
SVR.JS now refuses to start with misconfigured SNI in order to prevent ReDoS vulnerabilities.

Dorian Niemiec 2023-12-15 00:05:22 +01:00
parent 179ebf6a7f
commit 63f8e98add

5
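--- a/svr.js
+++ b/svr.js
@@ -1282,6 +1282,7 @@ if (!fs.existsSync(__dirname + "/config.json")) {
 }
 var certificateError = null;
+var sniReDos = false;
 // Load SNI
 if (secure) {
@@ -1291,6 +1292,9 @@ if (secure) {
 var sniNames = Object.keys(sni);
 var sniCredentials = [];
 sniNames.forEach(function (sniName) {
+if(typeof sniName === "string" && sniName.match(/\*[^*.]*\*[^*.]*(?:\.|$)/)) {
+sniReDos = true;
+}
 sniCredentials.push({
 name: sniName,
 cert: fs.readFileSync((sni[sniName].cert[0] != "/" && !sni[sniName].cert.match(/^[A-Z0-9]:\\/)) ? __dirname + "/" + sni[sniName].cert : sni[sniName].cert).toString(),
@@ -4892,6 +4896,7 @@ function start(init) {
 }
 if (certificateError) throw new Error("There was a problem with SSL certificate/private key: " + certificateError.message);
 if (wwwrootError) throw new Error("There was a problem with your web root: " + wwwrootError.message);
+if (sniReDos) throw new Error("Refusing to start, because the current SNI configuration would make the server vulnerable to ReDoS.");
 }
 // Information about starting the server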
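Review bot: The error thrown by the added `if (sniReDos) throw …` line in start() does not name the SNI entry that tripped the check, so an operator with many hostnames has to find the double-wildcard name by hand. Recording the name instead of a bare flag would fix that, e.g. `sniReDos = sniName;` inside the forEach and `"Refusing to start, because the SNI name \"" + sniReDos + "\" would make the server vulnerable to ReDoS."` as the message. The `typeof sniName === "string"` guard is always true for `Object.keys()` results and can be dropped, and `/…/.test(sniName)` reads more directly than `.match()` for a boolean check. The pattern only rejects two `*` within one dot-separated label; the code that turns SNI names into matchers lies outside these hunks (as do the starts and ends of the enclosing blocks), so whether that rule covers every backtracking-prone name should be confirmed there, and a one-line comment above the check stating the rule would help the next reader.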