EXUI-2013: Resolve crypto-js CVE (#844)

* Update crypto-js, update cryptowrapper.ts * yarn audit --------- Co-authored-by: Andy Wilkins <[email protected]> Co-authored-by: RiteshHMCTS <[email protected]>
hmcts · Jun 26, 2024 · 4f0669c · 4f0669c
1 parent 726d3c3
commit 4f0669c
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 13 deletions.
diff --git a/package.json b/package.json
@@ -86,7 +86,7 @@
     "@ngrx/store": "^16.3.0",
     "@ngrx/store-devtools": "^16.3.0",
     "@rxweb/reactive-form-validators": "2.1.2",
-    "@types/crypto-js": "^3.1.43",
+    "@types/crypto-js": "^4.2.2",
     "@types/express-session": "^1.17.0",
     "@types/multer": "^1.4.5",
     "@types/passport": "^1.0.3",
@@ -99,7 +99,7 @@
     "connect-redis": "^4.0.4",
     "cookie-parser": "^1.4.4",
     "core-js": "2.6.12",
-    "crypto-js": "^3.1.9-1",
+    "crypto-js": "^4.2.0",
     "csurf": "^1.11.0",
     "dotenv-extended": "^2.7.1",
     "ejs": "~3.1.7",

diff --git a/src/app/services/cryptoWrapper.ts b/src/app/services/cryptoWrapper.ts
@@ -1,14 +1,16 @@
 import { Injectable } from '@angular/core';
-import { AES, enc, SHA256, WordArray } from 'crypto-js';
+import { AES, enc, SHA256 } from 'crypto-js';
 
 @Injectable()
 export class CryptoWrapper {
-  public encrypt(message: string, secret: string = 'secret'): WordArray {
-    const userIdEncrypted = AES.encrypt(message, secret, SHA256);
-    return userIdEncrypted;
+  public encrypt(message: string, secret: string = 'secret'): string {
+    const key = SHA256(secret).toString();
+    return AES.encrypt(message, key).toString();
   }
 
-  public decrypt(encrypted: WordArray, secret: string = 'secret'): string {
-    return AES.decrypt(encrypted, secret, SHA256).toString(enc.Utf8);
+  public decrypt(encrypted: string, secret: string = 'secret'): string {
+    const key = SHA256(secret).toString();
+    const bytes = AES.decrypt(encrypted, key);
+    return bytes.toString(enc.Utf8);
   }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -10059,10 +10059,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"crypto-js@npm:^3.1.9-1":
-  version: 3.3.0
-  resolution: "crypto-js@npm:3.3.0"
-  checksum: 193923143a4784b2f974366068d96fe8280168fd3fef2bfea9551a5c3e32096f5a8fa49ff4eeb5bd0b9716d325618d38cfbe6125e359a4ef488fbca93e600824
+"crypto-js@npm:^4.2.0":
+  version: 4.2.0
+  resolution: "crypto-js@npm:4.2.0"
+  checksum: f051666dbc077c8324777f44fbd3aaea2986f198fe85092535130d17026c7c2ccf2d23ee5b29b36f7a4a07312db2fae23c9094b644cc35f7858b1b4fcaf27774
   languageName: node
   linkType: hard
 
@@ -18589,7 +18589,7 @@ __metadata:
     connect-redis: ^4.0.4
     cookie-parser: ^1.4.4
     core-js: 2.6.12
-    crypto-js: ^3.1.9-1
+    crypto-js: ^4.2.0
     csurf: ^1.11.0
     cucumber-html-reporter: ^7.1.1
     cucumber-pretty: 6.0.1