From 975c61df6db652ca6a8fcd40e8b9119eefdda9da Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Mon, 20 May 2024 12:52:18 +0200 Subject: [PATCH 01/11] fixup: desktop example iOS -> macOS --- .github/ISSUE_TEMPLATE/bug_report.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index dd84ea78..89daa669 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -24,13 +24,13 @@ A clear and concise description of what you expected to happen. If applicable, add screenshots to help explain your problem. **Desktop (please complete the following information):** - - OS: [e.g. iOS] + - OS: [e.g. macOS 12.1] - Browser [e.g. chrome, safari] - Version [e.g. 22] **Smartphone (please complete the following information):** - Device: [e.g. iPhone6] - - OS: [e.g. iOS8.1] + - OS: [e.g. iOS 8.1] - Browser [e.g. stock browser, safari] - Version [e.g. 22] From ad80017846de33844ecb70d32b1b2c31fa6ffbbe Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Thu, 23 May 2024 09:45:37 +0200 Subject: [PATCH 02/11] Dockerfile: remove unused parts We expose ports another way --- Dockerfile | 4 ---- 1 file changed, 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index ea500cd2..ca427af2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -37,10 +37,6 @@ RUN apk add --no-cache \ # Use iptables-legacy RUN update-alternatives --install /sbin/iptables iptables /sbin/iptables-legacy 10 --slave /sbin/iptables-restore iptables-restore /sbin/iptables-legacy-restore --slave /sbin/iptables-save iptables-save /sbin/iptables-legacy-save -# Expose Ports (If needed on buildtime) -#EXPOSE 51820/udp -#EXPOSE 51821/tcp - # Set Environment ENV DEBUG=Server,WireGuard From 678cf5bffb44826dd0611610429308f666b10d63 Mon Sep 17 00:00:00 2001 
From: NPM Update Bot Date: Thu, 23 May 2024 07:46:21 +0000 Subject: [PATCH 03/11] npm: package updates --- src/package-lock.json | 43 ++++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/src/package-lock.json b/src/package-lock.json index 801696a2..7b118132 100644 --- a/src/package-lock.json +++ b/src/package-lock.json @@ -938,12 +938,12 @@ } }, "node_modules/braces": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", - "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", "dev": true, "dependencies": { - "fill-range": "^7.0.1" + "fill-range": "^7.1.1" }, "engines": { "node": ">=8" @@ -2083,9 +2083,9 @@ } }, "node_modules/fill-range": { - "version": "7.0.1", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", - "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", "dev": true, "dependencies": { "to-regex-range": "^5.0.1" @@ -2509,6 +2509,7 @@ "version": "1.0.6", "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", + "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.", "dev": true, "peer": true, "dependencies": { 
@@ -2821,9 +2822,9 @@ "dev": true }, "node_modules/jackspeak": { - "version": "2.3.6", - "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-2.3.6.tgz", - "integrity": "sha512-N3yCS/NegsOBokc8GAdM8UcmfsKiSS8cipheD/nivzr700H+nsMOxJjQnvwOcRYVuFkdH0wGUvW2WbXGmrZGbQ==", + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.1.2.tgz", + "integrity": "sha512-kWmLKn2tRtfYMF/BakihVVRzBKOxz4gJMiL2Rj91WnAB5TPZumSH99R/Yf1qE1u4uRimvCSJfm6hnxohXeEXjQ==", "dev": true, "dependencies": { "@isaacs/cliui": "^8.0.2" @@ -2984,12 +2985,12 @@ } }, "node_modules/micromatch": { - "version": "4.0.5", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz", - "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==", + "version": "4.0.7", + "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.7.tgz", + "integrity": "sha512-LPP/3KorzCwBxfeUuZmaR6bG2kdeHSbe0P2tY3FLRU4vYrjYz5hI4QZwV0njUx3jeuKe67YukQ1LSPZBKDqO/Q==", "dev": true, "dependencies": { - "braces": "^3.0.2", + "braces": "^3.0.3", "picomatch": "^2.3.1" }, "engines": { @@ -3599,9 +3600,9 @@ } }, "node_modules/postcss-selector-parser": { - "version": "6.0.16", - "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.16.tgz", - "integrity": "sha512-A0RVJrX+IUkVZbW3ClroRWurercFhieevHB38sr2+l9eUClMqome3LmEmnhlNy+5Mr2EYN6B2Kaw9wYdd+VHiw==", + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.1.0.tgz", + "integrity": "sha512-UMz42UD0UY0EApS0ZL9o1XnLhSTtvvvLe5Dc2H2O56fvRZi+KulDyf5ctDhhtYJBGKStV2FL1fy6253cmLgqVQ==", "dev": true, "dependencies": { "cssesc": "^3.0.0", 
@@ -4223,13 +4224,13 @@ } }, "node_modules/sucrase/node_modules/glob": { - "version": "10.3.15", - "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.15.tgz", - "integrity": "sha512-0c6RlJt1TICLyvJYIApxb8GsXoai0KUP7AxKKAtsYXdgJR1mGEUa7DgwShbdk1nly0PYoZj01xd4hzbq3fsjpw==", + "version": "10.3.16", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.16.tgz", + "integrity": "sha512-JDKXl1DiuuHJ6fVS2FXjownaavciiHNUU4mOvV/B793RLh05vZL1rcPnCSaOgv1hDT6RDlY7AB7ZUvFYAtPgAw==", "dev": true, "dependencies": { "foreground-child": "^3.1.0", - "jackspeak": "^2.3.6", + "jackspeak": "^3.1.2", "minimatch": "^9.0.1", "minipass": "^7.0.4", "path-scurry": "^1.11.0" From 4cd5d5459ae90bf0e9ba49b32ac5de61a4c1266d Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Sat, 18 May 2024 16:24:27 +0200 Subject: [PATCH 04/11] Documentation: docker image versions --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 9795a464..0458edc9 100644 --- a/README.md +++ b/README.md 
@@ -30,6 +30,17 @@ You have found the easiest way to install & manage WireGuard on any Linux host! * A host with a kernel that supports WireGuard (all modern kernels). * A host with Docker installed. +## Versions + +We provide more then 1 docker image to get, this will help you decide which one is best for you. + +| tag | Branch | Example | Description | +| - | - | - | - | +| `latest` | production | `ghcr.io/wg-easy/wg-easy:latest` or `ghcr.io/wg-easy/wg-easy` | stable as possbile get bug fixes quickly when needed, deployed against `production`. | +| `13` | production | `ghcr.io/wg-easy/wg-easy:13` | same as latest, stick to a version tag. | +| `nightly` | master | `ghcr.io/wg-easy/wg-easy:nightly` | mostly unstable gets frequent package and code updates, deployed against `master`. | +| `development` | pull requests | `ghcr.io/wg-easy/wg-easy:development` | used for development, testing code from PRs before landing into `master`. | + ## Installation ### 1. Install Docker From 8249b92a348b9e7fa5a934f2571600ae6a43209e Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Fri, 24 May 2024 21:32:17 +0200 Subject: [PATCH 05/11] fixup: add UI_CHART_TYPE docs --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 0458edc9..1b770920 100644 --- a/README.md +++ b/README.md 
@@ -117,6 +117,7 @@ These options can be configured by setting environment variables using `-e KEY=" | `WG_POST_DOWN` | `...` | `iptables ...` | See [config.js](https://github.com/wg-easy/wg-easy/blob/master/src/config.js#L28) for the default value. | | `LANG` | `en` | `de` | Web UI language (Supports: en, ua, ru, tr, no, pl, fr, de, ca, es, ko, vi, nl, is, pt, chs, cht, it, th, hi). | | `UI_TRAFFIC_STATS` | `false` | `true` | Enable detailed RX / TX client stats in Web UI | +| `UI_CHART_TYPE` | `0` | `1` | UI_CHART_TYPE=0 # Charts disabled, UI_CHART_TYPE=1 # Line chart, UI_CHART_TYPE=2 # Area chart, UI_CHART_TYPE=3 # Bar chart | > If you change `WG_PORT`, make sure to also change the exposed port. From 93d9f0b6fe5c6b54e122e91b82c24912e968927e Mon Sep 17 00:00:00 2001 From: NPM Update Bot Date: Fri, 24 May 2024 19:35:49 +0000 Subject: [PATCH 06/11] npm: package updates --- src/package-lock.json | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/package-lock.json b/src/package-lock.json index 7b118132..aa14185a 100644 --- a/src/package-lock.json +++ b/src/package-lock.json @@ -48,9 +48,9 @@ } }, "node_modules/@babel/helper-validator-identifier": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.24.5.tgz", - "integrity": "sha512-3q93SSKX2TWCG30M2G2kwaKeTYgEUp5Snjuj8qm729SObL6nbtUldAi37qbxkD5gg3xnBio+f9nqpSepGZMvxA==", + "version": "7.24.6", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.24.6.tgz", + "integrity": "sha512-4yA7s865JHaqUdRbnaxarZREuPTHrjpDT+pXoAZ1yhyo6uFnIEpS8VMu16siFOHDpZNKYv5BObhsB//ycbICyw==", "dev": true, "peer": true, "engines": { 
@@ -58,13 +58,13 @@ } }, "node_modules/@babel/highlight": { - "version": "7.24.5", - "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.24.5.tgz", - "integrity": "sha512-8lLmua6AVh/8SLJRRVD6V8p73Hir9w5mJrhE+IPpILG31KKlI9iz5zmBYKcWPS59qSfgP9RaSBQSHHE81WKuEw==", + "version": "7.24.6", + "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.24.6.tgz", + "integrity": "sha512-2YnuOp4HAk2BsBrJJvYCbItHx0zWscI1C3zgWkz+wDyD9I7GIVrfnLyrR4Y1VR+7p+chAEcrgRQYZAGIKMV7vQ==", "dev": true, "peer": true, "dependencies": { - "@babel/helper-validator-identifier": "^7.24.5", + "@babel/helper-validator-identifier": "^7.24.6", "chalk": "^2.4.2", "js-tokens": "^4.0.0", "picocolors": "^1.0.0" @@ -3030,9 +3030,9 @@ } }, "node_modules/minipass": { - "version": "7.1.1", - "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.1.tgz", - "integrity": "sha512-UZ7eQ+h8ywIRAW1hIEl2AqdwzJucU/Kp59+8kkZeSvafXhZjul247BvIJjEVFVeON6d7lM46XX1HXCduKAS8VA==", + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", + "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", "dev": true, "engines": { "node": ">=16 || 14 >=14.17" 
@@ -4224,16 +4224,16 @@ } }, "node_modules/sucrase/node_modules/glob": { - "version": "10.3.16", - "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.16.tgz", - "integrity": "sha512-JDKXl1DiuuHJ6fVS2FXjownaavciiHNUU4mOvV/B793RLh05vZL1rcPnCSaOgv1hDT6RDlY7AB7ZUvFYAtPgAw==", + "version": "10.4.1", + "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.1.tgz", + "integrity": "sha512-2jelhlq3E4ho74ZyVLN03oKdAZVUa6UDZzFLVH1H7dnoax+y9qyaq8zBkfDIggjniU19z0wU18y16jMB2eyVIw==", "dev": true, "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", - "minimatch": "^9.0.1", - "minipass": "^7.0.4", - "path-scurry": "^1.11.0" + "minimatch": "^9.0.4", + "minipass": "^7.1.2", + "path-scurry": "^1.11.1" }, "bin": { "glob": "dist/esm/bin.mjs" From 4bfef3c0c0dba7cde0612f5c1eca0055c5213bdb Mon Sep 17 00:00:00 2001 From: NPM Update Bot Date: Mon, 27 May 2024 00:03:06 +0000 Subject: [PATCH 07/11] npm: package updates --- src/package-lock.json | 16 +++++++++------- src/package.json | 2 +- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/src/package-lock.json b/src/package-lock.json index aa14185a..6db68a78 100644 --- a/src/package-lock.json +++ b/src/package-lock.json @@ -18,7 +18,7 @@ }, "devDependencies": { "eslint-config-athom": "^3.1.3", - "nodemon": "^3.1.0", + "nodemon": "^3.1.1", "tailwindcss": "^3.4.3" }, "engines": { @@ -2265,6 +2265,7 @@ "version": "7.2.3", "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "deprecated": "Glob versions prior to v9 are no longer supported", "dev": true, "peer": true, "dependencies": { 
@@ -3084,9 +3085,9 @@ "integrity": "sha512-IhOigYzAKHd244OC0JIMIUrjzctirCmPkaIfhDeGcEETWof5zKYUW7e7MYvChGWh/4CJeXEgsRyGzuF334rOOQ==" }, "node_modules/nodemon": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.0.tgz", - "integrity": "sha512-xqlktYlDMCepBJd43ZQhjWwMw2obW/JRvkrLxq5RCNcuDDX1DbcPT+qT1IlIIdf+DhnWs90JpTMe+Y5KxOchvA==", + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.1.tgz", + "integrity": "sha512-k43xGaDtaDIcufn0Fc6fTtsdKSkV/hQzoQFigNH//GaKta28yoKVYXCnV+KXRqfT/YzsFaQU9VdeEG+HEyxr6A==", "dev": true, "dependencies": { "chokidar": "^3.5.2", @@ -3825,6 +3826,7 @@ "version": "3.0.2", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz", "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==", + "deprecated": "Rimraf versions prior to v4 are no longer supported", "dev": true, "peer": true, "dependencies": { @@ -4303,9 +4305,9 @@ } }, "node_modules/table/node_modules/ajv": { - "version": "8.13.0", - "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.13.0.tgz", - "integrity": "sha512-PRA911Blj99jR5RMeTunVbNXMF6Lp4vZXnk5GQjcnUWUTsrXtekg/pnmFFI2u/I36Y/2bITGS30GZCXei6uNkA==", + "version": "8.14.0", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.14.0.tgz", + "integrity": "sha512-oYs1UUtO97ZO2lJ4bwnWeQW8/zvOIQLGKcvPTsWmvc2SYgBb+upuNS5NxoLaMU4h8Ju3Nbj6Cq8mD2LQoqVKFA==", "dev": true, "peer": true, "dependencies": { diff --git a/src/package.json b/src/package.json index 339ac112..f63277e0 100644 --- a/src/package.json +++ b/src/package.json @@ -22,7 +22,7 @@ }, "devDependencies": { "eslint-config-athom": "^3.1.3", - "nodemon": "^3.1.0", + "nodemon": "^3.1.1", "tailwindcss": "^3.4.3" }, "nodemonConfig": { From e80ff54ebc3a23f96a7df104ba45bfc05e43d712 Mon Sep 17 00:00:00 2001 
From: davide-acanfora Date: Mon, 27 May 2024 19:18:02 +0200 Subject: [PATCH 08/11] Don't print release number to anyone who visits the service --- src/www/js/app.js | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/www/js/app.js b/src/www/js/app.js index 6b13a3bf..6745f698 100644 --- a/src/www/js/app.js +++ b/src/www/js/app.js @@ -390,9 +390,6 @@ new Vue({ return releasesArray[0]; }); - console.log(`Current Release: ${currentRelease}`); - console.log(`Latest Release: ${latestRelease.version}`); - if (currentRelease >= latestRelease.version) return; this.currentRelease = currentRelease; From 859dd2f25b5b6f2cf737f54f41a8728ae607b110 Mon Sep 17 00:00:00 2001 From: davide-acanfora Date: Mon, 27 May 2024 19:22:09 +0200 Subject: [PATCH 09/11] Replace uuid module with built in crypto for UUIDv4 generation --- src/lib/WireGuard.js | 7 +++---- src/package-lock.json | 15 +-------------- src/package.json | 3 +-- 3 files changed, 5 insertions(+), 20 deletions(-) diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js index aa5d42a2..8cdec7cf 100644 --- a/src/lib/WireGuard.js +++ b/src/lib/WireGuard.js @@ -1,10 +1,9 @@ 'use strict'; -const fs = require('fs').promises; +const fs = require('node:fs/promises'); const path = require('path'); - const debug = require('debug')('WireGuard'); -const uuid = require('uuid'); +const crypto = require('node:crypto'); const QRCode = require('qrcode'); const Util = require('./Util'); @@ -248,7 +247,7 @@ Endpoint = ${WG_HOST}:${WG_PORT}`; } // Create Client - const id = uuid.v4(); + const id = crypto.randomUUID(); const client = { id, name, diff --git a/src/package-lock.json b/src/package-lock.json index 6db68a78..32fecae8 100644 --- a/src/package-lock.json +++ b/src/package-lock.json @@ -13,8 +13,7 @@ "debug": "^4.3.4", "express-session": "^1.18.0", "h3": "^1.11.1", - "qrcode": "^1.5.3", - "uuid": "^9.0.1" + "qrcode": "^1.5.3" }, "devDependencies": { "eslint-config-athom": "^3.1.3", 
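Review bot: `crypto.randomUUID()` in the client-creation hunk of `src/lib/WireGuard.js` (PATCH 09) only exists from Node 14.17 / 15.6 onward, and the `engines` range in `src/package.json` is not shown in this patch, so confirm that the declared minimum covers it. The new call still draws client ids from a cryptographically secure generator, so dropping `uuid` should not make them more predictable. In the import hunk of the same file the built-ins are now written inconsistently: `require('path')` stays unprefixed while `fs` and `crypto` use `node:`, and `crypto` sits between the third-party requires. Writing `const path = require('node:path');` and grouping it with the other built-ins would match `src/lib/Server.js`.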
@@ -4626,18 +4625,6 @@ "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==", "dev": true }, - "node_modules/uuid": { - "version": "9.0.1", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz", - "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==", - "funding": [ - "https://github.com/sponsors/broofa", - "https://github.com/sponsors/ctavan" - ], - "bin": { - "uuid": "dist/bin/uuid" - } - }, "node_modules/v8-compile-cache": { "version": "2.4.0", "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.4.0.tgz", diff --git a/src/package.json b/src/package.json index f63277e0..ac533918 100644 --- a/src/package.json +++ b/src/package.json @@ -17,8 +17,7 @@ "debug": "^4.3.4", "express-session": "^1.18.0", "h3": "^1.11.1", - "qrcode": "^1.5.3", - "uuid": "^9.0.1" + "qrcode": "^1.5.3" }, "devDependencies": { "eslint-config-athom": "^3.1.3", From c26b536b65401e36bcd56b5526b78ece77fe2909 Mon Sep 17 00:00:00 2001 From: davide-acanfora Date: Mon, 27 May 2024 19:24:11 +0200 Subject: [PATCH 10/11] Remove unnecessary bcryptjs module usage --- src/lib/Server.js | 10 ---------- src/package-lock.json | 6 ------ src/package.json | 1 - 3 files changed, 17 deletions(-) diff --git a/src/lib/Server.js b/src/lib/Server.js index 529447d7..69c603f4 100644 --- a/src/lib/Server.js +++ b/src/lib/Server.js @@ -1,6 +1,5 @@ 'use strict'; -const bcrypt = require('bcryptjs'); const crypto = require('node:crypto'); const { createServer } = require('node:http'); const { stat, readFile } = require('node:fs/promises'); 
@@ -118,15 +117,6 @@ module.exports = class Server { return next(); } - if (req.url.startsWith('/api/') && req.headers['authorization']) { - if (bcrypt.compareSync(req.headers['authorization'], bcrypt.hashSync(PASSWORD, 10))) { - return next(); - } - return res.status(401).json({ - error: 'Incorrect Password', - }); - } - return res.status(401).json({ error: 'Not Logged In', }); diff --git a/src/package-lock.json b/src/package-lock.json index 32fecae8..bdf0cd65 100644 --- a/src/package-lock.json +++ b/src/package-lock.json @@ -9,7 +9,6 @@ "version": "1.0.1", "license": "GPL", "dependencies": { - "bcryptjs": "^2.4.3", "debug": "^4.3.4", "express-session": "^1.18.0", "h3": "^1.11.1", @@ -909,11 +908,6 @@ "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", "dev": true }, - "node_modules/bcryptjs": { - "version": "2.4.3", - "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz", - "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ==" - }, "node_modules/binary-extensions": { "version": "2.3.0", "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz", diff --git a/src/package.json b/src/package.json index ac533918..5183190a 100644 --- a/src/package.json +++ b/src/package.json @@ -13,7 +13,6 @@ "author": "Emile Nijssen", "license": "GPL", "dependencies": { - "bcryptjs": "^2.4.3", "debug": "^4.3.4", "express-session": "^1.18.0", "h3": "^1.11.1", From d2d15fca2ad8bf2fa3009384bfeff6ca1a14f01c Mon Sep 17 00:00:00 2001 From: davide-acanfora Date: Mon, 27 May 2024 19:25:38 +0200 Subject: [PATCH 11/11] Path traversal vulnerability resolved --- src/lib/Server.js | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/src/lib/Server.js b/src/lib/Server.js index 69c603f4..cd1f6d1a 100644 --- a/src/lib/Server.js +++ b/src/lib/Server.js 
@@ -3,7 +3,7 @@ const crypto = require('node:crypto'); const { createServer } = require('node:http'); const { stat, readFile } = require('node:fs/promises'); -const { join } = require('node:path'); +const { resolve, sep } = require('node:path'); const expressSession = require('express-session'); const debug = require('debug')('Server'); @@ -202,15 +202,41 @@ module.exports = class Server { return { success: true }; })); + const safePathJoin = (base, target) => { + // Manage web root (edge case) + if (target === '/') { + return `${base}${sep}`; + } + + // Prepend './' to prevent absolute paths + const targetPath = `.${sep}${target}`; + + // Resolve the absolute path + const resolvedPath = resolve(base, targetPath); + + // Check if resolvedPath is a subpath of base + if (resolvedPath.startsWith(`${base}${sep}`)) { + return resolvedPath; + } + + throw createError({ + status: 400, + message: 'Bad Request', + }); + }; + // Static assets const publicDir = '/app/www'; app.use( defineEventHandler((event) => { return serveStatic(event, { - getContents: (id) => readFile(join(publicDir, id)), + getContents: (id) => { + return readFile(safePathJoin(publicDir, id)); + }, getMeta: async (id) => { - const stats = await stat(join(publicDir, id)).catch(() => {}); + const filePath = safePathJoin(publicDir, id); + const stats = await stat(filePath).catch(() => {}); if (!stats || !stats.isFile()) { return; }
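Review bot: The containment check in `safePathJoin` is purely lexical, because `resolve()` collapses `..` segments but does not follow symlinks, so a link under `/app/www` that points elsewhere would still pass the `startsWith` test. If the web root can ever contain links (bind mounts, build artefacts), compare the output of `fs.realpath` instead, or add a comment above the helper stating that `publicDir` must be link-free. The check also depends on `base` already being absolute and normalised with no trailing separator; `const root = resolve(base);` followed by `resolvedPath.startsWith(root + sep)` would remove that dependence on the caller. The helper throws through `createError`, whose import is not visible in this hunk, and it presumably receives `id` already percent-decoded from `serveStatic`; both are worth confirming, together with a regression test covering `..` and encoded-dot request paths. The `getMeta` callback continues past the end of the hunk.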