I cloned the GitHub project of figway in order to query the attributes of the entities to the Orion but I'm getting an error in all Python scripts:
File "GetEntity.py", line 37, in <module>
config = ConfigParser.RawConfigParser(allow_no_value=True)
TypeError: __init__() got an unexpected keyword argument 'allow_no_value'
I called it like -> python GetEntity.py Room
Some tips to investigate what is going on:
You should be using Python 2.7 to run these scripts. Can you please let me know which version and OS you are using?
We have updated FIGWAY last week. Can you please clone it again if you did it before?
You should be using the new scripts at folder: /python-IDAS4/ContextBroker
With the previous assumptions you should get something like this (as long as that entity does not exist on that ContextBroker at the time being):
i6@raspberrypi ~/github/fiware-figway/python-IDAS4/ContextBroker $ python GetEntity.py Room
* Asking to http://130.206.80.40:1026/ngsi10/queryContext
* Headers: {'Fiware-Service': 'OpenIoT', 'content-type': 'application/json', 'accept': 'application/json', 'X-Auth-Token': 'NULL'}
* Sending PAYLOAD:
{
"entities": [
{
"type": "",
"id": "Room",
"isPattern": "false"
}
],
"attributes": []
}
...
* Status Code: 200
* Response:
{
"errorCode" : {
"code" : "404",
"reasonPhrase" : "No context element found"
}
}
Snyk finds some code quality issue that should be ignored. I'm using Snyk CLI:
"snyk code test"
✗ [High] Server-Side Request Forgery (SSRF)
Path: project/src/main/java/com/MyClass.java, line 140
Info: Unsanitized input from an HTTP parameter flows into org.apache.http.client.methods.HttpPost, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.
That's an example.
I know that to ignore something I need to put this in the .snyk file.
I had trouble doing that so I've put the same thing 4 times:
ignore:
  'java/Ssrf':
    - '*':
        reason: None Given
        expires: 2023-02-17T14:43:55.203Z
        created: 2023-01-18T14:43:55.205Z
  'CWE-918':
    - '*':
        reason: None Given
        expires: 2023-02-17T14:43:55.203Z
        created: 2023-01-18T14:43:55.205Z
  java/Ssrf:
    - '*':
        reason: None Given
        expires: 2023-02-17T14:43:55.203Z
        created: 2023-01-18T14:43:55.205Z
  CWE-918:
    - '*':
        reason: None Given
        expires: 2023-02-17T14:43:55.203Z
        created: 2023-01-18T14:43:55.205Z
But it still throws that problem.
I've added to 'snyk code test' --policy-path=.snyk - no help.
I've tried to use in the id 'Server-Side Request Forgery (SSRF)' <- no success.
All I see in the documentation is ignoring dependency vulnerabilities. Is it possible to use that for code checks?
I got CWE-918 and 'java/Ssrf' by calling that test to json:
"rules": [
{
"id": "java/Ssrf",
"name": "Ssrf",
"shortDescription": {
"text": "Server-Side Request Forgery (SSRF)"
},
"defaultConfiguration": {
"level": "error"
},
"precision": "very-high",
"repoDatasetSize": 233,
"cwe": [
"CWE-918"
]
}
Is it anyhow possible to do that?
I built a GraphQL API with Apollo and Prisma ORM which is connected to my hosted MySQL database (the database already has content in it).
When I run it on my localhost everything works fine and I can query the Database with GraphQL statements.
As soon as I deploy my node.js project to DigitalOcean (auto deployed with GitHub) it stops working and I get the following error:
{
"errors": [
{
"message": "\nInvalid `prisma.content.findMany()` invocation in\n/workspace/src/schema.js:36:29\n\n 33 const resolvers = {\n 34 Query: {\n 35 memes: (parent, args) => {\n→ 36 return prisma.content.findMany(\n error: Error validating datasource `db`: the URL must start with the protocol `mysql://`.\n --> schema.prisma:7\n | \n 6 | provider = \"mysql\"\n 7 | url = env(\"DATABASE_URL\")\n | \n\nValidation Error Count: 1",
"locations": [
{
"line": 2,
"column": 3
}
],
"path": [
"memes"
],
"extensions": {
"code": "INTERNAL_SERVER_ERROR",
"exception": {
"clientVersion": "3.6.0",
"stacktrace": [
"Error: ",
"Invalid `prisma.content.findMany()` invocation in",
"/workspace/src/schema.js:36:29",
"",
" 33 const resolvers = {",
" 34 Query: {",
" 35 memes: (parent, args) => {",
"→ 36 return prisma.content.findMany(",
" error: Error validating datasource `db`: the URL must start with the protocol `mysql://`.",
" --> schema.prisma:7",
" | ",
" 6 | provider = \"mysql\"",
" 7 | url = env(\"DATABASE_URL\")",
" | ",
"",
"Validation Error Count: 1",
" at cb (/workspace/node_modules/@prisma/client/runtime/index.js:38689:17)",
" at processTicksAndRejections (internal/process/task_queues.js:97:5)"
]
}
}
}
],
"data": null
}
Here is my schema.prisma file:
generator client {
provider = "prisma-client-js"
}
datasource db {
provider = "mysql"
url = env("DATABASE_URL")
}
...
The only thing that is different from the hosted project compared to the local project is that I put .env file and node_modules on the .gitignore file.
So it seems like the project is accessing the wrong DATABASE_URL, but how should the hosted project know the DATABASE_URL in my .env file when the .env file is on .gitignore?
Here is what I do:
Change the DATABASE_URL in my .env file to my local MySQL Database hosted on a docker container
Run npx prisma migrate dev --preview-feature to generate the migration files
Run git add .
Run git commit -m "New Commit"
Run DATABASE_URL=mysql://censored:censored@censored:3306/censored npx prisma migrate resolve --applied "my_migration_folder_name" --preview-feature which succeeds and tells me "Migration my_migration_folder_name marked as applied."
Run git push
I can see that the Migration is successfully created on my MySQL Database but as soon as I run the app and try to query the database it gives me that error.
The code has to be correct because it is working on my localhost even when querying the hosted MySQL Database.
I also double checked that the Model in the schema.prisma file is in sync with my hosted MySQL Database schema.
I'm running out of ideas on what I could try.
EDIT
I actually think it has something to do with the environment variables I set in the settings of my DigitalOcean application.
Before it was set to:
envs:
- key: DATABASE_URL
  scope: RUN_AND_BUILD_TIME
  value: ${db.DATABASE_URL}
Now I set it to:
envs:
- key: DATABASE_URL
  scope: RUN_AND_BUILD_TIME
  value: mysql://censored:censored@censored:3306/censored
I thought that this will fix the problem but now it tells me that the connection fails because of wrong database credentials even though it is the right link with the right credentials.
I fixed it by clicking "Force rebuild and deploy" on my DigitalOcean app.
I have deployed an API-Platform app using JWT token to ElasticBeanstalk which, as usual, works fine in my local server.
On EB though it is denying access to logged in users despite the correct BearerToken being provided.
This is the error thrown:
{
"errors": [
{
"message": "Access Denied.",
"extensions": {
"category": "graphql"
},
"locations": [
{
"line": 6,
"column": 9
}
],
"path": [
"retrievedQueryUser"
]
}
],
"data": {
"retrievedQueryUser": null
}
}
The query in question attempts to retrieve user profile info through the below graphql config:
* "retrievedQuery"={
* "item_query"=UserProfileResolver::class,
* "normalization_context"={"groups"={"get-owner"}},
* "security"="is_granted('IS_AUTHENTICATED_FULLY') and object == user"
* },
So, it should be a simple matter of checking if the user is IS_AUTHENTICATED_FULLY and if it is the user him/herself trying to execute the query.
As far as I could tell, by the dump below on /vendor/symfony/security-core/Authorization/AuthorizationChecker.php, it's failing to retrieve a token.
var_dump($this->tokenStorage->getToken()->getUser()->getUsername());
I did a cursory comparison of phpinfo() between my local installation and the one at AWS-EB and could not find any obvious mismatch.
This is the config for JWT at /config/packages/lexik_jwt_authentication.yaml.
lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    user_identity_field: email
    token_ttl: 1800
Just to confirm that the users are able to login. It's passing through the isGranted() check that fails.
Any ideas?
EDIT - add /config/packages/security.yaml
security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    encoders:
        App\Entity\User:
            algorithm: auto
            #algorithm: bcrypt
            #algorithm: argon2i
            cost: 12
    providers:
        database:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        refresh:
            pattern: ^/api/token/refresh
            stateless: true
            anonymous: true
        api:
            pattern: ^/api
            stateless: true
            anonymous: true
            json_login:
                check_path: /api/login_check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            guard:
                authenticators:
                    - app.google_login_authenticator
                    - App\Security\TokenAuthenticator
                entry_point: App\Security\TokenAuthenticator
            user_checker: App\Security\UserEnabledChecker
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_SUPERADMIN }
        - { path: ^/api/token/refresh, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    role_hierarchy:
        ROLE_PROVIDER: ROLE_USER
        ROLE_ADMIN: [ROLE_PROVIDER, ROLE_EDITOR]
        ROLE_SUPERADMIN: ROLE_ADMIN
Upon further research I found out that Apache was stripping the authorization token from the request.
On the method supports of /lexik/jwt-authenticator-bundle/Security/Guard/JWTTokenAuthenticator, the dump as below will not include the token on AWS:
var_dump($request->headers->all());
var_dump($_SERVER);
As per this question, this is an issue of Apache configuration which is not accepting the authorization headers.
The indicated solution is to add the following to .htaccess:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
This resolves the issue, though one should note that the local Apache installation works fine without the above edit to .htaccess.
So, it should also be possible to change Apache config directly, but I could not find how to go about it.
EDIT: Later I found a specific instruction in the 'JWT-Token' docs, on this link, which confirms that solution.
I am getting the following error in the console window when running my Node.js application. I am using log4js for logging. The runtime platform is Express.
Error:
undefined:1
?{
^
SyntaxError: Unexpected token ? in JSON at position 0
Code:
var log4js = require('log4js');
var mylog = log4js.configure('log4jsConfig.json');
var logger = log4js.getLogger("absolute-logger");
Config json:
{
"appenders": [
{
"type": "file",
"absolute": true,
"filename": "c:/temp/log_file.log",
"maxLogSize": 20480,
"backups": 10,
"category": "absolute-logger"
}
]
}
Question:
Any thoughts? I am thinking this is a parsing error, but I'm not sure how to resolve it.
Thanks,
Are you on a Windows system? Sometimes, parsers get upset with \r\n (carriage returns). Try converting it to UNIX (new line only) style lines.
I want to integrate cosmos-auth with Idm GE.
Config for node.js application is:
{
"host": "192.168.4.180",
"port": 13000,
"private_key_file": "key.pem",
"certificate_file": "cert.pem",
"idm": {
"host": "192.168.4.33",
"port": "443",
"path": "/oauth2/token"
},
"cosmos_app": {
"client_id": "0434fdf60897479588c3c31cfc957b6d",
"client_secret": "a7c3540aa5de4de3a0b1c52a606b82df"
},
"log": {
"file_name": "/var/log/cosmos/cosmos-auth/cosmos-auth.log",
"date_pattern": ".dd-MM-yyyy"
}
}
When I send an HTTP POST request directly to the IDM GE at the URL
https://192.168.4.33:443/oauth2/token
with the required parameters I get OK results:
{
access_token: "LyZT5DRGSn0F8IKqYU8EmRFTLo1iPJ"
token_type: "Bearer"
expires_in: 3600
refresh_token: "XiyfKCHrIVyludabjaCyGqVsTkx8Sf"
}
But when I curl the cosmos-auth node.js application
curl -X POST "https://192.168.4.180:13000/cosmos-auth/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&username=idm&password=idm" -k
I get the following result:
{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}
Has anyone encountered something similar?
What could be the problem?
The error I made was using an unsigned certificate. How clumsy of me.
So either sign the certificate or insert an additional element in the options object (rejectUnauthorized: false)
var options = {
host : host,
port : port,
path : path,
method : method,
headers: headers,
rejectUnauthorized: false
};
or in the beginning of the file insert:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Of course this is only a temporary solution until we use a fully signed cert.
Anyway, error handling and logs in the cosmos-auth node.js app should show a little bit more.
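An alternative to the rejectUnauthorized: false workaround above, as an added example that is not part of the original post or of the cosmos-auth code: keep verification on, trust the IdM's own certificate through the ca option, and pin its fingerprint. The function names, the PEM placeholder and the fingerprint value are assumptions constructed for illustration.

```javascript
const tls = require('tls');

// Build https.request() options that keep certificate verification ON.
// base:      host/port/path/method/headers as in the post's options object
// caPem:     PEM of the IdM certificate (self-signed) or of the CA that issued it
// pinSha256: expected SHA-256 fingerprint, in Node's colon-separated hex form
function idmRequestOptions(base, caPem, pinSha256) {
  return Object.assign({}, base, {
    ca: caPem,                // trust only this anchor, not the default bundle
    rejectUnauthorized: true, // chain validation stays enabled
    checkServerIdentity: function (host, cert) {
      // Standard name check first: an IP host must be listed as an IP SAN.
      const nameError = tls.checkServerIdentity(host, cert);
      if (nameError) return nameError;
      // Then pin the certificate the server actually presented.
      if (cert.fingerprint256 !== pinSha256) {
        return new Error('IdM certificate fingerprint mismatch for ' + host);
      }
      return undefined; // identity accepted
    }
  });
}

// Startup guard: fail if verification was switched off process-wide.
function assertTlsVerificationEnabled(env) {
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    throw new Error('NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS verification');
  }
  return true;
}

// Constructed sample values (placeholders, not a real certificate or pin).
const SAMPLE_CA_PEM = '-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n';
const SAMPLE_PIN = new Array(32).fill('AB').join(':');
const sampleOptions = idmRequestOptions(
  { host: '192.168.4.33', port: 443, path: '/oauth2/token', method: 'POST' },
  SAMPLE_CA_PEM, SAMPLE_PIN);
// Pass sampleOptions to https.request(); nothing is parsed or sent until then.
```

Because the IdM is addressed by IP, a certificate issued without an IP subjectAltName for 192.168.4.33 still fails the name check and has to be reissued with that SAN.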