edu-101-typescript-code's Introduction

Code Repository for Temporal 101 (TypeScript)

This repository provides code used for exercises and demonstrations included in the TypeScript version of the Temporal 101 training course.

It's important to remember that the example code used in this course was designed to support learning a specific aspect of Temporal, not to serve as a ready-to-use template for implementing a production system.

For the exercises, make sure to run `temporal server start-dev --ui-port 8080 --db-filename clusterdata.db` in one terminal to start the Temporal server. For more details on this command, please refer to the Setting up a Local Development Environment chapter in the course. Note: If you're using the Gitpod environment to run this exercise, you can skip this step.

Hands-On Exercises

| Directory Name | Exercise |
| --- | --- |
| exercises/hello-workflow | Exercise 1 |
| exercises/hello-web-ui | Exercise 2 |
| exercises/farewell-workflow | Exercise 3 |
| exercises/finale-workflow | Exercise 4 |

Instructor-Led Demonstrations

| Directory Name | Description |
| --- | --- |
| demos/service-workflow | Shows a Workflow that uses a microservice |

Examples for Self-Study

| Directory Name | Description |
| --- | --- |
| samples/retry-policy | Example of a Workflow that has a custom Retry Policy |

Reference

The following links provide additional information that you may find helpful as you work through this course.

Exercise Environment for this Course

You can launch an exercise environment for this course in Gitpod by clicking the button below:

Open in Gitpod

Alternatively, you can follow these instructions to set up your own Temporal Cluster with Docker Compose, which you can use as an exercise environment.

edu-101-typescript-code's People

Contributors

angelazhou32, axfelix, kimschles, lorensr, mend-for-github-com[bot], mindaugasrukas, napcs, rdelgatte, tlalfano, tomwheeler, wu-victor

edu-101-typescript-code's Issues

axios-1.5.0.tgz: 1 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /exercises/farewell-workflow/practice/package.json

Path to vulnerable library: /exercises/farewell-workflow/practice/package.json,/demos/service-workflow/node_modules/axios/package.json,/exercises/farewell-workflow/solution/node_modules/axios/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (axios version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-45857 | Medium | 6.5 | axios-1.5.0.tgz | Direct | 1.6.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-45857

Vulnerable Library - axios-1.5.0.tgz

Library home page: https://registry.npmjs.org/axios/-/axios-1.5.0.tgz

Path to dependency file: /exercises/farewell-workflow/practice/package.json

Path to vulnerable library: /exercises/farewell-workflow/practice/package.json,/demos/service-workflow/node_modules/axios/package.json,/exercises/farewell-workflow/solution/node_modules/axios/package.json

Dependency Hierarchy:

  • axios-1.5.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

Publish Date: 2023-11-08

URL: CVE-2023-45857

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-11-08

Fix Resolution: 1.6.0

⛑️ Automatic Remediation will be attempted for this issue.


activity-1.7.2.tgz: 1 vulnerabilities (highest severity is: 5.5) - autoclosed

Vulnerable Library - activity-1.7.2.tgz

Path to dependency file: /exercises/hello-workflow/solution/package.json

Path to vulnerable library: /exercises/hello-workflow/solution/node_modules/protobufjs/package.json,/exercises/farewell-workflow/practice/node_modules/protobufjs/package.json

Found in HEAD commit: 6ffaa92e497ffe5ffad8fccd92025ad82ade7a58

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (activity version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-36665 | Medium | 5.5 | protobufjs-7.1.2.tgz | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-36665

Vulnerable Library - protobufjs-7.1.2.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-7.1.2.tgz

Path to dependency file: /exercises/hello-workflow/solution/package.json

Path to vulnerable library: /exercises/hello-workflow/solution/node_modules/protobufjs/package.json,/exercises/farewell-workflow/practice/node_modules/protobufjs/package.json

Dependency Hierarchy:

  • activity-1.7.2.tgz (Root Library)
    • common-1.7.2.tgz
      • protobufjs-7.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 6ffaa92e497ffe5ffad8fccd92025ad82ade7a58

Found in base branch: main

Vulnerability Details

protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about "Object.constructor.prototype. = ...;" whereas CVE-2022-25878 was about "Object.__proto__. = ...;" instead.

Publish Date: 2023-07-05

URL: CVE-2023-36665

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665

Release Date: 2023-07-05

Fix Resolution: protobufjs - 7.2.4

[Bug] In the exercise finale-workflow, the function CertificateGeneratorWorkflow is not really running

What are you really trying to do?

I tried to change the code inside the function CertificateGeneratorWorkflow
in the file exercises/finale-workflow/src/workflows.ts,
just for learning purposes.
And I came to the conclusion that the code inside it is not really running.

Describe the bug

I changed the code from:

```ts
// The CertificateGeneratorWorkflow workflow calls the CreatePdf activity
export async function CertificateGeneratorWorkflow(name: string): Promise<string> {
  // CreatePdf is the Activity Type defined in the implementation of the Java Activity code
  return await CreatePdf(name);
}
```

to

```ts
// The CertificateGeneratorWorkflow workflow calls the CreatePdf activity
export async function CertificateGeneratorWorkflow(name: string): Promise<string> {
  // CreatePdf is the Activity Type defined in the implementation of the Java Activity code
  return await "/test-learning/" + CreatePdf(name);
}
```

And it had no effect on the result, which stayed as it was.

Minimal Reproduction

Change the code as described above.

Another conclusion I have come to is that I can delete the file exercises/finale-workflow/src/workflows.ts completely
and, in exercises/finale-workflow/src/client.ts, just change

```ts
const handle = await client.workflow.start(CertificateGeneratorWorkflow, {
```

to

```ts
const handle = await client.workflow.start('CertificateGeneratorWorkflow', {
```

So this exercise does not really demonstrate a way of invoking a Java activity from a TS workflow.
It just invokes a Java workflow from a TS client, so it is missing the point.

Environment/Versions

  • OS and processor: [M1 Mac]
  • Temporal Version: [0.10.1]
  • using Docker

Additional context

worker-1.5.2.tgz: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - worker-1.5.2.tgz

Path to dependency file: /exercises/hello-workflow/solution/package.json

Path to vulnerable library: /exercises/hello-workflow/solution/node_modules/webpack/package.json,/exercises/farewell-workflow/practice/node_modules/webpack/package.json

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (worker version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-28154 | High | 9.8 | webpack-5.75.0.tgz | Transitive | 1.7.0 | |

Details

CVE-2023-28154

Vulnerable Library - webpack-5.75.0.tgz

Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz

Path to dependency file: /exercises/hello-workflow/solution/package.json

Path to vulnerable library: /exercises/hello-workflow/solution/node_modules/webpack/package.json,/exercises/farewell-workflow/practice/node_modules/webpack/package.json

Dependency Hierarchy:

  • worker-1.5.2.tgz (Root Library)
    • webpack-5.75.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Publish Date: 2023-03-13

URL: CVE-2023-28154

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-03-13

Fix Resolution (webpack): 5.76.0

Direct dependency fix Resolution (@temporalio/worker): 1.7.0

⛑️ Automatic Remediation is available for this issue


worker-1.7.2.tgz: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - worker-1.7.2.tgz

Path to dependency file: /exercises/hello-workflow/solution/package.json

Path to vulnerable library: /exercises/farewell-workflow/practice/node_modules/webpack/package.json,/exercises/hello-workflow/solution/node_modules/webpack/package.json

Found in HEAD commit: 6ffaa92e497ffe5ffad8fccd92025ad82ade7a58

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (worker version) | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-28154 | Critical | 9.8 | webpack-5.75.0.tgz | Transitive | 1.7.3 | |

Details

CVE-2023-28154

Vulnerable Library - webpack-5.75.0.tgz

Packs CommonJs/AMD modules for the browser. Allows to split your codebase into multiple bundles, which can be loaded on demand. Support loaders to preprocess files, i.e. json, jsx, es7, css, less, ... and your custom stuff.

Library home page: https://registry.npmjs.org/webpack/-/webpack-5.75.0.tgz

Path to dependency file: /exercises/farewell-workflow/practice/package.json

Path to vulnerable library: /exercises/farewell-workflow/practice/node_modules/webpack/package.json,/exercises/hello-workflow/solution/node_modules/webpack/package.json

Dependency Hierarchy:

  • worker-1.7.2.tgz (Root Library)
    • webpack-5.75.0.tgz (Vulnerable Library)

Found in HEAD commit: 6ffaa92e497ffe5ffad8fccd92025ad82ade7a58

Found in base branch: main

Vulnerability Details

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

Publish Date: 2023-03-13

URL: CVE-2023-28154

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-03-13

Fix Resolution (webpack): 5.76.0

Direct dependency fix Resolution (@temporalio/worker): 1.7.3

⛑️ Automatic Remediation is available for this issue

