Update webpack to v5

lib/client/adminnotifiesclient.js

@@ -66,6 +66,7 @@ function init (client, $) {
     if (messages && messages.length > 0) {
       html += '<p><b>' + translate('You have administration messages') + '</b></p>';
       for(var i = 0 ; i < messages.length; i++) {
+        /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
         var m = messages[i];
         const ago = Math.round((Date.now() - m.lastRecorded) / 60000);
         html += wrapmessage(translate(m.title), translate(m.message), m.count, ago, m.persistent);

lib/client/boluscalc.js

@@ -252,6 +252,7 @@ function init (client, $) {
       var html = '<table  style="float:right;margin-right:20px;font-size:12px">';
       var carbs = 0;
       for (var fi = 0; fi < record.foods.length; fi++) {
+        /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
         var f = record.foods[fi];
         carbs += f.carbs * f.portions;
         html += '<tr>';
@@ -426,6 +427,7 @@ function init (client, $) {
     if (record.foods.length) {
       var gisum = 0;
       for (var fi = 0; fi < record.foods.length; fi++) {
+        /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
         var f = record.foods[fi];
         record.carbs += f.carbs * f.portions;
         gisum += f.carbs * f.portions * f.gi;
@@ -576,7 +578,7 @@ function init (client, $) {
       foods = [];
       $('#bc_addfoodarea').css('display', '');
     } else {
-      var qp = quickpicks[qpiselected];
+      var qp = quickpicks[parseInt(qpiselected)];
       foods = _.cloneDeep(qp.foods);
       $('#bc_addfoodarea').css('display', 'none');
     }
@@ -589,7 +591,7 @@ function init (client, $) {
     var qpiselected = $('#bc_quickpick').val();
 
     if (qpiselected >= 0) {
-      var qp = quickpicks[qpiselected];
+      var qp = quickpicks[parseInt(qpiselected)];
       if (qp.hideafteruse) {
         qp.hidden = true;
 
@@ -652,6 +654,7 @@ function init (client, $) {
     });
     $('#bc_quickpick').empty().append('<option value="-1">' + translate('(none)') + '</option>');
     for (var i = 0; i < records.length; i++) {
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
       var r = records[i];
       $('#bc_quickpick').append('<option value="' + i + '">' + r.name + ' (' + r.carbs + ' g)</option>');
     }
@@ -696,6 +699,7 @@ function init (client, $) {
     }
     $('#bc_data').empty();
     for (var i = 0; i < foodlist.length; i++) {
+      /* eslint-disable security/detect-object-injection */ // verified false positive
       if (filter.category !== '' && foodlist[i].category !== filter.category) { continue; }
       if (filter.subcategory !== '' && foodlist[i].subcategory !== filter.subcategory) { continue; }
       if (filter.name !== '' && foodlist[i].name.toLowerCase().indexOf(filter.name.toLowerCase()) < 0) { continue; }
@@ -705,6 +709,7 @@ function init (client, $) {
       o += foodlist[i].unit + ' | ';
       o += 'Carbs: ' + foodlist[i].carbs + ' g';
       $('#bc_data').append('<option value="' + i + '">' + o + '</option>');
+      /* eslint-enable security/detect-object-injection */ // verified false positive
     }
     $('#bc_addportions').val('1');
 
@@ -728,8 +733,11 @@ function init (client, $) {
             var index = $('#bc_data').val();
             var portions = parseFloat($('#bc_addportions').val().replace(',', '.'));
             if (index !== null && !isNaN(portions) && portions > 0) {
+              index = parseInt(index);
+              /* eslint-disable security/detect-object-injection */ // verified false positive
               foodlist[index].portions = portions;
               foods.push(_.cloneDeep(foodlist[index]));
+              /* eslint-enable security/detect-object-injection */ // verified false positive
               $(this).dialog('close');
               boluscalc.calculateInsulin();
             }

lib/client/browser-settings.js

@@ -170,6 +170,7 @@ function init (client, serverSettings, $) {
     });
 
     //if there is a token, append it to each of the links in the hamburger menu
+    /* eslint-disable security/detect-possible-timing-attacks */ // verified false positive
     if (token != '') {
       token = '?token=' + token;
       $('#reportlink').attr('href', 'report' + token);
@@ -215,6 +216,7 @@ function init (client, serverSettings, $) {
 
       function storeInBrowser (data) {
         Object.keys(data).forEach(k => {
+          /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
           storage.set(k, data[k]);
         });
       }
@@ -279,6 +281,7 @@ function init (client, serverSettings, $) {
   try {
     settings.eachSetting(function setEach (name) {
       var stored = storage.get(name);
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
       return stored !== undefined && stored !== null ? stored : serverSettings.settings[name];
     });
 

lib/client/careportal.js

@@ -76,6 +76,13 @@ function init (client, $) {
       }
     }
 
+    // validate the eventType input - should never hit this but bail if we do
+    if (!Object.prototype.hasOwnProperty.call(inputMatrix, eventType)) {
+      maybePrevent(event);
+      return;
+    }
+
+    /* eslint-disable security/detect-object-injection */ // verified false positive by check above
     var reasons = inputMatrix[eventType]['reasons'];
     $('#reasonLabel').css('display', displayType(reasons && reasons.length > 0));
     $('#targets').css('display', displayType(inputMatrix[eventType]['targets']));
@@ -125,13 +132,20 @@ function init (client, $) {
     resetIfHidden(inputMatrix[eventType]['prebolus'], '#preBolus');
     resetIfHidden(inputMatrix[eventType]['split'], '#insulinSplitNow');
     resetIfHidden(inputMatrix[eventType]['split'], '#insulinSplitExt');
+    /* eslint-enable security/detect-object-injection */ // verified false positive
 
     maybePrevent(event);
   };
 
   careportal.reasonable = function reasonable () {
     var eventType = $('#eventType').val();
-    var reasons = inputMatrix[eventType]['reasons'];
+    var reasons = [];
+
+    // validate the eventType input before getting the reasons list
+    if (Object.prototype.hasOwnProperty.call(inputMatrix, eventType)) {
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
+      reasons = inputMatrix[eventType]['reasons'];
+    }
     var selected = $('#reason').val();
 
     var reason = _.find(reasons, function matches (r) {
@@ -267,7 +281,13 @@ function init (client, $) {
       delete data.preBolus;
     }
 
-    var reasons = inputMatrix[eventType]['reasons'];
+    var reasons = [];
+
+    // validate the eventType input before getting the reasons list
+    if (Object.prototype.hasOwnProperty.call(inputMatrix, eventType)) {
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
+      reasons = inputMatrix[eventType]['reasons'];
+    }
     var reason = _.find(reasons, function matches (r) {
       return r.name === selectedReason;
     });
@@ -315,9 +335,11 @@ function init (client, $) {
 
     let d = {};
     Object.keys(data).forEach(function(key) {
+      /* eslint-disable security/detect-object-injection */ // verified false positive
       if (data[key] !== "" && data[key] !== null) {
-          d[key] = data[key]
-        }
+        d[key] = data[key]
+      }
+      /* eslint-enable security/detect-object-injection */ // verified false positive
     });
 
     return d;

lib/client/chart.js

@@ -703,6 +703,7 @@ function init (client, d3, $) {
     var pointTypes = client.settings.showForecast.split(' ');
 
     var points = pointTypes.reduce( function (points, type) {
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
       return points.concat(client.sbx.pluginBase.forecastPoints[type] || []);
     }, [] );
 

lib/client/clock-client.js

@@ -90,11 +90,15 @@ client.render = function render () {
 
   for (let param in faceParams) {
     if (param === '0') {
-      bgColor = (faceParams[param].substr(0, 1) === 'c'); // do we want colorful background?
-      alwaysShowTime = (faceParams[param].substr(1, 1) === 'y'); // always show "stale time" text?
-      staleMinutes = (faceParams[param].substr(2, 2) - 0 >= 0) ? faceParams[param].substr(2, 2) : 13; // threshold value (0=never)
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
+      let faceParam = faceParams[param];
+      bgColor = (faceParam.substr(0, 1) === 'c'); // do we want colorful background?
+      alwaysShowTime = (faceParam.substr(1, 1) === 'y'); // always show "stale time" text?
+      staleMinutes = (faceParam.substr(2, 2) - 0 >= 0) ? faceParam.substr(2, 2) : 13; // threshold value (0=never)
     } else if (!clockCreated) {
-      let div = '<div class="' + faceParams[param].substr(0, 2) + '"' + ((faceParams[param].substr(2, 2) - 0 > 0) ? ' style="' + ((faceParams[param].substr(0, 2) === 'ar') ? 'height' : 'font-size') + ':' + faceParams[param].substr(2, 2) + 'vmin"' : '') + '></div>';
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
+      let faceParam = faceParams[param];
+      let div = '<div class="' + faceParam.substr(0, 2) + '"' + ((faceParam.substr(2, 2) - 0 > 0) ? ' style="' + ((faceParam.substr(0, 2) === 'ar') ? 'height' : 'font-size') + ':' + faceParam.substr(2, 2) + 'vmin"' : '') + '></div>';
       $inner.append(div);
     }
   }

lib/client/d3locales.js

@@ -234,9 +234,14 @@ d3locales.locale = function locale (language) {
     ,bg: 'bg_BG'
   };
   var loc = 'en_US';
-  if (mapper[language]) {
+
+  // validate the eventType input before getting the reasons list
+  if (Object.prototype.hasOwnProperty.call(mapper, language)) {
+    /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
     loc = mapper[language];
   }
+
+  /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
   return d3locales[loc];
 };
 

lib/client/index.js

@@ -871,9 +871,15 @@ client.load = function load (serverSettings, callback) {
 
   function getClientAlarm (level, group) {
     var key = level + '-' + group;
-    var alarm = clientAlarms[key];
+    var alarm = null;
+    // validate the key before getting the alarm
+    if (Object.prototype.hasOwnProperty.call(clientAlarms, key)) {
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
+      alarm = clientAlarms[key];
+    }
     if (!alarm) {
       alarm = { level: level, group: group };
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
       clientAlarms[key] = alarm;
     }
     return alarm;
@@ -963,6 +969,7 @@ client.load = function load (serverSettings, callback) {
 
     document.addEventListener(visibilityChange, function visibilityChanged () {
       var prevHidden = client.documentHidden;
+      /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
       client.documentHidden = document[hidden];
 
       if (prevHidden && !client.documentHidden) {
@@ -1002,6 +1009,7 @@ client.load = function load (serverSettings, callback) {
 
   $('.bgButton').click(function(e) {
     if (alarmingNow()) {
+      /* eslint-disable-next-line security/detect-non-literal-fs-filename */ // verified false positive
       silenceDropdown.open(e);
     }
   });
@@ -1016,6 +1024,7 @@ client.load = function load (serverSettings, callback) {
       Storages.localStorage.set('focusHours', hours);
       refreshChart();
     } else {
+      /* eslint-disable-next-line security/detect-non-literal-fs-filename */ // verified false positive
       viewDropdown.open(e);
     }
   });

lib/client/receiveddata.js

@@ -11,17 +11,21 @@ function mergeDataUpdate (isDelta, cachedDataArray, receivedDataArray, maxAge) {
     var l = oldArray.length;
 
     for (var i = 0; i < l; i++) {
+      /* eslint-disable security/detect-object-injection */ // verified false positive
       if (oldArray[i] !== null) {
         seen.push(oldArray[i].mills);
       }
+      /* eslint-enable security/detect-object-injection */ // verified false positive
     }
 
     var result = [];
     l = newArray.length;
     for (var j = 0; j < l; j++) {
+      /* eslint-disable security/detect-object-injection */ // verified false positive
       if (!seen.includes(newArray[j].mills)) {
         result.push(newArray[j]); //console.log('delta data found');
       }
+      /* eslint-enable security/detect-object-injection */ // verified false positive
     }
     return result;
   }
@@ -41,6 +45,7 @@ function mergeDataUpdate (isDelta, cachedDataArray, receivedDataArray, maxAge) {
   var twoDaysAgo = new Date().getTime() - mAge;
 
   for (var i = 0; i < cachedDataArray.length; i++) {
+    /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
     var element = cachedDataArray[i];
     if (element !== null && element !== undefined && element.mills <= twoDaysAgo) {
       cachedDataArray.splice(i, 0);
@@ -70,12 +75,14 @@ function mergeTreatmentUpdate (isDelta, cachedDataArray, receivedDataArray) {
   var l = receivedDataArray.length;
   var m = cachedDataArray.length;
   for (var i = 0; i < l; i++) {
+    /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
     var no = receivedDataArray[i];
     if (!no.action) {
       cachedDataArray.push(no);
       continue;
     }
     for (var j = 0; j < m; j++) {
+      /* eslint-disable security/detect-object-injection */ // verified false positive
       if (no._id === cachedDataArray[j]._id) {
         if (no.action === 'remove') {
           cachedDataArray.splice(j, 1);

lib/client/renderer.js

@@ -618,6 +618,7 @@ function init (client, d3) {
       if (treatment.boluscalc.foods && treatment.boluscalc.foods.length) {
         html += '<table><tr><td><strong>' + translate('Food') + '</strong></td></tr>';
         for (var fi = 0; fi < treatment.boluscalc.foods.length; fi++) {
+          /* eslint-disable-next-line security/detect-object-injection */ // verified false positive
           var f = treatment.boluscalc.foods[fi];
           html += '<tr>';
           html += '<td>' + f.name + '</td>';

lib/language.js

@@ -106,7 +106,7 @@ function init (fs) {
 
     if (keys) {
       for (i = 0; i < keys.length; i++) {
-        // eslint-disable-next-line no-useless-escape
+        /* eslint-disable-next-line no-useless-escape, security/detect-non-literal-regexp */ // validated false positive
         var r = new RegExp('\%' + (i + 1), 'g');
         translated = translated.replace(r, keys[i]);
       }
@@ -144,6 +144,7 @@ function init (fs) {
   language.loadLocalization = function loadLocalization (fs, path) {
     let filename = './translations/' + this.getFilename(this.lang);
     if (path) filename = path.resolve(__dirname, filename);
+    /* eslint-disable-next-line security/detect-non-literal-fs-filename */ // verified false positive; well defined set of values
     const l = fs.readFileSync(filename);
     this.offerTranslations(JSON.parse(l));
   }

lib/server/app.js

@@ -311,7 +311,6 @@ function create (env, ctx) {
       middleware(compiler, {
         // webpack-dev-middleware options
         publicPath: webpack_conf.output.publicPath
-        , lazy: false
       })
     );