
11
11
  const rResourcesPrefix = /^\/resources\//i;
12
+ const rTestResourcesPrefix = /^\/test-resources\//i;
12
13
 
13
14
  function isFresh(req, res) {
14
15
  return fresh(req.headers, {
@@ -49,9 +50,13 @@ function createMiddleware({resources, middlewareUtil}) {
49
50
  next();
50
51
  return;
51
52
  }
52
- } else if (rManifest.test(resource.getPath()) && resource.getProject()?.getNamespace()) {
53
+ } else if (
54
+ rManifest.test(pathname) && !rTestResourcesPrefix.test(pathname) &&
55
+ resource.getProject()?.getNamespace()
56
+ ) {
53
57
  // Special handling for manifest.json file by adding additional content to the served manifest.json
54
- // NOTE: This should only be done for manifest.json files that exist in the sources.
58
+ // NOTE: This should only be done for manifest.json files that exist in the sources,
59
+ // not in test-resources.
55
60
  // Files created by generateLibraryManifest (see above) should not be handled in here.
56
61
  // Only manifest.json files in library / application projects should be handled.
57
62
  // resource.getProject.getNamespace() returns null for all other kind of projects.
package/lib/sslUtil.js CHANGED
@@ -1,5 +1,5 @@
1
1
  import os from "node:os";
2
- import {stat, readFile, writeFile, mkdir} from "node:fs/promises";
2
+ import {stat, readFile, writeFile, mkdir, chmod, constants} from "node:fs/promises";
3
3
  import path from "node:path";
4
4
  import {getLogger} from "@ui5/logger";
5
5
 
@@ -27,18 +27,36 @@ export function getSslCertificate(
27
27
  ) {
28
28
  // checks the certificates if they are present
29
29
  return Promise.all([
30
- fileExists(keyPath).then((bExists) => {
31
- if (!bExists) {
30
+ fileExists(keyPath).then(async (statsOrFalse) => {
31
+ if (!statsOrFalse) {
32
32
  log.verbose(`No SSL private key found at ${keyPath}`);
33
33
  return false;
34
34
  }
35
+ if (statsOrFalse.mode & constants.S_IWUSR || statsOrFalse.mode & constants.S_IROTH) {
36
+ // Note: According to the Node.js docs, "On Windows, only S_IRUSR and S_IWUSR are available"
37
+ // Therefore we first check for "writable by owner" (S_IWUSR), even though we are more interested in
38
+ // "readable by others", which we still check on platforms where it's supported
39
+ log.verbose(`Detected outdated file permissions for private key file at ${keyPath}. ` +
40
+ `Fixing permissions...`);
41
+ await chmod(keyPath, 0o400).catch((err) => {
42
+ log.error(`Failed to update permissions of private key file at ${keyPath}: ${err}`);
43
+ });
44
+ }
35
45
  return readFile(keyPath);
36
46
  }),
37
- fileExists(certPath).then((bExists) => {
38
- if (!bExists) {
47
+ fileExists(certPath).then(async (statsOrFalse) => {
48
+ if (!statsOrFalse) {
39
49
  log.verbose(`No SSL certificate found at ${certPath}`);
40
50
  return false;
41
51
  }
52
+
53
+ if (statsOrFalse.mode & constants.S_IWUSR || statsOrFalse.mode & constants.S_IROTH) {
54
+ log.verbose(`Detected outdated file permissions for certificate file at ${keyPath}. ` +
55
+ `Fixing permissions...`);
56
+ await chmod(certPath, 0o400).catch((err) => {
57
+ log.error(`Failed to update permissions of certificate file at ${certPath}: ${err}`);
58
+ });
59
+ }
42
60
  return readFile(certPath);
43
61
  })
44
62
  ]).then(function([key, cert]) {
@@ -84,14 +102,14 @@ async function createAndInstallCertificate(keyPath, certPath) {
84
102
  await Promise.all([
85
103
  // Write certificates to the ui5 certificate folder
86
104
  // such that they are used by default upon next startup
87
- mkdir(path.dirname(keyPath), {recursive: true}).then(() => writeFile(keyPath, key)),
88
- mkdir(path.dirname(certPath), {recursive: true}).then(() => writeFile(certPath, cert))
105
+ mkdir(path.dirname(keyPath), {recursive: true}).then(() => writeFile(keyPath, key, {mode: 0o400})),
106
+ mkdir(path.dirname(certPath), {recursive: true}).then(() => writeFile(certPath, cert, {mode: 0o400}))
89
107
  ]);
90
108
  return {key, cert};
91
109
  }
92
110
 
93
111
  function fileExists(filePath) {
94
- return stat(filePath).then(() => true, (err) => {
112
+ return stat(filePath).then((s) => s, (err) => {
95
113
  if (err.code === "ENOENT") { // "File or directory does not exist"
96
114
  return false;
97
115
  } else {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ui5/server",
3
- "version": "4.0.2",
3
+ "version": "4.0.4",
4
4
  "description": "UI5 Tooling - Server",
5
5
  "author": {
6
6
  "name": "SAP SE",
@@ -117,8 +117,8 @@
117
117
  "url": "git@github.com:SAP/ui5-server.git"
118
118
  },
119
119
  "dependencies": {
120
- "@ui5/builder": "^4.0.1",
121
- "@ui5/fs": "^4.0.0",
120
+ "@ui5/builder": "^4.0.3",
121
+ "@ui5/fs": "^4.0.1",
122
122
  "@ui5/logger": "^4.0.1",
123
123
  "body-parser": "^1.20.2",
124
124
  "compression": "^1.7.4",
@@ -138,18 +138,20 @@
138
138
  "yesno": "^0.4.0"
139
139
  },
140
140
  "devDependencies": {
141
+ "@eslint/js": "^9.8.0",
141
142
  "@istanbuljs/esm-loader-hook": "^0.2.0",
142
- "@ui5/project": "^4.0.2",
143
+ "@ui5/project": "^4.0.3",
143
144
  "ava": "^6.1.3",
144
145
  "chokidar-cli": "^3.0.0",
145
146
  "cross-env": "^7.0.3",
146
147
  "depcheck": "^1.4.7",
147
148
  "docdash": "^2.0.2",
148
- "eslint": "^8.57.0",
149
+ "eslint": "^9.9.1",
149
150
  "eslint-config-google": "^0.14.0",
150
- "eslint-plugin-ava": "^14.0.0",
151
- "eslint-plugin-jsdoc": "^48.10.2",
151
+ "eslint-plugin-ava": "^15.0.1",
152
+ "eslint-plugin-jsdoc": "^50.2.2",
152
153
  "esmock": "^2.6.7",
154
+ "globals": "^15.9.0",
153
155
  "jsdoc": "^4.0.3",
154
156
  "nyc": "^17.0.0",
155
157
  "open-cli": "^8.0.0",