
Commit 5cb1e09

Release v1.53.0 (#1212)
VAPT fixes: * PLU-549: For each restrict number of rows ([#1187](#1187)) * PLU-553: SSRF dns rebinding ([#1197](#1197)) * PLU-554: Limit screen names ([#1192](#1192)) * PLU-560: add file validation to excel file id ([#1189](#1189)) * PLU-558: Potential overflow of OTP login attempts ([#1206](#1206)) * PLU-550: Postman attachment size limit check ([#1199](#1199)) * PLU-556: GZip compression bombs ([#1198](#1198)) * PLU-559: HTML injection via pipe name to blacklist emails ([#1204](#1204)) UI fixes: * PLU-500: Pipe name is squished in smaller browsers / mobile view ([#1203](#1203))
2 parents a73ee4d + ecd01d2 commit 5cb1e09


90 files changed

+2132
-865
lines changed



package-lock.json

Lines changed: 11 additions & 153 deletions

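--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -32,7 +32,7 @@
 "@as-integrations/express4": "1.1.2",
 "@aws-sdk/client-dynamodb": "3.460.0",
 "@aws-sdk/client-s3": "3.369.0",
-"@aws-sdk/s3-request-presigner": "3.369.0",
+"@aws-sdk/s3-presigned-post": "3.369.0",
 "@bull-board/express": "5.17.0",
 "@graphql-tools/schema": "10.0.25",
 "@graphql-tools/utils": "10.9.1",
@@ -111,5 +111,5 @@
 "tsconfig-paths": "^4.2.0",
 "type-fest": "4.10.3"
 },
-"version": "1.52.0"
+"version": "1.53.0"
 }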

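--- a/packages/backend/src/apps/custom-api/__tests__/actions/http-request-interceptors.test.ts
+++ b/packages/backend/src/apps/custom-api/__tests__/actions/http-request-interceptors.test.ts
@@ -8,8 +8,8 @@ import app from '../..'
 import makeRequestAction from '../../actions/http-request'
 import {
 DISALLOWED_IP_RESOLVED_ERROR,
-RECURSIVE_WEBHOOK_ERROR_NAME,
-} from '../../common/check-urls'
+RECURSIVE_WEBHOOK_ERROR,
+} from '../../common/constants'
 
 const CF_REDIRECTION_WORKER_FOR_UNIT_TESTS =
 'https://http-request-unit-tester.plumber-wrench.workers.dev'
@@ -68,7 +68,7 @@ describe('http request interceptors', () => {
 $.step.parameters.method = 'GET'
 $.step.parameters.url = url
 await expect(makeRequestAction.run($)).rejects.toThrowError(
-RECURSIVE_WEBHOOK_ERROR_NAME,
+RECURSIVE_WEBHOOK_ERROR,
 )
 })
 
@@ -118,7 +118,7 @@ describe('http request interceptors', () => {
 redirectTo: url,
 })
 await expect(makeRequestAction.run($)).rejects.toThrowError(
-RECURSIVE_WEBHOOK_ERROR_NAME,
+RECURSIVE_WEBHOOK_ERROR,
 )
 })
 
@@ -128,7 +128,7 @@ describe('http request interceptors', () => {
 'http://localhost:3001',
 'http://127.0.0.1:8080',
 'http://192.168.0.1',
-])('should prevent internal IPs', async (url: string) => {
+])('should prevent internal IPs during redirects', async (url: string) => {
 $.step.parameters.method = 'POST'
 $.step.parameters.data = JSON.stringify({
 statusCode: 307,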
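Review bot: The visible entries of the renamed 'should prevent internal IPs during redirects' table (new lines 128–131) are literal private addresses plus `localhost`, so they exercise the address-literal check rather than the resolver path that the DNS-rebinding fix named in the description (PLU-553) targets; the `.each` array begins above the hunk, so further entries may exist. A case whose redirect target is a public-looking hostname that the test's resolver maps to a private address would pin the lookup-based rejection, asserting `rejects.toThrowError(DISALLOWED_IP_RESOLVED_ERROR)`, which this file already imports. The test body continues past the end of the hunk.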

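--- a/packages/backend/src/apps/custom-api/__tests__/actions/http-request.test.ts
+++ b/packages/backend/src/apps/custom-api/__tests__/actions/http-request.test.ts
@@ -9,21 +9,30 @@ import StepError from '@/errors/step'
 import app from '../..'
 import makeRequestAction from '../../actions/http-request'
 import {
+CUSTOM_API_TIMEOUT,
 DISALLOWED_IP_RESOLVED_ERROR,
-RECURSIVE_WEBHOOK_ERROR_NAME,
-} from '../../common/check-urls'
-import { CUSTOM_API_TIMEOUT } from '../../common/constants'
+RECURSIVE_WEBHOOK_ERROR,
+} from '../../common/constants'
 
 const mocks = vi.hoisted(() => ({
 httpRequest: vi.fn(),
 isUrlAllowed: vi.fn(() => true),
 stepQueryResult: vi.fn(() => ({
 config: {},
 })),
+addInterceptors: vi.fn(),
 }))
 
-vi.mock('../../common/ip-resolver', () => ({
-isUrlAllowed: mocks.isUrlAllowed,
+vi.mock('../../common/ip-resolver', () => {
+const originalModule = vi.importActual('../../common/ip-resolver')
+return {
+...originalModule,
+safeAxiosLookup: mocks.isUrlAllowed,
+}
+})
+
+vi.mock('../../common/add-interceptors', () => ({
+default: mocks.addInterceptors,
 }))
 
 vi.mock('@/models/step', () => ({
@@ -68,13 +77,13 @@ describe('make http request', () => {
 $.step.parameters.data = 'meep meep'
 $.step.parameters.url = 'http://test.local/endpoint?1234'
 mocks.httpRequest.mockReturnValue('mock response')
-
 await makeRequestAction.run($).catch((): void => null)
 expect(mocks.httpRequest).toHaveBeenCalledWith(
 expect.objectContaining({
 url: $.step.parameters.url,
 method: $.step.parameters.method,
 data: $.step.parameters.data,
+responseType: 'stream',
 }),
 )
 })
@@ -95,6 +104,7 @@ describe('make http request', () => {
 url: $.step.parameters.url,
 method: $.step.parameters.method,
 data: $.step.parameters.data,
+responseType: 'stream',
 headers: {
 Key1: 'Value1',
 Key2: 'Value2',
@@ -171,13 +181,15 @@ describe('make http request', () => {
 url: 'http://test.local/endpoint?1234',
 method: 'POST',
 data: 'meep meep',
+responseType: 'stream',
 }),
 )
 expect(mocks.httpRequest).toHaveBeenCalledWith(
 expect.objectContaining({
 url: 'https://redirect.com',
 method: 'GET',
 data: 'meep meep',
+responseType: 'stream',
 }),
 )
 })
@@ -200,13 +212,15 @@ describe('make http request', () => {
 url: 'http://test.local/endpoint?1234',
 method: 'POST',
 data: 'meep meep',
+responseType: 'stream',
 }),
 )
 expect(mocks.httpRequest).toHaveBeenCalledWith(
 expect.objectContaining({
 url: 'https://redirect.com',
 method: 'POST',
 data: 'meep meep',
+responseType: 'stream',
 }),
 )
 })
@@ -227,7 +241,7 @@ describe('make http request', () => {
 $.step.parameters.method = 'GET'
 $.step.parameters.data = 'go crazy'
 $.step.parameters.url = 'http://beta.plumber.gov.sg'
-const recursiveWebhookError = new Error(RECURSIVE_WEBHOOK_ERROR_NAME)
+const recursiveWebhookError = new Error(RECURSIVE_WEBHOOK_ERROR)
 mocks.httpRequest.mockRejectedValueOnce(recursiveWebhookError)
 await expect(makeRequestAction.run($)).rejects.toThrowError(StepError)
 })
@@ -251,6 +265,7 @@ describe('make http request', () => {
 expect(mocks.httpRequest).toHaveBeenCalledWith(
 expect.objectContaining({
 timeout: CUSTOM_API_TIMEOUT,
+responseType: 'stream',
 }),
 )
 })
@@ -274,6 +289,7 @@ describe('make http request', () => {
 expect(mocks.httpRequest).toHaveBeenCalledWith(
 expect.objectContaining({
 timeout: 360000,
+responseType: 'stream',
 }),
 )
 })
@@ -298,6 +314,7 @@ describe('make http request', () => {
 expect(mocks.httpRequest).toHaveBeenCalledWith(
 expect.objectContaining({
 timeout: CUSTOM_API_TIMEOUT,
+responseType: 'stream',
 }),
 )
 },
@@ -350,6 +367,7 @@ describe('make http request', () => {
 url: $.step.parameters.url,
 method: $.step.parameters.method,
 data: $.step.parameters.data as any,
+responseType: 'stream',
 }),
 )
 },
@@ -378,6 +396,7 @@ describe('make http request', () => {
 url: $.step.parameters.url,
 method: $.step.parameters.method,
 data: $.step.parameters.data as any,
+responseType: 'stream',
 }),
 )
 },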
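Review bot: In the new ip-resolver mock factory (new lines 26–32) `originalModule` is the Promise returned by `vi.importActual`, not the module, so `...originalModule` spreads nothing and the mock exposes only `safeAxiosLookup`; any other export the action still reads from ip-resolver would be undefined under this mock, though I cannot see from here whether it reads any. The factory should be async and await the import: `vi.mock('../../common/ip-resolver', async () => {` with `const originalModule = await vi.importActual<typeof import('../../common/ip-resolver')>('../../common/ip-resolver')`. The stub is still keyed as `mocks.isUrlAllowed` while it now stands in for `safeAxiosLookup`, and a lookup stub that returns `true` reads oddly; renaming the key to match the function it replaces would keep the test honest. The added `responseType: 'stream'` assertions pin the call shape, but none of the visible hunks asserts the decompressed-size bound that the description attributes to PLU-556; a test that feeds an oversized response stream and expects rejection would pin that fix.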
