From cd8100636279fb690fb691f94fa87e73cd60ef07 Mon Sep 17 00:00:00 2001
From: Matej Sychra
Date: Tue, 1 Mar 2022 20:47:55 +0100
Subject: [PATCH 1/2] sanitize all owners in router
---
 lib/router.js | 72 +++++++++++++++++++++++++--------------------------
 1 file changed, 36 insertions(+), 36 deletions(-)
diff --git a/lib/router.js b/lib/router.js
index 1f109a983..932263298 100644
--- a/lib/router.js
+++ b/lib/router.js
@@ -532,7 +532,7 @@ module.exports = function (app) {
 // Applies only to post requests!
 if (req.method == "POST") {
 if (typeof (req.body) !== "undefined") {
- let xowner = req.body.owner;
+ let xowner = sanitka.owner(req.session.owner);
 let api_key = req.body.api_key;
 if (typeof (xowner) !== "undefined" && typeof (api_key) !== "undefined") {
 // Using Owner/API Key
@@ -570,7 +570,7 @@ module.exports = function (app) {
 /* List all devices for user. */
 app.get("/api/user/devices", function (req, res) {
 if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 devices.list(owner, (success, response) => {
 respond(res, response);
 });
@@ -581,7 +581,7 @@ module.exports = function (app) {
 /* Attach code source to a device. Expects unique device identifier and source alias. */
 app.post("/api/device/attach", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var body = req.body;
 devices.attach(owner, body, responder, res);
 });
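Review bot: The new `let xowner = sanitka.owner(req.session.owner);` in the -532 hunk does not only sanitize, it changes where the owner comes from: the removed line read `req.body.owner`, and the branch two lines below is labelled "Using Owner/API Key", i.e. a caller that sends owner + `api_key` in the body. Such a caller presumably has no session cookie, so `req.session.owner` is undefined, the `typeof (xowner) !== "undefined"` test fails and the API-key path is skipped for exactly the clients it was written for. If the goal is sanitization, keep the source and wrap it: `let xowner = sanitka.owner(req.body.owner);`. It is also worth confirming what `sanitka.owner()` returns for rejected input, since the following check only catches `undefined`. The enclosing handler starts before and ends after this hunk.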
@@ -597,7 +597,7 @@ module.exports = function (app) {
 /* Attach device to a mesh. Expects unique mesh identifier and device id. */
 app.post("/api/device/mesh/attach", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var body = req.body;
 if ((typeof (owner) === "undefined") || (owner === null)) {
 owner = sanitka.owner(body.owner);
@@ -608,7 +608,7 @@ module.exports = function (app) {
 /* Detach device from a mesh. Expects unique device identifier and unique mesh identifier. */
 app.post("/api/device/mesh/detach", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var body = req.body;
 if ((typeof (owner) === "undefined") || (owner === null)) {
 owner = body.owner;
@@ -654,7 +654,7 @@ module.exports = function (app) {
 /* Post device data. */
 app.post("/api/device/data", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var udid = sanitka.udid(req.body.udid);
 app.messenger.data(owner, udid, responder, res);
@@ -672,7 +672,7 @@ module.exports = function (app) {
 app.post("/api/transformer/run", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 if (typeof (owner) === "undefined" || owner === null) {
 respond(res, {
 success: false,
@@ -700,7 +700,7 @@ module.exports = function (app) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 if (typeof (req.body.alias) === "undefined") {
 respond(res, {
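Review bot: In the `/api/device/mesh/detach` hunk (-608) the fallback `owner = body.owner;` two lines below the new assignment still takes the owner straight from the request body without sanitization, while the parallel `/api/device/mesh/attach` hunk directly above wraps the same fallback as `sanitka.owner(body.owner)`. For a commit titled "sanitize all owners" this is the one owner value that reaches the handler untouched. Change it to `owner = sanitka.owner(body.owner);` so both mesh handlers treat a body-supplied owner identically. The handler body continues past the end of the hunk.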
@@ -738,7 +738,7 @@ module.exports = function (app) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var api_key_hashes = [];
 if (typeof (req.body.fingerprint) !== "undefined") {
@@ -769,7 +769,7 @@ module.exports = function (app) {
 if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 apikey.list(owner, (success, keys) => {
 if (success) {
@@ -795,7 +795,7 @@ module.exports = function (app) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 if (typeof (req.body.key) === "undefined") {
 respond(res, {
@@ -838,7 +838,7 @@ module.exports = function (app) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var env_var_names;
 if (typeof (req.body.name) !== "undefined") {
@@ -877,7 +877,7 @@ module.exports = function (app) {
 if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 apienv.list(owner, (success, response) => {
 if (success) {
@@ -900,7 +900,7 @@ module.exports = function (app) {
 /* List available sources */
 app.get("/api/user/sources/list", function (req, res) {
 if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 if (typeof (owner) === "undefined") {
 res.status(401);
 }
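Review bot: In the `/api/user/sources/list` hunk (-900) the guard `if (typeof (owner) === "undefined") { res.status(401); }` after the new sanitized assignment only tests for `undefined`, whereas the `/api/transformer/run` hunk in this same patch tests `typeof (owner) === "undefined" || owner === null`; if `sanitka.owner()` reports a rejected value as `null` (not visible here, worth confirming) this handler proceeds with a null owner. Within the visible lines the guard also only sets the status and neither responds nor returns, so unless a `return` follows outside the hunk the listing code still runs for a caller without an owner. I would align it with the transformer check and end the request: `if (typeof (owner) === "undefined" || owner === null) { res.status(401); respond(res, { success: false }); return; }`. The handler continues beyond the hunk.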
@@ -959,7 +959,7 @@ module.exports = function (app) {
 app.post("/api/user/source/revoke", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 if (typeof (req.body.source_ids) === "undefined") {
 respond(res, {
 success: false,
@@ -982,7 +982,7 @@ module.exports = function (app) {
 if (!validateSession(req, res)) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 rsakey.create(owner, (success, response) => {
 respond(res, {
@@ -997,7 +997,7 @@ module.exports = function (app) {
 if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 rsakey.list(owner, (success, response) => {
 if (success === false) {
@@ -1023,7 +1023,7 @@ module.exports = function (app) {
 var owner;
 if (typeof (req.session.owner) !== "undefined") {
- owner = req.session.owner;
+ owner = sanitka.owner(req.session.owner);
 } else {
 respond(res, {
 success: false,
@@ -1138,7 +1138,7 @@ module.exports = function (app) {
 app.post("/api/user/profile", function (req, res) {
 if (!(validateSecurePOSTRequest(req) && validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 if (typeof (owner) === "undefined") {
 res.status(401); // cannot POST without owner
 }
@@ -1154,7 +1154,7 @@ module.exports = function (app) {
 // /user/profile GET
 app.get("/api/user/profile", function (req, res) {
 if (!(validateSecureGETRequest(req) && validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 if (typeof (owner) === "undefined") {
 res.status(401);
 }
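Review bot: In the -1023 hunk the guard `if (typeof (req.session.owner) !== "undefined")` tests the raw session value, but what the handler goes on to use is the new `owner = sanitka.owner(req.session.owner);`, whose result is never checked; if the sanitizer rejects the value (returning `null`, `false` or an empty string — its contract is not visible here), the handler proceeds with that result instead of taking the `else` branch that responds with `success: false`. Sanitize first and branch on the outcome: `var owner = sanitka.owner(req.session.owner);` followed by `if (typeof (owner) !== "undefined" && owner !== null) {`. The hunk starts and ends mid-handler.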
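Review bot: In the `/api/user/profile` POST hunk (-1138) the branch `res.status(401); // cannot POST without owner` sets the status but, within the visible lines, neither responds nor returns, so unless a `return` follows outside the hunk the profile update still executes for a request whose sanitized owner is undefined; the GET hunk right after it has the same shape. This handler already requires `validateSession` (note the `&&` here rather than the `||` used by most other handlers in the patch), so the branch may be unreachable in practice, but if it is kept it should end the request: `res.status(401); respond(res, { success: false }); return;`. Both handlers continue past their hunks.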
@@ -1495,7 +1495,7 @@ module.exports = function (app) {
 }
 // Hybrid Cookie/APIKey authentication (could be global middleware... of values exist, shall be validated, then this becomes duplicate op in chain)
- let owner = req.body.owner;
+ let owner = sanitka.owner(req.session.owner);
 let api_key = req.body.apikey;
 if (typeof (owner) !== "undefined" && typeof (api_key) !== "undefined") {
 // Using Owner/API Key
@@ -1513,7 +1513,7 @@ module.exports = function (app) {
 } else {
 // Using cookies
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- owner = req.session.owner;
+ owner = sanitka.owner(req.session.owner);
 implementation(owner, req.body.changes, res);
 }
 });
@@ -1531,7 +1531,7 @@ module.exports = function (app) {
 let socket = null;
 if (typeof (existing_sockets) !== "undefined") {
 console.log("app._ws owner:", req.session.owner);
- let sowner = req.session.owner;
+ let sowner = sanitka.owner(req.session.owner);
 if (typeof (sowner) !== "undefined") {
 let xocket = existing_sockets[sowner];
 if ((typeof (xocket) !== "undefined")) {
@@ -1549,7 +1549,7 @@ module.exports = function (app) {
 // Input validation
 let unsafe_build = req.body.build;
- let owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 let udid = sanitka.udid(unsafe_build.udid);
 let source_id = sanitka.udid(unsafe_build.source_id);
 let dryrun = false;
@@ -1584,8 +1584,8 @@ module.exports = function (app) {
 // should be under /api
 app.post("/api/device/envelope", function (req, res) {
- let udid = req.body.udid;
- let owner = req.session.owner;
+ let udid = sanitka.udid(req.body.udid);
+ let owner = sanitka.owner(req.session.owner);
 if ((typeof (udid) === "undefined") || (typeof (owner) === "undefined")) {
 respond(res, "{}");
 } else {
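Review bot: The "Hybrid Cookie/APIKey authentication" block (-1495) loses its hybrid nature with this change: the removed line read `req.body.owner`, the new line reads `sanitka.owner(req.session.owner)`, and the `else` branch in the very next hunk (-1513) assigns the identical expression, so both branches now draw the owner from the session and the "Using Owner/API Key" path only fires for a caller that already has a session. A body-only API-key client presumably has no `req.session.owner`, fails the `typeof (owner) !== "undefined"` test and is pushed into the cookie branch, which then requires a valid session. If the intent is sanitization rather than dropping API-key auth, the line should be `let owner = sanitka.owner(req.body.owner);`. The enclosing handler starts before this hunk.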
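Review bot: `/api/device/envelope` (-1584) reads `req.session.owner` with no `validateSecurePOSTRequest`/`validateSession` call anywhere in the visible handler, unlike every other handler in this patch, and its guard only tests `typeof (owner) === "undefined"`, so a rejected sanitizer result that is `null` (presumed — confirm `sanitka.owner`'s contract) would pass into the `else` branch. Sanitizing the udid is good, but nothing visible establishes that the session is valid; add `if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;` as the first statement and extend the guard with `|| owner === null`. Separately, the context comment `// should be under /api` is stale, since the route already is `/api/device/envelope`. The hunk ends inside the `else` branch.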
@@ -1597,7 +1597,7 @@ module.exports = function (app) {
 // Get build artifacts
 app.post("/api/device/artifacts", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var udid = sanitka.udid(req.body.udid);
 var build_id = sanitka.udid(req.body.build_id);
@@ -1639,7 +1639,7 @@ module.exports = function (app) {
 /* Returns all audit logs per owner */
 app.get("/api/user/logs/audit", function (req, res) {
 if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 alog.fetch(owner, (err, body) => {
@@ -1672,7 +1672,7 @@ module.exports = function (app) {
 if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 if (typeof (owner) === "undefined") {
 respond(res, {
@@ -1768,7 +1768,7 @@ module.exports = function (app) {
 /* Returns specific build log for owner */
 app.post("/api/user/logs/build", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 if (typeof (req.body.build_id) === "undefined") {
 respond(res, {
 success: false,
@@ -1830,7 +1830,7 @@ module.exports = function (app) {
 /* Request device transfer */
 app.post("/api/transfer/request", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 transfer.request(owner, req.body, function (success, response) {
 transferResultRedirect(success, res, response);
 });
@@ -2315,7 +2315,7 @@ module.exports = function (app) {
 if (!(validateSecureGETRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 stats.week(owner, (success, body) => {
@@ -2355,7 +2355,7 @@ module.exports = function (app) {
 /* Websocket to Slack chat */
 app.post("/api/user/chat", function (req, res) {
 if (!validateSecurePOSTRequest(req)) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var message = req.body.message;
 app.messenger.slack(owner, message, function (err, response) {
 if (err) {
@@ -2373,7 +2373,7 @@ module.exports = function (app) {
 app.post("/api/user/message", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var message = req.body.message;
 app.messenger.slack(owner, message, function (err, response) {
 console.log("Message: '" + message + "' with error " + err);
@@ -2391,7 +2391,7 @@ module.exports = function (app) {
 /* Respond to actionable notification */
 app.post("/api/device/push", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 devices.push(owner, req.body, (push_success, push_response) => {
 respond(res, {
 success: push_success,
@@ -2407,7 +2407,7 @@ module.exports = function (app) {
 /* Respond to actionable notification */
 app.post("/api/device/notification", function (req, res) {
 if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;
- var owner = req.session.owner;
+ let owner = sanitka.owner(req.session.owner);
 var device_id = Validator.udid(req.body.udid);
 var nid = "nid:" + device_id;
 var reply = req.body.reply;
From 208eaf68e56c0a9a51cfb16d4e6371357289145f Mon Sep 17 00:00:00 2001
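Review bot: `/api/user/chat` (-2355) guards only with `validateSecurePOSTRequest(req)` and never calls `validateSession(req, res)`, unlike the `/api/user/message` hunk directly below, yet the new line takes the owner from `req.session.owner` and hands it to `app.messenger.slack` with no check. If the secure-POST check validates something other than the session cookie (an API key, presumably — not visible here), `owner` is undefined or the sanitizer's rejection value for such callers. Either mirror the message handler with `if (!(validateSecurePOSTRequest(req) || validateSession(req, res))) return;` or guard `owner` before the messenger call. The handler continues past the hunk.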
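Review bot: In the `/api/device/notification` hunk (-2407) the context line `var device_id = Validator.udid(req.body.udid);` validates the udid through `Validator.udid`, while every other hunk in this patch (artifacts, data, envelope, build) uses `sanitka.udid`; whether the two apply the same rules is not visible here. Since the result is spliced into the key `"nid:" + device_id`, it is worth confirming they agree, or switching this one to `var device_id = sanitka.udid(req.body.udid);` so all udid handling goes through one sanitizer. The handler continues past the hunk.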
From: Matej Sychra
Date: Tue, 1 Mar 2022 20:52:13 +0100
Subject: [PATCH 2/2] one less useless assignment before merge; needs field testing
---
 lib/router.js | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/router.js b/lib/router.js
index 932263298..8604356fe 100644
--- a/lib/router.js
+++ b/lib/router.js
@@ -14,11 +14,9 @@ module.exports = function (app) {
 const auth = new Auth(); // constructor must be called to do the job when router is initialized */
- let Sqreen;
-
 if (Globals.use_sqreen()) {
 try {
- Sqreen = require('sqreen');
+ require('sqreen');
 } catch (s) {
 console.log(s);
 }
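Review bot: The new bare `require('sqreen');` reads like a leftover unused import and is likely to be removed by a later cleanup or a linter autofix; a comment stating that it is loaded for its side effects would protect it: `require('sqreen'); // loaded for side effects only: the agent instruments the process on import (presumed — confirm against the sqreen docs)`. Separately, the surrounding `catch (s) { console.log(s); }` means that when `Globals.use_sqreen()` is true and the agent fails to load, the failure is printed at info level and startup continues without the protection it was configured to have; for a security agent, `console.error` or a hard failure is more appropriate. The enclosing module function continues beyond the hunk.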