
Mitigate source-code leakage through hidden files in the temp folder. Also change the default enableRemoteLogBrowsing to false.

This commit is contained in:
Dorian Niemiec 2023-09-09 00:36:24 +02:00
parent 6066f77fae
commit 53560a7bcd
3 changed files with 12 additions and 9 deletions


@ -3,7 +3,7 @@
"port": 80, "port": 80,
"pubport": 80, "pubport": 80,
"page404": "404.html", "page404": "404.html",
"timestamp": 1694196507492, "timestamp": 1694212357224,
"blacklist": [], "blacklist": [],
"nonStandardCodes": [], "nonStandardCodes": [],
"enableCompression": true, "enableCompression": true,
@ -14,7 +14,7 @@
"enableDirectoryListingWithDefaultHead": false, "enableDirectoryListingWithDefaultHead": false,
"serverAdministratorEmail": "[no contact information]", "serverAdministratorEmail": "[no contact information]",
"stackHidden": false, "stackHidden": false,
"enableRemoteLogBrowsing": true, "enableRemoteLogBrowsing": false,
"exposeServerVersion": true, "exposeServerVersion": true,
"disableServerSideScriptExpose": true, "disableServerSideScriptExpose": true,
"rewriteMap": [ "rewriteMap": [
@ -102,4 +102,4 @@
"errorPages": [], "errorPages": [],
"useWebRootServerSideScript": true, "useWebRootServerSideScript": true,
"exposeModsInErrorPages": true "exposeModsInErrorPages": true
} }


@ -40,7 +40,7 @@
&nbsp;&nbsp;"enableDirectoryListingWithDefaultHead": false,<br/> &nbsp;&nbsp;"enableDirectoryListingWithDefaultHead": false,<br/>
&nbsp;&nbsp;"serverAdministratorEmail": "[no contact information]",<br/> &nbsp;&nbsp;"serverAdministratorEmail": "[no contact information]",<br/>
&nbsp;&nbsp;"stackHidden": false,<br/> &nbsp;&nbsp;"stackHidden": false,<br/>
&nbsp;&nbsp;"enableRemoteLogBrowsing": true,<br/> &nbsp;&nbsp;"enableRemoteLogBrowsing": false,<br/>
&nbsp;&nbsp;"exposeServerVersion": true,<br/> &nbsp;&nbsp;"exposeServerVersion": true,<br/>
&nbsp;&nbsp;"disableServerSideScriptExpose": true,<br/> &nbsp;&nbsp;"disableServerSideScriptExpose": true,<br/>
&nbsp;&nbsp;"rewriteMap": [<br/> &nbsp;&nbsp;"rewriteMap": [<br/>

svr.js

@ -1793,11 +1793,10 @@ if (useWebRootServerSideScript) {
} else { } else {
forbiddenPaths.serverSideScripts.push(getInitializePath("./serverSideScript.js")); forbiddenPaths.serverSideScripts.push(getInitializePath("./serverSideScript.js"));
} }
forbiddenPaths.serverSideScripts.push(getInitializePath("./temp/serverSideScript.js"));
forbiddenPaths.serverSideScriptDirectories = []; forbiddenPaths.serverSideScriptDirectories = [];
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./temp/modloader"));
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./node_modules")); forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./node_modules"));
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./mods")); forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./mods"));
forbiddenPaths.temp = getInitializePath("./temp");
forbiddenPaths.log = getInitializePath("./log"); forbiddenPaths.log = getInitializePath("./log");
// Create server // Create server
@ -4283,7 +4282,11 @@ if (!cluster.isPrimary) {
callServerError(403); callServerError(403);
serverconsole.errmessage("Access to configuration file/certificates is denied."); serverconsole.errmessage("Access to configuration file/certificates is denied.");
return; return;
} else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !(configJSON.enableRemoteLogBrowsing || configJSON.enableRemoteLogBrowsing == undefined)) { } else if (isForbiddenPath(decodedHref, "temp") && !isProxy) {
callServerError(403);
serverconsole.errmessage("Access to temporary folder is denied.");
return;
} else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !configJSON.enableRemoteLogBrowsing) {
callServerError(403); callServerError(403);
serverconsole.errmessage("Access to log files is denied."); serverconsole.errmessage("Access to log files is denied.");
return; return;
@ -5498,7 +5501,7 @@ function saveConfig() {
if (configJSONobj.enableDirectoryListingWithDefaultHead === undefined) configJSONobj.enableDirectoryListingWithDefaultHead = false; if (configJSONobj.enableDirectoryListingWithDefaultHead === undefined) configJSONobj.enableDirectoryListingWithDefaultHead = false;
if (configJSONobj.serverAdministratorEmail === undefined) configJSONobj.serverAdministratorEmail = "[no contact information]"; if (configJSONobj.serverAdministratorEmail === undefined) configJSONobj.serverAdministratorEmail = "[no contact information]";
if (configJSONobj.stackHidden === undefined) configJSONobj.stackHidden = false; if (configJSONobj.stackHidden === undefined) configJSONobj.stackHidden = false;
if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = true; if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = false;
if (configJSONobj.exposeServerVersion === undefined) configJSONobj.exposeServerVersion = true; if (configJSONobj.exposeServerVersion === undefined) configJSONobj.exposeServerVersion = true;
if (configJSONobj.disableServerSideScriptExpose === undefined) configJSONobj.disableServerSideScriptExpose = true; if (configJSONobj.disableServerSideScriptExpose === undefined) configJSONobj.disableServerSideScriptExpose = true;
if (configJSONobj.allowStatus === undefined) configJSONobj.allowStatus = true; if (configJSONobj.allowStatus === undefined) configJSONobj.allowStatus = true;
@ -5514,7 +5517,7 @@ function saveConfig() {
if (configJSONobj.errorPages === undefined) configJSONobj.errorPages = []; if (configJSONobj.errorPages === undefined) configJSONobj.errorPages = [];
if (configJSONobj.useWebRootServerSideScript === undefined) configJSONobj.useWebRootServerSideScript = true; if (configJSONobj.useWebRootServerSideScript === undefined) configJSONobj.useWebRootServerSideScript = true;
if (configJSONobj.exposeModsInErrorPages === undefined) configJSONobj.exposeModsInErrorPages = true; if (configJSONobj.exposeModsInErrorPages === undefined) configJSONobj.exposeModsInErrorPages = true;
var configString = JSON.stringify(configJSONobj, null, 2); var configString = JSON.stringify(configJSONobj, null, 2);
fs.writeFileSync(__dirname + "/config.json", configString); fs.writeFileSync(__dirname + "/config.json", configString);
break; break;
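Review bot: The new temp branch in the request-handling hunk (`} else if (isForbiddenPath(decodedHref, "temp") && !isProxy) {`) uses a different helper than the log branch directly below it, which uses `isIndexOfForbiddenPath(decodedHref, "log")`; since the goal is to deny the files inside the temp folder rather than the folder itself, this is only effective if isForbiddenPath also matches sub-paths of forbiddenPaths.temp — confirm that from its definition, or use the same prefix-style helper as the log branch. The first hunk drops the individual entries for temp/serverSideScript.js and temp/modloader in favour of the single forbiddenPaths.temp entry, so those files are now protected only by this new branch, which makes getting the match semantics right the whole fix. A short comment on the new branch would help future readers, e.g. `// Deny everything under temp/ (mod loader files, server-side script copies); see forbiddenPaths.temp`. Both this branch and the log branch are skipped when isProxy is set, as the log branch already was; the enclosing function starts and ends outside the hunk.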