fix: rewrite BE endpoint resolution method

[ajhollid]

This PR rewrites the endpoint resolution functionality. The original implementation was insufficient and only handle DNS resolution, which is only a subset of resolution we need to check.

• use axios to check for endpoint resolution
  • accepts all status code as resolution, we just want to know if the server is there or not and responding
  • add statusCode and statusText to success response in case we need this later
• update tests

[coderabbitai]

Walkthrough

The pull request introduces significant changes to the monitorController.js and its corresponding test suite. The primary modification involves replacing the DNS resolution approach with HTTP requests using the axios library for endpoint checks. The checkEndpointResolution function has been updated to make GET requests and handle responses, while the test cases have been revised to reflect these changes, ensuring proper error handling and validation of HTTP responses.

Changes

File Path	Change Summary
Server/controllers/monitorController.js	- Removed dns import; added axios import. - Updated checkEndpointResolution to use axios.get for HTTP requests instead of DNS resolution.
Server/tests/controllers/monitorController.test.js	- Replaced dns with axios in tests. - Updated tests for checkEndpointResolution to validate HTTP responses. - Enhanced error handling in tests for deleteMonitor, deleteAllMonitors, and editMonitor.

Possibly related PRs

• check if the url resolves before adding the monitor #946: This PR includes changes to the monitorController.js file, specifically the implementation of the checkEndpointResolution function, which is directly related to the changes made in the main PR that also modifies this function to use axios for HTTP requests instead of DNS resolution.
• Add ssl-checker, refactor fetchMonitorCertificate #975: This PR also modifies the monitorController.js file, specifically updating the getMonitorCertificate function and changing the import statements. While it focuses on SSL certificate fetching, it indicates ongoing changes in the same controller file, which may relate to the overall refactoring of the controller's functionality.
• Feat/be/network service tests #983: This PR introduces a new NetworkService that utilizes axios, which aligns with the changes in the main PR where axios is introduced for endpoint resolution checks in the monitorController.js.
• Feat/be/job queue tests #1035: This PR enhances the testing framework for the JobQueue, which may indirectly relate to the changes in the monitorController.js if the job queue interacts with the monitoring functionalities.
• Add missing test cases for pagespeed and hardware monitor types #1124: This PR adds missing test cases for the monitorModule, which could be relevant as it may include tests that validate the functionality of the monitorController.js changes.
• Update tests for JobQueue and StatusService after chanages to hardwar… #1142: This PR updates tests for the JobQueue and StatusService, which may include interactions with the monitorController.js if those services are involved in monitoring tasks.

Suggested reviewers

• jennifer-gan
• marcelluscaio

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (3)

Server/controllers/monitorController.js (2)

294-294: Consider reducing the timeout value

A 5-second timeout might be too long for health checks, potentially causing queue buildup during outages.

-  timeout: 5000,
+  timeout: 3000,

---

291-301: Consider adding resilience patterns

The endpoint checking mechanism could benefit from:

1. Implementing a retry mechanism with exponential backoff for transient failures
2. Adding a circuit breaker pattern to prevent cascade failures
3. Implementing request rate limiting per origin

This would improve reliability and prevent system overload during outages.

Would you like me to provide example implementations of these patterns?

🧰 Tools

🪛 GitHub Check: CodeQL

[failure] 293-296: Server-side request forgery
The URL of this request depends on a user-provided value.

Server/tests/controllers/monitorController.test.js (1)

505-507: Enhance axios error simulation for accuracy

Consider refining the simulated axios error to more closely reflect the actual error structure returned by axios. This can improve the reliability of your tests.

Apply this diff to improve the error simulation:

 const axiosError = new Error("resolution failed");
 axiosError.code = "ENOTFOUND";
+axiosError.config = {};
+axiosError.request = {};
+axiosError.response = null;
 axiosGetStub.rejects(axiosError);

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between cb02716 and 58be0c0.

📒 Files selected for processing (2)

• Server/controllers/monitorController.js (2 hunks)
• Server/tests/controllers/monitorController.test.js (2 hunks)

🧰 Additional context used

🪛 GitHub Check: CodeQL

Server/controllers/monitorController.js

[failure] 293-296: Server-side request forgery
The URL of this request depends on a user-provided value.

🔇 Additional comments (7)

Server/controllers/monitorController.js (2)

22-22: LGTM! Import change aligns with new implementation

The switch from dns to axios reflects the architectural shift from DNS resolution to HTTP-based endpoint checking.

---

299-300: LGTM! Enhanced response structure

The addition of status code and status text provides valuable information for monitoring and debugging purposes.

Server/tests/controllers/monitorController.test.js (5)

21-21: Great addition: Importing axios

The inclusion of axios is essential for the updated endpoint resolution logic.

---

485-485: Properly stubbing axios.get

Using sinon.stub to mock axios.get ensures the tests accurately simulate HTTP requests.

---

488-488: Ensuring clean test environment

Calling sinon.restore() in the afterEach hook effectively resets stubs and restores the original functionality after each test.

---

491-491: Accurate simulation of successful response

Mocking axiosGetStub to resolve with { status: 200, statusText: "OK" } correctly emulates a successful endpoint resolution.

---

497-498: Verifying response details

Asserting that the response includes the correct code and statusText ensures that the controller returns the expected data.

[coderabbitai]

⚠️ Potential issue

Critical: Implement SSRF protection measures

The current implementation is vulnerable to Server-Side Request Forgery (SSRF) attacks. An attacker could provide a URL pointing to internal network resources.

Apply this diff to add basic SSRF protection:

 const { monitorURL } = req.query;
 const parsedUrl = new URL(monitorURL);
+ // Block private IP ranges and localhost
+ const hostname = parsedUrl.hostname;
+ if (hostname === 'localhost' || 
+     hostname === '127.0.0.1' ||
+     hostname.startsWith('192.168.') ||
+     hostname.startsWith('10.') ||
+     hostname.startsWith('172.16.')) {
+   throw new Error('Access to internal networks is not allowed');
+ }
 const response = await axios.get(parsedUrl, {

Committable suggestion skipped: line range outside the PR's diff.

[llamapreview]

Auto Pull Request Review from LlamaPReview

1. Overview

1.1 PR Summary

• Business value and requirements alignment: This PR rewrites the endpoint resolution functionality to improve the monitoring capabilities of the BlueWave Uptime system. The changes ensure that the system can determine if a server is reachable and responding, not just performing DNS resolution.
• Key components modified: The primary changes are in Server/controllers/monitorController.js and Server/tests/controllers/monitorController.test.js.
• Impact assessment: The changes impact the functionality of monitoring endpoints, affecting how the system determines if a server is responding.
• System dependencies and integration impacts: Introduces axios as a dependency for HTTP requests, changing how the controller interacts with network resources.

1.2 Architecture Changes

• System design modifications: The use of axios for HTTP requests introduces a dependency on an external library and changes how endpoint resolution is handled.
• Component interactions: The checkEndpointResolution function now uses axios instead of the dns module, altering how the controller interacts with network resources.
• Integration points: The change affects the integration points related to endpoint monitoring and resolution.

2. Detailed Technical Analysis

2.1 Code Logic Deep-Dive

Core Logic Changes

Server/controllers/monitorController.js - checkEndpointResolution

• Submitted PR Code:

  const checkEndpointResolution = async (req, res, next) => {
      try {
          await getMonitorURLByQueryValidation.validateAsync(req.query);
      } catch (error) {
          next(handleValidationError(error, SERVICE_NAME));
          return;
      }
  
      try {
          const { monitorURL } = req.query;
          const parsedUrl = new URL(monitorURL);
          const response = await axios.get(parsedUrl, {
              timeout: 5000,
              validateStatus: () => true,
          });
          return res.status(200).json({
              success: true,
              code: response.status,
              statusText: response.statusText,
              msg: `URL resolved successfully`,
          });
      } catch (error) {
          next(handleError(error, SERVICE_NAME, "checkEndpointResolution"));
      }
  };

• Analysis:

  • Current logic and potential issues:
    • The new implementation uses axios to make an HTTP GET request to the provided URL.
    • The response status code and status text are included in the success response.
    • Error handling is in place to catch any issues during the HTTP request.
  • Edge cases and error handling:
    • The code handles validation errors and HTTP request errors gracefully.
    • The validateStatus function is set to true to accept all status codes.
  • Cross-component impact:
    • The change impacts the monitorController and any component that relies on the checkEndpointResolution function.
  • Business logic considerations:
    • The business logic is correctly implemented to check if the server is reachable and responding.

• LlamaPReview Suggested Improvements:

  // No immediate improvements required as the logic is sound.

• Improvement rationale:

  • Technical benefits:
    • The use of axios provides a more robust way to check endpoint resolution compared to DNS resolution.
  • Business value:
    • Ensures that the system can effectively monitor the reachability and responsiveness of endpoints.
  • Risk assessment:
    • Introduces a dependency on an external library (axios), which needs to be managed for updates and potential security issues.

Server/tests/controllers/monitorController.test.js - checkEndpointResolution

• Submitted PR Code:

  describe("Monitor Controller - checkEndpointResolution", () => {
      let req, res, next, axiosGetStub;
      beforeEach(() => {
          req = { query: { monitorURL: "https://example.com" } };
          res = { status: sinon.stub().returnsThis(), json: sinon.stub() };
          next = sinon.stub();
          axiosGetStub = sinon.stub(axios, "get");
      });
      afterEach(() => {
          sinon.restore();
      });
      it("should resolve the URL successfully", async () => {
          axiosGetStub.resolves({ status: 200, statusText: "OK" });
          await checkEndpointResolution(req, res, next);
          expect(res.status.calledWith(200)).to.be.true;
          expect(
              res.json.calledWith({
                  success: true,
                  code: 200,
                  statusText: "OK",
                  msg: "URL resolved successfully",
              })
          ).to.be.true;
          expect(next.called).to.be.false;
      });
      it("should return an error if endpoint resolution fails", async () => {
          const axiosError = new Error("resolution failed");
          axiosError.code = "ENOTFOUND";
          axiosGetStub.rejects(axiosError);
          await checkEndpointResolution(req, res, next);
          expect(next.calledOnce).to.be.true;
          const errorPassedToNext = next.getCall(0).args[0];
          expect(errorPassedToNext).to.be.an.instanceOf(Error);
          expect(errorPassedToNext.message).to.include("resolution failed");
          expect(errorPassedToNext.code).to.equal("ENOTFOUND");
          expect(errorPassedToNext.status).to.equal(500);
      });
      it("should reject with an error if query validation fails", async () => {
          req.query.monitorURL = "invalid-url";
          await checkEndpointResolution(req, res, next);
          expect(next.calledOnce).to.be.true;
          const error = next.getCall(0).args[0];
          expect(next.firstCall.args[0]).to.be.an("error");
          expect(next.firstCall.args[0].status).to.equal(422);
      });
  });

• Analysis:

  • Current logic and potential issues:
    • The tests cover the main functionality and edge cases, including validation errors and HTTP request errors.
  • Edge cases and error handling:
    • The tests ensure that the checkEndpointResolution function handles validation errors and HTTP request errors correctly.
  • Cross-component impact:
    • The tests validate the integration with the axios library and ensure that the function works as expected in different scenarios.
  • Business logic considerations:
    • The tests align with the business logic of checking if the server is reachable and responding.

• LlamaPReview Suggested Improvements:

  // No immediate improvements required as the tests cover the main functionality and edge cases.

• Improvement rationale:

  • Technical benefits:
    • Comprehensive tests ensure that the checkEndpointResolution function works as expected in different scenarios.
  • Business value:
    • Ensures that the system can effectively monitor the reachability and responsiveness of endpoints.
  • Risk assessment:
    • The tests help identify and mitigate potential issues in the implementation.

Cross-cutting Concerns

• Data flow analysis:
  • The data flow involves validating the input URL, making an HTTP request using axios, and returning the response status code and status text.
• State management implications:
  • The function is stateless and does not introduce any state management concerns.
• Error propagation paths:
  • Errors are propagated to the next middleware for handling, ensuring proper error propagation.
• Edge case handling across components:
  • The function handles validation errors and HTTP request errors gracefully.

2.2 Implementation Quality

• Code organization and structure:
  • The code is well-organized and modular, with clear separation of concerns.
  • The controller pattern is maintained, handling requests and responses appropriately.
• Design patterns usage:
  • Follows the controller pattern, handling requests and responses appropriately.
• Error handling approach:
  • Comprehensive error handling for validation and HTTP request errors.
  • Errors are passed to the next middleware for handling, ensuring proper error propagation.
• Resource management:
  • Introduces a network request, which should be considered for performance implications.
  • The use of axios is scalable for handling multiple requests.

3. Critical Findings

3.1 Potential Issues

• 🔴 Critical Issues

  • Issue: None identified.

• 🟡 Warnings

  • Warning description: None identified.

3.2 Code Quality Concerns

• Maintainability aspects: The code is easy to read and maintain, with clear error handling and validation.
• Readability issues: None identified.
• Performance bottlenecks: The HTTP request could be a bottleneck if not handled properly in high-load scenarios.

4. Security Assessment

4.1 Security Considerations

• Authentication/Authorization impacts: None identified.
• Data handling concerns: Ensure that sensitive data is not exposed in error messages or logs.
• Input validation: The input URL is validated, reducing the risk of injection attacks.
• Security best practices: Ensure that the axios library is kept up to date to mitigate security risks.

4.2 Vulnerability Analysis

• Potential security risks: Regularly check for vulnerabilities in axios and update accordingly.
• Mitigation strategies: Implement error reporting to track and analyze issues in production.
• Security testing requirements: Ensure comprehensive logging and error reporting for monitoring and debugging.

5. Testing Strategy

5.1 Test Coverage

• Unit test analysis: Ensure that the checkEndpointResolution function handles validation errors and HTTP request errors correctly.
• Integration test requirements: Test the integration with the axios library and ensure that the function works as expected in different scenarios.
• Edge cases coverage: Validate edge cases such as invalid URLs and network errors.

5.2 Test Recommendations

Suggested Test Cases

// No additional test cases required as the current tests cover the main functionality and edge cases.

• Coverage improvements: None identified.
• Performance testing needs: Consider performance testing for the HTTP request.

6. Documentation & Maintenance

• Documentation updates needed (API, architecture, configuration): Add comments explaining the purpose of the validateStatus function and other critical decisions.
• Long-term maintenance considerations: Ensure that the axios dependency is managed for updates and potential security issues.
• Technical debt and monitoring requirements: Implement caching or parallel requests for optimization.

7. Deployment & Operations

• Deployment impact and strategy: Ensure that axios is added to the project's dependencies and properly managed.
• Key operational considerations: Make the timeout and other configurations configurable via environment variables or configuration files.

8. Summary & Recommendations

8.1 Key Action Items

1. Critical changes required: None identified.
2. Important improvements suggested:
   • Make the timeout configurable via environment variables or configuration files.
   • Regularly update and monitor the axios dependency for security vulnerabilities.
3. Best practices to implement:
   • Implement caching or parallel requests for optimization.
   • Ensure comprehensive logging and error reporting for monitoring and debugging.
4. Cross-cutting concerns to address: None identified.

8.2 Future Considerations

• Technical evolution path: Continuously monitor and update the axios dependency for security and performance improvements.
• Business capability evolution: Ensure that the system can effectively monitor the reachability and responsiveness of endpoints as business needs evolve.
• System integration impacts: Consider the impact of network requests on performance and scalability.

---

💡 LlamaPReview Community
Have feedback on this AI Code review tool? Join our GitHub Discussions to share your thoughts and help shape the future of LlamaPReview.

[jennifer-gan]

looks good