@vue-storefront/middleware - npm Package Compare versions

Comparing version 3.10.0 to 3.10.1

lib/handlers/index.d.ts

@@ -5,2 +5,3 @@ export * from "./callApiFunction";
 export * from "./prepareArguments";
+export * from "./validateParams";
 //# sourceMappingURL=index.d.ts.map

lib/index.cjs.js

@@ -10,2 +10,3 @@ 'use strict';
 var helmet = require('helmet');
+var xss = require('xss');
 
@@ -19,2 +20,3 @@ function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 var helmet__default = /*#__PURE__*/_interopDefaultLegacy(helmet);
+var xss__default = /*#__PURE__*/_interopDefaultLegacy(xss);
 
@@ -332,2 +334,19 @@ /**
 
+function validateParams(integrations) {
+    return (req, res, next) => {
+        // Validate & sanitize the request params
+        Object.entries(req.params).forEach(([key, value]) => {
+            req.params[key] = typeof value === "string" ? xss__default["default"](value) : value;
+        });
+        // Validate the integration
+        const { integrationName } = req.params;
+        if (!integrations || !integrations[integrationName]) {
+            res.status(404);
+            res.send(`"${integrationName}" integration is not configured. Please, check the request path or integration configuration.`);
+            return;
+        }
+        next();
+    };
+}
+
 const defaultCorsOptions = {
@@ -364,4 +383,4 @@ credentials: true,
     consola__default["default"].success("Integrations loaded!");
-    app.post("/:integrationName/:extensionName?/:functionName", prepareApiFunction(integrations), prepareErrorHandler(integrations), prepareArguments, callApiFunction);
-    app.get("/:integrationName/:extensionName?/:functionName", prepareApiFunction(integrations), prepareErrorHandler(integrations), prepareArguments, callApiFunction);
+    app.post("/:integrationName/:extensionName?/:functionName", validateParams(integrations), prepareApiFunction(integrations), prepareErrorHandler(integrations), prepareArguments, callApiFunction);
+    app.get("/:integrationName/:extensionName?/:functionName", validateParams(integrations), prepareApiFunction(integrations), prepareErrorHandler(integrations), prepareArguments, callApiFunction);
     app.get("/healthz", (_req, res) => {
@@ -368,0 +387,0 @@ res.end("ok");

lib/index.es.js

@@ -6,2 +6,3 @@ import consola from 'consola';
 import helmet from 'helmet';
+import xss from 'xss';
 
@@ -319,2 +320,19 @@ /**
 
+function validateParams(integrations) {
+    return (req, res, next) => {
+        // Validate & sanitize the request params
+        Object.entries(req.params).forEach(([key, value]) => {
+            req.params[key] = typeof value === "string" ? xss(value) : value;
+        });
+        // Validate the integration
+        const { integrationName } = req.params;
+        if (!integrations || !integrations[integrationName]) {
+            res.status(404);
+            res.send(`"${integrationName}" integration is not configured. Please, check the request path or integration configuration.`);
+            return;
+        }
+        next();
+    };
+}
+
 const defaultCorsOptions = {
@@ -351,4 +369,4 @@ credentials: true,
     consola.success("Integrations loaded!");
-    app.post("/:integrationName/:extensionName?/:functionName", prepareApiFunction(integrations), prepareErrorHandler(integrations), prepareArguments, callApiFunction);
-    app.get("/:integrationName/:extensionName?/:functionName", prepareApiFunction(integrations), prepareErrorHandler(integrations), prepareArguments, callApiFunction);
+    app.post("/:integrationName/:extensionName?/:functionName", validateParams(integrations), prepareApiFunction(integrations), prepareErrorHandler(integrations), prepareArguments, callApiFunction);
+    app.get("/:integrationName/:extensionName?/:functionName", validateParams(integrations), prepareApiFunction(integrations), prepareErrorHandler(integrations), prepareArguments, callApiFunction);
     app.get("/healthz", (_req, res) => {
@@ -355,0 +373,0 @@ res.end("ok");

package.json

 {
   "name": "@vue-storefront/middleware",
-  "version": "3.10.0",
+  "version": "3.10.1",
   "main": "lib/index.cjs.js",
@@ -27,3 +27,4 @@ "module": "lib/index.es.js",
     "express": "^4.18.1",
-    "helmet": "^5.1.1"
+    "helmet": "^5.1.1",
+    "xss": "^1.0.15"
   },
@@ -38,3 +39,6 @@ "devDependencies": {
   },
-  "packageManager": "yarn@1.22.10"
+  "packageManager": "yarn@1.22.10",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/"
+  }
 }

No alert changes

Improved metrics

Total package byte prevSize

80817

increased by2.97%

Number of package files

64

increased by3.23%

Lines of code

1395

increased by2.88%

Worsened metrics

Dependency count

6

increased by20%

Dependency changes

• + Addedxss@^1.0.15

• + Addedcommander@2.20.3(transitive)

• + Addedcssfilter@0.0.10(transitive)

• + Addedxss@1.0.15(transitive)