fix(deps): update to restify 7.1 and mysql 2.15 (#351), r=@rfk

Author: vbudhram

.nsprc

@@ -1,8 +1,3 @@
 {
-  "exceptions": [
-    // mysql
-    "https://nodesecurity.io/advisories/602",
-    // tunnel-agent
-    "https://nodesecurity.io/advisories/598"
-  ]
+  "exceptions": []
 }

db-server/index.js

@@ -3,10 +3,10 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 var restify = require('restify')
-var safeJsonFormatter = require('restify-safe-json-formatter')
 var bufferize = require('./lib/bufferize')
 var version = require('../package.json').version
 var errors = require('./lib/error')
+const safeJsonFormatter = require('./lib/safeJsonFormatter')
 
 function createServer(db) {
 
@@ -47,13 +47,14 @@ function createServer(db) {
     })
   }
 
-  var api = restify.createServer({
+  const api = restify.createServer({
     formatters: {
       'application/json; q=0.9': safeJsonFormatter
     }
   })
-  api.use(restify.bodyParser())
-  api.use(restify.queryParser())
+
+  api.use(restify.plugins.bodyParser())
+  api.use(restify.plugins.queryParser())
   api.use(bufferize.bufferizeRequest.bind(null, new Set([
     // These are all the different params that we handle as binary Buffers,
     // but are passed into the API as hex strings.
@@ -266,6 +267,13 @@ function createServer(db) {
       res.send(result.map(bufferize.unbuffer))
     }
     else {
+
+      // When performing a `HEAD` request, the content type is not
+      // set, manually set to application/json
+      if (req.method === 'HEAD') {
+        res.setHeader('Content-Type', 'application/json')
+      }
+
       res.send(bufferize.unbuffer(result || {}))
     }
   }

db-server/lib/safeJsonFormatter.js

@@ -0,0 +1,13 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+module.exports = (req, res, body) => {
+  let data = body ? JSON.stringify(body) : 'null'
+  data = data.replace(/</g, '\\u003c')
+    .replace(/>/g, '\\u003e')
+    .replace(/&/g, '\\u0026')
+
+  res.setHeader('Content-Length', Buffer.byteLength(data))
+  return data
+}

db-server/test/client-then.js

@@ -1,7 +1,7 @@
 /* Any copyright is dedicated to the Public Domain.
  * http://creativecommons.org/publicdomain/zero/1.0/ */
 
-var restify = require('restify')
+const clients = require('restify-clients')
 var P = require('../../lib/promise')
 
 var ops = [ 'head', 'get', 'post', 'put', 'del' ]
@@ -11,7 +11,7 @@ module.exports = function createClient(cfg) {
   cfg.headers = {
     connection : 'close',
   }
-  var client = restify.createJsonClient(cfg)
+  const client = clients.createJsonClient(cfg)
 
   // create a thenable version of each operation
   ops.forEach(function(name) {

db-server/test/local/safeJsonFormatter.js

@@ -0,0 +1,25 @@
+/* Any copyright is dedicated to the Public Domain.
+ * http://creativecommons.org/publicdomain/zero/1.0/ */
+
+'use strict'
+
+const assert = require('insist')
+const safeJsonFormatter = require('../../lib/safeJsonFormatter')
+
+describe('safeJsonFormatter module', () => {
+  it('safeJsonFormatter function exported', () => {
+    assert.equal(typeof safeJsonFormatter === 'function', true)
+  })
+
+  it('escapes input', () => {
+    const req = {}
+    const res = {
+      setHeader: () => {
+      }
+    }
+    const body = {'foo': '<script>&'}
+    const expectedData = '{"foo":"\\u003cscript\\u003e\\u0026"}'
+    const data = safeJsonFormatter(req, res, body)
+    assert.equal(data, expectedData, 'script is escaped')
+  })
+})