Remove node-static dependency from testkit-backend

bigmontz · bigmontz · commit 5877e3a41f82 · 2023-08-16T15:02:20.000+02:00
This library has security vulnerabilities and it's not actively mantained. Their usage was replaced by a very basic implementation of static file server. See: https://github.com/neo4j/neo4j-javascript-driver/security/dependabot/134
diff --git a/packages/testkit-backend/package-lock.json b/packages/testkit-backend/package-lock.json
diff --git a/packages/testkit-backend/package.json b/packages/testkit-backend/package.json
@@ -34,7 +34,6 @@
   "dependencies": {
     "neo4j-driver": "5.0.0-dev",
     "neo4j-driver-lite": "5.0.0-dev",
-    "node-static": "^0.7.11",
     "ws": "^8.11.0"
   },
   "devDependencies": {
diff --git a/packages/testkit-backend/src/controller/remote.js b/packages/testkit-backend/src/controller/remote.js
@@ -1,7 +1,7 @@
 import Controller from './interface'
 import { WebSocketServer } from 'ws'
 import { createServer } from 'http'
-import { Server } from 'node-static'
+import { HttpStaticServer } from '../infrastructure'
 
 /**
  * RemoteController handles the requests by sending them a remote client.
@@ -14,7 +14,9 @@ import { Server } from 'node-static'
 export default class RemoteController extends Controller {
   constructor (port) {
     super()
-    this._staticServer = new Server('./public')
+    this._staticServer = new HttpStaticServer({
+      basePath: './public'
+    })
     this._port = port
     this._wss = null
     this._ws = null
diff --git a/packages/testkit-backend/src/infrastructure/http-static.server.js b/packages/testkit-backend/src/infrastructure/http-static.server.js
@@ -0,0 +1,68 @@
+import fs from 'fs'
+
+const DEFAULT_MIME_TYPES = {
+  html: 'text/html',
+  js: 'text/javascript',
+  default: 'text/plain'
+}
+
+const DEFAULT_INDEX_FILE = '/index.html'
+
+/**
+ * This a very minimal implementation of a static files http server.
+ *
+ * This is intend to be used only in the ${@link RemoteController} scenario and
+ * this is not feature complete.
+ *
+ * Some security measures to avoid external elements to sniff to files out of the base
+ * path are in place. Like Directory Transversal.
+ */
+export class HttpStaticServer {
+  constructor ({
+    basePath,
+    mimeTypes,
+    defaultMimeType,
+    indexFile
+  } = {}) {
+    this._basePath = basePath
+    this._mimeTypes = mimeTypes || DEFAULT_MIME_TYPES
+    this._indexFile = indexFile || DEFAULT_INDEX_FILE
+
+    if (this._mimeTypes.default === undefined) {
+      this._mimeTypes.default = defaultMimeType || DEFAULT_MIME_TYPES.default
+    }
+  }
+
+  serve (request, response) {
+    if (request.method === 'GET') {
+      const file = request.url !== '/' ? request.url : this._indexFile
+      const filePath = `${this._basePath}${file}`
+      const [, extension, ...rest] = file.split('.')
+      if (rest.length > 0) {
+        writeError(response, 403, '403 Forbidden!')
+        return
+      }
+
+      if (!fs.existsSync(filePath)) {
+        writeError(response, 404, '404 Not Found!')
+        return
+      }
+
+      fs.readFile(filePath, 'utf-8', (err, message) => {
+        if (err) {
+          writeError(response, 500, '500 Internal Server Error!')
+          return
+        }
+        response.writeHead(200, { 'Content-Type': this._mimeTypes[extension] || this._mimeTypes.default })
+        response.write(message)
+        response.end()
+      })
+    }
+  }
+}
+
+function writeError (response, code, errorMessage) {
+  response.writeHead(code, { 'Content-Type': 'text/plain' })
+  response.write(errorMessage)
+  response.end()
+}
diff --git a/packages/testkit-backend/src/infrastructure/index.js b/packages/testkit-backend/src/infrastructure/index.js
@@ -0,0 +1 @@
+export { HttpStaticServer } from './http-static.server'

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+export { HttpStaticServer } from './http-static.server'`