74348: Fix security issues reported by LGTM

This commit is contained in:
Yana De Pauw
2020-11-06 14:30:39 +01:00
parent 1e87f2b742
commit 5ef7ae1b86
7 changed files with 45 additions and 4 deletions


@@ -88,6 +88,7 @@
"debug-loader": "^0.0.1", "debug-loader": "^0.0.1",
"deepmerge": "^4.2.2", "deepmerge": "^4.2.2",
"express": "4.16.2", "express": "4.16.2",
"express-rate-limit": "^5.1.3",
"fast-json-patch": "^2.0.7", "fast-json-patch": "^2.0.7",
"file-saver": "^1.3.8", "file-saver": "^1.3.8",
"filesize": "^6.1.0", "filesize": "^6.1.0",


@@ -28,12 +28,13 @@ import * as compression from 'compression';
import * as cookieParser from 'cookie-parser'; import * as cookieParser from 'cookie-parser';
import { join } from 'path'; import { join } from 'path';
import { enableProdMode, NgModuleFactory, Type } from '@angular/core'; import { enableProdMode } from '@angular/core';
import { REQUEST, RESPONSE } from '@nguniversal/express-engine/tokens'; import { REQUEST, RESPONSE } from '@nguniversal/express-engine/tokens';
import { environment } from './src/environments/environment'; import { environment } from './src/environments/environment';
import { createProxyMiddleware } from 'http-proxy-middleware'; import { createProxyMiddleware } from 'http-proxy-middleware';
import { hasValue, hasNoValue } from './src/app/shared/empty.util'; import { hasNoValue, hasValue } from './src/app/shared/empty.util';
import { UIServerConfig } from './src/config/ui-server-config.interface';
/* /*
* Set path for the browser application's dist folder * Set path for the browser application's dist folder
@@ -121,6 +122,19 @@ function cacheControl(req, res, next) {
next(); next();
} }
/**
* Checks if the rateLimiter property is present
* When it is present, the rateLimiter will be enabled. When it is undefined, the rateLimiter will be disabled.
*/
if (hasValue((environment.ui as UIServerConfig).rateLimiter)) {
const RateLimit = require('express-rate-limit');
const limiter = new RateLimit({
windowMs: (environment.ui as UIServerConfig).rateLimiter.windowMs,
max: (environment.ui as UIServerConfig).rateLimiter.max
});
app.use(limiter);
}
/* /*
* Serve static resources (images, i18n messages, …) * Serve static resources (images, i18n messages, …)
*/ */
@@ -209,8 +223,9 @@ if (environment.ui.ssl) {
certificate: certificate certificate: certificate
}); });
} else { } else {
console.warn('Disabling certificate validation and proceeding with a self-signed certificate. If this is a production server, it is recommended that you configure a valid certificate instead.');
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; // lgtm[js/disabling-certificate-validation]
pem.createCertificate({ pem.createCertificate({
days: 1, days: 1,
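Review bot: The limiter registered with `app.use(limiter)` is keyed on `req.ip` (express-rate-limit's default key generator), so when this SSR server runs behind a reverse proxy or load balancer every client shares the proxy's address and the same 100-requests-per-minute bucket unless Express's `trust proxy` setting is configured; nothing in this hunk sets it, so it should be confirmed to be set elsewhere or added next to the limiter, e.g. `app.set('trust proxy', ...)` matching the deployment's proxy depth. The limiter is also installed ahead of the static-resource handler that follows it, so every image and i18n file fetched by a page load counts toward the same limit; if that is intended a comment saying so would help, otherwise `app.use(limiter)` belongs after the static routes or scoped to the routes that need it. Style: `require('express-rate-limit')` in a file that otherwise uses ES imports could become a top-level `import * as rateLimit from 'express-rate-limit';`, and the three `(environment.ui as UIServerConfig)` casts could be narrowed once into a local such as `const uiConfig = environment.ui as UIServerConfig;`. The `/** … */` block above the `if` is a doc comment attached to a statement rather than a declaration; a plain `//` comment fits the file's other inline notes better.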


@@ -11,9 +11,10 @@ import { ItemPageConfig } from './item-page-config.interface';
import { CollectionPageConfig } from './collection-page-config.interface'; import { CollectionPageConfig } from './collection-page-config.interface';
import { Theme } from './theme.inferface'; import { Theme } from './theme.inferface';
import {AuthConfig} from './auth-config.interfaces'; import {AuthConfig} from './auth-config.interfaces';
import { UIServerConfig } from './ui-server-config.interface';
export interface GlobalConfig extends Config { export interface GlobalConfig extends Config {
ui: ServerConfig; ui: UIServerConfig;
rest: ServerConfig; rest: ServerConfig;
production: boolean; production: boolean;
cache: CacheConfig; cache: CacheConfig;
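Review bot: With `ui` now typed as `UIServerConfig`, code that reads a `GlobalConfig`-typed environment (the server.ts hunk in this same commit) no longer needs its `(environment.ui as UIServerConfig)` casts — `environment.ui.rateLimiter` type-checks directly, and keeping the cast only hides future drift between the two types. `rest` stays a plain `ServerConfig`, which is fine if the limiter is meant for the UI server only; a one-line comment on the field such as `// UI (SSR) server settings, including the optional rate limiter` would make that asymmetry read as deliberate.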


@@ -0,0 +1,14 @@
import { ServerConfig } from './server-config.interface';
/**
* Server configuration related to the UI.
*/
export class UIServerConfig extends ServerConfig {
// rateLimiter is used to reduce the amount consequential hits and add a delay
rateLimiter?: {
windowMs: number;
max: number;
};
}
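Review bot: `UIServerConfig` is declared as a `class` although both imports of it in this commit use it only in type positions (an annotation and casts) and the module is imported as `ui-server-config.interface`; an `export interface UIServerConfig extends ServerConfig { … }` would match the naming and emit no runtime code, and an interface can extend `ServerConfig` whether that is itself an interface or a class (this hunk does not show which). The field comment `// rateLimiter is used to reduce the amount consequential hits and add a delay` is garbled, and as far as I know express-rate-limit 5 rejects over-limit requests with a 429 rather than delaying them (delaying lives in express-slow-down), so I would replace it with `// Optional rate limiting for the SSR server: at most \`max\` requests per client within \`windowMs\` milliseconds; leave undefined to disable the limiter.`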


@@ -13,6 +13,10 @@ export const environment: GlobalConfig = {
port: 4000, port: 4000,
// NOTE: Space is capitalized because 'namespace' is a reserved string in TypeScript // NOTE: Space is capitalized because 'namespace' is a reserved string in TypeScript
nameSpace: '/', nameSpace: '/',
rateLimiter: {
windowMs: 1 * 60 * 1000,
max: 100
}
}, },
// The REST API server settings. // The REST API server settings.
// NOTE: these must be "synced" with the 'dspace.server.url' setting in your backend's local.cfg. // NOTE: these must be "synced" with the 'dspace.server.url' setting in your backend's local.cfg.
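Review bot: The new `rateLimiter` block is the only setting in this object without a comment while its neighbours are all annotated; I would add `// Rate limiting for the SSR server: at most \`max\` requests per client IP within \`windowMs\` milliseconds (set to undefined to disable)` above `rateLimiter: {`, since the server code in this commit disables the limiter when the property has no value. `1 * 60 * 1000` is clearer as `60 * 1000, // one minute` or with the unit named. Whether 100 requests per minute is enough for a page load that also fetches static assets depends on where the limiter is ordered in server.ts, which this hunk cannot tell.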


@@ -19,6 +19,7 @@ export const environment: Partial<GlobalConfig> = {
port: 80, port: 80,
// NOTE: Space is capitalized because 'namespace' is a reserved string in TypeScript // NOTE: Space is capitalized because 'namespace' is a reserved string in TypeScript
nameSpace: '/angular-dspace', nameSpace: '/angular-dspace',
rateLimiter: undefined
}, },
// Caching settings // Caching settings
cache: { cache: {
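Review bot: `rateLimiter: undefined` switches the limiter off in the production environment while the default environment file in this commit enables it, which is the reverse of where rate limiting matters most, and a missing-rate-limiting finding is presumably what this commit answers. If leaving it unset is a deliberate "configure for your deployment" default, say so on the line: `rateLimiter: undefined, // disables express-rate-limit; set { windowMs, max } to enable`; otherwise carry over the same `{ windowMs: 60 * 1000, max: 100 }` block as the default environment. The explicit `undefined` also differs from simply omitting the key, which `Partial<GlobalConfig>` already permits, so as written the value reads as intentional and deserves the comment either way.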


@@ -4124,6 +4124,11 @@ expand-tilde@^2.0.0, expand-tilde@^2.0.2:
dependencies: dependencies:
homedir-polyfill "^1.0.1" homedir-polyfill "^1.0.1"
express-rate-limit@^5.1.3:
version "5.1.3"
resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-5.1.3.tgz#656bacce3f093034976346958a0f0199902c9174"
integrity sha512-TINcxve5510pXj4n9/1AMupkj3iWxl3JuZaWhCdYDlZeoCPqweGZrxbrlqTCFb1CT5wli7s8e2SH/Qz2c9GorA==
express@4.16.2: express@4.16.2:
version "4.16.2" version "4.16.2"
resolved "https://registry.yarnpkg.com/express/-/express-4.16.2.tgz#e35c6dfe2d64b7dca0a5cd4f21781be3299e076c" resolved "https://registry.yarnpkg.com/express/-/express-4.16.2.tgz#e35c6dfe2d64b7dca0a5cd4f21781be3299e076c"