
SECURITY: Stop leaking code information when not in DANGER_ADMIN.

Zed A. Shaw 2 weeks ago
parent
commit
a3947ee367
  1. 16
      api/devtools/djenterator.js
  2. 30
      api/devtools/info.js
  3. 20
      services/api.js

16
api/devtools/djenterator.js

@ -1,6 +1,6 @@
import logging from '../../lib/logging.js';
import { API } from '../../lib/api.js';
import glob from "glob";
import glob from "fast-glob";
import path from "path";
const log = logging.create("/api/devtools/djenterator.js");
@ -9,12 +9,10 @@ const log = logging.create("/api/devtools/djenterator.js");
export const get = async (req, res) => {
const api = new API(req, res);
glob.glob("./static/djenterator/**/!(*.vars)", (error, files) => {
if(error) {
log.error(error);
return api.error(500, error.message || "Internal Server Error");
} else {
return api.reply(200, files.map(f => path.basename(f)));
}
});
if(process.env.DANGER_ADMIN) {
const files = glob.sync("./static/djenterator/**/!(*.vars)");
return api.reply(200, files.map(f => path.basename(f)));
} else {
return api.error(404, {message: "Not Found"});
}
}
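Review bot: The switch to `glob.sync` in the DANGER_ADMIN branch drops the error path the old callback version had: a throw from `glob.sync` (an unreadable directory, a bad pattern) now escapes the async handler as a rejected promise instead of becoming `api.error(500, …)`, so the client response depends on whatever the framework does with an unhandled route rejection, and `log` is no longer used. Wrapping the sync call in try/catch restores the previous 500 behaviour. The gate itself is a bare truthiness test on an environment string, so `DANGER_ADMIN=0` or `DANGER_ADMIN=false` still exposes the listing; comparing against the explicit value the deployment sets is safer. Note also that `api.error` is called with a string in the old 500 path and with an object in the new 404 path; whichever form `api.error` expects (not visible here), the two should agree.
```javascript
  if(process.env.DANGER_ADMIN) {
    try {
      const files = glob.sync("./static/djenterator/**/!(*.vars)");
      return api.reply(200, files.map(f => path.basename(f)));
    } catch(error) {
      log.error(error);
      return api.error(500, error.message || "Internal Server Error");
    }
  } else {
    // … unchanged: 404 reply …
  }
```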

30
api/devtools/info.js

@ -3,20 +3,24 @@ import fs from 'fs';
export const get = async (req, res) => {
// the devtools module contains all of the errors from the service/api.js for api and sockets
// but to get at the svelte errors we have to read debug/errors/svelte.json
if(process.env.DANGER_ADMIN) {
// the devtools module contains all of the errors from the service/api.js for api and sockets
// but to get at the svelte errors we have to read debug/errors/svelte.json
let svelte_errors = [];
let svelte_errors = [];
try {
svelte_errors = JSON.parse(fs.readFileSync("debug/errors/svelte.json"));
} catch(error) {
// probably no errors written yet
console.error(error);
}
try {
svelte_errors = JSON.parse(fs.readFileSync("debug/errors/svelte.json"));
} catch(error) {
// probably no errors written yet
console.error(error);
}
return res.status(200).json({
api: devtools.api,
sockets: devtools.sockets,
errors: devtools.errors.concat(svelte_errors)});
return res.status(200).json({
api: devtools.api,
sockets: devtools.sockets,
errors: devtools.errors.concat(svelte_errors)});
} else {
return res.status(404).json({ message: "Not Found."});
}
}
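Review bot: The gate at the top of `get` is a bare truthiness check on an environment string, so `DANGER_ADMIN=0` or `DANGER_ADMIN=false` still exposes the route table, socket handlers and error dump; compare against the explicit value the deployment uses, e.g. `if(process.env.DANGER_ADMIN === "1") {` (the expected value is not visible here, so match it to however the variable is set). The catch logs every miss of `debug/errors/svelte.json` at error level on each request even though the comment says a missing file is the expected case; `if(error.code !== "ENOENT") console.error(error);` keeps the log for real failures only. The 404 body here is `"Not Found."` while djenterator.js in this same commit sends `"Not Found"`; using one message (ideally the same one the framework emits for an unknown route) avoids a small tell that distinguishes gated dev routes from genuinely missing ones.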

20
services/api.js

@ -127,12 +127,14 @@ await dynamic_load("./api/**/[A-Za-z]*.js", (file_name, route, func_name) => {
login: func.login === true
};
if(devtools.api[route_path] == undefined) {
// new thing so set up its data initially
devtools.api[route_path] = { name: route_path, functions: [func_info] };
} else {
// seen this so just add to the functions list
devtools.api[route_path].functions.push(func_info);
if(process.env.DANGER_ADMIN) {
if(devtools.api[route_path] == undefined) {
// new thing so set up its data initially
devtools.api[route_path] = { name: route_path, functions: [func_info] };
} else {
// seen this so just add to the functions list
devtools.api[route_path].functions.push(func_info);
}
}
if(func.authenticated) {
@ -163,8 +165,10 @@ await dynamic_load("./socket/**/[A-Za-z]*.js", (file_name, route, func_name) =>
socket_routes[target_name] = func
devtools.sockets[target_name] = {
route_path, target_name, file_name, code: func.toString()
if(process.env.DANGER_ADMIN) {
devtools.sockets[target_name] = {
route_path, target_name, file_name, code: func.toString()
}
}
});
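Review bot: The two new `process.env.DANGER_ADMIN` checks sit inside the `dynamic_load` callbacks, so the environment is re-read once per discovered route and per socket target, and, like the checks in the two devtools routes, any non-empty string (including `"0"` or `"false"`) counts as enabled. Hoisting the decision into one module-level constant such as `const DANGER_ADMIN = process.env.DANGER_ADMIN === "1";` (or whatever value the deployment sets) and using it in both hunks makes the policy a single place to audit and avoids the repeated env reads. Gating here at load time while info.js gates at request time is reasonable defence in depth, but the constant deserves a comment saying that with the flag off the `devtools.api` and `devtools.sockets` tables, including `func.toString()` source, are never populated at all. Both enclosing `dynamic_load` callbacks start outside the hunks.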
