From 45c628fef8d449c587af61ab16b994bd71a1b91a Mon Sep 17 00:00:00 2001
From: Sebastian Frank
Date: Tue, 14 Sep 2021 15:51:05 +0200
Subject: [PATCH] fixed secret exploit via ssr code sourcemap
---
 .drone.yml | 1 +
 api/hooks/lib/ssr.js | 37 +++++++++++++++++++++++++++++++
 api/hooks/lib/utils.js | 48 ++++++----------------------------------
 esbuild-svelte.plugin.js | 5 ++---
 esbuild.config.js | 19 ++++++++--------
 src/api.ts | 2 +-
 6 files changed, 58 insertions(+), 54 deletions(-)
 create mode 100644 api/hooks/lib/ssr.js
diff --git a/.drone.yml b/.drone.yml
index adca04a..3a25949 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -75,6 +75,7 @@ steps:
 - ln -s /cache/user-cache ~/.cache
 - yarn build:instanbul
 - yarn cy:run
+ - yarn run nyc report --exclude-after-remap false
 - name: modify master config
 image: bash
diff --git a/api/hooks/lib/ssr.js b/api/hooks/lib/ssr.js
new file mode 100644
index 0000000..317433d
--- /dev/null
+++ b/api/hooks/lib/ssr.js
@@ -0,0 +1,37 @@
+/**
+ * convert object to string
+ * @param {any} obj object
+ */
+function obj2str(obj) {
+ if (Array.isArray(obj)) {
+ return JSON.stringify(
+ obj.map(function (idx) {
+ return obj2str(idx)
+ })
+ )
+ } else if (typeof obj === "object" && obj !== null) {
+ var elements = Object.keys(obj)
+ .sort()
+ .map(function (key) {
+ var val = obj2str(obj[key])
+ if (val) {
+ return key + ":" + val
+ }
+ })
+
+ var elementsCleaned = []
+ for (var i = 0; i < elements.length; i++) {
+ if (elements[i]) elementsCleaned.push(elements[i])
+ }
+
+ return "{" + elementsCleaned.join("|") + "}"
+ }
+
+ if (obj) return obj
+}
+
+// can be used by client code, so DONT INCLUDE hooks/config.js (SECRETS INSIDE)
+
+module.exports = {
+ obj2str,
+}
diff --git a/api/hooks/lib/utils.js b/api/hooks/lib/utils.js
index a9509f4..68f6674 100644
--- a/api/hooks/lib/utils.js
+++ b/api/hooks/lib/utils.js
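Review bot: `obj2str` in the new file returns `undefined` for every falsy input and a non-string for numbers and booleans, so it does not match its "convert object to string" docstring: `obj2str(0)`, `obj2str("")` and `obj2str(false)` all yield `undefined`, and `{a: 0}` serializes to the same `{}` as an empty object, which matters if this value is a cache key shared between client and server (not visible here). Since the client now bundles this function, changing its output on one side only would desynchronize the two, so I would document rather than change it: `// NOTE: falsy values (0, "", false, null, undefined) are dropped from objects and return undefined at top level; other primitives are returned unchanged, not stringified`. The `DONT INCLUDE hooks/config.js` comment is the only guard against the secret leak this commit fixes, and a future `require` added to this file would reintroduce it silently. That convention is worth enforcing mechanically, e.g. an ESLint `no-restricted-imports` rule for `src/` that allows only `api/hooks/lib/ssr.js` from the `api/hooks` tree, or a CI step that fails when the built bundle or its `.map` contains a marker value that only `hooks/config.js` defines.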
@@ -203,48 +203,14 @@ function clearSSRCache() {
 var info = context.db.deleteMany("ssr", {})
 context.response.header("X-SSR-Cleared", info.removed)
 }
-
-/**
- * convert object to string
- * @param {any} obj object
- */
-function obj2str(obj) {
- if (Array.isArray(obj)) {
- return JSON.stringify(
- obj.map(function (idx) {
- return obj2str(idx)
- })
- )
- } else if (typeof obj === "object" && obj !== null) {
- var elements = Object.keys(obj)
- .sort()
- .map(function (key) {
- var val = obj2str(obj[key])
- if (val) {
- return key + ":" + val
- }
- })
-
- var elementsCleaned = []
- for (var i = 0; i < elements.length; i++) {
- if (elements[i]) elementsCleaned.push(elements[i])
- }
-
- return "{" + elementsCleaned.join("|") + "}"
- }
-
- if (obj) return obj
-}
-
 module.exports = {
- log: log,
- randomToken: randomToken,
- isPublicToken: isPublicToken,
- isSsrToken: isSsrToken,
+ log,
+ randomToken,
+ isPublicToken,
+ isSsrToken,
 tpl: tpl,
- Base64: Base64,
- parseDate: parseDate,
- clearSSRCache: clearSSRCache,
- obj2str: obj2str,
+ Base64,
+ parseDate,
+ clearSSRCache,
 ssrValidatePath: config.ssRValidatePath,
 }
diff --git a/esbuild-svelte.plugin.js b/esbuild-svelte.plugin.js
index 6b18b24..3dbdd0c 100644
--- a/esbuild-svelte.plugin.js
+++ b/esbuild-svelte.plugin.js
@@ -60,8 +60,7 @@ module.exports = (options) => {
 return {
 errors: [
 {
- text:
- "esbuild-svelte doesn't support creating entry files yet",
+ text: "esbuild-svelte doesn't support creating entry files yet",
 },
 ],
 }
@@ -158,7 +157,7 @@ module.exports = (options) => {
 if (!js.map.sourcesContent) {
 try {
 js.map.sourcesContent = [
- readFileSync(filename, "utf8"),
+ readFileSync(filename), // , "utf8"),
 ]
 } catch (e) {}
 }
diff --git a/esbuild.config.js b/esbuild.config.js
index b3c8986..dd80942 100644
--- a/esbuild.config.js
+++ b/esbuild.config.js
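Review bot: The export object is rewritten to shorthand except `tpl: tpl,`, which the hunk keeps as a context line; for consistency it should become `tpl,`. Dropping `obj2str` from these exports is right for keeping this module out of the client (it still reads `config.ssRValidatePath`, so it pulls in `config.js`), but any server-side hook that still calls `utils.obj2str` will now get `undefined`, and the commit only repoints `src/api.ts` — worth confirming no other caller remains. The enclosing `clearSSRCache` function starts outside the hunk.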
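Review bot: In the second esbuild-svelte.plugin.js hunk, `readFileSync(filename)` without an encoding returns a Buffer, so `js.map.sourcesContent[0]` is no longer a string; when the map is serialized with `JSON.stringify`, a Buffer becomes `{"type":"Buffer","data":[...]}`, which is invalid `sourcesContent` and still embeds every byte of the file, so if this was meant to keep the source out of the sourcemap it does not. The trailing `// , "utf8"),` is commented-out code and should go. If the source must not be embedded, leave `sourcesContent` unset (drop the assignment in this branch); if it should be, restore `readFileSync(filename, "utf8")`. The `catch (e) {}` on the context line below silently swallows read errors and deserves at least a comment stating that ignoring them is intentional. The enclosing plugin callback starts and ends outside both hunks.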
@@ -60,16 +60,17 @@ const options = {
 }
 const bsMiddleware = []
-const { createProxyMiddleware } = require("http-proxy-middleware")
-const apiBase = process.env.API_BASE || "https://login.wmbasic.de"
-
-bsMiddleware.push(
- createProxyMiddleware("/api", {
- target: apiBase,
- changeOrigin: true,
- })
- )
+if (process.argv[2] == "start") {
+ const { createProxyMiddleware } = require("http-proxy-middleware")
+ const apiBase = process.env.API_BASE || "https://login.wmbasic.de"
+ bsMiddleware.push(
+ createProxyMiddleware("/api", {
+ target: apiBase,
+ changeOrigin: true,
+ })
+ )
+}
 module.exports = {
 sveltePlugin: sveltePlugin,
diff --git a/src/api.ts b/src/api.ts
index cd17de7..6b22d17 100644
--- a/src/api.ts
+++ b/src/api.ts
@@ -1,6 +1,6 @@
 import { apiBaseURL } from "./config"
 import * as sentry from "./sentry"
-import * as SSR from "../api/hooks/lib/utils.js"
+import * as SSR from "../api/hooks/lib/ssr.js"
 // [MIT License](LICENSE.md) © [Jason Miller](https://jasonformat.com/)
 const _f = function (url, options): Promise {
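Review bot: The new guard uses loose equality, `if (process.argv[2] == "start") {`; make it `if (process.argv[2] === "start") {`. Gating the proxy on a positional argument is fragile and the reason is not stated, so a comment such as `// only wire the /api dev proxy when invoked as "start"; a plain build must not load http-proxy-middleware` would make the intent explicit (I am inferring that intent from the commit, so adjust it). Note also that with `API_BASE` unset the dev proxy falls back to a real external host with `changeOrigin: true`; if that host serves production traffic, requiring the variable instead of defaulting would avoid accidental proxying from developer machines.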