webaccess: Silence prototype pollution warning

This commit is contained in:
Richard Hansen 2022-01-12 20:00:40 -05:00
parent dcd43e9849
commit ab85db4426


@ -151,12 +151,16 @@ const checkAccess = async (req, res, next) => {
const userpass =
Buffer.from(req.headers.authorization.split(' ')[1], 'base64').toString().split(':');
ctx.username = userpass.shift();
// Prevent prototype pollution vulnerabilities in plugins. This also silences a prototype
// pollution warning below (when setting settings.users[ctx.username]) that isn't actually a
// problem unless the attacker can also set Object.prototype.password.
if (ctx.username === '__proto__') ctx.username = null;
ctx.password = userpass.join(':');
}
if (!(await aCallFirst0('authenticate', ctx))) {
// Fall back to HTTP basic auth.
const {[ctx.username]: {password} = {}} = settings.users;
if (!httpBasicAuth || password == null || password !== ctx.password) {
if (!httpBasicAuth || !ctx.username || password == null || password !== ctx.password) {
httpLogger.info(`Failed authentication from IP ${req.ip}`);
if (await aCallFirst0('authnFailure', {req, res})) return;
if (await aCallFirst0('authFailure', {req, res, next})) return;
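Review bot: The new guard only neutralizes the literal `__proto__`, while the basic-auth lookup `const {[ctx.username]: {password} = {}} = settings.users;` still resolves inherited keys, so a username such as `constructor` or `hasOwnProperty` reaches the destructure (and any plugin keyed on `ctx.username`) as a non-null value. No bypass is visible in this hunk — `Object.password` is undefined, so the added `password == null` branch rejects it — but the general fix is an own-property check rather than a single blocklisted key: `const {password} = Object.hasOwn(settings.users, ctx.username) ? settings.users[ctx.username] : {};` (or `Object.prototype.hasOwnProperty.call(...)` on older Node), keeping the `__proto__` nulling for plugins. The comment on the added lines could say so explicitly, e.g. `// Only '__proto__' is blocked here; the basic-auth lookup below must still guard against other inherited keys.` Separately, the retained `password !== ctx.password` compares a secret with a non-constant-time operator; `crypto.timingSafeEqual` on equal-length buffers would be the conventional choice, though that predates this commit. The enclosing checkAccess function begins and ends outside the hunk.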