Open yagamy4680 opened 1 month ago
npm audit report:
# npm audit report
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie
2 moderate severity vulnerabilities
Here are the source files that use request:
$ grep -rn request * | grep "require\!"
src/wstty/services/http-by-server.ls:1:require! <[prettyjson semver request serialize-error]>
src/wstty/services/bash-by-server.ls:2:require! <[byline through request]>
src/wstty/services/file-mgr.ls:2:require! <[byline through request]>
src/wstty/wstty-client.ls:1:require! <[colors fs moment path request]>
bash-by-server.ls:
upload-archive: (prefix, tid, operation, filepath, callback) ->
  # Read `filepath`, gzip it, and POST the result as the `archive` part of a
  # multipart form to `<@url>/api/v1/upload-archive/<profile>/<id>/...`.
  #
  # prefix:    tag prepended to every log line
  # tid:       task id, sent as the `task` query parameter
  # operation: sent as the `operation` query parameter
  # filepath:  local file to upload
  # callback:  sent as the `target` query parameter, so presumably an
  #            identifier the server reports back to rather than a function — confirm
  #
  # Every failure is reported through ERR and stops the chain; nothing is
  # handed back to the caller.
  {profile, id, url} = @
  fs.readFile filepath, (read-err, raw) ->
    if read-err?
      return ERR read-err, "failed to read #{filepath}"
    INFO "#{prefix}: #{filepath} is read => #{raw.length} bytes"
    zlib.gzip raw, (compress-err, data) ->
      if compress-err?
        return ERR compress-err, "failed to compress #{filepath}"
      INFO "#{prefix}: #{filepath} is compressed => #{data.length} bytes"
      # NOTE(review): `filename` is never used, while the path interpolates
      # `NAME`, which this method does not define — presumably a module-level
      # constant; confirm, or `#{filename}` may have been intended.
      filename = "execution-log"
      pathname = "/api/v1/upload-archive/#{profile}/#{id}/#{NAME}"
      uri = "#{url}#{pathname}"
      method = \POST
      qs = {operation, task: tid, target: callback}
      # `(unknown)` is reproduced as posted in the issue; it presumably stands
      # for the redacted form-data part options (filename/contentType) — verify.
      archive = {value: data, options: (unknown)}
      formData = {archive}
      # Log the request without the form data so the archive bytes stay out of the log.
      INFO "#{prefix}: posting #{(JSON.stringify {uri, method, qs}).gray}"
      opts = {uri, method, qs, formData}
      # `request` is deprecated and flagged by the npm audit report in this
      # issue. This call sets no `jar` option, so request's cookie handling
      # (the tough-cookie path) is not enabled here — confirm nothing else
      # installs a default jar when migrating.
      request opts, (err, rsp, body) ->
        if err?
          return ERR err, "failed to post to #{uri}"
        # `.red` relies on the `colors` String-prototype extension loaded
        # elsewhere and throws if the response carries no statusMessage.
        if rsp.statusCode isnt 200
          return ERR "failed to post to #{uri} because of non-200 response code: #{rsp.statusCode} (#{rsp.statusMessage.red})"
        return INFO "successfully to upload to #{uri}"
http-by-server.ls:
class V1_Task
  # One HTTP request tracked as a task. Only the response handler is shown in
  # the issue; the rest of `start:` (which builds `opts`, `uri`, `prefix`,
  # `self` and `self.start-time`) is elided by the author.
  start: ->
    # ...
    # `request` is deprecated and flagged by the npm audit report in this
    # issue; the callback below is where its response is consumed.
    (err, rsp, body) <- request opts
    # Discard responses that arrive after the task is no longer running
    # (presumably cleared by a timeout elsewhere). Note this log line
    # serialises the whole response and body.
    return ERR "#{prefix}: got response but already timeout => #{err}, #{JSON.stringify rsp}, #{JSON.stringify body}" unless self.running
    return self.feedback-error \HTTP_REQUEST_ERROR, "request error", err if err?
    # Fields reported back to the caller; `body` is forwarded untouched, so
    # whatever consumes `feedback-result` must treat it as untrusted input.
    {headers, httpVersion, method, statusCode, statusMessage} = rsp
    now = new Date!
    # Elapsed time in milliseconds (Date subtraction).
    duration = now - self.start-time
    result = {headers, httpVersion, method, statusCode, statusMessage, body, duration}
    # Raw header values (strings if present, undefined when the server omits them).
    size = headers['content-length']
    type = headers['content-type']
    INFO "#{prefix}: #{uri} responses => #{type} => #{size} bytes"
    return self.feedback-result result, size, type
file-manager.ls:
class ServiceManager
  # Read `filepath`, gzip it, and POST the result as the `archive` part of a
  # multipart form to `<@url>/api/v1/upload-archive/<profile>/<id>/...`.
  #
  # prefix:   tag prepended to every log line
  # tid:      task id, sent as the `task` query parameter
  # filepath: local file to upload
  # callback: sent as the `target` query parameter, so presumably an
  #           identifier the server reports back to rather than a function — confirm
  #
  # Every failure is reported through ERR and stops the chain; nothing is
  # handed back to the caller.
  upload-archive: (prefix, tid, filepath, callback) ->
    {profile, id, url} = @
    fs.readFile filepath, (read-err, raw) ->
      if read-err?
        return ERR read-err, "failed to read #{filepath}"
      INFO "#{prefix}: #{filepath} is read => #{raw.length} bytes"
      zlib.gzip raw, (compress-err, data) ->
        if compress-err?
          return ERR compress-err, "failed to compress #{filepath}"
        INFO "#{prefix}: #{filepath} is compressed => #{data.length} bytes"
        # NOTE(review): `filename` is never used, while the path interpolates
        # `NAME`, which this method does not define — presumably a module-level
        # constant; confirm, or `#{filename}` may have been intended.
        filename = "execution-log"
        pathname = "/api/v1/upload-archive/#{profile}/#{id}/#{NAME}"
        uri = "#{url}#{pathname}"
        method = \POST
        qs = {task: tid, target: callback}
        # `(unknown)` is reproduced as posted in the issue; it presumably stands
        # for the redacted form-data part options (filename/contentType) — verify.
        archive = {value: data, options: (unknown)}
        formData = {archive}
        # Log the request without the form data so the archive bytes stay out of the log.
        INFO "#{prefix}: posting #{(JSON.stringify {uri, method, qs}).gray}"
        opts = {uri, method, qs, formData}
        # `request` is deprecated and flagged by the npm audit report in this
        # issue. This call sets no `jar` option, so request's cookie handling
        # (the tough-cookie path) is not enabled here — confirm nothing else
        # installs a default jar when migrating.
        request opts, (err, rsp, body) ->
          if err?
            return ERR err, "failed to post to #{uri}"
          # `.red` relies on the `colors` String-prototype extension loaded
          # elsewhere and throws if the response carries no statusMessage.
          if rsp.statusCode isnt 200
            return ERR "failed to post to #{uri} because of non-200 response code: #{rsp.statusCode} (#{rsp.statusMessage.red})"
          return INFO "successfully to upload to #{uri}"
wstty-client.ls:
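class TTYSocket
  # Ask the current server whether this client should switch to another
  # server, and update `@server-url` when the response names one.
  #
  # done: called with a string reason when the lookup is skipped or falls
  #       back to the current `@server-url`, and with no argument on success.
  #       The fallback cases are reported through `done`'s first argument, so
  #       callers must not treat that argument as a hard error.
  #
  # Fixes over the posted version: the missing-`_data.url_` message used
  # `url.cyan`, which throws a TypeError exactly when `url` is missing; a
  # non-object response body made `{data} = body` throw; and the
  # server-supplied URL was adopted without any check even though it becomes
  # the base of every later request this client makes.
  lookup-server: (done) ->
    {opts, server-url} = self = @
    {cc} = module
    INFO "lookup-server: opts => #{PRETTIZE_KVS opts}"
    {lookup_next_server} = opts
    return done "lookup-server => select #{server-url.cyan} to use" unless lookup_next_server
    uri = "#{server-url}/api/v1/config"
    json = yes
    body = {cc}
    INFO "lookup-server => query from #{uri.cyan} by posting JSON body: #{PRETTIZE_KVS cc}"
    # `request` is deprecated and flagged by the npm audit report in this
    # issue; the callback below is the only place its response is consumed.
    # Inside the callback `body` is the response body, shadowing the request body above.
    (err, rsp, body) <- request.post {json, uri, body}
    return done "lookup-server => fallback to use #{server-url.cyan} because of #{err}" if err?
    return done "lookup-server => fallback to use #{server-url.cyan} because of non-200 response code: #{rsp.statusCode} (#{rsp.statusMessage.red})" unless rsp.statusCode is 200
    # With `json: yes` the body is only an object when the server replied with
    # JSON; guard before destructuring so an empty or text body cannot throw.
    return done "lookup-server => fallback to use #{server-url.cyan} because of non-JSON response body" unless body? and typeof body is \object
    {data} = body
    return done "lookup-server => fallback to use #{server-url.cyan} because of missing _data_ field in response" unless data?
    {url} = data
    # Report the server we keep using; `url` is absent here, so it cannot be colourised.
    return done "lookup-server => fallback to use #{server-url.cyan} because of missing _data.url_ field in response" unless url?
    # `url` arrives over the network and becomes the base URL for every later
    # request, so accept only an http(s) URL string.
    return done "lookup-server => fallback to use #{server-url.cyan} because of invalid _data.url_ field in response: #{JSON.stringify url}" unless typeof url is \string and /^https?:\/\//.test url
    self.server-url = url
    INFO "using #{url.cyan}"
    return done!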
As title.