Skip to content

fix: add credentials: 'omit' to all calls to recruit #7061

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

fix: add credentials: 'omit' to all calls to recruit #7061

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
32b3ce2
fix: add credentials: 'omit' to all calls to recruit
kkartunov Feb 3, 2025
9bf44dc
Revert "fix: add credentials: 'omit' to all calls to recruit"
kkartunov Feb 3, 2025
5b338a0
fix: add debug logs
kkartunov Feb 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .circleci/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -358,6 +358,7 @@ workflows:
branches:
only:
- develop
- fix-gig-apply-issue
# This is alternate dev env for parallel testing
# Deprecate this workflow due to beta env shutdown
# https://topcoder.atlassian.net/browse/CORE-251
Expand Down
8 changes: 7 additions & 1 deletion src/server/routes/recruitCRM.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
/* eslint-disable no-console */
/**
* The routes related to RecruitCRM.io integration
*/
Expand Down Expand Up @@ -50,7 +51,12 @@
allowedHeaders: ['Content-Type', 'Authorization'],
};
routes.options('/jobs/:id/apply', cors(applyOptions));
routes.post('/jobs/:id/apply', cors(applyOptions), (req, res, next) => authenticator(authenticatorOptions)(req, res, next), upload.single('resume'), (req, res, next) => new RecruitCRMService().applyForJob(req, res, next));
routes.post('/jobs/:id/apply', (req, res, next) => {
console.log('debug: /jobs/:id/apply - req.headers', req.headers);
console.log('debug: /jobs/:id/apply - req.body', req.body);
console.log('debug: /jobs/:id/apply - req.params', req.params);
next();
}, cors(applyOptions), (req, res, next) => authenticator(authenticatorOptions)(req, res, next), upload.single('resume'), (req, res, next) => new RecruitCRMService().applyForJob(req, res, next));

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
authorization
Loading
, but is not rate-limited.

Copilot Autofix

AI 3 months ago

To fix the problem, we need to introduce rate limiting to the route handler to prevent denial-of-service attacks. The best way to do this is by using the express-rate-limit package, which allows us to easily set up rate limiting for our Express application.

We will:

  1. Install the express-rate-limit package.
  2. Import the package in the file.
  3. Set up a rate limiter with appropriate configuration.
  4. Apply the rate limiter to the specific route handler that performs authorization.
Suggested changeset 2
src/server/routes/recruitCRM.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/server/routes/recruitCRM.js b/src/server/routes/recruitCRM.js
--- a/src/server/routes/recruitCRM.js
+++ b/src/server/routes/recruitCRM.js
@@ -13,2 +13,3 @@
 const authenticatorOptions = _.pick(config.SECRET.JWT_AUTH, ['AUTH_SECRET', 'VALID_ISSUERS']);
+const RateLimit = require('express-rate-limit');
 const cors = require('cors');
@@ -23,2 +24,6 @@
 });
+const limiter = RateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // max 100 requests per windowMs
+});
 const routes = express.Router();
@@ -58,3 +63,3 @@
   next();
-}, cors(applyOptions), (req, res, next) => authenticator(authenticatorOptions)(req, res, next), upload.single('resume'), (req, res, next) => new RecruitCRMService().applyForJob(req, res, next));
+}, cors(applyOptions), limiter, (req, res, next) => authenticator(authenticatorOptions)(req, res, next), upload.single('resume'), (req, res, next) => new RecruitCRMService().applyForJob(req, res, next));
 
EOF
@@ -13,2 +13,3 @@
const authenticatorOptions = _.pick(config.SECRET.JWT_AUTH, ['AUTH_SECRET', 'VALID_ISSUERS']);
const RateLimit = require('express-rate-limit');
const cors = require('cors');
@@ -23,2 +24,6 @@
});
const limiter = RateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // max 100 requests per windowMs
});
const routes = express.Router();
@@ -58,3 +63,3 @@
next();
}, cors(applyOptions), (req, res, next) => authenticator(authenticatorOptions)(req, res, next), upload.single('resume'), (req, res, next) => new RecruitCRMService().applyForJob(req, res, next));
}, cors(applyOptions), limiter, (req, res, next) => authenticator(authenticatorOptions)(req, res, next), upload.single('resume'), (req, res, next) => new RecruitCRMService().applyForJob(req, res, next));

package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -175,3 +175,4 @@
     "xml2json": "^0.11.2",
-    "xss": "^1.0.15"
+    "xss": "^1.0.15",
+    "express-rate-limit": "^7.5.0"
   },
EOF
@@ -175,3 +175,4 @@
"xml2json": "^0.11.2",
"xss": "^1.0.15"
"xss": "^1.0.15",
"express-rate-limit": "^7.5.0"
},
This fix introduces these dependencies
Package Version Security advisories
express-rate-limit (npm) 7.5.0 None
Copilot is powered by AI and may make mistakes. Always verify output.

routes.options('/candidates/search', cors());
routes.get('/candidates/search', cors(), (req, res, next) => new RecruitCRMService().searchCandidates(req, res, next));
Expand Down
3 changes: 3 additions & 0 deletions src/server/services/recruitCRM.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
/* eslint-disable no-console */
/**
* Server-side functions necessary for effective integration with recruitCRM
*/
Expand Down Expand Up @@ -413,6 +414,7 @@ export default class RecruitCRMService {
async applyForJob(req, res, next) {
const { id } = req.params;
const { body, file } = req;
console.log('debug: applyForJob', id, body, file);
const form = JSON.parse(body.form);
const fileData = new FormData();
if (file) {
Expand Down Expand Up @@ -605,6 +607,7 @@ export default class RecruitCRMService {
const data = await applyResponse.json();
return res.send(data);
} catch (err) {
console.log('applyForJob error', err);
return next(err);
}
}
Expand Down