external/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-03-09 15:40:18 +00:00
Code Issues Releases Wiki Activity

Added URL args validation.

Browse source
This commit is contained in:
Ylian Saint-Hilaire 2020-06-21 01:45:24 -07:00
parent 16b25b04b0
commit a7ea8fead5
6 changed files with 22 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

4
common.js
View file

@ -157,10 +157,12 @@ module.exports.unEscapeAllLinksFieldName = function (docs) { for (var i in docs)
module.exports.validateString = function (str, minlen, maxlen) { return ((str != null) && (typeof str == 'string') && ((minlen == null) || (str.length >= minlen)) && ((maxlen == null) || (str.length <= maxlen))); };
module.exports.validateInt = function (int, minval, maxval) { return ((int != null) && (typeof int == 'number') && ((minval == null) || (int >= minval)) && ((maxval == null) || (int <= maxval))); };
module.exports.validateArray = function (array, minlen, maxlen) { return ((array != null) && Array.isArray(array) && ((minlen == null) || (array.length >= minlen)) && ((maxlen == null) || (array.length <= maxlen))); };
module.exports.validateStrArray = function (array, minlen, maxlen) { if (((array != null) && Array.isArray(array)) == false) return false; for (var i in array) { if ((typeof array[i] != 'string') && ((minlen == null) || (array[i].length >= minlen)) && ((maxlen == null) || (array[i].length <= maxlen))) return false; } return true; };
module.exports.validateStrArray = function (array, minlen, maxlen) { if (((array != null) && Array.isArray(array)) == false) return false; for (var i in array) { if ( (typeof array[i] != 'string') || ((minlen != null) && (array[i].length < minlen)) || ((maxlen != null) && (array[i].length > maxlen))) return false; } return true; };
module.exports.validateObject = function (obj) { return ((obj != null) && (typeof obj == 'object')); };
module.exports.validateEmail = function (email, minlen, maxlen) { if (module.exports.validateString(email, minlen, maxlen) == false) return false; var emailReg = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/; return emailReg.test(email); };
module.exports.validateUsername = function (username, minlen, maxlen) { return (module.exports.validateString(username, minlen, maxlen) && (username.indexOf(' ') == -1) && (username.indexOf('"') == -1) && (username.indexOf(',') == -1)); };
module.exports.isAlphaNumeric = function (str) { return (str.match(/^[A-Za-z0-9]+$/) != null); };
module.exports.validateAlphaNumericArray = function (array, minlen, maxlen) { if (((array != null) && Array.isArray(array)) == false) return false; for (var i in array) { if ((typeof array[i] != 'string') || (module.exports.isAlphaNumeric(array[i]) == false) || ((minlen != null) && (array[i].length < minlen)) || ((maxlen != null) && (array[i].length > maxlen)) ) return false; } return true; };
// Check password requirements
module.exports.checkPasswordRequirements = function(password, requirements) {

1
meshcentral.js
View file

@ -1044,6 +1044,7 @@ function CreateMeshCentralServer(config, args) {
if (obj.config.domains[i].dns == null) { obj.config.domains[i].url = (i == '') ? '/' : ('/' + i + '/'); } else { obj.config.domains[i].url = '/'; }
obj.config.domains[i].id = i;
if (typeof obj.config.domains[i].loginkey == 'string') { obj.config.domains[i].loginkey = [obj.config.domains[i].loginkey]; }
if ((obj.config.domains[i].loginkey != null) && (obj.common.validateAlphaNumericArray(obj.config.domains[i].loginkey, 1, 128) == false)) { console.log("ERROR: Invalid login key, must be alpha-numeric string with no spaces."); process.exit(); return; }
if (typeof obj.config.domains[i].userallowedip == 'string') { if (obj.config.domains[i].userallowedip == '') { obj.config.domains[i].userallowedip = null; } else { obj.config.domains[i].userallowedip = obj.config.domains[i].userallowedip.split(','); } }
if (typeof obj.config.domains[i].userblockedip == 'string') { if (obj.config.domains[i].userblockedip == '') { obj.config.domains[i].userblockedip = null; } else { obj.config.domains[i].userblockedip = obj.config.domains[i].userblockedip.split(','); } }
if (typeof obj.config.domains[i].agentallowedip == 'string') { if (obj.config.domains[i].agentallowedip == '') { obj.config.domains[i].agentallowedip = null; } else { obj.config.domains[i].agentallowedip = obj.config.domains[i].agentallowedip.split(','); } }

5
public/scripts/common-0.0.1.js
View file

@ -107,4 +107,7 @@ function random(max) { return Math.floor(Math.random() * max); }
function trademarks(x) { return x.replace(/\(R\)/g, '&reg;').replace(/\(TM\)/g, '&trade;'); }
// Pad a number with zeros on the left
function zeroPad(num, c) { if (c == null) { c = 2; } var s = "00000000" + num; return s.substr(s.length - c); }
function zeroPad(num, c) { if (c == null) { c = 2; } var s = "00000000" + num; return s.substr(s.length - c); }
// String validation
function isAlphaNumeric(str) { return (str.match(/^[A-Za-z0-9]+$/) != null); };

5
views/default-mobile.handlebars
View file

@ -735,7 +735,10 @@
for (var i in webState) { localStorage.setItem(i, webState[i]); }
if (!webState.loctag) { delete localStorage.removeItem('loctag'); }
var args = parseUriArgs(), urlargs = args;
var urlargs = parseUriArgs();
if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
if (urlargs.locale && (isAlphaNumeric(urlargs.locale) == false)) { delete urlargs.locale; }
var args = urlargs;
var debugLevel = parseInt('{{{debuglevel}}}');
var features = parseInt('{{{features}}}');
var sessionTime = parseInt('{{{sessiontime}}}');

11
views/default.handlebars
View file

@ -1273,8 +1273,10 @@
if (top != self && (loc == null || top.active == false)) { top.location = self.location; return; }
}
// Fetch URL arguments
// Fetch URL arguments & do sanitation
urlargs = parseUriArgs();
if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
if (urlargs.locale && (isAlphaNumeric(urlargs.locale) == false)) { delete urlargs.locale; }
delete urlargs.viewmode;
delete urlargs.gotonode;
delete urlargs.gotomesh;
@ -1282,12 +1284,13 @@
delete urlargs.gotougrp;
// Fix links if a loginKey is used
if (urlargs.key) {
Q('termsLinkFooter').href += '?key=' + urlargs.key;
}
if (urlargs.key) { Q('termsLinkFooter').href += '?key=' + urlargs.key; }
// Check if we are in debug mode
args = parseUriArgs();
if (args.key && (isAlphaNumeric(args.key) == false)) { delete args.key; }
if (args.locale && (isAlphaNumeric(args.locale) == false)) { delete args.locale; }
if (!args.locale) { var x = getstore('loctag', 0); if ((x != null) && (x != '*')) { args.locale = x; } }
debugmode = args.debug;

4
views/messenger.handlebars
View file

@ -42,9 +42,11 @@
<input id="uploadFileInput" type="file" multiple style="display:none">
<script type="text/javascript" onunload="onUnLoad()">
var userInputFocus = 0;
var args = parseUriArgs();
var socket = null; // Websocket object
var state = 0; // Connection state. 0 = Disconnected, 1 = Connecting, 2 = Connected.
var args = parseUriArgs();
if (args.key && (isAlphaNumeric(args.key) == false)) { delete args.key; }
if (args.locale && (isAlphaNumeric(args.locale) == false)) { delete args.locale; }
// WebRTC sessions and data, audio and video channels
var random = Math.random(); // Selected random, larger value initiates WebRTC.