add some XSS / path traversal validation
This commit is contained in:
lesion
@@ -9,6 +9,7 @@ const pkg = require('../../../package.json')
|
||||
const generateKeyPair = promisify(crypto.generateKeyPair)
|
||||
const log = require('../../log')
|
||||
const locales = require('../../../locales/index')
|
||||
const escape = require('lodash/escape')
|
||||
|
||||
|
||||
let defaultHostname
|
||||
@@ -162,11 +163,12 @@ const settingsController = {
|
||||
await settingsController.set('smtp', smtp.smtp)
|
||||
const mail = require('../mail')
|
||||
try {
|
||||
await mail._send(settingsController.settings.admin_email, 'test', null, 'en')
|
||||
await mail._send(settingsController.settings.admin_email, 'test')
|
||||
|
||||
return res.sendStatus(200)
|
||||
} catch (e) {
|
||||
console.error(e)
|
||||
return res.status(400).send(String(e))
|
||||
return res.status(400).send(escape(String(e)))
|
||||
}
|
||||
},
|
||||
|
||||
|
||||
@@ -5,6 +5,7 @@ const db = require('../models/index.js')
|
||||
const config = require('../../config')
|
||||
const settingsController = require('./settings')
|
||||
const path = require('path')
|
||||
const escape = require('lodash/escape')
|
||||
|
||||
const setupController = {
|
||||
|
||||
@@ -88,7 +89,7 @@ const setupController = {
|
||||
|
||||
} catch (e) {
|
||||
log.error(String(e))
|
||||
return res.status(400).send(String(e))
|
||||
return res.status(400).send(escape(String(e)))
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@ const Event = require('../api/models/event')
|
||||
const Place = require('../api/models/place')
|
||||
const APUser = require('../api/models/ap_user')
|
||||
const Tag = require('../api/models/tag')
|
||||
|
||||
const escape = require('lodash/escape')
|
||||
const config = require('../config')
|
||||
const log = require('../log')
|
||||
const utc = require('dayjs/plugin/utc')
|
||||
@@ -16,7 +16,7 @@ module.exports = {
|
||||
const name = req.params.name
|
||||
if (!name) { return res.status(400).send('Bad request.') }
|
||||
|
||||
if (name !== req.settings.instance_name) { return res.status(404).send(`No record found for ${name}`) }
|
||||
if (name !== req.settings.instance_name) { return res.status(404).send(`No record found for ${escape(name)}`) }
|
||||
const ret = {
|
||||
'@context': [
|
||||
'https://www.w3.org/ns/activitystreams',
|
||||
@@ -64,7 +64,7 @@ module.exports = {
|
||||
if (!name) { return res.status(400).send('Bad request.') }
|
||||
if (name !== req.settings.instance_name) {
|
||||
log.warn('No record found')
|
||||
return res.status(404).send(`No record found for ${name}`)
|
||||
return res.status(404).send(`No record found for ${escape(name)}`)
|
||||
}
|
||||
const followers = await APUser.findAll({ where: { follower: true } })
|
||||
|
||||
@@ -102,7 +102,7 @@ module.exports = {
|
||||
}
|
||||
if (name !== req.settings.instance_name) {
|
||||
log.info(`No record found for ${name}`)
|
||||
return res.status(404).send(`No record found for ${name}`)
|
||||
return res.status(404).send(`No record found for ${escape(name)}`)
|
||||
}
|
||||
|
||||
const events = await Event.findAll({ include: [{ model: Tag, required: false }, Place], limit: 10 })
|
||||
|
||||
@@ -112,6 +112,9 @@ module.exports = {
|
||||
|
||||
async getImageFromURL (url) {
|
||||
log.debug(`getImageFromURL ${url}`)
|
||||
if(!/^https?:\/\//.test(url)) {
|
||||
throw Error('Hacking attempt?')
|
||||
}
|
||||
const filename = crypto.randomBytes(16).toString('hex') + '.jpg'
|
||||
const finalPath = path.resolve(config.upload_path, filename)
|
||||
const thumbPath = path.resolve(config.upload_path, 'thumb', filename)
|
||||
|
||||
Reference in New Issue
Block a user