finos / fdc3-conformance-framework
A framework for testing whether desktop containers implement the FDC3 standard
License: Apache License 2.0
We've run into an issue with the tests while testing that we think will affect most other desktop agents and needs fixing in the test framework:
The broadcast/User channel tests are using the system/user channels to send control messages to the mock apps, specifically a 'close' message here:
FDC3-conformance-framework/tests/src/test/fdc3.broadcast.ts, lines 802 to 805 in 10a7db6
However, if the channel retains context (which many implementations do), that context will already be present and will be received in the second broadcast test, breaking it (and no doubt a few others). I.e. it will immediately be received here:
FDC3-conformance-framework/tests/src/test/fdc3.broadcast.ts, lines 50 to 53 in 10a7db6
You can replicate this by opening another component and putting it on the first system/user channel before you start the test as this will stop Finsemble draining the channel of state:
To fix, move these messages off of the system channels and onto a dedicated app channel (which the mocks should always independently listen for).
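The following is an added example, not code from the conformance framework or from any desktop agent. It is a minimal in-memory FDC3-style agent whose channels retain the last context of each type, as the issue says many implementations do, and it runs the two "tests" the issue describes twice: once with the 'close' control message on the user channel under test, once on a dedicated app channel. The control message type and the app channel name are assumptions.

```javascript
// Added example, not code from the conformance framework or from any desktop agent.
// A minimal in-memory FDC3-style agent whose channels retain the last context of
// each type (as many real agents do). It shows why the 'close' control message
// sent to the mock apps must not travel on the user channel under test.

// Assumed names for the control message type and the dedicated app channel.
const CONTROL_TYPE = 'fdc3-conformance-control';
const CONTROL_CHANNEL_ID = 'fdc3-conformance-control-channel';

// A context without a string type is invalid and is never delivered.
function isValidContext(context) {
  return context !== null && typeof context === 'object' && typeof context.type === 'string';
}

class Channel {
  constructor(id) {
    this.id = id;
    this.listeners = [];       // entries of { contextType: string|null, handler }
    this.retained = new Map(); // context type -> last context broadcast on this channel
    this.last = null;          // last context broadcast, regardless of type
  }

  // A listener filtered by context type (null = every type). A new listener is
  // replayed the retained context matching its filter; that replay is exactly
  // what hands a stale control message to the next test.
  addContextListener(contextType, handler) {
    const entry = { contextType, handler };
    this.listeners.push(entry);
    for (const [type, ctx] of this.retained) {
      if (contextType === null || contextType === type) handler(ctx);
    }
    return {
      unsubscribe: () => { this.listeners = this.listeners.filter((l) => l !== entry); },
    };
  }

  // FDC3 2.0 behaviour: invalid context rejects the promise and is not delivered.
  broadcast(context) {
    if (!isValidContext(context)) {
      return Promise.reject(new Error('Invalid context object'));
    }
    this.retained.set(context.type, context);
    this.last = context;
    for (const l of this.listeners) {
      if (l.contextType === null || l.contextType === context.type) l.handler(context);
    }
    return Promise.resolve();
  }

  getCurrentContext(contextType) {
    const ctx = contextType === undefined ? this.last : this.retained.get(contextType);
    return Promise.resolve(ctx === undefined ? null : ctx);
  }
}

class FakeAgent {
  constructor() {
    this.userChannelIds = ['fdc3.channel.1', 'fdc3.channel.2'];
    this.channels = new Map(this.userChannelIds.map((id) => [id, new Channel(id)]));
  }
  getUserChannels() { return this.userChannelIds.map((id) => this.channels.get(id)); }
  getOrCreateChannel(id) {
    if (!this.channels.has(id)) this.channels.set(id, new Channel(id));
    return this.channels.get(id);
  }
}

// Runs two consecutive "tests" against a fresh agent. Test 1 has the harness
// send 'close' to a mock app over controlChannelId; test 2 has a new mock join
// the first user channel with a catch-all listener and expects one instrument.
// Returns what each mock received so the two channel choices can be compared.
function runTwoBroadcastTests(controlChannelId) {
  const agent = new FakeAgent();
  const userChannel = agent.getUserChannels()[0];
  const controlChannel = agent.getOrCreateChannel(controlChannelId);

  const closeCommands = [];
  controlChannel.addContextListener(CONTROL_TYPE, (ctx) => closeCommands.push(ctx.command));
  controlChannel.broadcast({ type: CONTROL_TYPE, command: 'close' });

  const seen = [];
  userChannel.addContextListener(null, (ctx) => seen.push(ctx.type));
  userChannel.broadcast({ type: 'fdc3.instrument', id: { ticker: 'AAPL' } }); // constructed sample
  return { closeCommands, seen };
}

console.log('control on user channel ->', runTwoBroadcastTests('fdc3.channel.1').seen);
console.log('control on app channel  ->', runTwoBroadcastTests(CONTROL_CHANNEL_ID).seen);
```

With the control message on `fdc3.channel.1` the second test's listener receives the retained control context before the instrument; with the message on the dedicated app channel it receives only the instrument. Whether the real agent replays retained context on listener registration, on join, or only via `getCurrentContext()` varies, but any of the three leaks harness state into the user channel tests.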
This test should invoke the intent with the mock data that is described in the documentation and ensure that no errors have been thrown.
This will be done by utilizing /v1/apps/search in the app directory to get all the applications that are registered in the app directory.
App | Step | Details |
---|---|---|
A | joinChannel | fdc3.getOrCreateChannel("test-channel") |
A | addContextListener | Call testChannel.addContextListener(null, handler). Check listener object returned. Check that there is an unsubscribe function on the returned object |
B | joinChannel | fdc3.getOrCreateChannel("test-channel") |
B | Broadcast | testChannel.broadcast(<some instrument>) |
A | Receive Context | Instrument object matches the one broadcast in 2 above. |
AC Basic Usage 1: Perform above test
AC Basic Usage 2: Perform above test, but join channel first and then testChannel.addContextListener()
AC Basic Usage 3: Do the app B steps first but in reverse order to populate the channel with context, check that A will receive the context after joining
App | Step | Details |
---|---|---|
A | joinChannel | fdc3.getOrCreateChannel("test-channel") |
A | addContextListener | Call testChannel.addContextListener("fdc3.instrument", handler). Check listener object returned. Check that there is an unsubscribe function on the returned object |
B | joinChannel | fdc3.getOrCreateChannel("test-channel") |
B | Broadcast | testChannel.broadcast() the instrument context. testChannel.broadcast() a contact context. |
A | Receive Context | Instrument object matches the one broadcast in 2 above. Check that the contact is not received. |
AC Filtered Context 1: Perform above test
AC Filtered Context 2: Perform above test, except joining a different channel. Check that you don't receive anything.
AC Unsubscribe: Perform above test, except that after joining, A then unsubscribe()s the channel. Check that A doesn't receive anything.
AC Filtered Context 3: Perform above test, except that after joining, A changes channel with a further different channel. Check that A doesn't receive anything.
AC Filtered Context 4: Perform above test, except that after joining, A calls fdc3.leaveChannel() and doesn't receive anything.
AC Invalid Broadcast 1 (1.2 ONLY): Broadcast is sent either without type field / invalid object structure. NOT DELIVERED, no other errors.
AC Invalid Broadcast 2 (2.0 ONLY): Broadcast is sent either without type field / invalid object structure. NOT DELIVERED, promise is rejected.
App | Step | Details |
---|---|---|
A | joinChannel | fdc3.getOrCreateChannel("test-channel") |
B | joinChannel | fdc3.getOrCreateChannel("test-channel") |
B | Broadcast | testChannel.broadcast() the instrument context. testChannel.broadcast() a contact context. |
A | Receive Context | testChannel.getCurrentContext('fdc3.instrument') returns the last instrument. testChannel.getCurrentContext('fdc3.contact') returns the last broadcast contact |
AC Context History Typed: Perform above test.
AC Context History Multiple: B broadcasts multiple history items of both types. Only the last version of each type is received by A.
AC Context History Last: A calls testChannel.getCurrentContext() and retrieves the last broadcast context item
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a DigestInfo ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24772
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772
Release Date: 2022-03-18
Fix Resolution: node-forge - 1.3.0
Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset
Library home page: https://registry.npmjs.org/browserslist/-/browserslist-4.14.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/browserslist/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Publish Date: 2021-04-28
URL: CVE-2021-23364
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
Release Date: 2021-04-28
Fix Resolution: browserslist - 4.16.5
An elegant lib that converts the chalked (ANSI) text to HTML.
Library home page: https://registry.npmjs.org/ansi-html/-/ansi-html-0.0.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ansi-html/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Publish Date: 2021-08-18
URL: CVE-2021-23424
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23424
Release Date: 2021-08-18
Fix Resolution: VueJS.NetCore - 1.1.1;Indianadavy.VueJsWebAPITemplate.CSharp - 1.0.1;NorDroN.AngularTemplate - 0.1.6;CoreVueWebTest - 3.0.101;dotnetng.template - 1.0.0.4;Fable.Template.Elmish.React - 0.1.6;SAFE.Template - 3.0.1;GR.PageRender.Razor - 1.8.0;Envisia.DotNet.Templates - 3.0.1
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
The FDC3 Desktop Agent is a Chrome Extension implementation of FDC3.
Test instructions:
It currently passes 4 of the 15 tests.
Most failures seem to relate to unresolved promises.
fdc3.addContextListener - Method is callable (passed)
fdc3.addIntentListener - Method is callable (passed)
fdc3.broadcast - Method is callable (passed)
fdc3.getCurrentChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.getInfo - Method is callable (passed)
fdc3.getOrCreateChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.getSystemChannels - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.joinChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.joinChannel - "after each" hook for "Method is callable" (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.leaveCurrentChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.findIntent - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.open - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.raiseIntent - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.raiseIntentForContext - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.findIntentsByContext - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
NOTE: The above is the text output from #23
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
Arbitrary Code Injection vulnerability was found in ejs before 3.1.6. Caused by filename which isn't sanitized for display.
Publish Date: 2021-01-22
URL: WS-2021-0153
Base Score Metrics:
When a failure occurs, an Error should be returned, with a defined string message. For example, with open:
If opening errors, it returns an Error with a string from the OpenError enumeration.
Currently our tests check whether a promise is rejected with a string message, see for example:
https://github.com/finos/FDC3-conformance-framework/blob/main/tests/src/test/fdc3.open.ts#L89
Notably, container implementations seem to reject with a string, e.g.
finos/FDC3-Sail#53
InteropIO/finsemble-seed#773
However, they should reject with an Error with the given string message.
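As an added example (not the framework's own test code), the check below distinguishes a rejection that carries an `Error` with an `OpenError` message from one that carries a bare string, which is the difference the issue is about. The two "agents" are hypothetical stand-ins, not any real implementation.

```javascript
// Added example, not code from the conformance framework or any desktop agent.
// It shows the check the issue asks for: a rejected fdc3.open() must carry an
// Error whose message is an OpenError value, not a bare string.

// OpenError values as listed on the FDC3 1.2 Errors reference page.
const OpenError = Object.freeze({
  AppNotFound: 'AppNotFound',
  ErrorOnLaunch: 'ErrorOnLaunch',
  AppTimeout: 'AppTimeout',
  ResolverUnavailable: 'ResolverUnavailable',
});

// Classifies a rejection reason the way a conformance assertion should:
//   'ok'              an Error whose message is an OpenError value
//   'string'          a bare string (what the issue reports agents doing)
//   'not-error'       any other non-Error value
//   'unknown-message' an Error whose message is not an OpenError value
function classifyOpenRejection(reason) {
  if (typeof reason === 'string') return 'string';
  if (!(reason instanceof Error)) return 'not-error';
  return Object.values(OpenError).includes(reason.message) ? 'ok' : 'unknown-message';
}

// Awaits an open-style promise and reports how it settled. Resolving at all is
// itself a failure for a test that expects AppNotFound.
async function checkOpen(openFn, appName) {
  try {
    await openFn(appName);
    return 'resolved';
  } catch (reason) {
    return classifyOpenRejection(reason);
  }
}

// Two hypothetical agents (assumptions, not any real implementation).
function openRejectingWithString(appName) {
  return Promise.reject(OpenError.AppNotFound);            // non-conformant: bare string
}
function openRejectingWithError(appName) {
  return Promise.reject(new Error(OpenError.AppNotFound)); // conformant: Error with the string message
}

checkOpen(openRejectingWithString, 'missing-app').then((r) => console.log('string agent ->', r));
checkOpen(openRejectingWithError, 'missing-app').then((r) => console.log('error agent  ->', r));
```

A test written against `classifyOpenRejection` fails the string-rejecting agent while still checking that the message matches the enumeration, so tightening the framework's assertion from "rejected with this string" to "rejected with an Error carrying this message" does not loosen what is verified.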
This test should invoke the intent with the mock data that is described in the documentation and ensure that no errors have been thrown.
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-1.9.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-3.3.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution: normalize-url - 4.5.1,5.3.1,6.0.1
Must update the Readme files on how to set up and start the project and tests.
There are a number of refinements that should be made to the test framework to make it more usable:
(superseded by #240)
Adding a 'done' message in the main view after all tests have run would:
Adding a restart or refresh button after all tests have run would make it easier to re-run tests without closing and reopening. This functionality is partially available in that clicking on a group heading in the tests will navigate the framework to grep URL (e.g. http://localhost:3001/v1.2/app/index.html?grep=fdc3%5C.getOrCreateChannel) that will allow you to run just that group. However, there is no way to navigate back to the beginning and re-run all tests.
If you click on group heading in the test report, the framework navigates to a grep URL (e.g. http://localhost:3001/v1.2/app/index.html?grep=fdc3%5C.getOrCreateChannel) which will run just that set of tests. However, the menu is not aware of this and will indicate that all tests are being re-run - when they will not be.
The menu should be aware of the current filter (so it can select the appropriate entry from the menu) and should be able to override/change it. This may mean rebuilding that functionality using Mocha's own filtering support.
This test should invoke the intent with the mock data that is described in the documentation and ensure that no errors have been thrown.
as per issue title!
At the moment the mocha tests are executed within the 'browser' with some very simple formatting:
Currently this doesn't include the test suite names (i.e. the 'describes'), and the order of tests is a bit surprising. I'm pretty sure other test runners (e.g. Jasmine) have a browser-based test runner, but I couldn't find one for mocha.
Ideally we'd have a simple way to run the tests, understand the structure, watch progress and understand errors ... without having to write much code!
This directory (mock/fdc3-app-config-examples), currently containing a Finsemble config example, probably should not live under the 'mock' directory. Rather it should move up a level and be referred to from the README.
Both the README file and these examples should be deployed with the framework (copied into the same location as the app builds) so that they can be referenced from the deployed location. Internal links from the README to the examples should use relative paths to ensure that these work post-deployment.
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nth-check/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
Base Score Metrics:
Uncaught SyntaxError: Identifier 'channelType' has already been declared (at channelService-2_0.js:1:1)
Both channel services declare the same constant.
App | Step | Details |
---|---|---|
A | addContextListener | Call fdc3.addContextListener(null, handler) Check listener object returned Check that there is an unsubscribe function on the returned object |
A | joinChannel | fdc3.getSystemChannels() Check channels are returned. Call fdc3.joinChannel() on first non-global channel |
B | joinChannel | fdc3.getSystemChannels() Check channels are returned. Call fdc3.joinChannel() on first non-global channel |
B | Broadcast | fdc3.broadcast(<some instrument>) |
A | Receive Context | Instrument object matches the one broadcast in 2 above. |
UC Basic Usage 1: Perform above test
UC Basic Usage 2: Perform above test, but join channel first and then fdc3.addContextListener()
UC Basic Usage 3: Do the app B steps first to populate the channel with context, check that A will receive the context after joining
UC Basic Usage 4: Do the app B steps first but in reverse order to populate the channel with context, check that A will receive the context after joining
App | Step | Details |
---|---|---|
A | addContextListener | Call fdc3.addContextListener("fdc3.instrument", handler) Check listener object returned Check that there is an unsubscribe function on the returned object |
A | joinChannel | fdc3.getSystemChannels() Check channels are returned. Call fdc3.joinChannel() on first non-global channel |
B | joinChannel | fdc3.getSystemChannels() Check channels are returned. Call fdc3.joinChannel() on first non-global channel |
B | Broadcast | fdc3.broadcast() the instrument context. fdc3.broadcast() a contact context. |
A | Receive Context | Instrument object matches the one broadcast in 2 above. Check that the contact is not received. |
UC Filtered Context 1: Perform above test
App | Step | Details |
---|---|---|
A | addContextListener | Call addContextListener("fdc3.instrument", handler). Check listener object returned. Check that there is an unsubscribe function on the returned object. Call addContextListener("fdc3.contact", handler). Check listener object returned. Check that there is an unsubscribe function on the returned object |
A | joinChannel | Check that there is an unsubscribe function on the returned object |
B | joinChannel | fdc3.getSystemChannels() Check channels are returned. Call fdc3.joinChannel() on first non-global channel |
B | Broadcast | fdc3.broadcast() the instrument context. fdc3.broadcast() a contact context. |
A | Receive Context | Instrument object matches the one broadcast in 2 above. Contact object matches the one broadcast in 2 above. |
UC Filtered Context 2: Perform above test
UC Filtered Context 3: Perform above test, except joining a different channel. Check that you don't receive anything.
UC Unsubscribe: Perform above test, except that after joining, A then unsubscribe()s the channel. Check that A doesn't receive anything.
UC Filtered Context 4: Perform above test, except that after joining, A changes channel with a further different channel. Check that A doesn't receive anything.
UC Filtered Context 5: Perform above test, except that after joining, A calls fdc3.leaveChannel() and doesn't receive anything.
UC Invalid Broadcast 1 (1.2 ONLY): Broadcast is sent either without type field / invalid object structure. NOT DELIVERED, no other errors.
UC Invalid Broadcast 2 (2.0 ONLY): Broadcast is sent either without type field / invalid object structure. NOT DELIVERED, promise is rejected.
UC Current Channel: A call to fdc3.getCurrentChannel() returns null if called prior to any joinChannel.
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24773
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773
Release Date: 2022-03-18
Fix Resolution: node-forge - 1.3.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.
Publish Date: 2022-03-18
URL: CVE-2022-24771
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771
Release Date: 2022-03-18
Fix Resolution: node-forge - 1.3.0
The fdc3 object may not be immediately available in some implementations. As a result, the mock applications should await the fdc3Ready event before interacting with the API:
https://fdc3.finos.org/docs/1.2/api/ref/Globals#fdc3ready-event
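An added example of that wait, not code from the framework's mock apps: it resolves with the agent at once when `window.fdc3` is already present, otherwise on the `fdc3Ready` event, and gives up after a timeout so a mock app does not hang forever under an agent that never injects the API. The `host` parameter stands in for `window` so the helper can be exercised outside a browser; the timeout value is an assumption.

```javascript
// Added example, not code from the conformance framework or its mock apps.
// Resolves with the DesktopAgent once window.fdc3 is usable.
function waitForFdc3(host, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    // Fast path: the agent already injected the API before this script ran.
    if (host.fdc3) {
      resolve(host.fdc3);
      return;
    }
    const timer = setTimeout(() => {
      host.removeEventListener('fdc3Ready', onReady);
      reject(new Error(`fdc3 not available after ${timeoutMs} ms`));
    }, timeoutMs);
    function onReady() {
      clearTimeout(timer);
      host.removeEventListener('fdc3Ready', onReady);
      // An agent that fires the event before assigning window.fdc3 is still unusable.
      if (host.fdc3) resolve(host.fdc3);
      else reject(new Error('fdc3Ready fired but fdc3 is undefined'));
    }
    host.addEventListener('fdc3Ready', onReady);
  });
}

// Constructed stand-in for window so this runs under Node (EventTarget and
// Event are globals from Node 15 onwards).
function makeFakeWindow() {
  return new EventTarget();
}

// Demonstration: the event arrives 10 ms after the mock starts waiting.
const win = makeFakeWindow();
waitForFdc3(win, 1000).then((agent) => console.log('fdc3 ready:', typeof agent.getInfo));
setTimeout(() => {
  win.fdc3 = { getInfo: () => ({ fdc3Version: '1.2' }) }; // constructed agent
  win.dispatchEvent(new Event('fdc3Ready'));
}, 10);
```

In a mock app the call is simply `waitForFdc3(window).then((fdc3) => { /* register listeners */ })`; the timeout turns a silently hung mock into a reported failure.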
You will need to pre-populate the AppDirectory with the following items:
App | Required Metadata |
---|---|
A | A's AppD Record contains: aTestingIntent (with context type testContextX, testContextZ) and sharedTestingIntent1 (with context type testContextX) |
B | B's AppD Record contains bTestingIntent (with context type testContextY) and sharedTestingIntent1 (with context types testContextX and testContextY) |
C | C's AppD Record contains cTestingIntent (with context type testContextX) |
Also we assume a fourth app D that is going to discover the intents in the other 3.
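The following is an added reference model, not the framework's code nor any app directory's: it implements `findIntent` and `findIntentsByContext` over the three AppD records above so that the expected outcomes of the discovery cases listed below can be checked mechanically. The records are constructed from the table; context types are assumed to be the `fdc3.`-prefixed form used in the test calls (the table omits the prefix), and the error values are assumptions that follow the FDC3 ResolveError naming.

```javascript
// Added example, not code from the conformance framework or any app directory.
// A reference model of fdc3.findIntent / findIntentsByContext over the AppD
// records the issue lists.

// Assumed error value, following the FDC3 ResolveError naming.
const ResolveError = Object.freeze({ NoAppsFound: 'NoAppsFound' });

// Constructed AppD records from the table: app -> intent -> supported context types.
const appDirectory = {
  A: {
    aTestingIntent: ['fdc3.testContextX', 'fdc3.testContextZ'],
    sharedTestingIntent1: ['fdc3.testContextX'],
  },
  B: {
    bTestingIntent: ['fdc3.testContextY'],
    sharedTestingIntent1: ['fdc3.testContextX', 'fdc3.testContextY'],
  },
  C: {
    cTestingIntent: ['fdc3.testContextX'],
  },
};

// The test cases pass a type string; a real agent receives a Context object.
function contextTypeOf(context) {
  if (context === undefined) return undefined;
  return typeof context === 'string' ? context : context.type;
}

// Synchronous core of findIntent: apps whose record lists the intent and, when
// a context is given, that context type. Throws NoAppsFound when none match.
function resolveIntent(directory, intent, context) {
  const type = contextTypeOf(context);
  const apps = Object.entries(directory)
    .filter(([, intents]) => intents[intent] && (type === undefined || intents[intent].includes(type)))
    .map(([name]) => ({ name }));
  if (apps.length === 0) throw new Error(ResolveError.NoAppsFound);
  return { intent: { name: intent }, apps };
}

// Synchronous core of findIntentsByContext: every intent any app supports for
// the type, grouped by intent. A missing context type is a caller error.
function resolveIntentsByContext(directory, context) {
  const type = contextTypeOf(context);
  if (typeof type !== 'string') throw new Error('findIntentsByContext requires a context');
  const byIntent = new Map();
  for (const [name, intents] of Object.entries(directory)) {
    for (const [intent, types] of Object.entries(intents)) {
      if (!types.includes(type)) continue;
      if (!byIntent.has(intent)) byIntent.set(intent, []);
      byIntent.get(intent).push({ name });
    }
  }
  if (byIntent.size === 0) throw new Error(ResolveError.NoAppsFound);
  return [...byIntent].map(([intent, apps]) => ({ intent: { name: intent }, apps }));
}

// Promise-returning wrappers with the FDC3-shaped signatures.
const findIntent = (intent, context) =>
  Promise.resolve().then(() => resolveIntent(appDirectory, intent, context));
const findIntentsByContext = (context) =>
  Promise.resolve().then(() => resolveIntentsByContext(appDirectory, context));

// Convenience for reading results: the app names in an AppIntent.
const appNames = (appIntent) => appIntent.apps.map((a) => a.name);

findIntent('sharedTestingIntent1', 'fdc3.testContextY')
  .then((ai) => console.log('sharedTestingIntent1 / testContextY ->', appNames(ai)));
findIntentsByContext('fdc3.testContextX')
  .then((list) => console.log('testContextX ->', list.map((ai) => [ai.intent.name, appNames(ai)])));
```

Running the discovery cases against this model reproduces the expectations in the issue: `aTestingIntent` resolves to A only, `sharedTestingIntent1` to A and B (B alone for `testContextY`), a wrong context or unknown intent rejects with `NoAppsFound`, and `testContextX` yields exactly `aTestingIntent`, `sharedTestingIntent1` and `cTestingIntent`.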
IntentAppD: Calls fdc3.findIntent('aTestingIntent'). Receives promise containing an appIntent with metadata containing aTestingIntent and only A app metadata.
WrongIntentAppD: Calls fdc3.findIntent('nonExistentIntent'). Rejects with no apps found error https://fdc3.finos.org/docs/api/ref/Errors#resolveerror
IntentAppDRightContext: Calls fdc3.findIntent('aTestingIntent', 'fdc3.testContextX'). Receives promise containing an appIntent with metadata containing aTestingIntent and only A app metadata.
IntentAppDWrongContext: Calls fdc3.findIntent('aTestingIntent', 'fdc3.testContextY'). Rejects with no apps found error https://fdc3.finos.org/docs/api/ref/Errors#resolveerror
IntentAppDMultiple1: Calls fdc3.findIntent('sharedTestingIntent1'). Receives promise containing an appIntent with metadata containing sharedTestingIntent and only A and B app metadata.
IntentAppDMultiple2: Calls fdc3.findIntent('sharedTestingIntent1', 'testContextX'). Receives promise containing an appIntent with metadata containing sharedTestingIntent and only A and B app metadata.
IntentAppDMultiple2: Calls fdc3.findIntent('sharedTestingIntent1', 'testContextY'). Receives promise containing an appIntent with metadata containing sharedTestingIntent and only B app metadata.
SingleContext: Call fdc3.findIntentsByContext('fdc3.testContextX'). Should return aTestingIntent (app A), sharedTestingIntent (A, B) and cTestingIntent (C) AND nothing else.
NoContext: Call fdc3.findIntentsByContext(). Throws error of some kind?
App | Step | Details |
---|---|---|
D | Raise | fdc3.raiseIntent('sharedTestingIntent1', {testContextY}) starts app B. |
B | Gather Context | fdc3.addIntentListener('sharedTestingIntent1') Receives testContextY, matching that sent by D |
SingleResolve1: Perform above test
TargetedResolve1: Use fdc3.raiseIntent('aTestingIntent', {testContextX}, <A's App Name>) to start app A, otherwise, as above
TargetedResolve2,3,4: Use the other ways of addressing apps (via ID, metadata) as described at the start of #18
FailedResolve1-4: As above, but use fdc3.raiseIntent('aTestingIntent', {testContextY}, <A's App Name>) and variations. You will receive No Apps Available Resolve Error
FailedResolve5-8: As above, but use fdc3.raiseIntent('aTestingIntent', {testContextX}, <C's App Name>) and variations. You will receive No Apps Available Resolve Error
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
We should add the javascript actions from this:
https://github.com/maoo/security-scanning
Embedded JavaScript templates
Library home page: https://registry.npmjs.org/ejs/-/ejs-2.7.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/ejs/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
Publish Date: 2022-04-25
URL: CVE-2022-29078
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078
Release Date: 2022-04-25
Fix Resolution: ejs - v3.1.7
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/immer/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Publish Date: 2021-09-02
URL: CVE-2021-3757
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/23d38099-71cd-42ed-a77a-71e68094adfa/
Release Date: 2021-09-02
Fix Resolution: immer - 9.0.6
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution: node-forge - 1.0.0
AOpensB1: [ ] A calls fdc3.open('app B Name'), check app B opens
AOpensB1: [ ] A calls fdc3.open({name: "<app B Name>"}), check app B opens
AOpensB1: [ ] A calls fdc3.open({name: "<app B Name>", appId: "<app B ID>"}), check app B opens
AOpensB1: [ ] A calls {appID: "<app ID>"}, check app B opens. (FDC3 2.0)
AFailsToOpenB: Run the above 4 tests again with a non-existent app name/app id. Should return "App Not Found" Error from https://fdc3.finos.org/docs/api/ref/Errors#openerror
App | Step | Description |
---|---|---|
A | Opening App | various open methods as in AOpensB1 except with a <context> argument check app opens |
B | Context present | fdc3.addContextListener() - receives <context> from A |
AOpensBWithContext: Perform above tests
AOpensBWithSpecificContext: Perform above but replace B's call with fdc3.addContextListener('fdc3.instrument')
App | Step | Description |
---|---|---|
A | Opening App | fdc3.open('app Name', <contact context>) check app opens |
B | Context present | fdc3.addContextListener() - receives from A |
A | Promise | - receives a rejection from the open promise with "App Timeout" from https://fdc3.finos.org/docs/api/ref/Errors#openerror |
AOpensBWithWrongContext: As above
AOpensBNoListen: Skip fdc3.addContextListener() above.
AOpensBMultipleListen: B performs fdc3.addContextListener('fdc3.instrument') prior to the existing addContextListener. The correct context listener should receive the context, and the promise completes successfully
AOpensBMalformedContext: A tries to pass malformed context to B. Context listener receives nothing, promise completes successfully.
This is an initial test run against electron-fdc3, an open implementation of the FDC3 standard using Electron and an integrated App Directory.
Steps to run:
http://localhost:3001
Test results, 8/16 tests passed. There seem to be a couple of issues:
- unsubscribe method is missing from the listener
- Promise<void>-returning methods do not resolve the promise
fdc3.addContextListener - Method is callable (passed)
fdc3.addContextListener - "after each" hook for "Method is callable" (failed)
listener.unsubscribe is not a function
fdc3.addIntentListener - Method is callable (passed)
fdc3.addIntentListener - "after each" hook for "Method is callable" (failed)
listener.unsubscribe is not a function
fdc3.broadcast - Method is callable (passed)
fdc3.getCurrentChannel - Method is callable (passed)
fdc3.getInfo - Method is callable (passed)
fdc3.getOrCreateChannel - Method is callable (passed)
fdc3.getSystemChannels - Method is callable (passed)
fdc3.joinChannel - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.leaveCurrentChannel - Method is callable (passed)
fdc3.findIntent - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.open - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.raiseIntent - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.raiseIntentForContext - Method is callable (failed)
Timeout of 1000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves.
fdc3.findIntentsByContext - Method is callable (failed)
Expected error NoAppsFound not thrown
Exception thrown: Expected error NoAppsFound not thrown
Create your next immutable state by mutating the current one
Library home page: https://registry.npmjs.org/immer/-/immer-8.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/immer/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
This affects the package immer before 9.0.6. A type confusion vulnerability can lead to a bypass of CVE-2020-28477 when the user-provided keys used in the path parameter are arrays. In particular, this bypass is possible because the condition (p === "proto" || p === "constructor") in applyPatches_ returns false if p is ['proto'] (or ['constructor']). The === operator (strict equality operator) returns false if the operands have different type.
Publish Date: 2021-09-01
URL: CVE-2021-23436
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23436
Release Date: 2021-09-01
Fix Resolution: immer - 9.0.6
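To make the type-confusion point in the advisory concrete, here is an added illustration (not immer's code, and not part of this issue): a strict-equality guard on path segments is bypassed when a segment is an array such as ["__proto__"], because an array is never === to a string, while the subsequent property access coerces the array to exactly that string. The function names (isDangerousKeyNaive, isDangerousKeyHardened, applyPathSet, runContainedDemo) are assumptions made for this example; the demo writes to a private prototype object rather than Object.prototype so it stays contained.

```javascript
// Added example illustrating the CVE-2021-23436 pattern; names are hypothetical.

// Vulnerable-style guard: strict equality only recognises string keys, so an
// array-typed key such as ["__proto__"] passes through unrecognised.
function isDangerousKeyNaive(p) {
  return p === "__proto__" || p === "constructor" || p === "prototype";
}

// Hardened guard: refuse any key that is not a plain string or number, and
// compare the normalised string form so coercion cannot hide the name.
function isDangerousKeyHardened(p) {
  if (typeof p !== "string" && typeof p !== "number") return true; // arrays, objects, symbols
  const key = String(p);
  return key === "__proto__" || key === "constructor" || key === "prototype";
}

// Minimal stand-in for a patch applier: walks `path` into `target` and sets `value`,
// consulting `isDangerous` on every segment. Property access node[p] coerces a
// non-string p with String(p), which is where an array key becomes "__proto__".
function applyPathSet(target, path, value, isDangerous) {
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const p = path[i];
    if (isDangerous(p)) throw new Error(`Refusing to write key ${String(p)}`);
    if (i === path.length - 1) {
      node[p] = value;
    } else {
      if (node[p] === undefined) node[p] = {};
      node = node[p];
    }
  }
  return target;
}

// Contained demonstration: `proto` plays the role of a shared prototype. With the
// naive guard the array key reaches the [[Prototype]] and the write lands on it;
// with the hardened guard the same path is rejected before anything is touched.
function runContainedDemo() {
  const proto = {};
  const victim = Object.create(proto);
  applyPathSet(victim, [["__proto__"], "polluted"], "yes", isDangerousKeyNaive);
  const naiveResult = proto.polluted; // "yes": the shared prototype was written

  let hardenedThrew = false;
  try {
    applyPathSet(Object.create({}), [["__proto__"], "polluted"], "yes", isDangerousKeyHardened);
  } catch (e) {
    hardenedThrew = true;
  }
  // Object.prototype itself is untouched because the demo used a private prototype.
  const globalClean = ({}).polluted === undefined;
  return { naiveResult, hardenedThrew, globalClean };
}
```

The fix shipped in immer 9.0.6 closes the same gap the hardened guard closes here: decide on the key's string form (or reject non-string keys outright) before comparing it with the reserved names.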
This test should invoke the intent with the mock data that is described in the documentation and ensure that no errors have been thrown.
This should ensure reproducible builds!
These are the test results for an initial run against Finsemble.
Instructions to reproduce:
Test results 14 pass, 1 fail.
The failure occurs because our fdc3.open test relies on the desktop agent throwing AppNotFound for the given appId. Finsemble throws ErrorOnLaunch instead.
fdc3.addContextListener - Method is callable (passed)
fdc3.addIntentListener - Method is callable (passed)
fdc3.broadcast - Method is callable (passed)
fdc3.getCurrentChannel - Method is callable (passed)
fdc3.getInfo - Method is callable (passed)
fdc3.getOrCreateChannel - Method is callable (passed)
fdc3.getSystemChannels - Method is callable (passed)
fdc3.joinChannel - Method is callable (passed)
fdc3.leaveCurrentChannel - Method is callable (passed)
fdc3.findIntent - Method is callable (passed)
fdc3.open - Method is callable (failed)
Expected error AppNotFound not thrown
Exception thrown: ErrorOnLaunch
fdc3.raiseIntent - Method is callable (passed)
fdc3.raiseIntentForContext - Method is callable (passed)
fdc3.findIntentsByContext - Method is callable (passed)
This test should invoke the intent with the mock data that is described in the documentation and ensure that no errors have been thrown.
Our first review of the tests turned up some incorrectly defined tests.
(So far I haven't found the below in the issues raised with test cases, hence they may have been added during implementation. In one case this could be an area that the standard could improve, but doesn't currently cover (and hence can't be part of a compliance test).)
This directly contradicts the Standard: Joining User Channels in 2.0 and Joining Channels in 1.2:
If an app is not joined to a User channel fdc3.broadcast will be a no-op and handler functions added with fdc3.addContextListener will not receive any broadcasts.
Remove this test please.
No such error exists in FDC3 1.2 or 2.0. See https://fdc3.finos.org/docs/1.2/api/ref/Errors
There is at present no statement of what should or should not happen when an invalid context object is passed. What is known is that it would not be delivered to a filtered context listener without a type, but that is all that's specified.
Remove this test please - or at least comment it out with a note that it's not defined in the standard.
No such error exists in FDC3 1.2 or 2.0. See https://fdc3.finos.org/docs/1.2/api/ref/Errors
Remove this test please - or at least comment it out with a note that it's not defined in the standard.
You didn't wait for it to do its broadcasts here as you do in other tests:
FDC3-conformance-framework/tests/src/test/fdc3.broadcast.ts
Lines 749 to 757 in cd8969b
This is an example of a place where coordinating messages could be used instead of waits... see Implementation feedback #74.
This test should/will never pass as the (malformed) context has no type, so it can't be routed to a typed context listener. Perhaps better to confirm it did get started by another means... However, behaviour with an invalid argument is not defined in the standard. Hence, I'd probably just go ahead and remove this test.
Note that IntentResolution.source is of type TargetApp, which can be the string name or an AppMetadata object. That's not why Finsemble fails this test - but it led me to this error.
Note that this needs fixing in multiple tests in this file.
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-forge/package.json
Dependency Hierarchy:
Found in HEAD commit: 464478c8d773c9f1db106df334cccbe96b76f1e7
Found in base branch: main
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution: node-forge - 1.0.0
While investigating test failures we collected some initial feedback on the implementation of the test suite:
App Directory configuration is in an inconsistent location for different containers:
Ideally, the following should be provided:
It's not clear why multiple servers are started for the different apps; different routes on a single server, or at most two servers, should suffice. Minor issue.
Tests involving the mocks can be hard to follow as the implementation is split across the test and the mock (necessary, but can be made much easier to follow) and some of the function names don't tell you what's going to happen, e.g. AppChannelService.addContextListener does indeed add a listener... but it will always immediately leave the channel after receiving its first message. This could be a more specific name that links better to the addition of that listener here and the broadcast to it here.
Further, it would be better if the channelsAppContext (used to drive the mock app's behavior) defined the name of the app channel that's being joined and what it will do once it's joined it, rather than that being baked into the object's defaults and the mock implementation:
FDC3-conformance-framework/tests/src/test/fdc3.broadcast.ts
Lines 428 to 438 in cd8969b
To confirm what this test is doing you currently have to seek out the ChannelsApp implementation (which involves reading the appD config to get the port, then package.json to figure out which command ran on that port and how it was built, then find the right folder, dig through the files and find a script tag in an HTML file and read it).
To make this more penetrable:
broadcastContextItems in the index.html and AppChannelService.broadcast in channelService.js could make use of TypeScript to provide interfaces (governing the polymorphism of the ChannelServices) and should include comments.
broadcastContextItems based on explicit arguments to the function (pulled from the context object passed in).

The use of wait times also makes me nervous. Where possible these could/should be replaced with an exchange of ready messages - although I grant you it's not ideal doing such coordination over the comms mechanism being tested.
However, timeouts like this:
FDC3-conformance-framework/tests/src/test/fdc3.broadcast.ts
Lines 445 to 454 in cd8969b
This is again dependent on a wait time (could reply first then close immediately and shorten the wait right down)...
Also the close method is Finsemble specific currently - probably because FDC3 doesn't contemplate a standard way to close a window (which it perhaps could...). You could use window.close() (https://developer.mozilla.org/en-US/docs/Web/API/Window/close) to do this as it's part of the HTML standard (although it doesn't work in Finsemble browserview windows I note - which we'll address - due to the fact that the content pane doesn't own the window). It does work if you set finsemble.appd[].manifest.foreign.components.Window Manager.titlebarType = "injected" in the individual component config or finsemble.Window Manager.titlebarType = "injected" in the whole desktop config.