This repository has been archived by the owner on Apr 16, 2024. It is now read-only.

Bugfix/#1190 UnitController vulnerabilities #1191

Merged
merged 25 commits into from
Mar 22, 2019

Conversation

torss (Collaborator) commented Mar 21, 2019

Description:

Closes #1190

Fixes UnitController vulnerabilities.

Improvements:

  • Closed vulnerabilities for all 4 routes via course.checkPrivileges.
  • Added GET & DELETE route unit tests for status code 200.
  • Added status code 403 (not authorized to view / edit course) unit tests for all 4 routes.
  • Some related unit test refactoring (could definitely be refactored further).
  • DELETE route now returns a completely empty object (very minor change).
  • Other minor refactoring, such as async/await usage and errorCodes refactoring.

Known Issues:

The DELETE route uses `await unit.remove()`, which gives a DeprecationWarning (`collection.remove is deprecated. Use deleteOne, deleteMany, or bulkWrite instead.`), but `deleteOne` is still missing middleware support (which Unit makes use of): Automattic/mongoose#7195 & https://mongoosejs.com/docs/api.html#model_Model.deleteOne
This problem wasn't introduced by this PR; I just noticed it while running the unit tests, but left it as is due to the middleware regression.
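The hardened flow the description refers to (resolve the unit's course, run a course-level privilege check, answer 403 before any read or write, DELETE replying with an empty object), as an added TypeScript model that is not geli's own code; the types, the in-memory store standing in for the mongoose models, and the privilege rules are assumptions chosen to illustrate the pattern:

```typescript
// Added example, not geli's code: a minimal model of a UnitController whose
// four routes all go through a course privilege check before acting.
type Role = 'admin' | 'teacher' | 'student';
type Method = 'GET' | 'POST' | 'PUT' | 'DELETE';
interface User { id: string; role: Role; }
interface Course { id: string; teachers: string[]; enrolled: string[]; }
interface Unit { id: string; courseId: string; name: string; }
interface Response { status: number; body: unknown; }
interface UnitRequest { unitId?: string; courseId?: string; data?: Partial<Unit>; }

// Constructed in-memory data (assumption) standing in for the Course/Unit models.
const courses: Course[] = [{ id: 'c1', teachers: ['t1'], enrolled: ['s1'] }];
const units = new Map<string, Unit>([['u1', { id: 'u1', courseId: 'c1', name: 'Intro' }]]);
let nextUnitNo = 2;

// Assumed stand-in for course.checkPrivileges: rights are derived from the
// course document, never from the unit id supplied by the client.
function checkPrivileges(course: Course, user: User) {
  const userCanEditCourse = user.role === 'admin' || course.teachers.includes(user.id);
  const userCanViewCourse = userCanEditCourse || course.enrolled.includes(user.id);
  return { userCanViewCourse, userCanEditCourse };
}

// One entry point for GET/PUT/DELETE (by unit id) and POST (by course id).
function handleUnitRoute(method: Method, user: User, req: UnitRequest): Response {
  const unit = method === 'POST' ? undefined : units.get(req.unitId ?? '');
  if (method !== 'POST' && !unit) return { status: 404, body: { message: 'unit not found' } };
  const courseId = unit ? unit.courseId : req.courseId;
  const course = courses.find(c => c.id === courseId);
  if (!course) return { status: 404, body: { message: 'course not found' } };
  // Authorization happens here, before any read or write of the unit.
  const priv = checkPrivileges(course, user);
  const allowed = method === 'GET' ? priv.userCanViewCourse : priv.userCanEditCourse;
  if (!allowed) return { status: 403, body: { message: 'not authorized' } };
  if (method === 'GET') return { status: 200, body: unit };
  if (method === 'DELETE') {
    units.delete(unit!.id);
    return { status: 200, body: {} }; // completely empty object, as the PR describes
  }
  if (method === 'POST') {
    const created: Unit = { id: `u${nextUnitNo++}`, courseId: course.id, name: req.data?.name ?? 'untitled' };
    units.set(created.id, created);
    return { status: 200, body: created };
  }
  // PUT: merge the update but never let the client move the unit to another course.
  const next: Unit = { ...unit!, ...(req.data ?? {}), id: unit!.id, courseId: unit!.courseId };
  units.set(next.id, next);
  return { status: 200, body: next };
}
```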

@torss torss added labels: bug (This Issue describes an unwanted behavior), api (All Backend related Issues), refactoring, 🔒 security (This directly pertains to geli's security!) on Mar 21, 2019
@torss torss requested a review from kesselb on March 21, 2019 19:46
Review threads (outdated, resolved): api/src/controllers/UnitController.ts (2), CHANGELOG.md
@kesselb kesselb merged commit a2fa446 into develop Mar 22, 2019
@kesselb kesselb deleted the bugfix/#1190-UnitController-vulnerabilities branch March 22, 2019 20:51
Linked issue (closed by this pull request): 🐛 BUG: UnitController vulnerabilities (#1190)