feat: discard the IP address that resolves from the SVR.JS domain configuration property

This commit is contained in:
Dorian Niemiec 2024-12-17 19:54:22 +01:00
parent da7beddc61
commit 5e9d175c40


@ -2,6 +2,7 @@ disableEndElseCallbackExecute = true; //Without "var", else it will not work!!!
var mysql = require("mysql");
var gnuplot = require("gnuplot"); //There is an OS command injection vulnerability in the "gnuplot" npm package, but since the statistics display part of the application doesn't involve user input, the application isn't affected by it.
var dns = require("dns");
if (!customvar1 && !customvar2) {
try {
@ -296,6 +297,9 @@ if (href == "/") {
}));
return;
}
var requestIP = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : req.socket.remoteAddress).replace(/^::ffff:/i, "");
function finalCallback() {
connection.connect(function (err) {
if (err) {
serverconsole.errmessage("There was an error while processing the request!");
@ -309,7 +313,6 @@ if (href == "/") {
if (connection.end) connection.end();
return;
}
var requestIP = (req.socket.realRemoteAddress ? req.socket.realRemoteAddress : req.socket.remoteAddress).replace(/^::ffff:/i, "");
connection.query("INSERT INTO entries (ip, time, version, runtime, runtime_version) VALUES (" + mysql.escape(requestIP) + ", NOW(), " + mysql.escape(parsedJsonData.version) + ", " + mysql.escape(parsedJsonData.runtime) + ", " + mysql.escape(parsedJsonData.runtimeVersion) + ");", function (error, results, fields) {
if (error) {
serverconsole.errmessage("There was an error while processing the request!");
@ -349,6 +352,56 @@ if (href == "/") {
});
});
});
}
if (typeof configJSON == "undefined" || !configJSON.domain) {
finalCallback();
} else {
try {
dns.resolve4(configJSON.domain, function (err, addresses) {
if (err || !addresses || addresses.length == 0 || !addresses.find(function (address) {
return requestIP == address;
})) {
dns.resolve6(configJSON.domain, function (err, addresses) {
if (err || !addresses || addresses.length == 0 || !addresses.find(function (address) {
return requestIP == address;
})) {
finalCallback();
} else {
res.writeHead(200, headers);
res.end(JSON.stringify({
"status": 200,
"message": "The statistics are added successfully."
}));
}
});
} else {
res.writeHead(200, headers);
res.end(JSON.stringify({
"status": 200,
"message": "The statistics are added successfully."
}));
}
});
} catch (err) {
try {
dns.resolve6(configJSON.domain, function (err, addresses) {
if (err || !addresses || addresses.length == 0 || !addresses.find(function (address) {
return requestIP == address;
})) {
finalCallback();
} else {
res.writeHead(200, headers);
res.end(JSON.stringify({
"status": 200,
"message": "The statistics are added successfully."
}));
}
});
} catch (err) {
finalCallback();
}
}
}
} catch (err) {
serverconsole.errmessage("There was an error while processing the request!");
serverconsole.errmessage("Stack:");
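Review bot: The IPv6 fallback (`dns.resolve6` plus the address-match test) and the "discarded" 200 response are written out three times in the last hunk — once in the `resolve4` non-match branch, once in the outer `catch`, and the success response a third time in the `resolve4` match branch — so any later change to the match rule or the response has to be made in three places, and the shadowed `err`/`addresses` names in the nested callbacks make the control flow hard to follow. Extracting a `matchesRequestIP(addresses)` helper, a `sendDiscardedResponse()` helper and a `checkIPv6Then(fallback)` helper keeps the behaviour (including the fail-open `finalCallback()` on DNS errors) while removing the duplication. Note also that the match is plain string equality (`requestIP == address`), so if the resolved IPv6 text form and `req.socket.remoteAddress` ever differ in formatting the server's own address would not be discarded — worth a comment such as `// NOTE: string compare; assumes dns.resolve6 and the socket report IPv6 in the same canonical form`. The lookup also runs on every request; caching the resolved addresses for a short TTL would avoid a DNS round trip per submission, but that is optional. The enclosing handler and the `try` closed at the end of the hunk both begin outside it.
```javascript
function sendDiscardedResponse() {
  res.writeHead(200, headers);
  res.end(JSON.stringify({
    "status": 200,
    "message": "The statistics are added successfully."
  }));
}

function matchesRequestIP(addresses) {
  return Boolean(addresses && addresses.find(function (address) {
    return requestIP == address;
  }));
}

function checkIPv6Then(fallback) {
  dns.resolve6(configJSON.domain, function (err, addresses) {
    if (err || !matchesRequestIP(addresses)) fallback();
    else sendDiscardedResponse();
  });
}
// … unchanged: finalCallback and the configJSON.domain guard …
try {
  dns.resolve4(configJSON.domain, function (err, addresses) {
    if (err || !matchesRequestIP(addresses)) checkIPv6Then(finalCallback);
    else sendDiscardedResponse();
  });
} catch (err) {
  try {
    checkIPv6Then(finalCallback);
  } catch (err2) {
    finalCallback();
  }
}
```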