tic-tac-toe-io / rds-agent

Agent for Remote Device Diagnosis
MIT License

Replace _request_ with _fetch #4

Open yagamy4680 opened 1 month ago

yagamy4680 commented 1 month ago

As per the title: replace the `request` dependency with the built-in `fetch`. `npm audit` (below) reports two moderate advisories against `request` and the `tough-cookie` version it pins, with no fixed release available, so the only remediation is to drop the package.

yagamy4680 commented 1 month ago

npm audit report:

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

2 moderate severity vulnerabilities
yagamy4680 commented 1 month ago

Here are the source files that use `request` (found by grepping the LiveScript `require!` lines); each call site is quoted in the comments that follow:

$ grep -rn request * | grep "require\!"

src/wstty/services/http-by-server.ls:1:require! <[prettyjson semver request serialize-error]>
src/wstty/services/bash-by-server.ls:2:require! <[byline through request]>
src/wstty/services/file-mgr.ls:2:require! <[byline through request]>
src/wstty/wstty-client.ls:1:require! <[colors fs moment path request]>
yagamy4680 commented 1 month ago

bash-by-server.ls:

  # Gzip the file at `filepath` and POST it as a multipart upload to the
  # server at `@url`, path `/api/v1/upload-archive/<profile>/<id>/<NAME>`,
  # with `operation`, the task id (`tid`) and `callback` (sent as `target`)
  # in the query string. Outcomes are only logged via ERR/INFO; nothing is
  # returned to the caller.
  #
  # The file is read whole into memory and gzipped in memory, so a large
  # execution log costs two full copies of itself. `NAME` comes from outside
  # this snippet, and `(unknown)` is a placeholder by the issue author, not
  # real code.
  #
  # NOTE(review): `filename` is assigned but never used — the path uses
  # `NAME` instead; confirm which is intended before porting.
  # NOTE(review): `profile` and `id` are interpolated into the path
  # unencoded; if either can contain `/`, `?` or `#`, encodeURIComponent
  # them so they cannot alter the target path.
  # NOTE(review): no timeout is set, so a stalled server keeps this upload
  # pending indefinitely. With fetch that becomes an AbortSignal, and the
  # multipart body needs FormData/Blob (Node 18+) or a hand-built body.
  upload-archive: (prefix, tid, operation, filepath, callback) ->
    {profile, id, url} = self = @
    (read-err, raw) <- fs.readFile filepath
    return ERR read-err, "failed to read #{filepath}" if read-err?
    INFO "#{prefix}: #{filepath} is read => #{raw.length} bytes"
    (compress-err, data) <- zlib.gzip raw
    return ERR compress-err, "failed to compress #{filepath}" if compress-err?
    INFO "#{prefix}: #{filepath} is compressed => #{data.length} bytes"
    filename = "execution-log"
    pathname = "/api/v1/upload-archive/#{profile}/#{id}/#{NAME}"
    uri = "#{url}#{pathname}"
    method = \POST
    target = callback
    task = tid
    qs = {operation, task, target}
    archive = value: data, options: (unknown)
    formData = {archive}
    # `x` omits formData, so the log line below does not dump the archive bytes.
    x = {uri, method, qs}
    INFO "#{prefix}: posting #{(JSON.stringify x).gray}"
    opts = {uri, method, qs, formData}
    (err, rsp, body) <- request opts
    return ERR err, "failed to post to #{uri}" if err?
    # `.red` on `rsp.statusMessage` throws if the server sent no reason phrase.
    return ERR "failed to post to #{uri} because of non-200 response code: #{rsp.statusCode} (#{rsp.statusMessage.red})" unless rsp.statusCode is 200
    return INFO "successfully to upload to #{uri}"
yagamy4680 commented 1 month ago

http-by-server.ls:

# One server-commanded HTTP request. Only the response handling is shown in
# this snippet; `opts`, `prefix`, `uri`, `self` and `self.start-time` are set
# in the elided part of `start`.
class V1_Task
  start: ->
    # ...
    # NOTE(review): if `opts` (uri/method/headers) is built from what the
    # server sends, this agent acts as an HTTP proxy by design, and the
    # redirect-based SSRF advisory against `request` quoted in this issue
    # applies here. A fetch port should choose redirect handling explicitly
    # (`redirect: 'manual'` or a scheme/host allow-list) rather than inherit
    # the default.
    (err, rsp, body) <- request opts
    # A response arriving after the task was timed out is logged and dropped.
    # Note this log line serialises the whole response object, headers and body included.
    return ERR "#{prefix}: got response but already timeout => #{err}, #{JSON.stringify rsp}, #{JSON.stringify body}" unless self.running
    return self.feedback-error \HTTP_REQUEST_ERROR, "request error", err if err?
    {headers, httpVersion, method, statusCode, statusMessage} = rsp
    now = new Date!
    duration = now - self.start-time
    # The complete `body` handed to the callback is forwarded as-is; no size
    # cap is visible here.
    result = {headers, httpVersion, method, statusCode, statusMessage, body, duration}
    # `size` is the advertised Content-Length header, not the bytes actually
    # received (`body.length` would be), so it may be absent or inaccurate.
    size = headers['content-length']
    type = headers['content-type']
    INFO "#{prefix}: #{uri} responses => #{type} => #{size} bytes"
    return self.feedback-result result, size, type
yagamy4680 commented 1 month ago

file-mgr.ls (`src/wstty/services/file-mgr.ls` in the grep output above; the method is a near-duplicate of the one in bash-by-server.ls, minus `operation`):

class ServiceManager
  # Gzip `filepath` and POST it as a multipart upload to `@url` at
  # `/api/v1/upload-archive/<profile>/<id>/<NAME>`, passing the task id
  # (`tid`) and `callback` (as `target`) in the query string. Results are
  # logged only; the caller gets nothing back.
  #
  # This is the same routine as `upload-archive` in bash-by-server.ls
  # without the `operation` query parameter — a shared helper would keep the
  # fetch port in one place. `NAME` is defined outside this snippet;
  # `(unknown)` is the issue author's placeholder, not code.
  #
  # NOTE(review): `filename` is never used (the path uses `NAME`).
  # NOTE(review): `profile`/`id` go into the path unencoded; encode them if
  # they can carry path or query characters.
  # NOTE(review): no request timeout; whole file held in memory twice
  # (raw and gzipped) before the upload starts.
  upload-archive: (prefix, tid, filepath, callback) ->
    {profile, id, url} = self = @
    (read-err, raw) <- fs.readFile filepath
    return ERR read-err, "failed to read #{filepath}" if read-err?
    INFO "#{prefix}: #{filepath} is read => #{raw.length} bytes"
    (compress-err, data) <- zlib.gzip raw
    return ERR compress-err, "failed to compress #{filepath}" if compress-err?
    INFO "#{prefix}: #{filepath} is compressed => #{data.length} bytes"
    filename = "execution-log"
    pathname = "/api/v1/upload-archive/#{profile}/#{id}/#{NAME}"
    uri = "#{url}#{pathname}"
    method = \POST
    target = callback
    task = tid
    qs = {task, target}
    archive = value: data, options: (unknown)
    formData = {archive}
    # Logged copy of the options without the multipart body.
    x = {uri, method, qs}
    INFO "#{prefix}: posting #{(JSON.stringify x).gray}"
    opts = {uri, method, qs, formData}
    (err, rsp, body) <- request opts
    return ERR err, "failed to post to #{uri}" if err?
    # `rsp.statusMessage.red` throws if the response carries no reason phrase.
    return ERR "failed to post to #{uri} because of non-200 response code: #{rsp.statusCode} (#{rsp.statusMessage.red})" unless rsp.statusCode is 200
    return INFO "successfully to upload to #{uri}"
yagamy4680 commented 1 month ago

wstty-client.ls:

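class TTYSocket

  # Ask the currently configured server (`@server-url`) which server this
  # agent should really talk to, and switch `@server-url` to the answer.
  #
  # `done` is called exactly once: with a human-readable reason whenever the
  # current `@server-url` is kept (lookup disabled via `opts.lookup_next_server`,
  # transport error, non-200 status, malformed response), and with no
  # argument once `@server-url` has been replaced.
  #
  # Fix: the original reported a missing `data.url` by interpolating
  # `url.cyan`, which throws a TypeError exactly when `url` is undefined;
  # the kept address (`server-url`) is what should be reported. A response
  # whose parsed body is not an object is also now treated as "missing
  # _data_" instead of crashing on destructuring.
  #
  # NOTE(review): the server-supplied `data.url` becomes the base of every
  # later request with no check on its scheme or host, so a compromised or
  # spoofed config endpoint can point this agent anywhere. Consider
  # restricting it to http(s) (and, if that is the intent, the same host)
  # before adopting it; left unchanged here because the intended policy is
  # not visible in this snippet.
  lookup-server: (done) ->
    {opts, server-url} = self = @
    {cc} = module
    INFO "lookup-server: opts => #{PRETTIZE_KVS opts}"
    {lookup_next_server} = opts
    return done "lookup-server => select #{server-url.cyan} to use" unless lookup_next_server
    uri = "#{server-url}/api/v1/config"
    json = yes
    body = {cc}
    INFO "lookup-server => query from #{uri.cyan} by posting JSON body: #{PRETTIZE_KVS cc}"
    (err, rsp, body) <- request.post {json, uri, body}
    return done "lookup-server => fallback to use #{server-url.cyan} because of #{err}" if err?
    return done "lookup-server => fallback to use #{server-url.cyan} because of non-200 response code: #{rsp.statusCode} (#{rsp.statusMessage.red})" unless rsp.statusCode is 200
    # `json: yes` makes `body` the parsed response; soak through it so a
    # null or non-object body lands in the same fallback as a missing field.
    return done "lookup-server => fallback to use #{server-url.cyan} because of missing _data_ field in response" unless body?.data?
    {url} = body.data
    return done "lookup-server => fallback to use #{server-url.cyan} because of missing _data.url_ field in response" unless url?
    self.server-url = url
    INFO "using #{url.cyan}"
    return done!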