From f03e2d4d08ee443d772b808dfc14fe527298377b Mon Sep 17 00:00:00 2001
From: "Peter A. Jonsson"
Date: Sun, 5 May 2024 17:32:18 +0200
Subject: [PATCH] Replace express-brute

This replaces express-brute with rate-limiter-flexible, which removes the dependency on the vulnerable underscore version, and does not have a rate limit bypass vulnerability.
---
 lib/makeserver.js | 8 +++++---
 package.json | 5 +----
 yarn.lock | 23 +++++------------------
 3 files changed, 11 insertions(+), 25 deletions(-)

diff --git a/lib/makeserver.js b/lib/makeserver.js
index e9c4d1a2..4d449caf 100644
--- a/lib/makeserver.js
+++ b/lib/makeserver.js
@@ -8,7 +8,7 @@ var cors = require('cors');
 var exists = require('./exists');
 var basicAuth = require('basic-auth');
 var fs = require('fs');
-var ExpressBrute = require('express-brute');
+const ExpressBruteFlexible = require('rate-limiter-flexible/lib/ExpressBruteFlexible');
 
 /* Creates and returns a single express server. */
 module.exports = function(options) {
@@ -75,7 +75,6 @@ module.exports = function(options) {
 
 var auth = options.settings.basicAuthentication;
 if (auth && auth.username && auth.password) {
- var store = new ExpressBrute.MemoryStore();
 var rateLimitOptions = {
 freeRetries: 2,
 minWait: 200,
@@ -86,7 +85,10 @@ module.exports = function(options) {
 rateLimitOptions.minWait = options.settings.rateLimit.minWait;
 rateLimitOptions.maxWait = options.settings.rateLimit.maxWait;
 }
- var bruteforce = new ExpressBrute(store, rateLimitOptions);
+ const bruteforce = new ExpressBruteFlexible(
+ ExpressBruteFlexible.LIMITER_TYPES.MEMORY,
+ rateLimitOptions
+ );
 app.use(bruteforce.prevent, function(req, res, next) {
 var user = basicAuth(req);
 if (user && user.name === auth.username && user.pass === auth.password) {
diff --git a/package.json b/package.json
index 79b02355..b2b87391 100644
--- a/package.json
+++ b/package.json
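Review bot: The new `ExpressBruteFlexible` in the third makeserver.js hunk is built with `LIMITER_TYPES.MEMORY`, so attempt counters live in this process only: they are lost on restart and are not shared between worker processes, which matches the `MemoryStore` it replaces but is easy to overlook now that the explicit store argument is gone. A comment on the constructor would keep that visible, e.g. `// In-process counters (per worker, reset on restart); use a shared limiter type when running several instances.` The wrapper presumably keys attempts by client address as express-brute did, so behind a reverse proxy the limit's effectiveness depends on Express's `trust proxy` setting — worth confirming for deployments that terminate connections upstream. The exported function containing this hunk starts and ends outside it.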
@@ -6,9 +6,6 @@
 "engines": {
 "node": ">=12.0.0"
 },
- "resolutions": {
- "underscore": "^1.12.1"
- },
 "main": "lib/app.js",
 "scripts": {
 "test": "jasmine",
@@ -39,12 +36,12 @@
 "compression": "^1.6.0",
 "cors": "^2.7.1",
 "express": "^4.8.0",
- "express-brute": "^1.0.1",
 "json5": "^2.2.3",
 "morgan": "^1.7.0",
 "proj4": "^2.3.12",
 "proj4js-defs": "0.0.1",
 "range_check": "^1.4.0",
+ "rate-limiter-flexible": "^5.0.3",
 "request": "^2.88.2",
 "request-promise": "^4.0.1",
 "yargs": "^13.2.4"
diff --git a/yarn.lock b/yarn.lock
index a6d44a8a..12080726 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -392,14 +392,6 @@ events@1.1.1:
 resolved "https://registry.yarnpkg.com/events/-/events-1.1.1.tgz#9ebdb7635ad099c70dcc4c2a1f5004288e8bd924"
 integrity sha512-kEcvvCBByWXGnZy6JUlgAp2gBIUjfCAV6P6TgT1/aaQKcmuAEC4OZTV1I4EWQLz2gxZw76atuVyvHhTxvi0Flw==
 
-express-brute@^1.0.1:
- version "1.0.1"
- resolved "https://registry.yarnpkg.com/express-brute/-/express-brute-1.0.1.tgz#9f36d107fe34e40a682593e39bffcc53102b5335"
- integrity sha512-ieZmwox3oIZdQCVjvvnwQvrKQumWdb/JjmC9mWplF42AuHCBXr6Yk/I+nLTRQx+9F+2aapOW9kYLwA6xIlwA9g==
- dependencies:
- long-timeout "~0.1.1"
- underscore "~1.8.3"
-
 express@^4.8.0:
 version "4.19.2"
 resolved "https://registry.yarnpkg.com/express/-/express-4.19.2.tgz#e25437827a3aa7f2a827bc8171bbbb664a356465"
@@ -801,11 +793,6 @@ lodash@^4.17.19:
 resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
 integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
 
-long-timeout@~0.1.1:
- version "0.1.1"
- resolved "https://registry.yarnpkg.com/long-timeout/-/long-timeout-0.1.1.tgz#9721d788b47e0bcb5a24c2e2bee1a0da55dab514"
- integrity sha512-BFRuQUqc7x2NWxfJBCyUrN8iYUYznzL9JROmRz1gZ6KlOIgmoD+njPVbb+VNn2nGMKggMsK79iUNErillsrx7w==
-
 media-typer@0.3.0:
 version "0.3.0"
 resolved "https://registry.yarnpkg.com/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748"
@@ -1051,6 +1038,11 @@ range_check@^1.4.0:
 ip6 "0.0.4"
 ipaddr.js "1.2"
 
+rate-limiter-flexible@^5.0.3:
+ version "5.0.3"
+ resolved "https://registry.yarnpkg.com/rate-limiter-flexible/-/rate-limiter-flexible-5.0.3.tgz#bfbfd7585e09073ebe22d177126116862b1024ae"
+ integrity sha512-lWx2y8NBVlTOLPyqs+6y7dxfEpT6YFqKy3MzWbCy95sTTOhOuxufP2QvRyOHpfXpB9OUJPbVLybw3z3AVAS5fA==
+
 raw-body@2.5.2:
 version "2.5.2"
 resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.5.2.tgz#99febd83b90e08975087e8f1f9419a149366b68a"
@@ -1318,11 +1310,6 @@ type-is@~1.6.18:
 media-typer "0.3.0"
 mime-types "~2.1.24"
 
-underscore@^1.12.1, underscore@~1.8.3:
- version "1.13.6"
- resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.13.6.tgz#04786a1f589dc6c09f761fc5f45b89e935136441"
- integrity sha512-+A5Sja4HP1M08MaXya7p5LvjuM7K6q/2EaC0+iovj/wOcMsTzMvDFbasi/oSapiwOlt252IqsKqPjCl7huKS0A==
-
 unpipe@1.0.0, unpipe@~1.0.0:
 version "1.0.0"
 resolved "https://registry.yarnpkg.com/unpipe/-/unpipe-1.0.0.tgz#b2bf4ee8514aae6165b4817829d21b2ef49904ec"