Annual npm vulnerabilities audit (#21)

Olha Virolainen · web-flow · commit fd72e1139723 · 2020-11-20T11:36:02.000+02:00
Annual npm vulnerabilities audit
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -0,0 +1,31 @@
+version: 2
+jobs:
+  test:
+    docker:
+      - image: circleci/node:14-stretch
+    steps:
+      - checkout
+      - restore_cache:
+          key: dependency-cache-{{ checksum "package.json" }}
+      - run:
+          name: Audit Dependencies
+          command: npm audit --audit-level=high
+      - run:
+          name: Installing Dependencies
+          command: npm install
+      - save_cache:
+          key: dependency-cache-{{ checksum "package.json" }}
+          paths:
+            - node_modules
+      - run:
+          name: Running Unit Tests
+          command: npm test
+      - run:
+          name: Running Integration Tests
+          command: npm run integration-test
+
+workflows:
+  version: 2
+  build_and_test:
+    jobs:
+      - test
diff --git a/.travis.yml b/.travis.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+ ## 1.1.3 (November 20, 2020)
+
+  * Update Sailor version to 2.6.18
+  * Annual audit of the component code to check if it exposes a sensitive data in the logs
+  * Annual npm vulnerabilities audit
+
  ## 1.1.2 (July 24, 2020)
  
   * Update sailor version to 2.6.14
diff --git a/README.md b/README.md
@@ -1,4 +1,5 @@
-# mssql-component [![NPM version][npm-image]][npm-url] [![Build Status][travis-image]][travis-url] [![Dependency Status][daviddm-image]][daviddm-url]
+[![CircleCI](https://circleci.com/gh/elasticio/mssql-component.svg?style=svg)](https://circleci.com/gh/elasticio/mssql-component)
+# mssql-component 
 > elastic.io integration component for Microsoft SQL Server
 
 # mssql-component
diff --git a/lib/actions/insert.js b/lib/actions/insert.js
@@ -26,18 +26,18 @@ function init(cfg) {
     cfg.database
   }${(cfg.domain) ? `?domain=${cfg.domain}&encrypt=${cfg.encrypt}`
     : `?encrypt=${cfg.encrypt}`}`;
-  logger.trace(conString);
+  logger.debug('Connection string is created');
   return co(function* gen() {
     logger.info('Connecting to the database');
     const connection = new cosql.Connection(conString);
     // Always attach an error listener
-    connection.on('error', (err) => this.emit('error', err));
+    connection.on('error', err => this.emit('error', err));
     let sql = cfg.query;
     yield connection.connect();
     logger.info('Connection established');
-    logger.trace('Preparing query=%s', sql);
+    logger.debug('Preparing query...');
     const vars = sql.match(VARS_REGEXP);
-    logger.trace('Found following prepared variable:type pairs=%j', vars);
+    logger.debug('Found prepared variable:type pairs');
     pstmt = new cosql.PreparedStatement(connection);
     for (const tuple of vars) {
       const [placeholder, type] = tuple.split(':');
@@ -74,7 +74,7 @@ function init(cfg) {
       // Now let's remove all :string :boolean :date etc to the name only
       sql = sql.replace(tuple, placeholder);
     }
-    logger.trace('Resulting SQL=%s', sql);
+    logger.trace('Resulting SQL is ready');
     yield pstmt.prepare(sql);
     logger.info('Preparing statement created');
   }.bind(this));
diff --git a/lib/actions/select.js b/lib/actions/select.js
@@ -28,7 +28,7 @@ function init(cfg) {
   return co(function* gen() {
     logger.info('Connecting to the database');
     connection = new cosql.Connection(conString);
-    connection.on('error', (err) => this.emit('error', err));
+    connection.on('error', err => this.emit('error', err));
     yield connection.connect();
     logger.info('Connection established');
   }.bind(this));
@@ -47,15 +47,14 @@ function processAction(msg, cfg, snapshot = {}) {
   const lastPoll = snapshot.lastPoll || new Date(0).toISOString();
   this.logger.info('Last polling timestamp=%s', lastPoll);
   const sql = originalSql.split(LAST_POLL_PLACEHOLDER).join(lastPoll);
-  this.logger.trace('Original query=%s', originalSql);
-  this.logger.trace('Transformed query=%s', sql);
+  this.logger.debug('Transformed query is ready');
   const that = this;
   return co(function* gen() {
     const request = new cosql.Request(connection);
     request.stream = true;
 
-    request.on('recordset', (recordset) => {
-      that.logger.trace('Have got recordset metadata=%j', recordset);
+    request.on('recordset', () => {
+      that.logger.trace('Have got recordset metadata');
     });
 
     request.on('row', (row) => {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "mssql-component",
-  "version": "1.1.2",
+  "version": "1.1.3",
   "description": "elastic.io integration component for Microsoft SQL Server",
   "homepage": "https://www.elastic.io",
   "author": {
@@ -25,16 +25,16 @@
     "node": ">=12.13.0"
   },
   "scripts": {
-    "pretest": "node_modules/.bin/eslint lib spec spec-integration --ext .json --ext .js --fix",
+    "pretest": "eslint lib spec spec-integration --ext .json --ext .js --fix",
     "test": "NODE_ENV=test mocha spec/*",
-    "integration-test": "NODE_ENV=test mocha spec-integration/* --exit"
+    "integration-test": "mocha spec-integration --recursive --timeout 10000 --exit"
   },
   "dependencies": {
     "bluebird": "3.4.6",
     "co": "4.6.0",
     "co-mssql": "1.3.0",
     "elasticio-node": "0.0.9",
-    "elasticio-sailor-nodejs": "2.6.14",
+    "elasticio-sailor-nodejs": "2.6.18",
     "@elastic.io/component-logger": "0.0.1",
     "mssql": "4.1.0",
     "request": "2.87.0",
diff --git a/spec-integration/integration.spec.js b/spec-integration/integration.spec.js
@@ -92,7 +92,7 @@ describe('Integration test', () => {
       select.process.call({
         emit: emitter,
         logger,
-      }, msg, cfg).catch((err) => done(err));
+      }, msg, cfg).catch(err => done(err));
     });
   });
 
@@ -124,7 +124,7 @@ describe('Integration test', () => {
       select.process.call({
         emit: emitter,
         logger,
-      }, msg, cfg).catch((err) => done(err));
+      }, msg, cfg).catch(err => done(err));
     });
   });
 
@@ -158,7 +158,7 @@ describe('Integration test', () => {
       select.process.call({
         emit: emitter,
         logger,
-      }, msg, cfg, {}).catch((err) => done(err));
+      }, msg, cfg, {}).catch(err => done(err));
     });
   });
 });
diff --git a/spec-integration/verifyCredentials.spec.js b/spec-integration/verifyCredentials.spec.js
@@ -0,0 +1,37 @@
+const fs = require('fs');
+const { expect } = require('chai');
+const logger = require('@elastic.io/component-logger')();
+const verifyCredentials = require('../verifyCredentials');
+
+describe('Integration test verify credentials', () => {
+  if (fs.existsSync('.env')) {
+    // eslint-disable-next-line global-require
+    require('dotenv').config();
+  }
+  before(() => {
+    if (!process.env.MSSQL_USERNAME) { throw new Error('Please set MSSQL_USERNAME env variable to proceed'); }
+    if (!process.env.MSSQL_PASSWORD) { throw new Error('Please set MSSQL_PASSWORD env variable to proceed'); }
+    if (!process.env.MSSQL_SERVER) { throw new Error('Please set MSSQL_SERVER env variable to proceed'); }
+    if (!process.env.MSSQL_DATABASE) { throw new Error('Please set MSSQL_DATABASE env variable to proceed'); }
+  });
+  const cfg = {
+    username: process.env.MSSQL_USERNAME,
+    password: process.env.MSSQL_PASSWORD,
+    server: process.env.MSSQL_SERVER,
+    port: process.env.MSSQL_PORT,
+    instance: process.env.MSSQL_INSTANCE,
+    database: process.env.MSSQL_DATABASE,
+    domain: process.env.MSSQL_DOMAIN,
+    encrypt: process.env.MSSQL_ENCRYPT,
+  };
+
+  it('should successfully verify credentials', (done) => {
+    verifyCredentials.call({ logger }, cfg, (err, result) => {
+      if (err) {
+        done(err);
+      }
+      expect(result).deep.equal({ verified: true });
+      done();
+    });
+  });
+});
diff --git a/verifyCredentials.js b/verifyCredentials.js
@@ -1,31 +1,31 @@
-'use strict';
 const co = require('co');
 const sql = require('co-mssql');
 
 // This function will be called by the platform to verify credentials
 module.exports = function verifyCredentials(credentials, cb) {
-  console.log('Credentials passed for verification %j', credentials);
-  co(function*() {
-    console.log('Connecting to the database');
-    var uri = 'mssql://'
-      + encodeURIComponent(credentials.username)
-      + ':'
-      + encodeURIComponent(credentials.password)
-      + '@'
-      + credentials.server
-      + ((credentials.port) ? ':' + credentials.port : '')
-      + ((credentials.instance) ? '/' + credentials.instance : '')
-      + '/'
-      + credentials.database
-      + ((credentials.domain) ? '?domain=' + credentials.domain + '&encrypt=' + credentials.encrypt
-                              : '?encrypt=' + credentials.encrypt);
-    var connection = new sql.Connection(uri);
+  const self = this;
+  self.logger.info('Starting credentials verification');
+  co(function* () {
+    self.logger.info('Connecting to the database');
+    const uri = `mssql://${
+      encodeURIComponent(credentials.username)
+    }:${
+      encodeURIComponent(credentials.password)
+    }@${
+      credentials.server
+    }${(credentials.port) ? `:${credentials.port}` : ''
+    }${(credentials.instance) ? `/${credentials.instance}` : ''
+    }/${
+      credentials.database
+    }${(credentials.domain) ? `?domain=${credentials.domain}&encrypt=${credentials.encrypt}`
+      : `?encrypt=${credentials.encrypt}`}`;
+    const connection = new sql.Connection(uri);
     yield connection.connect();
-    console.log('Verification completed successfully');
+    self.logger.info('Verification completed successfully');
     yield connection.close();
-    cb(null, {verified: true});
-  }).catch(err => {
-    console.log('Error occurred', err.stack || err);
-    cb(err , {verified: false});
+    cb(null, { verified: true });
+  }).catch((err) => {
+    self.logger.info('Error occurred, credentials are not valid');
+    cb(err, { verified: false });
   });
 };
