🐛 fixed a bug in the oidc configuration preventing saving changes
🔒 fixed admin authorization validation for all administration pages
🔒 fixed a stored XSS vulnerability in the task functionality
faburem committed Jun 27, 2022
1 parent 0b09798 commit fe8c3cd
Showing 6 changed files with 14 additions and 13 deletions.
8 changes: 4 additions & 4 deletions imports/api/customfields/server/methods.js
@@ -1,5 +1,5 @@
import CustomFields from '../customfields.js'
import { checkAuthentication } from '../../../utils/server_method_helpers'
import { checkAdminAuthentication } from '../../../utils/server_method_helpers'

Meteor.methods({
addCustomField: function addCustomField({
Expand All @@ -10,7 +10,7 @@ Meteor.methods({
check(type, String)
check(desc, String)
check(possibleValues, Match.Maybe([String]))
checkAuthentication(this)
checkAdminAuthentication(this)
if (CustomFields.findOne({ name })) {
throw new Meteor.Error('error-custom-field-exists', 'Custom field already exists', { method: 'addCustomField' })
}
Expand All @@ -28,7 +28,7 @@ Meteor.methods({
},
removeCustomField: function removeCustomField({ _id }) {
check(_id, String)
checkAuthentication(this)
checkAdminAuthentication(this)
if (!CustomFields.findOne({ _id })) {
throw new Meteor.Error('error-custom-field-not-found', 'Custom field not found', { method: 'removeCustomField' })
}
Expand All @@ -37,7 +37,7 @@ Meteor.methods({
updateCustomField: function updateCustomField({
_id, desc, type, possibleValues,
}) {
checkAuthentication(this)
checkAdminAuthentication(this)
check(_id, String)
check(type, String)
check(desc, String)
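Review bot: The import on the third line now brings in only checkAdminAuthentication, so any method in this file outside these three hunks that still calls `checkAuthentication(this)` becomes an undefined reference at call time; worth confirming with ESLint no-undef, since the file continues past the last hunk. The three call sites also disagree on order: updateCustomField authorizes before its `check()` calls, while addCustomField and removeCustomField validate arguments first. Calling `checkAdminAuthentication(this)` first in all three is the consistent choice and means argument-validation errors are never produced for non-admin callers. The enclosing Meteor.methods call starts and ends outside the hunks.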
10 changes: 5 additions & 5 deletions imports/api/extensions/methods.js
@@ -1,10 +1,10 @@
import AdmZip from 'adm-zip'
import Extensions from './extensions'
import { checkAuthentication } from '../../utils/server_method_helpers'
import { checkAdminAuthentication } from '../../utils/server_method_helpers'

Meteor.methods({
addExtension({ zipFile }) {
checkAuthentication(this)
checkAdminAuthentication(this)
const regex = /^data:.+\/(.+);base64,(.*)$/
const matches = zipFile.match(regex)
const data = matches[2]
Expand Down Expand Up @@ -36,7 +36,7 @@ Meteor.methods({
return new Meteor.Error('Extension has been added before.')
},
removeExtension({ extensionId }) {
checkAuthentication(this)
checkAdminAuthentication(this)
const extension = Extensions.findOne({ _id: extensionId })
if (extension) {
Extensions.remove({ _id: extension._id })
Expand All @@ -45,7 +45,7 @@ Meteor.methods({
return new Meteor.Error('Extension does not exist.')
},
launchExtension({ extensionId }) {
checkAuthentication(this)
checkAdminAuthentication(this)
const extension = Extensions.findOne({ _id: extensionId })
if (extension) {
eval(extension.server)
Expand All @@ -54,7 +54,7 @@ Meteor.methods({
return new Meteor.Error('Extension does not exist')
},
toggleExtensionState({ extensionId, state }) {
checkAuthentication(this)
checkAdminAuthentication(this)
const extension = Extensions.findOne({ _id: extensionId })
if (extension) {
Extensions.update({ _id: extension._id }, { $set: { isActive: state } })
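Review bot: addExtension still calls `zipFile.match(regex)` with no `check(zipFile, String)` and no guard that the match succeeded, so a non-string or non-data-URL argument fails with a TypeError at `matches[2]` instead of a Meteor.Error; add `check(zipFile, String)` after the authorization line and `if (!matches) throw new Meteor.Error('error-invalid-extension', 'Expected a base64 data URL')` (constructed error code). The other three methods likewise accept extensionId without `check(extensionId, String)`. launchExtension's `eval(extension.server)` executes stored extension code inside the server process, so the new admin gate is the only control on that path; a comment on that line such as `// Executes stored extension code on the server; reachable only after checkAdminAuthentication above` would make that dependency explicit for the next maintainer. Each method's body continues outside its hunk.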
3 changes: 2 additions & 1 deletion imports/api/globalsettings/methods.js
Expand Up @@ -30,10 +30,11 @@ Meteor.methods({
}
},
updateOidcSettings(configuration) {
check(configuration, Object)
checkAdminAuthentication(this)
ServiceConfiguration.configurations.remove({
service: 'oidc',
})
ServiceConfiguration.configurations.insert(configuration)
}
},
})
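Review bot: updateOidcSettings inserts the client-supplied configuration unchanged after only `check(configuration, Object)`, so nothing ties the inserted document to the `oidc` service that the preceding remove targets; pinning the service on the server, `ServiceConfiguration.configurations.insert({ ...configuration, service: 'oidc' })`, keeps both operations on the same record and leaves the client unable to write a different service's entry. The remove-then-insert pair is also not atomic: a failure after the remove leaves no OIDC configuration at all, which a single upsert keyed on `{ service: 'oidc' }` would avoid — hedged, as the collection's API is not visible here. Which of these lines the commit added is not recoverable from the rendered page. The enclosing Meteor.methods call starts outside the hunk.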
2 changes: 1 addition & 1 deletion imports/ui/components/projectTasks.js
Expand Up @@ -87,7 +87,7 @@ Template.projectTasks.onRendered(() => {
const ganttTasks = tasks.fetch()?.map((task) => (
{
id: task._id,
name: task.name,
name: $('span').text(task.name).get(0).innerHTML,
start: dayjs(task.start).format('YYYY-MM-DD'),
end: dayjs(task.end).format('YYYY-MM-DD'),
dependencies: task.dependencies,
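Review bot: `$('span')` on the rewritten name line is a selector, not an element constructor, so `.text(task.name)` overwrites the text of every existing `<span>` on the page once per task, and on a page with no span `.get(0)` is undefined and the `.innerHTML` read throws; the escape should use a detached element, `name: $('<span>').text(task.name).html(),`. innerHTML encoding covers only `&`, `<` and `>`, which is sufficient when the gantt library inserts the name as element content but not if it places it in an attribute — worth confirming against the library's rendering before relying on it as the XSS fix. The enclosing onRendered callback starts and ends outside the hunk.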
2 changes: 1 addition & 1 deletion imports/ui/pages/administration.js
Expand Up @@ -289,7 +289,7 @@ Template.administration.events({
}

// Fetch the value of each input field
Oidc.fields.forEach((field) => {
oidcFields.forEach((field) => {
configuration[field.property] = document.getElementById(
`configure-oidc-${field.property}`
).value.replace(/^\s*|\s*$/g, '') // trim() doesnt work on IE8
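Review bot: The loop body kept under the new `oidcFields.forEach` still trims with `.replace(/^\s*|\s*$/g, '')` justified by `// trim() doesnt work on IE8`, while the same lines use an arrow function and a template literal that IE8 cannot parse, so the comment is stale and `.value.trim()` is the clearer form. `oidcFields` is not defined or imported within the hunk; if it is a module-level list earlier in the file, a one-line comment above the loop naming it as the source of the `configure-oidc-*` input ids would help readers. The enclosing event handler starts outside the hunk.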
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "titra",
"version": "0.79.0",
"version": "0.79.1",
"private": true,
"scripts": {
"start": "meteor run"

