
exasol-rest-api's Issues

Move query parameter to the body

Problem

Right now we use parameters to send SQL queries. We want to send them in a more secure way. There are the following possibilities:

  • Keep GET method and move query to the body (not canonical, we can have problems with it)
  • Keep GET and allow both parameters and body, as users prefer.
  • Switch to POST and use body (violates REST principles for a query action)

Provide a docker image

Problem

We need an easy way to start the API server. We want to provide a Dockerfile for our users.

Use getters in structs

Problem

We don't have getters for variables in structs and it should be possible to add them.

Improve database errors

The database errors are confusing when passed directly to the user of the REST API.

Example:

Authentification failed.

Which authentication failed? Against the REST API or against the database? What can I do against it?

Ideas:

  • Wrap the database exception in another exception message
  • Detect specific error codes and replace the message (a bit dangerous but could be backed by tests)

REST-API: Add tests with Exasol DB V8

Integration tests try to connect with encryption disabled. Exasol 8 does not allow unencrypted connections and tests fail with the following error message:

{"status":"error","exception":"E-ERA-2: error while opening a connection with Exasol: E-ERA-15: error while sending a login command via websockets connection: [08004] Connection exception - Only TLS connections are allowed."}

Switch to exasol 7.1.1 in tests

Problem

We use 7.0.10 in tests and the test is broken when we switch to 7.1.1. We need to investigate the reason and fix the tests.

Root cause seems to be that the driver does not support TLS: exasol/exasol-driver-go#34

Blocked until the driver supports TLS.

Provide a way/setting to turn off API Key authentication middleware

While I'm not 100% sure yet, it seems that a Power Apps Connector using a Power Apps Service Gateway possibly doesn't support authentication by API key.

Provide a way to turn off the API Key authentication middleware.
By default the API Key authentication middleware should always be on!
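An added sketch of how such a setting can be wired so that the default stays "on" (this is not the project's own middleware, which lives in a different framework; the config field names, the X-API-Key header and the /api/v1/query path are assumptions):

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

// Config holds the two settings involved. Field names are assumed, not the project's.
// The zero value keeps the check enabled, so an omitted setting never turns auth off.
type Config struct {
	APITokens                   []string // accepted keys; empty means nobody gets in
	DisableAPIKeyAuthentication bool     // must be set to true explicitly to bypass the check
}

// APIKeyMiddleware lets a request through only if it carries a configured key in the
// X-API-Key header (header name assumed), unless the bypass is explicitly enabled.
func APIKeyMiddleware(cfg Config, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cfg.DisableAPIKeyAuthentication {
			next.ServeHTTP(w, r)
			return
		}
		presented := []byte(r.Header.Get("X-API-Key"))
		for _, token := range cfg.APITokens {
			// constant-time comparison so response timing does not leak key prefixes
			if subtle.ConstantTimeCompare([]byte(token), presented) == 1 {
				next.ServeHTTP(w, r)
				return
			}
		}
		// same JSON error shape the API already uses for other failures
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(http.StatusUnauthorized)
		w.Write([]byte(`{"status":"error","exception":"missing or invalid API key"}`))
	})
}

// StatusFor sends one GET through the middleware and returns the resulting HTTP status.
func StatusFor(cfg Config, apiKey string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api/v1/query", nil) // path assumed
	if apiKey != "" {
		req.Header.Set("X-API-Key", apiKey)
	}
	rec := httptest.NewRecorder()
	APIKeyMiddleware(cfg, ok).ServeHTTP(rec, req)
	return rec.Code
}
```

With authentication enabled and no tokens configured every request is rejected rather than waved through, which is the safe failure mode for a misconfigured deployment.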

Fix CVE-2023-39325 in pkg:golang/golang.org/x/[email protected]

pkg:golang/golang.org/x/[email protected]
1 known vulnerabilities affecting installed version
[CVE-2023-39325] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Add auth

Problem

We want to have authentication and authorization (if needed) in the application. Right now we use Exasol user credentials for each query.

Secure the API

Problem

We will use the API with Power Apps which is a SaaS. It means we will expose the API to the Internet. So we need to secure it.

Here are a few ideas:

  • Add an authentication/authorization server instead of a manual tokens check
  • Enable TLS in the connection by default
  • Enable Exasol default data encryption
  • Implement rate limits for preventing brute force attacks.

Improve the response JSON format

Problem

We need to define the JSON format for responses. We could use the same format as WebSockets or we can modify it slightly.
Right now we return the WebSockets JSON directly on 200 code and some custom error code + error message on 400.

Dependency check fails

pkg:golang/golang.org/x/[email protected]
1 known vulnerabilities affecting installed version 
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2022-32149] CWE-772: Missing Release of Resource after Effective Lifetime                                                                                                                               ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ An attacker may cause a denial of service by crafting an Accept-Language                                                                                                                ┃
┃                    ┃ header which ParseAcceptLanguage will take significant time to parse.                                                                                                                   ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ CVE-2022-32149                                                                                                                                                                          ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 7.5/10 (High)                                                                                                                                                                           ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                                                                                                                            ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2022-32149?component-type=golang&component-name=golang.org%2Fx%2Ftext&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.41 ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

1 Vulnerable Packages

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Summary                      ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━┫
┃ Audited Dependencies    ┃ 35 ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━┫
┃ Vulnerable Dependencies ┃ 1  ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━┛

Add additional endpoints

Problem

We need additional endpoints for integration with PowerApps.

List of the expected endpoints:

  • Get a list of tables by the schema name.
  • Insert a new row.
  • Get rows. -> can be done with the query endpoint?

New integration test for TLS/SSL support

Related to #45 and #46

Generate a certificate in the test, configure and start the server and try to connect/make a request using https.

Creating a self-signed certificate with OpenSSL should be easy enough:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes

Suggestion: Maybe create a simple endpoint/action for testing this instead of also involving the db (mainly for speed purposes)
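The test described above written out in Go, as an added example and not the project's own test code: the certificate is generated in memory with crypto/x509 instead of being written to key.pem/cert.pem by openssl, the endpoint is a db-free /ping as suggested, and a second client that does not trust the test certificate confirms that verification is actually enforced. It uses net/http/httptest in place of the project's server; the /ping path is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert builds a throwaway certificate for 127.0.0.1 in memory (the in-test
// equivalent of the openssl command above) plus a pool that trusts only that cert.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // test helper: a failure here is a bug in the test itself
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on 127.0.0.1
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced: cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// PingOverTLS serves a db-free /ping endpoint over HTTPS with that cert: a client trusting
// the cert must get 200, a client with the default trust store must fail the handshake.
func PingOverTLS() (status int, tlsVersion uint16, untrustedRejected bool, err error) {
	cert, pool := selfSignedCert()
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("pong")) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	defer srv.Close()
	trusted := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	resp, err := trusted.Get(srv.URL + "/ping")
	if err != nil {
		return 0, 0, false, err
	}
	resp.Body.Close()
	_, err = (&http.Client{}).Get(srv.URL + "/ping") // no RootCAs: x509 verification fails
	return resp.StatusCode, resp.TLS.Version, err != nil, nil
}
```

Against the real server the trusted client would load cert.pem into the RootCAs pool the same way; the point of the second client is that a test which only ever sets InsecureSkipVerify would pass even if TLS were silently misconfigured.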

Fix security scanner

Security scanner github actions fails currently: https://github.com/exasol/exasol-rest-api/actions/runs/4001179395/jobs/6867156944

Checking for updates...
go: downloading google.golang.org/protobuf v1.28.1
Error: Failed to query the GitHub API for updates.

This is most likely due to GitHub rate-limiting on unauthenticated requests.

To make authenticated requests please:

  1. Generate a token at https://github.com/settings/tokens
  2. Set the token by either adding it to your ~/.gitconfig or
     setting the GITHUB_TOKEN environment variable.

Instructions for generating a token can be found at:
https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/

We call the GitHub releases API to look for new releases.
More information about that API can be found here: https://developer.github.com/v3/repos/releases/

: GET https://api.github.com/repos/sonatype-nexus-community/nancy/releases: 403 API rate limit exceeded for 40.122.242.98. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) [rate reset in 13m07s]

For more information, check the log file at /root/.ossindex/nancy.combined.log
nancy version: 1.0.42

Usage:
  nancy sleuth [flags]

Examples:
  go list -json -deps ./... | nancy sleuth --username your_user --token your_token
  nancy sleuth -p Gopkg.lock --username your_user --token your_token

Flags:
  -a, --additional-exclude-vulnerability-files strings   Path to additional files containing newline separated CVEs or OSS Index IDs to be excluded
  -e, --exclude-vulnerability CveListFlag                Comma separated list of CVEs or OSS Index IDs to exclude (default [])
  -x, --exclude-vulnerability-file string                Path to a file containing newline separated CVEs or OSS Index IDs to be excluded (default "./.nancy-ignore")
  -h, --help                                             help for sleuth
  -n, --no-color                                         indicate output should not be colorized
  -o, --output string                                    Styling for output format. json, json-pretty, text, csv (default "text")

Global Flags:
  -v, -- count                 Set log level, multiple v's is more verbose
  -d, --db-cache-path string   Specify an alternate path for caching responses from OSS Inde, example: /tmp
      --loud                   indicate output should include non-vulnerable packages
  -p, --path string            Specify a path to a dep Gopkg.lock file for scanning
  -q, --quiet                  indicate output should contain only packages with vulnerabilities (default true)
      --skip-update-check      Skip the check for updates.
  -t, --token string           Specify OSS Index API token for request
  -u, --username string        Specify OSS Index username for request
  -V, --version                Get the version

go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading golang.org/x/sys v0.1.0
go: downloading github.com/KyleBanks/depth v1.2.1
go: downloading github.com/go-openapi/jsonreference v0.20.0
go: downloading github.com/go-openapi/spec v0.20.7
go: downloading golang.org/x/tools v0.2.0
go: downloading github.com/tidwall/match v1.1.1
go: downloading github.com/tidwall/pretty v1.2.1
go: downloading github.com/go-playground/universal-translator v0.18.0
go: downloading github.com/leodido/go-urn v1.2.1
go: downloading golang.org/x/crypto v0.1.0
go: downloading golang.org/x/text v0.4.0
go: downloading github.com/go-openapi/jsonpointer v0.19.5
go: downloading github.com/go-openapi/swag v0.22.3
go: downloading github.com/go-playground/locales v0.14.0
go: downloading github.com/mailru/easyjson v0.7.7
go: downloading github.com/josharian/intern v1.0.0
pkg/exasol-rest-api/application_runner.go:4:2: package main/doc/swagger is not in GOROOT (/opt/hostedtoolcache/go/1.18.10/x64/src/main/doc/swagger)
Error: Process completed with exit code 1.

Update dependencies and fix vulnerabilities (in google.golang.org/protobuf)

See https://github.com/exasol/exasol-rest-api/actions/runs/8334811648/job/22809129091

┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ [CVE-2024-24786] CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')                                                                                                                                    ┃
┣━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Description        ┃ The protojson.Unmarshal function can enter an infinite loop when                                                                                                                               ┃
┃                    ┃ unmarshaling certain forms of invalid JSON. This condition can occur when                                                                                                                      ┃
┃                    ┃ unmarshaling into a message which contains a google.protobuf.Any value, or                                                                                                                     ┃
┃                    ┃ when the UnmarshalOptions.DiscardUnknown option is set.                                                                                                                                        ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ OSS Index ID       ┃ CVE-2024-24786                                                                                                                                                                                 ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Score         ┃ 5.3/10 (Medium)                                                                                                                                                                                ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ CVSS Vector        ┃ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L                                                                                                                                                   ┃
┣━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
┃ Link for more info ┃ https://ossindex.sonatype.org/vulnerability/CVE-2024-24786?component-type=golang&component-name=google.golang.org%2Fprotobuf&utm_source=nancy-client&utm_medium=integration&utm_content=1.0.46 ┃
┗━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

SSL/TLS Support within the API itself

Support for SSL/TLS within the API itself is available.
Make it configurable so it's available for use.
This makes setup less complicated: No need for an additional proxy and SSL termination.
