step-node-agent 3.28.4 → 3.29.0

package/AgentConf.yaml

@@ -1,5 +1,7 @@
 agentPort: '8082'
 gridHost: http://localhost:8081
+#gridSecurity:
+#  jwtSecretKey: 6S7lhTV89ENqZqQXFgcpFSX8anpbosW/CSBe30l8NCQ=
 registrationPeriod: 1000
 tokenGroups:
 - capacity: 10
@@ -10,4 +12,4 @@ tokenGroups:
 properties:
   myProp1: myDefaultValue
   myProp2: myValue2
-  keywords: keywords/keywords.js;
+  keywords: keywords/keywords.js;

package/api/filemanager/filemanager.js

@@ -2,7 +2,10 @@ module.exports = function FileManager (agentContext) {
   const fs = require('fs')
   const shell = require('shelljs')
   const http = require('http')
+  const https = require('https')
+  const url = require('url')
   const unzip = require('unzip-stream')
+  const jwtUtils = require('../../utils/jwtUtils')
 
   let exports = {}
   const filemanagerPath = agentContext.properties['filemanagerPath'] ? agentContext.properties['filemanagerPath'] : 'filemanager'
@@ -99,7 +102,25 @@ module.exports = function FileManager (agentContext) {
 
   function getKeywordFile (controllerFileUrl, targetDir) {
     return new Promise(function (resolve, reject) {
-      http.get(controllerFileUrl, (resp) => {
+      const parsedUrl = url.parse(controllerFileUrl)
+      const httpModule = parsedUrl.protocol === 'https:' ? https : http
+
+      const requestOptions = {
+        hostname: parsedUrl.hostname,
+        port: parsedUrl.port,
+        path: parsedUrl.path,
+        method: 'GET'
+      }
+
+      // Add bearer token if gridSecurity is configured
+      const token = jwtUtils.generateJwtToken(agentContext.gridSecurity, 300); // 5 minutes expiration
+      if (token) {
+        requestOptions.headers = {
+          'Authorization': 'Bearer ' + token
+        };
+      }
+
+      const req = httpModule.request(requestOptions, (resp) => {
         const filename = parseName(resp.headers)
         const filepath = targetDir + '/' + filename
         if (isDir(resp.headers) || filename.toUpperCase().endsWith('ZIP')) {
@@ -112,6 +133,8 @@ module.exports = function FileManager (agentContext) {
         console.log('Error: ' + err.message)
         reject(err)
       })
+
+      req.end()
     })
   }
 

package/middleware/jwtAuth.js

@@ -0,0 +1,37 @@
+const jwt = require('jsonwebtoken')
+
+module.exports = function createJwtAuthMiddleware(gridSecurity) {
+  return function jwtAuthMiddleware(req, res, next) {
+    // Skip authentication for /running endpoint
+    if (req.path === '/running') {
+      return next();
+    }
+
+    // Skip authentication if gridSecurity is not configured
+    if (!gridSecurity || !gridSecurity.jwtSecretKey) {
+      return next();
+    }
+
+    const authHeader = req.headers.authorization;
+
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({ error: 'Missing or invalid Authorization header' });
+    }
+
+    const token = authHeader.substring(7); // Remove 'Bearer ' prefix
+
+    try {
+      const decoded = jwt.verify(token, gridSecurity.jwtSecretKey, { algorithms: ['HS256'] });
+      req.user = decoded;
+      next();
+    } catch (err) {
+      if (err.name === 'TokenExpiredError') {
+        return res.status(401).json({ error: 'Token expired' });
+      } else if (err.name === 'JsonWebTokenError') {
+        return res.status(401).json({ error: 'Invalid token' });
+      } else {
+        return res.status(500).json({ error: 'Token verification failed' });
+      }
+    }
+  };
+};

package/node_modules/resolve/.eslintrc

@@ -14,7 +14,7 @@
         "func-style": 0,
         "global-require": 1,
         "id-length": [2, { "min": 1, "max": 40 }],
-        "max-lines": [2, 350],
+        "max-lines": [2, 360],
         "max-lines-per-function": 0,
         "max-nested-callbacks": 0,
         "max-params": 0,

package/node_modules/resolve/.github/INCIDENT_RESPONSE_PROCESS.md

@@ -0,0 +1,119 @@
+# Incident Response Process for **resolve**
+
+## Reporting a Vulnerability
+
+We take the security of **resolve** very seriously. If you believe you’ve found a security vulnerability, please inform us responsibly through coordinated disclosure.
+
+### How to Report
+
+> **Do not** report security vulnerabilities through public GitHub issues, discussions, or social media.
+
+Instead, please use one of these secure channels:
+
+1. **GitHub Security Advisories**
+   Use the **Report a vulnerability** button in the Security tab of the [browserify/resolve repository](https://github.com/browserify/resolve).
+
+2. **Email**
+   Follow the posted [Security Policy](https://github.com/browserify/resolve/security/policy).
+
+### What to Include
+
+**Required Information:**
+- Brief description of the vulnerability type
+- Affected version(s) and components
+- Steps to reproduce the issue
+- Impact assessment (what an attacker could achieve)
+- Confirm the issue is not present in test files (in other words, only via the official entry points in `exports`)
+
+**Helpful Additional Details:**
+- Full paths of affected source files
+- Specific commit or branch where the issue exists
+- Required configuration to reproduce
+- Proof-of-concept code (if available)
+- Suggested mitigation or fix
+
+## Our Response Process
+
+**Timeline Commitments:**
+- **Initial acknowledgment**: Within 24 hours
+- **Detailed response**: Within 3 business days
+- **Status updates**: Every 7 days until resolved
+- **Resolution target**: 90 days for most issues
+
+**What We’ll Do:**
+1. Acknowledge your report and assign a tracking ID
+2. Assess the vulnerability and determine severity
+3. Develop and test a fix
+4. Coordinate disclosure timeline with you
+5. Release a security update and publish an advisory and CVE
+6. Credit you in our security advisory (if desired)
+
+## Disclosure Policy
+
+- **Coordinated disclosure**: We’ll work with you on timing
+- **Typical timeline**: 90 days from report to public disclosure
+- **Early disclosure**: If actively exploited
+- **Delayed disclosure**: For complex issues
+
+## Scope
+
+**In Scope:**
+- **resolve** package (all supported versions)
+- Official examples and documentation
+- Core resolution APIs
+- Dependencies with direct security implications
+
+**Out of Scope:**
+- Third-party wrappers or extensions
+- Bundler-specific integrations
+- Social engineering or physical attacks
+- Theoretical vulnerabilities without practical exploitation
+- Issues in non-production files
+
+## Security Measures
+
+**Our Commitments:**
+- Regular vulnerability scanning via `npm audit`
+- Automated security checks in CI/CD (GitHub Actions)
+- Secure coding practices and mandatory code review
+- Prompt patch releases for critical issues
+
+**User Responsibilities:**
+- Keep **resolve** updated
+- Monitor dependency vulnerabilities
+- Follow secure configuration guidelines for module resolution
+
+## Legal Safe Harbor
+
+**We will NOT:**
+- Initiate legal action
+- Contact law enforcement
+- Suspend or terminate your access
+
+**You must:**
+- Only test against your own installations
+- Not access, modify, or delete user data
+- Not degrade service availability
+- Not publicly disclose before coordinated disclosure
+- Act in good faith
+
+## Recognition
+
+- **Advisory Credits**: Credit in GitHub Security Advisories (unless anonymous)
+
+## Security Updates
+
+**Stay Informed:**
+- Subscribe to npm updates for **resolve**
+- Enable GitHub Security Advisory notifications
+
+**Update Process:**
+- Patch releases (e.g., 1.22.10 → 1.22.11)
+- Out-of-band releases for critical issues
+- Advisories via GitHub Security Advisories
+
+## Contact Information
+
+- **Security reports**: Security tab of [browserify/resolve](https://github.com/browserify/resolve/security)
+- **General inquiries**: GitHub Discussions or Issues
+

package/node_modules/resolve/.github/THREAT_MODEL.md

@@ -0,0 +1,74 @@
+## Threat Model for resolve (module path resolution library)
+
+### 1. Library Overview
+
+- **Library Name:** resolve
+- **Brief Description:** Implements Node.js `require.resolve()` algorithm for synchronous and asynchronous file path resolution. Used to locate modules and files in Node.js projects.
+- **Key Public APIs/Functions:** `resolve.sync()` / `resolve/sync`, `resolve()` / `resolve/async`
+
+### 2. Define Scope
+
+This threat model focuses on the core path resolution algorithm, including filesystem interaction, option handling, and cache management.
+
+### 3. Conceptual System Diagram
+
+```
+Caller Application → resolve(id, options) → Resolution Algorithm → File System
+                           │
+                           └→ Options Handling
+                           └→ Cache System
+```
+
+**Trust Boundaries:**
+- **Input module IDs:** May come from untrusted sources (user input, configuration)
+- **Filesystem access:** The library interacts with the filesystem to resolve paths
+- **Options:** Provided by the caller
+- **Cache:** Used to improve performance, but could be a vector for tampering or information disclosure if not handled securely
+
+### 4. Identify Assets
+
+- **Integrity of resolution output:** Ensure correct and safe file path matching.
+- **Confidentiality of configuration:** Prevent sensitive path information from being leaked.
+- **Availability/performance for host application:** Prevent crashes or resource exhaustion.
+- **Security of host application:** Prevent path traversal or unintended filesystem access.
+- **Reputation of library:** Maintain trust by avoiding supply chain attacks and vulnerabilities[1][3][4].
+
+### 5. Identify Threats
+
+| Component / API / Interaction                       | S  | T  | R  | I  | D  | E  |
+|-----------------------------------------------------|----|----|----|----|----|----|
+| Public API Call (`resolve/async`, `resolve/sync`)   | ✓  | ✓  | –  | ✓  | –  | –  |
+| Filesystem Access                                   | –  | ✓  | –  | ✓  | ✓  | –  |
+| Options Handling                                    | ✓  | ✓  | –  | ✓  | –  | –  |
+| Cache System                                        | –  | ✓  | –  | ✓  | –  | –  |
+
+**Key Threats:**
+- **Spoofing:** Malicious module IDs mimicking legitimate packages, or spoofing configuration options[1].
+- **Tampering:** Caller-provided paths altering resolution order, or cache tampering leading to incorrect results[1][4].
+- **Information Disclosure:** Error messages revealing filesystem structure or sensitive paths[1].
+- **Denial of Service:** Recursive or excessive resolution exhausting filesystem handles or causing application crashes[1].
+- **Path Traversal:** Malicious input allowing access to files outside the intended directory[4].
+
+### 6. Mitigation/Countermeasures
+
+| Threat Identified                          | Proposed Mitigation |
+|--------------------------------------------|---------------------|
+| Spoofing (malicious module IDs/config)     | Sanitize input IDs; validate against known patterns; restrict `basedir` to app-controlled paths[1][4]. |
+| Tampering (path traversal, cache)          | Validate input IDs for directory escapes; secure cache reads/writes; restrict cache to trusted sources[1][4]. |
+| Information Disclosure (error messages)    | Generic "not found" errors without internal paths; avoid exposing sensitive configuration in errors[1]. |
+| Denial of Service (resource exhaustion)    | Limit recursive resolution depth; implement timeout; monitor for excessive filesystem operations[1]. |
+
+### 7. Risk Ranking
+
+- **High:** Path traversal via malicious IDs (if not properly mitigated)
+- **Medium:** Cache tampering or spoofing (if cache is not secured)
+- **Low:** Information disclosure in errors (if error handling is generic)
+
+### 8. Next Steps & Review
+
+1. **Implement input sanitization for module IDs and configuration.**
+2. **Add resolution depth limiting and timeout.**
+3. **Audit cache handling for race conditions and tampering.**
+4. **Regularly review dependencies for vulnerabilities.**
+5. **Keep documentation and threat model up to date.**
+6. **Monitor for new threats as the ecosystem and library evolve[1][3].**

package/node_modules/resolve/SECURITY.md

@@ -1,3 +1,11 @@
 # Security
 
-Please email [@ljharb](https://github.com/ljharb) or see https://tidelift.com/security if you have a potential security vulnerability to report.
+Please file a private vulnerability via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report.
+
+## Incident Response
+
+See our [Incident Response Process](.github/INCIDENT_RESPONSE_PROCESS.md).
+
+## Threat Model
+
+See [THREAT_MODEL.md](./THREAT_MODEL.md).

package/node_modules/resolve/lib/async.js

@@ -8,6 +8,10 @@ var isCore = require('is-core-module');
 
 var realpathFS = process.platform !== 'win32' && fs.realpath && typeof fs.realpath.native === 'function' ? fs.realpath.native : fs.realpath;
 
+var relativePathRegex = /^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/;
+var windowsDriveRegex = /^\w:[/\\]*$/;
+var nodeModulesRegex = /[/\\]node_modules[/\\]*$/;
+
 var homedir = getHomedir();
 var defaultPaths = function () {
     return [
@@ -124,10 +128,10 @@ module.exports = function resolve(x, options, callback) {
 
     var res;
     function init(basedir) {
-        if ((/^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/).test(x)) {
+        if (relativePathRegex.test(x)) {
             res = path.resolve(basedir, x);
             if (x === '.' || x === '..' || x.slice(-1) === '/') res += '/';
-            if ((/\/$/).test(x) && res === basedir) {
+            if (x.slice(-1) === '/' && res === basedir) {
                 loadAsDirectory(res, opts.package, onfile);
             } else loadAsFile(res, opts.package, onfile);
         } else if (includeCoreModules && isCore(x)) {
@@ -215,10 +219,10 @@ module.exports = function resolve(x, options, callback) {
 
     function loadpkg(dir, cb) {
         if (dir === '' || dir === '/') return cb(null);
-        if (process.platform === 'win32' && (/^\w:[/\\]*$/).test(dir)) {
+        if (process.platform === 'win32' && windowsDriveRegex.test(dir)) {
             return cb(null);
         }
-        if ((/[/\\]node_modules[/\\]*$/).test(dir)) return cb(null);
+        if (nodeModulesRegex.test(dir)) return cb(null);
 
         maybeRealpath(realpath, dir, opts, function (unwrapErr, pkgdir) {
             if (unwrapErr) return loadpkg(path.dirname(dir), cb);

package/node_modules/resolve/lib/core.json

@@ -91,7 +91,7 @@
 	"node:repl": [">= 14.18 && < 15", ">= 16"],
 	"node:sea": [">= 20.12 && < 21", ">= 21.7"],
 	"smalloc": ">= 0.11.5 && < 3",
-	"node:sqlite": ">= 23.4",
+	"node:sqlite": [">= 22.13 && < 23", ">= 23.4"],
 	"_stream_duplex": ">= 0.9.4",
 	"node:_stream_duplex": [">= 14.18 && < 15", ">= 16"],
 	"_stream_transform": ">= 0.9.4",

package/node_modules/resolve/lib/node-modules-paths.js

@@ -1,11 +1,14 @@
 var path = require('path');
 var parse = path.parse || require('path-parse'); // eslint-disable-line global-require
 
+var driveLetterRegex = /^([A-Za-z]:)/;
+var uncPathRegex = /^\\\\/;
+
 var getNodeModulesDirs = function getNodeModulesDirs(absoluteStart, modules) {
     var prefix = '/';
-    if ((/^([A-Za-z]:)/).test(absoluteStart)) {
+    if (driveLetterRegex.test(absoluteStart)) {
         prefix = '';
-    } else if ((/^\\\\/).test(absoluteStart)) {
+    } else if (uncPathRegex.test(absoluteStart)) {
         prefix = '\\\\';
     }
 

package/node_modules/resolve/lib/sync.js

@@ -8,6 +8,10 @@ var normalizeOptions = require('./normalize-options');
 
 var realpathFS = process.platform !== 'win32' && fs.realpathSync && typeof fs.realpathSync.native === 'function' ? fs.realpathSync.native : fs.realpathSync;
 
+var relativePathRegex = /^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/;
+var windowsDriveRegex = /^\w:[/\\]*$/;
+var nodeModulesRegex = /[/\\]node_modules[/\\]*$/;
+
 var homedir = getHomedir();
 var defaultPaths = function () {
     return [
@@ -96,7 +100,7 @@ module.exports = function resolveSync(x, options) {
     // ensure that `basedir` is an absolute path at this point, resolving against the process' current working directory
     var absoluteStart = maybeRealpathSync(realpathSync, path.resolve(basedir), opts);
 
-    if ((/^(?:\.\.?(?:\/|$)|\/|([A-Za-z]:)?[/\\])/).test(x)) {
+    if (relativePathRegex.test(x)) {
         var res = path.resolve(absoluteStart, x);
         if (x === '.' || x === '..' || x.slice(-1) === '/') res += '/';
         var m = loadAsFileSync(res) || loadAsDirectorySync(res);
@@ -137,10 +141,10 @@ module.exports = function resolveSync(x, options) {
 
     function loadpkg(dir) {
         if (dir === '' || dir === '/') return;
-        if (process.platform === 'win32' && (/^\w:[/\\]*$/).test(dir)) {
+        if (process.platform === 'win32' && windowsDriveRegex.test(dir)) {
             return;
         }
-        if ((/[/\\]node_modules[/\\]*$/).test(dir)) return;
+        if (nodeModulesRegex.test(dir)) return;
 
         var pkgfile = path.join(maybeRealpathSync(realpathSync, dir, opts), 'package.json');
 

package/node_modules/resolve/package.json

@@ -1,10 +1,10 @@
 {
 	"name": "resolve",
 	"description": "resolve like require.resolve() on behalf of files asynchronously and synchronously",
-	"version": "1.22.10",
+	"version": "1.22.11",
 	"repository": {
 		"type": "git",
-		"url": "git://github.com/browserify/resolve.git"
+		"url": "ssh://github.com/browserify/resolve.git"
 	},
 	"bin": {
 		"resolve": "./bin/resolve"
@@ -30,8 +30,8 @@
 		"test:multirepo": "cd ./test/resolver/multirepo && npm install && npm test"
 	},
 	"devDependencies": {
-		"@ljharb/eslint-config": "^21.1.1",
-		"array.prototype.map": "^1.0.7",
+		"@ljharb/eslint-config": "^21.2.0",
+		"array.prototype.map": "^1.0.8",
 		"copy-dir": "^1.3.0",
 		"eclint": "^2.8.1",
 		"eslint": "=8.8.0",
@@ -57,7 +57,7 @@
 		"url": "https://github.com/sponsors/ljharb"
 	},
 	"dependencies": {
-		"is-core-module": "^2.16.0",
+		"is-core-module": "^2.16.1",
 		"path-parse": "^1.0.7",
 		"supports-preserve-symlinks-flag": "^1.0.0"
 	},

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "step-node-agent",
-  "version": "3.28.4",
+  "version": "3.29.0",
   "description": "The official STEP Agent implementation for Node.js",
   "main": "index.js",
   "scripts": {
@@ -32,6 +32,7 @@
     "express": "^4.17.1",
     "get-fqdn": "^1.0.0",
     "http": "0.0.0",
+    "jsonwebtoken": "^9.0.2",
     "minimist": "^1.2.5",
     "npm": "^6.14.15",
     "request": "^2.88.0",

package/server.js

@@ -4,7 +4,7 @@ const YAML = require('yaml')
 
 let args = minimist(process.argv.slice(2), {
   default: {
-    f: path.join(__dirname, 'AgentConf.json')
+    f: path.join(__dirname, 'AgentConf.yaml')
   }
 })
 console.log('[Agent] Using arguments ' + JSON.stringify(args))
@@ -26,9 +26,10 @@ if(agentConfFileExt === '.yaml') {
 console.log('[Agent] Creating agent context and tokens')
 const uuid = require('uuid/v4')
 const _ = require('underscore')
+const jwtUtils = require('./utils/jwtUtils')
 const agentType = 'node'
 const agent = {id: uuid()}
-let agentContext = { tokens: [], tokenSessions: [], tokenProperties: [], properties: agentConf.properties, controllerUrl: agentConf.gridHost }
+let agentContext = { tokens: [], tokenSessions: [], tokenProperties: [], properties: agentConf.properties, controllerUrl: agentConf.gridHost, gridSecurity: agentConf.gridSecurity }
 _.each(agentConf.tokenGroups, function (tokenGroup) {
   const tokenConf = tokenGroup.tokenConf
   let attributes = tokenConf.attributes
@@ -60,6 +61,11 @@ const bodyParser = require('body-parser')
 app.use(bodyParser.urlencoded({extended: true}))
 app.use(bodyParser.json())
 
+// Apply JWT authentication middleware
+const createJwtAuthMiddleware = require('./middleware/jwtAuth')
+const jwtAuthMiddleware = createJwtAuthMiddleware(agentConf.gridSecurity)
+app.use(jwtAuthMiddleware)
+
 const routes = require('./api/routes/routes')
 routes(app, agentContext)
 
@@ -72,19 +78,32 @@ startWithAgentUrl = function(agentUrl) {
   const registrationPeriod = agentConf.registrationPeriod || 5000
   const request = require('request')
   setInterval(function () {
-    request({
+    const requestOptions = {
       uri: agentConf.gridHost + '/grid/register',
       method: 'POST',
       json: true,
       body: { agentRef: { agentId: agent.id, agentUrl: agentUrl, agentType: agentType }, tokens: agentContext.tokens }
-    }, function (err, res, body) {
+    };
+
+    // Add bearer token if gridSecurity is configured
+    const token = jwtUtils.generateJwtToken(agentConf.gridSecurity, 3600); // 1 hour expiration
+    if (token) {
+      requestOptions.headers = {
+        'Authorization': 'Bearer ' + token
+      };
+    }
+
+    request(requestOptions, function (err, res, body) {
       if (err) {
+        console.log("[Agent] Error while registering agent to grid")
         console.log(err)
+      } else if (res.statusCode !== 204) {
+        console.log("[Agent] Failed to register agent: grid responded with status " + res.statusCode + (body != null ? ". Response body: " + JSON.stringify(body) : ""))
       }
     })
   }, registrationPeriod)
-  
-  console.log('[Agent] Successfully started on: ' + port)  
+
+  console.log('[Agent] Successfully started on: ' + port)
 }
 
 if(agentConf.agentUrl) {
@@ -92,8 +111,8 @@ if(agentConf.agentUrl) {
 } else {
   const getFQDN = require('get-fqdn');
   getFQDN().then(FQDN => {
-    startWithAgentUrl('http://' + FQDN + ':' + port) 
+    startWithAgentUrl('http://' + FQDN + ':' + port)
   }).catch(e => {
     console.log('[Agent] Error while getting FQDN ' + e)
   })
-}
+}

package/utils/jwtUtils.js

@@ -0,0 +1,21 @@
+const jwt = require('jsonwebtoken')
+
+module.exports = {
+  generateJwtToken: function(gridSecurity, expirationSeconds) {
+    if (!gridSecurity || !gridSecurity.jwtSecretKey) {
+      return null;
+    }
+
+    const now = Math.floor(Date.now() / 1000);
+    const expiration = now + expirationSeconds;
+
+    return jwt.sign(
+      {
+        iat: now,
+        exp: expiration
+      },
+      gridSecurity.jwtSecretKey,
+      { algorithm: 'HS256' }
+    );
+  }
+}