fixes: security stuff (#47)
Insecure randomness (high)
gravatar: md5 insecure hash algorithm (high)
Clear text transmission of sensitive cookie (medium)
pull/686/head
Philip H
1 year ago
committed by
GitHub
2 changed files with
4 additions and
2 deletions
src/lib/Server.js
src/www/js/app.js
|
|
@ -2,6 +2,7 @@ |
|
|
|
|
|
|
|
const path = require('path'); |
|
|
|
const bcrypt = require('bcryptjs'); |
|
|
|
const crypto = require('node:crypto'); |
|
|
|
|
|
|
|
const express = require('express'); |
|
|
|
const expressSession = require('express-session'); |
|
|
@ -27,9 +28,10 @@ module.exports = class Server { |
|
|
|
.use('/', express.static(path.join(__dirname, '..', 'www'))) |
|
|
|
.use(express.json()) |
|
|
|
.use(expressSession({ |
|
|
|
secret: String(Math.random()), |
|
|
|
secret: crypto.randomBytes(256).toString('hex'), |
|
|
|
resave: true, |
|
|
|
saveUninitialized: true, |
|
|
|
secure: true, |
|
|
|
})) |
|
|
|
|
|
|
|
.get('/api/release', (Util.promisify(async () => { |
|
|
|
|
|
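Review bot: `secure: true,` is not a top-level express-session option; the cookie flag lives under `cookie`, so the line should read `cookie: { secure: true },` — as written it is ignored and the session cookie is still issued without the Secure attribute, leaving the cleartext-transmission finding unfixed. With `cookie.secure` set, express-session also needs `proxy: true` (or `app.set('trust proxy', 1)`) when the server runs behind a TLS-terminating reverse proxy, otherwise it refuses to set the cookie at all. Separately, `secret: crypto.randomBytes(256).toString('hex'),` is regenerated on every process start, so a restart (and each worker in a multi-process deployment) invalidates every existing session; reading the secret from configuration and falling back to the random value only when none is provided would keep the fix while avoiding that. The `.use(expressSession({ … }))` chain belongs to a Server method that begins outside the hunk.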
@ -131,7 +131,7 @@ new Vue({ |
|
|
|
const clients = await this.api.getClients(); |
|
|
|
this.clients = clients.map((client) => { |
|
|
|
if (client.name.includes('@') && client.name.includes('.')) { |
|
|
|
client.avatar = `https://www.gravatar.com/avatar/${md5(client.name)}?d=blank`; |
|
|
|
client.avatar = `https://www.gravatar.com/avatar/${sha512(client.name)}?d=blank`; |
|
|
|
} |
|
|
|
|
|
|
|
if (!this.clientsPersist[client.id]) { |
|
|
|
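Review bot: `client.avatar = \`https://www.gravatar.com/avatar/${sha512(client.name)}?d=blank\`;` will most likely stop resolving any avatar: Gravatar looks accounts up by the MD5 (or, more recently, SHA-256) digest of the trimmed, lowercased address, and a SHA-512 digest is not a key it recognises, so with `d=blank` every client renders a blank image. The MD5 here was a lookup key mandated by a third-party API rather than a protection for a secret, so the scanner finding is a false positive for this line; if the goal is to move off MD5, the Gravatar-supported option is `sha256(client.name.trim().toLowerCase())`. Also, the diffstat shows no import change in app.js, so unless `sha512` is already defined there this line throws a ReferenceError at runtime — worth confirming. The enclosing `new Vue({ … })` callback starts and ends outside the hunk.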