Merge pull request finos#462 from vaibssingh/412-fix-codeql-issues

Address CodeQL issues

package.json

@@ -37,12 +37,14 @@
     "email-validator": "^2.0.4",
     "express": "^4.18.2",
     "express-http-proxy": "^2.0.0",
+    "express-rate-limit": "^7.1.5",
     "express-session": "^1.17.1",
     "generate-password": "^1.5.1",
     "history": "5.3.0",
     "jsonschema": "^1.4.1",
     "load-plugin": "^6.0.0",
     "lodash": "^4.17.21",
+    "lusca": "^1.7.0",
     "moment": "^2.29.4",
     "mongodb": "^5.0.0",
     "nodemailer": "^6.6.1",

src/service/index.js

@@ -3,6 +3,13 @@ const session = require('express-session');
 const http = require('http');
 const cors = require('cors');
 const app = express();
+const rateLimit = require('express-rate-limit');
+const csrf = require('lusca').csrf;
+
+const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // limit each IP to 100 requests per windowMs
+});
 
 const { GIT_PROXY_UI_PORT: uiPort } = require('../config/env').Vars;
 
@@ -16,18 +23,20 @@ const corsOptions = {
 };
 
 const start = async () => {
-  // confiugraiton of passport is async
+  // configuration of passport is async
   // Before we can bind the routes - we need the passport
   const passport = await require('./passport').configure();
   const routes = require('./routes');
   app.use(cors(corsOptions));
+  app.use(limiter);
   app.use(
     session({
       secret: 'keyboard cat',
       resave: false,
       saveUninitialized: false,
     }),
   );
+  app.use(csrf());
   app.use(passport.initialize());
   app.use(passport.session());
   app.use(express.json());

src/service/routes/auth.js

@@ -117,7 +117,12 @@ router.post('/password', async (req, res) => {
         throw new Error('current password did not match the given');
       }
     } catch (e) {
-      res.status(500).send(e).end();
+      res
+        .status(500)
+        .send({
+          message: 'An error occurred',
+        })
+        .end();
     }
   } else {
     res.status(401).end();