add some XSS / path traversal validation
This commit is contained in:
@@ -9,6 +9,7 @@ const pkg = require('../../../package.json')
|
|||||||
const generateKeyPair = promisify(crypto.generateKeyPair)
|
const generateKeyPair = promisify(crypto.generateKeyPair)
|
||||||
const log = require('../../log')
|
const log = require('../../log')
|
||||||
const locales = require('../../../locales/index')
|
const locales = require('../../../locales/index')
|
||||||
|
const escape = require('lodash/escape')
|
||||||
|
|
||||||
|
|
||||||
let defaultHostname
|
let defaultHostname
|
||||||
@@ -162,11 +163,12 @@ const settingsController = {
|
|||||||
await settingsController.set('smtp', smtp.smtp)
|
await settingsController.set('smtp', smtp.smtp)
|
||||||
const mail = require('../mail')
|
const mail = require('../mail')
|
||||||
try {
|
try {
|
||||||
await mail._send(settingsController.settings.admin_email, 'test', null, 'en')
|
await mail._send(settingsController.settings.admin_email, 'test')
|
||||||
|
|
||||||
return res.sendStatus(200)
|
return res.sendStatus(200)
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
console.error(e)
|
console.error(e)
|
||||||
return res.status(400).send(String(e))
|
return res.status(400).send(escape(String(e)))
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
||||||
|
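Review bot: `escape(String(e))` in the catch block's 400 response only neutralises the HTML sink; the raw exception text from the SMTP test (host names, auth failures, library messages) is still reflected to the caller. Because `res.send` with a string defaults the Content-Type to text/html, a more robust change is to stop serving error text as HTML at all, `return res.status(400).type('text/plain').send(String(e))`, or to return a fixed message and keep the detail in the log. `console.error(e)` here also differs from the `log.error(String(e))` used in the setup controller's parallel catch block; the project logger would be the consistent choice. This is presumably an admin-only endpoint, so the leak is low severity, but that is worth confirming. The enclosing handler starts outside the hunk.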
|||||||
@@ -5,6 +5,7 @@ const db = require('../models/index.js')
|
|||||||
const config = require('../../config')
|
const config = require('../../config')
|
||||||
const settingsController = require('./settings')
|
const settingsController = require('./settings')
|
||||||
const path = require('path')
|
const path = require('path')
|
||||||
|
const escape = require('lodash/escape')
|
||||||
|
|
||||||
const setupController = {
|
const setupController = {
|
||||||
|
|
||||||
@@ -88,7 +89,7 @@ const setupController = {
|
|||||||
|
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
log.error(String(e))
|
log.error(String(e))
|
||||||
return res.status(400).send(String(e))
|
return res.status(400).send(escape(String(e)))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
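Review bot: Same pattern as the settings controller: `escape(String(e))` makes the reflected error safe inside a text/html body but still returns the raw exception to the client, and the setup flow runs before an admin exists, so this endpoint is presumably reachable unauthenticated; a failure from the database or config layer this file requires (`../models/index.js`, `../../config`) could echo internal details. Prefer `return res.status(400).type('text/plain').send(String(e))`, or a generic message with the detail left in `log.error`. The catch belongs to a function whose start is outside the hunk.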
|||||||
@@ -2,7 +2,7 @@ const Event = require('../api/models/event')
|
|||||||
const Place = require('../api/models/place')
|
const Place = require('../api/models/place')
|
||||||
const APUser = require('../api/models/ap_user')
|
const APUser = require('../api/models/ap_user')
|
||||||
const Tag = require('../api/models/tag')
|
const Tag = require('../api/models/tag')
|
||||||
|
const escape = require('lodash/escape')
|
||||||
const config = require('../config')
|
const config = require('../config')
|
||||||
const log = require('../log')
|
const log = require('../log')
|
||||||
const utc = require('dayjs/plugin/utc')
|
const utc = require('dayjs/plugin/utc')
|
||||||
@@ -16,7 +16,7 @@ module.exports = {
|
|||||||
const name = req.params.name
|
const name = req.params.name
|
||||||
if (!name) { return res.status(400).send('Bad request.') }
|
if (!name) { return res.status(400).send('Bad request.') }
|
||||||
|
|
||||||
if (name !== req.settings.instance_name) { return res.status(404).send(`No record found for ${name}`) }
|
if (name !== req.settings.instance_name) { return res.status(404).send(`No record found for ${escape(name)}`) }
|
||||||
const ret = {
|
const ret = {
|
||||||
'@context': [
|
'@context': [
|
||||||
'https://www.w3.org/ns/activitystreams',
|
'https://www.w3.org/ns/activitystreams',
|
||||||
@@ -64,7 +64,7 @@ module.exports = {
|
|||||||
if (!name) { return res.status(400).send('Bad request.') }
|
if (!name) { return res.status(400).send('Bad request.') }
|
||||||
if (name !== req.settings.instance_name) {
|
if (name !== req.settings.instance_name) {
|
||||||
log.warn('No record found')
|
log.warn('No record found')
|
||||||
return res.status(404).send(`No record found for ${name}`)
|
return res.status(404).send(`No record found for ${escape(name)}`)
|
||||||
}
|
}
|
||||||
const followers = await APUser.findAll({ where: { follower: true } })
|
const followers = await APUser.findAll({ where: { follower: true } })
|
||||||
|
|
||||||
@@ -102,7 +102,7 @@ module.exports = {
|
|||||||
}
|
}
|
||||||
if (name !== req.settings.instance_name) {
|
if (name !== req.settings.instance_name) {
|
||||||
log.info(`No record found for ${name}`)
|
log.info(`No record found for ${name}`)
|
||||||
return res.status(404).send(`No record found for ${name}`)
|
return res.status(404).send(`No record found for ${escape(name)}`)
|
||||||
}
|
}
|
||||||
|
|
||||||
const events = await Event.findAll({ include: [{ model: Tag, required: false }, Place], limit: 10 })
|
const events = await Event.findAll({ include: [{ model: Tag, required: false }, Place], limit: 10 })
|
||||||
|
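Review bot: In the third hunk the 404 body is now escaped, but the line just above it, `log.info(\`No record found for ${name}\`)`, still interpolates the raw `req.params.name`, so a value containing newlines or control sequences lands in the log verbatim (log injection) and the input remains reflected unsanitised in one sink. The simplest fix removes the reflection entirely, `return res.status(404).send('No record found')` in all three branches, matching the `log.warn('No record found')` already used in the second hunk. If echoing the name is wanted, `res.type('text/plain')` is safer than relying on escaping inside an HTML-typed response. The three `name !== req.settings.instance_name` guards are identical; a small shared helper would keep future fixes from having to land three times.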
|||||||
@@ -112,6 +112,9 @@ module.exports = {
|
|||||||
|
|
||||||
async getImageFromURL (url) {
|
async getImageFromURL (url) {
|
||||||
log.debug(`getImageFromURL ${url}`)
|
log.debug(`getImageFromURL ${url}`)
|
||||||
|
if(!/^https?:\/\//.test(url)) {
|
||||||
|
throw Error('Hacking attempt?')
|
||||||
|
}
|
||||||
const filename = crypto.randomBytes(16).toString('hex') + '.jpg'
|
const filename = crypto.randomBytes(16).toString('hex') + '.jpg'
|
||||||
const finalPath = path.resolve(config.upload_path, filename)
|
const finalPath = path.resolve(config.upload_path, filename)
|
||||||
const thumbPath = path.resolve(config.upload_path, 'thumb', filename)
|
const thumbPath = path.resolve(config.upload_path, 'thumb', filename)
|
||||||
|
|||||||
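Review bot: The new `^https?:\/\/` regex blocks `file:` URLs and bare paths, but anything fetched afterwards (the download happens past the end of the hunk) can still target internal addresses: `http://127.0.0.1/`, `http://169.254.169.254/` and `http://[::1]/` all pass, so if `url` originates from remote ActivityPub actors this stays an SSRF vector; at minimum reject loopback, link-local and private ranges, or document that the check only addresses local-file reads. Parsing with the URL API is also stricter than a prefix regex: `const { protocol } = new URL(url)` (throws on malformed input) followed by `if (!['http:', 'https:'].includes(protocol)) throw new Error('invalid image URL')`. Two smaller points: `throw Error(...)` should be `throw new Error(...)`, and the `log.debug` line before the check logs the unvalidated value. getImageFromURL continues beyond the hunk.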