Merge pull request #148 from Arquisoft/Ruben

Eliminación de security hotspots

apis/allquestionservice/Dockerfile

@@ -11,7 +11,13 @@ COPY package*.json ./
 RUN npm install
 
 # Copy the app source code to the working directory
-COPY . .
+COPY .dockerignore ./
+COPY allquestions-api.js ./
+COPY allquestions-api.test.js ./
+COPY home.png ./
+COPY package-lock.json ./
+COPY package.json ./
+COPY question-model.js ./
 
 # Expose the port the app runs on 
 EXPOSE 8007

apis/allquestionservice/allquestions-api.js

@@ -4,6 +4,7 @@ const Question = require('./question-model')
 const bodyParser = require('body-parser');
 
 const app = express();
+app.disable('x-powered-by');
 const port = 8007;
 
 const originEndpoint = process.env.REACT_APP_API_ORIGIN_ENDPOINT || 'http://localhost:3000';

apis/alluserservice/Dockerfile

@@ -11,7 +11,12 @@ COPY package*.json ./
 RUN npm install
 
 # Copy the app source code to the working directory
-COPY . .
+COPY .dockerignore ./
+COPY allusers-api.js ./
+COPY allusers-api.test.js ./
+COPY package-lock.json ./
+COPY package.json ./
+COPY user-model.js ./
 
 # Expose the port the app runs on
 EXPOSE 8006

apis/alluserservice/allusers-api.js

@@ -4,6 +4,7 @@ const bodyParser = require('body-parser');
 const User = require('./user-model')
 
 const app = express();
+app.disable('x-powered-by');
 const port = 8006;
 
 const originEndpoint = process.env.REACT_APP_API_ORIGIN_ENDPOINT || 'http://localhost:3000';

gamehistoryservice/Dockerfile

@@ -12,7 +12,12 @@ COPY package*.json ./
 RUN npm install
 
 # Copy the app source code to the working directory
-COPY . .
+COPY .dockerignore ./
+COPY gamehistory-model.js ./
+COPY gamehistory.js ./
+COPY gamehistory.test.js ./
+COPY package-lock.json ./
+COPY package.json ./
 
 # Expose the port the app runs on
 EXPOSE 8004 

gamehistoryservice/gamehistory.js

@@ -9,6 +9,7 @@ mongoose.connect(mongoUri);
 const originEndpoint = process.env.REACT_APP_API_ORIGIN_ENDPOINT || 'http://localhost:3000';
 
 const app = express();
+app.disable('x-powered-by');
 const port = 8004;
 
 // Middleware to parse JSON in request body

gamehistoryservice/gamehistory.test.js

@@ -130,7 +130,6 @@ describe('Game History Service', () => {
             .get('/topUsers');
 
         expect(response.status).toBe(200);
-        console.log(response.body);
         expect(response.body).toEqual({
             primero: 'user1 - 90%',
             segundo: 'user2 - 85%',

gatewayservice/Dockerfile

@@ -11,7 +11,12 @@ COPY package*.json ./
 RUN npm install
 
 # Copy the app source code to the working directory
-COPY . .
+COPY .dockerignore ./
+COPY gateway-service.js ./
+COPY gateway-service.test.js ./
+COPY openapi.yaml ./
+COPY package-lock.json ./
+COPY package.json ./
 
 # Define the command to run your app
 CMD ["node", "gateway-service.js"]

gatewayservice/gateway-service.js

@@ -8,6 +8,7 @@ const fs = require("fs")
 const YAML = require('yaml')
 
 const app = express();
+app.disable('x-powered-by');
 const port = 8000;
 
 const gamehistoryUrl = process.env.GAMEHISTORY_SERVICE_URL || 'http://localhost:8004';

gatewayservice/gateway-service.test.js

@@ -3,10 +3,21 @@ const axios = require('axios');
 const app = require('./gateway-service'); 
 const { createServer } = require('http');
 const sinon = require('sinon');
-
+const { randomBytes } = require('crypto');
 
 const server = createServer(app);
-const newPassword = Math.floor(Math.random() * 10).toString(); // Genera una nueva contraseña aleatoria para evitar el Security Hostpot de SonarCloud en las pruebas
+const newString = generateSecureRandomPassword(8); // Genera una nueva contraseña aleatoria para evitar el Security Hostpot de SonarCloud en las pruebas
+
+function generateSecureRandomPassword(length) {
+  const characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+';
+  const password = [];
+  const bytes = randomBytes(length);
+  for (let i = 0; i < length; i++) {
+    const randomIndex = bytes[i] % characters.length;
+    password.push(characters[randomIndex]);
+  }
+  return password.join('');
+}
 
 afterAll(async () => {
     app.close();
@@ -58,7 +69,7 @@ describe('Gateway Service', () => {
   it('should forward login request to auth service', async () => {
     const response = await request(app)
       .post('/login')
-      .send({ username: 'testuser', password: newPassword });
+      .send({ username: 'testuser', password: newString });
 
     expect(response.statusCode).toBe(200);
     expect(response.body.token).toBe('mockedToken');
@@ -73,7 +84,7 @@ describe('Gateway Service', () => {
   it('should forward add user request to user service', async () => {
     const response = await request(app)
       .post('/adduser')
-      .send({ username: 'newuser', email: '[email protected]', password: newPassword });
+      .send({ username: 'newuser', email: '[email protected]', password: newString });
 
     expect(response.statusCode).toBe(200);
     expect(response.body.userId).toBe('mockedUserId');

gatewayservice/package.json

@@ -20,6 +20,7 @@
     "dependencies": {
         "axios": "^1.6.5",
         "cors": "^2.8.5",
+        "crypto": "^1.0.1",
         "express": "^4.18.2",
         "express-openapi": "^12.1.3",
         "express-prom-bundle": "^7.0.0",
@@ -28,7 +29,7 @@
     },
     "devDependencies": {
         "jest": "^29.7.0",
-        "supertest": "^6.3.4",
-        "sinon": "^11.0.0"
+        "sinon": "^11.0.0",
+        "supertest": "^6.3.4"
     }
 }

perfilservice/Dockerfile

@@ -11,7 +11,12 @@ COPY package*.json ./
 RUN npm install
 
 # Copy the app source code to the working directory
-COPY . .
+COPY .dockerignore ./
+COPY package-lock.json ./
+COPY package.json ./
+COPY perfil-api.js ./
+COPY perfil-api.test.js ./
+COPY user-model.js ./
 
 # Expose the port the app runs on
 EXPOSE 8005

perfilservice/perfil-api.js

@@ -4,6 +4,7 @@ const User = require('./user-model')
 const bodyParser = require('body-parser');
 
 const app = express();
+app.disable('x-powered-by');
 const port = 8005;
 
 const originEndpoint = process.env.REACT_APP_API_ORIGIN_ENDPOINT || 'http://localhost:3000';

questiongenerator/Dockerfile

@@ -11,7 +11,17 @@ COPY package*.json ./
 RUN npm install
 
 # Copy the app source code to the working directory
-COPY . .
+COPY .dockerignore ./
+COPY game-model.js ./
+COPY image-questions.js ./
+COPY image-questions.test.js ./
+COPY package-lock.json ./
+COPY package.json ./
+COPY question-model.js ./
+COPY question.js ./
+COPY question.test.js ./
+COPY text-questions.js ./
+COPY text-questions.test.js ./
 
 COPY game-model.js /usr/src/gamehistoryservice
 

questiongenerator/package.json

@@ -18,16 +18,17 @@
   },
   "homepage": "https://github.com/arquisoft/wiq_es2c#readme",
   "dependencies": {
+    "axios": "^0.21.1",
     "bcrypt": "^5.1.1",
     "body-parser": "^1.20.2",
+    "crypto": "^1.0.1",
     "express": "^4.18.2",
-    "mongoose": "^8.0.4",
-    "axios": "^0.21.1"
+    "mongoose": "^8.0.4"
   },
   "devDependencies": {
     "jest": "^29.7.0",
     "mongodb-memory-server": "^9.1.5",
-    "supertest": "^6.3.4",
-    "sinon": "^11.0.0"
+    "sinon": "^11.0.0",
+    "supertest": "^6.3.4"
   }
 }

questiongenerator/question.js

@@ -2,6 +2,7 @@ const axios = require('axios');
 const express = require('express');
 const mongoose = require('mongoose');
 const bodyParser = require('body-parser');
+const crypto = require('crypto');
 const Question = require('./question-model');
 const Game = require('./game-model');
 const { queries:textQueries } = require('./text_questions');
@@ -10,6 +11,7 @@ const { queries:imagesQueries } = require('./image_questions');
 const generatorEndpoint = process.env.REACT_APP_API_ORIGIN_ENDPOINT || 'http://localhost:3000';
 
 const app = express();
+app.disable('x-powered-by');
 const port = 8003;
 
 var language = 'undefined';
@@ -164,10 +166,10 @@ function getAllValues() {
 
 
 async function generarPregunta() {
-    randomNumber = Math.floor(Math.random() * 2);
+    randomNumber = crypto.randomInt(0, 2);
     try {
         // Petición a la API de WikiData
-        randomNumber = Math.floor(Math.random() * queries.length);
+        randomNumber = crypto.randomInt(0, queries.length);
         var response = await axios.get(url, {
             params: {
                 query: queries[randomNumber][0],
@@ -197,7 +199,7 @@ function procesarDatos(data) {
 
     // Obtenemos cuatro índices aleatorios sin repetición
     while (randomIndexes.length < 4) {
-        var randomIndex = Math.floor(Math.random() * data.length);
+        var randomIndex = crypto.randomInt(0, data.length);
         var option = data[randomIndex].optionLabel.value;
         var quest = "";
 
@@ -218,7 +220,7 @@ function procesarDatos(data) {
     }
 
     // Escogemos un índice aleatorio como la opción correcta
-    var correctIndex = Math.floor(Math.random() * 4);
+    var correctIndex = crypto.randomInt(0, 4);
     correctOption = data[randomIndexes[correctIndex]].optionLabel.value;
 
     if(quest == "") {

questiongenerator/question.test.js

@@ -51,7 +51,7 @@ describe('Question Generator test', () => {
     });
 
     it('Should manager errors when calling /generateQuestion', async () => {
-        await simulateError('get', '/generateQuestion', 'Error al obtener datos', { error: "Error al obtener datos TypeError: Cannot read properties of undefined (reading '0')" });
+        await simulateError('get', '/generateQuestion', 'Error al obtener datos', { error: "Error al obtener datos RangeError [ERR_OUT_OF_RANGE]: The value of \"max\" is out of range. It must be greater than the value of \"min\" (0). Received 0" });
     });
 
     it('Should configure the game when calling /configureGame', async () => {

questiongenerator/text_questions.js

@@ -236,7 +236,7 @@ queries["en"] = {
             BIND(CONCAT(?day, "/", ?month, "/", ?year) AS ?option)  
             SERVICE wikibase:label { bd:serviceParam wikibase:language "[AUTO_LANGUAGE],en". }
         }
-        `, "¿En que fecha se creó "],
+        `, "Where was created "],
                     [
                             // pregunta = creador, opcion = lenguaje de programacion
                             `