Delo 4068 cloudinary web speed test server package json remote code e…

…xecution rce (#61)

* updated deps, minor adjustments and improvements

* paackage name change to avoid confusion (https://security.snyk.io/package/npm/pagespeed-server)

app.js

@@ -13,7 +13,7 @@ app.use(function (req, res, next) {
   res.header('Access-Control-Allow-Methods', 'GET, PUT, POST, DELETE, OPTIONS');
   if ('OPTIONS' === req.method) {
     //respond with 200
-    res.send(200);
+    res.sendStatus(200);
   }
   else {
     //move on

cloudinary/apiCaller.js

@@ -11,7 +11,7 @@ const _ = require('lodash');
 const cloudinaryParser = require('./cloudinaryResultParser');
 const cloudinary = require('cloudinary');
 const async = require('async');
-const request = require('got');
+const got = (...args) => import('got').then(({default: got}) => got(...args));
 
 const sendToAnalyze = (imagesArray, dpr, metaData, quality, cb, rollBarMsg) => {
   let batchSize = config.get('cloudinary.batchSize');
@@ -23,7 +23,7 @@ const addServerInfo = (imageList, batchSize, dpr, metaData, quality, cb, rollBar
   const list = imageList.filter((el) => el);
   let bs = list.length > batchSize ? batchSize : list.length;
   async.eachLimit(list, bs, (img, callback) => {
-    request.head(img.url).then(({headers}) => {
+    got({method: "HEAD", url: img.url}).then(({headers}) => {
       img.server = (headers.server) ? headers.server : 'N/A';
       callback();
     }).catch((e) => {

package.json

@@ -1,33 +1,35 @@
 {
-  "name": "pagespeed-server",
+  "name": "web-speed-test-server",
   "version": "1.1.2",
   "private": true,
   "scripts": {
     "test": "mocha",
-    "start": "node start.js"
+    "start": "node start.js",
+    "postinstall": "patch-package"
   },
   "dependencies": {
     "async": "^3.2.4",
     "body-parser": "~1.20.2",
     "bytes": "^3.1.2",
-    "cloudinary": "https://github.com/cloudinary/cloudinary_npm.git#analyze_api_legacy",
+    "cloudinary": "1.41.0",
     "config": "^3.3.9",
     "cookie-parser": "~1.4.6",
     "debug": "~4.3.4",
-    "dotenv": "^16.1.4",
+    "dotenv": "^16.3.1",
     "express": "~4.18.2",
-    "got": "^11.8.6",
+    "got": "^13.0.0",
     "lodash": "^4.17.21",
-    "rollbar": "^2.26.1",
+    "rollbar": "^2.26.2",
     "valid-url": "^1.0.9"
   },
   "devDependencies": {
-    "chai": "^4.3.7",
+    "chai": "^4.3.10",
     "chai-http": "^4.4.0",
     "husky": "^8.0.3",
     "mocha": "^10.2.0",
-    "nock": "^13.3.1",
-    "sinon": "^15.1.2",
+    "nock": "^13.3.3",
+    "patch-package": "^8.0.0",
+    "sinon": "^16.1.0",
     "sinon-chai": "^3.7.0"
   }
 }

patches/cloudinary+1.41.0.patch

@@ -0,0 +1,30 @@
+diff --git a/node_modules/cloudinary/lib-es5/utils/index.js b/node_modules/cloudinary/lib-es5/utils/index.js
+index 35f9385..76fd24e 100644
+--- a/node_modules/cloudinary/lib-es5/utils/index.js
++++ b/node_modules/cloudinary/lib-es5/utils/index.js
+@@ -437,7 +437,9 @@ function build_upload_params(options) {
+     accessibility_analysis: utils.as_safe_bool(options.accessibility_analysis),
+     use_asset_folder_as_public_id_prefix: utils.as_safe_bool(options.use_asset_folder_as_public_id_prefix),
+     visual_search: utils.as_safe_bool(options.visual_search),
+-    on_success: options.on_success
++    on_success: options.on_success,
++    /* for internal use only */
++    analyze: JSON.stringify(options.analyze)
+   };
+   return utils.updateable_resource_params(options, params);
+ }
+diff --git a/node_modules/cloudinary/lib/utils/index.js b/node_modules/cloudinary/lib/utils/index.js
+index 47acd25..a3ac938 100644
+--- a/node_modules/cloudinary/lib/utils/index.js
++++ b/node_modules/cloudinary/lib/utils/index.js
+@@ -415,7 +415,9 @@ function build_upload_params(options) {
+     accessibility_analysis: utils.as_safe_bool(options.accessibility_analysis),
+     use_asset_folder_as_public_id_prefix: utils.as_safe_bool(options.use_asset_folder_as_public_id_prefix),
+     visual_search: utils.as_safe_bool(options.visual_search),
+-    on_success: options.on_success
++    on_success: options.on_success,
++    /* for internal use only */
++    analyze: JSON.stringify(options.analyze)
+   };
+   return utils.updateable_resource_params(options, params);
+ }

wtp/apiCaller.js

@@ -6,7 +6,7 @@
 
 
 const path = require('path');
-const got = require('got');
+const got = (...args) => import('got').then(({default: got}) => got(...args));
 const config = require('config');
 const logger = require('../logger');
 const log = logger.logger;
@@ -19,12 +19,13 @@ const GET_TEST_STATUS = 'http://www.webpagetest.org/testStatus.php';
 
 const getTestResults = async (testId, quality, cb) => {
   let options = {
+    method: "GET",
     url: RESULTS_URL,
     searchParams: {test: testId},
     headers: { 'User-Agent': 'WebSpeedTest' }
   };
   try {
-    const response = await got.get(options)
+    const response = await got(options)
     const {statusCode, body} = response;
     let resBody = JSON.parse(body);
     let rollBarMsg = {testId: resBody.data.id, analyzedUrl: resBody.data.testUrl, thirdPartyErrorCode: "", file: path.basename((__filename))};
@@ -62,6 +63,7 @@ const runWtpTest = async (url, mobile, cb) => {
   const apiKeys = config.get('wtp.apiKey').split(',');
   const apiKey = apiKeys[Math.floor(Math.random() * apiKeys.length)];
   let options = {
+    method: "POST",
     url: RUN_TEST_URL,
     searchParams: {
             url: url,
@@ -81,7 +83,7 @@ const runWtpTest = async (url, mobile, cb) => {
   let response;
   let rollBarMsg = {testId: "", analyzedUrl: url, thirdPartyErrorCode: "", file: path.basename((__filename))};
   try {
-    response = await got.post(options);
+    response = await got(options);
     const {statusCode, body} = response;
     if (statusCode !== 200) {
       rollBarMsg.thirdPartyErrorCode = response.statusCode;
@@ -112,14 +114,15 @@ const runWtpTest = async (url, mobile, cb) => {
 
 const checkTestStatus = async (testId, quality, cb) => {
   let options = {
+    method: "GET",
     url: GET_TEST_STATUS,
     searchParams: {test: testId, k: config.get('wtp.apiKey'), f: "json"},
     'headers': { 'User-Agent': 'WebSpeedTest' }
   };
   let response;
   let rollBarMsg = {};
   try {
-    response = await got.get(options);
+    response = await got(options);
     const {statusCode, body} = response;
     let bodyJson = JSON.parse(body);
     rollBarMsg = {testId: testId, thirdPartyErrorCode: "", file: path.basename((__filename))};