Merge branch 'main' into copilot/upgrade-glob-to-10-5-0

Fix validator security vulnerability CVE in isLength() (#484 )
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>
2025-12-24 02:39:19 -05:00 · 2025-12-05 17:41:25 +08:00 · 2025-12-05 17:40:29 +08:00 · 2025-12-05 09:38:22 +00:00 · 2025-12-05 17:38:03 +08:00 · 2025-12-05 09:32:36 +00:00
4 changed files with 31 additions and 86 deletions
--- a/package.json
+++ b/package.json
@@ -60,7 +60,7 @@
    "dotenv": "^16.6.1",
    "dotenv-expand": "^12.0.2",
    "express": "^4.21.2",
-    "express-validator": "^7.2.1",
+    "express-validator": "^7.3.1",
    "i18next": "^25.5.0",
    "i18next-fs-backend": "^2.6.0",
    "jsonwebtoken": "^9.0.2",
@@ -132,7 +132,9 @@
  "pnpm": {
    "overrides": {
      "brace-expansion@1.1.11": "1.1.12",
-      "brace-expansion@2.0.1": "2.0.2"
+      "brace-expansion@2.0.1": "2.0.2",
+      "glob@10.4.5": "10.5.0"
+      "jws@3.2.2": "4.0.1"
    }
  }
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -7,6 +7,8 @@ settings:
 overrides:
  brace-expansion@1.1.11: 1.1.12
  brace-expansion@2.0.1: 2.0.2
+  glob@10.4.5: 10.5.0
+  jws@3.2.2: 4.0.1

 importers:

@@ -58,8 +60,8 @@ importers:
        specifier: ^4.21.2
        version: 4.22.0
      express-validator:
-        specifier: ^7.2.1
-        version: 7.2.1
+        specifier: ^7.3.1
+        version: 7.3.1
      i18next:
        specifier: ^25.5.0
        version: 25.6.0(typescript@5.9.2)
@@ -2628,8 +2630,8 @@ packages:
    peerDependencies:
      express: '>= 4.11'

-  express-validator@7.2.1:
-    resolution: {integrity: sha512-CjNE6aakfpuwGaHQZ3m8ltCG2Qvivd7RHtVMS/6nVxOM7xVGqr4bhflsm4+N5FP5zI7Zxp+Hae+9RE+o8e3ZOQ==}
+  express-validator@7.3.1:
+    resolution: {integrity: sha512-IGenaSf+DnWc69lKuqlRE9/i/2t5/16VpH5bXoqdxWz1aCpRvEdrBuu1y95i/iL5QP8ZYVATiwLFhwk3EDl5vg==}
    engines: {node: '>= 8.0.0'}

  express@4.22.0:
@@ -2803,8 +2805,8 @@ packages:
    resolution: {integrity: sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==}
    engines: {node: '>=10.13.0'}

-  glob@10.4.5:
-    resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==}
+  glob@10.5.0:
+    resolution: {integrity: sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==}
    hasBin: true

  glob@7.2.3:
@@ -3230,11 +3232,11 @@ packages:
    resolution: {integrity: sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==}
    engines: {node: '>=12', npm: '>=6'}

-  jwa@1.4.2:
-    resolution: {integrity: sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw==}
+  jwa@2.0.1:
+    resolution: {integrity: sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg==}

-  jws@3.2.2:
-    resolution: {integrity: sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==}
+  jws@4.0.1:
+    resolution: {integrity: sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==}

  keyv@4.5.4:
    resolution: {integrity: sha512-oxVHkHR/EJf2CNXnWxRLW6mg7JyCCUcG0DtEGmL2ctUo1PNTin1PUil+r/+4r5MpVgC/fn1kjsx7mjSujKqIpw==}
@@ -4481,8 +4483,8 @@ packages:
    resolution: {integrity: sha512-kiGUalWN+rgBJ/1OHZsBtU4rXZOfj/7rKQxULKlIzwzQSvMJUUNgPwJEEh7gU6xEVxC0ahoOBvN2YI8GH6FNgA==}
    engines: {node: '>=10.12.0'}

-  validator@13.12.0:
-    resolution: {integrity: sha512-c1Q0mCiPlgdTVVVIJIrBuxNicYE+t/7oKeI9MWLj3fh/uq2Pxh/3eeWbVZ4OcGW1TUf53At0njHw5SMdA3tmMg==}
+  validator@13.15.23:
+    resolution: {integrity: sha512-4yoz1kEWqUjzi5zsPbAS/903QXSYp0UOtHsPpp7p9rHAw/W+dkInskAE386Fat3oKRROwO98d9ZB0G4cObgUyw==}
    engines: {node: '>= 0.10'}

  vary@1.1.2:
@@ -5346,7 +5348,7 @@ snapshots:
      chalk: 4.1.2
      collect-v8-coverage: 1.0.2
      exit-x: 0.2.2
-      glob: 10.4.5
+      glob: 10.5.0
      graceful-fs: 4.2.11
      istanbul-lib-coverage: 3.2.2
      istanbul-lib-instrument: 6.0.3
@@ -6964,10 +6966,10 @@ snapshots:
    dependencies:
      express: 5.2.1

-  express-validator@7.2.1:
+  express-validator@7.3.1:
    dependencies:
      lodash: 4.17.21
-      validator: 13.12.0
+      validator: 13.15.23

  express@4.22.0:
    dependencies:
@@ -7210,7 +7212,7 @@ snapshots:
    dependencies:
      is-glob: 4.0.3

-  glob@10.4.5:
+  glob@10.5.0:
    dependencies:
      foreground-child: 3.3.1
      jackspeak: 3.4.3
@@ -7486,7 +7488,7 @@ snapshots:
      chalk: 4.1.2
      ci-info: 4.3.0
      deepmerge: 4.3.1
-      glob: 10.4.5
+      glob: 10.5.0
      graceful-fs: 4.2.11
      jest-circus: 30.2.0
      jest-docblock: 30.2.0
@@ -7681,7 +7683,7 @@ snapshots:
      chalk: 4.1.2
      cjs-module-lexer: 2.1.0
      collect-v8-coverage: 1.0.2
-      glob: 10.4.5
+      glob: 10.5.0
      graceful-fs: 4.2.11
      jest-haste-map: 30.2.0
      jest-message-util: 30.2.0
@@ -7830,7 +7832,7 @@ snapshots:

  jsonwebtoken@9.0.2:
    dependencies:
-      jws: 3.2.2
+      jws: 4.0.1
      lodash.includes: 4.3.0
      lodash.isboolean: 3.0.3
      lodash.isinteger: 4.0.4
@@ -7841,15 +7843,15 @@ snapshots:
      ms: 2.1.3
      semver: 7.7.2

-  jwa@1.4.2:
+  jwa@2.0.1:
    dependencies:
      buffer-equal-constant-time: 1.0.1
      ecdsa-sig-formatter: 1.0.11
      safe-buffer: 5.2.1

-  jws@3.2.2:
+  jws@4.0.1:
    dependencies:
-      jwa: 1.4.2
+      jwa: 2.0.1
      safe-buffer: 5.2.1

  keyv@4.5.4:
@@ -8950,7 +8952,7 @@ snapshots:
      debug: 4.4.3
      dedent: 1.7.0
      dotenv: 16.6.1
-      glob: 10.4.5
+      glob: 10.5.0
      reflect-metadata: 0.2.2
      sha.js: 2.4.12
      sql-highlight: 6.1.0
@@ -9023,7 +9025,7 @@ snapshots:
      '@types/istanbul-lib-coverage': 2.0.6
      convert-source-map: 2.0.0

-  validator@13.12.0: {}
+  validator@13.15.23: {}

  vary@1.1.2: {}

--- a/src/middlewares/auth.ts
+++ b/src/middlewares/auth.ts
@@ -19,7 +19,7 @@ const validateBearerAuth = (req: Request, routingConfig: any): boolean => {
  return authHeader.substring(7) === routingConfig.bearerAuthKey;
 };

-const readonlyAllowPaths = ['/tools/call/', '/auth/change-password'];
+const readonlyAllowPaths = ['/tools/call/'];

 const checkReadonly = (req: Request): boolean => {
  if (!defaultConfig.readonly) {
--- a/tests/middlewares/auth.readonly.test.ts
+++ b/tests/middlewares/auth.readonly.test.ts
@@ -1,59 +0,0 @@
-// Tests for readonly mode in auth middleware
-// Verifies that password change is allowed in readonly mode
-
-describe('Auth Readonly Mode Tests', () => {
-  // Test the readonlyAllowPaths configuration
-  describe('Readonly Allow Paths', () => {
-    // Simulate the checkReadonly logic
-    const readonlyAllowPaths = ['/tools/call/', '/auth/change-password'];
-
-    const checkReadonlyPath = (path: string, method: string, basePath: string = ''): boolean => {
-      for (const allowedPath of readonlyAllowPaths) {
-        if (path.startsWith(basePath + allowedPath)) {
-          return true;
-        }
-      }
-      return method === 'GET';
-    };
-
-    it('should allow /tools/call/ in readonly mode', () => {
-      const result = checkReadonlyPath('/tools/call/test', 'POST');
-      expect(result).toBe(true);
-    });
-
-    it('should allow /auth/change-password in readonly mode', () => {
-      const result = checkReadonlyPath('/auth/change-password', 'POST');
-      expect(result).toBe(true);
-    });
-
-    it('should allow GET requests in readonly mode', () => {
-      const result = checkReadonlyPath('/api/servers', 'GET');
-      expect(result).toBe(true);
-    });
-
-    it('should block other POST requests in readonly mode', () => {
-      const result = checkReadonlyPath('/api/servers', 'POST');
-      expect(result).toBe(false);
-    });
-
-    it('should block PUT requests in readonly mode', () => {
-      const result = checkReadonlyPath('/api/servers/1', 'PUT');
-      expect(result).toBe(false);
-    });
-
-    it('should block DELETE requests in readonly mode', () => {
-      const result = checkReadonlyPath('/api/servers/1', 'DELETE');
-      expect(result).toBe(false);
-    });
-
-    it('should work with base path for /auth/change-password', () => {
-      const result = checkReadonlyPath('/api/auth/change-password', 'POST', '/api');
-      expect(result).toBe(true);
-    });
-
-    it('should work with base path for /tools/call/', () => {
-      const result = checkReadonlyPath('/api/tools/call/test', 'POST', '/api');
-      expect(result).toBe(true);
-    });
-  });
-});
Author	SHA1	Message	Date
samanhappy	29cb6d3f84	Merge branch 'main' into copilot/upgrade-glob-to-10-5-0	2025-12-05 17:41:25 +08:00
Copilot	71667dab2c	Fix validator security vulnerability CVE in isLength() (#484 ) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-05 17:40:29 +08:00
copilot-swe-agent[bot]	723ddb4fb0	Upgrade glob to version 10.5.0 via pnpm override Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-05 09:38:22 +00:00
Copilot	1921a0363b	[WIP] Update auth0/node-jws to version 3.2.3 or 4.0.1 (#482 ) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: samanhappy <2755122+samanhappy@users.noreply.github.com>	2025-12-05 17:38:03 +08:00
copilot-swe-agent[bot]	d276823726	Initial plan	2025-12-05 09:32:36 +00:00