fixed secret exploit via ssr code sourcemap

2021-09-14 15:51:05 +02:00
parent 73bfe07b11
commit 45c628fef8
6 changed files with 58 additions and 54 deletions
--- a/api/hooks/lib/ssr.js
+++ b/api/hooks/lib/ssr.js
@@ -0,0 +1,37 @@
+/**
+ * convert object to string
+ * @param {any} obj object
+ */
+function obj2str(obj) {
+    if (Array.isArray(obj)) {
+        return JSON.stringify(
+            obj.map(function (idx) {
+                return obj2str(idx)
+            })
+        )
+    } else if (typeof obj === "object" && obj !== null) {
+        var elements = Object.keys(obj)
+            .sort()
+            .map(function (key) {
+                var val = obj2str(obj[key])
+                if (val) {
+                    return key + ":" + val
+                }
+            })
+
+        var elementsCleaned = []
+        for (var i = 0; i < elements.length; i++) {
+            if (elements[i]) elementsCleaned.push(elements[i])
+        }
+
+        return "{" + elementsCleaned.join("|") + "}"
+    }
+
+    if (obj) return obj
+}
+
+// can be used by client code, so DONT INCLUDE hooks/config.js (SECRETS INSIDE)
+
+module.exports = {
+    obj2str,
+}
--- a/api/hooks/lib/utils.js
+++ b/api/hooks/lib/utils.js
@@ -203,48 +203,14 @@ function clearSSRCache() {
    var info = context.db.deleteMany("ssr", {})
    context.response.header("X-SSR-Cleared", info.removed)
 }
-
-/**
- * convert object to string
- * @param {any} obj object
- */
-function obj2str(obj) {
-    if (Array.isArray(obj)) {
-        return JSON.stringify(
-            obj.map(function (idx) {
-                return obj2str(idx)
-            })
-        )
-    } else if (typeof obj === "object" && obj !== null) {
-        var elements = Object.keys(obj)
-            .sort()
-            .map(function (key) {
-                var val = obj2str(obj[key])
-                if (val) {
-                    return key + ":" + val
-                }
-            })
-
-        var elementsCleaned = []
-        for (var i = 0; i < elements.length; i++) {
-            if (elements[i]) elementsCleaned.push(elements[i])
-        }
-
-        return "{" + elementsCleaned.join("|") + "}"
-    }
-
-    if (obj) return obj
-}
-
 module.exports = {
-    log: log,
-    randomToken: randomToken,
-    isPublicToken: isPublicToken,
-    isSsrToken: isSsrToken,
+    log,
+    randomToken,
+    isPublicToken,
+    isSsrToken,
    tpl: tpl,
-    Base64: Base64,
-    parseDate: parseDate,
-    clearSSRCache: clearSSRCache,
-    obj2str: obj2str,
+    Base64,
+    parseDate,
+    clearSSRCache,
    ssrValidatePath: config.ssRValidatePath,
 }