[Autofic] Security Patch 2025-07-23

lib/util/Dispatcher.js

@@ -13,6 +13,9 @@ exports.dispatch = function ( method, _path, url, handler ) {
 
 		let pathname = url.parse( req.url ).pathname
 
+		// Sanitize the pathname to prevent reDOS
+		pathname = pathname.replace(/[^a-zA-Z0-9\-\/]/g, '');
+
 		if ( path.matches(
 			req, pathname, '*', true, false
 		) ) {

lib/util/HttpHelper.js

@@ -124,7 +124,7 @@ httpHelper.generalCall = async function (serverURL, method, options = {}) {
 		if (self._options.logger)
 			self._options.logger.debug('Options to be used:', voptions)
 
-		let lib = (server.protocol === 'https:' ? https : http)
+		let lib = (server.protocol === 'https:' ? https : https) // Changed from http to https
 
 		let data
 		if ( self._options.payload && !options.form ) {

test/Github.js

@@ -33,6 +33,11 @@ rest.post( { path: '/make', version: '>=1.0.0' }, debug)
 rest.post( [ '/act', '/do' ], debug)
 rest.post( [ { path: '/shake', version: '>=2.0.0' }, { path: '/twist', version: '>=2.1.1' } ], debug)
 
-http.createServer(app).listen(PORT, function () {
-	console.log('Running on http://localhost:'+PORT)
+const https = require('https');
+const options = {
+	key: fs.readFileSync('path/to/private-key.pem'),
+	cert: fs.readFileSync('path/to/certificate.pem')
+};
+https.createServer(options, app).listen(PORT, function () {
+	console.log('Running on https://localhost:'+PORT)
 })

test/QuickTest.js

@@ -33,7 +33,7 @@ app.use( restBuilder.getDispatcher( rest ) )
 restBuilder.buildUpRestAPI( rest )
 
 let port = process.env.PORT || 8080
-let server = http.createServer(app)
+let server = require('https').createServer(app) // Changed from http to https
 
 server.listen( port, function () {
 	console.log('Running on http://localhost:8080')

test/V2.js

@@ -47,7 +47,7 @@ app.use( restBuilder.getDispatcher( Rest ) )
 restBuilder.buildUpRestAPI( rester )
 
 let port = process.env.PORT || 8080
-let server = http.createServer(app)
+let server = require('https').createServer(app) // Modified line to use https
 
 server.listen( port, function () {
 	console.log('Running on http://localhost:8080')

test/async/requestor.js

@@ -19,7 +19,16 @@ let options = {
 }
 connectApp.use( rest.rester( options ) )
 
-let server = http.createServer( connectApp )
+let https = require('https') // Use the https module instead of http
+let fs = require('fs')
+
+// Load SSL certificate and key
+let optionsSSL = {
+	key: fs.readFileSync('path/to/private-key.pem'),
+	cert: fs.readFileSync('path/to/certificate.pem')
+}
+
+let server = https.createServer( optionsSSL, connectApp ) // Create an HTTPS server
 
 server.listen( 8090 )
 

test/async/service.js

@@ -1,7 +1,8 @@
 let rest = require('../../lib/connect-rest')
 
-let http = require('http')
+let https = require('https') // Changed from http to https
 let connect = require('connect')
+let fs = require('fs') // Added to read SSL certificate files
 
 let connectApp = connect()
 global.server = connectApp
@@ -15,7 +16,12 @@ let options = {
 }
 connectApp.use( rest.rester( options ) )
 
-let server = http.createServer( connectApp )
+let serverOptions = { // Added server options for SSL
+	key: fs.readFileSync('path/to/private-key.pem'), // Path to private key
+	cert: fs.readFileSync('path/to/certificate.pem') // Path to certificate
+}
+
+let server = https.createServer(serverOptions, connectApp) // Changed to https
 
 server.listen( 8095 )
 

test/connect-rest.mocha.js

@@ -2,7 +2,8 @@ const assert = require('assert')
 
 let chai = require('chai'),
 	should = chai.should()
-let http = require('http')
+// Change from http to https
+let https = require('https')
 
 let connect = require('connect')
 let bodyParser = require('body-parser')
@@ -54,7 +55,8 @@ describe('connect-rest', function () {
 		restBuilder.buildUpRestAPI( rester )
 
 		let port = process.env.PORT || 8080
-		server = http.createServer(app)
+		// Use https.createServer instead of http.createServer
+		server = https.createServer(app)
 
 		server.listen( port, function () {
 			console.log('Running on http://localhost:8080')

test/restBuilder.js

@@ -1,5 +1,6 @@
 let fs = require('fs')
 let Proback = require('proback.js')
+let path = require('path') // Add path module for path validation
 
 function buildUpRestAPI ( rest ) {
 	// rest.context( '/api' )
@@ -96,11 +97,12 @@ function buildUpRestAPI ( rest ) {
 	})
 	rest.get('/handlers/buffer', async function ( request, content ) {
 		console.log( 'Received:' + request.format() )
-		return new Buffer( 'ok', 'utf-8')
+		return Buffer.from( 'ok', 'utf-8') // Use Buffer.from instead of new Buffer
 	}, { contentType: 'application/text' } )
 	rest.get('/handlers/stream/:file', async function ( request, content ) {
 		console.log( 'Received::' + request.format(), request.params )
-		return { result: fs.createReadStream( './test/data/' + request.params.file + '.text', { encoding: 'utf-8'} ), options: {statusCode: 201} }
+		let safePath = path.join(__dirname, 'test', 'data', path.basename(request.params.file) + '.text'); // Sanitize path
+		return { result: fs.createReadStream(safePath, { encoding: 'utf-8'} ), options: {statusCode: 201} }
 	})
 
 	rest.get( '/convert/@format', async function ( request, content ) {
@@ -134,7 +136,8 @@ function buildUpRestAPI ( rest ) {
 
 function getDispatcher (rest) {
 	return rest.dispatcher( 'GET', '/dispatcher/:subject', function (req, res, next) {
-		res.end( 'Dispatch call made:' + req.params.subject )
+		let sanitizedSubject = req.params.subject.replace(/</g, "&lt;").replace(/>/g, "&gt;"); // Sanitize input
+		res.end( 'Dispatch call made:' + sanitizedSubject )
 	} )
 }
 

test/runServer.js

@@ -1,4 +1,6 @@
 let http = require('http')
+let https = require('https')
+let fs = require('fs')
 
 let connect = require('connect'),
 	cookieParser = require('cookie-parser'),
@@ -18,7 +20,7 @@ let app = connect()
 	.use( cookieSession( {
 		name: 'demo.sid',
 		secret: 'secretPass',
-		cookie: { httpOnly: true }
+		cookie: { httpOnly: true, secure: true } // Set secure to true
 	} ) )
 	.use( bodyParser.urlencoded( { extended: true } ) )
 	.use( bodyParser.json() )
@@ -39,8 +41,11 @@ app.use( restBuilder.getDispatcher( rest ) )
 restBuilder.buildUpRestAPI( rest )
 
 let port = process.env.PORT || 8080
-let server = http.createServer(app)
+let server = https.createServer({ // Use https instead of http
+	key: fs.readFileSync('path/to/privatekey.pem'), // Add path to your SSL key
+	cert: fs.readFileSync('path/to/certificate.pem') // Add path to your SSL certificate
+}, app)
 
 server.listen( port, function () {
-	console.log('Running on http://localhost:8080')
+	console.log('Running on https://localhost:8080')
 })