Coder
code-server
Unverified
Commit 3b50bfc1
Authored on Jun 07, 2021 by Joe Previte
fix: sanitize password and cookie key
Parent: deaa2242
Changes: 6
Showing 6 changed files with 30 additions and 6 deletions (+30 -6)

ci/build/build-standalone-release.sh +1 -1
ci/build/npm-postinstall.sh +1 -1
src/node/http.ts +2 -2
src/node/routes/login.ts +2 -2
src/node/util.ts +11 -0
test/unit/node/util.test.ts +13 -0
ci/build/build-standalone-release.sh
View file @
3b50bfc1
@@ -3,7 +3,7 @@ set -euo pipefail
# This is due to an upstream issue with RHEL7/CentOS 7 comptability with node-argon2
# See: https://github.com/cdr/code-server/pull/3422#pullrequestreview-677765057
npm_config_build_from_source
=
true
export
npm_config_build_from_source
=
true
main
()
{
cd
"
$(
dirname
"
${
0
}
"
)
/../.."
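Review bot: this hunk is unrelated to the commit message ("fix: sanitize password and cookie key"); the `export` added in front of `npm_config_build_from_source=true` is a build-script change and belongs in its own commit so it can be reverted or bisected independently of the auth change. While here, the comment above it reads "comptability" and should be "compatibility".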
ci/build/npm-postinstall.sh
View file @
3b50bfc1
@@ -20,7 +20,7 @@ detect_arch() {
ARCH
=
"
${
NPM_CONFIG_ARCH
:-
$(
detect_arch
)
}
"
# This is due to an upstream issue with RHEL7/CentOS 7 comptability with node-argon2
# See: https://github.com/cdr/code-server/pull/3422#pullrequestreview-677765057
npm_config_build_from_source
=
true
export
npm_config_build_from_source
=
true
main
()
{
# Grabs the major version of node from $npm_config_user_agent which looks like
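Review bot: the same `export npm_config_build_from_source=true` line and the same two-line comment now live in both ci/build/npm-postinstall.sh and ci/build/build-standalone-release.sh; consider sourcing one shared snippet so the next change to the node-argon2 workaround is not made in only one place. The "comptability" typo is duplicated here as well.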
src/node/http.ts
View file @
3b50bfc1
@@ -7,7 +7,7 @@ import { normalize, Options } from "../common/util"
import
{
AuthType
,
DefaultedArgs
}
from
"
./cli
"
import
{
commit
,
rootPath
}
from
"
./constants
"
import
{
Heart
}
from
"
./heart
"
import
{
getPasswordMethod
,
IsCookieValidArgs
,
isCookieValid
}
from
"
./util
"
import
{
getPasswordMethod
,
IsCookieValidArgs
,
isCookieValid
,
sanitizeString
}
from
"
./util
"
declare
global
{
// eslint-disable-next-line @typescript-eslint/no-namespace
@@ -72,7 +72,7 @@ export const authenticated = async (req: express.Request): Promise<boolean> => {
const
passwordMethod
=
getPasswordMethod
(
hashedPasswordFromArgs
)
const
isCookieValidArgs
:
IsCookieValidArgs
=
{
passwordMethod
,
cookieKey
:
req
.
cookies
.
key
as
string
,
cookieKey
:
sanitizeString
(
req
.
cookies
.
key
)
,
passwordFromArgs
:
req
.
args
.
password
||
""
,
hashedPasswordFromArgs
:
req
.
args
[
"
hashed-password
"
],
}
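Review bot: `cookieKey` is now passed through `sanitizeString`, but `passwordFromArgs` (`req.args.password || ""`) and `hashedPasswordFromArgs` (`req.args["hashed-password"]`) in the same object are not, so a non-string or whitespace-padded value in either still reaches `isCookieValid` unchecked; apply the same treatment or say in a comment why the args path is trusted. Dropping the `as string` cast is correct: the runtime `typeof` check inside `sanitizeString` now does the job the cast only pretended to do.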
src/node/routes/login.ts
View file @
3b50bfc1
@@ -4,7 +4,7 @@ import { RateLimiter as Limiter } from "limiter"
import
*
as
path
from
"
path
"
import
{
rootPath
}
from
"
../constants
"
import
{
authenticated
,
getCookieDomain
,
redirect
,
replaceTemplates
}
from
"
../http
"
import
{
getPasswordMethod
,
handlePasswordValidation
,
humanPath
}
from
"
../util
"
import
{
getPasswordMethod
,
handlePasswordValidation
,
humanPath
,
sanitizeString
}
from
"
../util
"
export
enum
Cookie
{
Key
=
"
key
"
,
@@ -61,7 +61,7 @@ router.get("/", async (req, res) => {
})
router
.
post
(
"
/
"
,
async
(
req
,
res
)
=>
{
const
password
=
req
.
body
.
password
const
password
=
sanitizeString
(
req
.
body
.
password
)
const
hashedPasswordFromArgs
=
req
.
args
[
"
hashed-password
"
]
try
{
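Review bot: `sanitizeString` trims the submitted password before it reaches `handlePasswordValidation`, so a configured password that legitimately starts or ends with whitespace can no longer be entered; if the intent is only to reject a non-string `password` field in the body, a type check without `trim()` would avoid changing which passwords are accepted. `hashedPasswordFromArgs` on the next line is still read from `req.args` without the same check.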
src/node/util.ts
View file @
3b50bfc1
@@ -274,6 +274,17 @@ export async function isCookieValid(isCookieValidArgs: IsCookieValidArgs): Promi
return
isValid
}
/** Ensures that the input is sanitized by checking
* - it's a string
* - greater than 0 characters
* - trims whitespace
*/
export
function
sanitizeString
(
str
:
string
):
string
{
// Very basic sanitization of string
// Credit: https://stackoverflow.com/a/46719000/3015595
return
typeof
str
===
"
string
"
&&
str
.
trim
().
length
>
0
?
str
.
trim
()
:
""
}
const
mimeTypes
:
{
[
key
:
string
]:
string
}
=
{
"
.aac
"
:
"
audio/x-aac
"
,
"
.avi
"
:
"
video/x-msvideo
"
,
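Review bot: the parameter is declared `str: string`, yet the body checks `typeof str === "string"`, which is why the unit test has to write `{} as string`; declare it as `unknown` so callers can pass raw request values without a cast and the signature reflects what the function actually guards against. The JSDoc says the input is "sanitized", but the function only type-checks and trims; it does not escape, normalize or length-limit anything, so describe it as a trim-and-type-guard so callers do not assume more. `str.trim()` is also evaluated twice; bind it once, e.g. `const trimmed = typeof str === "string" ? str.trim() : ""`.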
test/unit/node/util.test.ts
View file @
3b50bfc1
@@ -7,6 +7,7 @@ import {
hashLegacy
,
isHashLegacyMatch
,
isCookieValid
,
sanitizeString
,
}
from
"
../../../src/node/util
"
describe
(
"
getEnvPaths
"
,
()
=>
{
@@ -382,3 +383,15 @@ describe.only("isCookieValid", () => {
expect
(
isValid
).
toBe
(
false
)
})
})
describe
.
only
(
"
sanitizeString
"
,
()
=>
{
it
(
"
should return an empty string if passed a type other than a string
"
,
()
=>
{
expect
(
sanitizeString
({}
as
string
)).
toBe
(
""
)
})
it
(
"
should trim whitespace
"
,
()
=>
{
expect
(
sanitizeString
(
"
hello
"
)).
toBe
(
"
hello
"
)
})
it
(
"
should always return an empty string
"
,
()
=>
{
expect
(
sanitizeString
(
"
"
)).
toBe
(
""
)
})
})
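Review bot: `describe.only("sanitizeString", ...)` (and the pre-existing `describe.only("isCookieValid", ...)` visible in the hunk header) makes Jest skip every other suite in this file, so CI would run only these two blocks; change both to `describe` before merging. The third test is named "should always return an empty string" but only exercises a whitespace-only input; rename it to say so, and consider adding cases for `undefined` and for a string with leading and trailing whitespace, since those are the inputs the http.ts and login.ts call sites now rely on.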