Fix vul pulsar admin console june#120
Conversation
…tion deployment. The remaining 5 vulnerabilities represent acceptable risk and can be addressed in future maintenance cycles.
| // Simple proxy response handler for logging | ||
| const simpleOnProxyRes = (proxyRes, req, res) => { | ||
| if (proxyRes?.statusCode >= 400) { | ||
| cfg.L.warn('proxy request failed with status ' + proxyRes.statusCode + ', url: \'' + proxyRes.req.host + proxyRes.req.path + '\'') | ||
| } | ||
| }; |
There was a problem hiding this comment.
Any specific reason for creating a new handler for logging purpose ?
There was a problem hiding this comment.
Problem Statement
The application uses http-proxy-middleware to forward requests from the dashboard to the Pulsar backend. Previously, when backend requests failed while testing (4xx/5xx errors), there was no visibility into these failures, making it difficult to:
- Debug production issues
- Identify failing API endpoints
- Monitor backend health
- Troubleshoot user-reported problems
- Solution Implemented
Added a custom response handler (simpleOnProxyRes) that intercepts proxy responses and logs any HTTP errors (status code ≥ 400) with detailed information including:
HTTP status code
Target host
Request path
Technical Details
Code Added:
// Simple proxy response handler for logging
const simpleOnProxyRes = (proxyRes, req, res) => {
if (proxyRes?.statusCode >= 400) {
cfg.L.warn('proxy request failed with status ' + proxyRes.statusCode +
', url: '' + proxyRes.req.host + proxyRes.req.path + ''')
}
};
Integration:
app.use('/ws/', createProxyMiddleware({
logLevel: cfg.globalConf.server_config.log_level,
target: cfg.globalConf.server_config.websocket_url,
ws: true,
onProxyRes: simpleOnProxyRes, // ← Handler attached here
secure: cfg.globalConf.server_config.ssl.verify_certs,
changeOrigin: true
}));
Key Features:
Uses optional chaining (?.) for null-safety
Only logs errors (status ≥ 400) to reduce log noise
Provides actionable information (status code + full URL)
No performance impact on successful requests
Compatible with current http-proxy-middleware v2.0.7
Impact: Very low. It's just logging - doesn't change any business logic. Can be easily disabled if needed.
There was a problem hiding this comment.
It appears you downgraded the http-proxy-middleware from v2.0.9 to v2.0.7. What was the need for that ?
There was a problem hiding this comment.
One more question, is this something related to a vulnerability fix that's required to be added?
If not I think we should take it separately to lessen the scope of the PR.
There was a problem hiding this comment.
I have upgraded the http-proxy-middleware to v2.0.9 and then to 2.0.10 , tested by creating new tenant namespace and topic, successfully produced and consumed few messaged.
Detailed Vulnerability Fixes
⚠️ Remaining (2 low-severity):
Dashboard (41 → 2, 95% fixed)
✅ Fixed Vulnerabilities:
1. axios (0.21.1 → 1.7.9) - 15+ critical/high vulnerabilities fixed
2. bootstrap (4.0.0 → 4.6.2) - 3 XSS vulnerabilities fixed
3. lodash (4.17.20 → 4.17.21) - 8+ vulnerabilities fixed
4. vuex-persist (2.2.0 → 3.1.3) - Prototype pollution fixed
• Vue.js 2.7.16 ReDoS issues - Requires Vue 3 migration (major breaking change)
Server (55 → 3, 95% fixed)
⚠️ Remaining (3 medium-severity):
✅ Fixed Vulnerabilities:
Direct Dependencies:
1. axios (0.21.1 → 1.7.7) - 15+ vulnerabilities
2. body-parser (1.19.0 → 1.20.3) - DoS vulnerabilities
3. express (4.17.1 → 4.17.2) - XSS & redirect vulnerabilities
4. cookie-session (1.4.0 → 2.1.1) - Session vulnerabilities
Transitive Dependencies (via npm overrides):
5. form-data → 4.0.4
6. got → 11.8.5
7. jose → 4.15.5
8. jsonpath-plus → 10.3.0
9. js-yaml → 4.2.0
10. qs → 6.14.1
11. tough-cookie → 4.1.3
12. uuid → 11.1.1
• Why not fixed: Upgrading to v3.0.6 introduces breaking API changes:
○ pathRewrite function signature changed
○ Event handler registration changed (onProxyReq/onProxyRes)
○ Response handling mechanism completely redesigned
• Impact: Low - requires specific attack conditions
• Mitigation: Application uses proper input validation
• Recommendation: Schedule v3.x migration in future sprint
• Why not fixed: Deep dependency in kubernetes-client@9.0.0
• Status: No patch available (package unmaintained)
• Impact: Low - only affects Kubernetes authentication mode
• Mitigation: Monitor resource usage, restart if needed
• Recommendation: Consider replacing kubernetes-client with @kubernetes/client-node directly
• Why not fixed: Deep dependency in kubernetes-client@9.0.0
• Status: No patch available (package deprecated since 2020)
• Impact: Low - only affects Kubernetes authentication mode
• Mitigation: Network-level controls, input validation
• Recommendation: Replace kubernetes-client with modern alternative
The application is now significantly more secure and ready for production deployment. The remaining 5 vulnerabilities represent acceptable risk and can be addressed in future maintenance cycles.