
THREESCALE-11530: Update nanoid #3968

Open. Wants to merge 4 commits into master.

Conversation

@jlledom (Contributor) commented Jan 16, 2025

What this PR does / why we need it:

Update nanoid to 3.3.8 to fix a CVE.

In order to update it, we also have to update [email protected] to @rjsf/[email protected]

I had to solve some breaking changes but it's working now. One problem I found is our JSONSchema policies from Apicast are not valid if we use the last version of the validator, so I had to use a deprecated version. I explain this better here: #3968 (comment).

Which issue(s) this PR fixes

https://issues.redhat.com/browse/THREESCALE-11530

Verification steps

The policies screen should work properly

jlledom force-pushed the THREESCALE-11530-update-nanoid branch from 5697d50 to 83dfa1c (January 17, 2025 13:25)
jlledom self-assigned this Jan 17, 2025
jlledom force-pushed the THREESCALE-11530-update-nanoid branch from 83dfa1c to 84618d1 (January 17, 2025 13:58)
jlledom marked this pull request as ready for review January 17, 2025 13:59
@@ -1,7 +1,11 @@
import Form from 'react-jsonschema-form'
import Form from '@rjsf/core'
import { customizeValidator } from '@rjsf/validator-ajv6'
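Review bot: the new `import { customizeValidator } from '@rjsf/validator-ajv6'` line carries no in-code explanation of why the deprecated ajv6 validator is used instead of the current ajv8 one, so a routine dependency bump later will swap validators and break the policies screen again with nothing in the source pointing at the cause. Suggest a one-line comment above the import that names the reason given in this thread (APIcast policy schemas repeat `"$id": "#/definitions/methods"`, which ajv v6 accepts and v8 rejects) and links the ajv issue referenced below, plus a tracking issue for fixing the schemas so the validator can be upgraded; the removed `import Form from 'react-jsonschema-form'` line shows this is the one place the old package was wired in, so the comment belongs here rather than in the PR description alone.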
@jlledom (Contributor, Author) commented:

Here we use validator v6, last version is v8 but we can't use it because our Apicast policies are not valid according to v8 validator.

This comment explains the problem: ajv-validator/ajv#1426 (comment)

And this is how our policies are invalid, for instance, take a look at 3.15.0/policies.json: https://github.com/3scale/APIcast/blob/master/doc/policies_list/3.15.0/policies.json

Our policy url_rewriting defines #/definitions/methods here:

https://github.com/3scale/APIcast/blob/a63be976ce7974c3464ee74f6e2d89f32207004a/doc/policies_list/3.15.0/policies.json#L2418

And this definition is included twice in the same policy, here:
https://github.com/3scale/APIcast/blob/a63be976ce7974c3464ee74f6e2d89f32207004a/doc/policies_list/3.15.0/policies.json#L2378
https://github.com/3scale/APIcast/blob/a63be976ce7974c3464ee74f6e2d89f32207004a/doc/policies_list/3.15.0/policies.json#L2318

Due to that, the field "$id": "#/definitions/methods" is included twice in the policy. This is accepted by the v6 validator but not by v8.

There are more policies that are considered invalid now, for instance keycloak_role_check is also invalid.

I attach a couple of screenshots that show what happens when using the last validator:


image (1)


image
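The duplicate `$id` problem the comment describes can be checked for before a validator is swapped. The following is an added example, not code from this PR, from rjsf or from APIcast: a small lint that walks a JSON Schema document, records every `$id` together with the JSON Pointer of the object declaring it, and reports the ids that occur more than once. The `samplePolicies` document is constructed to mimic the shape described above (a `methods` definition carrying `$id` that is also inlined twice elsewhere in the same policy); it is not the real `policies.json`, and the `policies[name].schema` layout it assumes is a placeholder.

```javascript
// Added example (not code from the PR or from APIcast): a pre-upgrade lint
// that reports every "$id" value declared more than once in a JSON Schema.
// ajv v6 tolerates such repeats; ajv v8 rejects the schema, so running this
// over the policy definitions shows which policies would break first.

// Walk the schema and collect each "$id" with the JSON Pointer (RFC 6901)
// of the object that declares it.
function collectIds(node, pointer = '', acc = new Map()) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => collectIds(item, `${pointer}/${i}`, acc));
  } else if (node && typeof node === 'object') {
    if (typeof node.$id === 'string') {
      const seen = acc.get(node.$id) || [];
      seen.push(pointer || '/');
      acc.set(node.$id, seen);
    }
    for (const [key, value] of Object.entries(node)) {
      // Escape "~" and "/" so the pointer stays unambiguous.
      const token = key.replace(/~/g, '~0').replace(/\//g, '~1');
      collectIds(value, `${pointer}/${token}`, acc);
    }
  }
  return acc;
}

// Return only the ids declared more than once: { id: [pointer, ...] }.
function findDuplicateIds(schema) {
  const dupes = {};
  for (const [id, pointers] of collectIds(schema)) {
    if (pointers.length > 1) dupes[id] = pointers;
  }
  return dupes;
}

// Constructed sample (placeholder layout, not the real policies.json):
// one policy whose "methods" definition carries "$id" and is inlined twice.
const samplePolicies = {
  policies: {
    url_rewriting: {
      schema: {
        $schema: 'http://json-schema.org/draft-07/schema#',
        definitions: {
          methods: {
            $id: '#/definitions/methods',
            type: 'array',
            items: { type: 'string', enum: ['GET', 'POST'] }
          }
        },
        properties: {
          query_args_commands: {
            type: 'array',
            items: {
              properties: {
                methods: { $id: '#/definitions/methods', type: 'array', items: { type: 'string' } }
              }
            }
          },
          commands: {
            type: 'array',
            items: {
              properties: {
                methods: { $id: '#/definitions/methods', type: 'array', items: { type: 'string' } }
              }
            }
          }
        }
      }
    },
    echo: { schema: { type: 'object', properties: {} } }
  }
};

// Report per policy so the output names which policies would be rejected.
function policiesWithDuplicateIds(doc) {
  const report = {};
  for (const [name, policy] of Object.entries(doc.policies)) {
    const dupes = findDuplicateIds(policy.schema);
    if (Object.keys(dupes).length > 0) report[name] = dupes;
  }
  return report;
}

console.log(JSON.stringify(policiesWithDuplicateIds(samplePolicies), null, 2));
```

Run with `node`; against a real policies file, load it with `JSON.parse(fs.readFileSync(...))` and adapt `policiesWithDuplicateIds` to that file's actual layout. Each flagged entry lists the JSON Pointers of every occurrence, which is exactly the set of places that would need deduplicating (for example by replacing the inlined copies with a `$ref` to the definition) before the ajv8 validator can be adopted.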
