fixed secret exploit via ssr code sourcemap

This commit is contained in:
Sebastian Frank 2021-09-14 15:51:05 +02:00
parent 73bfe07b11
commit 45c628fef8
Signed by: apairon
GPG Key ID: A0E05A8199CE3F57
6 changed files with 58 additions and 54 deletions

View File

@ -75,6 +75,7 @@ steps:
- ln -s /cache/user-cache ~/.cache - ln -s /cache/user-cache ~/.cache
- yarn build:instanbul - yarn build:instanbul
- yarn cy:run - yarn cy:run
- yarn run nyc report --exclude-after-remap false
- name: modify master config - name: modify master config
image: bash image: bash

37
api/hooks/lib/ssr.js Normal file
View File

@ -0,0 +1,37 @@
/**
* convert object to string
* @param {any} obj object
*/
function obj2str(obj) {
if (Array.isArray(obj)) {
return JSON.stringify(
obj.map(function (idx) {
return obj2str(idx)
})
)
} else if (typeof obj === "object" && obj !== null) {
var elements = Object.keys(obj)
.sort()
.map(function (key) {
var val = obj2str(obj[key])
if (val) {
return key + ":" + val
}
})
var elementsCleaned = []
for (var i = 0; i < elements.length; i++) {
if (elements[i]) elementsCleaned.push(elements[i])
}
return "{" + elementsCleaned.join("|") + "}"
}
if (obj) return obj
}
// can be used by client code, so DONT INCLUDE hooks/config.js (SECRETS INSIDE)
module.exports = {
obj2str,
}

View File

@ -203,48 +203,14 @@ function clearSSRCache() {
var info = context.db.deleteMany("ssr", {}) var info = context.db.deleteMany("ssr", {})
context.response.header("X-SSR-Cleared", info.removed) context.response.header("X-SSR-Cleared", info.removed)
} }
/**
* convert object to string
* @param {any} obj object
*/
function obj2str(obj) {
if (Array.isArray(obj)) {
return JSON.stringify(
obj.map(function (idx) {
return obj2str(idx)
})
)
} else if (typeof obj === "object" && obj !== null) {
var elements = Object.keys(obj)
.sort()
.map(function (key) {
var val = obj2str(obj[key])
if (val) {
return key + ":" + val
}
})
var elementsCleaned = []
for (var i = 0; i < elements.length; i++) {
if (elements[i]) elementsCleaned.push(elements[i])
}
return "{" + elementsCleaned.join("|") + "}"
}
if (obj) return obj
}
module.exports = { module.exports = {
log: log, log,
randomToken: randomToken, randomToken,
isPublicToken: isPublicToken, isPublicToken,
isSsrToken: isSsrToken, isSsrToken,
tpl: tpl, tpl: tpl,
Base64: Base64, Base64,
parseDate: parseDate, parseDate,
clearSSRCache: clearSSRCache, clearSSRCache,
obj2str: obj2str,
ssrValidatePath: config.ssRValidatePath, ssrValidatePath: config.ssRValidatePath,
} }

View File

@ -60,8 +60,7 @@ module.exports = (options) => {
return { return {
errors: [ errors: [
{ {
text: text: "esbuild-svelte doesn't support creating entry files yet",
"esbuild-svelte doesn't support creating entry files yet",
}, },
], ],
} }
@ -158,7 +157,7 @@ module.exports = (options) => {
if (!js.map.sourcesContent) { if (!js.map.sourcesContent) {
try { try {
js.map.sourcesContent = [ js.map.sourcesContent = [
readFileSync(filename, "utf8"), readFileSync(filename), // , "utf8"),
] ]
} catch (e) {} } catch (e) {}
} }

View File

@ -60,16 +60,17 @@ const options = {
} }
const bsMiddleware = [] const bsMiddleware = []
const { createProxyMiddleware } = require("http-proxy-middleware")
const apiBase = process.env.API_BASE || "https://login.wmbasic.de" if (process.argv[2] == "start") {
const { createProxyMiddleware } = require("http-proxy-middleware")
bsMiddleware.push( const apiBase = process.env.API_BASE || "https://login.wmbasic.de"
createProxyMiddleware("/api", { bsMiddleware.push(
target: apiBase, createProxyMiddleware("/api", {
changeOrigin: true, target: apiBase,
}) changeOrigin: true,
) })
)
}
module.exports = { module.exports = {
sveltePlugin: sveltePlugin, sveltePlugin: sveltePlugin,

View File

@ -1,6 +1,6 @@
import { apiBaseURL } from "./config" import { apiBaseURL } from "./config"
import * as sentry from "./sentry" import * as sentry from "./sentry"
import * as SSR from "../api/hooks/lib/utils.js" import * as SSR from "../api/hooks/lib/ssr.js"
// [MIT License](LICENSE.md) © [Jason Miller](https://jasonformat.com/) // [MIT License](LICENSE.md) © [Jason Miller](https://jasonformat.com/)
const _f = function (url, options): Promise<Response> { const _f = function (url, options): Promise<Response> {