Security/remove checkmarx action

.circleci/config.yml

@@ -0,0 +1,47 @@
+version: 2.1
+
+orbs:
+  aws-cli: circleci/aws-cli@1.3.1
+
+workflows:
+  version: 2
+  master:
+    jobs:
+      - deploy:
+          filters:
+            branches:
+              only: master
+
+commands:
+  build:
+    steps:
+      - checkout
+      - aws-cli/install
+      - restore_cache:
+          key: dependency-cache-{{ checksum "yarn.lock" }}
+      - run:
+          name: Install Dependencies 📦
+          command: yarn install --ignore-engines
+      - save_cache:
+          key: dependency-cache-{{ checksum "yarn.lock" }}
+          paths:
+            - ./node_modules
+  test:
+    steps:
+      - run:
+          name: Test 🛠
+          command: yarn test-core-plugins
+  deploy:
+    steps:
+      - run:
+          name: Deploy 🚢
+          command: yarn deploy
+
+jobs:
+  deploy:
+    docker:
+      - image: cimg/node:22.22.0
+    steps:
+      - build
+      - test
+      - deploy

.env.sample

@@ -0,0 +1,2 @@
+export FACEBOOK_APP_ID=
+export FACEBOOK_APP_SECRET=

.gitignore

@@ -5,7 +5,6 @@ node_modules
 config.local.js
 test/test2.js
 static/test
-iframely-*.json
 
 node_modules083
 node_modules2

.nvmrc

@@ -0,0 +1 @@
+22

.whitesource

@@ -0,0 +1,41 @@
+{
+  "scanSettings": {
+    "configMode": "AUTO",
+    "configExternalURL": "",
+    "projectToken": "",
+    "baseBranches": []
+  },
+  "scanSettingsSAST": {
+    "enableScan": false,
+    "scanPullRequests": false,
+    "incrementalScan": true,
+    "baseBranches": [],
+    "snippetSize": 10
+  },
+  "checkRunSettings": {
+    "vulnerableCheckRunConclusionLevel": "failure",
+    "displayMode": "diff",
+    "useMendCheckNames": true
+  },
+  "checkRunSettingsSAST": {
+    "checkRunConclusionLevel": "failure",
+    "severityThreshold": "high"
+  },
+  "issueSettings": {
+    "minSeverityLevel": "LOW",
+    "issueType": "DEPENDENCY"
+  },
+  "remediateSettings": {
+    "workflowRules": {
+      "enabled": true
+    }
+  },
+   "imageSettings":{
+       "imageTracing":{
+           "enableImageTracingPR": false,
+           "addRepositoryCoordinate": false,
+           "addDockerfilePath": false,
+           "addMendIdentifier": false
+       }
+   }
+}

README.md

@@ -60,3 +60,8 @@ Please submit your PR against `develop` branch. This is where everything gets me
 
 MIT License. (c) 2012-2022 Itteco Software Corp. [Nazar Leush](https://github.com/nleush), [Ivan Paramonau](https://twitter.com/iparamonau) and the [contributors](https://github.com/itteco/iframely/graphs/contributors).
 
+## Important Links
+
+- [Pipeline](https://app.circleci.com/pipelines/github/blackbaud-services/iframely)
+- [API Gateway](https://us-east-1.console.aws.amazon.com/apigateway/home?region=us-east-1#/apis/tmc9fp38w6/resources)
+- [Lambda](https://us-east-1.console.aws.amazon.com/lambda/home?region=us-east-1#/functions/iframelyProd-iframelyProd-1CNBJQIOZ30IT)

app.js

@@ -1,4 +1,5 @@
 import { cacheMiddleware, NotFound } from './utils.js';
+// import awsServerlessExpressMiddleware from 'aws-serverless-express/middleware'
 import CONFIG from './config.loader.js';
 global.CONFIG = CONFIG;
 
@@ -42,6 +43,7 @@ app.use(function(req, res, next) {
 });
 
 app.use(cacheMiddleware);
+// app.use(awsServerlessExpressMiddleware.eventContext());
 
 import apiViews from './modules/api/views.js';
 import debugViews from './modules/debug/views.js';
@@ -174,4 +176,4 @@ app.get('/', function(req, res) {
   res.end();
 });
 
-process.title = "iframely";
+process.title = "iframely";

bin/template.cjs

@@ -0,0 +1,19 @@
+const fs = require('fs')
+const { join } = require('path')
+
+const generateTemplate = (from, to) => {
+  const fileContent = fs.readFileSync(`${__dirname}/../templates/${from}`, 'utf8')
+
+  const updatedContent = fileContent
+    .replace(/AWS_ACCOUNT_ID/g, process.env.AWS_ACCOUNT_ID)
+    .replace(/AWS_REGION/g, process.env.AWS_REGION)
+    .replace(/AWS_IAM_ROLE/g, process.env.AWS_IAM_ROLE)
+    .replace(/AWS_FN_NAME/g, process.env.AWS_FN_NAME)
+    .replace(/AWS_API_STAGE/g, process.env.AWS_API_STAGE)
+
+  const filePath = join(`${__dirname}/../${to}`)
+  fs.writeFileSync(filePath, updatedContent, 'utf-8')
+}
+
+generateTemplate('cloudformation.template.yaml', 'cloudformation.yaml')
+generateTemplate('simple-proxy-api.template.yaml', 'simple-proxy-api.yaml')

config.js

@@ -373,6 +373,14 @@
         OEMBED_RELS_PRIORITY: ["app", "player", "survey", "image", "reader"],
         OEMBED_RELS_MEDIA_PRIORITY: ["player", "survey", "image", "reader", "app"],
 
+        ADD_OEMBED_PARAMS: [{
+            // Facebook https://developers.facebook.com/docs/plugins/oembed/
+            re: [/^https:\/\/graph\.facebook\.com\/v\d+\.\d+\/oembed_/i],
+            params: {
+                access_token: `${process.env.FACEBOOK_APP_ID}|${process.env.FACEBOOK_APP_SECRET}`
+            }
+         }],
+
         providerOptions: {
             "readability": {},
             "twitter.status": {}

config.production.js

@@ -0,0 +1,11 @@
+export default {
+  CACHE_ENGINE: 'no-cache',
+  allowedOrigins: ["*"],
+  baseAppUrl: "https://iframely.blackbaud.services",
+  providerOptions: {
+    locale: "en_US",
+    twitch: {
+      parent: 'blackbaud-sites.com,blackbaud.services'
+    }
+  }
+}

docker-compose.yml

@@ -0,0 +1,13 @@
+build:
+  image: everydayhero/lambda:10
+  working_dir: /code
+  volumes:
+    - .:/code
+  environment:
+    - AWS_ACCESS_KEY_ID=${ACCESS_KEY}
+    - AWS_SECRET_ACCESS_KEY=${SECRET_KEY}
+    - AWS_ACCOUNT_ID
+    - AWS_REGION
+    - AWS_IAM_ROLE
+    - AWS_S3_BUCKET
+    - AWS_FN_NAME

lambda.js

@@ -0,0 +1,32 @@
+'use strict'
+import awsServerlessExpress from 'aws-serverless-express'
+import app from './app.js'
+
+// NOTE: If you get ERR_CONTENT_DECODING_FAILED in your browser, this is likely
+// due to a compressed response (e.g. gzip) which has not been handled correctly
+// by aws-serverless-express and/or API Gateway. Add the necessary MIME types to
+// binaryMimeTypes below, then redeploy (`npm run package-deploy`)
+const binaryMimeTypes = [
+  'application/javascript',
+  'application/json',
+  'application/octet-stream',
+  'application/xml',
+  'font/eot',
+  'font/opentype',
+  'font/otf',
+  'image/jpeg',
+  'image/png',
+  'image/svg+xml',
+  'text/comma-separated-values',
+  'text/css',
+  'text/html',
+  'text/javascript',
+  'text/plain',
+  'text/text',
+  'text/xml'
+]
+const server = awsServerlessExpress.createServer(app, null, binaryMimeTypes)
+
+export const handler = (event, context) => awsServerlessExpress.proxy(server, event, context)
+
+export default handler

lib/fetch.js

@@ -1,5 +1,5 @@
 import { URL } from 'url';
-import { h1NoCache, noCache, createUrl, AbortController, AbortError, FetchError } from '@adobe/helix-fetch';
+import { h1NoCache, noCache, createUrl, AbortController, AbortError, FetchError } from '@adobe/fetch';
 import log from '../logging.js';
 
 const fetchKeepAlive = noCache({

lib/utils.js

@@ -458,7 +458,6 @@ export function parseJSONSource(text, decode) {
                     asBuffer: true
                 }, {
                     onResponse: function(res) {
-
                         abortController = res.abortController;
 
                         var content_type = res.headers['content-type'];
@@ -475,12 +474,15 @@ export function parseJSONSource(text, decode) {
                                 imageResponseStarted = totalTime();
                             }
                             contentLength = parseInt(res.headers['content-length'] || '0', 10);
-                            imagesize(res, function(error, data) {
-                                if (data && data.type) {
-                                    data.format = data.type;
-                                }
-                                finishCb(error, data, 'imagesize');
-                            });
+                            imagesize(uri)
+                                .then(data => {
+                                    if (data && data.type) {
+                                        data.format = data.type;
+                                    }
+
+                                    finishCb('', data, 'imagesize');
+                                })
+                                .catch(error => finishCb(error, {}, 'imagesize'))
                         } else {
                             finishCb(res.status, undefined, 'onResponse !200');
                         }

modules/api/views.js

@@ -236,6 +236,15 @@ export default function(app) {
             }
 */
 
+            if (getBooleanParam(req, 'oembed')) {
+              var oembed = oembedUtils.getOembed(uri, result, {
+                  mediaPriority: getBooleanParam(req, 'media'),
+                  omit_css: getBooleanParam(req, 'omit_css'),
+                  targetWidthForResponsive: getIntParam(req, 'width')
+              });
+              result.oembed = oembed;
+            }
+
             res.sendJsonCached(result);
 
 

package.json

@@ -20,24 +20,25 @@
     },
     "license": "MIT",
     "dependencies": {
-        "@adobe/helix-fetch": "^3.0.0",
-        "async": "2.4.1",
-        "cheerio": "^0.22.0",
+        "@adobe/fetch": "^4.1.1",
+        "async": "2.6.4",
+        "aws-serverless-express": "^3.3.6",
+        "cheerio": "1.0.0-rc.12",
         "chokidar": "^3.3.1",
-        "ejs": "^3.1.6",
+        "ejs": "3.1.9",
         "entities": "1.1.1",
-        "express": "^4.16.3",
+        "express": "4.18.2",
         "globby": "^12.0.2",
         "graceful-cluster": "0.0.3",
         "htmlparser2": "^7.1.2",
         "iconv-lite": "^0.6.3",
         "jslint": "^0.12.1",
         "jsontoxml": "0.0.11",
         "memcached": "2.2.2",
-        "moment": "2.19.3",
+        "moment": "2.29.4",
         "node-cache": "1.*",
         "parse-iso-duration": "1.0.0",
-        "probe-image-size": "^5.0.0",
+        "probe-image-size": "6.0.0",
         "readabilitySAX": "1.6.1",
         "redis": "3.1.1",
         "redis-clustr": "1.7.0",
@@ -48,19 +49,31 @@
         "underscore": "^1.13.1"
     },
     "devDependencies": {
-        "chai": "^4.3.0",
+        "chai": "5.1.0",
         "feedparser": "2.2.0",
-        "mocha": "^9.2.0",
+        "mocha": "10.3.0",
         "mock-http-server": "^1.0.0",
-        "mongoose": "^5.13.7",
-        "supertest": "^4.0.2"
+        "mongoose": "5.13.20",
+        "supertest": "6.3.4"
+    },
+    "resolutions": {
+        "jslint/glob/minimatch": "3.0.5",
+        "mock-http-server/body-parser/qs": "6.7.3",
+        "redis-clustr/redis": "3.1.1",
+        "request/http-signature/jsprim/json-schema": "0.4.0",
+        "request/qs": "6.7.3"
     },
     "iframely-proxy-plugins": true,
     "main": "./lib/core.js",
     "scripts": {
         "test": "npm run test-core-plugins && npm run test-e2e",
         "test-core-plugins": "mocha --exit test/core-plugins.js",
-        "test-e2e": "NODE_ENV=test PORT=8080 mocha --exit test/e2e.js"
+        "test-e2e": "NODE_ENV=test PORT=8080 mocha --exit test/e2e.js",
+        "template": "AWS_API_STAGE=prod node bin/template.cjs",
+        "package": "aws cloudformation package --template ./cloudformation.yaml --s3-bucket $AWS_S3_BUCKET --s3-prefix iframely --output-template packaged-sam.yaml --region eu-west-2",
+        "upload": "aws cloudformation deploy --template-file packaged-sam.yaml --stack-name $AWS_FN_NAME --capabilities CAPABILITY_IAM --region eu-west-2",
+        "delete-stack": "aws cloudformation delete-stack --stack-name $AWS_FN_NAME --region eu-west-2",
+        "deploy": "yarn template && yarn package && yarn upload"
     },
     "engines": {
         "node": ">=12.0"