Merge pull request #15004 from Budibase/security-updates

dependency upgrades for security scanners
2024-11-20 16:14:14 +00:00 · 2024-11-20 16:14:14 +00:00 · 739457ca42
parent 0a3000e3ac e5e0563546
commit 739457ca42
11 changed files with 2183 additions and 1655 deletions
--- a/package.json
+++ b/package.json
@ -109,7 +109,7 @@
    "semver": "7.5.3",
    "http-cache-semantics": "4.1.1",
    "msgpackr": "1.10.1",
-    "axios": "1.6.3",
+    "axios": "1.7.7",
    "xml2js": "0.6.2",
    "unset-value": "2.0.1",
    "passport": "0.6.0",
@ -119,6 +119,5 @@
  },
  "engines": {
    "node": ">=20.0.0 <21.0.0"
-  },
-  "dependencies": {}
+  }
 }
--- a/packages/backend-core/package.json
+++ b/packages/backend-core/package.json
@ -33,14 +33,17 @@
    "@budibase/pouchdb-replication-stream": "1.2.11",
    "@budibase/shared-core": "0.0.0",
    "@budibase/types": "0.0.0",
+    "@techpass/passport-openidconnect": "0.3.3",
    "aws-cloudfront-sign": "3.0.2",
-    "aws-sdk": "2.1030.0",
+    "aws-sdk": "2.1692.0",
    "bcrypt": "5.1.0",
    "bcryptjs": "2.4.3",
    "bull": "4.10.1",
    "correlation-id": "4.0.0",
-    "dd-trace": "5.2.0",
+    "dd-trace": "5.23.0",
    "dotenv": "16.0.1",
+    "google-auth-library": "^8.0.1",
+    "google-spreadsheet": "npm:@budibase/google-spreadsheet@4.1.5",
    "ioredis": "5.3.2",
    "joi": "17.6.0",
    "jsonwebtoken": "9.0.2",
@ -55,17 +58,14 @@
    "pino": "8.11.0",
    "pino-http": "8.3.3",
    "posthog-node": "4.0.1",
-    "pouchdb": "7.3.0",
-    "pouchdb-find": "7.2.2",
+    "pouchdb": "9.0.0",
+    "pouchdb-find": "9.0.0",
    "redlock": "4.2.0",
    "rotating-file-stream": "3.1.0",
    "sanitize-s3-objectkey": "0.0.1",
    "semver": "^7.5.4",
    "tar-fs": "2.1.1",
-    "uuid": "^8.3.2",
-    "@techpass/passport-openidconnect": "0.3.3",
-    "google-auth-library": "^8.0.1",
-    "google-spreadsheet": "npm:@budibase/google-spreadsheet@4.1.5"
+    "uuid": "^8.3.2"
  },
  "devDependencies": {
    "@jest/types": "^29.6.3",
@ -78,7 +78,7 @@
    "@types/lodash": "4.14.200",
    "@types/node": "^22.9.0",
    "@types/node-fetch": "2.6.4",
-    "@types/pouchdb": "6.4.0",
+    "@types/pouchdb": "6.4.2",
    "@types/redlock": "4.0.7",
    "@types/semver": "7.3.7",
    "@types/tar-fs": "2.0.1",
--- a/packages/pro
+++ b/packages/pro
@ -1 +1 @@
-Subproject commit bfeece324a03a3a5f25137bf3f8c66d5ed6103d8
+Subproject commit 4facf6a44ee52a405794845f71584168b9db652c
--- a/packages/server/package.json
+++ b/packages/server/package.json
@ -63,13 +63,13 @@
    "@bull-board/koa": "5.10.2",
    "@elastic/elasticsearch": "7.10.0",
    "@google-cloud/firestore": "7.8.0",
-    "@koa/router": "8.0.8",
+    "@koa/router": "13.1.0",
    "@socket.io/redis-adapter": "^8.2.1",
    "@types/xml2js": "^0.4.14",
    "airtable": "0.12.2",
    "arangojs": "7.2.0",
    "archiver": "7.0.1",
-    "aws-sdk": "2.1030.0",
+    "aws-sdk": "2.1692.0",
    "bcrypt": "5.1.0",
    "bcryptjs": "2.4.3",
    "bson": "^6.9.0",
@ -80,8 +80,8 @@
    "cookies": "0.8.0",
    "csvtojson": "2.0.10",
    "curlconverter": "3.21.0",
+    "dd-trace": "5.23.0",
    "dayjs": "^1.10.8",
-    "dd-trace": "5.2.0",
    "dotenv": "8.2.0",
    "form-data": "4.0.0",
    "global-agent": "3.0.0",
@ -89,7 +89,7 @@
    "google-spreadsheet": "npm:@budibase/google-spreadsheet@4.1.5",
    "ioredis": "5.3.2",
    "isolated-vm": "^4.7.2",
-    "jimp": "0.22.12",
+    "jimp": "1.1.4",
    "joi": "17.6.0",
    "js-yaml": "4.1.0",
    "jsonschema": "1.4.0",
@ -104,7 +104,7 @@
    "lodash": "4.17.21",
    "memorystream": "0.3.1",
    "mongodb": "6.7.0",
-    "mssql": "10.0.1",
+    "mssql": "11.0.1",
    "mysql2": "3.9.8",
    "node-fetch": "2.6.7",
    "object-sizeof": "2.6.1",
@ -112,15 +112,15 @@
    "openapi-types": "9.3.1",
    "oracledb": "6.5.1",
    "pg": "8.10.0",
-    "pouchdb": "7.3.0",
+    "pouchdb": "9.0.0",
    "pouchdb-all-dbs": "1.1.1",
-    "pouchdb-find": "7.2.2",
+    "pouchdb-find": "9.0.0",
    "redis": "4",
    "semver": "^7.5.4",
    "serialize-error": "^7.0.1",
    "server-destroy": "1.0.1",
-    "snowflake-promise": "^4.5.0",
-    "socket.io": "4.7.5",
+    "snowflake-sdk": "^1.15.0",
+    "socket.io": "4.8.1",
    "svelte": "^4.2.10",
    "tar": "6.2.1",
    "tmp": "0.2.3",
@ -128,7 +128,7 @@
    "uuid": "^8.3.2",
    "validate.js": "0.13.1",
    "worker-farm": "1.7.0",
-    "xml2js": "0.5.0"
+    "xml2js": "0.6.2"
  },
  "devDependencies": {
    "@babel/preset-env": "7.16.11",
@ -140,13 +140,14 @@
    "@types/jest": "29.5.5",
    "@types/koa": "2.13.4",
    "@types/koa-send": "^4.1.6",
-    "@types/koa__router": "8.0.8",
+    "@types/koa__router": "12.0.4",
    "@types/lodash": "4.14.200",
-    "@types/mssql": "9.1.4",
+    "@types/mssql": "9.1.5",
    "@types/node": "^22.9.0",
    "@types/node-fetch": "2.6.4",
    "@types/oracledb": "6.5.1",
    "@types/pg": "8.6.6",
+    "@types/pouchdb": "6.4.2",
    "@types/server-destroy": "1.0.1",
    "@types/supertest": "2.0.14",
    "@types/tar": "6.1.5",
--- a/packages/server/src/api/controllers/query/import/sources/curl.ts
+++ b/packages/server/src/api/controllers/query/import/sources/curl.ts
@ -4,7 +4,7 @@ import { URL } from "url"

 const curlconverter = require("curlconverter")

-const parseCurl = (data: string): any => {
+const parseCurl = (data: string): Promise<any> => {
  const curlJson = curlconverter.toJsonString(data)
  return JSON.parse(curlJson)
 }
@ -53,8 +53,7 @@ export class Curl extends ImportSource {

  isSupported = async (data: string): Promise<boolean> => {
    try {
-      const curl = parseCurl(data)
-      this.curl = curl
+      this.curl = parseCurl(data)
    } catch (err) {
      return false
    }
--- a/packages/server/src/integrations/microsoftSqlServer.ts
+++ b/packages/server/src/integrations/microsoftSqlServer.ts
@ -281,8 +281,14 @@ class SqlServerIntegration extends Sql implements DatasourcePlus {
        case MSSQLConfigAuthType.NTLM: {
          const { domain, trustServerCertificate } =
            this.config.ntlmConfig || {}
+
+          if (!domain) {
+            throw Error("Domain must be provided for NTLM config")
+          }
+
          clientCfg.authentication = {
            type: "ntlm",
+            // @ts-expect-error - username and password not required for NTLM
            options: {
              domain,
            },
--- a/packages/server/src/integrations/snowflake.ts
+++ b/packages/server/src/integrations/snowflake.ts
@ -6,7 +6,8 @@ import {
  QueryType,
  SqlQuery,
 } from "@budibase/types"
-import { Snowflake } from "snowflake-promise"
+import snowflakeSdk, { SnowflakeError } from "snowflake-sdk"
+import { promisify } from "util"

 interface SnowflakeConfig {
  account: string
@ -71,11 +72,52 @@ const SCHEMA: Integration = {
  },
 }

-class SnowflakeIntegration {
-  private client: Snowflake
+class SnowflakePromise {
+  config: SnowflakeConfig
+  client?: snowflakeSdk.Connection

  constructor(config: SnowflakeConfig) {
-    this.client = new Snowflake(config)
+    this.config = config
+  }
+
+  async connect() {
+    if (this.client?.isUp()) return
+
+    this.client = snowflakeSdk.createConnection(this.config)
+    const connectAsync = promisify(this.client.connect.bind(this.client))
+    return connectAsync()
+  }
+
+  async execute(sql: string) {
+    return new Promise((resolve, reject) => {
+      if (!this.client) {
+        throw Error(
+          "No snowflake client present to execute query. Run connect() first to initialise."
+        )
+      }
+
+      this.client.execute({
+        sqlText: sql,
+        complete: function (
+          err: SnowflakeError | undefined,
+          statementExecuted: any,
+          rows: any
+        ) {
+          if (err) {
+            return reject(err)
+          }
+          resolve(rows)
+        },
+      })
+    })
+  }
+}
+
+class SnowflakeIntegration {
+  private client: SnowflakePromise
+
+  constructor(config: SnowflakeConfig) {
+    this.client = new SnowflakePromise(config)
  }

  async testConnection(): Promise<ConnectionInfo> {
--- a/packages/server/src/utilities/fileSystem/processor.ts
+++ b/packages/server/src/utilities/fileSystem/processor.ts
@ -1,4 +1,4 @@
-import jimp from "jimp"
+import { Jimp } from "jimp"

 const FORMATS = {
  IMAGES: ["png", "jpg", "jpeg", "gif", "bmp", "tiff"],
@ -6,8 +6,8 @@ const FORMATS = {

 function processImage(file: { path: string }) {
  // this will overwrite the temp file
-  return jimp.read(file.path).then(img => {
-    return img.resize(300, jimp.AUTO).write(file.path)
+  return Jimp.read(file.path).then(img => {
+    return img.resize({ w: 256 }).write(file.path as `${string}.${string}`)
  })
 }

--- a/packages/worker/package.json
+++ b/packages/worker/package.json
@ -40,17 +40,17 @@
  "dependencies": {
    "@budibase/backend-core": "0.0.0",
    "@budibase/pro": "0.0.0",
+    "@budibase/shared-core": "0.0.0",
    "@budibase/string-templates": "0.0.0",
    "@budibase/types": "0.0.0",
-    "@budibase/shared-core": "0.0.0",
-    "@koa/router": "8.0.8",
+    "@koa/router": "13.1.0",
    "@techpass/passport-openidconnect": "0.3.3",
    "@types/global-agent": "2.1.1",
-    "aws-sdk": "2.1030.0",
+    "aws-sdk": "2.1692.0",
    "bcrypt": "5.1.0",
    "bcryptjs": "2.4.3",
    "bull": "4.10.1",
-    "dd-trace": "5.2.0",
+    "dd-trace": "5.23.0",
    "dotenv": "8.6.0",
    "global-agent": "3.0.0",
    "ical-generator": "4.1.0",
@ -82,7 +82,7 @@
    "@types/jest": "29.5.5",
    "@types/jsonwebtoken": "9.0.3",
    "@types/koa": "2.13.4",
-    "@types/koa__router": "8.0.8",
+    "@types/koa__router": "12.0.4",
    "@types/lodash": "4.14.200",
    "@types/node": "^22.9.0",
    "@types/node-fetch": "2.6.4",
--- a/packages/worker/src/api/controllers/global/users.ts
+++ b/packages/worker/src/api/controllers/global/users.ts
@ -40,6 +40,7 @@ import {
 import { checkAnyUserExists } from "../../../utilities/users"
 import { isEmailConfigured } from "../../../utilities/email"
 import { BpmStatusKey, BpmStatusValue, utils } from "@budibase/shared-core"
+import crypto from "crypto"

 const MAX_USERS_UPLOAD_LIMIT = 1000

--- a/yarn.lock
+++ b/yarn.lock