Merge pull request #47 from henrythasler/bugfix/codeql-findings

Fix CodeQL findings
henrythasler · Apr 2, 2024 · be766c5 · be766c5
2 parents 48944bc + 82764c1
commit be766c5
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 7 deletions.
diff --git a/.github/workflows/deploy-lambda.yml b/.github/workflows/deploy-lambda.yml
@@ -0,0 +1,31 @@
+name: Deploy Nodejs Lambda
+
+on:
+ push:
+ branches: [ "master" ]
+ tags: [ '*' ] 
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@main
+ - name: Use Node.js 20.x
+ uses: actions/setup-node@main
+ with:
+ node-version: 20.x
+ cache: 'npm'
+ - name: predeploy
+ run: | 
+ npm ci
+ npm run predeploy
+ - name: Setup AWS CLI
+ uses: aws-actions/configure-aws-credentials@main
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: eu-central-1
+ - name: deploy to AWS lambda
+ run: aws lambda update-function-code --function-name tileserver --zip-file fileb://dist/function.zip
+ #run: aws lambda create-function --dry-run --function-name tileserver --description "Deploy commit ${{github.sha}} by ${{github.actor}}" --runtime nodejs18.x --handler handler --role ${{ secrets.AWS_LAMBDA_TILESERVER_ROLE }} --zip-file fileb://dist/function.zip
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "cloud-tileserver",
- "version": "1.3.0",
+ "version": "1.3.1",
  "description": "AWS lambda function to handle vectortile queries via REST",
  "main": "index.js",
  "scripts": {

diff --git a/src/tileserver.ts b/src/tileserver.ts
@@ -21,8 +21,8 @@ export class Log {
  this.loglevel = level;
  }
 
- show(msg: any, level: number) {
- if (level <= this.loglevel) console.log(msg);
+ show(msg: string, level: number) {
+ if (level <= this.loglevel) console.log(msg.replace(/\n|\r/g, ""));
  }
 }
 
@@ -103,6 +103,10 @@ export class Tileserver {
  * @return a tile for subsequent use or null if no valid Tile could be extracted. 
  */
  extractTile(path: string): Tile | null {
+ if (path.length > 1000) {
+ this.log.show(`extractTile(): input path length exceeds limit`, LogLevels.ERROR);
+ return null;
+ }
  const tile: Tile = { x: 0, y: 0, z: 0 };
  const tilepath: RegExpMatchArray | null = path.match(/\d+\/\d+\/\d+(?=\.mvt\b)/g);
  if (tilepath) {
@@ -121,6 +125,10 @@ export class Tileserver {
  * @return the name of the source if found
  */
  extractSource(path: string): string | null {
+ if (path.length > 1000) {
+ this.log.show(`extractSource(): input path length exceeds limit`, LogLevels.ERROR);
+ return null;
+ }
  // match the last word between slashes before the actual tile (3-numbers + extension)
  const sourceCandidates: RegExpMatchArray | null = path.match(/(?!\/)\w+(?=\/\d+\/\d+\/\d+\.mvt\b)/g)
  if (sourceCandidates != null && sourceCandidates.length > 0) {
@@ -352,7 +360,7 @@ export class Tileserver {
  const error: Error = _e as Error;
  mvt.res = -4;
  mvt.status = `[ERROR] - Database error: ${error.message}`;
- this.log.show(error, LogLevels.ERROR);
+ this.log.show(error.message, LogLevels.ERROR);
  return mvt;
  }
  }
@@ -365,7 +373,7 @@ export class Tileserver {
  data = Buffer.from("");
  }
 
- this.log.show(data, LogLevels.TRACE);
+ this.log.show(data.toString("base64"), LogLevels.TRACE);
 
  const uncompressedBytes = data.byteLength;
  if (this.gzip) mvt.data = await asyncgzip(data) as Buffer;

diff --git a/test/parser.test.ts b/test/parser.test.ts
@@ -35,11 +35,16 @@ describe("Parsing functions", function () {
  let tile: Tile | null = tileserver.extractTile("foo");
  expect(tile).to.be.null;
  });
- it("extractTile negative #3 - invalid extension", function () {
+ it("extractTile negative #4 - invalid extension", function () {
  let tile: Tile | null = tileserver.extractTile("/local/14/8691/5677.mvtinvalid");
  expect(tile).to.be.null;
  });
-
+ it("extractTile negative #5 - oversized input", function () {
+ const longString = '9'.repeat(1024);
+ let tile: Tile | null = tileserver.extractTile(longString);
+ expect(tile).to.be.null;
+ });
+
 
  it("extractSource regular #1 - simple path", function () {
  let source: string | null = tileserver.extractSource("/local/0/0/0.mvt");
@@ -58,6 +63,11 @@ describe("Parsing functions", function () {
  let source: string | null = tileserver.extractSource("foo");
  expect(source).to.be.null;
  });
+ it("extractSource negative #3 - input length limit exceeded", function () {
+ const longString = '9'.repeat(1024);
+ let source: string | null = tileserver.extractSource(longString);
+ expect(source).to.be.null;
+ }); 
  it("extractSource SQL-Injection #1 - `select now()`", function () {
  let source: string | null = tileserver.extractSource("/select+now%28%29/0/0/0.mvt");
  expect(source).to.be.equal('29');