fixed secret exploit via ssr code sourcemap

This commit is contained in:
Sebastian Frank 2021-09-14 15:51:05 +02:00
parent 73bfe07b11
commit 45c628fef8
Signed by: apairon
GPG Key ID: A0E05A8199CE3F57
6 changed files with 58 additions and 54 deletions

View File

@ -75,6 +75,7 @@ steps:
- ln -s /cache/user-cache ~/.cache
- yarn build:instanbul
- yarn cy:run
- yarn run nyc report --exclude-after-remap false
- name: modify master config
image: bash

37
api/hooks/lib/ssr.js Normal file
View File

@ -0,0 +1,37 @@
/**
* convert object to string
* @param {any} obj object
*/
function obj2str(obj) {
if (Array.isArray(obj)) {
return JSON.stringify(
obj.map(function (idx) {
return obj2str(idx)
})
)
} else if (typeof obj === "object" && obj !== null) {
var elements = Object.keys(obj)
.sort()
.map(function (key) {
var val = obj2str(obj[key])
if (val) {
return key + ":" + val
}
})
var elementsCleaned = []
for (var i = 0; i < elements.length; i++) {
if (elements[i]) elementsCleaned.push(elements[i])
}
return "{" + elementsCleaned.join("|") + "}"
}
if (obj) return obj
}
// can be used by client code, so DONT INCLUDE hooks/config.js (SECRETS INSIDE)
module.exports = {
obj2str,
}

View File

@ -203,48 +203,14 @@ function clearSSRCache() {
var info = context.db.deleteMany("ssr", {})
context.response.header("X-SSR-Cleared", info.removed)
}
/**
* convert object to string
* @param {any} obj object
*/
function obj2str(obj) {
if (Array.isArray(obj)) {
return JSON.stringify(
obj.map(function (idx) {
return obj2str(idx)
})
)
} else if (typeof obj === "object" && obj !== null) {
var elements = Object.keys(obj)
.sort()
.map(function (key) {
var val = obj2str(obj[key])
if (val) {
return key + ":" + val
}
})
var elementsCleaned = []
for (var i = 0; i < elements.length; i++) {
if (elements[i]) elementsCleaned.push(elements[i])
}
return "{" + elementsCleaned.join("|") + "}"
}
if (obj) return obj
}
module.exports = {
log: log,
randomToken: randomToken,
isPublicToken: isPublicToken,
isSsrToken: isSsrToken,
log,
randomToken,
isPublicToken,
isSsrToken,
tpl: tpl,
Base64: Base64,
parseDate: parseDate,
clearSSRCache: clearSSRCache,
obj2str: obj2str,
Base64,
parseDate,
clearSSRCache,
ssrValidatePath: config.ssRValidatePath,
}

View File

@ -60,8 +60,7 @@ module.exports = (options) => {
return {
errors: [
{
text:
"esbuild-svelte doesn't support creating entry files yet",
text: "esbuild-svelte doesn't support creating entry files yet",
},
],
}
@ -158,7 +157,7 @@ module.exports = (options) => {
if (!js.map.sourcesContent) {
try {
js.map.sourcesContent = [
readFileSync(filename, "utf8"),
readFileSync(filename), // , "utf8"),
]
} catch (e) {}
}

View File

@ -60,16 +60,17 @@ const options = {
}
const bsMiddleware = []
const { createProxyMiddleware } = require("http-proxy-middleware")
const apiBase = process.env.API_BASE || "https://login.wmbasic.de"
bsMiddleware.push(
if (process.argv[2] == "start") {
const { createProxyMiddleware } = require("http-proxy-middleware")
const apiBase = process.env.API_BASE || "https://login.wmbasic.de"
bsMiddleware.push(
createProxyMiddleware("/api", {
target: apiBase,
changeOrigin: true,
})
)
)
}
module.exports = {
sveltePlugin: sveltePlugin,

View File

@ -1,6 +1,6 @@
import { apiBaseURL } from "./config"
import * as sentry from "./sentry"
import * as SSR from "../api/hooks/lib/utils.js"
import * as SSR from "../api/hooks/lib/ssr.js"
// [MIT License](LICENSE.md) © [Jason Miller](https://jasonformat.com/)
const _f = function (url, options): Promise<Response> {