ealenn / echo-server Goto Github PK

View Code? Open in Web Editor NEW

239.0 4.0 47.0 852 KB

REST Server Tests (Echo-Server) API / Docker / Kubernetes / Helm

Home Page: https://ealenn.github.io/Echo-Server

License: GNU General Public License v3.0

Dockerfile 0.84% JavaScript 99.16%

docker kubernetes echo server nodejs helm helm-charts rest-api testing devops-tools

echo-server's Introduction

Hi there !

👋 I'm an DevOps engineer, love to work with .NET Core / TypeScript Stacks
🏠 I live in France
🔭 I’m currently working on Echo-Server, my blog ealen.fr and other projects
💬 Ask me about Typescript, .NET Core, Docker, Kubernetes or deploy with Azure Pipeline / GitHub Actions
📫 How to reach me: Twitter @Ealen_

echo-server's People

Contributors

Stargazers

Watchers

echo-server's Issues

[BUG] arm/v7 build contains x86_64 binaries

Describe the bug
The arm/v7 build appears to contain an x86_64 /usr/local/bin/node binary. Likely the build process didn't get the build platform propagated correctly. This may be impacting other non-x86_64 builds as well.

To Reproduce

$ docker run --rm --entrypoint /bin/cat \
  ealen/echo-server:latest@sha256:0f888333c27fab959441f8e745552915e2ef662abf9570ff9237e96595709be4  \
  /usr/local/bin/node | file -

Expected behavior
I expect to see an ARM binary.

Response
I instead get:

/dev/stdin: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, with debug_info, not stripped

Additional context
Attempting to start a pod using this image results in this error:

standard_init_linux.go:211: exec user process caused "exec format error"

Unitary/API tests

Replace Helm-UI links with Helm.sh

helm/hub#247

[BUG] Documentation links on Docker hub are broken

Describe the bug
On the home page for this project on docker hub (https://hub.docker.com/r/ealen/echo-server) the links to documentation get 404s.
e.g. Docker (under Table of contents)
It appears to be ALL the links, not just the examples provided here.

To Reproduce
Click the link https://ealenn.github.io/Echo-Server/pages/docker.html and get a github 404 page

Expected behavior
Probably should link to here - https://github.com/Ealenn/Echo-Server#docker - at least for the example broken link

Response
N/A

Additional context
N/A

[BUG] Support Multiple custom headers with comma value

Describe the bug
I want to emulate several upstream response with cache-control header. As you know cache-control policy can have several values with "," as a delimiter.
Example:
Cache-Control: max-age=300, public.must-revalidate

Current the code is splitting the custom headers with "," and the proposal is to switch to ";" in order to support several values on a header

To Reproduce
X-ECHO-HEADER=Cache-Control: max-age=300, public; One: 1

Expected behavior
The response should have the following headers:
Cache-Control: max-age=300, public
One: 1

Additional context
I can open a PR if you want to fix this issue

[FEATURE] Support custom HTTP verb

Is your feature request related to a problem? Please describe.
I use the echo-server to fake external micro-services during some integration tests.
Some requests use a custom HTTP method "BAN" that is not supported by the echo-server

Describe the solution you'd like
The support to echo custom methods.

[FEATURE] Automatic Dependency Updates

Is your feature request related to a problem? Please describe.
There are some CVEs always appearing in any image. It's important to keep the images up to date. This is somehow related to #108.

Describe the solution you'd like

Integrate Mend Renovate updates including auto-merge GitHub actions functionality to keep the image up to date.
Change Dockerfile base version to something more concrete to keep getting a fresh image every time patches are released. e.g. node:20.6.1-alpine3.18.
Release the new image version on every PR merge automatically.

Describe alternatives you've considered
The alternative is to keep the echo-server updated by hand. It's time-consuming for the authors. Another alternative is GitHub Dependabot, however, it does not come with the same "bells and whistles" as Renovate.

Additional context
The current CVE in ealen/echo-server:0.7.1: https://nvd.nist.gov/vuln/detail/CVE-2022-48174.

Base Score: 9.8 CRITICAL

Save request history

Save queries for later viewing. Ex: Debug mobile applications

Configure :

Route of GUI
Enable/Disable feature
Time to live of data
Auto Refresh

Lightweight Docker Images

Make the docker image smaller

[FORK] Update alpine based image

@Niksko

Alpine 3.9 includes a musl libc version vulnerable to this CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28928. Newer versions of alpine are not vulnerable.

Niksko@4afe3ea

[FEATURE] Graceful shutdown on SIGTERM signal

Is your feature request related to a problem? Please describe.
The app does not react when receiving a SIGTERM, we have to send a SIGKILL for it to stop. Getting a SIGKILL means the app is not gracefully shutdown.
In a Kubernetes context, this means that it systematically wait for a 30s timeout before stopping the processes.

Describe the solution you'd like
Handle the SIGTERM signal and gracefully stop the app.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
When this app runs in a Kubernetes context (for eg.) and someone asks to stop the pod, Kubernetes will first send a SIGTERM signal to ask the app to stop by itself. If the app does not exit by itself, it waits for a timeout (terminationGracePeriod, defaults to 30s) before sending a SIGKILL signal that asks the system to stop the process forcibly. See https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-terminating-with-grace.

[BUG] Force GitHub Pages build on Tag/Release

Describe the bug
On tag, the documentation is not build. In the Documentation on example section, the tag is not updated.

Response

Load Testing

Add route or request for distributed load testing, scalability or kubernetes configuration.

Choose to display environment variables or not

Possibility to hide environment variables

[FEATURE] Create release with conventional commits

Is your feature request related to a problem? Please describe.

Use GH Actions to bump the version and auto tag like https://github.com/Ealenn/OpenGarden/blob/master/.github/workflows/github-bump.yml

[BUG] exception throwing PayloadTooLargeError: request entity too large

Describe the bug
A clear and concise description of what the bug is.

Listening on port 80.
PayloadTooLargeError: request entity too large
at s (/app/webserver.js:1:217738)
at n.exports (/app/webserver.js:1:217478)
at n.exports (/app/webserver.js:1:31917)
at /app/webserver.js:1:209478
at a.handle_request (/app/webserver.js:1:107089)
at /app/webserver.js:1:102946
at /app/webserver.js:1:102968
at Function.m.process_params (/app/webserver.js:1:103477)
at x (/app/webserver.js:1:102517)
at /app/webserver.js:1:454387

To Reproduce
send some json data that is very large.

Expected behavior
it should handle any kind of response,

Response
If applicable, add result to help explain your problem.

Additional context
Add any other context about the problem here.

Remove X-Powered-By header

[FEATURE] Improved logs

Is your feature request related to a problem? Please describe.
It is important to improve the logs and be able to use Seq or an ELK and view requests more easily.

Describe the solution you'd like
We can serialize requests / responses to log them. We can also make all of this configurable.

Additional context

Don't forget to update the examples
Related to #55

Customize response headers

Customize headers in response with echo_header query parameter or X-ECHO-HEADER.

[FEATURE] We should have option to set the content-type expected for json body

Is your feature request related to a problem? Please describe.
I have a service that sends a request with application/ld+json header saying that the body contains a JSON-LD. Today the server is logging the request however without the body, as it wasn't able to parse it.

Describe the solution you'd like
We should have a configuration that determine which content-types should be used to understand the body as a JSON: https://github.com/Ealenn/Echo-Server/blob/master/src/app.js#L21, so I can run the echo-server saying that the content-type expected for json are json and jsonld

Describe alternatives you've considered
I forked the project and manually changed the line to be:

app.use(bodyParser.json({type: ['json', 'jsonld']}));

[FEATURE] Exclude cookies

Is your feature request related to a problem? Please describe.

We use your container to check if our traffic paths are working correctly. While doing so we found an issue. The echo-server exposes cookies which is in itself not an issue. problem is that if you have another XSS exploitable service you could use the echo service to expose these cookies. This basically circumvents any protection via the cookies httpOnly flag.

You can read about that here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies

Describe the solution you'd like

The easiest solution would be to make the echoing of cookies optional. So one could simply disable it like you can with the files and environment feature.

Describe alternatives you've considered

Our current alternative is to secure the echo service by other means, but we would like to keep it open without "exposing" cookies.

Additional context

Yes we know that this basically just echos the cookies the client already has. So it's not exposing them. But with a slightly complicated attack and some help from another XSS issue this can be used in a bad way. An option to turn echos of cookies off would easily solve that.

[FEATURE] Publish image to GHCR

Is your feature request related to a problem? Please describe.

Hi 👋🏼 In order to combat dockerhub's imposed rate limits it would be great to host these images on GHCR.

Describe the solution you'd like

Push echo-server to an additional registry like GHCR

[BUG] Broken Links

Describe the bug

Many links are broken after #61

Readme :

Seq image is not displayed.

Documentation :

Status	URL	Source link text
404 Not Found	https://ealenn.github.io/pages/configuration/loggers	More information
404 Not Found	https://ealenn.github.io/pages/configuration/commands	commands
404 Not Found	https://ealenn.github.io/assets/images/seq.png	img/src
404 Not Found	https://ealenn.github.io/pages/configuration	More information
404 Not Found	https://ealenn.github.io/pages/configuration/configuration	conditions

Run docker container as non privileged user (node with UID 1000?)

Is your feature request related to a problem? Please describe.
At the moment docker image runs as root user which is not good from security perspective.

Describe the solution you'd like
Run docker container at leas as built-in node user with UID 1000.

Describe alternatives you've considered
Build custom image which is not great idea.

Additional context
Want to run this image in K8s as non root.

[FEATURE] Websockets

Similarly to https://github.com/jmalloc/echo-server, how much work would it be to support WS/WSS?

Resources limits

Add limits by default in charts

Add option for read Directory/Files/Volumes informations

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

bundler

docs/Gemfile

github-pages undefined

jekyll-github-metadata undefined

jekyll-toc undefined

webrick "~> 1.7"

docker-compose

docker-compose/ELK/docker-compose.yml

elasticsearch 8.12.0

kibana 8.12.0

logstash 8.12.0

docker-compose/SEQ/docker-compose.yml

docs/docker-compose.yml

dockerfile

Dockerfile

docker-compose/Dockerfile.local

github-actions

.github/workflows/docker.yml

actions/checkout v4

crazy-max/ghaction-docker-buildx v3

.github/workflows/gh-page.yml

.github/workflows/github-bump.yml

actions/checkout v4

mathieudutour/github-tag-action v6.1

ncipollo/release-action v1

.github/workflows/nodejs-tests.yml

actions/checkout v4

actions/setup-node v4

npm

package.json

body-parser ^1.x

bunyan ^1.x

bunyan-seq ^1.0.0

cookie-parser ^1.x

express ^4.x

multer 1.4.5-lts.1

nconf ^0.12.x

mocha ^10.x

nyc ^15.x

supertest ^6.x

terser-webpack-plugin ^5.x

webpack ^5.x

webpack-cli ^5.x

Check this box to trigger a request for Renovate to run again on this repository

Improved logs

[BUG] Fatal process OOM in insufficient memory to create an Isolate

Describe the bug
When trying to run the Echo server it crashes immediately with this output:


<--- Last few GCs --->


<--- JS stacktrace --->


#
# Fatal process OOM in insufficient memory to create an Isolate
#

To Reproduce
I am running a free oracle cloud linux/arm64/v8 instance with 1 cpu core and 6GB of memory. I have docker and k3s installed. I am using the command docker run -p 3000:80 ealen/echo-server

Expected behavior
The container doesn't crash with an OOM error

Additional context
You can create a free oracle cloud account and create the v8 vm there for free.

TRAVIS CI integration

Security issues discovered during scan

Is your feature request related to a problem? Please describe.
Trivy scan finds issues in container image.

$ trivy image ealen/echo-server
...

ealen/echo-server (alpine 3.16.1)
=================================
Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 10, CRITICAL: 1)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-4450  │ HIGH     │ fixed  │ 1.1.1q-r0         │ 1.1.1t-r0     │ double free after calling PEM_read_bio_ex                  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215  │          │        │                   │               │ use-after-free following BIO_new_NDEF                      │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286  │          │        │                   │               │ X.400 address type confusion in X.509 GeneralName          │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │        │                   │ 1.1.1t-r1     │ Denial of service by excessive resource usage in verifying │
│              │                │          │        │                   │               │ X509 policy constraints...                                 │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
│              ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-2650  │          │        │                   │ 1.1.1u-r0     │ Possible DoS translating ASN.1 object identifiers          │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2650                  │
│              ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304  │ MEDIUM   │        │                   │ 1.1.1t-r0     │ timing attack in RSA Decryption implementation             │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                  │
│              ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │        │                   │ 1.1.1t-r2     │ Invalid certificate policies in leaf certificates are      │
│              │                │          │        │                   │               │ silently ignored                                           │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                  │
│              ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-3446  │          │        │                   │ 1.1.1u-r2     │ Excessive time spent checking DH keys and parameters       │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                  │
├──────────────┼────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│ libssl1.1    │ CVE-2022-4450  │ HIGH     │        │                   │ 1.1.1t-r0     │ double free after calling PEM_read_bio_ex                  │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215  │          │        │                   │               │ use-after-free following BIO_new_NDEF                      │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├────────────────┤          │        │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286  │          │        │                   │               │ X.400 address type confusion in X.509 GeneralName          │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │        │                   │ 1.1.1t-r1     │ Denial of service by excessive resource usage in verifying │
│              │                │          │        │                   │               │ X509 policy constraints...                                 │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
│              ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-2650  │          │        │                   │ 1.1.1u-r0     │ Possible DoS translating ASN.1 object identifiers          │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2650                  │
│              ├────────────────┼──────────┤        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304  │ MEDIUM   │        │                   │ 1.1.1t-r0     │ timing attack in RSA Decryption implementation             │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4304                  │
│              ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │        │                   │ 1.1.1t-r2     │ Invalid certificate policies in leaf certificates are      │
│              │                │          │        │                   │               │ silently ignored                                           │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0465                  │
│              ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-3446  │          │        │                   │ 1.1.1u-r2     │ Excessive time spent checking DH keys and parameters       │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                  │
├──────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ zlib         │ CVE-2022-37434 │ CRITICAL │        │ 1.2.12-r1         │ 1.2.12-r2     │ heap-based buffer over-read and overflow in inflate() in   │
│              │                │          │        │                   │               │ inflate.c via a large...                                   │
│              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                 │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
2023-08-02T11:57:01.615+0100	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Node.js (node-pkg)
==================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                           Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼────────────────────────────────────────────────────────────┤
│ http-cache-semantics (package.json) │ CVE-2022-25881 │ HIGH     │ fixed  │ 4.1.0             │ 4.1.1               │ Regular Expression Denial of Service (ReDoS) vulnerability │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25881                 │
├─────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼────────────────────────────────────────────────────────────┤
│ semver (package.json)               │ CVE-2022-25883 │ MEDIUM   │        │ 7.3.7             │ 5.7.2, 6.3.1, 7.5.2 │ Regular expression denial of service                       │
│                                     │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2022-25883                 │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴────────────────────────────────────────────────────────────┘

Describe the solution you'd like
Update the used packages with fixed issues.

Describe alternatives you've considered
N/A

Additional context
No

ECHO-CODE:500 will cause echo server to always return HTTP status code 500

Ignore Kubernetes Ping logs

All x seconds K8S ping pods. You can ignore logs for /ping route.

Add configuration in charts :) !

Docker ARM Build

Idea of @kyounger

kyounger@0931ffa

[Question] Echo Time Limit?

Just a little question:

Echo-Server/src/middlewares/customResponseTime.js

Lines 3 to 9 in cb68b93

 const timeToSleep = (value) => { 

 if (value && 

 value <= 30000 && 

 value >= 0) { 

 return value 

 } 

 }

Why is there a limit of 30000?

POST Body in Echo Response not present

POST Body isn't present on response

	const timeToSleep = (value) => {
	if (value &&
	value <= 30000 &&
	value >= 0) {
	return value
	}
	}

ealenn / echo-server Goto Github PK

echo-server's Introduction

Hi there !

echo-server's People

Contributors

Stargazers

Watchers

Forkers

echo-server's Issues

Open

Detected dependencies

Recommend Projects

Recommend Topics

Recommend Org