step-node-agent 3.28.4 → 3.29.1

package/AgentConf.yaml

@@ -1,5 +1,7 @@
 agentPort: '8082'
 gridHost: http://localhost:8081
+#gridSecurity:
+#  jwtSecretKey: 6S7lhTV89ENqZqQXFgcpFSX8anpbosW/CSBe30l8NCQ=
 registrationPeriod: 1000
 tokenGroups:
 - capacity: 10
@@ -10,4 +12,4 @@ tokenGroups:
 properties:
   myProp1: myDefaultValue
   myProp2: myValue2
-  keywords: keywords/keywords.js;
+  keywords: keywords/keywords.js;

package/api/filemanager/filemanager.js

@@ -2,7 +2,10 @@ module.exports = function FileManager (agentContext) {
   const fs = require('fs')
   const shell = require('shelljs')
   const http = require('http')
+  const https = require('https')
+  const url = require('url')
   const unzip = require('unzip-stream')
+  const jwtUtils = require('../../utils/jwtUtils')
 
   let exports = {}
   const filemanagerPath = agentContext.properties['filemanagerPath'] ? agentContext.properties['filemanagerPath'] : 'filemanager'
@@ -99,7 +102,25 @@ module.exports = function FileManager (agentContext) {
 
   function getKeywordFile (controllerFileUrl, targetDir) {
     return new Promise(function (resolve, reject) {
-      http.get(controllerFileUrl, (resp) => {
+      const parsedUrl = url.parse(controllerFileUrl)
+      const httpModule = parsedUrl.protocol === 'https:' ? https : http
+
+      const requestOptions = {
+        hostname: parsedUrl.hostname,
+        port: parsedUrl.port,
+        path: parsedUrl.path,
+        method: 'GET'
+      }
+
+      // Add bearer token if gridSecurity is configured
+      const token = jwtUtils.generateJwtToken(agentContext.gridSecurity, 300); // 5 minutes expiration
+      if (token) {
+        requestOptions.headers = {
+          'Authorization': 'Bearer ' + token
+        };
+      }
+
+      const req = httpModule.request(requestOptions, (resp) => {
         const filename = parseName(resp.headers)
         const filepath = targetDir + '/' + filename
         if (isDir(resp.headers) || filename.toUpperCase().endsWith('ZIP')) {
@@ -112,6 +133,8 @@ module.exports = function FileManager (agentContext) {
         console.log('Error: ' + err.message)
         reject(err)
       })
+
+      req.end()
     })
   }
 

package/middleware/jwtAuth.js

@@ -0,0 +1,37 @@
+const jwt = require('jsonwebtoken')
+
+module.exports = function createJwtAuthMiddleware(gridSecurity) {
+  return function jwtAuthMiddleware(req, res, next) {
+    // Skip authentication for /running endpoint
+    if (req.path === '/running') {
+      return next();
+    }
+
+    // Skip authentication if gridSecurity is not configured
+    if (!gridSecurity || !gridSecurity.jwtSecretKey) {
+      return next();
+    }
+
+    const authHeader = req.headers.authorization;
+
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({ error: 'Missing or invalid Authorization header' });
+    }
+
+    const token = authHeader.substring(7); // Remove 'Bearer ' prefix
+
+    try {
+      const decoded = jwt.verify(token, gridSecurity.jwtSecretKey, { algorithms: ['HS256'] });
+      req.user = decoded;
+      next();
+    } catch (err) {
+      if (err.name === 'TokenExpiredError') {
+        return res.status(401).json({ error: 'Token expired' });
+      } else if (err.name === 'JsonWebTokenError') {
+        return res.status(401).json({ error: 'Invalid token' });
+      } else {
+        return res.status(500).json({ error: 'Token verification failed' });
+      }
+    }
+  };
+};

package/node_modules/body-parser/HISTORY.md

@@ -1,3 +1,11 @@
+1.20.4 / 2025-12-01
+===================
+
+  * deps: qs@~6.14.0
+  * deps: use tilde notation for dependencies
+  * deps: http-errors@~2.0.1
+  * deps: raw-body@~2.5.3
+
 1.20.3 / 2024-09-10
 ===================
 

package/node_modules/body-parser/lib/types/urlencoded.js

@@ -55,9 +55,6 @@ function urlencoded (options) {
     : opts.limit
   var type = opts.type || 'application/x-www-form-urlencoded'
   var verify = opts.verify || false
-  var depth = typeof opts.depth !== 'number'
-    ? Number(opts.depth || 32)
-    : opts.depth
 
   if (verify !== false && typeof verify !== 'function') {
     throw new TypeError('option verify must be function')
@@ -121,8 +118,7 @@ function urlencoded (options) {
       encoding: charset,
       inflate: inflate,
       limit: limit,
-      verify: verify,
-      depth: depth
+      verify: verify
     })
   }
 }
@@ -137,10 +133,7 @@ function extendedparser (options) {
   var parameterLimit = options.parameterLimit !== undefined
     ? options.parameterLimit
     : 1000
-
-  var depth = typeof options.depth !== 'number'
-    ? Number(options.depth || 32)
-    : options.depth
+  var depth = options.depth !== undefined ? options.depth : 32
   var parse = parser('qs')
 
   if (isNaN(parameterLimit) || parameterLimit < 1) {

package/node_modules/body-parser/package.json

@@ -1,7 +1,7 @@
 {
   "name": "body-parser",
   "description": "Node.js body parsing middleware",
-  "version": "1.20.3",
+  "version": "1.20.4",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>",
     "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)"
@@ -9,18 +9,18 @@
   "license": "MIT",
   "repository": "expressjs/body-parser",
   "dependencies": {
-    "bytes": "3.1.2",
+    "bytes": "~3.1.2",
     "content-type": "~1.0.5",
     "debug": "2.6.9",
     "depd": "2.0.0",
-    "destroy": "1.2.0",
-    "http-errors": "2.0.0",
-    "iconv-lite": "0.4.24",
-    "on-finished": "2.4.1",
-    "qs": "6.13.0",
-    "raw-body": "2.5.2",
+    "destroy": "~1.2.0",
+    "http-errors": "~2.0.1",
+    "iconv-lite": "~0.4.24",
+    "on-finished": "~2.4.1",
+    "qs": "~6.14.0",
+    "raw-body": "~2.5.3",
     "type-is": "~1.6.18",
-    "unpipe": "1.0.0"
+    "unpipe": "~1.0.0"
   },
   "devDependencies": {
     "eslint": "8.34.0",
@@ -40,7 +40,6 @@
     "lib/",
     "LICENSE",
     "HISTORY.md",
-    "SECURITY.md",
     "index.js"
   ],
   "engines": {

package/node_modules/cookie/index.js

@@ -21,6 +21,7 @@ exports.serialize = serialize;
  */
 
 var __toString = Object.prototype.toString
+var __hasOwnProperty = Object.prototype.hasOwnProperty
 
 /**
  * RegExp to match cookie-name in RFC 6265 sec 4.1.1
@@ -130,7 +131,7 @@ function parse(str, opt) {
     var key = str.slice(keyStartIdx, keyEndIdx);
 
     // only assign once
-    if (!obj.hasOwnProperty(key)) {
+    if (!__hasOwnProperty.call(obj, key)) {
       var valStartIdx = startIndex(str, eqIdx + 1, endIdx);
       var valEndIdx = endIndex(str, endIdx, valStartIdx);
 

package/node_modules/cookie/package.json

@@ -1,7 +1,7 @@
 {
   "name": "cookie",
   "description": "HTTP server cookie parsing and serialization",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "author": "Roman Shtylman <shtylman@gmail.com>",
   "contributors": [
     "Douglas Christopher Wilson <doug@somethingdoug.com>"

package/node_modules/cookie-signature/History.md

@@ -1,10 +1,14 @@
+1.0.7 / 2023-04-12
+==================
+
+* backport the buffer support from the 1.2.x release branch (thanks @FadhiliNjagi!)
+
 1.0.6 / 2015-02-03
 ==================
 
 * use `npm test` instead of `make test` to run tests
 * clearer assertion messages when checking input
 
-
 1.0.5 / 2014-09-05
 ==================
 

package/node_modules/cookie-signature/index.js

@@ -8,14 +8,14 @@ var crypto = require('crypto');
  * Sign the given `val` with `secret`.
  *
  * @param {String} val
- * @param {String} secret
+ * @param {String|NodeJS.ArrayBufferView|crypto.KeyObject} secret
  * @return {String}
  * @api private
  */
 
 exports.sign = function(val, secret){
-  if ('string' != typeof val) throw new TypeError("Cookie value must be provided as a string.");
-  if ('string' != typeof secret) throw new TypeError("Secret string must be provided.");
+  if ('string' !== typeof val) throw new TypeError("Cookie value must be provided as a string.");
+  if (null == secret) throw new TypeError("Secret key must be provided.");
   return val + '.' + crypto
     .createHmac('sha256', secret)
     .update(val)
@@ -28,14 +28,14 @@ exports.sign = function(val, secret){
  * returning `false` if the signature is invalid.
  *
  * @param {String} val
- * @param {String} secret
+ * @param {String|NodeJS.ArrayBufferView|crypto.KeyObject} secret
  * @return {String|Boolean}
  * @api private
  */
 
 exports.unsign = function(val, secret){
-  if ('string' != typeof val) throw new TypeError("Signed cookie string must be provided.");
-  if ('string' != typeof secret) throw new TypeError("Secret string must be provided.");
+  if ('string' !== typeof val) throw new TypeError("Signed cookie string must be provided.");
+  if (null == secret) throw new TypeError("Secret key must be provided.");
   var str = val.slice(0, val.lastIndexOf('.'))
     , mac = exports.sign(str, secret);
   

package/node_modules/cookie-signature/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cookie-signature",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "Sign and unsign cookies",
   "keywords": ["cookie", "sign", "unsign"],
   "author": "TJ Holowaychuk <tj@learnboost.com>",
@@ -15,4 +15,4 @@
     "test": "mocha --require should --reporter spec"
   },
   "main": "index"
-}
+}

package/node_modules/express/History.md

@@ -1,3 +1,14 @@
+4.22.1 / 2025-12-01
+==========
+
+  * Revert security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
+
+4.22.0 / 2025-12-01
+==========
+  * Security fix for [CVE-2024-51999](https://www.cve.org/CVERecord?id=CVE-2024-51999) ([GHSA-pj86-cfqh-vqx6](https://github.com/expressjs/express/security/advisories/GHSA-pj86-cfqh-vqx6))
+  * deps: use tilde notation for dependencies
+  * deps: qs@6.14.0
+
 4.21.2 / 2024-11-06
 ==========
 

package/node_modules/express/package.json

@@ -1,7 +1,7 @@
 {
   "name": "express",
   "description": "Fast, unopinionated, minimalist web framework",
-  "version": "4.21.2",
+  "version": "4.22.1",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "contributors": [
     "Aaron Heckmann <aaron.heckmann+github@gmail.com>",
@@ -34,32 +34,32 @@
   "dependencies": {
     "accepts": "~1.3.8",
     "array-flatten": "1.1.1",
-    "body-parser": "1.20.3",
-    "content-disposition": "0.5.4",
+    "body-parser": "~1.20.3",
+    "content-disposition": "~0.5.4",
     "content-type": "~1.0.4",
-    "cookie": "0.7.1",
-    "cookie-signature": "1.0.6",
+    "cookie": "~0.7.1",
+    "cookie-signature": "~1.0.6",
     "debug": "2.6.9",
     "depd": "2.0.0",
     "encodeurl": "~2.0.0",
     "escape-html": "~1.0.3",
     "etag": "~1.8.1",
-    "finalhandler": "1.3.1",
-    "fresh": "0.5.2",
-    "http-errors": "2.0.0",
+    "finalhandler": "~1.3.1",
+    "fresh": "~0.5.2",
+    "http-errors": "~2.0.0",
     "merge-descriptors": "1.0.3",
     "methods": "~1.1.2",
-    "on-finished": "2.4.1",
+    "on-finished": "~2.4.1",
     "parseurl": "~1.3.3",
-    "path-to-regexp": "0.1.12",
+    "path-to-regexp": "~0.1.12",
     "proxy-addr": "~2.0.7",
-    "qs": "6.13.0",
+    "qs": "~6.14.0",
     "range-parser": "~1.2.1",
     "safe-buffer": "5.2.1",
-    "send": "0.19.0",
-    "serve-static": "1.16.2",
+    "send": "~0.19.0",
+    "serve-static": "~1.16.2",
     "setprototypeof": "1.2.0",
-    "statuses": "2.0.1",
+    "statuses": "~2.0.1",
     "type-is": "~1.6.18",
     "utils-merge": "1.0.1",
     "vary": "~1.1.2"
@@ -75,11 +75,11 @@
     "hbs": "4.2.0",
     "marked": "0.7.0",
     "method-override": "3.0.0",
-    "mocha": "10.2.0",
+    "mocha": "^6.2.2",
     "morgan": "1.10.0",
-    "nyc": "15.1.0",
+    "nyc": "^14.1.1",
     "pbkdf2-password": "1.2.1",
-    "supertest": "6.3.0",
+    "supertest": "^6.1.6",
     "vhost": "~3.0.2"
   },
   "engines": {

package/node_modules/finalhandler/HISTORY.md

@@ -1,3 +1,9 @@
+v1.3.2 / 2025-12-01
+==================
+
+  * deps: use tilde notation for dependencies
+  * deps: statuses@~2.0.2
+
 v1.3.1 / 2024-09-11
 ==================
 

package/node_modules/finalhandler/package.json

@@ -1,7 +1,7 @@
 {
   "name": "finalhandler",
   "description": "Node.js final http responder",
-  "version": "1.3.1",
+  "version": "1.3.2",
   "author": "Douglas Christopher Wilson <doug@somethingdoug.com>",
   "license": "MIT",
   "repository": "pillarjs/finalhandler",
@@ -9,9 +9,9 @@
     "debug": "2.6.9",
     "encodeurl": "~2.0.0",
     "escape-html": "~1.0.3",
-    "on-finished": "2.4.1",
+    "on-finished": "~2.4.1",
     "parseurl": "~1.3.3",
-    "statuses": "2.0.1",
+    "statuses": "~2.0.2",
     "unpipe": "~1.0.0"
   },
   "devDependencies": {

package/node_modules/http-errors/HISTORY.md

@@ -1,3 +1,9 @@
+2.0.1 / 2025-11-20
+==================
+
+  * deps: use tilde notation for dependencies
+  * deps: update statuses to 2.0.2
+
 2.0.0 / 2021-12-17
 ==================
 

package/node_modules/http-errors/index.js

@@ -279,11 +279,12 @@ function populateConstructorExports (exports, codes, HttpError) {
 
 /**
  * Get a class name from a name identifier.
+ *
+ * @param {string} name
+ * @returns {string}
  * @private
  */
 
 function toClassName (name) {
-  return name.substr(-5) !== 'Error'
-    ? name + 'Error'
-    : name
+  return name.slice(-5) === 'Error' ? name : name + 'Error'
 }

package/node_modules/http-errors/package.json

@@ -1,7 +1,7 @@
 {
   "name": "http-errors",
   "description": "Create HTTP error objects",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "author": "Jonathan Ong <me@jongleberry.com> (http://jongleberry.com)",
   "contributors": [
     "Alan Plum <me@pluma.io>",
@@ -9,17 +9,21 @@
   ],
   "license": "MIT",
   "repository": "jshttp/http-errors",
+  "funding": {
+    "type": "opencollective",
+    "url": "https://opencollective.com/express"
+  },
   "dependencies": {
-    "depd": "2.0.0",
-    "inherits": "2.0.4",
-    "setprototypeof": "1.2.0",
-    "statuses": "2.0.1",
-    "toidentifier": "1.0.1"
+    "depd": "~2.0.0",
+    "inherits": "~2.0.4",
+    "setprototypeof": "~1.2.0",
+    "statuses": "~2.0.2",
+    "toidentifier": "~1.0.1"
   },
   "devDependencies": {
     "eslint": "7.32.0",
     "eslint-config-standard": "14.1.1",
-    "eslint-plugin-import": "2.25.3",
+    "eslint-plugin-import": "2.32.0",
     "eslint-plugin-markdown": "2.2.1",
     "eslint-plugin-node": "11.1.0",
     "eslint-plugin-promise": "5.2.0",
@@ -32,7 +36,7 @@
   },
   "scripts": {
     "lint": "eslint . && node ./scripts/lint-readme-list.js",
-    "test": "mocha --reporter spec --bail",
+    "test": "mocha --reporter spec",
     "test-ci": "nyc --reporter=lcov --reporter=text npm test",
     "test-cov": "nyc --reporter=html --reporter=text npm test",
     "version": "node scripts/version-history.js && git add HISTORY.md"

package/node_modules/qs/.eslintrc

@@ -13,6 +13,7 @@
         "func-name-matching": 0,
         "id-length": [2, { "min": 1, "max": 25, "properties": "never" }],
         "indent": [2, 4],
+        "max-lines": 0,
         "max-lines-per-function": [2, { "max": 150 }],
         "max-params": [2, 18],
         "max-statements": [2, 100],

package/node_modules/qs/CHANGELOG.md

@@ -1,3 +1,25 @@
+## **6.14.0**
+- [New] `parse`: add `throwOnParameterLimitExceeded` option (#517)
+- [Refactor] `parse`: use `utils.combine` more
+- [patch] `parse`: add explicit `throwOnLimitExceeded` default
+- [actions] use shared action; re-add finishers
+- [meta] Fix changelog formatting bug
+- [Deps] update `side-channel`
+- [Dev Deps] update `es-value-fixtures`, `has-bigints`, `has-proto`, `has-symbols`
+- [Tests] increase coverage
+
+## **6.13.1**
+- [Fix] `stringify`: avoid a crash when a `filter` key is `null`
+- [Fix] `utils.merge`: functions should not be stringified into keys
+- [Fix] `parse`: avoid a crash with interpretNumericEntities: true, comma: true, and iso charset
+- [Fix] `stringify`: ensure a non-string `filter` does not crash
+- [Refactor] use `__proto__` syntax instead of `Object.create` for null objects
+- [Refactor] misc cleanup
+- [Tests] `utils.merge`: add some coverage
+- [Tests] fix a test case
+- [actions] split out node 10-20, and 20+
+- [Dev Deps] update `es-value-fixtures`, `mock-property`, `object-inspect`, `tape`
+
 ## **6.13.0**
 - [New] `parse`: add `strictDepth` option (#511)
 - [Tests] use `npm audit` instead of `aud`

package/node_modules/qs/README.md

@@ -49,7 +49,7 @@ assert.deepEqual(qs.parse('foo[bar]=baz'), {
 });
 ```
 
-When using the `plainObjects` option the parsed value is returned as a null object, created via `Object.create(null)` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like:
+When using the `plainObjects` option the parsed value is returned as a null object, created via `{ __proto__: null }` and as such you should be aware that prototype methods will not exist on it and a user may set those names to whatever value they like:
 
 ```javascript
 var nullObject = qs.parse('a[hasOwnProperty]=b', { plainObjects: true });
@@ -135,6 +135,18 @@ var limited = qs.parse('a=b&c=d', { parameterLimit: 1 });
 assert.deepEqual(limited, { a: 'b' });
 ```
 
+If you want an error to be thrown whenever the a limit is exceeded (eg, `parameterLimit`, `arrayLimit`), set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit.
+```javascript
+try {
+    qs.parse('a=1&b=2&c=3&d=4', { parameterLimit: 3, throwOnLimitExceeded: true });
+} catch (err) {
+    assert(err instanceof Error);
+    assert.strictEqual(err.message, 'Parameter limit exceeded. Only 3 parameters allowed.');
+}
+```
+
+When `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `parameterLimit` and ignore the rest without throwing an error.
+
 To bypass the leading question mark, use `ignoreQueryPrefix`:
 
 ```javascript
@@ -286,6 +298,18 @@ var withArrayLimit = qs.parse('a[1]=b', { arrayLimit: 0 });
 assert.deepEqual(withArrayLimit, { a: { '1': 'b' } });
 ```
 
+If you want to throw an error whenever the array limit is exceeded, set the `throwOnLimitExceeded` option to `true`. This option will generate a descriptive error if the query string exceeds a configured limit.
+```javascript
+try {
+    qs.parse('a[1]=b', { arrayLimit: 0, throwOnLimitExceeded: true });
+} catch (err) {
+    assert(err instanceof Error);
+    assert.strictEqual(err.message, 'Array limit exceeded. Only 0 elements allowed in an array.');
+}
+```
+
+When `throwOnLimitExceeded` is set to `false` (default), **qs** will parse up to the specified `arrayLimit` and if the limit is exceeded, the array will instead be converted to an object with the index as the key
+
 To disable array parsing entirely, set `parseArrays` to `false`.
 
 ```javascript