From 17c09db6952a04020df93f8d3013501a4b0fd6b4 Mon Sep 17 00:00:00 2001 From: svrjs Date: Sun, 30 Jul 2023 02:24:20 +0200 Subject: [PATCH] Security updates --- index.js | 61 +++++++++++++++++++++++++++++++------------------------- mod.info | 2 +- 2 files changed, 35 insertions(+), 28 deletions(-) diff --git a/index.js b/index.js index d35ed0e..9e946d1 100644 --- a/index.js +++ b/index.js @@ -4,13 +4,11 @@ var http = require("http"); var url = require("url"); var fs = require("fs"); var path = require("path"); -var { - spawn -} = require("child_process"); +var childProcess = require("child_process"); var version = "UNKNOWN"; try { version = JSON.parse(fs.readFileSync(__dirname + "/mod.info")).version; -} catch(ex) { +} catch (ex) { //Can"t determine version } var configJSONS = JSON.parse(fs.readFileSync("config.json")); //Read configuration JSON @@ -25,10 +23,12 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd, } bheaders["Content-Type"] = "text/html" //HTML output if (!getCustomHeaders) bheaders["Server"] = "SVR.JS/" + configJSON.version + " (" + os.platform()[0].toUpperCase() + os.platform().slice(1) + ")"; //Add Server header + var abheaders = JSON.parse(JSON.stringify(bheaders)); + function executeCGI(fname, req, res, dh, nEnv) { var env = JSON.parse(JSON.stringify(process.env)); var nEnvKeys = Object.keys(nEnv); - for(var i=0;i { - if(!cned && (signal || code !== 0)) { - var ex = new Error("Process execution failed!" + (stderr ? " Reason: " + stderr.trim() : "")); - if (!callServerError) { - res.writeHead(500); - res.end(ex.stack); - } else { - callServerError(500, "RedBrick/" + version, ex); - } + if (!cned && (signal || code !== 0)) { + var ex = new Error("Process execution failed!" + (stderr ? " Reason: " + stderr.trim() : "")); + if (!callServerError) { + res.writeHead(500); + res.end(ex.stack); } else { - res.end(); + callServerError(500, "RedBrick/" + version, ex); } + } else { + res.end(); + } }); } } 
@@ -203,7 +203,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
 nEnv["REQUEST_METHOD"] = req.method;
 nEnv["GATEWAY_INTERFACE"] = "CGI/1.1";
 nEnv["REQUEST_URI"] = req.url;
- nEnv["REMOTE_ADDR"] = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : ((req.headers["x-forwarded-for"] && configJSON.enableIPSpoofing) ? req.headers["x-forwarded-for"].split(",")[0].replace(/ /g,"") : req.socket.remoteAddress)).replace(/^::ffff:/i, "");
+ nEnv["REMOTE_ADDR"] = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : ((req.headers["x-forwarded-for"] && configJSON.enableIPSpoofing) ? req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "") : req.socket.remoteAddress)).replace(/^::ffff:/i, "");
 nEnv["REMOTE_PORT"] = (req.socket.realRemotePort ? req.socket.realRemotePort : req.socket.remoteAddress);
 nEnv["SCRIPT_NAME"] = a;
 nEnv["SCRIPT_FILENAME"] = (process.cwd() + (require("os").platform == "win32" ? a.replace(/\//g, "\\") : a)).replace((require("os").platform == "win32" ? /\\\\/g : /\/\//g), (require("os").platform == "win32" ? "\\" : "/"));
@@ -224,7 +224,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
 var invokeElseCallback = false;
 try {
 invokeElseCallback = !fs.statSync("." + href).isFile();
- } catch(ex) { }
+ } catch (ex) {}
 if (invokeElseCallback) {
 elseCallback();
 } else {
@@ -253,7 +253,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
 function checkPath(pth, a) {
 var cpth = pth.split("/");
 if (cpth.length < 3) return false;
- if(!a) b = [];
+ if (!a) b = [];
 else var b = a.split("/");
 var isFile = false;
 try {
@@ -286,7 +286,6 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
 }
 }
 }
- }
 } catch (ex) {
 if (!callServerError) {
 res.writeHead(500, "Internal Server Error", abheaders);
@@ -296,6 +295,14 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
 callServerError(500, "RedBrick/" + version, ex);
 }
 }
+ } else if (href == "/redbrick-interpreters.json" && path.normalize(__dirname + "/../../..") == process.cwd()) {
+ if (!callServerError) {
+ res.writeHead(403, "Forbidden", abheaders);
+ res.write("403 Forbidden

403 Forbidden

You don't have access to specific page.

SVR.JS " + configJSON.version + " (" + os.platform()[0].toUpperCase() + os.platform().slice(1) + "; Node.JS/" + process.version + ") RedBrick/" + version + " " + (req.headers.host == undefined ? "" : " on " + req.headers.host) + "

");
+ res.end();
+ } else {
+ callServerError(403, "RedBrick/" + version);
+ }
 } else {
 elseCallback();
 }
diff --git a/mod.info b/mod.info
index 3f975f9..38a2bf6 100755
--- a/mod.info
+++ b/mod.info
@@ -1,4 +1,4 @@
 {
 "name": "DorianTech RedBrick CGI engine for SVR.JS",
- "version": "2.1.0"
+ "version": "2.1.1"
 }
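Review bot: The added 403 body concatenates `req.headers.host` into a response sent with the `abheaders` copy of headers whose `Content-Type` is `text/html` (set earlier in this callback, outside the hunk) without any escaping, so a crafted Host header is reflected as markup in the denial page; escape it before use, e.g. `var safeHost = String(req.headers.host).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");` and substitute `safeHost` for `req.headers.host` in the string. The deny check is an exact compare, `href == "/redbrick-interpreters.json"`, so whether requests differing in letter case, a trailing slash or dot, or percent-encoding still fall through to `elseCallback()` and reach the file depends on how `href` is normalized before this branch, which is not visible here; on Windows, which this file explicitly handles via `os.platform()`, a case-insensitive filesystem would make a differently-cased path a plausible bypass unless the comparison is made on the resolved path or a lower-cased `href`. The `path.normalize(__dirname + "/../../..") == process.cwd()` guard also means the file is only denied when the mod is installed exactly three levels below the working directory, which deserves a comment such as `// deny only when running from the server root, where redbrick-interpreters.json is expected to live`. The enclosing callback starts and ends outside the hunk.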