From f0dce040a26e77c5cce9f0ecf5f433ac24477935 Mon Sep 17 00:00:00 2001 From: PeteThePilot <66815098+PeteThePilot@users.noreply.github.com> Date: Thu, 1 Feb 2024 12:43:06 -0800 Subject: [PATCH 1/6] Create codeql.yml --- .github/workflows/codeql.yml | 84 ++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..7521c59 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,84 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '39 3 * * 4' + +jobs: + analyze: + name: Analyze + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners + # Consider using larger runners for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + # required for all workflows + security-events: write + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: [ 'javascript-typescript' ] + # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] + # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" From caae39541a47c435388ada66e0f5e43e893a7be8 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Fri, 2 Feb 2024 15:19:18 +0000 Subject: [PATCH 2/6] fix: upgrade react-router-dom from 6.21.1 to 6.21.2 Snyk has created this PR to upgrade react-router-dom from 6.21.1 to 6.21.2. See this package in npm: https://www.npmjs.com/package/react-router-dom See this project in Snyk: https://app.snyk.io/org/carsonpetersoncar/project/f730b0b5-d281-4e1f-b96d-9dcd1378c36f?utm_source=github&utm_medium=referral&page=upgrade-pr --- react-frontend/package-lock.json | 26 +++++++++++++------------- react-frontend/package.json | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/react-frontend/package-lock.json b/react-frontend/package-lock.json index 16ad706..ff3412d 100644 --- a/react-frontend/package-lock.json +++ b/react-frontend/package-lock.json @@ -14,7 +14,7 @@ "axios": "^1.6.5", "react": "^18.2.0", "react-dom": "^18.2.0", - "react-router-dom": "^6.21.1", + "react-router-dom": "^6.21.2", "react-scripts": "5.0.1", "web-vitals": "^2.1.4" } @@ -3356,9 +3356,9 @@ } }, "node_modules/@remix-run/router": { - "version": "1.14.1", - "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.14.1.tgz", - "integrity": "sha512-Qg4DMQsfPNAs88rb2xkdk03N3bjK4jgX5fR24eHCTR9q6PrhZQZ4UJBPzCHJkIpTRN1UKxx2DzjZmnC+7Lj0Ow==", + "version": "1.14.2", + "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.14.2.tgz", + "integrity": "sha512-ACXpdMM9hmKZww21yEqWwiLws/UPLhNKvimN8RrYSqPSvB3ov7sLvAcfvaxePeLvccTQKGdkDIhLYApZVDFuKg==", "engines": { "node": ">=14.0.0" } @@ -14948,11 +14948,11 @@ } }, "node_modules/react-router": { - "version": "6.21.1", - "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.21.1.tgz", - "integrity": "sha512-W0l13YlMTm1YrpVIOpjCADJqEUpz1vm+CMo47RuFX4Ftegwm6KOYsL5G3eiE52jnJpKvzm6uB/vTKTPKM8dmkA==", + "version": "6.21.2", + "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.21.2.tgz", + "integrity": "sha512-jJcgiwDsnaHIeC+IN7atO0XiSRCrOsQAHHbChtJxmgqG2IaYQXSnhqGb5vk2CU/wBQA12Zt+TkbuJjIn65gzbA==", "dependencies": { - "@remix-run/router": "1.14.1" + "@remix-run/router": "1.14.2" }, "engines": { "node": ">=14.0.0" @@ -14962,12 +14962,12 @@ } }, "node_modules/react-router-dom": { - "version": "6.21.1", - "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.21.1.tgz", - "integrity": "sha512-QCNrtjtDPwHDO+AO21MJd7yIcr41UetYt5jzaB9Y1UYaPTCnVuJq6S748g1dE11OQlCFIQg+RtAA1SEZIyiBeA==", + "version": "6.21.2", + "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.21.2.tgz", + "integrity": "sha512-tE13UukgUOh2/sqYr6jPzZTzmzc70aGRP4pAjG2if0IP3aUT+sBtAKUJh0qMh0zylJHGLmzS+XWVaON4UklHeg==", "dependencies": { - "@remix-run/router": "1.14.1", - "react-router": "6.21.1" + "@remix-run/router": "1.14.2", + "react-router": "6.21.2" }, "engines": { "node": ">=14.0.0" diff --git a/react-frontend/package.json b/react-frontend/package.json index ef1e88b..e915944 100644 --- a/react-frontend/package.json +++ b/react-frontend/package.json @@ -9,7 +9,7 @@ "axios": "^1.6.5", "react": "^18.2.0", "react-dom": "^18.2.0", - "react-router-dom": "^6.21.1", + "react-router-dom": "^6.21.2", "react-scripts": "5.0.1", "web-vitals": "^2.1.4" }, From dc5e7967c9d4f620e2768670bbe461feb81823e4 Mon Sep 17 00:00:00 2001 From: DamianDhesi <90358611+DamianDhesi@users.noreply.github.com> Date: Fri, 2 Feb 2024 15:16:23 -0800 Subject: [PATCH 3/6] Updated .yml --- .github/workflows/codeql.yml | 6 +----- .gitignore | 2 ++ 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7521c59..a7674e0 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -11,11 +11,7 @@ # name: "CodeQL" -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] +on: [push, pull_request] schedule: - cron: '39 3 * * 4' diff --git a/.gitignore b/.gitignore index 3a89ac9..9f3cd19 100644 --- a/.gitignore +++ b/.gitignore @@ -12,6 +12,8 @@ */build # misc +*/cert +*/.env */.DS_Store */.env.local */.env.development.local From 407de5d2616f95f371cc903a7fd2895cea3268e8 Mon Sep 17 00:00:00 2001 From: DamianDhesi <90358611+DamianDhesi@users.noreply.github.com> Date: Fri, 2 Feb 2024 15:18:29 -0800 Subject: [PATCH 4/6] fixed yml errors --- .github/workflows/codeql.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a7674e0..124573a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,10 +8,11 @@ # We have attempted to detect the languages in your repository. Please check # the `language` matrix defined below to confirm you have the correct set of # supported CodeQL languages. -# name: "CodeQL" -on: [push, pull_request] +on: + push: + pull_request: schedule: - cron: '39 3 * * 4' From 06ef145afb21a946130740091883a3b50cd1f0b3 Mon Sep 17 00:00:00 2001 From: DamianDhesi <90358611+DamianDhesi@users.noreply.github.com> Date: Fri, 2 Feb 2024 16:05:40 -0800 Subject: [PATCH 5/6] Fixed potential DDoS vuln by adding a rate limiter --- expressjs-backend/backend.js | 10 ++++++++++ expressjs-backend/package-lock.json | 15 +++++++++++++++ expressjs-backend/package.json | 1 + 3 files changed, 26 insertions(+) diff --git a/expressjs-backend/backend.js b/expressjs-backend/backend.js index 2d1c500..20b0c51 100644 --- a/expressjs-backend/backend.js +++ b/expressjs-backend/backend.js @@ -5,10 +5,20 @@ import jwt from "jsonwebtoken"; import "dotenv/config"; import https from "https"; import fs from "fs"; +import rateLimit from "express-rate-limit"; const app = express(); const port = 8000; +// set up rate limiter: maximum of five requests per minute +var limiter = rateLimit({ + windowMs: 15 * 60 * 1000, // 15 minutes + max: 100, // max 100 requests per windowMs +}); + +// apply rate limiter to all requests +app.use(limiter); + app.use(express.json()); app.use(cors("https://localhost:3000")); diff --git a/expressjs-backend/package-lock.json b/expressjs-backend/package-lock.json index 3418903..07046d2 100644 --- a/expressjs-backend/package-lock.json +++ b/expressjs-backend/package-lock.json @@ -13,6 +13,7 @@ "cors": "^2.8.5", "dotenv": "^16.3.1", "express": "^4.18.2", + "express-rate-limit": "^7.1.5", "jsonwebtoken": "^9.0.2", "mongoose": "^8.0.4" } @@ -297,6 +298,20 @@ "node": ">= 0.10.0" } }, + "node_modules/express-rate-limit": { + "version": "7.1.5", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.1.5.tgz", + "integrity": "sha512-/iVogxu7ueadrepw1bS0X0kaRC/U0afwiYRSLg68Ts+p4Dc85Q5QKsOnPS/QUjPMHvOJQtBDrZgvkOzf8ejUYw==", + "engines": { + "node": ">= 16" + }, + "funding": { + "url": "https://github.com/sponsors/express-rate-limit" + }, + "peerDependencies": { + "express": "4 || 5 || ^5.0.0-beta.1" + } + }, "node_modules/finalhandler": { "version": "1.2.0", "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.2.0.tgz", diff --git a/expressjs-backend/package.json b/expressjs-backend/package.json index 6aff838..9dea60f 100644 --- a/expressjs-backend/package.json +++ b/expressjs-backend/package.json @@ -14,6 +14,7 @@ "cors": "^2.8.5", "dotenv": "^16.3.1", "express": "^4.18.2", + "express-rate-limit": "^7.1.5", "jsonwebtoken": "^9.0.2", "mongoose": "^8.0.4" } From 5054255ec9f7a9a351aa2adfa2ae322a1e146012 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sat, 3 Feb 2024 15:11:42 +0000 Subject: [PATCH 6/6] fix: upgrade react-router-dom from 6.21.1 to 6.21.2 Snyk has created this PR to upgrade react-router-dom from 6.21.1 to 6.21.2. See this package in npm: https://www.npmjs.com/package/react-router-dom See this project in Snyk: https://app.snyk.io/org/carsonpetersoncar/project/f730b0b5-d281-4e1f-b96d-9dcd1378c36f?utm_source=github&utm_medium=referral&page=upgrade-pr --- react-frontend/package-lock.json | 26 +++++++++++++------------- react-frontend/package.json | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/react-frontend/package-lock.json b/react-frontend/package-lock.json index 16ad706..ff3412d 100644 --- a/react-frontend/package-lock.json +++ b/react-frontend/package-lock.json @@ -14,7 +14,7 @@ "axios": "^1.6.5", "react": "^18.2.0", "react-dom": "^18.2.0", - "react-router-dom": "^6.21.1", + "react-router-dom": "^6.21.2", "react-scripts": "5.0.1", "web-vitals": "^2.1.4" } @@ -3356,9 +3356,9 @@ } }, "node_modules/@remix-run/router": { - "version": "1.14.1", - "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.14.1.tgz", - "integrity": "sha512-Qg4DMQsfPNAs88rb2xkdk03N3bjK4jgX5fR24eHCTR9q6PrhZQZ4UJBPzCHJkIpTRN1UKxx2DzjZmnC+7Lj0Ow==", + "version": "1.14.2", + "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.14.2.tgz", + "integrity": "sha512-ACXpdMM9hmKZww21yEqWwiLws/UPLhNKvimN8RrYSqPSvB3ov7sLvAcfvaxePeLvccTQKGdkDIhLYApZVDFuKg==", "engines": { "node": ">=14.0.0" } @@ -14948,11 +14948,11 @@ } }, "node_modules/react-router": { - "version": "6.21.1", - "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.21.1.tgz", - "integrity": "sha512-W0l13YlMTm1YrpVIOpjCADJqEUpz1vm+CMo47RuFX4Ftegwm6KOYsL5G3eiE52jnJpKvzm6uB/vTKTPKM8dmkA==", + "version": "6.21.2", + "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.21.2.tgz", + "integrity": "sha512-jJcgiwDsnaHIeC+IN7atO0XiSRCrOsQAHHbChtJxmgqG2IaYQXSnhqGb5vk2CU/wBQA12Zt+TkbuJjIn65gzbA==", "dependencies": { - "@remix-run/router": "1.14.1" + "@remix-run/router": "1.14.2" }, "engines": { "node": ">=14.0.0" @@ -14962,12 +14962,12 @@ } }, "node_modules/react-router-dom": { - "version": "6.21.1", - "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.21.1.tgz", - "integrity": "sha512-QCNrtjtDPwHDO+AO21MJd7yIcr41UetYt5jzaB9Y1UYaPTCnVuJq6S748g1dE11OQlCFIQg+RtAA1SEZIyiBeA==", + "version": "6.21.2", + "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.21.2.tgz", + "integrity": "sha512-tE13UukgUOh2/sqYr6jPzZTzmzc70aGRP4pAjG2if0IP3aUT+sBtAKUJh0qMh0zylJHGLmzS+XWVaON4UklHeg==", "dependencies": { - "@remix-run/router": "1.14.1", - "react-router": "6.21.1" + "@remix-run/router": "1.14.2", + "react-router": "6.21.2" }, "engines": { "node": ">=14.0.0" diff --git a/react-frontend/package.json b/react-frontend/package.json index ef1e88b..e915944 100644 --- a/react-frontend/package.json +++ b/react-frontend/package.json @@ -9,7 +9,7 @@ "axios": "^1.6.5", "react": "^18.2.0", "react-dom": "^18.2.0", - "react-router-dom": "^6.21.1", + "react-router-dom": "^6.21.2", "react-scripts": "5.0.1", "web-vitals": "^2.1.4" },