74348: Fix security issues reported by LGTM

2025-10-16 22:43:03 +00:00 · 2020-11-06 14:30:39 +01:00
parent 1e87f2b742
commit 5ef7ae1b86
7 changed files with 45 additions and 4 deletions
--- a/package.json
+++ b/package.json
@@ -88,6 +88,7 @@
    "debug-loader": "^0.0.1",
    "deepmerge": "^4.2.2",
    "express": "4.16.2",
+    "express-rate-limit": "^5.1.3",
    "fast-json-patch": "^2.0.7",
    "file-saver": "^1.3.8",
    "filesize": "^6.1.0",
--- a/server.ts
+++ b/server.ts
@@ -28,12 +28,13 @@ import * as compression from 'compression';
 import * as cookieParser from 'cookie-parser';
 import { join } from 'path';

-import { enableProdMode, NgModuleFactory, Type } from '@angular/core';
+import { enableProdMode } from '@angular/core';

 import { REQUEST, RESPONSE } from '@nguniversal/express-engine/tokens';
 import { environment } from './src/environments/environment';
 import { createProxyMiddleware } from 'http-proxy-middleware';
-import { hasValue, hasNoValue } from './src/app/shared/empty.util';
+import { hasNoValue, hasValue } from './src/app/shared/empty.util';
+import { UIServerConfig } from './src/config/ui-server-config.interface';

 /*
 * Set path for the browser application's dist folder
@@ -121,6 +122,19 @@ function cacheControl(req, res, next) {
  next();
 }

+/**
+ * Checks if the rateLimiter property is present
+ * When it is present, the rateLimiter will be enabled. When it is undefined, the rateLimiter will be disabled.
+ */
+if (hasValue((environment.ui as UIServerConfig).rateLimiter)) {
+  const RateLimit = require('express-rate-limit');
+  const limiter = new RateLimit({
+    windowMs: (environment.ui as UIServerConfig).rateLimiter.windowMs,
+    max: (environment.ui as UIServerConfig).rateLimiter.max
+  });
+  app.use(limiter);
+}
+
 /*
 * Serve static resources (images, i18n messages, …)
 */
@@ -209,8 +223,9 @@ if (environment.ui.ssl) {
      certificate: certificate
    });
  } else {
+    console.warn('Disabling certificate validation and proceeding with a self-signed certificate. If this is a production server, it is recommended that you configure a valid certificate instead.');

-    process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'; // lgtm[js/disabling-certificate-validation]

    pem.createCertificate({
      days: 1,
--- a/src/config/global-config.interface.ts
+++ b/src/config/global-config.interface.ts
@@ -11,9 +11,10 @@ import { ItemPageConfig } from './item-page-config.interface';
 import { CollectionPageConfig } from './collection-page-config.interface';
 import { Theme } from './theme.inferface';
 import {AuthConfig} from './auth-config.interfaces';
+import { UIServerConfig } from './ui-server-config.interface';

 export interface GlobalConfig extends Config {
-  ui: ServerConfig;
+  ui: UIServerConfig;
  rest: ServerConfig;
  production: boolean;
  cache: CacheConfig;
--- a/src/config/ui-server-config.interface.ts
+++ b/src/config/ui-server-config.interface.ts
@@ -0,0 +1,14 @@
+import { ServerConfig } from './server-config.interface';
+
+/**
+ * Server configuration related to the UI.
+ */
+export class UIServerConfig extends ServerConfig {
+
+  // rateLimiter is used to reduce the amount consequential hits and add a delay
+  rateLimiter?: {
+    windowMs: number;
+    max: number;
+  };
+
+}
--- a/src/environments/environment.common.ts
+++ b/src/environments/environment.common.ts
@@ -13,6 +13,10 @@ export const environment: GlobalConfig = {
    port: 4000,
    // NOTE: Space is capitalized because 'namespace' is a reserved string in TypeScript
    nameSpace: '/',
+    rateLimiter: {
+      windowMs: 1 * 60 * 1000,
+      max: 100
+    }
  },
  // The REST API server settings.
  // NOTE: these must be "synced" with the 'dspace.server.url' setting in your backend's local.cfg.
--- a/src/environments/mock-environment.ts
+++ b/src/environments/mock-environment.ts
@@ -19,6 +19,7 @@ export const environment: Partial<GlobalConfig> = {
    port: 80,
    // NOTE: Space is capitalized because 'namespace' is a reserved string in TypeScript
    nameSpace: '/angular-dspace',
+    rateLimiter: undefined
  },
    // Caching settings
  cache: {
--- a/yarn.lock
+++ b/yarn.lock
@@ -4124,6 +4124,11 @@ expand-tilde@^2.0.0, expand-tilde@^2.0.2:
  dependencies:
    homedir-polyfill "^1.0.1"

+express-rate-limit@^5.1.3:
+  version "5.1.3"
+  resolved "https://registry.yarnpkg.com/express-rate-limit/-/express-rate-limit-5.1.3.tgz#656bacce3f093034976346958a0f0199902c9174"
+  integrity sha512-TINcxve5510pXj4n9/1AMupkj3iWxl3JuZaWhCdYDlZeoCPqweGZrxbrlqTCFb1CT5wli7s8e2SH/Qz2c9GorA==
+
 express@4.16.2:
  version "4.16.2"
  resolved "https://registry.yarnpkg.com/express/-/express-4.16.2.tgz#e35c6dfe2d64b7dca0a5cd4f21781be3299e076c"