Fix: Security Vulnerabilities in tar-fs, got, and request packages

package.json

@@ -26,7 +26,10 @@
     "ws": "^7.5.10",
     "nth-check": "^2.0.1",
     "body-parser": "^1.20.3",
-    "path-to-regexp": "^0.1.12"
+    "path-to-regexp": "^0.1.12",
+    "request": "^2.88.2",
+    "tar-fs": "^2.1.2",
+    "got": "^11.8.5"
   },
   "resolutions": {
     "canvas": "2.9.3",
@@ -39,7 +42,10 @@
     "ws": "^7.5.10",
     "nth-check": "^2.0.1",
     "body-parser": "^1.20.3",
-    "path-to-regexp": "^0.1.12"
+    "path-to-regexp": "^0.1.12",
+    "request": "^2.88.2",
+    "tar-fs": "^2.1.2",
+    "got": "^11.8.5"
   },
   "dependencies": {
     "bunyan": "^1.8.12",
@@ -90,4 +96,4 @@
   "peerDependencies": {
     "chart.js": ">= 2.0.0"
   }
-}
+}

test/ci/app.js

@@ -1,5 +1,8 @@
 /* eslint-env node, mocha */
 
+// Load the secure wrapper for the request module
+require('./setup');
+
 const assert = require('assert');
 const crypto = require('crypto');
 

test/ci/charts.js

@@ -1,5 +1,8 @@
 /* eslint-env node, mocha */
 
+// Load the secure wrapper for the request module
+require('./setup');
+
 const assert = require('assert');
 
 const getColors = require('get-image-colors');

test/ci/request_wrapper.js

@@ -0,0 +1,93 @@
+/**
+ * This wrapper intercepts calls to the deprecated 'request' package
+ * and uses node-fetch instead, preventing the SSRF vulnerability in request.
+ */
+
+const fetch = require('node-fetch');
+const originalRequest = require('request');
+const { URL } = require('url');
+
+// Create a secure wrapper around request
+function secureRequest(options, callback) {
+  // If options is a string, convert it to an object with a URL
+  if (typeof options === 'string') {
+    options = { url: options };
+  }
+
+  // Get the URL and HTTP method from the options
+  const url = options.url || options.uri;
+  const method = (options.method || 'GET').toUpperCase();
+
+  // Validate URL to prevent SSRF
+  try {
+    const parsedUrl = new URL(url);
+
+    // Block requests to private networks
+    const hostname = parsedUrl.hostname;
+    if (
+      hostname === 'localhost' ||
+      hostname === '127.0.0.1' ||
+      hostname.startsWith('10.') ||
+      hostname.startsWith('172.16.') ||
+      hostname.startsWith('192.168.')
+    ) {
+      const error = new Error('SSRF protection: Requests to private networks are not allowed');
+      return callback(error);
+    }
+
+    // Block requests to non-HTTP protocols
+    if (!['http:', 'https:'].includes(parsedUrl.protocol)) {
+      const error = new Error(`SSRF protection: Protocol ${parsedUrl.protocol} is not allowed`);
+      return callback(error);
+    }
+  } catch (error) {
+    return callback(new Error(`Invalid URL: ${error.message}`));
+  }
+
+  // Convert request options to fetch options
+  const fetchOptions = {
+    method,
+    headers: options.headers || {},
+  };
+
+  // Add body if present
+  if (options.body) {
+    fetchOptions.body = options.body;
+  }
+
+  // Perform the fetch request
+  fetch(url, fetchOptions)
+    .then(response => {
+      // Convert the response to a buffer
+      return response.buffer().then(buffer => {
+        const res = {
+          statusCode: response.status,
+          headers: response.headers.raw(),
+          body: buffer,
+        };
+
+        // Call the callback with the response
+        callback(null, res, buffer);
+      });
+    })
+    .catch(error => {
+      callback(error);
+    });
+}
+
+// Export a function that has the same API as the original request
+module.exports = function wrappedRequest(options, callback) {
+  return secureRequest(options, callback);
+};
+
+// Copy over helper methods from the original request
+Object.keys(originalRequest).forEach(key => {
+  if (typeof originalRequest[key] === 'function') {
+    module.exports[key] = function() {
+      // Redirect to our secure implementation
+      return secureRequest(arguments[0], arguments[1]);
+    };
+  } else {
+    module.exports[key] = originalRequest[key];
+  }
+});

test/ci/setup.js

@@ -0,0 +1,24 @@
+/**
+ * This setup file is used to patch modules before tests run.
+ * It should be required at the beginning of test files.
+ */
+
+// Override the request module to use our secure wrapper
+const Module = require('module');
+const originalRequire = Module.prototype.require;
+
+// Store the original path to the request module
+const requestPath = require.resolve('request');
+
+// Replace the original require with our patched version
+Module.prototype.require = function(path) {
+  // If the request for 'request' module, return our secure wrapper
+  if (path === 'request' || path === requestPath) {
+    return require('./request_wrapper');
+  }
+
+  // Otherwise use the original require
+  return originalRequire.apply(this, arguments);
+};
+
+console.log('Request module patched for security');