Security updates

This commit is contained in:
svrjs 2023-07-30 02:24:20 +02:00
parent 7cebf8d001
commit 17c09db695
2 changed files with 35 additions and 28 deletions

View file

@ -4,13 +4,11 @@ var http = require("http");
var url = require("url"); var url = require("url");
var fs = require("fs"); var fs = require("fs");
var path = require("path"); var path = require("path");
var { var childProcess = require("child_process");
spawn
} = require("child_process");
var version = "UNKNOWN"; var version = "UNKNOWN";
try { try {
version = JSON.parse(fs.readFileSync(__dirname + "/mod.info")).version; version = JSON.parse(fs.readFileSync(__dirname + "/mod.info")).version;
} catch(ex) { } catch (ex) {
//Can"t determine version //Can"t determine version
} }
var configJSONS = JSON.parse(fs.readFileSync("config.json")); //Read configuration JSON var configJSONS = JSON.parse(fs.readFileSync("config.json")); //Read configuration JSON
@ -25,10 +23,12 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
} }
bheaders["Content-Type"] = "text/html" //HTML output bheaders["Content-Type"] = "text/html" //HTML output
if (!getCustomHeaders) bheaders["Server"] = "SVR.JS/" + configJSON.version + " (" + os.platform()[0].toUpperCase() + os.platform().slice(1) + ")"; //Add Server header if (!getCustomHeaders) bheaders["Server"] = "SVR.JS/" + configJSON.version + " (" + os.platform()[0].toUpperCase() + os.platform().slice(1) + ")"; //Add Server header
var abheaders = JSON.parse(JSON.stringify(bheaders));
function executeCGI(fname, req, res, dh, nEnv) { function executeCGI(fname, req, res, dh, nEnv) {
var env = JSON.parse(JSON.stringify(process.env)); var env = JSON.parse(JSON.stringify(process.env));
var nEnvKeys = Object.keys(nEnv); var nEnvKeys = Object.keys(nEnv);
for(var i=0;i<nEnvKeys.length;i++) { for (var i = 0; i < nEnvKeys.length; i++) {
env[nEnvKeys[i]] = nEnv[nEnvKeys[i]]; env[nEnvKeys[i]] = nEnv[nEnvKeys[i]];
} }
var exttointerpreter = { var exttointerpreter = {
@ -48,7 +48,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
var exttointerpreteruser = {}; var exttointerpreteruser = {};
try { try {
exttointerpreteruser = JSON.parse(fs.readFileSync(__dirname + "/redbrick-interpreters.json")); exttointerpreteruser = JSON.parse(fs.readFileSync(__dirname + "/redbrick-interpreters.json"));
} catch(ex) {} } catch (ex) {}
var script = fs.readFileSync(fname).toString(); var script = fs.readFileSync(fname).toString();
var fl = script.replace(/[\r\n]+/g, "\n").split("\n")[0]; var fl = script.replace(/[\r\n]+/g, "\n").split("\n")[0];
if (fl[0] == undefined) fl[0] = ""; if (fl[0] == undefined) fl[0] = "";
@ -73,7 +73,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
filename = (process.cwd() + (os.platform() == "win32" ? "\\" + fname.replace(/\//g, "\\") : "/" + fname)).replace(os.platform() == "win32" ? /\\+/ : /\/+/, os.platform() == "win32" ? "\\" : "/") filename = (process.cwd() + (os.platform() == "win32" ? "\\" + fname.replace(/\//g, "\\") : "/" + fname)).replace(os.platform() == "win32" ? /\\+/ : /\/+/, os.platform() == "win32" ? "\\" : "/")
args = []; args = [];
} }
} else if(fl.indexOf("\x7fELF") == 0 || fl.indexOf("MZ") == 0) { } else if (fl.indexOf("\x7fELF") == 0 || fl.indexOf("MZ") == 0) {
filename = (process.cwd() + (os.platform() == "win32" ? "\\" + fname.replace(/\//g, "\\") : "/" + fname)).replace(os.platform() == "win32" ? /\\+/ : /\/+/, os.platform() == "win32" ? "\\" : "/") filename = (process.cwd() + (os.platform() == "win32" ? "\\" + fname.replace(/\//g, "\\") : "/" + fname)).replace(os.platform() == "win32" ? /\\+/ : /\/+/, os.platform() == "win32" ? "\\" : "/")
args = []; args = [];
} else { } else {
@ -91,9 +91,9 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
var wd = fname.split("/"); var wd = fname.split("/");
wd[0] = ""; wd[0] = "";
wd[wd.length-1] = ""; wd[wd.length - 1] = "";
wd = wd.join(os.platform() == "win32" ? "\\" : "/"); wd = wd.join(os.platform() == "win32" ? "\\" : "/");
var interpreter = spawn(filename, args, { var interpreter = childProcess.spawn(filename, args, {
cwd: (process.cwd() + wd).replace(os.platform() == "win32" ? /\\+/ : /\/+/, os.platform() == "win32" ? "\\" : "/"), cwd: (process.cwd() + wd).replace(os.platform() == "win32" ? /\\+/ : /\/+/, os.platform() == "win32" ? "\\" : "/"),
env: env env: env
}); });
@ -145,7 +145,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
} }
} }
if(code == 200 && (bheaderso["Location"] || bheaderso["location"])) { if (code == 200 && (bheaderso["Location"] || bheaderso["location"])) {
code = 302; code = 302;
msg = "Found"; msg = "Found";
} }
@ -168,12 +168,12 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
} }
if (interpreter.stdout) { if (interpreter.stdout) {
interpreter.stdout.on("data", dataHandler); interpreter.stdout.on("data", dataHandler);
interpreter.stderr.on("data", function(data) { interpreter.stderr.on("data", function (data) {
stderr += data.toString() stderr += data.toString()
}); });
req.pipe(interpreter.stdin); req.pipe(interpreter.stdin);
interpreter.on("exit", (code, signal) => { interpreter.on("exit", (code, signal) => {
if(!cned && (signal || code !== 0)) { if (!cned && (signal || code !== 0)) {
var ex = new Error("Process execution failed!" + (stderr ? " Reason: " + stderr.trim() : "")); var ex = new Error("Process execution failed!" + (stderr ? " Reason: " + stderr.trim() : ""));
if (!callServerError) { if (!callServerError) {
res.writeHead(500); res.writeHead(500);
@ -203,7 +203,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
nEnv["REQUEST_METHOD"] = req.method; nEnv["REQUEST_METHOD"] = req.method;
nEnv["GATEWAY_INTERFACE"] = "CGI/1.1"; nEnv["GATEWAY_INTERFACE"] = "CGI/1.1";
nEnv["REQUEST_URI"] = req.url; nEnv["REQUEST_URI"] = req.url;
nEnv["REMOTE_ADDR"] = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : ((req.headers["x-forwarded-for"] && configJSON.enableIPSpoofing) ? req.headers["x-forwarded-for"].split(",")[0].replace(/ /g,"") : req.socket.remoteAddress)).replace(/^::ffff:/i, ""); nEnv["REMOTE_ADDR"] = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : ((req.headers["x-forwarded-for"] && configJSON.enableIPSpoofing) ? req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "") : req.socket.remoteAddress)).replace(/^::ffff:/i, "");
nEnv["REMOTE_PORT"] = (req.socket.realRemotePort ? req.socket.realRemotePort : req.socket.remoteAddress); nEnv["REMOTE_PORT"] = (req.socket.realRemotePort ? req.socket.realRemotePort : req.socket.remoteAddress);
nEnv["SCRIPT_NAME"] = a; nEnv["SCRIPT_NAME"] = a;
nEnv["SCRIPT_FILENAME"] = (process.cwd() + (require("os").platform == "win32" ? a.replace(/\//g, "\\") : a)).replace((require("os").platform == "win32" ? /\\\\/g : /\/\//g), (require("os").platform == "win32" ? "\\" : "/")); nEnv["SCRIPT_FILENAME"] = (process.cwd() + (require("os").platform == "win32" ? a.replace(/\//g, "\\") : a)).replace((require("os").platform == "win32" ? /\\\\/g : /\/\//g), (require("os").platform == "win32" ? "\\" : "/"));
@ -224,7 +224,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
var invokeElseCallback = false; var invokeElseCallback = false;
try { try {
invokeElseCallback = !fs.statSync("." + href).isFile(); invokeElseCallback = !fs.statSync("." + href).isFile();
} catch(ex) { } } catch (ex) {}
if (invokeElseCallback) { if (invokeElseCallback) {
elseCallback(); elseCallback();
} else { } else {
@ -253,7 +253,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
function checkPath(pth, a) { function checkPath(pth, a) {
var cpth = pth.split("/"); var cpth = pth.split("/");
if (cpth.length < 3) return false; if (cpth.length < 3) return false;
if(!a) b = []; if (!a) b = [];
else var b = a.split("/"); else var b = a.split("/");
var isFile = false; var isFile = false;
try { try {
@ -286,7 +286,6 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
} }
} }
} }
} catch (ex) { } catch (ex) {
if (!callServerError) { if (!callServerError) {
res.writeHead(500, "Internal Server Error", abheaders); res.writeHead(500, "Internal Server Error", abheaders);
@ -296,6 +295,14 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
callServerError(500, "RedBrick/" + version, ex); callServerError(500, "RedBrick/" + version, ex);
} }
} }
} else if (href == "/redbrick-interpreters.json" && path.normalize(__dirname + "/../../..") == process.cwd()) {
if (!callServerError) {
res.writeHead(403, "Forbidden", abheaders);
res.write("<html><head><title>403 Forbidden</title></head><body><h1>403 Forbidden</h1><p>You don't have access to specific page.</p><p style=\"font-style: italic; font-weight: normal;\">SVR.JS " + configJSON.version + " (" + os.platform()[0].toUpperCase() + os.platform().slice(1) + "; Node.JS/" + process.version + ") RedBrick/" + version + " " + (req.headers.host == undefined ? "" : " on " + req.headers.host) + "</p></body></html>");
res.end();
} else {
callServerError(403, "RedBrick/" + version);
}
} else { } else {
elseCallback(); elseCallback();
} }

View file

@ -1,4 +1,4 @@
{ {
"name": "DorianTech RedBrick CGI engine for SVR.JS", "name": "DorianTech RedBrick CGI engine for SVR.JS",
"version": "2.1.0" "version": "2.1.1"
} }