diff --git a/Meadowlark-js/backends/meadowlark-elasticsearch-backend/package.json b/Meadowlark-js/backends/meadowlark-elasticsearch-backend/package.json
index 7098889c..bae0bff6 100644
--- a/Meadowlark-js/backends/meadowlark-elasticsearch-backend/package.json
+++ b/Meadowlark-js/backends/meadowlark-elasticsearch-backend/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@edfi/meadowlark-elasticsearch-backend",
 "main": "dist/index.js",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "description": "Meadowlark backend plugin for elasticsearch",
 "license": "Apache-2.0",
 "publishConfig": {
@@ -19,8 +19,8 @@
 "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
 },
 "dependencies": {
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@elastic/elasticsearch": "^8.10.0",
 "@elastic/transport": "^8.3.4"
 },
diff --git a/Meadowlark-js/backends/meadowlark-mongodb-backend/package.json b/Meadowlark-js/backends/meadowlark-mongodb-backend/package.json
index ff1c83de..84095072 100644
--- a/Meadowlark-js/backends/meadowlark-mongodb-backend/package.json
+++ b/Meadowlark-js/backends/meadowlark-mongodb-backend/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@edfi/meadowlark-mongodb-backend",
 "main": "dist/index.js",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "description": "Meadowlark backend plugin for MongoDB",
 "license": "Apache-2.0",
 "publishConfig": {
@@ -19,9 +19,9 @@
 "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
 },
 "dependencies": {
- "@edfi/meadowlark-authz-server": "0.4.1-pre.1",
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-authz-server": "0.4.1-pre.2",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "async-retry": "^1.3.3",
 "mongodb": "^5.9.2",
 "ramda": "0.29.1"
diff --git a/Meadowlark-js/backends/meadowlark-opensearch-backend/package.json b/Meadowlark-js/backends/meadowlark-opensearch-backend/package.json
index aeb44f13..528d8d3c 100644
--- a/Meadowlark-js/backends/meadowlark-opensearch-backend/package.json
+++ b/Meadowlark-js/backends/meadowlark-opensearch-backend/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@edfi/meadowlark-opensearch-backend",
 "main": "dist/index.js",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "description": "Meadowlark backend plugin for OpenSearch",
 "license": "Apache-2.0",
 "publishConfig": {
@@ -19,8 +19,8 @@
 "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
 },
 "dependencies": {
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@opensearch-project/opensearch": "^2.4.0"
 },
 "devDependencies": {
diff --git a/Meadowlark-js/backends/meadowlark-postgresql-backend/package.json b/Meadowlark-js/backends/meadowlark-postgresql-backend/package.json
index 4552133d..253df115 100644
--- a/Meadowlark-js/backends/meadowlark-postgresql-backend/package.json
+++ b/Meadowlark-js/backends/meadowlark-postgresql-backend/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@edfi/meadowlark-postgresql-backend",
 "main": "dist/index.js",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "description": "Meadowlark backend plugin for PostgreSQL",
 "license": "Apache-2.0",
 "publishConfig": {
@@ -19,9 +19,9 @@
 "build:copy-non-ts": "copyfiles -u 1 -e \"**/*.ts\" \"src/**/*\" dist --verbose"
 },
 "dependencies": {
- "@edfi/meadowlark-authz-server": "0.4.1-pre.1",
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-authz-server": "0.4.1-pre.2",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "pg": "^8.11.3",
 "pg-format": "^1.0.4",
 "ramda": "0.29.1"
diff --git a/Meadowlark-js/lerna.json b/Meadowlark-js/lerna.json
index 58b0eebf..e367818e 100644
--- a/Meadowlark-js/lerna.json
+++ b/Meadowlark-js/lerna.json
@@ -3,7 +3,7 @@
 "packages": [
 "packages/*"
 ],
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "npmClient": "npm",
 "useWorkspaces": true
 }
diff --git a/Meadowlark-js/package-lock.json b/Meadowlark-js/package-lock.json
index 10a9f33c..eafd3d4e 100644
--- a/Meadowlark-js/package-lock.json
+++ b/Meadowlark-js/package-lock.json
@@ -52,11 +52,11 @@
 },
 "backends/meadowlark-elasticsearch-backend": {
 "name": "@edfi/meadowlark-elasticsearch-backend",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "license": "Apache-2.0",
 "dependencies": {
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@elastic/elasticsearch": "^8.10.0",
 "@elastic/transport": "^8.3.4"
 },
@@ -70,12 +70,12 @@
 },
 "backends/meadowlark-mongodb-backend": {
 "name": "@edfi/meadowlark-mongodb-backend",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "license": "Apache-2.0",
 "dependencies": {
- "@edfi/meadowlark-authz-server": "0.4.1-pre.1",
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-authz-server": "0.4.1-pre.2",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "async-retry": "^1.3.3",
 "mongodb": "^5.9.2",
 "ramda": "0.29.1"
@@ -88,11 +88,11 @@
 },
 "backends/meadowlark-opensearch-backend": {
 "name": "@edfi/meadowlark-opensearch-backend",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "license": "Apache-2.0",
 "dependencies": {
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@opensearch-project/opensearch": "^2.4.0"
 },
 "devDependencies": {
@@ -105,12 +105,12 @@
 },
 "backends/meadowlark-postgresql-backend": {
 "name": "@edfi/meadowlark-postgresql-backend",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "license": "Apache-2.0",
 "dependencies": {
- "@edfi/meadowlark-authz-server": "0.4.1-pre.1",
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-authz-server": "0.4.1-pre.2",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "pg": "^8.11.3",
 "pg-format": "^1.0.4",
 "ramda": "0.29.1"
@@ -22595,11 +22595,11 @@
 },
 "packages/meadowlark-authz-server": {
 "name": "@edfi/meadowlark-authz-server",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "license": "Apache-2.0",
 "dependencies": {
 "@apideck/better-ajv-errors": "^0.3.6",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "ajv": "^8.12.0",
 "didyoumean2": "^6.0.1",
 "dotenv": "^16.3.1",
@@ -22649,11 +22649,11 @@
 },
 "packages/meadowlark-core": {
 "name": "@edfi/meadowlark-core",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "license": "Apache-2.0",
 "dependencies": {
 "@apideck/better-ajv-errors": "^0.3.6",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@isaacs/ttlcache": "^1.4.1",
 "ajv": "^8.12.0",
 "ajv-formats": "^2.1.1",
@@ -22743,7 +22743,7 @@
 },
 "packages/meadowlark-utilities": {
 "name": "@edfi/meadowlark-utilities",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "license": "Apache-2.0",
 "dependencies": {
 "pino": "^8.15.7",
@@ -22790,12 +22790,12 @@
 },
 "services/meadowlark-fastify": {
 "name": "@edfi/meadowlark-fastify",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "license": "Apache-2.0",
 "dependencies": {
- "@edfi/meadowlark-authz-server": "0.4.1-pre.1",
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-authz-server": "0.4.1-pre.2",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@fastify/rate-limit": "^6.0.1",
 "dotenv": "^16.3.1",
 "fastify": "^3.29.5"
@@ -22808,10 +22808,10 @@
 },
 "tests/e2e": {
 "name": "@edfi/meadowlark-e2e-tests",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "license": "Apache-2.0",
 "devDependencies": {
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@testcontainers/mongodb": "^10.3.1",
 "@testcontainers/postgresql": "^10.3.1",
 "@types/chance": "^1.1.6",
diff --git a/Meadowlark-js/packages/meadowlark-authz-server/package.json b/Meadowlark-js/packages/meadowlark-authz-server/package.json
index 840b0fad..d8ac5dd9 100644
--- a/Meadowlark-js/packages/meadowlark-authz-server/package.json
+++ b/Meadowlark-js/packages/meadowlark-authz-server/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@edfi/meadowlark-authz-server",
 "main": "dist/index.js",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "description": "Meadowlark authorization server",
 "license": "Apache-2.0",
 "publishConfig": {
@@ -14,7 +14,7 @@
 ],
 "dependencies": {
 "@apideck/better-ajv-errors": "^0.3.6",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "ajv": "^8.12.0",
 "didyoumean2": "^6.0.1",
 "dotenv": "^16.3.1",
diff --git a/Meadowlark-js/packages/meadowlark-core/package.json b/Meadowlark-js/packages/meadowlark-core/package.json
index 03685c22..844ed04e 100644
--- a/Meadowlark-js/packages/meadowlark-core/package.json
+++ b/Meadowlark-js/packages/meadowlark-core/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@edfi/meadowlark-core",
 "main": "dist/index.js",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "description": "Meadowlark core functionality",
 "license": "Apache-2.0",
 "publishConfig": {
@@ -14,7 +14,7 @@
 ],
 "dependencies": {
 "@apideck/better-ajv-errors": "^0.3.6",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@isaacs/ttlcache": "^1.4.1",
 "ajv": "^8.12.0",
 "ajv-formats": "^2.1.1",
diff --git a/Meadowlark-js/packages/meadowlark-utilities/package.json b/Meadowlark-js/packages/meadowlark-utilities/package.json
index 3b412a4f..47f01413 100644
--- a/Meadowlark-js/packages/meadowlark-utilities/package.json
+++ b/Meadowlark-js/packages/meadowlark-utilities/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@edfi/meadowlark-utilities",
 "main": "dist/index.js",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "description": "Meadowlark shared utilities",
 "license": "Apache-2.0",
 "publishConfig": {
diff --git a/Meadowlark-js/services/meadowlark-fastify/package.json b/Meadowlark-js/services/meadowlark-fastify/package.json
index f5b28edb..7cac7ea8 100644
--- a/Meadowlark-js/services/meadowlark-fastify/package.json
+++ b/Meadowlark-js/services/meadowlark-fastify/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@edfi/meadowlark-fastify",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "description": "Meadowlark service using Fastify",
 "license": "Apache-2.0",
 "publishConfig": {
@@ -12,9 +12,9 @@
 "/package.json"
 ],
 "dependencies": {
- "@edfi/meadowlark-authz-server": "0.4.1-pre.1",
- "@edfi/meadowlark-core": "0.4.1-pre.1",
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-authz-server": "0.4.1-pre.2",
+ "@edfi/meadowlark-core": "0.4.1-pre.2",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@fastify/rate-limit": "^6.0.1",
 "dotenv": "^16.3.1",
 "fastify": "^3.29.5"
diff --git a/Meadowlark-js/tests/e2e/package.json b/Meadowlark-js/tests/e2e/package.json
index 4a8d298e..b2c2644a 100644
--- a/Meadowlark-js/tests/e2e/package.json
+++ b/Meadowlark-js/tests/e2e/package.json
@@ -1,13 +1,13 @@
 {
 "name": "@edfi/meadowlark-e2e-tests",
 "main": "dist/index.js",
- "version": "0.4.1-pre.1",
+ "version": "0.4.1-pre.2",
 "description": "Meadowlark Ed-Fi API end to end tests",
 "license": "Apache-2.0",
 "private": true,
 "files": [],
 "devDependencies": {
- "@edfi/meadowlark-utilities": "0.4.1-pre.1",
+ "@edfi/meadowlark-utilities": "0.4.1-pre.2",
 "@testcontainers/mongodb": "^10.3.1",
 "@testcontainers/postgresql": "^10.3.1",
 "@types/chance": "^1.1.6",
diff --git a/Meadowlark-js/tests/e2e/scenarios/RequestSmuggling.test.ts b/Meadowlark-js/tests/e2e/scenarios/RequestSmuggling.test.ts
new file mode 100644
index 00000000..ebd4d0eb
--- /dev/null
+++ b/Meadowlark-js/tests/e2e/scenarios/RequestSmuggling.test.ts
@@ -0,0 +1,168 @@
+// SPDX-License-Identifier: Apache-2.0
+// Licensed to the Ed-Fi Alliance under one or more agreements.
+// The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+// See the LICENSE and NOTICES files in the project root for more information.
+
+import { baseURLRequest } from '../helpers/Shared';
+
+describe('when accepting an incoming token request', () => {
+ describe('given it does not have Transfer-Encoding or Content-Length headers', () => {
+ it('should respond with 401', async () => {
+ await baseURLRequest()
+ .post('/oauth/token')
+ .send({ grant_type: 'client_credentials', client_id: 'a', client_secret: 'b' })
+ .expect(401);
+ });
+ });
+
+ describe('given it has a Transfer-Encoding of gzip', () => {
+ it('should respond with 400', async () => {
+ await baseURLRequest()
+ .post('/oauth/token')
+ .set({ 'Transfer-Encoding': 'gzip' })
+ .send({})
+ .expect(400)
+ .then((response) => {
+ expect(response.body).toMatchInlineSnapshot(`
+ {
+ "error": "Bad Request",
+ "message": "Client Error",
+ "statusCode": 400,
+ }
+ `);
+ });
+ });
+ });
+
+ describe('given it has both Transfer-Encoding and Content-Length (proper case)', () => {
+ it('should respond with 400', async () => {
+ await baseURLRequest()
+ .post('/oauth/token')
+ .set({ 'Transfer-Encoding': 'chunked', 'Content-Length': 1 })
+ .send({})
+ .expect(400)
+ .then((response) => {
+ expect(response.body).toMatchInlineSnapshot(`
+ {
+ "error": "Bad Request",
+ "message": "Client Error",
+ "statusCode": 400,
+ }
+ `);
+ });
+ });
+ });
+
+ describe('given it has both Transfer-Encoding and Content-Length (lower case)', () => {
+ it('should respond with 400', async () => {
+ await baseURLRequest()
+ .post('/oauth/token')
+ .set({ 'transfer-encoding': 'chunked', 'content-length': 1 })
+ .send({})
+ .expect(400)
+ .then((response) => {
+ expect(response.body).toMatchInlineSnapshot(`
+ {
+ "error": "Bad Request",
+ "message": "Client Error",
+ "statusCode": 400,
+ }
+ `);
+ });
+ });
+ });
+});
+
+describe('when accepting an incoming PUT request for a resource', () => {
+ describe('given it does not have Transfer-Encoding or Content-Length headers', () => {
+ it('should respond with 400', async () => {
+ await baseURLRequest()
+ .put('/v3.3b/ed-fi/persons')
+ .send({ firstName: 'a' })
+ .expect(400)
+ .then((response) => {
+ expect(response.body).toMatchInlineSnapshot(`
+ {
+ "error": "Invalid authorization header",
+ }
+ `);
+ });
+ });
+ });
+
+ describe('given it has a Transfer-Encoding of gzip', () => {
+ it('should respond with 400', async () => {
+ await baseURLRequest()
+ .put('/v3.3b/ed-fi/students')
+ .set({ 'Transfer-Encoding': 'gzip' })
+ .send({})
+ .expect(400)
+ .then((response) => {
+ expect(response.body).toMatchInlineSnapshot(`
+ {
+ "error": "Bad Request",
+ "message": "Client Error",
+ "statusCode": 400,
+ }
+ `);
+ });
+ });
+ });
+
+ describe('given it has a Transfer-Encoding of chunked', () => {
+ it('should respond with 400', async () => {
+ await baseURLRequest()
+ .put('/v3.3b/ed-fi/students')
+ .set({ 'Transfer-Encoding': 'chunked' })
+ .send({})
+ .expect(400)
+ .then((response) => {
+ expect(response.body).toMatchInlineSnapshot(`
+ {
+ "error": "Bad Request",
+ "message": "Client Error",
+ "statusCode": 400,
+ }
+ `);
+ });
+ });
+ });
+
+ describe('given it has both Transfer-Encoding and Content-Length (proper case)', () => {
+ it('should respond with 400', async () => {
+ await baseURLRequest()
+ .put('/v3.3b/ed-fi/persons')
+ .set({ 'Transfer-Encoding': 'chunked', 'Content-Length': 1 })
+ .send({})
+ .expect(400)
+ .then((response) => {
+ expect(response.body).toMatchInlineSnapshot(`
+ {
+ "error": "Bad Request",
+ "message": "Client Error",
+ "statusCode": 400,
+ }
+ `);
+ });
+ });
+ });
+
+ describe('given it has both Transfer-Encoding and Content-Length (lower case)', () => {
+ it('should respond with 400', async () => {
+ await baseURLRequest()
+ .put('/v3.3b/ed-fi/persons')
+ .set({ 'transfer-encoding': 'chunked', 'content-length': 1 })
+ .send({})
+ .expect(400)
+ .then((response) => {
+ expect(response.body).toMatchInlineSnapshot(`
+ {
+ "error": "Bad Request",
+ "message": "Client Error",
+ "statusCode": 400,
+ }
+ `);
+ });
+ });
+ });
+});
diff --git a/Meadowlark-js/tests/e2e/scenarios/ResourcesCRUDValidation.test.ts b/Meadowlark-js/tests/e2e/scenarios/ResourcesCRUDValidation.test.ts
index 5665748b..b45df5d2 100644
--- a/Meadowlark-js/tests/e2e/scenarios/ResourcesCRUDValidation.test.ts
+++ b/Meadowlark-js/tests/e2e/scenarios/ResourcesCRUDValidation.test.ts
@@ -1,3 +1,8 @@
+// SPDX-License-Identifier: Apache-2.0
+// Licensed to the Ed-Fi Alliance under one or more agreements.
+// The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+// See the LICENSE and NOTICES files in the project root for more information.
+
 import { Response } from 'supertest';
 import { getAccessToken } from '../helpers/Credentials';
 import { baseURLRequest, rootURLRequest } from '../helpers/Shared';
diff --git a/Meadowlark-js/tests/e2e/scenarios/SecurityValidation.test.ts b/Meadowlark-js/tests/e2e/scenarios/SecurityValidation.test.ts
index 174b8b2e..1286b1df 100644
--- a/Meadowlark-js/tests/e2e/scenarios/SecurityValidation.test.ts
+++ b/Meadowlark-js/tests/e2e/scenarios/SecurityValidation.test.ts
@@ -1,3 +1,8 @@
+// SPDX-License-Identifier: Apache-2.0
+// Licensed to the Ed-Fi Alliance under one or more agreements.
+// The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+// See the LICENSE and NOTICES files in the project root for more information.
+
 import { Credentials, createClient, getAccessToken } from '../helpers/Credentials';
 import { createResource, deleteResourceByLocation } from '../helpers/Resources';
 import { baseURLRequest, rootURLRequest } from '../helpers/Shared';
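Review bot: The two `given it does not have Transfer-Encoding or Content-Length headers` scenarios (the first case in each describe block of RequestSmuggling.test.ts) send a JSON body via `.send(...)`, which presumably makes the HTTP client add a Content-Length header on its own, so they exercise an ordinary, unambiguously framed request that is refused for missing credentials (401 / `Invalid authorization header`) rather than an unframed one; a title such as `given it has only a Content-Length header` would say what is actually asserted. The remaining cases expect a 400 `Client Error` body, which looks like a parser-level rejection of ambiguous framing (Transfer-Encoding together with Content-Length, or a Transfer-Encoding of gzip) rather than a response produced by a Meadowlark handler, and that guarantee is worth spelling out in a file header, e.g. `// Requests whose body length is ambiguous (Transfer-Encoding alongside Content-Length, or a non-chunked Transfer-Encoding) must be rejected before any handler runs; these assertions stop meaning anything if HTTP parsing is ever relaxed (e.g. Node's insecureHTTPParser option).`. As a point of style, every `it` awaits a chain that ends in `.then((response) => ...)`; `const response = await baseURLRequest()....expect(400);` followed by the snapshot assertion avoids mixing the two forms.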