Fix CG for typed-rest-client (#370)

* Fix CG

- Rewrited react samples on vite because of react'scripts contains cve and not maintained

* Fix CG

- Npm audit fix for webpack samples

* Fix CG

- Fixed CVE in typed-rest client
- Migrated package to use node14+ as mocha is not supported in versions below.
- Migrated CI to use Node14+ for tests
_ Bumped ts to v5
- Bumped typed-rest-client to new major version 2
- Added .vscode folder in .gitignore

* Fix CG

- Fixed tests for the new version of the typescript

* Fix CG

- Replaced crypto package(DES-ECB and MD4 algorythms calls) to a packages as they are become legacy in openssl3 which is used new node

* Fix CG

- Regenerated package.lock files in samples.

* Fix CG

- Fixed types in tests
- Fixed webpack samples

* Fix CG

- Bumped supported version

* Fix CG

- Updated README with new information

* Fix CG

- Updated README with new information

.gitignore

@@ -1,6 +1,7 @@
 typings
 node_modules
 _build
+.vscode
 lib/*.js
 samples/*.js
 samples/*.txt

README.md

@@ -73,7 +73,8 @@ set NODE_DEBUG=http
 
 ## Node support
 
-The typed-rest-client is built using the latest LTS version of Node 8. We also support the latest LTS for Node 6 and newer.
+v2 - [current, maintained] - Supports node 16 and above
+v1 - End Of Life, for Node < 16, contains security vulnerabilities, use at your own risk 
 
 ## Contributing
 

azure-pipelines.yml

@@ -10,7 +10,7 @@ variables:
 parameters:
 - name: nodeVersionList
  type: object
- default: [6, 8, 10, 12, 14, 16]
+ default: [16, 18, 20]
 - name: imageList
  type: object
  default: 
@@ -58,8 +58,8 @@ extends:
  steps:
  - task: NodeTool@0
  inputs:
- versionSpec: '8.x'
- displayName: Install node 8
+ versionSpec: '20.x'
+ displayName: Install node 20.x
  - script: npm install
  displayName: npm install
  - script: npm run build

lib/Util.ts

@@ -86,7 +86,7 @@ function buildParamsStringifyOptions(queryParams: IRequestQueryParams): any {
  * @param {string} charset? - optional; defaults to 'utf-8'
  * @return {Promise<string>}
  */
-export async function decompressGzippedContent(buffer: Buffer, charset?: string): Promise<string> {
+export async function decompressGzippedContent(buffer: Buffer, charset?: BufferEncoding): Promise<string> {
  return new Promise<string>(async (resolve, reject) => {
  zlib.gunzip(buffer, function (error, buffer) {
  if (error) {
@@ -128,16 +128,19 @@ export function buildProxyBypassRegexFromEnv(bypass : string) : RegExp {
  * @param {IHttpClientResponse} response
  * @return {string} - Content Encoding Charset; Default=utf-8
  */
-export function obtainContentCharset (response: IHttpClientResponse) : string {
+export function obtainContentCharset (response: IHttpClientResponse) : BufferEncoding {
  // Find the charset, if specified.
  // Search for the `charset=CHARSET` string, not including `;,\r\n`
  // Example: content-type: 'application/json;charset=utf-8'
  // |__ matches would be ['charset=utf-8', 'utf-8', index: 18, input: 'application/json; charset=utf-8']
  // |_____ matches[1] would have the charset :tada: , in our example it's utf-8
  // However, if the matches Array was empty or no charset found, 'utf-8' would be returned by default.
- const nodeSupportedEncodings = ['ascii', 'utf8', 'utf16le', 'ucs2', 'base64', 'binary', 'hex'];
+ const nodeSupportedEncodings: BufferEncoding[] = ['ascii', 'utf8', 'utf16le', 'ucs2', 'base64', 'binary', 'hex'];
  const contentType: string = response.message.headers['content-type'] || '';
  const matches: (RegExpMatchArray|null) = contentType.match(/charset=([^;,\r\n]+)/i);
+ if (matches && matches[1] && nodeSupportedEncodings.indexOf(matches[1] as BufferEncoding) != -1) {
+ return matches[1] as BufferEncoding;
+ }
 
- return (matches && matches[1] && nodeSupportedEncodings.indexOf(matches[1]) != -1) ? matches[1] : 'utf-8';
+ return 'utf-8';
 }

lib/handlers/ntlm.ts

@@ -60,6 +60,7 @@ export class NtlmCredentialHandler implements ifm.IRequestHandler {
  const callbackForResult = function (err: any, res: ifm.IHttpClientResponse) {
  if (err) {
  reject(err);
+ return;
  }
  // We have to readbody on the response before continuing otherwise there is a hang.
  res.readBody().then(() => {

lib/opensource/Node-SMB/lib/common.js

@@ -30,7 +30,7 @@ function oddpar(buf)
  */
 function expandkey(key56)
 {
- var key64 = new Buffer(8);
+ var key64 = Buffer.alloc(8);
 
  key64[0] = key56[0] & 0xFE;
  key64[1] = ((key56[0] << 7) & 0xFF) | (key56[1] >> 1);
@@ -49,7 +49,7 @@ function expandkey(key56)
  */
 function bintohex(bin)
 {
- var buf = (Buffer.isBuffer(buf) ? buf : new Buffer(bin, 'binary'));
+ var buf = (Buffer.isBuffer(buf) ? buf : Buffer.from(bin, 'binary'));
  var str = buf.toString('hex').toUpperCase();
  return zeroextend(str, 32);
 }

lib/opensource/Node-SMB/lib/ntlm.js

@@ -4,6 +4,7 @@ var $ = require('./common');
 var lmhashbuf = require('./smbhash').lmhashbuf;
 var nthashbuf = require('./smbhash').nthashbuf;
 
+var desjs = require("des.js");
 
 function encodeType1(hostname, ntdomain) {
  hostname = hostname.toUpperCase();
@@ -12,7 +13,7 @@ function encodeType1(hostname, ntdomain) {
  var ntdomainlen = Buffer.byteLength(ntdomain, 'ascii');
 
  var pos = 0;
- var buf = new Buffer(32 + hostnamelen + ntdomainlen);
+ var buf = Buffer.alloc(32 + hostnamelen + ntdomainlen);
 
  buf.write('NTLMSSP', pos, 7, 'ascii'); // byte protocol[8];
  pos += 7;
@@ -86,10 +87,10 @@ function encodeType3(username, hostname, ntdomain, nonce, password) {
  hostname = hostname.toUpperCase();
  ntdomain = ntdomain.toUpperCase();
 
- var lmh = new Buffer(21);
+ var lmh = Buffer.alloc(21);
  lmhashbuf(password).copy(lmh);
  lmh.fill(0x00, 16); // null pad to 21 bytes
- var nth = new Buffer(21);
+ var nth = Buffer.alloc(21);
  nthashbuf(password).copy(nth);
  nth.fill(0x00, 16); // null pad to 21 bytes
 
@@ -110,7 +111,7 @@ function encodeType3(username, hostname, ntdomain, nonce, password) {
 
  var pos = 0;
  var msg_len = 64 + ntdomainlen + usernamelen + hostnamelen + lmrlen + ntrlen;
- var buf = new Buffer(msg_len);
+ var buf = Buffer.alloc(msg_len);
 
  buf.write('NTLMSSP', pos, 7, 'ascii'); // byte protocol[8];
  pos += 7;
@@ -189,12 +190,17 @@ function encodeType3(username, hostname, ntdomain, nonce, password) {
 
 function makeResponse(hash, nonce)
 {
- var out = new Buffer(24);
+ var out = Buffer.alloc(24);
+
  for (var i = 0; i < 3; i++) {
  var keybuf = $.oddpar($.expandkey(hash.slice(i * 7, i * 7 + 7)));
- var des = crypto.createCipheriv('DES-ECB', keybuf, '');
- var str = des.update(nonce.toString('binary'), 'binary', 'binary');
- out.write(str, i * 8, i * 8 + 8, 'binary');
+
+ var des = desjs.DES.create({type: 'encrypt', key: keybuf});
+ var magicKey = Buffer.from(nonce.toString('binary'));
+ var insertBuff = Buffer.from(des.update(magicKey));
+
+ out.fill(insertBuff, i * 8, i * 8 + 8, 'binary');
+
  }
  return out;
 }
@@ -210,7 +216,7 @@ exports.challengeHeader = function (hostname, domain) {
 };
 
 exports.responseHeader = function (res, url, domain, username, password) {
- var serverNonce = new Buffer((res.headers['www-authenticate'].match(/^NTLM\s+(.+?)(,|\s+|$)/) || [])[1], 'base64');
+ var serverNonce = Buffer.from((res.headers['www-authenticate'].match(/^NTLM\s+(.+?)(,|\s+|$)/) || [])[1], 'base64');
  var hostname = require('url').parse(url).hostname;
  return 'NTLM ' + exports.encodeType3(username, hostname, domain, exports.decodeType2(serverNonce), password).toString('base64')
 };

lib/opensource/Node-SMB/lib/smbhash.js

@@ -1,6 +1,8 @@
-var crypto = require('crypto');
 var $ = require('./common');
 
+var jsmd4 = require("js-md4");
+var desjs = require("des.js");
+
 /*
  * Generate the LM Hash
  */
@@ -11,7 +13,7 @@ function lmhashbuf(inputstr)
  var xl = Buffer.byteLength(x, 'ascii');
 
  /* null pad to 14 bytes */
- var y = new Buffer(14);
+ var y = Buffer.alloc(14);
  y.write(x, 0, xl, 'ascii');
  y.fill(0, xl);
 
@@ -24,12 +26,13 @@ function lmhashbuf(inputstr)
  /* DES encrypt magic number "KGS!@#$%" to two
  * 8-byte ciphertexts, (ECB, no padding)
  */
- var buf = new Buffer(16);
+ var buf = Buffer.alloc(16);
  var pos = 0;
  var cts = halves.forEach(function(z) {
- var des = crypto.createCipheriv('DES-ECB', z, '');
- var str = des.update('KGS!@#$%', 'binary', 'binary');
- buf.write(str, pos, pos + 8, 'binary');
+ var des = desjs.DES.create({type: 'encrypt', key: z});
+ var magicKey = Buffer.from('KGS!@#$%', 'ascii');
+ var insertBuff = Buffer.from(des.update(magicKey));
+ buf.fill(insertBuff, pos, pos + 8, 'binary');
  pos += 8;
  });
 
@@ -41,10 +44,10 @@ function lmhashbuf(inputstr)
 function nthashbuf(str)
 {
  /* take MD4 hash of UCS-2 encoded password */
- var ucs2 = new Buffer(str, 'ucs2');
- var md4 = crypto.createHash('md4');
+ var ucs2 = Buffer.from(str, 'ucs2');
+ var md4 = jsmd4.create();
  md4.update(ucs2);
- return new Buffer(md4.digest('binary'), 'binary');
+ return Buffer.from(md4.digest('binary'), 'binary');
 }
 
 function lmhash(is)