kenmirrors/MagicMirror
1
0
Fork 0
mirror of https://github.com/MichMich/MagicMirror.git synced 2025-12-05 04:21:40 +00:00
Code Issues Projects Releases Wiki Activity

refactor: replace express-ipfilter with lightweight custom middleware (#3917)

Browse Source 
This fixes security issue
[CVE-2023-42282](https://github.com/advisories/GHSA-78xj-cgh5-2h22),
which is not very likely to be exploitable in MagicMirror² setups, but
still should be fixed.

The [express-ipfilter](https://www.npmjs.com/package/express-ipfilter)
package depends on the obviously unmaintained
[ip](https://github.com/indutny/node-ip) package, which has known
security vulnerabilities. Since no fix is available, this commit
replaces both dependencies with a custom middleware using the better
maintained [ipaddr.js](https://www.npmjs.com/package/ipaddr.js) library.

Changes:
- Add new `js/ip_access_control.js` with lightweight middleware
- Remove `express-ipfilter` dependency, add `ipaddr.js`
- Update `js/server.js` to use new middleware
- In addition, I have formulated the descriptions of the corresponding
tests a little more clearly.
This commit is contained in:
Kristjan ESPERANTO
2025-10-18 19:56:55 +02:00
committed by GitHub
parent 9ff716f4ab
commit 37d1a3ae8f
6 changed files with 93 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
tests/e2e/ipWhitelist_spec.js
View File

@@ -1,7 +1,7 @@
const helpers = require("./helpers/global-setup");
describe("ipWhitelist directive configuration", () => {
describe("Set ipWhitelist without access", () => {
describe("When IP is not in whitelist", () => {
beforeAll(async () => {
await helpers.startApplication("tests/configs/noIpWhiteList.js");
});
@@ -9,13 +9,13 @@ describe("ipWhitelist directive configuration", () => {
await helpers.stopApplication();
});
it("should return 403", async () => {
it("should reject request with 403 (Forbidden)", async () => {
const res = await fetch("http://localhost:8181");
expect(res.status).toBe(403);
});
});
describe("Set ipWhitelist []", () => {
describe("When whitelist is empty (allow all IPs)", () => {
beforeAll(async () => {
await helpers.startApplication("tests/configs/empty_ipWhiteList.js");
});
@@ -23,7 +23,7 @@ describe("ipWhitelist directive configuration", () => {
await helpers.stopApplication();
});
it("should return 200", async () => {
it("should allow request with 200 (OK)", async () => {
const res = await fetch("http://localhost:8282");
expect(res.status).toBe(200);
});