From 8ab47761df1c9ca3a869303faa834f25f5e92bdd Mon Sep 17 00:00:00 2001
From: SamTv12345
Date: Tue, 20 Aug 2024 16:09:06 +0200
Subject: [PATCH] Fixed.

---
 src/node/hooks/express.ts | 3 +-
 src/node/hooks/express/errorhandling.ts | 1 +
 src/node/hooks/express/padurlsanitize.ts | 25 ++++++++++-----
 src/node/hooks/express/webaccess.ts | 39 +++++++++++-------------
 4 files changed, 37 insertions(+), 31 deletions(-)

diff --git a/src/node/hooks/express.ts b/src/node/hooks/express.ts
index 16a25dffc..ba8c02a00 100644
--- a/src/node/hooks/express.ts
+++ b/src/node/hooks/express.ts
@@ -56,8 +56,7 @@ const closeServer = async () => {
 await events.once(socketsEvents, 'updated');
 }
 await p;
- await appInstance?.shutdown()
- appInstance!.close()
+ appInstance?.close()
 clearTimeout(timeout);
 exports.server = null;
 appInstance = null
diff --git a/src/node/hooks/express/errorhandling.ts b/src/node/hooks/express/errorhandling.ts
index 1d0fc140b..40b09def0 100644
--- a/src/node/hooks/express/errorhandling.ts
+++ b/src/node/hooks/express/errorhandling.ts
@@ -15,6 +15,7 @@ exports.expressCreateServer = (hook_name:string, args: ArgsExpressType, cb:Funct
 console.error(error.stack ? error.stack : error.toString());
 //res.status(500).json({error: 'Sorry, something bad happened!'});
 stats.meter('http500').mark();
+ res.status(500).json({error: 'Sorry, something bad happened123!'});
 })


diff --git a/src/node/hooks/express/padurlsanitize.ts b/src/node/hooks/express/padurlsanitize.ts
index d4aa27c97..c5dced8a5 100644
--- a/src/node/hooks/express/padurlsanitize.ts
+++ b/src/node/hooks/express/padurlsanitize.ts
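Review bot: `appInstance?.close()` is not awaited even though closeServer is async and the line it replaces awaited the shutdown; if `close()` completes asynchronously (a callback- or promise-based server close, which the hunk does not let me confirm), `clearTimeout(timeout)`, `exports.server = null` and `appInstance = null` now run before the server has actually stopped. If it returns a promise, `await appInstance?.close()` keeps the previous ordering; if it takes a completion callback, wrap it in a promise before awaiting. closeServer's body starts outside the hunk.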
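Review bot: The response body added at the end of the errorhandling.ts hunk carries what looks like a debugging suffix, `'Sorry, something bad happened123!'`, while the commented-out line two lines above it holds the intended text; use `res.status(500).json({error: 'Sorry, something bad happened!'});` and delete the commented-out copy. Since this handler now writes a response, it should also bail out when one has already been started, e.g. `if (res.headersSent) return next(error);` before the status call — assuming the handler's signature, which is outside the hunk, exposes `next` as Express requires for a four-argument error handler. The enclosing expressCreateServer arrow starts before the hunk.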
@@ -6,27 +6,36 @@ const padManager = require('../../db/PadManager'); exports.expressCreateServer = (hookName:string, args:ArgsExpressType, cb:Function) => { // redirects browser to the pad's sanitized url if needed. otherwise, renders the html - /*args.app.param('pad', (req:any, res:any, next:Function, padId:string) => { - (async () => { + args.app.use(async (req, res, next) => { + console.log("Hier gehe ich durch") + const possiblePad = req.params.pad + + try { + if (!possiblePad) { + next() + } // ensure the padname is valid and the url doesn't end with a / - if (!padManager.isValidPadId(padId) || /\/$/.test(req.url)) { + if (!padManager.isValidPadId(possiblePad) || /\/$/.test(req.url)) { res.status(404).send('Such a padname is forbidden'); return; } - const sanitizedPadId = await padManager.sanitizePadId(padId); + const sanitizedPadId = await padManager.sanitizePadId(possiblePad); - if (sanitizedPadId === padId) { + if (sanitizedPadId === possiblePad) { // the pad id was fine, so just render it next(); } else { // the pad id was sanitized, so we redirect to the sanitized version const realURL = - encodeURIComponent(sanitizedPadId) + new URL(req.url, 'http://invalid.invalid').search; + encodeURIComponent(sanitizedPadId) + new URL(req.url, 'http://invalid.invalid').search; res.header('Location', realURL); res.status(302).send(`You should be redirected to ${realURL}`); } - })().catch((err) => next(err || new Error(err))); - });*/ + } + catch (e) { + return e + } + }) return cb(); }; diff --git a/src/node/hooks/express/webaccess.ts b/src/node/hooks/express/webaccess.ts index 27bf99890..90de79100 100644 --- a/src/node/hooks/express/webaccess.ts +++ b/src/node/hooks/express/webaccess.ts 
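Review bot: `if (!possiblePad) { next() }` does not return, so a request with no pad id calls `next()` and then continues into `padManager.isValidPadId(undefined)`, which sends a 404 on a response that downstream middleware may already be writing; make it `if (!possiblePad) return next();`. The `catch (e) { return e }` block then silently swallows any error from the sanitizer, turning the old `next(err)` path into a request that never completes — use `next(e);` there instead. Separately, the middleware is now registered with `args.app.use(...)` and no path pattern, so `req.params.pad` is unlikely to be populated the way it was under `app.param('pad', ...)`; if so, the pad-id validation (the forbidden-name check and the trailing-slash rejection) no longer runs for any request, which should be verified before merging. The leftover `console.log("Hier gehe ich durch")` debug line should be removed as well.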
@@ -18,8 +18,8 @@ const aCallFirst = (hookName: string, context:any, pred = null) => new Promise(( }); const aCallFirst0 = - // @ts-ignore - async (hookName: string, context:any, pred = null) => (await aCallFirst(hookName, context, pred))[0]; + // @ts-ignore + async (hookName: string, context:any, pred = null) => (await aCallFirst(hookName, context, pred))[0]; exports.normalizeAuthzLevel = (level: string|boolean) => { if (!level) return false; @@ -63,19 +63,17 @@ const checkAccess = async (req:any, res:any, next: Function) => { const preAuthorizeNext = (...args:any) => { skip = true; next(...args); }; try { results = await aCallFirst('preAuthorize', {req, res, next: preAuthorizeNext}, - // This predicate will cause aCallFirst to call the hook functions one at a time until one - // of them returns a non-empty list, with an exception: If the request is for an /admin - // page, truthy entries are filtered out before checking to see whether the list is empty. - // This prevents plugin authors from accidentally granting admin privileges to the general - // public. - // @ts-ignore - (r) => (skip || (r != null && r.filter((x) => (!requireAdmin || !x)).length > 0))) as boolean[]; + // This predicate will cause aCallFirst to call the hook functions one at a time until one + // of them returns a non-empty list, with an exception: If the request is for an /admin + // page, truthy entries are filtered out before checking to see whether the list is empty. + // This prevents plugin authors from accidentally granting admin privileges to the general + // public. + // @ts-ignore + (r) => (skip || (r != null && r.filter((x) => (!requireAdmin || !x)).length > 0))) as boolean[]; } catch (err:any) { httpLogger.error(`Error in preAuthorize hook: ${err.stack || err.toString()}`); - if (!skip) { - res.status(500).send('Internal Server Error'); - return; - } + if (!skip) res.status(500).send('Internal Server Error'); + return; } if (skip) return; if (requireAdmin) { 
@@ -130,8 +128,8 @@ const checkAccess = async (req:any, res:any, next: Function) => { if (await authorize()) { if(requireAdmin) { - res.status(200).send('Authorized') - return + res.status(200).send('Authorized') + return } return next(); } @@ -151,7 +149,7 @@ const checkAccess = async (req:any, res:any, next: Function) => { const httpBasicAuth = req.headers.authorization && req.headers.authorization.startsWith('Basic '); if (httpBasicAuth) { const userpass = - Buffer.from(req.headers.authorization.split(' ')[1], 'base64').toString().split(':'); + Buffer.from(req.headers.authorization.split(' ')[1], 'base64').toString().split(':'); ctx.username = userpass.shift(); // Prevent prototype pollution vulnerabilities in plugins. This also silences a prototype // pollution warning below (when setting settings.users[ctx.username]) that isn't actually a @@ -165,8 +163,8 @@ const checkAccess = async (req:any, res:any, next: Function) => { const {[ctx.username]: {password} = {}} = settings.users as SettingsUser; if (!httpBasicAuth || - !ctx.username || - password == null || password.toString() !== ctx.password) { + !ctx.username || + password == null || password.toString() !== ctx.password) { httpLogger.info(`Failed authentication from IP ${req.ip}`); if (await aCallFirst0('authnFailure', {req, res})) return; if (await aCallFirst0('authFailure', {req, res, next})) return; @@ -191,7 +189,7 @@ const checkAccess = async (req:any, res:any, next: Function) => { } if (req.session.user == null) { httpLogger.error('authenticate hook failed to add user settings to session'); - throw new Error('authenticate hook failed to add user settings to session') + return res.status(500).send('Internal Server Error'); } const {username = ''} = req.session.user; httpLogger.info(`Successful authentication from IP ${req.ip} for user ${username}`); 
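Review bot: In the `@@ -191,7 +189,7 @@` hunk, replacing the throw with `return res.status(500).send('Internal Server Error');` bypasses the Express error handler, so the `stats.meter('http500').mark()` call in errorhandling.ts (first file of this patch) is never recorded for this failure and that handler's own response body is not used. Given the `.catch((err) => next(err || new Error(err)))` wrapper this same patch adds to `exports.checkAccess`, keeping `throw new Error('authenticate hook failed to add user settings to session');` would route the failure through that handler instead. If the inline 500 is intentional, the preceding `httpLogger.error` already records the cause, but the inconsistency in which failures count as an HTTP 500 deserves a comment on that line. checkAccess starts and ends outside the hunk.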
@@ -213,7 +211,6 @@ const checkAccess = async (req:any, res:any, next: Function) => {
 if (await aCallFirst0('authFailure', {req, res, next})) return;
 // No plugin handled the authorization failure.
 res.status(403).send('Forbidden');
- return
 };

 /**
@@ -221,5 +218,5 @@ const checkAccess = async (req:any, res:any, next: Function) => {
 * express-session middleware.
 */
 exports.checkAccess = (req:any, res:any, next:Function) => {
- checkAccess(req, res, next);
+ checkAccess(req, res, next).catch((err) => next(err || new Error(err)));
 };
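Review bot: In the last hunk, `err || new Error(err)` passes a thrown non-Error value (a string, or an object without `stack`) straight to `next`, and for a falsy rejection value builds an Error whose message is `'undefined'` or `'null'` rather than anything the error handler can report; `checkAccess(req, res, next).catch((err) => next(err instanceof Error ? err : new Error(String(err))));` hands the handler a real Error in every case. The wrapper itself is the right fix for the previously unhandled rejection from the async checkAccess.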