Merge pull request #2980 from gradido/eslint-security

refactor(backend): eslint security
2025-12-13 07:45:54 +00:00 · 2023-05-10 13:46:41 +02:00 · 2023-05-10 13:46:41 +02:00 · c1f88c692e
commit c1f88c692e
parent c455d51822 c8341f17fa
9 changed files with 34 additions and 9 deletions
--- a/backend/.eslintrc.js
+++ b/backend/.eslintrc.js
@ -12,6 +12,7 @@ module.exports = {
    'plugin:prettier/recommended',
    'plugin:import/recommended',
    'plugin:import/typescript',
+    'plugin:security/recommended',
  ],
  settings: {
    'import/parsers': {
--- a/backend/package.json
+++ b/backend/package.json
@ -68,6 +68,7 @@
    "eslint-plugin-n": "^15.7.0",
    "eslint-plugin-prettier": "^4.2.1",
    "eslint-plugin-promise": "^6.1.1",
+    "eslint-plugin-security": "^1.7.1",
    "eslint-plugin-type-graphql": "^1.0.0",
    "faker": "^5.5.3",
    "graphql-tag": "^2.12.6",
--- a/backend/src/graphql/resolver/TransactionLinkResolver.test.ts
+++ b/backend/src/graphql/resolver/TransactionLinkResolver.test.ts
@ -1040,6 +1040,7 @@ describe('TransactionLinkResolver', () => {
    })

    it('returns a string that ends with the hex value of date', () => {
+      // eslint-disable-next-line security/detect-non-literal-regexp
      const regexp = new RegExp(date.getTime().toString(16) + '$')
      expect(transactionLinkCode(date)).toEqual(expect.stringMatching(regexp))
    })
--- a/backend/src/graphql/resolver/util/creations.ts
+++ b/backend/src/graphql/resolver/util/creations.ts
@ -29,10 +29,12 @@ export const validateContribution = (
    throw new LogError('No information for available creations for the given date', creationDate)
  }

+  // eslint-disable-next-line security/detect-object-injection
  if (amount.greaterThan(creations[index].toString())) {
    throw new LogError(
      'The amount to be created exceeds the amount still available for this month',
      amount,
+      // eslint-disable-next-line security/detect-object-injection
      creations[index],
    )
  }
@ -151,6 +153,7 @@ export const updateCreations = (
  if (index < 0) {
    throw new LogError('You cannot create GDD for a month older than the last three months')
  }
+  // eslint-disable-next-line security/detect-object-injection
  creations[index] = creations[index].plus(contribution.amount.toString())
  return creations
 }
@ -169,6 +172,7 @@ export const getOpenCreations = async (
    return {
      month: date.getMonth(),
      year: date.getFullYear(),
+      // eslint-disable-next-line security/detect-object-injection
      amount: creations[index],
    }
  })
--- a/backend/src/seeds/index.ts
+++ b/backend/src/seeds/index.ts
@ -54,9 +54,8 @@ const run = async () => {
  logger.info('##seed## clean database successful...')

  // seed the standard users
-  for (let i = 0; i < users.length; i++) {
-    const dbUser = await userFactory(seedClient, users[i])
-    logger.info(`##seed## seed standard users[ ${i} ]= ${JSON.stringify(dbUser, null, 2)}`)
+  for (const user of users) {
+    await userFactory(seedClient, user)
  }
  logger.info('##seed## seeding all standard users successful...')

--- a/backend/src/server/logger.ts
+++ b/backend/src/server/logger.ts
@ -7,6 +7,7 @@ import { configure, getLogger } from 'log4js'

 import { CONFIG } from '@/config'

+// eslint-disable-next-line security/detect-non-literal-fs-filename
 const options = JSON.parse(readFileSync(CONFIG.LOG4JS_CONFIG, 'utf-8'))

 options.categories.backend.level = CONFIG.LOG_LEVEL
--- a/backend/src/util/utilities.ts
+++ b/backend/src/util/utilities.ts
@ -1,11 +1,9 @@
 import { Decimal } from 'decimal.js-light'
 import i18n from 'i18n'

-export const objectValuesToArray = (obj: Record<string, string>): string[] => {
-  return Object.keys(obj).map(function (key) {
-    return obj[key]
-  })
-}
+export const objectValuesToArray = (obj: Record<string, string>): string[] =>
+  // eslint-disable-next-line security/detect-object-injection
+  Object.keys(obj).map((key) => obj[key])

 export const decimalSeparatorByLanguage = (a: Decimal, language: string): string => {
  const rememberLocaleToRestore = i18n.getLocale()
--- a/backend/src/webhook/elopage.ts
+++ b/backend/src/webhook/elopage.ts
@ -115,6 +115,7 @@ export const elopageWebhook = async (req: any, res: any): Promise<void> => {
  ) {
    const email = loginElopageBuy.payerEmail

+    // eslint-disable-next-line security/detect-unsafe-regex
    const VALIDATE_EMAIL = /^[a-zA-Z0-9.!#$%&?*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/
    const VALIDATE_NAME = /^<>&;]{2,}$/

--- a/backend/yarn.lock
+++ b/backend/yarn.lock
@ -3005,6 +3005,13 @@ eslint-plugin-promise@^6.1.1:
  resolved "https://registry.yarnpkg.com/eslint-plugin-promise/-/eslint-plugin-promise-6.1.1.tgz#269a3e2772f62875661220631bd4dafcb4083816"
  integrity sha512-tjqWDwVZQo7UIPMeDReOpUgHCmCiH+ePnVT+5zVapL0uuHnegBUs2smM13CzOs2Xb5+MHMRFTs9v24yjba4Oig==

+eslint-plugin-security@^1.7.1:
+  version "1.7.1"
+  resolved "https://registry.yarnpkg.com/eslint-plugin-security/-/eslint-plugin-security-1.7.1.tgz#0e9c4a471f6e4d3ca16413c7a4a51f3966ba16e4"
+  integrity sha512-sMStceig8AFglhhT2LqlU5r+/fn9OwsA72O5bBuQVTssPCdQAOQzL+oMn/ZcpeUY6KcNfLJArgcrsSULNjYYdQ==
+  dependencies:
+    safe-regex "^2.1.1"
+
 eslint-plugin-type-graphql@^1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/eslint-plugin-type-graphql/-/eslint-plugin-type-graphql-1.0.0.tgz#d348560ed628d6ca1dfcea35a02891432daafe6b"
@ -3649,7 +3656,7 @@ graceful-fs@^4.1.6, graceful-fs@^4.2.0:
  integrity sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA==

 "gradido-database@file:../database":
-  version "1.19.1"
+  version "1.20.0"
  dependencies:
    "@types/uuid" "^8.3.4"
    cross-env "^7.0.3"
@ -6140,6 +6147,11 @@ reflect-metadata@^0.1.13:
  resolved "https://registry.yarnpkg.com/reflect-metadata/-/reflect-metadata-0.1.13.tgz#67ae3ca57c972a2aa1642b10fe363fe32d49dc08"
  integrity sha512-Ts1Y/anZELhSsjMcU605fU9RE4Oi3p5ORujwbIKXfWa+0Zxs510Qrmrce5/Jowq3cHSZSJqBjypxmHarc+vEWg==

+regexp-tree@~0.1.1:
+  version "0.1.27"
+  resolved "https://registry.yarnpkg.com/regexp-tree/-/regexp-tree-0.1.27.tgz#2198f0ef54518ffa743fe74d983b56ffd631b6cd"
+  integrity sha512-iETxpjK6YoRWJG5o6hXLwvjYAoW+FEZn9os0PD/b6AP6xQwsa/Y7lCVgIixBbUPMfhu+i2LtdeAqVTgGlQarfA==
+
 regexp.prototype.flags@^1.4.3:
  version "1.4.3"
  resolved "https://registry.yarnpkg.com/regexp.prototype.flags/-/regexp.prototype.flags-1.4.3.tgz#87cab30f80f66660181a3bb7bf5981a872b367ac"
@ -6279,6 +6291,13 @@ safe-regex-test@^1.0.0:
    get-intrinsic "^1.1.3"
    is-regex "^1.1.4"

+safe-regex@^2.1.1:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/safe-regex/-/safe-regex-2.1.1.tgz#f7128f00d056e2fe5c11e81a1324dd974aadced2"
+  integrity sha512-rx+x8AMzKb5Q5lQ95Zoi6ZbJqwCLkqi3XuJXp5P3rT8OEc6sZCJG5AE5dU3lsgRr/F4Bs31jSlVN+j5KrsGu9A==
+  dependencies:
+    regexp-tree "~0.1.1"
+
 "safer-buffer@>= 2.1.2 < 3", "safer-buffer@>= 2.1.2 < 3.0.0":
  version "2.1.2"
  resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"