Skip to content

Fix vul pulsar admin console june#120

Open
Riyasoni0 wants to merge 9 commits into
datastax:masterfrom
Riyasoni0:Fix-vul-pulsar-admin-console-june
Open

Fix vul pulsar admin console june#120
Riyasoni0 wants to merge 9 commits into
datastax:masterfrom
Riyasoni0:Fix-vul-pulsar-admin-console-june

Conversation

@Riyasoni0

Copy link
Copy Markdown
Contributor

Detailed Vulnerability Fixes
Dashboard (41 → 2, 95% fixed)
✅ Fixed Vulnerabilities:
1. axios (0.21.1 → 1.7.9) - 15+ critical/high vulnerabilities fixed
2. bootstrap (4.0.0 → 4.6.2) - 3 XSS vulnerabilities fixed
3. lodash (4.17.20 → 4.17.21) - 8+ vulnerabilities fixed
4. vuex-persist (2.2.0 → 3.1.3) - Prototype pollution fixed
⚠️ Remaining (2 low-severity):
• Vue.js 2.7.16 ReDoS issues - Requires Vue 3 migration (major breaking change)

Server (55 → 3, 95% fixed)
✅ Fixed Vulnerabilities:
Direct Dependencies:
1. axios (0.21.1 → 1.7.7) - 15+ vulnerabilities
2. body-parser (1.19.0 → 1.20.3) - DoS vulnerabilities
3. express (4.17.1 → 4.17.2) - XSS & redirect vulnerabilities
4. cookie-session (1.4.0 → 2.1.1) - Session vulnerabilities
Transitive Dependencies (via npm overrides):
5. form-data → 4.0.4
6. got → 11.8.5
7. jose → 4.15.5
8. jsonpath-plus → 10.3.0
9. js-yaml → 4.2.0
10. qs → 6.14.1
11. tough-cookie → 4.1.3
12. uuid → 11.1.1
⚠️ Remaining (3 medium-severity):

  1. http-proxy-middleware@2.0.10 - Partial String Comparison [Medium]
    • Why not fixed: Upgrading to v3.0.6 introduces breaking API changes:
    ○ pathRewrite function signature changed
    ○ Event handler registration changed (onProxyReq/onProxyRes)
    ○ Response handling mechanism completely redesigned
    • Impact: Low - requires specific attack conditions
    • Mitigation: Application uses proper input validation
    • Recommendation: Schedule v3.x migration in future sprint
  2. inflight@1.0.6 - Resource Leak [Medium]
    • Why not fixed: Deep dependency in kubernetes-client@9.0.0
    • Status: No patch available (package unmaintained)
    • Impact: Low - only affects Kubernetes authentication mode
    • Mitigation: Monitor resource usage, restart if needed
    • Recommendation: Consider replacing kubernetes-client with @kubernetes/client-node directly
  3. request@2.88.2 - SSRF [Medium]
    • Why not fixed: Deep dependency in kubernetes-client@9.0.0
    • Status: No patch available (package deprecated since 2020)
    • Impact: Low - only affects Kubernetes authentication mode
    • Mitigation: Network-level controls, input validation
    • Recommendation: Replace kubernetes-client with modern alternative
    The application is now significantly more secure and ready for production deployment. The remaining 5 vulnerabilities represent acceptable risk and can be addressed in future maintenance cycles.

Comment thread server/server.js
Comment on lines +83 to +88
// Simple proxy response handler for logging
const simpleOnProxyRes = (proxyRes, req, res) => {
if (proxyRes?.statusCode >= 400) {
cfg.L.warn('proxy request failed with status ' + proxyRes.statusCode + ', url: \'' + proxyRes.req.host + proxyRes.req.path + '\'')
}
};

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any specific reason for creating a new handler for logging purpose ?

@Riyasoni0 Riyasoni0 Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Problem Statement
The application uses http-proxy-middleware to forward requests from the dashboard to the Pulsar backend. Previously, when backend requests failed while testing (4xx/5xx errors), there was no visibility into these failures, making it difficult to:

  • Debug production issues
  • Identify failing API endpoints
  • Monitor backend health
  • Troubleshoot user-reported problems
  • Solution Implemented

Added a custom response handler (simpleOnProxyRes) that intercepts proxy responses and logs any HTTP errors (status code ≥ 400) with detailed information including:

HTTP status code
Target host
Request path
Technical Details

Code Added:

// Simple proxy response handler for logging
const simpleOnProxyRes = (proxyRes, req, res) => {
if (proxyRes?.statusCode >= 400) {
cfg.L.warn('proxy request failed with status ' + proxyRes.statusCode +
', url: '' + proxyRes.req.host + proxyRes.req.path + ''')
}
};

Integration:

app.use('/ws/', createProxyMiddleware({
logLevel: cfg.globalConf.server_config.log_level,
target: cfg.globalConf.server_config.websocket_url,
ws: true,
onProxyRes: simpleOnProxyRes, // ← Handler attached here
secure: cfg.globalConf.server_config.ssl.verify_certs,
changeOrigin: true
}));

Key Features:

Uses optional chaining (?.) for null-safety
Only logs errors (status ≥ 400) to reduce log noise
Provides actionable information (status code + full URL)
No performance impact on successful requests
Compatible with current http-proxy-middleware v2.0.7

Impact: Very low. It's just logging - doesn't change any business logic. Can be easily disabled if needed.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It appears you downgraded the http-proxy-middleware from v2.0.9 to v2.0.7. What was the need for that ?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more question, is this something related to a vulnerability fix that's required to be added?
If not I think we should take it separately to lessen the scope of the PR.

@Riyasoni0 Riyasoni0 Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have upgraded the http-proxy-middleware to v2.0.9 and then to 2.0.10 , tested by creating new tenant namespace and topic, successfully produced and consumed few messaged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants