CVE-2019-18413. Patch for potential SQL injections (#137)

* CVE-2019-18413. Patch for potential SQL injections * Fix request 400 on get applications by permission
OS2iot · Jan 28, 2022 · 889736f · 889736f
1 parent 6a0ffb1
commit 889736f
Show file tree

Hide file tree

Showing 18 changed files with 141 additions and 50 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -36,7 +36,7 @@
         "@nestjs/passport": "^7.1.5",
         "@nestjs/platform-express": "^7.6.1",
         "@nestjs/schedule": "^0.4.1",
-        "@nestjs/swagger": "^4.7.6",
+        "@nestjs/swagger": "^4.8.2",
         "@nestjs/typeorm": "^7.1.5",
         "@types/bcryptjs": "^2.4.2",
         "@types/geojson": "^7946.0.7",
@@ -48,8 +48,8 @@
         "axios-cache-adapter": "^2.5.0",
         "bcryptjs": "^2.4.3",
         "bluebird": "^3.7.2",
-        "class-transformer": "^0.3.1",
-        "class-validator": "^0.12.2",
+        "class-transformer": "^0.5.1",
+        "class-validator": "^0.13.2",
         "compression": "^1.7.4",
         "cookie-parser": "^1.4.5",
         "kafkajs": "^1.15.0",
@@ -85,6 +85,7 @@
         "@types/passport-jwt": "^3.0.3",
         "@types/passport-local": "^1.0.33",
         "@types/supertest": "^2.0.10",
+        "@types/validator": "^13.7.1",
         "@typescript-eslint/eslint-plugin": "^4.10.0",
         "@typescript-eslint/parser": "^4.10.0",
         "eslint": "^7.15.0",

diff --git a/src/controllers/user-management/auth.controller.ts b/src/controllers/user-management/auth.controller.ts
@@ -142,8 +142,7 @@ export class AuthController {
     @UseGuards(LocalAuthGuard)
     async login(
         @Request() req: AuthenticatedRequestLocalStrategy,
-        // eslint-disable-next-line @typescript-eslint/no-unused-vars
-        @Body() body: LoginDto
+        @Body() _: LoginDto
     ): Promise<any> {
         const { email, id } = req.user;
         return this.authService.issueJwt(email, id, false);

diff --git a/src/entities/dto/chirpstack/chirpstack-paginated-list.dto.ts b/src/entities/dto/chirpstack/chirpstack-paginated-list.dto.ts
@@ -1,10 +1,14 @@
 import { ApiProperty } from "@nestjs/swagger";
+import { IsOptional } from "class-validator";
 
 export class ChirpstackPaginatedListDto {
     @ApiProperty({ type: Number, required: false })
+    @IsOptional()
     limit? = 100;
     @ApiProperty({ type: Number, required: false })
+    @IsOptional()
     offset? = 0;
     @ApiProperty({ type: Number, required: false })
+    @IsOptional()
     organizationId?: number;
 }
diff --git a/src/entities/dto/create-device-model.dto.ts b/src/entities/dto/create-device-model.dto.ts
@@ -1,11 +1,13 @@
 import { ApiProperty } from "@nestjs/swagger";
-import { IsNumber } from "class-validator";
+import { IsDefined, IsNumber } from "class-validator";
 
 export class CreateDeviceModelDto {
     @ApiProperty({ required: true })
     @IsNumber()
     belongsToId: number;
 
     @ApiProperty({ required: true })
+    // @IsJSON or @IsString does not work. Will be validated during the flow
+    @IsDefined()
     body: JSON;
 }
diff --git a/src/entities/dto/list-all-entities.dto.ts b/src/entities/dto/list-all-entities.dto.ts
@@ -1,13 +1,23 @@
+import { StringToNumber } from "@helpers/string-to-number-validator";
 import { ApiProperty } from "@nestjs/swagger";
+import { IsOptional, IsString } from "class-validator";
 
 export class ListAllEntitiesDto {
     @ApiProperty({ type: Number, required: false })
+    @IsOptional()
+    @StringToNumber()
     limit? = 100;
     @ApiProperty({ type: Number, required: false })
+    @IsOptional()
+    @StringToNumber()
     offset? = 0;
     @ApiProperty({ type: String, required: false })
+    @IsOptional()
+    @IsString()
     sort?: "ASC" | "DESC";
     @ApiProperty({ type: String, required: false })
+    @IsOptional()
+    @IsString()
     orderOn?:
         | "id"
         | "name"
@@ -17,5 +27,5 @@ export class ListAllEntitiesDto {
         | "type"
         | "organisations"
         | "active"
-        | "groupName"
+        | "groupName";
 }
diff --git a/src/entities/dto/list-all-iot-devices-minimal-response.dto.ts b/src/entities/dto/list-all-iot-devices-minimal-response.dto.ts
@@ -1,4 +1,5 @@
 import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
+import { IsSwaggerOptional } from "@helpers/optional-validator";
 
 export class ListAllIoTDevicesMinimalResponseDto {
     @ApiProperty()
@@ -34,9 +35,9 @@ export class IoTDeviceMinimalRaw {
 }
 
 export class PayloadDecoderIoDeviceMinimalQuery {
-    @ApiPropertyOptional()
-    limit?: number = 20;
+    @IsSwaggerOptional()
+    limit? = 20;
 
-    @ApiPropertyOptional()
-    offset?: number = 0;
+    @IsSwaggerOptional()
+    offset? = 0;
 }
diff --git a/src/entities/dto/list-all-paginated.dto.ts b/src/entities/dto/list-all-paginated.dto.ts
@@ -1,8 +1,8 @@
-import { ApiProperty } from "@nestjs/swagger";
+import { IsSwaggerOptional } from "@helpers/optional-validator";
 
 export class ListAllPaginated {
-    @ApiProperty({ type: Number, required: false })
+    @IsSwaggerOptional({ type: Number })
     limit? = 100;
-    @ApiProperty({ type: Number, required: false })
+    @IsSwaggerOptional({ type: Number })
     offset? = 0;
 }
diff --git a/src/entities/dto/login.dto.ts b/src/entities/dto/login.dto.ts
@@ -1,8 +1,11 @@
 import { ApiProperty } from "@nestjs/swagger";
+import { IsString } from "class-validator";
 
 export class LoginDto {
     @ApiProperty({ default: "john@localhost.dk" })
+    @IsString()
     username: string;
     @ApiProperty({ default: "hunter2" })
+    @IsString()
     password: string;
 }
diff --git a/src/entities/dto/receive-data.dto.ts b/src/entities/dto/receive-data.dto.ts
@@ -1,6 +1,15 @@
+import { Exclude } from "class-transformer";
+import { IsOptional } from "class-validator";
+
 /**
  * This only exists to nudge Swagger to make an JSON body for us to post.
  *
- * Intentionally left blank.
+ * Validation won't work for empty objects and we can't disable it, seemingly.
+ *
+ * @see https://github.com/typestack/class-validator/issues/1503
  */
-export class ReceiveDataDto {}
+export class ReceiveDataDto {
+    @Exclude()
+    @IsOptional()
+    ignoreMe: unknown;
+}
diff --git a/src/entities/dto/sigfox/internal/create-sigfox-group-request.dto.ts b/src/entities/dto/sigfox/internal/create-sigfox-group-request.dto.ts
@@ -1,12 +1,16 @@
 import { ApiProperty } from "@nestjs/swagger";
+import { IsNumber, IsString } from "class-validator";
 
 export class CreateSigFoxGroupRequestDto {
     @ApiProperty({ required: true })
+    @IsNumber()
     organizationId: number;
 
     @ApiProperty({ required: true })
+    @IsString()
     username: string;
 
     @ApiProperty({ required: true })
+    @IsString()
     password: string;
 }
diff --git a/src/entities/dto/sigfox/internal/sigfox-get-all-request.dto.ts b/src/entities/dto/sigfox/internal/sigfox-get-all-request.dto.ts
@@ -1,3 +1,6 @@
+import { StringToNumber } from "@helpers/string-to-number-validator";
+
 export class SigFoxGetAllRequestDto {
+    @StringToNumber()
     organizationId: number;
 }
diff --git a/src/entities/dto/sigfox/sigfox-callback.dto.ts b/src/entities/dto/sigfox/sigfox-callback.dto.ts
@@ -1,23 +1,37 @@
+import { IsNumber, IsOptional, IsString } from "class-validator";
+
 /**
  * Callback as expected from SigFox
  * Docs: https://support.sigfox.com/docs/uplink
  */
 export class SigFoxCallbackDto {
+    @IsNumber()
     time: number;
+    @IsString()
     deviceTypeId: string;
+    @IsString()
     deviceId: string;
+    @IsString()
     data: string;
+    @IsNumber()
     seqNumber: number;
     // If true, then the device expects a downlink
     ack: boolean;
 
     // Only included in BIDIR
+    @IsOptional()
     longPolling?: boolean;
 
     // these are not available for all contracts "Condition: for devices with contract option NETWORK METADATA"
     // https://support.sigfox.com/docs/bidir
     // We cannot assume they'll exists
+    @IsOptional()
+    @IsNumber()
     snr?: number;
+    @IsOptional()
+    @IsNumber()
     rssi?: number;
+    @IsOptional()
+    @IsString()
     station?: string;
 }
diff --git a/src/entities/dto/test-payload-decoder.dto.ts b/src/entities/dto/test-payload-decoder.dto.ts
@@ -1,5 +1,10 @@
+import { IsString } from "class-validator";
+
 export class TestPayloadDecoderDto {
+    @IsString()
     code: string;
+    @IsString()
     iotDeviceJsonString: string;
+    @IsString()
     rawPayloadJsonString: string;
 }
diff --git a/src/entities/dto/user-management/create-organization.dto.ts b/src/entities/dto/user-management/create-organization.dto.ts
@@ -1,3 +1,6 @@
+import { IsString } from "class-validator";
+
 export class CreateOrganizationDto {
+    @IsString()
     name: string;
 }
diff --git a/src/helpers/optional-validator.ts b/src/helpers/optional-validator.ts
@@ -0,0 +1,14 @@
+import { ApiPropertyOptional, ApiPropertyOptions } from "@nestjs/swagger";
+import { IsOptional } from "class-validator";
+
+/**
+ * Sets a property as optional on the swagger and controller level
+ */
+export const IsSwaggerOptional = (swaggerOptions?: ApiPropertyOptions): PropertyDecorator => {
+    return (propertyValue: unknown, propertyName: string): void => {
+        // Set as optional in the swagger document
+        ApiPropertyOptional(swaggerOptions)(propertyValue, propertyName);
+        // If no value is passed, then ignore all validators
+        IsOptional()(propertyValue, propertyName);
+    };
+};