fix(security): address CVE-2021-3749 - axios >=0.22.0

Ensured that axios is updated to >=0.22.0 in all packages that use it. The only place where it was not possible to upgrade it through upgrading transitive dependencies was the ubiquity connector package so for that one I forced the issue through the resolutions section of the root package.json. ----------------------------------------------- The GitHub Cacti security advisory: https://github.com/hyperledger/cacti/security/dependabot/361 The general GitHub security advisory: GHSA-cph5-m8f7-6c5x Weaknesses - [WeaknessCWE-400](https://cwe.mitre.org/data/definitions/400.html) - [WeaknessCWE-1333](https://cwe.mitre.org/data/definitions/1333.html) CVE ID: `CVE-2021-3749` GHSA ID: `GHSA-cph5-m8f7-6c5x` Fixes #2790 [skip ci] Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
hyperledger · Oct 18, 2023 · 61fc700 · 61fc700
1 parent 4e8b553
commit 61fc700
Show file tree

Hide file tree

Showing 56 changed files with 259 additions and 906 deletions.
diff --git a/.cspell.json b/.cspell.json
@@ -20,11 +20,11 @@
         "cactusf",
         "cafile",
         "caio",
-        "cccs",
-        "ccep",
-        "cccg",
         "cbdc",
         "Cbdc",
+        "cccg",
+        "cccs",
+        "ccep",
         "ccid",
         "celo",
         "cids",
@@ -69,6 +69,7 @@
         "immalleable",
         "ipaddress",
         "ipfs",
+        "IPFSHTTP",
         "Iroha",
         "Irohad",
         "isready",
@@ -89,8 +90,8 @@
         "miekg",
         "mitchellh",
         "MSPCONFIGPATH",
-        "Mspids",
         "MSPID",
+        "Mspids",
         "MSPIDSCOPEALLFORTX",
         "MSPIDSCOPEANYFORTX",
         "Mtls",

diff --git a/examples/cactus-example-carbon-accounting-business-logic-plugin/package.json b/examples/cactus-example-carbon-accounting-business-logic-plugin/package.json
@@ -64,7 +64,7 @@
     "@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-xdai": "2.0.0-alpha.2",
     "async-exit-hook": "2.0.1",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.18.2",
     "openapi-types": "9.1.0",
     "typescript-optional": "2.0.1",

diff --git a/examples/cactus-example-cbdc-bridging-backend/package.json b/examples/cactus-example-cbdc-bridging-backend/package.json
@@ -70,7 +70,7 @@
     "@openzeppelin/contracts": "4.9.3",
     "@openzeppelin/contracts-upgradeable": "4.9.3",
     "async-exit-hook": "2.0.1",
-    "axios": "^0.27.2",
+    "axios": "1.5.1",
     "crypto-js": "4.1.1",
     "dotenv": "^16.0.1",
     "fabric-network": "2.2.19",

diff --git a/examples/cactus-example-discounted-asset-trade/package.json b/examples/cactus-example-discounted-asset-trade/package.json
@@ -24,7 +24,7 @@
     "@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-alpha.2",
     "@hyperledger/cactus-verifier-client": "2.0.0-alpha.2",
     "@types/node": "14.18.54",
-    "axios": "0.24.0",
+    "axios": "1.5.1",
     "body-parser": "1.20.2",
     "cookie-parser": "1.4.6",
     "debug": "3.1.0",

diff --git a/examples/cactus-example-supply-chain-backend/package.json b/examples/cactus-example-supply-chain-backend/package.json
@@ -64,7 +64,7 @@
     "@hyperledger/cactus-plugin-ledger-connector-quorum": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
     "async-exit-hook": "2.0.1",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "dotenv": "16.0.0",
     "express": "4.18.2",
     "express-jwt": "8.4.1",

diff --git a/examples/cactus-example-supply-chain-business-logic-plugin/package.json b/examples/cactus-example-supply-chain-business-logic-plugin/package.json
@@ -65,7 +65,7 @@
     "@hyperledger/cactus-plugin-ledger-connector-fabric": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-quorum": "2.0.0-alpha.2",
     "async-exit-hook": "2.0.1",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "express": "4.18.2",
     "openapi-types": "9.1.0",
     "typescript-optional": "2.0.1",

diff --git a/extensions/cactus-plugin-htlc-coordinator-besu/package.json b/extensions/cactus-plugin-htlc-coordinator-besu/package.json
@@ -64,7 +64,7 @@
     "@hyperledger/cactus-plugin-htlc-eth-besu-erc20": "2.0.0-alpha.2",
     "@hyperledger/cactus-plugin-ledger-connector-besu": "2.0.0-alpha.2",
     "@hyperledger/cactus-test-plugin-htlc-eth-besu-erc20": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "body-parser": "1.20.2",
     "fast-safe-stringify": "2.1.1",
     "joi": "14.3.1",

diff --git a/extensions/cactus-plugin-object-store-ipfs/package.json b/extensions/cactus-plugin-object-store-ipfs/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@hyperledger/cactus-plugin-object-store-ipfs",
   "version": "2.0.0-alpha.2",
-  "description": "IPFS backed objec store plugin implementation for Hyperledger Cactus",
+  "description": "IPFS backed object store plugin implementation for Hyperledger Cactus",
   "keywords": [
     "Hyperledger",
     "Cactus",
@@ -58,7 +58,7 @@
     "@hyperledger/cactus-common": "2.0.0-alpha.2",
     "@hyperledger/cactus-core": "2.0.0-alpha.2",
     "@hyperledger/cactus-core-api": "2.0.0-alpha.2",
-    "axios": "0.21.4",
+    "axios": "1.5.1",
     "ipfs-http-client": "60.0.1",
     "run-time-error": "1.4.0",
     "typescript-optional": "2.0.1",
@@ -68,7 +68,7 @@
     "@hyperledger/cactus-test-tooling": "2.0.0-alpha.2",
     "@types/express": "4.17.19",
     "express": "4.18.2",
-    "ipfs-core-types": "0.6.1",
+    "ipfs-core-types": "0.14.1",
     "multiformats": "9.4.9"
   },
   "engines": {

diff --git a/extensions/cactus-plugin-object-store-ipfs/src/main/typescript/i-ipfs-http-client.ts b/extensions/cactus-plugin-object-store-ipfs/src/main/typescript/i-ipfs-http-client.ts
@@ -1,11 +1,11 @@
 import type { IPFS } from "ipfs-core-types";
-import type { EndpointConfig } from "ipfs-http-client";
+import type { EndpointConfig, IPFSHTTPClient } from "ipfs-http-client";
 
 export interface IIpfsHttpClient extends IPFS {
   getEndpointConfig: () => EndpointConfig;
 }
 
-export function isIpfsHttpClientOptions(x: unknown): x is IIpfsHttpClient {
+export function isIpfsHttpClientOptions(x: unknown): x is IPFSHTTPClient {
   if (!x) {
     return false;
   }

diff --git a/extensions/cactus-plugin-object-store-ipfs/src/main/typescript/plugin-object-store-ipfs.ts b/extensions/cactus-plugin-object-store-ipfs/src/main/typescript/plugin-object-store-ipfs.ts
@@ -1,6 +1,6 @@
 import path from "path";
 import type { Express } from "express";
-import { create } from "ipfs-http-client";
+import { create, IPFSHTTPClient } from "ipfs-http-client";
 import type { Options } from "ipfs-http-client";
 import { RuntimeError } from "run-time-error";
 import { Logger, Checks, LoggerProvider } from "@hyperledger/cactus-common";
@@ -22,7 +22,6 @@ import OAS from "../json/openapi.json";
 import { GetObjectEndpointV1 } from "./web-services/get-object-endpoint-v1";
 import { SetObjectEndpointV1 } from "./web-services/set-object-endpoint-v1";
 import { HasObjectEndpointV1 } from "./web-services/has-object-endpoint-v1";
-import type { IIpfsHttpClient } from "./i-ipfs-http-client";
 import { isIpfsHttpClientOptions } from "./i-ipfs-http-client";
 
 export const K_IPFS_JS_HTTP_ERROR_FILE_DOES_NOT_EXIST =
@@ -31,13 +30,13 @@ export const K_IPFS_JS_HTTP_ERROR_FILE_DOES_NOT_EXIST =
 export interface IPluginObjectStoreIpfsOptions extends ICactusPluginOptions {
   readonly logLevel?: LogLevelDesc;
   readonly parentDir: string;
-  readonly ipfsClientOrOptions: Options | IIpfsHttpClient;
+  readonly ipfsClientOrOptions: Options | IPFSHTTPClient;
 }
 
 export class PluginObjectStoreIpfs implements IPluginObjectStore {
   public static readonly CLASS_NAME = "PluginObjectStoreIpfs";
 
-  private readonly ipfs: IIpfsHttpClient;
+  private readonly ipfs: IPFSHTTPClient;
   private readonly log: Logger;
   private readonly instanceId: string;
   private readonly parentDir: string;

diff --git a/...-plugin-object-store-ipfs/src/test/typescript/fixtures/mock/ipfs/ipfs-http-client-mock.ts b/...-plugin-object-store-ipfs/src/test/typescript/fixtures/mock/ipfs/ipfs-http-client-mock.ts