mirror of
https://github.com/MichMich/MagicMirror.git
synced 2026-06-13 19:25:43 +00:00
ca7b752025
This PR attempts to fix the unauthorized secret expansion vulnerability reported in [GHSA-q4gh-4ffp-5cg8](https://github.com/MagicMirrorOrg/MagicMirror/security/advisories/GHSA-q4gh-4ffp-5cg8). Previously, if a module sent a payload through the socket containing any `**SECRET_FOO**` placeholder, the server would unconditionally expand it with the real environment variable. This meant a manipulated module could theoretically extract secrets that belonged to other modules. To prevent this, the expansion logic is now much stricter and scoped to the individual module: * In `app.js`, we now store a copy of the redacted config (`global.configRedacted`) to keep track of which module uses which secrets. * In `node_helper.js`, before handling a socket notification, we build a specific "allow-list" (`Set`) of secrets that are actually present in the calling module's config. * `replaceSecretPlaceholder` in `server_functions.js` was updated to accept this `Set` and will now only expand placeholders that the module is explicitly authorized to know. Unlisted placeholders are safely ignored. I also updated the unit tests to cover the new allow-list behavior. Since this security stuff is tricky and gives me headaches all the time, I've added more comments than usual. I've tried several ways to make it a little simpler, but unfortunately, I couldn't come up with anything easier than that. I'd appreciate it if someone could take a critical look at the logic to make sure I didn't miss anything!
273 lines
9.3 KiB
JavaScript
273 lines
9.3 KiB
JavaScript
const dns = require("node:dns");
|
|
const fs = require("node:fs");
|
|
const path = require("node:path");
|
|
const ipaddr = require("ipaddr.js");
|
|
const undici = require("undici");
|
|
const Log = require("logger");
|
|
|
|
const startUp = new Date();
|
|
|
|
/**
|
|
* Gets the startup time.
|
|
* @param {Request} req - the request
|
|
* @param {Response} res - the result
|
|
*/
|
|
function getStartup (req, res) {
|
|
res.send(startUp);
|
|
}
|
|
|
|
/**
|
|
* Replace `**SECRET_ABC**` placeholders with the value of `process.env.SECRET_ABC`.
|
|
*
|
|
* If `allowedSecrets` is given, only those secret names are restored and every
|
|
* other placeholder is left untouched. Without it, all secrets are restored
|
|
* (used by the CORS proxy, which only runs on the trusted server side).
|
|
* @param {string} input - String that may contain `**SECRET_***` placeholders.
|
|
* @param {Set<string>} [allowedSecrets] - Secret names that may be restored.
|
|
* @returns {string} The input with the allowed placeholders replaced.
|
|
*/
|
|
function replaceSecretPlaceholder (input, allowedSecrets) {
|
|
if (global.config.cors === "allowAll") {
|
|
if (input.includes("**SECRET_")) {
|
|
Log.error("Replacing secrets doesn't work with CORS `allowAll`, you need to set `cors` to `disabled` or `allowWhitelist` in `config.js`");
|
|
}
|
|
return input;
|
|
}
|
|
return input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g, (placeholder, secretName) => {
|
|
// Block replacing secrets that are not explicitly allowed.
|
|
if (allowedSecrets && !allowedSecrets.has(secretName)) {
|
|
return placeholder;
|
|
}
|
|
|
|
// Load the real value from the environment. Fallback to placeholder if missing.
|
|
return process.env[secretName] || placeholder;
|
|
});
|
|
}
|
|
|
|
/**
|
|
* A method that forwards HTTP Get-methods to the internet to avoid CORS-errors.
|
|
*
|
|
* Example input request url: /cors?sendheaders=header1:value1,header2:value2&expectedheaders=header1,header2&url=http://www.test.com/path?param1=value1
|
|
*
|
|
* Only the url-param of the input request url is required. It must be the last parameter.
|
|
* @param {Request} req - the request
|
|
* @param {Response} res - the result
|
|
* @returns {Promise<void>} A promise that resolves when the response is sent
|
|
*/
|
|
async function cors (req, res) {
|
|
if (global.config.cors === "disabled") {
|
|
Log.error("CORS is disabled, you need to enable it in `config.js` by setting `cors` to `allowAll` or `allowWhitelist`");
|
|
return res.status(403).json({ error: "CORS proxy is disabled" });
|
|
}
|
|
let url;
|
|
try {
|
|
const urlRegEx = "url=(.+?)$";
|
|
|
|
const match = new RegExp(urlRegEx, "g").exec(req.url);
|
|
if (!match) {
|
|
url = `invalid url: ${req.url}`;
|
|
Log.error(url);
|
|
return res.status(400).send(url);
|
|
} else {
|
|
url = match[1];
|
|
if (typeof global.config !== "undefined") {
|
|
if (config.hideConfigSecrets) {
|
|
url = replaceSecretPlaceholder(url);
|
|
}
|
|
}
|
|
|
|
// Validate protocol before attempting connection (non-http/https are never allowed)
|
|
let parsed;
|
|
try {
|
|
parsed = new URL(url);
|
|
} catch {
|
|
Log.warn(`SSRF blocked (invalid URL): ${url}`);
|
|
return res.status(403).json({ error: "Forbidden: private or reserved addresses are not allowed" });
|
|
}
|
|
if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
|
|
Log.warn(`SSRF blocked (protocol): ${url}`);
|
|
return res.status(403).json({ error: "Forbidden: private or reserved addresses are not allowed" });
|
|
}
|
|
|
|
// Block localhost by hostname before even creating the dispatcher (no DNS needed).
|
|
if (parsed.hostname.toLowerCase() === "localhost") {
|
|
Log.warn(`SSRF blocked (localhost): ${url}`);
|
|
return res.status(403).json({ error: "Forbidden: private or reserved addresses are not allowed" });
|
|
}
|
|
|
|
// Whitelist check: if enabled, only allow explicitly listed domains
|
|
if (global.config.cors === "allowWhitelist" && !global.config.corsDomainWhitelist.includes(parsed.hostname.toLowerCase())) {
|
|
Log.warn(`CORS blocked (not in whitelist): ${url}`);
|
|
return res.status(403).json({ error: "Forbidden: domain not in corsDomainWhitelist" });
|
|
}
|
|
|
|
const headersToSend = getHeadersToSend(req.url);
|
|
const expectedReceivedHeaders = geExpectedReceivedHeaders(req.url);
|
|
Log.log(`cors url: ${url}`);
|
|
|
|
// Resolve DNS once and validate the IP. The validated IP is then pinned
|
|
// for the actual connection so fetch() cannot re-resolve to a different
|
|
// address. This prevents DNS rebinding / TOCTOU attacks (GHSA-xhvw-r95j-xm4v).
|
|
const { address, family } = await dns.promises.lookup(parsed.hostname);
|
|
if (ipaddr.process(address).range() !== "unicast") {
|
|
Log.warn(`SSRF blocked: ${url}`);
|
|
return res.status(403).json({ error: "Forbidden: private or reserved addresses are not allowed" });
|
|
}
|
|
|
|
// Pin the validated IP — fetch() reuses it instead of doing its own DNS lookup
|
|
const dispatcher = new undici.Agent({
|
|
connect: {
|
|
lookup: (_h, _o, cb) => {
|
|
const addresses = [{ address: address, family: family }];
|
|
process.nextTick(() => cb(null, addresses));
|
|
}
|
|
}
|
|
});
|
|
|
|
const response = await undici.fetch(url, { dispatcher, headers: headersToSend });
|
|
if (response.ok) {
|
|
for (const header of expectedReceivedHeaders) {
|
|
const headerValue = response.headers.get(header);
|
|
if (header) res.set(header, headerValue);
|
|
}
|
|
const arrayBuffer = await response.arrayBuffer();
|
|
res.send(Buffer.from(arrayBuffer));
|
|
} else {
|
|
throw new Error(`Response status: ${response.status}`);
|
|
}
|
|
}
|
|
} catch (error) {
|
|
if (process.env.mmTestMode !== "true") {
|
|
Log.error(`Error in CORS request: ${error}`);
|
|
}
|
|
res.status(500).json({ error: error.message });
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Gets headers and values to attach to the web request.
|
|
* @param {string} url - The url containing the headers and values to send.
|
|
* @returns {object} An object specifying name and value of the headers.
|
|
*/
|
|
function getHeadersToSend (url) {
|
|
const headersToSend = { "User-Agent": getUserAgent() };
|
|
const headersToSendMatch = new RegExp("sendheaders=(.+?)(&|$)", "g").exec(url);
|
|
if (headersToSendMatch) {
|
|
const headers = headersToSendMatch[1].split(",");
|
|
for (const header of headers) {
|
|
const keyValue = header.split(":");
|
|
if (keyValue.length !== 2) {
|
|
throw new Error(`Invalid format for header ${header}`);
|
|
}
|
|
headersToSend[keyValue[0]] = decodeURIComponent(keyValue[1]);
|
|
}
|
|
}
|
|
return headersToSend;
|
|
}
|
|
|
|
/**
|
|
* Gets the headers expected from the response.
|
|
* @param {string} url - The url containing the expected headers from the response.
|
|
* @returns {string[]} headers - The name of the expected headers.
|
|
*/
|
|
function geExpectedReceivedHeaders (url) {
|
|
const expectedReceivedHeaders = ["Content-Type"];
|
|
const expectedReceivedHeadersMatch = new RegExp("expectedheaders=(.+?)(&|$)", "g").exec(url);
|
|
if (expectedReceivedHeadersMatch) {
|
|
const headers = expectedReceivedHeadersMatch[1].split(",");
|
|
for (const header of headers) {
|
|
expectedReceivedHeaders.push(header);
|
|
}
|
|
}
|
|
return expectedReceivedHeaders;
|
|
}
|
|
|
|
/**
|
|
* Gets the HTML to display the magic mirror.
|
|
* @param {Request} req - the request
|
|
* @param {Response} res - the result
|
|
*/
|
|
function getHtml (req, res) {
|
|
let html = fs.readFileSync(path.resolve(`${global.root_path}/index.html`), { encoding: "utf8" });
|
|
html = html.replace("#VERSION#", global.version);
|
|
html = html.replace("#TESTMODE#", global.mmTestMode);
|
|
|
|
res.send(html);
|
|
}
|
|
|
|
/**
|
|
* Gets the MagicMirror version.
|
|
* @param {Request} req - the request
|
|
* @param {Response} res - the result
|
|
*/
|
|
function getVersion (req, res) {
|
|
res.send(global.version);
|
|
}
|
|
|
|
/**
|
|
* Gets the preferred `User-Agent`
|
|
* @returns {string} `User-Agent` to be used
|
|
*/
|
|
function getUserAgent () {
|
|
const defaultUserAgent = `Mozilla/5.0 (Node.js ${Number(process.version.match(/^v(\d+\.\d+)/)[1])}) MagicMirror/${global.version}`;
|
|
|
|
if (typeof global.config === "undefined") {
|
|
return defaultUserAgent;
|
|
}
|
|
|
|
switch (typeof global.config.userAgent) {
|
|
case "function":
|
|
return global.config.userAgent();
|
|
case "string":
|
|
return global.config.userAgent;
|
|
default:
|
|
return defaultUserAgent;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Gets environment variables needed in the browser.
|
|
* @returns {object} environment variables key: values
|
|
*/
|
|
function getEnvVarsAsObj () {
|
|
const obj = { modulesDir: `${global.config.foreignModulesDir}`, defaultModulesDir: `${global.config.defaultModulesDir}`, customCss: `${global.config.customCss}` };
|
|
if (process.env.MM_MODULES_DIR) {
|
|
obj.modulesDir = process.env.MM_MODULES_DIR.replace(`${global.root_path}/`, "");
|
|
}
|
|
if (process.env.MM_CUSTOMCSS_FILE) {
|
|
obj.customCss = process.env.MM_CUSTOMCSS_FILE.replace(`${global.root_path}/`, "");
|
|
}
|
|
|
|
return obj;
|
|
}
|
|
|
|
/**
|
|
* Gets environment variables needed in the browser.
|
|
* @param {Request} req - the request
|
|
* @param {Response} res - the result
|
|
*/
|
|
function getEnvVars (req, res) {
|
|
const obj = getEnvVarsAsObj();
|
|
res.send(obj);
|
|
}
|
|
|
|
/**
|
|
* Get the config file path from environment or default location
|
|
* @returns {string} The absolute config file path
|
|
*/
|
|
function getConfigFilePath () {
|
|
// Ensure root_path is set (for standalone contexts like watcher)
|
|
if (!global.root_path) {
|
|
global.root_path = path.resolve(`${__dirname}/../`);
|
|
}
|
|
|
|
// Check environment variable if global not set
|
|
if (!global.configuration_file && process.env.MM_CONFIG_FILE) {
|
|
global.configuration_file = process.env.MM_CONFIG_FILE;
|
|
}
|
|
|
|
return path.resolve(global.configuration_file || `${global.root_path}/config/config.js`);
|
|
}
|
|
|
|
module.exports = { cors, getHtml, getVersion, getStartup, getEnvVars, getEnvVarsAsObj, getUserAgent, getConfigFilePath, replaceSecretPlaceholder };
|