@ui5/server 4.0.3 → 4.0.5

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 All notable changes to this project will be documented in this file.  
 This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-A list of unreleased changes can be found [here](https://github.com/SAP/ui5-server/compare/v4.0.3...HEAD).
+A list of unreleased changes can be found [here](https://github.com/SAP/ui5-server/compare/v4.0.5...HEAD).
+
+<a name="v4.0.5"></a>
+## [v4.0.5] - 2024-09-11
+### Dependency Updates
+- Bump path-to-regexp and router [`f713647`](https://github.com/SAP/ui5-server/commit/f713647258c89df7355c78a6c3b86817167027ed)
+
+
+<a name="v4.0.4"></a>
+## [v4.0.4] - 2024-08-27
+### Bug Fixes
+- Ensure SSL credentials are only readable by owner [`7220dbb`](https://github.com/SAP/ui5-server/commit/7220dbb2237dbf3104dcb88c15c1ca86b61ba49d)
+
 
 <a name="v4.0.3"></a>
 ## [v4.0.3] - 2024-08-09
@@ -381,6 +393,8 @@ Only Node.js v10 or higher is supported.
 
 <a name="v0.0.1"></a>
 ## v0.0.1 - 2018-06-06
+[v4.0.5]: https://github.com/SAP/ui5-server/compare/v4.0.4...v4.0.5
+[v4.0.4]: https://github.com/SAP/ui5-server/compare/v4.0.3...v4.0.4
 [v4.0.3]: https://github.com/SAP/ui5-server/compare/v4.0.2...v4.0.3
 [v4.0.2]: https://github.com/SAP/ui5-server/compare/v4.0.1...v4.0.2
 [v4.0.1]: https://github.com/SAP/ui5-server/compare/v4.0.0...v4.0.1

package/lib/sslUtil.js

@@ -1,5 +1,5 @@
 import os from "node:os";
-import {stat, readFile, writeFile, mkdir} from "node:fs/promises";
+import {stat, readFile, writeFile, mkdir, chmod, constants} from "node:fs/promises";
 import path from "node:path";
 import {getLogger} from "@ui5/logger";
 
@@ -27,18 +27,36 @@ export function getSslCertificate(
 ) {
 	// checks the certificates if they are present
 	return Promise.all([
-		fileExists(keyPath).then((bExists) => {
-			if (!bExists) {
+		fileExists(keyPath).then(async (statsOrFalse) => {
+			if (!statsOrFalse) {
 				log.verbose(`No SSL private key found at ${keyPath}`);
 				return false;
 			}
+			if (statsOrFalse.mode & constants.S_IWUSR || statsOrFalse.mode & constants.S_IROTH) {
+				// Note: According to the Node.js docs, "On Windows, only S_IRUSR and S_IWUSR are available"
+				// Therefore we first check for "writable by owner" (S_IWUSR), even though we are more interested in
+				// "readable by others", which we still check on platforms where it's supported
+				log.verbose(`Detected outdated file permissions for private key file at ${keyPath}. ` +
+					`Fixing permissions...`);
+				await chmod(keyPath, 0o400).catch((err) => {
+					log.error(`Failed to update permissions of private key file at ${keyPath}: ${err}`);
+				});
+			}
 			return readFile(keyPath);
 		}),
-		fileExists(certPath).then((bExists) => {
-			if (!bExists) {
+		fileExists(certPath).then(async (statsOrFalse) => {
+			if (!statsOrFalse) {
 				log.verbose(`No SSL certificate found at ${certPath}`);
 				return false;
 			}
+
+			if (statsOrFalse.mode & constants.S_IWUSR || statsOrFalse.mode & constants.S_IROTH) {
+				log.verbose(`Detected outdated file permissions for certificate file at ${keyPath}. ` +
+					`Fixing permissions...`);
+				await chmod(certPath, 0o400).catch((err) => {
+					log.error(`Failed to update permissions of certificate file at ${certPath}: ${err}`);
+				});
+			}
 			return readFile(certPath);
 		})
 	]).then(function([key, cert]) {
@@ -84,14 +102,14 @@ async function createAndInstallCertificate(keyPath, certPath) {
 	await Promise.all([
 		// Write certificates to the ui5 certificate folder
 		// such that they are used by default upon next startup
-		mkdir(path.dirname(keyPath), {recursive: true}).then(() => writeFile(keyPath, key)),
-		mkdir(path.dirname(certPath), {recursive: true}).then(() => writeFile(certPath, cert))
+		mkdir(path.dirname(keyPath), {recursive: true}).then(() => writeFile(keyPath, key, {mode: 0o400})),
+		mkdir(path.dirname(certPath), {recursive: true}).then(() => writeFile(certPath, cert, {mode: 0o400}))
 	]);
 	return {key, cert};
 }
 
 function fileExists(filePath) {
-	return stat(filePath).then(() => true, (err) => {
+	return stat(filePath).then((s) => s, (err) => {
 		if (err.code === "ENOENT") { // "File or directory does not exist"
 			return false;
 		} else {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@ui5/server",
-	"version": "4.0.3",
+	"version": "4.0.5",
 	"description": "UI5 Tooling - Server",
 	"author": {
 		"name": "SAP SE",
@@ -117,8 +117,8 @@
 		"url": "git@github.com:SAP/ui5-server.git"
 	},
 	"dependencies": {
-		"@ui5/builder": "^4.0.1",
-		"@ui5/fs": "^4.0.0",
+		"@ui5/builder": "^4.0.3",
+		"@ui5/fs": "^4.0.1",
 		"@ui5/logger": "^4.0.1",
 		"body-parser": "^1.20.2",
 		"compression": "^1.7.4",
@@ -126,37 +126,37 @@
 		"devcert-sanscache": "^0.5.1",
 		"escape-html": "^1.0.3",
 		"etag": "^1.8.1",
-		"express": "^4.19.2",
+		"express": "^4.20.0",
 		"fresh": "^0.5.2",
 		"graceful-fs": "^4.2.11",
 		"mime-types": "^2.1.35",
 		"parseurl": "^1.3.3",
 		"portscanner": "^2.2.0",
 		"replacestream": "^4.0.3",
-		"router": "^1.3.8",
+		"router": "^2.0.0",
 		"spdy": "^4.0.2",
 		"yesno": "^0.4.0"
 	},
 	"devDependencies": {
 		"@eslint/js": "^9.8.0",
 		"@istanbuljs/esm-loader-hook": "^0.2.0",
-		"@ui5/project": "^4.0.2",
+		"@ui5/project": "^4.0.3",
 		"ava": "^6.1.3",
 		"chokidar-cli": "^3.0.0",
 		"cross-env": "^7.0.3",
 		"depcheck": "^1.4.7",
 		"docdash": "^2.0.2",
-		"eslint": "^9.8.0",
+		"eslint": "^9.10.0",
 		"eslint-config-google": "^0.14.0",
 		"eslint-plugin-ava": "^15.0.1",
-		"eslint-plugin-jsdoc": "^48.11.0",
+		"eslint-plugin-jsdoc": "^50.2.2",
 		"esmock": "^2.6.7",
 		"globals": "^15.9.0",
 		"jsdoc": "^4.0.3",
 		"nyc": "^17.0.0",
 		"open-cli": "^8.0.0",
 		"rimraf": "^6.0.1",
-		"sinon": "^18.0.0",
+		"sinon": "^18.0.1",
 		"supertest": "^7.0.0",
 		"tap-xunit": "^2.4.1"
 	}