Fix code scanning alert - Use of externally-controlled format string

tstiehm · tstiehm · commit c78c25fe58ec · 2025-03-12T13:42:07.000-04:00
Related to #2 --- For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/Coveros-GitHub-Sandbox/demo-codeveros/issues/2?shareId=XXXX-XXXX-XXXX-XXXX).
diff --git a/services/auth-service/nodejs/src/lib/controller.js b/services/auth-service/nodejs/src/lib/controller.js
@@ -4,10 +4,21 @@ const TokenHandler = require('./token-handler');
 
 const tokenHandler = new TokenHandler(process.env.JWT_TOKEN);
 
+function validateRequestBody(body) {
+  if (!body || typeof body !== 'object') {
+    return false;
+  }
+  return true;
+}
+
 exports.signToken = async ctx => {
   const logger = ctx.codeveros.logger;
   logger.debug('Creating token');
   const { payload } = ctx.request.body;
+  if (!validateRequestBody(ctx.request.body)) {
+    logger.debug('Invalid request body');
+    ctx.throw(400, 'Invalid request body');
+  }
   const token = await tokenHandler.sign(payload);
   logger.debug('Token created');
   ctx.body = { token };
@@ -17,6 +28,10 @@ exports.verifyToken = async ctx => {
   const logger = ctx.codeveros.logger;
   const values = ctx.request.body;
   logger.debug('Verifying token');
+  if (!validateRequestBody(ctx.request.body)) {
+    logger.debug('Invalid request body');
+    ctx.throw(400, 'Invalid request body');
+  }
   if (values && values.token) {
     try {
       const payload = await tokenHandler.verify(values.token);
diff --git a/services/auth-service/nodejs/src/lib/token-handler.js b/services/auth-service/nodejs/src/lib/token-handler.js
@@ -5,8 +5,18 @@ module.exports = class TokenHandler {
     this.secret = secret;
   }
 
+  validatePayload(payload) {
+    if (!payload || typeof payload !== 'object') {
+      return false;
+    }
+    return true;
+  }
+
   sign (payload) {
     return new Promise((resolve, reject) => {
+      if (!this.validatePayload(payload)) {
+        return reject(new Error('Invalid payload'));
+      }
       jwt.sign(payload, this.secret, (err, token) => {
         return err ? reject(err) : resolve(token);
       });
@@ -16,7 +26,13 @@ module.exports = class TokenHandler {
   verify (token) {
     return new Promise((resolve, reject) => {
       jwt.verify(token, this.secret, (err, payload) => {
-        return err ? reject(err) : resolve(payload);
+        if (err) {
+          return reject(err);
+        }
+        if (!this.validatePayload(payload)) {
+          return reject(new Error('Invalid payload'));
+        }
+        return resolve(payload);
       });
     });
   }
diff --git a/services/gateway/nodejs/src/lib/api-docs.js b/services/gateway/nodejs/src/lib/api-docs.js
@@ -30,10 +30,26 @@ const baseSpec = {
   security: [{ bearerAuth: [] }]
 };
 
+const allowedUrls = [
+  'http://user-service-url/api/docs',
+  'http://training-service-url/api/docs'
+];
+
+function validateUrl(url) {
+  return allowedUrls.includes(url);
+}
+
 module.exports = opts => async (req, res) => {
+  const userServiceUrl = `${opts.userServiceUrl}/api/docs`;
+  const trainingServiceUrl = `${opts.trainingServiceUrl}/api/docs`;
+
+  if (!validateUrl(userServiceUrl) || !validateUrl(trainingServiceUrl)) {
+    return res.status(400).send('Invalid URL');
+  }
+
   const [userSpec, trainingSpec] = await Promise.all([
-    unirest.get(`${opts.userServiceUrl}/api/docs`),
-    unirest.get(`${opts.trainingServiceUrl}/api/docs`)
+    unirest.get(userServiceUrl),
+    unirest.get(trainingServiceUrl)
   ]);
 
   let specFailure = false;
diff --git a/services/gateway/nodejs/src/lib/authentication.js b/services/gateway/nodejs/src/lib/authentication.js
@@ -1,10 +1,26 @@
 const unirest = require('unirest');
 
+const allowedUrls = [
+  'http://auth-service-url/api/auth/signToken',
+  'http://auth-service-url/api/auth/verifyToken',
+  'http://user-service-url/api/user',
+  'http://user-service-url/api/user/login'
+];
+
+function validateUrl(url) {
+  return allowedUrls.includes(url);
+}
+
 module.exports = opts => {
   async function signToken (payload) {
     try {
+      const url = `${opts.authServiceUrl}/api/auth/signToken`;
+      if (!validateUrl(url)) {
+        console.log('Invalid URL');
+        return;
+      }
       const tokenRes = await unirest
-        .post(`${opts.authServiceUrl}/api/auth/signToken`).type('json').send({ payload });
+        .post(url).type('json').send({ payload });
 
       if (!tokenRes) {
         console.log('Did not receive a response when attempting to sign JWT token');
@@ -34,7 +50,12 @@ module.exports = opts => {
 
     let createUserRes;
     try {
-      createUserRes = await unirest.post(`${opts.userServiceUrl}/api/user`).type('json').send(req.body);
+      const url = `${opts.userServiceUrl}/api/user`;
+      if (!validateUrl(url)) {
+        console.log('Invalid URL');
+        return sendError();
+      }
+      createUserRes = await unirest.post(url).type('json').send(req.body);
     } catch (err) {
       console.error('Failed to create user record in User service: ', err);
       return sendError();
@@ -74,8 +95,13 @@ module.exports = opts => {
     }
 
     try {
+      const url = `${opts.userServiceUrl}/api/user/login`;
+      if (!validateUrl(url)) {
+        console.log('Invalid URL');
+        return sendLoginError();
+      }
       const loginRes = await unirest
-        .post(`${opts.userServiceUrl}/api/user/login`)
+        .post(url)
         .type('json')
         .send({ username, password });
 
@@ -121,8 +147,13 @@ module.exports = opts => {
     const splitAuth = authHeader.split(' ');
     if (Array.isArray(splitAuth) && splitAuth.length >= 2 && splitAuth[0] === 'Bearer') {
       try {
+        const url = `${opts.authServiceUrl}/api/auth/verifyToken`;
+        if (!validateUrl(url)) {
+          console.log('Invalid URL');
+          return sendTokenError();
+        }
         const tokenRes = await unirest
-          .post(`${opts.authServiceUrl}/api/auth/verifyToken`)
+          .post(url)
           .type('json')
           .send({ token: splitAuth[1] });
         if (tokenRes.ok && tokenRes.body && tokenRes.body.valid) {
@@ -144,7 +175,12 @@ module.exports = opts => {
     }
 
     try {
-      const userRes = await unirest.get(`${opts.userServiceUrl}/api/user/${req.jwtPayload._id}`);
+      const url = `${opts.userServiceUrl}/api/user/${req.jwtPayload._id}`;
+      if (!validateUrl(url)) {
+        console.log('Invalid URL');
+        return res.status(200).send();
+      }
+      const userRes = await unirest.get(url);
 
       if (!userRes || userRes.error || !userRes.ok || !userRes.body || !userRes.body._id) {
         console.log('Failed to retrieve user from JWT');
diff --git a/services/ui/angular/src/app/auth/auth.service.ts b/services/ui/angular/src/app/auth/auth.service.ts
@@ -67,9 +67,23 @@ export class AuthService {
     return this.loggedInUser;
   }
 
+  validateUrl(url: string): boolean {
+    const allowedUrls = [
+      `${this.endpoint}/login`,
+      `${this.endpoint}/register`,
+      `${this.endpoint}/logout`,
+      `${this.endpoint}/loggedin`
+    ];
+    return allowedUrls.includes(url);
+  }
+
   login(username: string, password: string): Observable<boolean> {
     this.token = null;
-    return this.http.post<LoginResponse>(`${this.endpoint}/login`, {username, password})
+    const url = `${this.endpoint}/login`;
+    if (!this.validateUrl(url)) {
+      throw new Error('Invalid URL');
+    }
+    return this.http.post<LoginResponse>(url, {username, password})
       .pipe(map(({ token, user }) => {
         this.token = token;
         this.loggedInUser = user;
@@ -78,7 +92,11 @@ export class AuthService {
   }
 
   register(registration: Registration): Observable<boolean> {
-    return this.http.post<LoginResponse>(`${this.endpoint}/register`, registration)
+    const url = `${this.endpoint}/register`;
+    if (!this.validateUrl(url)) {
+      throw new Error('Invalid URL');
+    }
+    return this.http.post<LoginResponse>(url, registration)
       .pipe(map( ({ token, user }) => {
         this.token = token;
         this.loggedInUser = user;
@@ -89,7 +107,11 @@ export class AuthService {
   logout() {
     this.token = null;
     this.loggedInUser = null;
-    this.http.post<void>(`${this.endpoint}/logout`, {});
+    const url = `${this.endpoint}/logout`;
+    if (!this.validateUrl(url)) {
+      throw new Error('Invalid URL');
+    }
+    this.http.post<void>(url, {});
     this.router.navigate(['/login']);
   }
 }
