
Fix LeanCloud Counter Plugin Security Vulnerability

Before changing any configuration, upgrade NexT to v6.0.6 or later.

Please note the difference between the site config file (_config.yml in the root of your Hexo site) and the theme config file (_config.yml inside the NexT theme directory); both are edited below.


Sign up to LeanCloud and create an app

  • Go to the LeanCloud website (leancloud.app), sign up, and log in.

  • Click 1 to enter the console:

    (screenshot 1)

  • Then click 1 to create an app:

    (screenshot 2)

  • Type your app name in 1 of the pop-up window (e.g. "test"), choose 2 (the developer plan), then click 3 to create the app:

    (screenshot 3)

Create Counter class and enable plugin in NexT

  • Click 1 (the app name) to enter the app management page:

    (screenshot 4)

  • Then click 1 to create a class for the counter:

    (screenshot 5)

  • Type Counter in 1 of the pop-up window, check 2, then click 3:

    (screenshot 6)

  • Click 1 to enter the app settings, then click 2:

    (screenshot 8)

  • Paste App ID and App Key to theme config file _config.yml like this:

    leancloud_visitors:
      enable: true
      app_id: <<your app id>>
      app_key: <<your app key>>
      # Dependencies: https://github.com/theme-next/hexo-leancloud-counter-security
      security: true
      betterPerformance: false
  • Set the web security domain whitelist: click 1, then enter your site's origin in 2 (protocol, domain and port must match exactly). This whitelist only restricts which origins the browser SDK may call your app from; it is not a substitute for the hook and ACL steps below, because the App ID and App Key are shipped in your page's JavaScript and anyone can use them to call the API directly.

    (screenshot 9)

Deploy a cloud engine (LeanEngine) hook to prevent your data from being changed illegitimately

  • Click 1 -> 2 -> 3 in order:

    (screenshot 10)

  • Click 1:

    (screenshot 11)

  • In the pop-up window, click 1 to choose the type Hook, choose beforeUpdate in 2, and choose Counter in 3. Paste the code below into 4, then click 5 to save it. The hook runs on the server before every update to a Counter object and rejects any update that would lower the stored time (hit count):

    // Runs on the server before an update to a Counter object is written.
    var query = new AV.Query("Counter");
    // Only updates that change the `time` (hit count) field are inspected.
    if (request.object.updatedKeys.indexOf('time') !== -1) {
        // Fetch the currently stored object and compare it with the incoming value.
        return query.get(request.object.id).then(function (obj) {
            // Reject any attempt to lower the stored count; throwing aborts the update.
            if (obj.get("time") > request.object.get("time")) {
                throw new AV.Cloud.Error('Invalid update!');
            }
            return request.object.save();
        });
    }

    (screenshot 12)

  • Click 1 to deploy once the message in the red rectangle appears:

    (screenshot 13)

  • Click 1 in the pop-up:

    (screenshot 14)

  • Click 1 to close the pop-up window once the message in the red rectangle appears:

    (screenshot 15)
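The rule the hook enforces, restated as an added example that can be run offline with Node.js. This is not code from NexT, hexo-leancloud-counter-security or LeanCloud: decideCounterUpdate, applyUpdates, freshStore, sampleRequests and the request shape ({ id, updatedKeys, object }) are assumptions made for this demonstration, and the Counter records are constructed data. It goes one step beyond the hook by also rejecting non-numeric values for time, since a plain `>` comparison against a string or null is false in JavaScript and would let such a value through.

```javascript
// Added example; not code from NexT, hexo-leancloud-counter-security or LeanCloud.
// It restates the rule enforced by the beforeUpdate hook above as a pure function
// and runs it over constructed update requests. decideCounterUpdate, applyUpdates,
// freshStore, sampleRequests and the request shape are assumptions for this demo;
// in a real hook the stored object comes from `new AV.Query("Counter").get(id)`
// and a rejection is raised by throwing AV.Cloud.Error.

// Constructed server-side Counter data: one record per post.
function freshStore() {
  return new Map([
    ['post-a', { time: 120, url: '/2018/03/16/lc-security-en/', title: 'LC security' }],
    ['post-b', { time: 7, url: '/hello-world/', title: 'Hello World' }],
  ]);
}

// Decide whether an update may proceed. Mirrors the hook: only updates that
// touch `time` are inspected, and `time` may never go down. Unlike the hook,
// non-numeric values are rejected explicitly, because `120 > "abc"` is false
// in JavaScript and such a value would otherwise slip through the comparison.
function decideCounterUpdate(stored, incoming, updatedKeys) {
  if (!stored) {
    return { allowed: false, reason: 'no such Counter object' };
  }
  if (updatedKeys.indexOf('time') === -1) {
    return { allowed: true }; // e.g. a title fix; the hook does not look at it
  }
  const before = stored.time;
  const after = incoming.time;
  if (typeof after !== 'number' || !Number.isFinite(after)) {
    return { allowed: false, reason: 'time must be a finite number' };
  }
  if (before > after) {
    return { allowed: false, reason: 'Invalid update!' }; // rollback attempt
  }
  return { allowed: true };
}

// Run a batch of requests against a store the way LeanCloud would: the hook
// decides, and only allowed updates are written. Returns every decision.
function applyUpdates(requests, store) {
  return requests.map(function (req) {
    const stored = store.get(req.id);
    const decision = decideCounterUpdate(stored, req.object, req.updatedKeys);
    if (decision.allowed) {
      req.updatedKeys.forEach(function (k) { stored[k] = req.object[k]; });
    }
    return Object.assign({ id: req.id }, decision);
  });
}

// Constructed requests: a normal visitor increment, an attacker using the
// public App Key to reset the count, a harmless title edit, a malformed value,
// and an update to an id that does not exist.
const sampleRequests = [
  { id: 'post-a', updatedKeys: ['time'], object: { time: 121 } },
  { id: 'post-a', updatedKeys: ['time'], object: { time: 1 } },
  { id: 'post-b', updatedKeys: ['title'], object: { title: 'Renamed' } },
  { id: 'post-b', updatedKeys: ['time'], object: { time: 'NaN' } },
  { id: 'missing', updatedKeys: ['time'], object: { time: 5 } },
];

// Returns the decisions and the resulting store so callers can inspect both.
function runDemo() {
  const store = freshStore();
  const decisions = applyUpdates(sampleRequests, store);
  return { decisions: decisions, store: store };
}

if (typeof require !== 'undefined' && require.main === module) {
  runDemo().decisions.forEach(function (d) {
    console.log(d.id, d.allowed ? 'allowed' : 'rejected: ' + d.reason);
  });
}
```

Running the file prints one line per request: the increment and the title edit are allowed, while the reset to 1, the non-numeric value and the unknown id are rejected. Note what the rule does not cover: it only guards the time field, and it allows a value equal to the stored one, so an attacker can still inflate a count, which any visitor's browser can do anyway. The ACL steps below are what stop records from being created or deleted outright.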

Set access control for your database

  • Open the theme config file _config.yml and set security to true under leancloud_visitors:

    leancloud_visitors:
      enable: true
      app_id: <<your app id>>
      app_key: <<your app key>>
      # Dependencies: https://github.com/theme-next/hexo-leancloud-counter-security
      security: true
      betterPerformance: false

    Explanation of betterPerformance: the LeanCloud developer plan limits the number of concurrent requests and their running time, so the counter can sometimes be slow to load. With betterPerformance set to true, the counter is displayed immediately on the assumption that the update request will succeed, instead of waiting for the server's response.

  • Open a terminal, change to the root directory of your site, and install the hexo-leancloud-counter-security plugin:

    npm install hexo-leancloud-counter-security
    
  • Open the site config file _config.yml and add this configuration:

    leancloud_counter_security:
      enable_sync: true
      app_id: <<your app id>>
      app_key: <<your app key>>
      username:
      password:
  • Type command:

    hexo lc-counter register <<username>> <<password>>
    

    or

    hexo lc-counter r <<username>> <<password>>
    

    Replace <<username>> and <<password>> with a username and password of your own (they do not need to match your LeanCloud account). This registers a LeanCloud user that the deployer logs in as when you run hexo deploy.

  • Open the site config file _config.yml and replace <<username>> and <<password>> with the values you registered above:

    leancloud_counter_security:
      enable_sync: true
      app_id: <<your app id>>
      app_key: <<your app key>>
      username: <<your username>> # prompted for during deployment if left blank
      password: <<your password>> # recommended to leave blank for security; prompted for during deployment if left blank
  • Add the deployer to the deploy section of the site config file _config.yml:

    deploy:
      - type: git
        repo: # your repository URL
        ...
      - type: leancloud_counter_security_sync
  • Return to the LeanCloud console. Click 1 -> 2 and check that a record has been added to the _User class (the screenshot below uses the username "admin" as an example):

    (screenshot 16)

  • Click 1 -> 2 -> 3 in order:

    (screenshot 17)

  • Click 1 (add_fields), then choose 2. Apply the same setting as for "create" below (choose the user you created):

    (screenshot 18)

  • Click 1 (create), then choose 2, type the username in 3, then click 4 -> 5:

    (screenshot 19)

    After this step your page should look like the image below.

    (screenshot 20)

  • Click 1 (delete), then choose 2:

    (screenshot 21)

The vulnerability is now closed: the hook rejects any update that lowers a count, and the class permissions allow only the user you registered to create or delete Counter records.


See detailed version here: https://leaferx.online/2018/03/16/lc-security-en/
