fix: introduce security related linter and fix warnings (#106)

magicmatatjahu · web-flow · commit 9c5f891f804e · 2020-07-09T17:03:06.000+02:00
diff --git a/.eslintrc b/.eslintrc
@@ -6,10 +6,12 @@ env:
 plugins:
   - sonarjs
   - mocha
+  - security
 
 extends:
   - plugin:sonarjs/recommended
   - plugin:mocha/recommended
+  - plugin:security/recommended
 
 parserOptions:
   ecmaVersion: 2018
@@ -102,4 +104,6 @@ overrides:
   - files: "test/**"
     rules:
       prefer-arrow-callback: 0
-      sonarjs/no-duplicate-string: 0
+      sonarjs/no-duplicate-string: 0
+      security/detect-object-injection: 0
+      security/detect-non-literal-fs-filename: 0
diff --git a/lib/customValidators.js b/lib/customValidators.js
@@ -116,7 +116,7 @@ function validateOperationId(parsedJSON, asyncapiYAMLorJSON, initialFormat, oper
 
   chnlsMap.forEach((chnlObj,chnlName) => {
     operations.forEach(opName => {
-      const op = chnlObj[opName];
+      const op = chnlObj[String(opName)];
       if (op) addDuplicateToMap(op, chnlName, opName);
     });
   });
diff --git a/lib/models/asyncapi.js b/lib/models/asyncapi.js
@@ -1,10 +1,11 @@
-const { createMapOfType, getMapKeyOfType, addExtensions } = require('../utils');
+const { createMapOfType, getMapValueOfType, addExtensions } = require('../utils');
 const Base = require('./base');
 const Info = require('./info');
 const Server = require('./server');
 const Channel = require('./channel');
 const Components = require('./components');
 const Tag = require('./tag');
+
 const xParserMessageName = 'x-parser-message-name';
 const xParserSchemaId = 'x-parser-schema-id';
 
@@ -66,7 +67,7 @@ class AsyncAPIDocument extends Base {
    * @returns {Server}
    */
   server(name) {
-    return getMapKeyOfType(this._json.servers, name, Server);
+    return getMapValueOfType(this._json.servers, name, Server);
   }
 
   /**
@@ -96,7 +97,7 @@ class AsyncAPIDocument extends Base {
    * @returns {Channel}
    */
   channel(name) {
-    return getMapKeyOfType(this._json.channels, name, Channel, this);
+    return getMapValueOfType(this._json.channels, name, Channel, this);
   }
 
   /**
@@ -199,7 +200,7 @@ function assignNameToComponentMessages(doc) {
   if (doc.hasComponents()) {
     for (const [key, m] of Object.entries(doc.components().messages())) {
       if (m.name() === undefined) {
-        m.json()[xParserMessageName] = key;
+        m.json()[String(xParserMessageName)] = key;
       }
     }
   }
@@ -214,7 +215,7 @@ function assignUidToParameterSchemas(doc) {
   doc.channelNames().forEach(channelName => {
     const channel = doc.channel(channelName);
     for (const [parameterKey, parameterSchema] of Object.entries(channel.parameters())) {
-      parameterSchema.json()[xParserSchemaId] = parameterKey;
+      parameterSchema.json()[String(xParserSchemaId)] = parameterKey;
     }
   });
 }
@@ -227,7 +228,7 @@ function assignUidToParameterSchemas(doc) {
 function assignUidToComponentSchemas(doc) {
   if (doc.hasComponents()) {
     for (const [key, s] of Object.entries(doc.components().schemas())) {
-      s.json()[xParserSchemaId] = key;
+      s.json()[String(xParserSchemaId)] = key;
     }
   }
 }
@@ -257,7 +258,7 @@ function assignNameToAnonymousMessages(doc) {
 function addNameToKey(messages, number) {
   messages.forEach(m => {
     if (m.name() === undefined) {
-      m.json()[xParserMessageName] = `<anonymous-message-${number}>`;
+      m.json()[String(xParserMessageName)] = `<anonymous-message-${number}>`;
     }
   });
 }
@@ -362,7 +363,7 @@ function assignIdToAnonymousSchemas(doc) {
   let anonymousSchemaCounter = 0;
   const callback = (schema) => {
     if (!schema.uid()) {
-      schema.json()[xParserSchemaId] = `<anonymous-schema-${++anonymousSchemaCounter}>`;
+      schema.json()[String(xParserSchemaId)] = `<anonymous-schema-${++anonymousSchemaCounter}>`;
     }
   };
   schemaDocument(doc, callback);
diff --git a/lib/models/base.js b/lib/models/base.js
@@ -17,7 +17,7 @@ class Base {
   json(key) {
     if (key === undefined) return this._json;
     if (!this._json) return;
-    return this._json[key];
+    return this._json[String(key)];
   }
 }
 
diff --git a/lib/models/channel.js b/lib/models/channel.js
@@ -1,4 +1,4 @@
-const { createMapOfType, getMapKeyOfType, addExtensions } = require('../utils');
+const { createMapOfType, getMapValueOfType, getMapValueByKey, addExtensions } = require('../utils');
 const Base = require('./base');
 const ChannelParameter = require('./channel-parameter');
 const PublishOperation = require('./publish-operation');
@@ -30,7 +30,7 @@ class Channel extends Base {
    * @returns {ChannelParameter}
    */
   parameter(name) {
-    return getMapKeyOfType(this._json.parameters, name, ChannelParameter);
+    return getMapValueOfType(this._json.parameters, name, ChannelParameter);
   }
 
   /**
@@ -82,7 +82,7 @@ class Channel extends Base {
    * @returns {Object}
    */
   binding(name) {
-    return this._json.bindings ? this._json.bindings[name] : null;
+    return getMapValueByKey(this._json.bindings, name);
   }
 }
 
diff --git a/lib/models/components.js b/lib/models/components.js
@@ -1,4 +1,4 @@
-const { getMapKeyOfType, createMapOfType, addExtensions } = require('../utils');
+const { createMapOfType, getMapValueOfType, addExtensions } = require('../utils');
 const Base = require('./base');
 const Message = require('./message');
 const Schema = require('./schema');
@@ -26,7 +26,7 @@ class Components extends Base {
    * @returns {Message}
    */
   message(name) {
-    return getMapKeyOfType(this._json.messages, name, Message);
+    return getMapValueOfType(this._json.messages, name, Message);
   }
   
   /**
@@ -40,7 +40,7 @@ class Components extends Base {
    * @returns {Schema}
    */
   schema(name) {
-    return getMapKeyOfType(this._json.schemas, name, Schema);
+    return getMapValueOfType(this._json.schemas, name, Schema);
   }
   
   /**
@@ -54,7 +54,7 @@ class Components extends Base {
    * @returns {SecurityScheme}
    */
   securityScheme(name) {
-    return getMapKeyOfType(this._json.securitySchemes, name, SecurityScheme);
+    return getMapValueOfType(this._json.securitySchemes, name, SecurityScheme);
   }
   
   /**
@@ -68,7 +68,7 @@ class Components extends Base {
    * @returns {ChannelParameter}
    */
   parameter(name) {
-    return getMapKeyOfType(this._json.parameters, name, ChannelParameter);
+    return getMapValueOfType(this._json.parameters, name, ChannelParameter);
   }
   
   /**
@@ -82,7 +82,7 @@ class Components extends Base {
    * @returns {CorrelationId}
    */
   correlationId(name) {
-    return getMapKeyOfType(this._json.correlationIds, name, CorrelationId);
+    return getMapValueOfType(this._json.correlationIds, name, CorrelationId);
   }
   
   /**
@@ -96,7 +96,7 @@ class Components extends Base {
    * @returns {OperationTrait}
    */
   operationTrait(name) {
-    return getMapKeyOfType(this._json.operationTraits, name, OperationTrait);
+    return getMapValueOfType(this._json.operationTraits, name, OperationTrait);
   }
   
   /**
@@ -110,7 +110,7 @@ class Components extends Base {
    * @returns {MessageTrait}
    */
   messageTrait(name) {
-    return getMapKeyOfType(this._json.messageTraits, name, MessageTrait);
+    return getMapValueOfType(this._json.messageTraits, name, MessageTrait);
   }
 }
 
diff --git a/lib/models/message-traitable.js b/lib/models/message-traitable.js
@@ -1,4 +1,4 @@
-const { getMapKeyOfType, addExtensions } = require('../utils');
+const { getMapValueOfType, getMapValueByKey, addExtensions } = require('../utils');
 const Base = require('./base');
 const Tag = require('./tag');
 const ExternalDocs = require('./external-docs');
@@ -26,7 +26,7 @@ class MessageTraitable extends Base {
    */
   header(name) {
     if (!this._json.headers) return null;
-    return getMapKeyOfType(this._json.headers.properties, name, Schema);
+    return getMapValueOfType(this._json.headers.properties, name, Schema);
   }
 
   /**
@@ -114,7 +114,7 @@ class MessageTraitable extends Base {
    * @returns {Object}
    */
   binding(name) {
-    return this._json.bindings ? this._json.bindings[name] : null;
+    return getMapValueByKey(this._json.bindings, name);
   }
 
   /**
diff --git a/lib/models/operation-traitable.js b/lib/models/operation-traitable.js
@@ -1,4 +1,4 @@
-const { addExtensions } = require('../utils');
+const { getMapValueByKey, addExtensions } = require('../utils');
 const Base = require('./base');
 const Tag = require('./tag');
 const ExternalDocs = require('./external-docs');
@@ -66,7 +66,7 @@ class OperationTraitable extends Base {
    * @returns {Object}
    */
   binding(name) {
-    return this._json.bindings ? this._json.bindings[name] : null;
+    return getMapValueByKey(this._json.bindings, name);
   }
 }
 
diff --git a/lib/models/operation.js b/lib/models/operation.js
@@ -30,10 +30,10 @@ class Operation extends OperationTraitable {
    * @returns {Message}
    */
   message(index) {
-    if (!this._json.message) return null;
+    if (typeof index !== 'number' || !this._json.message) return null;
     if (!this._json.message.oneOf) return new Message(this._json.message);
     if (index > this._json.message.oneOf.length - 1) return null;
-    return new Message(this._json.message.oneOf[index]);
+    return new Message(this._json.message.oneOf[+index]);
   }
 }
 
diff --git a/lib/models/schema.js b/lib/models/schema.js
@@ -232,12 +232,8 @@ class Schema extends Base {
   dependencies() {
     if (!this._json.dependencies) return null;
     const result = {};
-    Object.keys(this._json.dependencies).forEach(k => {
-      if (!Array.isArray(this._json.dependencies[k])) {
-        result[k] = new Schema(this._json.dependencies[k]);
-      } else {
-        result[k] = this._json.dependencies[k];
-      }
+    Object.entries(this._json.dependencies).forEach(([key, value]) => {
+      result[String(key)] = !Array.isArray(value) ? new Schema(value) : value;
     });
     return result;
   }
diff --git a/lib/models/server.js b/lib/models/server.js
@@ -1,4 +1,4 @@
-const { createMapOfType, getMapKeyOfType, addExtensions } = require('../utils');
+const { createMapOfType, getMapValueOfType, getMapValueByKey, addExtensions } = require('../utils');
 const Base = require('./base');
 const ServerVariable = require('./server-variable');
 const ServerSecurityRequirement = require('./server-security-requirement');
@@ -50,7 +50,7 @@ class Server extends Base {
    * @returns {ServerVariable}
    */
   variable(name) {
-    return getMapKeyOfType(this._json.variables, name, ServerVariable);
+    return getMapValueOfType(this._json.variables, name, ServerVariable);
   }
 
   /**
@@ -80,7 +80,7 @@ class Server extends Base {
    * @returns {Object}
    */
   binding(name) {
-    return this._json.bindings ? this._json.bindings[name] : null;
+    return getMapValueByKey(this._json.bindings, name);
   }
 }
 
diff --git a/lib/parser.js b/lib/parser.js
@@ -155,30 +155,30 @@ async function customDocumentOperations(js, asyncapiYAMLorJSON, initialFormat, o
   validateChannelParams(js, asyncapiYAMLorJSON, initialFormat);
   validateOperationId(js, asyncapiYAMLorJSON, initialFormat, OPERATIONS);
 
-  for (const channelName in js.channels) {
-    const channel = js.channels[channelName];
-    const convert = OPERATIONS.map(async (opName) => {
-      const op = channel[opName];
+  const promisesArray = [];
+  Object.entries(js.channels).forEach(([channelName, channel]) => {
+    promisesArray.push(...OPERATIONS.map(async (opName) => {
+      const op = channel[String(opName)];
       if (op) {
         const messages = op.message ? (op.message.oneOf || [op.message]) : [];
-        const pathToPayload = `/channels/${ channelName }/${ opName }/message/payload`; 
         if (options.applyTraits) {  
           applyTraits(op);
           messages.forEach(m => applyTraits(m));
         }
+        const pathToPayload = `/channels/${channelName}/${opName}/message/payload`; 
         for (const m of messages) {
           await validateAndConvertMessage(m, asyncapiYAMLorJSON, initialFormat, js, pathToPayload);
         }
       }
-    });
-    await Promise.all(convert);
-  }
+    }));
+  });
+  await Promise.all(promisesArray);
 }
 
 async function validateAndConvertMessage(msg, originalAsyncAPIDocument, fileFormat, parsedAsyncAPIDocument, pathToPayload) {
   const schemaFormat = msg.schemaFormat || DEFAULT_SCHEMA_FORMAT;
 
-  await PARSERS[schemaFormat]({
+  await PARSERS[String(schemaFormat)]({
     schemaFormat,
     message: msg,
     defaultSchemaFormat: DEFAULT_SCHEMA_FORMAT,
@@ -208,15 +208,15 @@ function registerSchemaParser(parserModule) {
     });
 
   parserModule.getMimeTypes().forEach((schemaFormat) => {
-    PARSERS[schemaFormat] = parserModule.parse;
+    PARSERS[String(schemaFormat)] = parserModule.parse;
   });
 }
 
 function applyTraits(js) {
   if (Array.isArray(js.traits)) {
     for (const trait of js.traits) {
       for (const key in trait) {
-        js[key] = mergePatch(js[key], trait[key]);
+        js[String(key)] = mergePatch(js[String(key)], trait[String(key)]);
       }
     }
 
diff --git a/lib/utils.js b/lib/utils.js
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
diff --git a/test/models/asyncapi_test.js b/test/models/asyncapi_test.js
diff --git a/test/parse_test.js b/test/parse_test.js

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,11 @@`
`1`		`-const { createMapOfType, getMapKeyOfType, addExtensions } = require('../utils');`
	`1`	`+const { createMapOfType, getMapValueOfType, addExtensions } = require('../utils');`
`2`	`2`	`const Base = require('./base');`
`3`	`3`	`const Info = require('./info');`
`4`	`4`	`const Server = require('./server');`
`5`	`5`	`const Channel = require('./channel');`
`6`	`6`	`const Components = require('./components');`
`7`	`7`	`const Tag = require('./tag');`
	`8`	`+`
`8`	`9`	`const xParserMessageName = 'x-parser-message-name';`
`9`	`10`	`const xParserSchemaId = 'x-parser-schema-id';`
`10`	`11`
`@@ -66,7 +67,7 @@ class AsyncAPIDocument extends Base {`
`66`	`67`	`* @returns {Server}`
`67`	`68`	`*/`
`68`	`69`	`server(name) {`
`69`		`- return getMapKeyOfType(this._json.servers, name, Server);`
	`70`	`+ return getMapValueOfType(this._json.servers, name, Server);`
`70`	`71`	`}`
`71`	`72`
`72`	`73`	`/**`
`@@ -96,7 +97,7 @@ class AsyncAPIDocument extends Base {`
`96`	`97`	`* @returns {Channel}`
`97`	`98`	`*/`
`98`	`99`	`channel(name) {`
`99`		`- return getMapKeyOfType(this._json.channels, name, Channel, this);`
	`100`	`+ return getMapValueOfType(this._json.channels, name, Channel, this);`
`100`	`101`	`}`
`101`	`102`
`102`	`103`	`/**`
`@@ -199,7 +200,7 @@ function assignNameToComponentMessages(doc) {`
`199`	`200`	`if (doc.hasComponents()) {`
`200`	`201`	`for (const [key, m] of Object.entries(doc.components().messages())) {`
`201`	`202`	`if (m.name() === undefined) {`
`202`		`- m.json()[xParserMessageName] = key;`
	`203`	`+ m.json()[String(xParserMessageName)] = key;`
`203`	`204`	`}`
`204`	`205`	`}`
`205`	`206`	`}`
`@@ -214,7 +215,7 @@ function assignUidToParameterSchemas(doc) {`
`214`	`215`	`doc.channelNames().forEach(channelName => {`
`215`	`216`	`const channel = doc.channel(channelName);`
`216`	`217`	`for (const [parameterKey, parameterSchema] of Object.entries(channel.parameters())) {`
`217`		`- parameterSchema.json()[xParserSchemaId] = parameterKey;`
	`218`	`+ parameterSchema.json()[String(xParserSchemaId)] = parameterKey;`
`218`	`219`	`}`
`219`	`220`	`});`
`220`	`221`	`}`
`@@ -227,7 +228,7 @@ function assignUidToParameterSchemas(doc) {`
`227`	`228`	`function assignUidToComponentSchemas(doc) {`
`228`	`229`	`if (doc.hasComponents()) {`
`229`	`230`	`for (const [key, s] of Object.entries(doc.components().schemas())) {`
`230`		`- s.json()[xParserSchemaId] = key;`
	`231`	`+ s.json()[String(xParserSchemaId)] = key;`
`231`	`232`	`}`
`232`	`233`	`}`
`233`	`234`	`}`
`@@ -257,7 +258,7 @@ function assignNameToAnonymousMessages(doc) {`
`257`	`258`	`function addNameToKey(messages, number) {`
`258`	`259`	`messages.forEach(m => {`
`259`	`260`	`if (m.name() === undefined) {`
`260`		- m.json()[xParserMessageName] = `<anonymous-message-${number}>`;
	`261`	+ m.json()[String(xParserMessageName)] = `<anonymous-message-${number}>`;
`261`	`262`	`}`
`262`	`263`	`});`
`263`	`264`	`}`
`@@ -362,7 +363,7 @@ function assignIdToAnonymousSchemas(doc) {`
`362`	`363`	`let anonymousSchemaCounter = 0;`
`363`	`364`	`const callback = (schema) => {`
`364`	`365`	`if (!schema.uid()) {`
`365`		- schema.json()[xParserSchemaId] = `<anonymous-schema-${++anonymousSchemaCounter}>`;
	`366`	+ schema.json()[String(xParserSchemaId)] = `<anonymous-schema-${++anonymousSchemaCounter}>`;
`366`	`367`	`}`
`367`	`368`	`};`
`368`	`369`	`schemaDocument(doc, callback);`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ class Base {`
`17`	`17`	`json(key) {`
`18`	`18`	`if (key === undefined) return this._json;`
`19`	`19`	`if (!this._json) return;`
`20`		`- return this._json[key];`
	`20`	`+ return this._json[String(key)];`
`21`	`21`	`}`
`22`	`22`	`}`
`23`	`23`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-const { addExtensions } = require('../utils');`
	`1`	`+const { getMapValueByKey, addExtensions } = require('../utils');`
`2`	`2`	`const Base = require('./base');`
`3`	`3`	`const Tag = require('./tag');`
`4`	`4`	`const ExternalDocs = require('./external-docs');`
`@@ -66,7 +66,7 @@ class OperationTraitable extends Base {`
`66`	`66`	`* @returns {Object}`
`67`	`67`	`*/`
`68`	`68`	`binding(name) {`
`69`		`- return this._json.bindings ? this._json.bindings[name] : null;`
	`69`	`+ return getMapValueByKey(this._json.bindings, name);`
`70`	`70`	`}`
`71`	`71`	`}`
`72`	`72`
Original file line number	Diff line number	Diff line change
`@@ -30,10 +30,10 @@ class Operation extends OperationTraitable {`
`30`	`30`	`* @returns {Message}`
`31`	`31`	`*/`
`32`	`32`	`message(index) {`
`33`		`- if (!this._json.message) return null;`
	`33`	`+ if (typeof index !== 'number' \|\| !this._json.message) return null;`
`34`	`34`	`if (!this._json.message.oneOf) return new Message(this._json.message);`
`35`	`35`	`if (index > this._json.message.oneOf.length - 1) return null;`
`36`		`- return new Message(this._json.message.oneOf[index]);`
	`36`	`+ return new Message(this._json.message.oneOf[+index]);`
`37`	`37`	`}`
`38`	`38`	`}`
`39`	`39`