fixed secret exploit via ssr code sourcemap
This commit is contained in:
parent
73bfe07b11
commit
45c628fef8
@ -75,6 +75,7 @@ steps:
|
||||
- ln -s /cache/user-cache ~/.cache
|
||||
- yarn build:instanbul
|
||||
- yarn cy:run
|
||||
- yarn run nyc report --exclude-after-remap false
|
||||
|
||||
- name: modify master config
|
||||
image: bash
|
||||
|
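--- /dev/null
+++ b/api/hooks/lib/ssr.js
@@ -0,0 +1,37 @@
+/**
+ * convert object to string
+ * @param {any} obj object
+ */
+function obj2str(obj) {
+    if (Array.isArray(obj)) {
+        return JSON.stringify(
+            obj.map(function (idx) {
+                return obj2str(idx)
+            })
+        )
+    } else if (typeof obj === "object" && obj !== null) {
+        var elements = Object.keys(obj)
+            .sort()
+            .map(function (key) {
+                var val = obj2str(obj[key])
+                if (val) {
+                    return key + ":" + val
+                }
+            })
+
+        var elementsCleaned = []
+        for (var i = 0; i < elements.length; i++) {
+            if (elements[i]) elementsCleaned.push(elements[i])
+        }
+
+        return "{" + elementsCleaned.join("|") + "}"
+    }
+
+    if (obj) return obj
+}
+
+// can be used by client code, so DONT INCLUDE hooks/config.js (SECRETS INSIDE)
+
+module.exports = {
+    obj2str,
+}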
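Review bot: `obj2str` silently drops falsy leaves (`0`, `false` and `""` come back as `undefined` from the `if (obj) return obj` tail and are then filtered out of `elementsCleaned`) and returns other non-object values unchanged rather than as strings, none of which the JSDoc at the top of the new file states; add `@returns {string|undefined} canonical string for arrays/objects, the value itself for other truthy inputs, undefined for falsy ones`. Because keys and values are joined with unescaped `:` and `|`, two different objects can serialize identically — a constructed example is `{a: "b|c:d"}` and `{a: "b", c: "d"}`, both giving `{a:b|c:d}` — and if the result is used as an SSR cache key, as the module name suggests but the page does not show, that ambiguity deserves either a comment or a switch to `JSON.stringify` over the sorted entries. The callback parameter `idx` in the array branch receives an element, not an index, so `item` would read more honestly.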
@ -203,48 +203,14 @@ function clearSSRCache() {
|
||||
var info = context.db.deleteMany("ssr", {})
|
||||
context.response.header("X-SSR-Cleared", info.removed)
|
||||
}
|
||||
|
||||
/**
|
||||
* convert object to string
|
||||
* @param {any} obj object
|
||||
*/
|
||||
function obj2str(obj) {
|
||||
if (Array.isArray(obj)) {
|
||||
return JSON.stringify(
|
||||
obj.map(function (idx) {
|
||||
return obj2str(idx)
|
||||
})
|
||||
)
|
||||
} else if (typeof obj === "object" && obj !== null) {
|
||||
var elements = Object.keys(obj)
|
||||
.sort()
|
||||
.map(function (key) {
|
||||
var val = obj2str(obj[key])
|
||||
if (val) {
|
||||
return key + ":" + val
|
||||
}
|
||||
})
|
||||
|
||||
var elementsCleaned = []
|
||||
for (var i = 0; i < elements.length; i++) {
|
||||
if (elements[i]) elementsCleaned.push(elements[i])
|
||||
}
|
||||
|
||||
return "{" + elementsCleaned.join("|") + "}"
|
||||
}
|
||||
|
||||
if (obj) return obj
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
log: log,
|
||||
randomToken: randomToken,
|
||||
isPublicToken: isPublicToken,
|
||||
isSsrToken: isSsrToken,
|
||||
log,
|
||||
randomToken,
|
||||
isPublicToken,
|
||||
isSsrToken,
|
||||
tpl: tpl,
|
||||
Base64: Base64,
|
||||
parseDate: parseDate,
|
||||
clearSSRCache: clearSSRCache,
|
||||
obj2str: obj2str,
|
||||
Base64,
|
||||
parseDate,
|
||||
clearSSRCache,
|
||||
ssrValidatePath: config.ssRValidatePath,
|
||||
}
|
||||
|
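Review bot: The new export list no longer contains `obj2str`, but no hunk on this page updates a server-side `require` of it, so any hook still reading `utils.obj2str` would now get `undefined` at call time instead of failing at load. Either confirm there are no remaining server callers or keep a compatibility re-export on the new side, `obj2str: require("./ssr").obj2str,`, which preserves the server API while the client imports `ssr.js` directly. The file header for this hunk is not on the page; the module is inferred from the import change further down, and `clearSSRCache` begins outside the hunk.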
@ -60,8 +60,7 @@ module.exports = (options) => {
|
||||
return {
|
||||
errors: [
|
||||
{
|
||||
text:
|
||||
"esbuild-svelte doesn't support creating entry files yet",
|
||||
text: "esbuild-svelte doesn't support creating entry files yet",
|
||||
},
|
||||
],
|
||||
}
|
||||
@ -158,7 +157,7 @@ module.exports = (options) => {
|
||||
if (!js.map.sourcesContent) {
|
||||
try {
|
||||
js.map.sourcesContent = [
|
||||
readFileSync(filename, "utf8"),
|
||||
readFileSync(filename), // , "utf8"),
|
||||
]
|
||||
} catch (e) {}
|
||||
}
|
||||
|
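Review bot: Dropping the `"utf8"` argument on the new `readFileSync(filename)` line turns `sourcesContent[0]` into a Buffer, and if the intent is to keep the file's source out of the emitted map this does not achieve it: when the map is later serialized with `JSON.stringify` (as an inline data-URL would be), a Buffer becomes `{"type":"Buffer","data":[...]}` with every byte still present, and some map consumers may reject the non-string entry. If the contents must not ship, leave `sourcesContent` unset instead of filling it; if they may ship, restore `readFileSync(filename, "utf8")` and delete the `// , "utf8"),` remnant. The surrounding `catch (e) {}` is unchanged context but hides read failures; a one-line `// sourcesContent is optional; unreadable sources are skipped` would make that deliberate. The enclosing plugin factory starts and ends outside the hunk.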
@ -60,16 +60,17 @@ const options = {
|
||||
}
|
||||
|
||||
const bsMiddleware = []
|
||||
const { createProxyMiddleware } = require("http-proxy-middleware")
|
||||
|
||||
const apiBase = process.env.API_BASE || "https://login.wmbasic.de"
|
||||
|
||||
bsMiddleware.push(
|
||||
if (process.argv[2] == "start") {
|
||||
const { createProxyMiddleware } = require("http-proxy-middleware")
|
||||
const apiBase = process.env.API_BASE || "https://login.wmbasic.de"
|
||||
bsMiddleware.push(
|
||||
createProxyMiddleware("/api", {
|
||||
target: apiBase,
|
||||
changeOrigin: true,
|
||||
})
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
sveltePlugin: sveltePlugin,
|
||||
|
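Review bot: The new guard `if (process.argv[2] == "start") {` uses loose equality where strict is the idiom and the operand is a plain string, so write `if (process.argv[2] === "start") {`. The `createProxyMiddleware("/api", { ... })` context-string form was removed in http-proxy-middleware v3 in favour of an options object with `pathFilter`, so if that dependency is bumped this block will need `createProxyMiddleware({ pathFilter: "/api", target: apiBase, changeOrigin: true })`; the version in use is not on the page. The `module.exports` that follows the hunk continues outside it.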
@ -1,6 +1,6 @@
|
||||
import { apiBaseURL } from "./config"
|
||||
import * as sentry from "./sentry"
|
||||
import * as SSR from "../api/hooks/lib/utils.js"
|
||||
import * as SSR from "../api/hooks/lib/ssr.js"
|
||||
|
||||
// [MIT License](LICENSE.md) © [Jason Miller](https://jasonformat.com/)
|
||||
const _f = function (url, options): Promise<Response> {
|
||||
|
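Review bot: Switching the import to `../api/hooks/lib/ssr.js` is what keeps `hooks/config.js` out of the client bundle, but nothing in the commit enforces it beyond the comment inside `ssr.js`; a future `require("../config")` there would silently reintroduce the leak. Consider a CI step after `yarn build` that fails if the emitted bundle or its sourcemap references `hooks/config.js`, so the boundary is checked rather than trusted. `_f` continues outside the hunk.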