Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-09-22 01:50:48 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Try to fix some security issues. Part 2.

Browse source 
Thanks to responsible security disclosure contributors and xet7 !
This commit is contained in:
Lauri Ojansivu 2023-02-20 16:48:02 -05:00
parent e34cfad06b
commit 382168a5b4
9 changed files with 2198 additions and 3712 deletions
Download patch file Download diff file Expand all files Collapse all files

2
client/components/activities/activities.js
View file

@ -1,4 +1,4 @@
import DOMPurify from 'isomorphic-dompurify'; import DOMPurify from 'dompurify';
import { TAPi18n } from '/imports/i18n'; import { TAPi18n } from '/imports/i18n';
const activitiesPerPage = 500; const activitiesPerPage = 500;

2
client/components/cards/attachments.js
View file

@ -1,5 +1,5 @@
import { ObjectID } from 'bson'; import { ObjectID } from 'bson';
import DOMPurify from 'isomorphic-dompurify'; import DOMPurify from 'dompurify';
const filesize = require('filesize'); const filesize = require('filesize');
const prettyMilliseconds = require('pretty-ms'); const prettyMilliseconds = require('pretty-ms');

2
client/components/main/editor.js
View file

@ -283,7 +283,7 @@ BlazeComponent.extendComponent({
} }
}).register('editor'); }).register('editor');
import DOMPurify from 'isomorphic-dompurify'; import DOMPurify from 'dompurify';
// Additional safeAttrValue function to allow for other specific protocols // Additional safeAttrValue function to allow for other specific protocols
// See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114 // See https://github.com/leizongmin/js-xss/issues/52#issuecomment-241354114

1
models/attachments.js
View file

@ -151,6 +151,7 @@ if (Meteor.isServer) {
check(fileObjId, String); check(fileObjId, String);
check(newName, String); check(newName, String);
// If new name is same as sanitized name, does not have XSS, allow rename file // If new name is same as sanitized name, does not have XSS, allow rename file
// Using isomorphic-dompurify that is isometric so it works also serverside.
if (newName === DOMPurify.sanitize(newName)) { if (newName === DOMPurify.sanitize(newName)) {
const fileObj = Attachments.findOne({_id: fileObjId}); const fileObj = Attachments.findOne({_id: fileObjId});
rename(fileObj, newName, fileStoreStrategyFactory); rename(fileObj, newName, fileStoreStrategyFactory);

5895
package-lock.json generated
View file

File diff suppressed because it is too large Load diff

3
package.json
View file

@ -31,6 +31,7 @@
"bcryptjs": "^2.4.3", "bcryptjs": "^2.4.3",
"bson": "^4.5.2", "bson": "^4.5.2",
"bunyan": "^1.8.15", "bunyan": "^1.8.15",
"canvas": "^2.11.0",
"core-js": "^3.18.2", "core-js": "^3.18.2",
"dompurify": "^2.4.1", "dompurify": "^2.4.1",
"es6-promise": "^4.2.4", "es6-promise": "^4.2.4",
@ -51,7 +52,7 @@
"markdown-it-emoji": "^2.0.0", "markdown-it-emoji": "^2.0.0",
"markdown-it-mathjax3": "^4.3.1", "markdown-it-mathjax3": "^4.3.1",
"meteor-accounts-t9n": "^2.6.0", "meteor-accounts-t9n": "^2.6.0",
"meteor-node-stubs": "^1.1.0", "meteor-node-stubs": "^1.2.5",
"moment": "^2.29.4", "moment": "^2.29.4",
"nodemailer": "^6.6.3", "nodemailer": "^6.6.3",
"os": "^0.1.2", "os": "^0.1.2",

1
packages/markdown/src/template-integration.js
View file

@ -65,6 +65,7 @@ if (Package.ui) {
text = Blaze._toText(self.templateContentBlock, HTML.TEXTMODE.STRING); text = Blaze._toText(self.templateContentBlock, HTML.TEXTMODE.STRING);
} }
// Using isomorphic-dompurify that is isometric so it works also serverside
return HTML.Raw(DOMPurify.sanitize(Markdown.render(text), {ALLOW_UNKNOWN_PROTOCOLS: true})); return HTML.Raw(DOMPurify.sanitize(Markdown.render(text), {ALLOW_UNKNOWN_PROTOCOLS: true}));
})); }));
} }

2
rebuild-wekan.sh
View file

@ -91,7 +91,7 @@ do
#sudo chown -R $(id -u):$(id -g) $HOME/.npm $HOME/.meteor #sudo chown -R $(id -u):$(id -g) $HOME/.npm $HOME/.meteor
rm -rf .build/bundle node_modules .meteor/local .build rm -rf .build/bundle node_modules .meteor/local .build
meteor npm install meteor npm install
meteor build .build --directory meteor build .build --directory --platforms=web.browser
rm -rf .build/bundle/programs/web.browser.legacy rm -rf .build/bundle/programs/web.browser.legacy
(cd .build/bundle/programs/server && rm -rf node_modules && chmod u+w *.json && meteor npm install) (cd .build/bundle/programs/server && rm -rf node_modules && chmod u+w *.json && meteor npm install)
(cd .build/bundle/programs/server/node_modules/fibers && node build.js) (cd .build/bundle/programs/server/node_modules/fibers && node build.js)

2
releases/rebuild-release.sh
View file

@ -9,7 +9,7 @@ sudo chown -R $(id -u):$(id -g) $HOME/.npm $HOME/.meteor
rm -rf node_modules rm -rf node_modules
meteor npm install meteor npm install
rm -rf .build rm -rf .build
METEOR_PROFILE=100 meteor build .build --directory METEOR_PROFILE=100 meteor build .build --directory --platforms=web.browser
# Remove legacy webbroser bundle, so that Wekan works also at Android Firefox, iOS Safari, etc. # Remove legacy webbroser bundle, so that Wekan works also at Android Firefox, iOS Safari, etc.
rm -rf .build/bundle/programs/web.browser.legacy rm -rf .build/bundle/programs/web.browser.legacy
cd .build/bundle/programs/server cd .build/bundle/programs/server