From d084f1eb1e4dd67730f832966c9ddc86c7d18167 Mon Sep 17 00:00:00 2001
From: kwaroran
Date: Mon, 29 May 2023 17:37:28 +0900
Subject: [PATCH] [fix] node server secutity

---
 server.bat | 6 +++---
 server/node/server.cjs | 34 +++++++++++++++++++++++++++++++++-
 src/ts/storage/nodeStorage.ts | 21 +++++++++++++++------
 3 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/server.bat b/server.bat
index 5041f2e7..8003d3b4 100644
--- a/server.bat
+++ b/server.bat
@@ -1,3 +1,3 @@
-npm install
-npm run build
-npm run runserver
\ No newline at end of file
+call npm install
+call npm run build
+call npm run runserver
\ No newline at end of file
diff --git a/server/node/server.cjs b/server/node/server.cjs
index 54807175..82e4fbe9 100644
--- a/server/node/server.cjs
+++ b/server/node/server.cjs
@@ -5,7 +5,7 @@ const htmlparser = require('node-html-parser');
 const { existsSync, mkdirSync, readFileSync, writeFileSync } = require('fs');
 const bodyParser = require('body-parser');
 const fs = require('fs/promises')
-
+const crypto = require('crypto')
 app.use(express.static(path.join(process.cwd(), 'dist'), {index: false}));
 app.use(bodyParser.json({ limit: 100000000 }));
@@ -21,6 +21,10 @@ const passwordPath = path.join(process.cwd(), 'save', '__password')
 if(existsSync(passwordPath)){
 password = readFileSync(passwordPath, 'utf-8')
 }
+const hexRegex = /^[0-9a-fA-F]+$/;
+function isHex(str) {
+ return hexRegex.test(str.toUpperCase().trim()) || str === '__password';
+}
 app.get('/', async (req, res, next) => {
 console.log("connected")
@@ -82,6 +86,16 @@ app.get('/api/password', async(req, res)=> {
 }
 })
+app.post('/api/crypto', async (req, res) => {
+ try {
+ const hash = crypto.createHash('sha256')
+ hash.update(Buffer.from(req.body.data, 'utf-8'))
+ res.send(hash.digest('hex'))
+ } catch (error) {
+ next(error)
+ }
+})
+
 app.post('/api/set_password', async (req, res) => {
 if(password === ''){
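Review bot: isHex tests a transformed copy of the name, `str.toUpperCase().trim()`, while the read/remove/write handlers pass the original `filePath` to `path.join`, so a name with leading or trailing whitespace is accepted here but used untrimmed there, and a non-string `str` (Express turns `?key[]=x` into an array, if filePath is taken from the query) makes `.toUpperCase()` throw outside the handlers' try blocks. The upper-casing is redundant because the class `[0-9a-fA-F]` already matches both cases. Check exactly the value the callers use and refuse non-strings: `function isHex(str) {` / `    return typeof str === 'string' && (hexRegex.test(str) || str === '__password');` / `}`.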
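Review bot: The catch block at the end of the new /api/crypto handler calls `next(error)`, but the handler is declared `async (req, res)`, so `next` is undefined and any failure in the try block (for instance a missing `req.body.data`, which makes `Buffer.from(undefined, 'utf-8')` throw) becomes a ReferenceError thrown from an async handler; on Express 4 that is an unhandled rejection and the request never receives a response. Add the parameter, `app.post('/api/crypto', async (req, res, next) => {`, and reject bad input before hashing: `if (typeof req.body.data !== 'string') { res.status(400).send({ error: 'Invalid data' }); return }`. This route necessarily runs before authentication (the client calls it to derive its credential) and therefore receives the plaintext password, so it should only be reachable over TLS or on localhost. The hunk ends inside the set_password handler that follows.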
@@ -108,6 +122,12 @@ app.get('/api/read', async (req, res, next) => {
 return;
 }
+ if(!isHex(filePath)){
+ res.status(400).send({
+ error:'Invaild Path'
+ });
+ return;
+ }
 try {
 if(!existsSync(path.join(savePath, filePath))){
 res.send({
@@ -142,6 +162,12 @@ app.get('/api/remove', async (req, res, next) => {
 });
 return;
 }
+ if(!isHex(filePath)){
+ res.status(400).send({
+ error:'Invaild Path'
+ });
+ return;
+ }
 try {
 await fs.rm(path.join(savePath, filePath));
@@ -190,6 +216,12 @@ app.post('/api/write', async (req, res, next) => {
 });
 return;
 }
+ if(!isHex(filePath)){
+ res.status(400).send({
+ error:'Invaild Path'
+ });
+ return;
+ }
 try {
 await fs.writeFile(path.join(savePath, filePath), fileContent);
diff --git a/src/ts/storage/nodeStorage.ts b/src/ts/storage/nodeStorage.ts
index 8f458006..22647642 100644
--- a/src/ts/storage/nodeStorage.ts
+++ b/src/ts/storage/nodeStorage.ts
@@ -25,7 +25,6 @@ export class NodeStorage{
 if(data.error){
 throw data.error
 }
-
 }
 async getItem(key:string):Promise {
 await this.checkAuth()
@@ -125,6 +124,9 @@ export class NodeStorage{
 }
 }
 }
+ else{
+ authChecked = true
+ }
 }
 }
@@ -133,8 +135,15 @@ export class NodeStorage{
 }
 async function digestPassword(message:string) {
- const encoder = new TextEncoder();
- const data = encoder.encode(message);
- const hash = Buffer.from(await crypto.subtle.digest("SHA-256", data)).toString('hex');
- return hash;
- }
\ No newline at end of file
+ const crypt = await (await fetch('/api/crypto', {
+ body: JSON.stringify({
+ data: message
+ }),
+ headers: {
+ 'content-type': 'application/json'
+ },
+ method: "POST"
+ })).text()
+
+ return crypt;
+}
\ No newline at end of file
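Review bot: The new guard in /api/read is the same six lines that the remove and write handlers also gain in this patch, and all three misspell the user-facing message as `'Invaild Path'`; a client that keys off that text will break when the spelling is corrected later. Fold the check into one helper, e.g. `function rejectNonHexPath(res, filePath) { if (isHex(filePath)) return false; res.status(400).send({ error: 'Invalid path' }); return true; }`, and call `if (rejectNonHexPath(res, filePath)) return;` in each route so the three copies cannot drift apart. The read handler starts before the hunk, so where filePath is taken from the request is not visible here.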
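Review bot: /api/remove now accepts `'__password'` as a name, because isHex special-cases it, so an authenticated caller can delete `save/__password`. The server reads that file into `password` only at startup and `/api/set_password` is gated solely on `password === ''` (both visible in the server.cjs hunks of this patch), so after the next restart the instance comes up with no password and whoever reaches it first can set one. Unless the client genuinely needs to delete the password file through this route, exclude it here: `if(!isHex(filePath) || filePath === '__password'){`. The remove handler begins and ends outside the hunk.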
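Review bot: /api/write accepts `'__password'` as a name (isHex special-cases it), so a caller can overwrite `save/__password` with arbitrary `fileContent`, replacing the stored credential without passing through `/api/set_password` and its `password === ''` guard; since `password` is only loaded from that file at startup, the written value becomes the effective password at the next restart. Reject the reserved name in this route, `if(!isHex(filePath) || filePath === '__password'){`, or keep the reserved file out of the generic storage routes altogether. Whether `fileContent` is validated as a string happens before the hunk and is not visible here.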
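Review bot: digestPassword now posts the plaintext password to `/api/crypto` and uses the raw response body as the digest without checking `res.ok`, so a 404 or 500 (for example an HTML error page if the route is missing or throws) is silently treated as the hash and the subsequent login fails with no indication why. Moving the hash off the page also means the password itself, not just its SHA-256, crosses the network; presumably this was done because `crypto.subtle` (only available on secure origins) or the `Buffer` polyfill was missing in some deployment. Keep local hashing when SubtleCrypto is present and fall back to the server only otherwise, checking the status in that path, and hex-encode with `Uint8Array` so no Buffer polyfill is needed.
```typescript
async function digestPassword(message:string) {
    // Hash locally when SubtleCrypto is available so the plaintext password never leaves the page;
    // the server round-trip is only a fallback (e.g. non-secure origins where crypto.subtle is absent).
    if (globalThis.crypto?.subtle) {
        const bytes = new TextEncoder().encode(message);
        const digest = await globalThis.crypto.subtle.digest("SHA-256", bytes);
        return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
    }
    const res = await fetch('/api/crypto', {
        body: JSON.stringify({ data: message }),
        headers: { 'content-type': 'application/json' },
        method: "POST"
    });
    if (!res.ok) {
        throw new Error(`/api/crypto failed with status ${res.status}`);
    }
    return await res.text();
}
```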