svrjs/svrjs-statistics-server
Archived
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: discard the IP address that resolves from the SVR.JS domain configuration property

Browse source
This commit is contained in:
Dorian Niemiec 2024-12-17 19:54:22 +01:00
parent da7beddc61
commit 5e9d175c40
1 changed files with 82 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

111
backend/serverSideScript.js
View file

@ -2,6 +2,7 @@ disableEndElseCallbackExecute = true; //Without "var", else it will not work!!!
var mysql = require("mysql");
var gnuplot = require("gnuplot"); //There is an OS command injection vulnerability in the "gnuplot" npm package, but since the statistics display part of the application doesn't involve user input, the application isn't affected by it.
var dns = require("dns");
if (!customvar1 && !customvar2) {
try {
@ -296,25 +297,14 @@ if (href == "/") {
}));
return;
}
connection.connect(function (err) {
if (err) {
serverconsole.errmessage("There was an error while processing the request!");
serverconsole.errmessage("Stack:");
serverconsole.errmessage(err.stack);
res.writeHead(500, headers);
res.end(JSON.stringify({
"status": 500,
"message": "An unexpected error occurred."
}));
if (connection.end) connection.end();
return;
}
var requestIP = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : req.socket.remoteAddress).replace(/^::ffff:/i, "");
connection.query("INSERT INTO entries (ip, time, version, runtime, runtime_version) VALUES (" + mysql.escape(requestIP) + ", NOW(), " + mysql.escape(parsedJsonData.version) + ", " + mysql.escape(parsedJsonData.runtime) + ", " + mysql.escape(parsedJsonData.runtimeVersion) + ");", function (error, results, fields) {
if (error) {
var requestIP = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : req.socket.remoteAddress).replace(/^::ffff:/i, "");
function finalCallback() {
connection.connect(function (err) {
if (err) {
serverconsole.errmessage("There was an error while processing the request!");
serverconsole.errmessage("Stack:");
serverconsole.errmessage(error.stack);
serverconsole.errmessage(err.stack);
res.writeHead(500, headers);
res.end(JSON.stringify({
"status": 500,
@ -323,11 +313,7 @@ if (href == "/") {
if (connection.end) connection.end();
return;
}
var entriesToInsert = [];
parsedJsonData.mods.forEach(function (mod) {
entriesToInsert.push("(" + mysql.escape(results.insertId) + ", " + mysql.escape(mod.name) + ", " + mysql.escape(mod.version) + ")");
});
connection.query(entriesToInsert.length > 0 ? ("INSERT INTO entries_mods (entry_id, name, version) VALUES " + entriesToInsert.join(", ") + ";") : "SELECT 1;", function (error, results, fields) {
connection.query("INSERT INTO entries (ip, time, version, runtime, runtime_version) VALUES (" + mysql.escape(requestIP) + ", NOW(), " + mysql.escape(parsedJsonData.version) + ", " + mysql.escape(parsedJsonData.runtime) + ", " + mysql.escape(parsedJsonData.runtimeVersion) + ");", function (error, results, fields) {
if (error) {
serverconsole.errmessage("There was an error while processing the request!");
serverconsole.errmessage("Stack:");
@ -340,15 +326,82 @@ if (href == "/") {
if (connection.end) connection.end();
return;
}
res.writeHead(200, headers);
res.end(JSON.stringify({
"status": 200,
"message": "The statistics are added successfully."
}));
if (connection.end) connection.end();
var entriesToInsert = [];
parsedJsonData.mods.forEach(function (mod) {
entriesToInsert.push("(" + mysql.escape(results.insertId) + ", " + mysql.escape(mod.name) + ", " + mysql.escape(mod.version) + ")");
});
connection.query(entriesToInsert.length > 0 ? ("INSERT INTO entries_mods (entry_id, name, version) VALUES " + entriesToInsert.join(", ") + ";") : "SELECT 1;", function (error, results, fields) {
if (error) {
serverconsole.errmessage("There was an error while processing the request!");
serverconsole.errmessage("Stack:");
serverconsole.errmessage(error.stack);
res.writeHead(500, headers);
res.end(JSON.stringify({
"status": 500,
"message": "An unexpected error occurred."
}));
if (connection.end) connection.end();
return;
}
res.writeHead(200, headers);
res.end(JSON.stringify({
"status": 200,
"message": "The statistics are added successfully."
}));
if (connection.end) connection.end();
});
});
});
});
}
if (typeof configJSON == "undefined" || !configJSON.domain) {
finalCallback();
} else {
try {
dns.resolve4(configJSON.domain, function (err, addresses) {
if (err || !addresses || addresses.length == 0 || !addresses.find(function (address) {
return requestIP == address;
})) {
dns.resolve6(configJSON.domain, function (err, addresses) {
if (err || !addresses || addresses.length == 0 || !addresses.find(function (address) {
return requestIP == address;
})) {
finalCallback();
} else {
res.writeHead(200, headers);
res.end(JSON.stringify({
"status": 200,
"message": "The statistics are added successfully."
}));
}
});
} else {
res.writeHead(200, headers);
res.end(JSON.stringify({
"status": 200,
"message": "The statistics are added successfully."
}));
}
});
} catch (err) {
try {
dns.resolve6(configJSON.domain, function (err, addresses) {
if (err || !addresses || addresses.length == 0 || !addresses.find(function (address) {
return requestIP == address;
})) {
finalCallback();
} else {
res.writeHead(200, headers);
res.end(JSON.stringify({
"status": 200,
"message": "The statistics are added successfully."
}));
}
});
} catch (err) {
finalCallback();
}
}
}
} catch (err) {
serverconsole.errmessage("There was an error while processing the request!");
serverconsole.errmessage("Stack:");