BLO: Some vulnerabilities detected

Hello community,

If I build my BLO code, I get some automatically generated messages from the compiler:

Can someone help me fix the vulnerabilities at the marked lines?

Best regards,
Marcel

UPDATE:
The error message in point 3 of the rejected promise occurs when the following code is executed:
lastpushed[_uid] = await bfj.read(path.join(_LASTPUSHEDPATH, fname), {});
Does anyone have an idea where the error is?

Hi,
if bfj.read throws an error, the JSON file you are trying to read is corrupt.
You can add a try/catch block around the read block.
e.g.

try {
  lastpushed[_uid] = await bfj.read(path.join(_LASTPUSHEDPATH, fname), {});
} catch(e) {
  
}

According to your previous questions.

  1. Your mydatanet server version has only the 7.12.0 version of npm installed. 8.3.0 would be the latest.
  2. I think currently it is not possible to run the audit fix command on a blo. You could try to increase the versions of your installed node packages from the blo settings.

Hi Jakob,
I think this try/catch block is already in use. Please look at the complete following function, in which bfj.read is used:

//Load last pushed
const _LASTPUSHEDPATH = path.join(__dirname, "lastpushed");
async function loadLastPushed() {
	try {
		const files = fs.readdirSync(_LASTPUSHEDPATH);
		for (let fname of files){
			let _uid = path.basename(fname, ".json");
			lastpushed[_uid] = await bfj.read(path.join(_LASTPUSHEDPATH, fname), {});
		}
	} catch (e) {
		throw e;
	}
}

Or do you mean the bfj.read has to be in a separate try/catch block again?

Please let me ask an additional question:
Sometimes if I use this function:

const uplink = async.queue( async(task) => {
		const replyData = await noltaApi.put([task.endpoint, task.noltacode], task.data);
		 return replyData;
}, UPLINK_CONCURRENCY);

I get the following error:

7.2.2022 19:24:00 | info | BAPI.api 75ms PUT https://betarest-af1794c5cd.noltanet.com/api//config0/%5BSmartBox821212x%20043d38076071d963%5D
7.2.2022 19:24:00 | system:error | Error: PUT https://betarest-af1794c5cd.noltanet.com/api//config0/%5BSmartBox821212x%20043d38076071d963%5D {}
7.2.2022 19:24:00 | system:error | info: SyntaxError: Unexpected token S in JSON at position 0
7.2.2022 19:24:00 | system:error | -> c:\myDatanet\mdn++\apmtagBLO\043D38076071D963737473356E616173_dev\index.mjs:109:21 {
7.2.2022 19:24:00 | system:error | at async file:///c:/myDatanet/mdn++/apmtagBLO/043D38076071D963737473356E616173_dev/index.mjs:143:21
7.2.2022 19:24:00 | system:error | at async file:///c:/myDatanet/mdn++/apmtagBLO/043D38076071D963737473356E616173_dev/index.mjs:143:21
7.2.2022 19:24:00 | system:error | at async b.put (file:///c:/myDatanet/mdn++/apmtagBLO/043D38076071D963737473356E616173_dev/studio_modules/~bapi/index.mjs:1:8221)
7.2.2022 19:24:00 | system:error | at async b.request (file:///c:/myDatanet/mdn++/apmtagBLO/043D38076071D963737473356E616173_dev/studio_modules/~bapi/index.mjs:1:7473)
7.2.2022 19:24:00 | system:error | at processTicksAndRejections (internal/process/task_queues.js:95:5)

Please can you explain what it means and how to fix it?
Best regards,
Marcel

Hi Marcel,
Is the loadLastPushed() function also placed in a try/catch block? Because you're rethrowing the error that is caught by the try/catch block in your sample.

Is the task.data variable in this case a JSON string? Looks like the JSON you are passing to the PUT function is invalid

Hello Jakob,

  1. The loadLastPushed() function isn't called in a try/catch block; it's called in an async.series on startup. Here the error should be caught. This is the reason for rethrowing the error. That's how I imagined it, but it doesn't seem to work that way…
    Please have a look at the startup code:
//Startup:
async.series([
	async.asyncify(loadLastPushed),
	init_site_subscription,
	init_histdata_subscription,
	async.asyncify(initHistdata),
	init_config_subscription
	
], (err) => {
		if (!err) {
			for (let [sid, noltaDev] of site_cache) {
				noltaDev.queue.resume();
			}
		}
		uplink.resume();
	log.info(err ? `BOOT FAILED WITH ERROR: ${err}` : "BOOTED!");
});
  2. The task.data variable doesn't seem to be a JSON string. I think it's a normal object. If I print it to the console before I pass it into the PUT function, I get the following output in the case of config0:
BLO	12:09:06.280	  stamp: '20220211110804125',	
BLO	12:09:06.281	  imainstate: 1,	
BLO	12:09:06.282	  bdeviceonoffstate: 1,	
BLO	12:09:06.283	  igsmrssi: -102,	
BLO	12:09:06.284	  ierrorstate: 0,	
BLO	12:09:06.285	  bisinzone: 1,	
BLO	12:09:06.286	  fhours: 0.667,	
BLO	12:09:06.287	  istamplasthoursupdate: 697982584,	
BLO	12:09:06.288	  itxstate: 2	
BLO	12:09:06.289	}

What I definitely don't understand:
The PUT function works fine with the object above. But after a while it crashes and throws the described JSON.parse error.
If I convert the task.data variable to JSON like this:

const replyData = await noltaApi.put([task.endpoint, task.noltacode], JSON.stringify( task.data));

I get the same error after a while; it's the same behavior.

Do you have any additional tips for these two topics please?

Best regards,
Marcel

UPDATE:
Forget the BLO log output from above.
This is the config0 object:

BLO	16:05:41.387	{	
BLO	16:05:41.388	  _uid: '4A488D793DDC2465',	
BLO	16:05:41.389	  endpoint: 'config0',	
BLO	16:05:41.390	  data: {	
BLO	16:05:41.391	    stamp: '20220211150304289',	
BLO	16:05:41.393	    imainstate: 1,	
BLO	16:05:41.394	    bdeviceonoffstate: 1,	
BLO	16:05:41.395	    igsmrssi: -102,	
BLO	16:05:41.395	    ierrorstate: 0,	
BLO	16:05:41.396	    bisinzone: 1,	
BLO	16:05:41.397	    fhours: 4.667,	
BLO	16:05:41.398	    istamplasthoursupdate: 697996984,	
BLO	16:05:41.399	    itxstate: 2	
BLO	16:05:41.399	  },	
BLO	16:05:41.400	  noltacode: '[SmartBox821212x 043d38076071d963]'	
BLO	16:05:41.402	}

But it's not JSON

UPDATE:

Regarding 2)

After creating the uplink as described:

const uplink = async.queue( async(task) => {
		const replyData = await noltaApi.put([task.endpoint, task.noltacode], task.data);
		 return replyData;
}, UPLINK_CONCURRENCY);

The push function is converted to a promise like this:

uplink.push = util.promisify(uplink.push);

Now I’ve found that if I uncomment this line, the error in the log above no longer occurs.

Why is it necessary to convert the push function to a promise, and can I remove the line permanently?

Best regards,
Marcel

As far as I know, this project was built on the async library version 2.x.x. From the async library version 3.x.x onwards the library supports async/await out of the box, so the uplink.promisify isn't necessary anymore if you are using the 3.x version of async.

Hello jast,

So far I used the module BFJ to write a JSON file to the directory as shown in the following code:
(please look at the commented out line)

//Load last pushed
async function loadLastPushed() {
	try {
		const files = await fs.readdirSync(_LASTPUSHEDPATH);
		for (let fname of files) {
			let _uid = path.basename(fname, ".json");
			//lastpushed[_uid] = await bfj.read(path.join(_LASTPUSHEDPATH, fname), {});
			let file = await fs.readFileSync(path.join(_LASTPUSHEDPATH, fname));
			lastpushed[_uid] = await JSON.parse(file);
			console.log(_uid, lastpushed[_uid]);
		}
	} catch (e) {
		throw e;
	}
}

If I use the bfj.read() function, I get two rejected promises per site once at startup as shown below:

Since I couldn’t find the error, I switched to reading the file with the fs module to avoid the error.

PS.:
If I put the lastpushed to the console, I see the following object:

BLO	13:48:38.944	4A7151E9F7140169 {	
BLO	13:48:38.944	  histdata4: '20220316124826602',	
BLO	13:48:38.945	  histdata3: '20220316124336108',	
BLO	13:48:38.946	  histdata2: '20220316123959',	
BLO	13:48:38.947	  histdata0: '20220316124826599',	
BLO	13:48:38.947	  histdata5: '20220316124816875',	
BLO	13:48:38.948	  histdata6: '20220316124816880',	
BLO	13:48:38.949	  histdata7: '20220316124826606'	
BLO	13:48:38.950	}

As you can see it’s not very big and I’m wondering if you can do without bfj here?

Best regards,
Marcel
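
Added example (not code from the thread or the project): one way to give each file in the lastpushed directory its own try/catch, as asked earlier in the thread, while reading with fs and JSON.parse as in the last post, so that a single corrupt file is reported instead of rejecting the whole startup step. The names loadStateDir and demo and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example: per-file error isolation when loading small JSON state files.
// loadStateDir, demo and the sample files are hypothetical, not from the project.
const fs = require("fs");
const os = require("os");
const path = require("path");

function loadStateDir(dir) {
  // No prototype: file names are input, so a name like "__proto__.json" stays a plain key.
  const loaded = Object.create(null);
  const failed = []; // { file, reason } for every file that was skipped
  for (const fname of fs.readdirSync(dir)) {
    if (path.extname(fname) !== ".json") continue; // ignore stray files
    const uid = path.basename(fname, ".json");
    try {
      const text = fs.readFileSync(path.join(dir, fname), "utf8");
      const value = JSON.parse(text);
      // A state file must hold a plain object; anything else is treated as corrupt.
      if (value === null || typeof value !== "object" || Array.isArray(value)) {
        throw new TypeError("top-level value is not an object");
      }
      loaded[uid] = value;
    } catch (e) {
      // One bad file must not abort the whole startup: record it and continue.
      failed.push({ file: fname, reason: e.message });
    }
  }
  return { loaded, failed };
}

// Constructed sample data: one valid file, one truncated mid-write, one empty.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "lastpushed-"));
  fs.writeFileSync(path.join(dir, "AAAA000000000001.json"),
    JSON.stringify({ histdata0: "20220316124826599" }));
  fs.writeFileSync(path.join(dir, "AAAA000000000002.json"), '{"histdata0": "2022031');
  fs.writeFileSync(path.join(dir, "AAAA000000000003.json"), "");
  const result = loadStateDir(dir);
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}

const demoResult = demo();
console.log("loaded:", Object.keys(demoResult.loaded),
  "skipped:", demoResult.failed.map((f) => f.file));
```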