[Prod] Resolve issues found during pen test

bin/test-backend-ci

@@ -41,7 +41,7 @@ main(){
 	check_exit "$?"
 
     # then list through the folders and run the tests
-    targets=("lib" "middleware" "models" "policies" "routes" "scopes" "services" "tools" "widgets" "goalServices")
+    targets=("lib" "middleware" "models" "policies" "routes" "scopes" "services" "tools" "widgets" "goalServices" "hooks")
 
     for target in "${targets[@]}"; do
         # jest command to

package.json

@@ -52,7 +52,7 @@
     "db:seed:prod": "node_modules/.bin/sequelize db:seed:all --options-path .production.sequelizerc",
     "db:seed:undo": "node_modules/.bin/sequelize db:seed:undo:all",
     "db:seed:undo:prod": "node_modules/.bin/sequelize db:seed:undo:all --options-path .production.sequelizerc",
-    "docker:deps": "docker-compose run --rm backend yarn install && docker-compose run --rm frontend yarn install",
+    "docker:deps": "docker-compose run --rm backend yarn install && docker-compose run --rm frontend yarn install && docker-compose run --rm testingonly yarn install",
     "docker:reset": "./bin/reset-all",
     "docker:start": "docker-compose up",
     "docker:start:debug": "docker-compose --compatibility -f docker-compose.yml -f docker-compose.debug.yml up",

packages/common/README.md

@@ -21,6 +21,9 @@ Note: On Windows you will need to use `yarn add @ttahub/[email protected]` to update
 
 ## Versions
 
+## 2.0.19
+Add "escapeHTML" function
+
 ## 1.4.0 
 Add SUPPORT_TYPE
 

packages/common/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@ttahub/common",
-    "version": "2.0.18",
+    "version": "2.1.2",
     "description": "The purpose of this package is to reduce code duplication between the frontend and backend projects.",
     "main": "src/index.js",
     "author": "",

packages/common/src/utils.js

@@ -31,5 +31,5 @@ function determineMergeGoalStatus(statuses) {
 }
 
 module.exports = {
-  determineMergeGoalStatus
+  determineMergeGoalStatus,
 }

src/models/hooks/activityReport.js → src/hooks/activityReport.js

@@ -1,31 +1,35 @@
+import escapeFields from '../models/helpers/escapeFields';
+
 const { Op } = require('sequelize');
 const { REPORT_STATUSES } = require('@ttahub/common');
 const {
   OBJECTIVE_STATUS,
   AWS_ELASTIC_SEARCH_INDEXES,
   GOAL_COLLABORATORS,
   OBJECTIVE_COLLABORATORS,
-} = require('../../constants');
-const { auditLogger } = require('../../logger');
+} = require('../constants');
+const { auditLogger } = require('../logger');
 const { findOrCreateGoalTemplate } = require('./goal');
-const { GOAL_STATUS } = require('../../constants');
+const { GOAL_STATUS } = require('../constants');
 const { findOrCreateObjectiveTemplate } = require('./objective');
 const {
   scheduleUpdateIndexDocumentJob,
   scheduleDeleteIndexDocumentJob,
-} = require('../../lib/awsElasticSearch/queueManager');
-const { collectModelData } = require('../../lib/awsElasticSearch/datacollector');
-const { formatModelForAwsElasticsearch } = require('../../lib/awsElasticSearch/modelMapper');
-const { addIndexDocument, deleteIndexDocument } = require('../../lib/awsElasticSearch/index');
+} = require('../lib/awsElasticSearch/queueManager');
+const { collectModelData } = require('../lib/awsElasticSearch/datacollector');
+const { formatModelForAwsElasticsearch } = require('../lib/awsElasticSearch/modelMapper');
+const { addIndexDocument, deleteIndexDocument } = require('../lib/awsElasticSearch/index');
 const {
   findOrCreateCollaborator,
   removeCollaboratorsForType,
-} = require('../helpers/genericCollaborator');
+} = require('../models/helpers/genericCollaborator');
 const { destroyLinkedSimilarityGroups } = require('./activityReportGoal');
 
+const AR_FIELDS_TO_ESCAPE = ['additionalNotes', 'context'];
+
 const processForEmbeddedResources = async (sequelize, instance, options) => {
   // eslint-disable-next-line global-require
-  const { calculateIsAutoDetectedForActivityReport, processActivityReportForResourcesById } = require('../../services/resource');
+  const { calculateIsAutoDetectedForActivityReport, processActivityReportForResourcesById } = require('../services/resource');
   const changed = instance.changed() || Object.keys(instance);
   if (calculateIsAutoDetectedForActivityReport(changed)) {
     await processActivityReportForResourcesById(instance.id);
@@ -816,6 +820,7 @@ const automaticGoalObjectiveStatusCachingOnApproval = async (sequelize, instance
 
 const beforeCreate = async (instance) => {
   copyStatus(instance);
+  escapeFields(instance, AR_FIELDS_TO_ESCAPE);
 };
 
 const getActivityReportDocument = async (sequelize, instance) => {
@@ -1033,6 +1038,7 @@ const beforeValidate = async (sequelize, instance, options) => {
 };
 
 const beforeUpdate = async (sequelize, instance, options) => {
+  escapeFields(instance, AR_FIELDS_TO_ESCAPE);
   copyStatus(instance);
   setSubmittedDate(sequelize, instance, options);
   clearAdditionalNotes(sequelize, instance, options);

src/models/hooks/activityReport.test.js → src/hooks/activityReport.test.js

@@ -12,16 +12,16 @@ import db, {
   Recipient,
   Grant,
   User,
-} from '..';
-import { unlockReport } from '../../routes/activityReports/handlers';
-import ActivityReportPolicy from '../../policies/activityReport';
+} from '../models';
+import { unlockReport } from '../routes/activityReports/handlers';
+import ActivityReportPolicy from '../policies/activityReport';
 import {
   moveDraftGoalsToNotStartedOnSubmission,
   propagateSubmissionStatus,
 } from './activityReport';
-import { auditLogger } from '../../logger';
+import { auditLogger } from '../logger';
 
-jest.mock('../../policies/activityReport');
+jest.mock('../policies/activityReport');
 
 describe('activity report model hooks', () => {
   describe('automatic goal status changes', () => {

src/models/hooks/activityReportApprover.js → src/hooks/activityReportApprover.js

@@ -1,4 +1,7 @@
 const { APPROVER_STATUSES, REPORT_STATUSES } = require('@ttahub/common');
+const { default: escapeFields } = require('../models/helpers/escapeFields');
+
+const FIELDS_TO_ESCAPE = ['note'];
 
 /**
  * Helper function called by model hooks.
@@ -124,9 +127,19 @@ const afterUpdate = async (sequelize, instance) => {
   await updateReportStatus(sequelize, instance);
 };
 
+const beforeUpdate = async (_sequelize, instance) => {
+  escapeFields(instance, FIELDS_TO_ESCAPE);
+};
+
+const beforeCreate = async (_sequelize, instance) => {
+  escapeFields(instance, FIELDS_TO_ESCAPE);
+};
+
 export {
   calculateReportStatusFromApprovals,
   calculateReportStatus,
+  beforeCreate,
+  beforeUpdate,
   afterCreate,
   afterDestroy,
   afterRestore,

src/models/hooks/activityReportApprover.test.js → src/hooks/activityReportApprover.test.js

@@ -4,7 +4,7 @@ import {
   User,
   ActivityReport,
   ActivityReportApprover,
-} from '..';
+} from '../models';
 import {
   calculateReportStatusFromApprovals,
   afterDestroy,

src/models/hooks/activityReportFile.js → src/hooks/activityReportFile.js

@@ -1,7 +1,7 @@
 import { REPORT_STATUSES } from '@ttahub/common';
 import { propagateDestroyToFile } from './genericFile';
 
-const { cleanupOrphanFiles } = require('../helpers/orphanCleanupHelper');
+const { cleanupOrphanFiles } = require('../models/helpers/orphanCleanupHelper');
 
 const checkForUseOnApprovedReport = async (sequelize, instance, options) => {
   const activityReport = await sequelize.models.ActivityReport.findOne({

src/models/hooks/activityReportFile.test.js → src/hooks/activityReportFile.test.js

@@ -7,16 +7,16 @@ import {
   sequelize,
   User,
   ActivityReport,
-} from '..';
+} from '../models';
 import { propagateDestroyToFile } from './genericFile';
-import { cleanupOrphanFiles } from '../helpers/orphanCleanupHelper';
+import { cleanupOrphanFiles } from '../models/helpers/orphanCleanupHelper';
 import { draftObject, mockApprovers, approverUserIds } from './testHelpers';
 
 jest.mock('./genericFile', () => ({
   propagateDestroyToFile: jest.fn(),
 }));
 
-jest.mock('../helpers/orphanCleanupHelper', () => ({
+jest.mock('../models/helpers/orphanCleanupHelper', () => ({
   cleanupOrphanFiles: jest.fn(),
 }));
 

src/models/hooks/activityReportGoal.js → src/hooks/activityReportGoal.js

@@ -1,14 +1,14 @@
 const { REPORT_STATUSES } = require('@ttahub/common');
-const { GOAL_COLLABORATORS } = require('../../constants');
+const { GOAL_COLLABORATORS } = require('../constants');
 const {
   currentUserPopulateCollaboratorForType,
   removeCollaboratorsForType,
-} = require('../helpers/genericCollaborator');
-const { onlyAllowTrGoalSourceForGoalsCreatedViaTr } = require('../helpers/goalSource');
+} = require('../models/helpers/genericCollaborator');
+const { onlyAllowTrGoalSourceForGoalsCreatedViaTr } = require('../models/helpers/goalSource');
 
 const processForEmbeddedResources = async (sequelize, instance, options) => {
   // eslint-disable-next-line global-require
-  const { calculateIsAutoDetectedForActivityReportGoal, processActivityReportGoalForResourcesById } = require('../../services/resource');
+  const { calculateIsAutoDetectedForActivityReportGoal, processActivityReportGoalForResourcesById } = require('../services/resource');
   const changed = instance.changed() || Object.keys(instance);
   if (calculateIsAutoDetectedForActivityReportGoal(changed)) {
     await processActivityReportGoalForResourcesById(instance.id);

src/models/hooks/activityReportGoalResource.js → src/hooks/activityReportGoalResource.js

@@ -1,5 +1,5 @@
-const { getSingularOrPluralData } = require('../helpers/hookMetadata');
-const { cleanupOrphanResources } = require('../helpers/orphanCleanupHelper');
+const { getSingularOrPluralData } = require('../models/helpers/hookMetadata');
+const { cleanupOrphanResources } = require('../models/helpers/orphanCleanupHelper');
 
 const propagateOnAR = async (sequelize, instance, options) => sequelize.models.GoalResource
   .update(

src/models/hooks/activityReportGoalResource.test.js → src/hooks/activityReportGoalResource.test.js

@@ -8,7 +8,7 @@ import {
   ActivityReportGoalResource,
   User,
   Resource,
-} from '..';
+} from '../models';
 import { recalculateOnAR } from './activityReportGoalResource';
 
 const draftObject = {

src/models/hooks/activityReportObjective.js → src/hooks/activityReportObjective.js

@@ -1,10 +1,10 @@
-import { Op } from 'sequelize';
-import { validateChangedOrSetEnums } from '../helpers/enum';
-import { OBJECTIVE_COLLABORATORS, OBJECTIVE_STATUS } from '../../constants';
-import {
+const { Op } = require('sequelize');
+const { validateChangedOrSetEnums } = require('../models/helpers/enum');
+const { OBJECTIVE_COLLABORATORS, OBJECTIVE_STATUS } = require('../constants');
+const {
   currentUserPopulateCollaboratorForType,
   removeCollaboratorsForType,
-} from '../helpers/genericCollaborator';
+} = require('../models/helpers/genericCollaborator');
 
 const propagateDestroyToMetadata = async (sequelize, instance, options) => Promise.all(
   [
@@ -97,7 +97,7 @@ const afterCreate = async (sequelize, instance, options) => {
   await propagateSupportTypeToObjective(sequelize, instance, options);
 };
 
-const beforeValidate = async (sequelize, instance, options) => {
+const beforeValidate = async (sequelize, instance) => {
   validateChangedOrSetEnums(sequelize, instance);
 };
 
@@ -110,7 +110,7 @@ const afterDestroy = async (sequelize, instance, options) => {
   await recalculateOnAR(sequelize, instance, options);
 };
 
-export {
+module.exports = {
   propagateDestroyToMetadata,
   recalculateOnAR,
   afterCreate,

src/models/hooks/activityReportObjective.test.js → src/hooks/activityReportObjective.test.js

@@ -1,3 +1,4 @@
+import { SUPPORT_TYPES } from '@ttahub/common';
 import {
   sequelize,
   ActivityReportObjective,
@@ -9,17 +10,20 @@ import {
   File,
   ActivityReport,
   Topic,
-} from '..';
+} from '../models';
 
 import { draftObject } from './testHelpers';
-import { FILE_STATUSES, OBJECTIVE_STATUS } from '../../constants';
+import { FILE_STATUSES, OBJECTIVE_STATUS } from '../constants';
 import { beforeDestroy } from './activityReportObjective';
-import { processObjectiveForResourcesById, processActivityReportObjectiveForResourcesById } from '../../services/resource';
+import { processObjectiveForResourcesById, processActivityReportObjectiveForResourcesById } from '../services/resource';
 
 describe('activityReportObjective hooks', () => {
   let ar;
   let topic;
   let objective;
+  let secondObjective;
+  let thirdObjective;
+
   let aro;
   let file;
 
@@ -31,10 +35,32 @@ describe('activityReportObjective hooks', () => {
       status: OBJECTIVE_STATUS.IN_PROGRESS,
     });
 
+    secondObjective = await Objective.create({
+      title: 'second test objective',
+      status: OBJECTIVE_STATUS.IN_PROGRESS,
+    });
+
+    thirdObjective = await Objective.create({
+      title: 'third test objective',
+      status: OBJECTIVE_STATUS.IN_PROGRESS,
+      supportType: SUPPORT_TYPES[0],
+    });
+
     aro = await ActivityReportObjective.create({
       activityReportId: ar.id,
       objectiveId: objective.id,
-    });
+      supportType: SUPPORT_TYPES[0],
+    }, { individualHooks: true });
+
+    await ActivityReportObjective.create({
+      activityReportId: ar.id,
+      objectiveId: secondObjective.id,
+    }, { individualHooks: true });
+
+    await ActivityReportObjective.create({
+      activityReportId: ar.id,
+      objectiveId: thirdObjective.id,
+    }, { individualHooks: true });
 
     topic = await Topic.create({
       name: 'Javascript Mastery',
@@ -87,11 +113,23 @@ describe('activityReportObjective hooks', () => {
     });
 
     await ActivityReportObjective.destroy({
-      where: { id: aro.id },
+      where: {
+        objectiveId: [
+          objective.id,
+          secondObjective.id,
+          thirdObjective.id,
+        ],
+      },
     });
 
     await Objective.destroy({
-      where: { id: objective.id },
+      where: {
+        id: [
+          objective.id,
+          secondObjective.id,
+          thirdObjective.id,
+        ],
+      },
       force: true,
     });
 
@@ -102,6 +140,18 @@ describe('activityReportObjective hooks', () => {
     await sequelize.close();
   });
 
+  describe('supportType', () => {
+    it('should propogate supportType to objective', async () => {
+      const objective1 = await Objective.findByPk(objective.id);
+      const objective2 = await Objective.findByPk(secondObjective.id);
+      const objective3 = await Objective.findByPk(thirdObjective.id);
+
+      expect(objective1.supportType).toBe(SUPPORT_TYPES[0]);
+      expect(objective2.supportType).toBe(null);
+      expect(objective3.supportType).toBe(SUPPORT_TYPES[0]);
+    });
+  });
+
   describe('beforeDestroy', () => {
     it('should propagate destroy to metadata', async () => {
       const transaction = await sequelize.transaction();

src/models/hooks/activityReportObjectiveFile.js → src/hooks/activityReportObjectiveFile.js

@@ -1,5 +1,5 @@
-const { getSingularOrPluralData } = require('../helpers/hookMetadata');
-const { cleanupOrphanFiles } = require('../helpers/orphanCleanupHelper');
+const { getSingularOrPluralData } = require('../models/helpers/hookMetadata');
+const { cleanupOrphanFiles } = require('../models/helpers/orphanCleanupHelper');
 
 const recalculateOnAR = async (sequelize, instance, options) => {
   // check to see if objectiveId or objectiveIds is validly defined
@@ -9,8 +9,7 @@ const recalculateOnAR = async (sequelize, instance, options) => {
   let fileOnReport;
   // by using the passed in objectives we can use a more performant version of the query
   if (objectiveIds !== undefined
-    && Array.isArray(objectiveIds)
-    && objectiveIds.map((i) => typeof i).every((i) => i === 'number')) {
+    && Array.isArray(objectiveIds)) {
     fileOnReport = `
       SELECT
         f."id",