Security updates

This commit is contained in:
svrjs 2023-07-30 02:24:20 +02:00
parent 7cebf8d001
commit 17c09db695
2 changed files with 35 additions and 28 deletions

View file

@ -4,13 +4,11 @@ var http = require("http");
var url = require("url");
var fs = require("fs");
var path = require("path");
var {
spawn
} = require("child_process");
var childProcess = require("child_process");
var version = "UNKNOWN";
try {
version = JSON.parse(fs.readFileSync(__dirname + "/mod.info")).version;
} catch(ex) {
} catch (ex) {
//Can"t determine version
}
var configJSONS = JSON.parse(fs.readFileSync("config.json")); //Read configuration JSON
@ -25,10 +23,12 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
}
bheaders["Content-Type"] = "text/html" //HTML output
if (!getCustomHeaders) bheaders["Server"] = "SVR.JS/" + configJSON.version + " (" + os.platform()[0].toUpperCase() + os.platform().slice(1) + ")"; //Add Server header
var abheaders = JSON.parse(JSON.stringify(bheaders));
function executeCGI(fname, req, res, dh, nEnv) {
var env = JSON.parse(JSON.stringify(process.env));
var nEnvKeys = Object.keys(nEnv);
for(var i=0;i<nEnvKeys.length;i++) {
for (var i = 0; i < nEnvKeys.length; i++) {
env[nEnvKeys[i]] = nEnv[nEnvKeys[i]];
}
var exttointerpreter = {
@ -48,7 +48,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
var exttointerpreteruser = {};
try {
exttointerpreteruser = JSON.parse(fs.readFileSync(__dirname + "/redbrick-interpreters.json"));
} catch(ex) {}
} catch (ex) {}
var script = fs.readFileSync(fname).toString();
var fl = script.replace(/[\r\n]+/g, "\n").split("\n")[0];
if (fl[0] == undefined) fl[0] = "";
@ -73,7 +73,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
filename = (process.cwd() + (os.platform() == "win32" ? "\\" + fname.replace(/\//g, "\\") : "/" + fname)).replace(os.platform() == "win32" ? /\\+/ : /\/+/, os.platform() == "win32" ? "\\" : "/")
args = [];
}
} else if(fl.indexOf("\x7fELF") == 0 || fl.indexOf("MZ") == 0) {
} else if (fl.indexOf("\x7fELF") == 0 || fl.indexOf("MZ") == 0) {
filename = (process.cwd() + (os.platform() == "win32" ? "\\" + fname.replace(/\//g, "\\") : "/" + fname)).replace(os.platform() == "win32" ? /\\+/ : /\/+/, os.platform() == "win32" ? "\\" : "/")
args = [];
} else {
@ -91,9 +91,9 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
var wd = fname.split("/");
wd[0] = "";
wd[wd.length-1] = "";
wd[wd.length - 1] = "";
wd = wd.join(os.platform() == "win32" ? "\\" : "/");
var interpreter = spawn(filename, args, {
var interpreter = childProcess.spawn(filename, args, {
cwd: (process.cwd() + wd).replace(os.platform() == "win32" ? /\\+/ : /\/+/, os.platform() == "win32" ? "\\" : "/"),
env: env
});
@ -145,7 +145,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
}
}
if(code == 200 && (bheaderso["Location"] || bheaderso["location"])) {
if (code == 200 && (bheaderso["Location"] || bheaderso["location"])) {
code = 302;
msg = "Found";
}
@ -168,22 +168,22 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
}
if (interpreter.stdout) {
interpreter.stdout.on("data", dataHandler);
interpreter.stderr.on("data", function(data) {
interpreter.stderr.on("data", function (data) {
stderr += data.toString()
});
req.pipe(interpreter.stdin);
interpreter.on("exit", (code, signal) => {
if(!cned && (signal || code !== 0)) {
var ex = new Error("Process execution failed!" + (stderr ? " Reason: " + stderr.trim() : ""));
if (!callServerError) {
res.writeHead(500);
res.end(ex.stack);
} else {
callServerError(500, "RedBrick/" + version, ex);
}
if (!cned && (signal || code !== 0)) {
var ex = new Error("Process execution failed!" + (stderr ? " Reason: " + stderr.trim() : ""));
if (!callServerError) {
res.writeHead(500);
res.end(ex.stack);
} else {
res.end();
callServerError(500, "RedBrick/" + version, ex);
}
} else {
res.end();
}
});
}
}
@ -203,7 +203,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
nEnv["REQUEST_METHOD"] = req.method;
nEnv["GATEWAY_INTERFACE"] = "CGI/1.1";
nEnv["REQUEST_URI"] = req.url;
nEnv["REMOTE_ADDR"] = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : ((req.headers["x-forwarded-for"] && configJSON.enableIPSpoofing) ? req.headers["x-forwarded-for"].split(",")[0].replace(/ /g,"") : req.socket.remoteAddress)).replace(/^::ffff:/i, "");
nEnv["REMOTE_ADDR"] = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : ((req.headers["x-forwarded-for"] && configJSON.enableIPSpoofing) ? req.headers["x-forwarded-for"].split(",")[0].replace(/ /g, "") : req.socket.remoteAddress)).replace(/^::ffff:/i, "");
nEnv["REMOTE_PORT"] = (req.socket.realRemotePort ? req.socket.realRemotePort : req.socket.remoteAddress);
nEnv["SCRIPT_NAME"] = a;
nEnv["SCRIPT_FILENAME"] = (process.cwd() + (require("os").platform == "win32" ? a.replace(/\//g, "\\") : a)).replace((require("os").platform == "win32" ? /\\\\/g : /\/\//g), (require("os").platform == "win32" ? "\\" : "/"));
@ -224,7 +224,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
var invokeElseCallback = false;
try {
invokeElseCallback = !fs.statSync("." + href).isFile();
} catch(ex) { }
} catch (ex) {}
if (invokeElseCallback) {
elseCallback();
} else {
@ -253,7 +253,7 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
function checkPath(pth, a) {
var cpth = pth.split("/");
if (cpth.length < 3) return false;
if(!a) b = [];
if (!a) b = [];
else var b = a.split("/");
var isFile = false;
try {
@ -286,7 +286,6 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
}
}
}
} catch (ex) {
if (!callServerError) {
res.writeHead(500, "Internal Server Error", abheaders);
@ -296,6 +295,14 @@ Mod.prototype.callback = function callback(req, res, serverconsole, responseEnd,
callServerError(500, "RedBrick/" + version, ex);
}
}
} else if (href == "/redbrick-interpreters.json" && path.normalize(__dirname + "/../../..") == process.cwd()) {
if (!callServerError) {
res.writeHead(403, "Forbidden", abheaders);
res.write("<html><head><title>403 Forbidden</title></head><body><h1>403 Forbidden</h1><p>You don't have access to specific page.</p><p style=\"font-style: italic; font-weight: normal;\">SVR.JS " + configJSON.version + " (" + os.platform()[0].toUpperCase() + os.platform().slice(1) + "; Node.JS/" + process.version + ") RedBrick/" + version + " " + (req.headers.host == undefined ? "" : " on " + req.headers.host) + "</p></body></html>");
res.end();
} else {
callServerError(403, "RedBrick/" + version);
}
} else {
elseCallback();
}

View file

@ -1,4 +1,4 @@
{
"name": "DorianTech RedBrick CGI engine for SVR.JS",
"version": "2.1.0"
"version": "2.1.1"
}