Security vulnerability patched and minor improvements (#1071)

Thank you so much @davide-acanfora!
10 months ago · 5e015bfdb5
5 changed files with 34 additions and 43 deletions
--- a/src/lib/Server.js
+++ b/src/lib/Server.js
@ -1,10 +1,9 @@
 'use strict';

-const bcrypt = require('bcryptjs');
 const crypto = require('node:crypto');
 const { createServer } = require('node:http');
 const { stat, readFile } = require('node:fs/promises');
-const { join } = require('node:path');
+const { resolve, sep } = require('node:path');

 const expressSession = require('express-session');
 const debug = require('debug')('Server');
@ -118,15 +117,6 @@ module.exports = class Server {
          return next();
        }

-        if (req.url.startsWith('/api/') && req.headers['authorization']) {
-          if (bcrypt.compareSync(req.headers['authorization'], bcrypt.hashSync(PASSWORD, 10))) {
-            return next();
-          }
-          return res.status(401).json({
-            error: 'Incorrect Password',
-          });
-        }
-
        return res.status(401).json({
          error: 'Not Logged In',
        });
@ -212,15 +202,41 @@ module.exports = class Server {
        return { success: true };
      }));

+    const safePathJoin = (base, target) => {
+      // Manage web root (edge case)
+      if (target === '/') {
+        return `${base}${sep}`;
+      }
+
+      // Prepend './' to prevent absolute paths
+      const targetPath = `.${sep}${target}`;
+
+      // Resolve the absolute path
+      const resolvedPath = resolve(base, targetPath);
+
+      // Check if resolvedPath is a subpath of base
+      if (resolvedPath.startsWith(`${base}${sep}`)) {
+        return resolvedPath;
+      }
+
+      throw createError({
+        status: 400,
+        message: 'Bad Request',
+      });
+    };
+
    // Static assets
    const publicDir = '/app/www';
    app.use(
      defineEventHandler((event) => {
        return serveStatic(event, {
-          getContents: (id) => readFile(join(publicDir, id)),
+          getContents: (id) => {
+            return readFile(safePathJoin(publicDir, id));
+          },
          getMeta: async (id) => {
-            const stats = await stat(join(publicDir, id)).catch(() => {});
+            const filePath = safePathJoin(publicDir, id);

+            const stats = await stat(filePath).catch(() => {});
            if (!stats || !stats.isFile()) {
              return;
            }
--- a/src/lib/WireGuard.js
+++ b/src/lib/WireGuard.js
@ -1,10 +1,9 @@
 'use strict';

-const fs = require('fs').promises;
+const fs = require('node:fs/promises');
 const path = require('path');
-
 const debug = require('debug')('WireGuard');
-const uuid = require('uuid');
+const crypto = require('node:crypto');
 const QRCode = require('qrcode');

 const Util = require('./Util');
@ -248,7 +247,7 @@ Endpoint = ${WG_HOST}:${WG_PORT}`;
    }

    // Create Client
-    const id = uuid.v4();
+    const id = crypto.randomUUID();
    const client = {
      id,
      name,
--- a/src/package-lock.json
+++ b/src/package-lock.json
@ -9,12 +9,10 @@
      "version": "1.0.1",
      "license": "GPL",
      "dependencies": {
-        "bcryptjs": "^2.4.3",
        "debug": "^4.3.4",
        "express-session": "^1.18.0",
        "h3": "^1.11.1",
-        "qrcode": "^1.5.3",
-        "uuid": "^9.0.1"
+        "qrcode": "^1.5.3"
      },
      "devDependencies": {
        "eslint-config-athom": "^3.1.3",
@ -910,11 +908,6 @@
      "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
      "dev": true
    },
-    "node_modules/bcryptjs": {
-      "version": "2.4.3",
-      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz",
-      "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ=="
-    },
    "node_modules/binary-extensions": {
      "version": "2.3.0",
      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
@ -4626,18 +4619,6 @@
      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
      "dev": true
    },
-    "node_modules/uuid": {
-      "version": "9.0.1",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
-      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
-      "funding": [
-        "https://github.com/sponsors/broofa",
-        "https://github.com/sponsors/ctavan"
-      ],
-      "bin": {
-        "uuid": "dist/bin/uuid"
-      }
-    },
    "node_modules/v8-compile-cache": {
      "version": "2.4.0",
      "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.4.0.tgz",
--- a/src/package.json
+++ b/src/package.json
@ -13,12 +13,10 @@
  "author": "Emile Nijssen",
  "license": "GPL",
  "dependencies": {
-    "bcryptjs": "^2.4.3",
    "debug": "^4.3.4",
    "express-session": "^1.18.0",
    "h3": "^1.11.1",
-    "qrcode": "^1.5.3",
-    "uuid": "^9.0.1"
+    "qrcode": "^1.5.3"
  },
  "devDependencies": {
    "eslint-config-athom": "^3.1.3",
--- a/src/www/js/app.js
+++ b/src/www/js/app.js
@ -390,9 +390,6 @@ new Vue({
          return releasesArray[0];
        });

-      console.log(`Current Release: ${currentRelease}`);
-      console.log(`Latest Release: ${latestRelease.version}`);
-
      if (currentRelease >= latestRelease.version) return;

      this.currentRelease = currentRelease;