diff --git a/backend/.eslintrc.js b/backend/.eslintrc.js index 6a7d74b38..7f2ecd578 100644 --- a/backend/.eslintrc.js +++ b/backend/.eslintrc.js @@ -12,6 +12,7 @@ module.exports = { 'plugin:prettier/recommended', 'plugin:import/recommended', 'plugin:import/typescript', + 'plugin:security/recommended', ], settings: { 'import/parsers': { diff --git a/backend/package.json b/backend/package.json index c5e0df3c5..c6e852841 100644 --- a/backend/package.json +++ b/backend/package.json @@ -68,6 +68,7 @@ "eslint-plugin-n": "^15.7.0", "eslint-plugin-prettier": "^4.2.1", "eslint-plugin-promise": "^6.1.1", + "eslint-plugin-security": "^1.7.1", "eslint-plugin-type-graphql": "^1.0.0", "faker": "^5.5.3", "graphql-tag": "^2.12.6", diff --git a/backend/src/graphql/resolver/TransactionLinkResolver.test.ts b/backend/src/graphql/resolver/TransactionLinkResolver.test.ts index 9d39a80ae..3c6ba31ab 100644 --- a/backend/src/graphql/resolver/TransactionLinkResolver.test.ts +++ b/backend/src/graphql/resolver/TransactionLinkResolver.test.ts @@ -1040,6 +1040,7 @@ describe('TransactionLinkResolver', () => { }) it('returns a string that ends with the hex value of date', () => { + // eslint-disable-next-line security/detect-non-literal-regexp const regexp = new RegExp(date.getTime().toString(16) + '$') expect(transactionLinkCode(date)).toEqual(expect.stringMatching(regexp)) }) diff --git a/backend/src/graphql/resolver/util/creations.ts b/backend/src/graphql/resolver/util/creations.ts index 1c0c0735e..d6f0e9af4 100644 --- a/backend/src/graphql/resolver/util/creations.ts +++ b/backend/src/graphql/resolver/util/creations.ts 
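Review bot: The preset added at `'plugin:security/recommended'` registers its rules at warning level in the 1.x series of eslint-plugin-security as far as I recall, so unless the lint script runs with `--max-warnings 0` the many disable directives added elsewhere in this commit are silencing output that would not have failed the build anyway. If the intent is enforcement, promote the rules that matter for this backend under `rules`, e.g. `'security/detect-unsafe-regex': 'error'`, or confirm the lint invocation in package.json already passes `--max-warnings 0`; that script is not visible in the hunk.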
@@ -29,10 +29,12 @@ export const validateContribution = ( throw new LogError('No information for available creations for the given date', creationDate) } + // eslint-disable-next-line security/detect-object-injection if (amount.greaterThan(creations[index].toString())) { throw new LogError( 'The amount to be created exceeds the amount still available for this month', amount, + // eslint-disable-next-line security/detect-object-injection creations[index], ) } @@ -151,6 +153,7 @@ export const updateCreations = ( if (index < 0) { throw new LogError('You cannot create GDD for a month older than the last three months') } + // eslint-disable-next-line security/detect-object-injection creations[index] = creations[index].plus(contribution.amount.toString()) return creations } @@ -169,6 +172,7 @@ export const getOpenCreations = async ( return { month: date.getMonth(), year: date.getFullYear(), + // eslint-disable-next-line security/detect-object-injection amount: creations[index], } }) diff --git a/backend/src/seeds/index.ts b/backend/src/seeds/index.ts index fab81eb95..77fa51990 100644 --- a/backend/src/seeds/index.ts +++ b/backend/src/seeds/index.ts @@ -54,9 +54,8 @@ const run = async () => { logger.info('##seed## clean database successful...') // seed the standard users - for (let i = 0; i < users.length; i++) { - const dbUser = await userFactory(seedClient, users[i]) - logger.info(`##seed## seed standard users[ ${i} ]= ${JSON.stringify(dbUser, null, 2)}`) + for (const user of users) { + await userFactory(seedClient, user) } logger.info('##seed## seeding all standard users successful...') diff --git a/backend/src/server/logger.ts b/backend/src/server/logger.ts index d1edbd8fb..0f146b7f7 100644 --- a/backend/src/server/logger.ts +++ b/backend/src/server/logger.ts 
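Review bot: Each `// eslint-disable-next-line security/detect-object-injection` in this hunk and in the two that follow (updateCreations, getOpenCreations) silences the rule without recording why `creations[index]` is safe, and the first hunk pays for it twice on the same expression. The justification is the surrounding bounds handling — the preceding throw on missing creation data here and `if (index < 0)` in updateCreations — so put it in the directive, e.g. `// eslint-disable-next-line security/detect-object-injection -- index is a bounds-checked position in a fixed-size array, not a user-supplied key`, and read the value once, `const available = creations[index]`, so one directive covers both the comparison and the LogError argument. I cannot see where `index` is computed or whether it is also checked against `creations.length`; if it is not, a value past the end yields `undefined` and the `.toString()` / `.plus()` calls throw a bare TypeError instead of the intended LogError. The enclosing functions start before each hunk.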
@@ -7,6 +7,7 @@ import { configure, getLogger } from 'log4js' import { CONFIG } from '@/config' +// eslint-disable-next-line security/detect-non-literal-fs-filename const options = JSON.parse(readFileSync(CONFIG.LOG4JS_CONFIG, 'utf-8')) options.categories.backend.level = CONFIG.LOG_LEVEL diff --git a/backend/src/util/utilities.ts b/backend/src/util/utilities.ts index e9935bbd4..d5da55aed 100644 --- a/backend/src/util/utilities.ts +++ b/backend/src/util/utilities.ts @@ -1,11 +1,9 @@ import { Decimal } from 'decimal.js-light' import i18n from 'i18n' -export const objectValuesToArray = (obj: Record): string[] => { - return Object.keys(obj).map(function (key) { - return obj[key] - }) -} +export const objectValuesToArray = (obj: Record): string[] => + // eslint-disable-next-line security/detect-object-injection + Object.keys(obj).map((key) => obj[key]) export const decimalSeparatorByLanguage = (a: Decimal, language: string): string => { const rememberLocaleToRestore = i18n.getLocale() diff --git a/backend/src/webhook/elopage.ts b/backend/src/webhook/elopage.ts index 7a779fadd..07e7d4ecf 100644 --- a/backend/src/webhook/elopage.ts +++ b/backend/src/webhook/elopage.ts @@ -115,6 +115,7 @@ export const elopageWebhook = async (req: any, res: any): Promise => { ) { const email = loginElopageBuy.payerEmail + // eslint-disable-next-line security/detect-unsafe-regex const VALIDATE_EMAIL = /^[a-zA-Z0-9.!#$%&?*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$/ const VALIDATE_NAME = /^<>&;]{2,}$/ diff --git a/backend/yarn.lock b/backend/yarn.lock index 1bc8c64fd..4a283e482 100644 --- a/backend/yarn.lock +++ b/backend/yarn.lock 
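Review bot: The directive added above `readFileSync(CONFIG.LOG4JS_CONFIG, 'utf-8')` should say why a non-literal path is acceptable here, since the rule exists to make the reader check where the filename comes from; it is deployment configuration rather than request data, so `// eslint-disable-next-line security/detect-non-literal-fs-filename -- path is deployment config (CONFIG.LOG4JS_CONFIG), never request-derived` is enough. Separately, the parsed result is untyped and the next line dereferences `options.categories.backend` unchecked, so a log4js config file lacking that category fails at startup with a TypeError that does not name the file; a guard would help, though that line is unchanged by this commit.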
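Review bot: `objectValuesToArray` is now a hand-rolled `Object.values`, and the new directive exists only to cover that computed access; `export const objectValuesToArray = (obj: Record): string[] => Object.values(obj)` does the same without the disable (the generic arguments on `Record` appear stripped in this rendering; keep whatever the file has). Both `Object.keys` and `Object.values` enumerate own string keys in the same order, so callers see no change. This assumes the tsconfig `lib` includes es2017 or later, which I cannot confirm from the hunk.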
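Review bot: Silencing `security/detect-unsafe-regex` on `VALIDATE_EMAIL` turns off the one rule that is relevant to this path, because `email` is `loginElopageBuy.payerEmail` from a webhook request typed `any`, i.e. externally controlled input. The pattern itself looks linear — the repeated group `(?:\.[a-zA-Z0-9-]+)*` is delimited by a literal `.` that both adjacent classes exclude, so there is no overlapping quantifier and the warning is safe-regex's star-height heuristic — but that reasoning belongs in the directive, e.g. `// eslint-disable-next-line security/detect-unsafe-regex -- groups are delimited by a literal '.' excluded from both classes; no overlapping quantifiers`. A cheap additional safeguard is to reject values longer than 254 characters before any regex is applied to `email`, which bounds matching cost regardless of the heuristic. `VALIDATE_NAME` on the following context line reads as `/^<>&;]{2,}$/` here, which looks like a `[^` lost in rendering; worth confirming against the file. The enclosing elopageWebhook starts before the hunk.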
@@ -3005,6 +3005,13 @@ eslint-plugin-promise@^6.1.1: resolved "https://registry.yarnpkg.com/eslint-plugin-promise/-/eslint-plugin-promise-6.1.1.tgz#269a3e2772f62875661220631bd4dafcb4083816" integrity sha512-tjqWDwVZQo7UIPMeDReOpUgHCmCiH+ePnVT+5zVapL0uuHnegBUs2smM13CzOs2Xb5+MHMRFTs9v24yjba4Oig== +eslint-plugin-security@^1.7.1: + version "1.7.1" + resolved "https://registry.yarnpkg.com/eslint-plugin-security/-/eslint-plugin-security-1.7.1.tgz#0e9c4a471f6e4d3ca16413c7a4a51f3966ba16e4" + integrity sha512-sMStceig8AFglhhT2LqlU5r+/fn9OwsA72O5bBuQVTssPCdQAOQzL+oMn/ZcpeUY6KcNfLJArgcrsSULNjYYdQ== + dependencies: + safe-regex "^2.1.1" + eslint-plugin-type-graphql@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/eslint-plugin-type-graphql/-/eslint-plugin-type-graphql-1.0.0.tgz#d348560ed628d6ca1dfcea35a02891432daafe6b" @@ -3649,7 +3656,7 @@ graceful-fs@^4.1.6, graceful-fs@^4.2.0: integrity sha512-9ByhssR2fPVsNZj478qUUbKfmL0+t5BDVyjShtyZZLiK7ZDAArFFfopyOTj0M05wE2tJPisA4iTnnXl2YoPvOA== "gradido-database@file:../database": - version "1.19.1" + version "1.20.0" dependencies: "@types/uuid" "^8.3.4" cross-env "^7.0.3" @@ -6140,6 +6147,11 @@ reflect-metadata@^0.1.13: resolved "https://registry.yarnpkg.com/reflect-metadata/-/reflect-metadata-0.1.13.tgz#67ae3ca57c972a2aa1642b10fe363fe32d49dc08" integrity sha512-Ts1Y/anZELhSsjMcU605fU9RE4Oi3p5ORujwbIKXfWa+0Zxs510Qrmrce5/Jowq3cHSZSJqBjypxmHarc+vEWg== +regexp-tree@~0.1.1: + version "0.1.27" + resolved "https://registry.yarnpkg.com/regexp-tree/-/regexp-tree-0.1.27.tgz#2198f0ef54518ffa743fe74d983b56ffd631b6cd" + integrity sha512-iETxpjK6YoRWJG5o6hXLwvjYAoW+FEZn9os0PD/b6AP6xQwsa/Y7lCVgIixBbUPMfhu+i2LtdeAqVTgGlQarfA== + regexp.prototype.flags@^1.4.3: version "1.4.3" resolved "https://registry.yarnpkg.com/regexp.prototype.flags/-/regexp.prototype.flags-1.4.3.tgz#87cab30f80f66660181a3bb7bf5981a872b367ac" 
@@ -6279,6 +6291,13 @@ safe-regex-test@^1.0.0: get-intrinsic "^1.1.3" is-regex "^1.1.4" +safe-regex@^2.1.1: + version "2.1.1" + resolved "https://registry.yarnpkg.com/safe-regex/-/safe-regex-2.1.1.tgz#f7128f00d056e2fe5c11e81a1324dd974aadced2" + integrity sha512-rx+x8AMzKb5Q5lQ95Zoi6ZbJqwCLkqi3XuJXp5P3rT8OEc6sZCJG5AE5dU3lsgRr/F4Bs31jSlVN+j5KrsGu9A== + dependencies: + regexp-tree "~0.1.1" + "safer-buffer@>= 2.1.2 < 3", "safer-buffer@>= 2.1.2 < 3.0.0": version "2.1.2" resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"