

security: ensures that server secret is not served to user
This will also prohibit some weak secrets like "123456" and
former default "flood".
jesec committed Aug 23, 2020
1 parent 042cb4c commit 103f53c
Showing 1 changed file with 23 additions and 0 deletions.
23 changes: 23 additions & 0 deletions server/bin/enforce-prerequisites.js
@@ -1,6 +1,9 @@
const fs = require('fs');
const glob = require('glob');
const path = require('path');

const {secret} = require('../../config');

const staticAssets = [path.join(__dirname, '../assets/index.html')];

const configFiles = [path.join(__dirname, '../../config.js')];
Expand All @@ -17,6 +20,20 @@ const doFilesExist = (files) => {
}
};

const grepRecursive = (folder, match) => {
return glob.sync(folder.concat('/**/*')).some((file) => {
try {
if (!fs.lstatSync(file).isDirectory()) {
return fs.readFileSync(file, {encoding: 'utf8'}).includes(match);
}
return false;
} catch (error) {
console.error(`Error reading file: ${file}\n${error}`);
return false;
}
});
};

const enforcePrerequisites = () =>
new Promise((resolve, reject) => {
if (!doFilesExist(configFiles)) {
Expand All @@ -33,6 +50,12 @@ const enforcePrerequisites = () =>
return;
}

// Ensures that server secret is not served to user
if (grepRecursive(path.join(__dirname, '../assets'), secret)) {
reject(new Error(`Secret is included in static assets. Please ensure that secret is unique.`));
return;
}

return resolve();
});
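Review bot: The secret scan in the third hunk does not verify that `secret` is a usable string before calling `includes(secret)`, so an unset secret is coerced to the text "undefined" and an empty secret matches every file, both of which produce the misleading "Secret is included in static assets" rejection instead of naming the real problem. A guard ahead of the grep, `if (typeof secret !== 'string' || secret.length === 0) { reject(new Error('Secret must be a non-empty string.')); return; }`, would make the failure mode explicit. Separately, `glob.sync(folder.concat('/**/*'))` in `grepRecursive` skips dot-prefixed files and directories by default, so a leaked copy of the secret in such a file under `../assets` would not be detected; passing `{dot: true}` as the glob options closes that gap. The body of `enforcePrerequisites` begins in the second hunk and continues past the end of the third, so other reject paths are not visible here.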


