couch2pg - npm Package Compare versions

Comparing version 0.7.0 to 0.7.1

lib/importer.js

@@ -27,2 +27,11 @@ var _ = require('underscore'),
 
+const removeSecurityDetails = function(doc) {
+  const isUserDoc = doc && doc.type === 'user' && doc._id.startsWith('org.couchdb.user:');
+  if (isUserDoc) {
+    delete doc.password_scheme;
+    delete doc.derived_key;
+    delete doc.salt;
+  }
+};
+
 var deleteDocuments = function(db, postgresTable, docIdsToDelete) {
@@ -99,12 +108,9 @@ if (docIdsToDelete && docIdsToDelete.length) {
 
-      var insertSql = format(
-        INSERT_DOC_STMT,
-        postgresTable,
-        couchDbResult.rows.map(function(row) {
-          return [row.doc];
-        })
-      );
+      const docsToInsert = couchDbResult.rows.map(function(row) {
+        removeSecurityDetails(row.doc);
+        return [row.doc];
+      });
 
+      let insertSql = format(INSERT_DOC_STMT, postgresTable, docsToInsert);
       insertSql = sanitise(insertSql);
-
       return db.query(insertSql);
@@ -111,0 +117,0 @@ }).then(function() {

package.json

 {
   "name": "couch2pg",
-  "version": "0.7.0",
+  "version": "0.7.1",
   "bin": {
@@ -5,0 +5,0 @@ "couch2pg": "./cli.js"

README.md

@@ -22,3 +22,3 @@ # couch2pg
 ```
-npm install -g couch2pg`
+npm install -g couch2pg
 couch2pg --help
@@ -25,0 +25,0 @@ ```

tests/unit/importer.js

@@ -74,2 +74,46 @@ require('es6-promise').polyfill();
     });
+
+    it('removes security information from user docs', function () {
+      const userDocId = 'org.couchdb.user:test_user';
+      sinon.stub(db, 'one').resolves(STORED_SEQ);
+      sinon.stub(couchdb, 'changes')
+        .onCall(0).resolves({
+          results: [
+            { id: userDocId, seq: 1 },
+          ],
+          last_seq: 2
+        })
+        .onCall(1).resolves({
+          results: [],
+          last_seq: 2
+        });
+      const query = sinon.stub(db, 'query').resolves();
+      const allDocs = sinon.stub(couchdb, 'allDocs');
+      allDocs.resolves({
+        rows: [{
+          id: userDocId,
+          doc: {
+            _id: userDocId,
+            _rev: '3-37b63ea82ca461bfa6b3d4cfda7dbf88',
+            name: 'test_user',
+            type: 'user',
+            roles: ['chw'],
+            facility_id: 'c0ca5e2b-508a-4ba7-b934-f6e4751223bf',
+            password_scheme: 'pbkdf2',
+            iterations: 10,
+            derived_key: '5ccbfab2b06a67450c3fbcda9fc0f4e27e5ba957',
+            salt: '713733ce185df96773d6bd4a860749ee'
+          }
+        }],
+      });
+
+      return importer(db, couchdb).importBatch().then(function() {
+        allDocs.args[0][0].keys.should.deep.equal([userDocId]);
+        query.args[1][0].should.include(`INSERT INTO couchdb (doc) VALUES ('{"_id":"${userDocId}"`);
+        query.args[1][0].should.include(`"roles":["chw"],`);
+        query.args[1][0].should.not.include('derived_key');
+        query.args[1][0].should.not.include('salt');
+        query.args[1][0].should.not.include('password_scheme');
+      });
+    })
   });
@@ -76,0 +120,0 @@

New alerts

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Fixed alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 6 instances in 1 package

Improved metrics

Total package byte prevSize

50299

increased by5.77%

Number of package files

22

increased by4.76%

Lines of code

886

increased by8.98%

Worsened metrics

Number of low supply chain risk alerts

12

increased by100%

Number of medium supply chain risk alerts

2

increased by100%

No dependency changes