Skip to content

Feat/stage#69

Open
AdriGeorge wants to merge 570 commits intomainfrom
feat/stage
Open

Feat/stage#69
AdriGeorge wants to merge 570 commits intomainfrom
feat/stage

Conversation

@AdriGeorge
Copy link

@AdriGeorge AdriGeorge commented Dec 11, 2025

enterprise node

AdriGeorge and others added 30 commits May 20, 2025 12:11
@AdriGeorge
fix: logs
7f239f3
@AdriGeorge
fix: remove logs
430a140
@AdriGeorge
fix: update ethers v
89ccfd8
@mariacarmina
Merge branch 'main' into feature/credentials-check-for-compute
fed76d7
@mariacarmina
remove initialize compute command. Update initializeCompute handler.
bc2ee4d
@mariacarmina
Enhance code.
cefed63
@mariacarmina
Define dedicated type for policy server when it comes on the handler …
656b69b 
…task.
@mariacarmina
Fix type of policy server on http requests.
04ae7e7
@Breta01
Add algoCustomData.json file into c2d (oceanprotocol#942)
f2e3034 
* Add algoCustomData.json file into c2d

* Fix linting
@giurgiur99
Check wallet signature (oceanprotocol#947)
e25a483 
* check wallet signature

* lint fix

* configurable ddo validate env

* add tests
@mariacarmina
Fix consistency for job id generation within codebase. (oceanprotocol…
c9faa2f 
…#934)

* Fix consistency for job id generation within codebase.

* Fix type for jobId.

* Make chainId optional for job id generation.

* Fix unit tests env config.

* fix imports.

* Fix condition.

* Fix review.

* Added logs for debugging validating order.

* Remove log.

* Fix bigint serialization.

* Cleanup logs.
@AdriGeorge
sync
ebd1317
@AdriGeorge
fix: build
8b57967
@mariacarmina
Fix conflicts.
3b4c42e
@AdriGeorge
chore: sync
6e5240c
@AdriGeorge
fix: lint
8c29a8b
@AdriGeorge
fix: ci
3926a47
@AdriGeorge
fix: ci
dc402a8
@AdriGeorge
fix: tests
5656a4f
@AdriGeorge
fix: console
a541140
@AdriGeorge
fix: tests
8975648
@AdriGeorge
fix: tests
6a3c8f5
@AdriGeorge
fix: ci cd
2f98604
@AdriGeorge
fix: ci
bc21da1
@AdriGeorge
fix: ci
b7b8698
@AdriGeorge
fix: tests
b35071a
@AdriGeorge
add log
6b32375
@AdriGeorge
fix: logs
edcdedd
@AdriGeorge
fix: test and logs
696953e
@AdriGeorge
fix: tests
be9a5e9
ndrpp and others added 29 commits January 29, 2026 14:35
@ndrpp
fix: show node logs in integration tests fail, update check node curl
256b7d0
@AdriGeorge
fix: log
92c4dbc
@AdriGeorge
fix: fix
36362b1
@ndrpp
fix: display curl node output
203576e
@ndrpp
fix: update start ocean node script
ab4b41f
@ndrpp
Revert "fix: restore"
d68d5d4 
This reverts commit 0b54f30.
@ndrpp
fix: add db username & password
3a53dd7
@ndrpp
fix: comment rejection and exception logs
3fce507
@ndrpp
fix: update start ocean node to use main shell
6f75270
@ndrpp
fix: add logs to build & start
84d6ed5
@ndrpp
fix: print node version
fd6ca91
@ndrpp
Merge branch 'feat/sync28-01' into fix/test-system
194908f
@ndrpp
fix: revert workflow and index logs
47c8d97
@ndrpp
fix: add more logs in start paid compute
9ab12d2
@ndrpp
fix: switch to log message instead of error
5ddb871
@ndrpp
fix: add log in validation for initialize compute
594a626
@ndrpp
fix: add more logs
7332908
@ndrpp
fix: throw error if unable to add job to db
4b82d7e
@ndrpp
ci: update test_sytem job to point to ocean cli branch with more logs
0d77df9
@ndrpp
fix: switch node private key in ci tests
d50f073
@ndrpp
fix: update logs in escrow.ts
95d7491
@ndrpp
fix: revert to previous private key for node in system test
28e339f
@ndrpp
Revert "fix: show node logs in integration tests fail, update check n…
76b6b7e 
…ode curl"

This reverts commit 256b7d0.
@ndrpp
Revert "fix: add more logs in start paid compute"
66de20b 
This reverts commit 9ab12d2.
@ndrpp
chore: cleanup
77c969c
@ndrpp
chore: cleanup leftovers
aca00b4
@ndrpp
chore: fix formatting
745e961
@AdriGeorge
Merge pull request #74 from OceanProtocolEnterprise/fix/test-system
62f197c 
fix: test system
@AdriGeorge
Merge pull request #73 from OceanProtocolEnterprise/feat/sync28-01
3db55b0 
Merge remote-tracking branch 'upstream/main' into feat/stage
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 2, 2026
View reviewed changes
src/components/httpRoutes/commands.ts
}
} catch (err) {
HTTP_LOGGER.error(err.message)
res.status(500).send(err.message)

Check warning

Code scanning / CodeQL

Exception text reinterpreted as HTML Medium

Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.
Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.
Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.
Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.
Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.
Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 4 days ago

General approach: Avoid returning raw exception messages directly to HTTP clients in a way that can be rendered as HTML. Instead, send a generic, non-sensitive message and log the detailed error server-side. If the client needs details, prefer structured JSON with sanitized content, and explicitly set a non-HTML content type.

Best targeted fix here:

  • In the catch block of directCommandRoute.post, replace res.status(500).send(err.message) with a safe, fixed response body (e.g., “Internal server error”) and optionally a JSON shape that does not expose internals.
  • Keep logging err.message (or the full error) to HTTP_LOGGER so server operators still see the details.
  • Optionally, ensure we treat err as unknown and coerce to string safely for logging, but avoid using that string in the response.

Concretely, in src/components/httpRoutes/commands.ts:

  • Modify lines 136–139 (the catch block) to:
    • Type err as any or unknown (we can keep any to avoid broader changes).
    • Log something like HTTP_LOGGER.error(err instanceof Error ? err.message : String(err)).
    • Respond with res.status(500).json({ error: 'Internal server error' }) or a similar generic message, instead of sending err.message.
  • No changes are needed in validateCommands.ts for this issue; it only affects log messages and standard 400 responses that are not derived from thrown exceptions.

This single change ensures all the alert variants—each concerned with err.message being sent—are addressed, because the exception text will no longer be reinterpreted as HTML in the client.

Suggested changeset 1
src/components/httpRoutes/commands.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/components/httpRoutes/commands.ts b/src/components/httpRoutes/commands.ts
--- a/src/components/httpRoutes/commands.ts
+++ b/src/components/httpRoutes/commands.ts
@@ -134,8 +134,10 @@
         res.end()
       }
     } catch (err) {
-      HTTP_LOGGER.error(err.message)
-      res.status(500).send(err.message)
+      // Log detailed error on the server side
+      HTTP_LOGGER.error(err instanceof Error ? err.message : String(err))
+      // Return a generic error message to the client to avoid exposing internal details
+      res.status(500).json({ error: 'Internal server error' })
     }
   }
 )
EOF
@@ -134,8 +134,10 @@
res.end()
}
} catch (err) {
HTTP_LOGGER.error(err.message)
res.status(500).send(err.message)
// Log detailed error on the server side
HTTP_LOGGER.error(err instanceof Error ? err.message : String(err))
// Return a generic error message to the client to avoid exposing internal details
res.status(500).json({ error: 'Internal server error' })
}
}
)
Copilot is powered by AI and may make mistakes. Always verify output.
src/components/httpRoutes/logs.ts
if (!database || !database.logs) {
res.status(503).send('Logs database is not available')
return
}

Check warning

Code scanning / CodeQL

Exception text reinterpreted as HTML Medium

Exception text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 4 days ago

In general, to fix this type of vulnerability, you should avoid returning raw exception messages directly to the client, especially when they may contain user input. Instead, return a generic, constant error message to the client (e.g., “Internal Server Error”) and log the detailed error message server-side. If you do need to expose some error details, encode or escape the message appropriately for the output context (HTML, JSON, etc.).

For this specific code, the best minimal fix that doesn’t change core functionality is to stop concatenating error.message into the HTTP response and send a static error message instead, while still logging the detailed error via HTTP_LOGGER. This preserves current behavior from the client’s perspective (still a 500 with an “Internal Server Error” message) but removes the XSS vector. Concretely, in src/components/httpRoutes/logs.ts, in the /log/:id route’s catch block, replace res.status(500).send('Internal Server Error' + error.message) with res.status(500).send('Internal Server Error'). No new imports or helper methods are needed because detailed error info is already captured by HTTP_LOGGER.error.

Suggested changeset 1
src/components/httpRoutes/logs.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/components/httpRoutes/logs.ts b/src/components/httpRoutes/logs.ts
--- a/src/components/httpRoutes/logs.ts
+++ b/src/components/httpRoutes/logs.ts
@@ -87,6 +87,6 @@
     }
   } catch (error) {
     HTTP_LOGGER.error(`Error retrieving log: ${error.message}`)
-    res.status(500).send('Internal Server Error' + error.message)
+    res.status(500).send('Internal Server Error')
   }
 })
EOF
@@ -87,6 +87,6 @@
}
} catch (error) {
HTTP_LOGGER.error(`Error retrieving log: ${error.message}`)
res.status(500).send('Internal Server Error' + error.message)
res.status(500).send('Internal Server Error')
}
})
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexcos20 alexcos20 alexcos20 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@AdriGeorge @alexcos20 @mariacarmina @Breta01 @giurgiur99 @ndrpp