Convert OMM to OMM Plugin & Integrate Build Tool Functionality

[jvigliotta]

closes #360

Convert Open MCT for MCWS from using OpenM CT as a dependency to being a plugin for Open MCT. Also, update Open MCT for MCWS Plugin to work with the Open MCT Configurator build tool.

Changes:

• Convert any remaining non ES6 Modules
• Consolidated AMMOSPlugins.js and loader.js into the new plugin.js
• Removed Open MCT plugins from plugin and added to recipes for OMM Plugin default.yaml development.yaml
• Convert OMM to a plugin, it now accepts it's previous ocnfiguration (config.js) as plugin options
• Reduce the complexity of the configuration, default non-required config in plugin and start with only required config options
• Removed webpack.dev.js configuration
• Created dev server to work with new plugin/build tool format
• Updated README.md for new plugin format

The best way to fix this SSRF is to restrict outbound requests so that only specific, pre-approved hosts or endpoints can be targeted. Do not allow the user to pick an arbitrary URL, especially in the hostname. Instead, maintain a list of allowed hosts or patterns, and use the user's input only to select among these, or to build paths on these hosts in a controlled way. You can safely handle query/path construction for known hosts, but for absolute URLs, you should parse and validate them against your allow-list before permitting any outbound request.

Specifically:

• Before making a request with fetch(targetUrl, ...), parse the URL (new URL(targetUrl)) and check that the hostname matches an allowed set.
• If the user requests a host not on the list, reject the request with an HTTP 400 or 403.
• The allow-list may be defined at the top of the file or as an environment variable, but it must not be influenced by user input.
• Perform this check just before the fetch call.

You'll need to:

• Import/use the standard url module to safely parse hostnames.
• Add an allow-list (e.g., an array of allowed hosts like ['example.com', 'my-api.com', 'localhost']), configurable if necessary.
• Validate the parsed hostname matches an entry before fetching.
• Respond with an error if not allowed.

To fix the problem, remove the unnecessary argument (config) when calling LinkPlugin in the call to openmct.install within openmctMCWSPlugin. Specifically, edit line 189 to call new LinkPlugin() with no arguments instead of new LinkPlugin(config). This will align the function call with the callee's signature, avoid possible miscommunication about what LinkPlugin is supposed to do, and resolve the flagged issue. No additional imports or methods are necessary, and changes should be limited to this line in plugin.js.

---

To fix the problem, we need to ensure that user input (decodedUrl) is sanitized before it is logged. Specifically, we should remove CR (\r) and LF (\n) characters, as recommended. Logging should also clearly label user input, to help identify it as such in logs.

Only the code line logging decodedUrl (line 70 in serve-instance.js) needs to be modified. Before logging, we should sanitize the decoded value, e.g., with .replace(/\r|\n/g, "") to remove all newline-related control characters. No changes elsewhere, and no extra dependency is needed—this can be done directly in the block.

Required:

• Edit the logging statement to sanitize the value.
• Possibly label the user input in logs, e.g., quote or bracket it.

---

To fix this issue, the value logged from user input needs to be sanitized before being included in the log entry. For plain text logs, the recommended practice is to remove newline characters (\n, \r) from the value. This can be done by using String.prototype.replace with a regular expression. The change should be limited to the specific value logged—urlMatch[1] on line 90 in serve-instance.js. The sanitized value should replace the direct use of urlMatch[1] in the error log.

Specifically:

• On line 90, before logging urlMatch[1], apply .replace(/\r|\n/g, "") to sanitize it.
• It is not necessary to add any imports, as this uses standard JavaScript functionality.
• No functional change for non-error flows.

---

To address this log injection issue, sanitize all user-controlled input before including it in logs. In this context, remove or escape any potentially dangerous control characters from req.originalUrl or req.url before logging them. A standard fix for plain text logs is to remove all carriage return (\r) and newline (\n) characters by using String.prototype.replace, ensuring any log entry cannot be split into multiple lines by attacker input. The fix should only affect the relevant log statement(s) to avoid changing existing functionality. The required change involves assigning a sanitized version of the URL to a local variable and logging that variable in place of the raw input. No new dependencies are required.

To fix the problem, we should simplify the implementation of the map helper function in src/services/dataset/ChannelDictionary.js, specifically lines 37-39. The conditional that checks typeof key === 'function' is unnecessary if callers never supply a function as the key parameter. We can safely remove the conditional, and have the function simply use the property lookup (item[key]). The fix requires editing just the map function definition in this file. No new methods or imports are needed, nor any other changes elsewhere.

---

To fix this problem, we should simplify the groupBy function by removing the typeof key === 'function' ? key(item) : item[key] check and always using item[key], as key is always a string. This involves editing the groupBy implementation in src/services/dataset/EVRDictionary.js to remove the type test and just access the property via item[key]. No changes to other parts of the code, imports, or extra definitions are required.

The fix is to remove the unneeded guard typeof key === 'function' in the helper keyBy, as it always evaluates to false in this context. Specifically, change line 47 to directly assign groupKey = item[key]; (dropping the ternary operator). This change makes the code simpler and avoids misleading future maintainers about the function’s allowed polymorphism. The change is entirely local to the keyBy function in src/services/dataset/EVRDictionary.js.

---

To fix this issue, remove the unnecessary guard in the uniqBy function for the key argument. Currently, the code uses typeof key === 'function' ? key(item) : item[key]; to support either a property string or a function. Since CodeQL has flagged that typeof key === 'function' is always false here, this can be simplified to always use item[key], which removes unneeded complexity without changing the actual behaviour of the function in this codebase. Make the corresponding change on line 57 in src/services/dataset/EVRDictionary.js.

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot
0.0% Coverage on New Code (required ≥ 80%)
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[akhenry]

We should separate each of these pseudo-providers out to their own separate files and makes them ES6 classes. We can then instantiate them into an array further down.

[akhenry]

I don't think this is functionally equivalent to the code it's replacing. The original code imports the script at build time, and encodes its contents into a data URL. The new code defers resolving the web worker script until runtime, requiring the web worker script to be available on the web server.

Is there a reason why we switched?

[akhenry]

Changes in this file appear unrelated to the other changes?