Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vil 616 #1009

Closed
wants to merge 21 commits into from
Closed

Vil 616 #1009

wants to merge 21 commits into from

Conversation

Benjyhy
Copy link
Collaborator

@Benjyhy Benjyhy commented Nov 21, 2024
edited
Loading

Motivation

Enable filtering on a given phase for a given village.

Changes

Created a phaseHistory entity to track the starting and ending dates of phases for all villages.
Created a phase filter on the statistics dashboard.
Made sure that teachers cannot rollback on a past phase.

Test

When you're logged in as a teacher, create a new student and note what is the active phase.
Using the phase filter, you should see the newly created student on the statistics dashboard when you're logged in as an administrator. Note that the table is displaying all data, whereas the purple cards display data by phases.

Benjyhy added 19 commits November 21, 2024 14:29
@Benjyhy
Create PhaseHistory entity and rework on the UI for phase managers
53688fd
@Benjyhy
Add filtering queries and make sure the admin cannot go back to a pas…
73c9650 
…t phase
@Benjyhy
Add migration for phase history and set starting date for phase 1 of …
d48f101 
…all villages
@Benjyhy
Rename migration for phase history
65776a8
@Benjyhy
Fix migration foreign key
e7aa95c
@Benjyhy
Define villageId in migration
db9d3fe
@Benjyhy
Only create a phase history entry if phase was modified
944c914
@Benjyhy
Added default value for startingOnField in phaseHistory
1ddeae6
@Benjyhy
Added default value for startingOnField in phaseHistory entity
72b82fb
@Benjyhy
Explicitly set startingOn for a post on phaseHistory
82a7c88
@Benjyhy
Create PhaseHistory entity and rework on the UI for phase managers
385bd94
@Benjyhy
Add filtering queries and make sure the admin cannot go back to a pas…
5c2b630 
…t phase
@Benjyhy
Add migration for phase history and set starting date for phase 1 of …
b0cda89 
…all villages
@Benjyhy
Define villageId in migration
6390b07
@Benjyhy
Added default value for startingOnField in phaseHistory
ce7f4f3
@Benjyhy
Quix fixes on fk and ts enum use
df5253c
@Benjyhy
Delete cache
583f496
@Benjyhy
Reset cache
a6ae27b
@Benjyhy
Fix entity
5c3635d
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 21, 2024
View reviewed changes
server/controllers/controller.ts
}

public head(options: RouteOptions, handler: RequestHandler): void {
this.router.head(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
authorization
Loading
, but is not rate-limited.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to introduce rate limiting to the routes in the Controller class. The best way to do this is by using the express-rate-limit package, which allows us to easily set up rate limiting middleware. We will create a rate limiter and apply it to all routes defined in the Controller class.

  1. Install the express-rate-limit package.
  2. Import the express-rate-limit package in the controller.ts file.
  3. Create a rate limiter with a reasonable configuration (e.g., 100 requests per 15 minutes).
  4. Apply the rate limiter to all routes in the Controller class.
Suggested changeset 1
server/controllers/controller.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/server/controllers/controller.ts b/server/controllers/controller.ts
--- a/server/controllers/controller.ts
+++ b/server/controllers/controller.ts
@@ -4,3 +4,4 @@
 import multer from 'multer';
-import path from 'path';
+import path from 'path';
+import rateLimit from 'express-rate-limit';
 
@@ -23,9 +24,14 @@
 
-  constructor(name: string) {
-    this.router = Router({ mergeParams: true });
-    this.name = name;
-  }
+  private rateLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100, // limit each IP to 100 requests per windowMs
+  });
+
+  constructor(name: string) {
+    this.router = Router({ mergeParams: true });
+    this.name = name;
+  }
 
   public get(options: RouteOptions, handler: RequestHandler): void {
-    this.router.get(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
+    this.router.get(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
   }
@@ -33,3 +39,3 @@
   public head(options: RouteOptions, handler: RequestHandler): void {
-    this.router.head(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
+    this.router.head(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
   }
@@ -37,3 +43,3 @@
   public post(options: RouteOptions, handler: RequestHandler): void {
-    this.router.post(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
+    this.router.post(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
   }
@@ -41,3 +47,3 @@
   public put(options: RouteOptions, handler: RequestHandler): void {
-    this.router.put(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
+    this.router.put(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
   }
@@ -45,3 +51,3 @@
   public delete(options: RouteOptions, handler: RequestHandler): void {
-    this.router.delete(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
+    this.router.delete(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
   }
@@ -52,3 +58,4 @@
         options.path,
-        this.uploadVideoMiddleware.single(options.multerFieldName),
+        this.rateLimiter,
+        this.uploadVideoMiddleware.single(options.multerFieldName),
         handleErrors(async (req, res, next) => {
@@ -69,3 +76,4 @@
         options.path,
-        this.uploadMiddleware.single(options.multerFieldName),
+        this.rateLimiter,
+        this.uploadMiddleware.single(options.multerFieldName),
         handleErrors(authenticate(options.userType)),
EOF
@@ -4,3 +4,4 @@
import multer from 'multer';
import path from 'path';
import path from 'path';
import rateLimit from 'express-rate-limit';

@@ -23,9 +24,14 @@

constructor(name: string) {
this.router = Router({ mergeParams: true });
this.name = name;
}
private rateLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // limit each IP to 100 requests per windowMs
});

constructor(name: string) {
this.router = Router({ mergeParams: true });
this.name = name;
}

public get(options: RouteOptions, handler: RequestHandler): void {
this.router.get(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
this.router.get(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
}
@@ -33,3 +39,3 @@
public head(options: RouteOptions, handler: RequestHandler): void {
this.router.head(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
this.router.head(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
}
@@ -37,3 +43,3 @@
public post(options: RouteOptions, handler: RequestHandler): void {
this.router.post(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
this.router.post(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
}
@@ -41,3 +47,3 @@
public put(options: RouteOptions, handler: RequestHandler): void {
this.router.put(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
this.router.put(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
}
@@ -45,3 +51,3 @@
public delete(options: RouteOptions, handler: RequestHandler): void {
this.router.delete(options.path, handleErrors(authenticate(options.userType)), handleErrors(handler));
this.router.delete(options.path, this.rateLimiter, handleErrors(authenticate(options.userType)), handleErrors(handler));
}
@@ -52,3 +58,4 @@
options.path,
this.uploadVideoMiddleware.single(options.multerFieldName),
this.rateLimiter,
this.uploadVideoMiddleware.single(options.multerFieldName),
handleErrors(async (req, res, next) => {
@@ -69,3 +76,4 @@
options.path,
this.uploadMiddleware.single(options.multerFieldName),
this.rateLimiter,
this.uploadMiddleware.single(options.multerFieldName),
handleErrors(authenticate(options.userType)),
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
server/controllers/controller.ts
const filePath = req.file?.path;
if (filePath) {
res.on('finish', () => {
fs.remove(filePath).catch();

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the filePath is validated before it is used in the fs.remove function. We can achieve this by normalizing the path using path.resolve and ensuring it is within a designated safe directory. This will prevent directory traversal attacks by removing any .. segments and ensuring the path is within the intended directory.

  1. Normalize the filePath using path.resolve.
  2. Check that the normalized path starts with the designated safe directory.
  3. If the path is valid, proceed with the file removal; otherwise, handle the error appropriately.
Suggested changeset 1
server/controllers/controller.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/server/controllers/controller.ts b/server/controllers/controller.ts
--- a/server/controllers/controller.ts
+++ b/server/controllers/controller.ts
@@ -55,8 +55,14 @@
           // clean up the file after the request is handled
-          const filePath = req.file?.path;
-          if (filePath) {
-            res.on('finish', () => {
-              fs.remove(filePath).catch();
-            });
-          }
+          const filePath = req.file?.path;
+          if (filePath) {
+            const safeDir = path.resolve(__dirname, '../fileUpload/videos');
+            const resolvedPath = path.resolve(filePath);
+            if (resolvedPath.startsWith(safeDir)) {
+              res.on('finish', () => {
+                fs.remove(resolvedPath).catch();
+              });
+            } else {
+              console.error('Invalid file path:', resolvedPath);
+            }
+          }
           next();
EOF
@@ -55,8 +55,14 @@
// clean up the file after the request is handled
const filePath = req.file?.path;
if (filePath) {
res.on('finish', () => {
fs.remove(filePath).catch();
});
}
const filePath = req.file?.path;
if (filePath) {
const safeDir = path.resolve(__dirname, '../fileUpload/videos');
const resolvedPath = path.resolve(filePath);
if (resolvedPath.startsWith(safeDir)) {
res.on('finish', () => {
fs.remove(resolvedPath).catch();
});
} else {
console.error('Invalid file path:', resolvedPath);
}
}
next();
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@Benjyhy Benjyhy closed this Nov 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Benjyhy