Improve referrer security and make it configurable

This commit is contained in:
Dorian Niemiec 2024-05-12 18:49:38 +02:00
parent 5da867a2fb
commit acb3aaffa0
2 changed files with 5 additions and 3 deletions


@ -23,6 +23,7 @@ if(customvar2) {
var mongoURL = customvar1.mongoURL; var mongoURL = customvar1.mongoURL;
var dbname = customvar1.dbname; var dbname = customvar1.dbname;
var defaultURL = customvar1.defaultURL; var defaultURL = customvar1.defaultURL;
var hasRefererSecurity = (customvar1.enableRefererSecurity === undefined) ? true : customvar1.enableRefererSecurity;
function antiXSS(string) { function antiXSS(string) {
return string.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;").replace(/'/g,"&apos;"); return string.replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;").replace(/'/g,"&apos;");
@ -100,10 +101,10 @@ if (href.match(/^\/admin\/?$/)) {
return; return;
} }
var baseURL = (req.socket.encrypted ? "https" : "http") + "://" + (req.headers.host ? req.headers.host : req.socket.localAddress); var baseURL = (req.socket.encrypted ? "https" : "http") + "://" + (req.headers.host ? req.headers.host : req.socket.localAddress);
if(req.headers.referer && (req.headers.referer + "/").substring(0,baseURL.length + 1) != (baseURL + "/")) { if(hasRefererSecurity && (req.headers.referer + "/").substring(0,baseURL.length + 1) != (baseURL + "/")) {
formatTemplate("index.html", { formatTemplate("index.html", {
"url": "", "url": "",
"shorturl": "<b>CSRF detected</b>" "shorturl": "<b>Invalid referrer (CSRF?)</b>"
}, function(data) { }, function(data) {
res.writeHead(400, {"Content-Type": "text/html; charset=utf-8"}); res.writeHead(400, {"Content-Type": "text/html; charset=utf-8"});
res.end(data); res.end(data);
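Review bot: Dropping the `req.headers.referer &&` guard on the `if` line means a request with no Referer at all now compares `"undefined/"` against the base URL and gets the 400, which is the safer fail-closed choice but will also reject legitimate users behind `Referrer-Policy: no-referrer` or privacy extensions, so it deserves a comment such as `// a missing Referer is treated as cross-site (fail closed); set enableRefererSecurity to false if that breaks a deployment`. Browsers always send Origin on cross-origin POSTs and it is not subject to referrer policies, so checking it first and falling back to Referer is more reliable: `var srcOrigin = req.headers.origin || req.headers.referer;` followed by `if(hasRefererSecurity && (srcOrigin + "/").substring(0,baseURL.length + 1) != (baseURL + "/")) {`. Note also that `baseURL` takes its scheme from `req.socket.encrypted`, so behind a TLS-terminating proxy every `https://` Referer would mismatch — presumably not the deployment here, but worth confirming before shipping with the check on by default. A Referer/Origin prefix match is still a weaker control than a per-session CSRF token, so the "(CSRF?)" wording is appropriately hedged. The request handler enclosing this hunk starts outside it.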


@ -1,5 +1,6 @@
{ {
"mongoURL": "mongodb://localhost/shortenerdb", "mongoURL": "mongodb://localhost/shortenerdb",
"database": "shortenerdb", "database": "shortenerdb",
"defaultURL": "https://svrjs.org" "defaultURL": "https://svrjs.org",
"enableRefererSecurity": true
} }
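Review bot: `enableRefererSecurity: true` matches the code's default when the key is absent, but the code treats the key as a plain truthy/falsy flag rather than a strict boolean: the string `"false"` keeps the check on, while `null` or `0` turn it off, and turning it off removes the only CSRF check visible in this commit. Since JSON cannot carry a comment, the README or config documentation should state that the value must be boolean `false` to disable the check and that disabling it leaves the shortener open to cross-site form submission.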