
A serious security bug in leancloud visitor counter #25

Closed
LEAFERx opened this Issue Jan 12, 2018 · 17 comments

LEAFERx commented Jan 12, 2018


I've found a very serious bug in the integrated LeanCloud visitor counter.
Using this bug, anyone can change the visitor data of blogs that don't belong to him, and even has the ability to ruin others' whole databases.

Steps to reproduce the behavior

I'm really not sure if I should write the reproduction steps here.
Needs discussion. @ivan-nginx

NexT Version: 6.0.0 and those integrated with leancloud visitor counter

NexT Scheme:

All schemes

ivan-nginx commented Jan 12, 2018

Where do you want to discuss it? Let's go on Gitter this weekend?

sli1989 commented Jan 12, 2018

Can you add a security DNS or host name in LeanCloud's Security settings? After setting up a Web security domain name, you can only call server resources through the JavaScript SDK under that domain name.

ivan-nginx commented Jan 12, 2018

I don't know what the trouble is or where the bug is, but yes, if this is a security bug, it must of course be fixed.

LEAFERx commented Jan 12, 2018

@sli1989 That's not the problem.
There is another problem...

@ivan-nginx ivan-nginx added the Bug label Jan 12, 2018

LEAFERx commented Jan 12, 2018

Now I'm working on fixing it and have made some progress,
but the fix must be done manually in LeanCloud's background controller;
it can't be done in the NexT theme.
I will write a blog post about the solution after I fix it, but ... how can we inform those who use this function?
There are too many.

ivan-nginx referenced this issue Jan 22, 2018: NexT v7.x Roadmap #67 (Open, 22 of 74 tasks complete)

LEAFERx commented Feb 12, 2018

Fixes are done with a plugin. The Chinese doc is on the way. The English doc may be released in a few days.

LEAFERx referenced this issue Feb 12, 2018: fix leancloud counter security bug #137 (Merged, 6 of 13 tasks complete)

ivan-nginx commented Feb 15, 2018

Implemented in #137 pull.

LEAFERx commented Feb 28, 2018

Bug fixed in #137.

@LEAFERx LEAFERx closed this Feb 28, 2018

sli1989 commented Mar 6, 2018

Are there any problems? There are too many setup steps...

ERROR Plugin load failed: hexo-leancloud-counter-security
/builds/sli1989/sli1989.gitlab.io/node_modules/hexo-leancloud-counter-security/index.js:22
async function sync() {
      ^^^^^^^^
SyntaxError: Unexpected token function
    at createScript (vm.js:56:10)
    at Object.runInThisContext (vm.js:97:10)
    at /builds/sli1989/sli1989.gitlab.io/node_modules/hexo/lib/hexo/index.js:230:17
    at tryCatcher (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:512:31)
    at Promise._settlePromise (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:569:18)
    at Promise._settlePromise0 (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:614:10)
    at Promise._settlePromises (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:693:18)
    at Promise._fulfill (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:638:18)
    at Promise._resolveCallback (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:432:57)
    at Promise._settlePromiseFromHandler (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:524:17)
    at Promise._settlePromise (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:569:18)
    at Promise._settlePromise0 (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:614:10)
    at Promise._settlePromises (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:693:18)
    at Promise._fulfill (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:638:18)
    at /builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/nodeback.js:42:21
    at /builds/sli1989/sli1989.gitlab.io/node_modules/graceful-fs/graceful-fs.js:78:16
    at tryToString (fs.js:456:3)
    at FSReqWrap.readFileAfterClose [as oncomplete] (fs.js:443:12)
LEAFERx commented Mar 6, 2018

@sli1989 Please tell me your Node version and Hexo version.
async is introduced in ES2017, so it may need a higher Node version.
If that is the problem I will update the doc.
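
The failure above is a parse-time error: `async function` is ES2017 syntax, so on a Node.js release that predates it the plugin file cannot even be compiled, and Hexo reports "Unexpected token function" while loading the plugin. The following is an added example, not code from NexT or from hexo-leancloud-counter-security, showing how a plugin entry file written in ES5/ES2015 syntax only can check the running Node.js version (and, independently, probe whether the engine parses async functions) and fail with an actionable message instead of a SyntaxError. It assumes Node.js 7.6.0 as the first release that supports async/await (Node.js's own release history, not something the plugin declares), and `loadImplementation` is a hypothetical stand-in for a `require()` of the real, async-using module.

```javascript
'use strict';

// First Node.js release whose parser accepts `async function` (assumption from
// Node.js release history; the plugin in the thread declares no minimum).
const MIN_ASYNC_NODE = [7, 6, 0];

// Parse "v6.10.2" or "6.10.2" into [6, 10, 2]; rejects anything else.
function parseNodeVersion(versionString) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(versionString).trim());
  if (!m) {
    throw new TypeError('not a Node.js version string: ' + versionString);
  }
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return 0;
}

// True when the given Node.js version is at or above MIN_ASYNC_NODE.
function supportsAsyncFunctions(versionString) {
  return compareVersions(parseNodeVersion(versionString), MIN_ASYNC_NODE) >= 0;
}

// Feature test that does not trust version numbers: compile (never run) an
// async function in a throw-away scope. A parser that lacks the syntax throws
// SyntaxError here, exactly as Node 6 did for the plugin's index.js.
function canParseAsyncFunction() {
  try {
    new Function('async function probe() {}');
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) {
      return false;
    }
    throw e;
  }
}

// Entry point shape for a plugin: only load the async-using implementation
// once the environment check passes, so the user sees a remediation hint
// rather than a stack trace from the module loader. `loadImplementation` is
// a hypothetical hook standing in for require('./lib/sync').
function loadPlugin(nodeVersion, loadImplementation) {
  if (!supportsAsyncFunctions(nodeVersion)) {
    throw new Error(
      'this plugin uses async/await and needs Node.js >= ' +
        MIN_ASYNC_NODE.join('.') +
        ' (running ' + nodeVersion + '); upgrade Node.js or install a ' +
        'plugin release that does not use async syntax'
    );
  }
  return loadImplementation();
}

// Stand-alone run: report what the current process can do.
console.log(
  'Node ' + process.version + ': async/await ' +
    (canParseAsyncFunction() ? 'supported' : 'NOT supported') +
    ' (version check says ' + supportsAsyncFunctions(process.version) + ')'
);
```

The version check lives in a file that itself uses no ES2017 syntax; if the check were placed in the same file as the `async function`, the parser would reject the whole file before the check ever ran, which is the situation in the stack trace above.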

sli1989 commented Mar 6, 2018

image: node:6.10.2

`-- hexo-cli@1.1.0 
  +-- abbrev@1.1.1 
  +-- bluebird@3.5.1 
  +-- chalk@1.1.3 
  | +-- ansi-styles@2.2.1 
  | +-- escape-string-regexp@1.0.5 
  | +-- has-ansi@2.0.0 
  | | `-- ansi-regex@2.1.1 
  | +-- strip-ansi@3.0.1 
  | `-- supports-color@2.0.0 
  +-- command-exists@1.2.2 
  +-- hexo-fs@0.2.2 
  | +-- chokidar@1.7.0 
  | | +-- anymatch@1.3.2 
  | | | +-- micromatch@2.3.11 
  | | | | +-- arr-diff@2.0.0 
  | | | | | `-- arr-flatten@1.1.0 
  | | | | +-- array-unique@0.2.1 
  | | | | +-- braces@1.8.5 
  | | | | | +-- expand-range@1.8.2 
  | | | | | | `-- fill-range@2.2.3 
  | | | | | |   +-- is-number@2.1.0 
  | | | | | |   +-- isobject@2.1.0 
  | | | | | |   +-- randomatic@1.1.7 
  | | | | | |   | +-- is-number@3.0.0 
  | | | | | |   | | `-- kind-of@3.2.2 
  | | | | | |   | `-- kind-of@4.0.0 
  | | | | | |   `-- repeat-string@1.6.1 
  | | | | | +-- preserve@0.2.0 
  | | | | | `-- repeat-element@1.1.2 
  | | | | +-- expand-brackets@0.1.5 
  | | | | | `-- is-posix-bracket@0.1.1 
  | | | | +-- extglob@0.3.2 
  | | | | +-- filename-regex@2.0.1 
  | | | | +-- kind-of@3.2.2 
  | | | | | `-- is-buffer@1.1.6 
  | | | | +-- object.omit@2.0.1 
  | | | | | +-- for-own@0.1.5 
  | | | | | | `-- for-in@1.0.2 
  | | | | | `-- is-extendable@0.1.1 
  | | | | +-- parse-glob@3.0.4 
  | | | | | +-- glob-base@0.3.0 
  | | | | | `-- is-dotfile@1.0.3 
  | | | | `-- regex-cache@0.4.4 
  | | | |   `-- is-equal-shallow@0.1.3 
  | | | |     `-- is-primitive@2.0.0 
  | | | `-- normalize-path@2.1.1 
  | | |   `-- remove-trailing-separator@1.1.0 
  | | +-- async-each@1.0.1 
  | | +-- glob-parent@2.0.0 
  | | +-- inherits@2.0.3 
  | | +-- is-binary-path@1.0.1 
  | | | `-- binary-extensions@1.11.0 
  | | +-- is-glob@2.0.1 
  | | | `-- is-extglob@1.0.0 
  | | +-- path-is-absolute@1.0.1 
  | | `-- readdirp@2.1.0 
  | |   +-- minimatch@3.0.4 
  | |   | `-- brace-expansion@1.1.11 
  | |   |   +-- balanced-match@1.0.0 
  | |   |   `-- concat-map@0.0.1 
  | |   +-- readable-stream@2.3.5 
  | |   | +-- core-util-is@1.0.2 
  | |   | +-- isarray@1.0.0 
  | |   | +-- process-nextick-args@2.0.0 
  | |   | +-- safe-buffer@5.1.1 
  | |   | +-- string_decoder@1.0.3 
  | |   | `-- util-deprecate@1.0.2 
  | |   `-- set-immediate-shim@1.0.1 
  | `-- graceful-fs@4.1.11 
  +-- hexo-log@0.2.0 
  | `-- hexo-bunyan@1.0.0 
  |   +-- moment@2.21.0 
  |   +-- mv@2.1.1 
  |   | +-- mkdirp@0.5.1 
  |   | | `-- minimist@0.0.8 
  |   | +-- ncp@2.0.0 
  |   | `-- rimraf@2.4.5 
  |   |   `-- glob@6.0.4 
  |   |     +-- inflight@1.0.6 
  |   |     | `-- wrappy@1.0.2 
  |   |     `-- once@1.4.0 
  |   `-- safe-json-stringify@1.1.0 
  +-- hexo-util@0.6.3 
  | +-- camel-case@3.0.0 
  | | +-- no-case@2.3.2 
  | | | `-- lower-case@1.1.4 
  | | `-- upper-case@1.1.3 
  | +-- cross-spawn@4.0.2 
  | | +-- lru-cache@4.1.1 
  | | | +-- pseudomap@1.0.2 
  | | | `-- yallist@2.1.2 
  | | `-- which@1.3.0 
  | |   `-- isexe@2.0.0 
  | +-- highlight.js@9.12.0 
  | +-- html-entities@1.2.1 
  | `-- striptags@2.2.1 
  +-- minimist@1.2.0 
  +-- object-assign@4.1.1 
  +-- resolve@1.5.0 
  | `-- path-parse@1.0.5 
  `-- tildify@1.2.0 
    `-- os-homedir@1.0.2 
tyoungcn commented Mar 14, 2018

I met the same problem as sli1989, and my Node version is v6.10.0.

LEAFERx commented Mar 15, 2018

@sli1989 @tyoungcn
solved in hexo-leancloud-counter-security@1.3.0

ivan-nginx commented Mar 15, 2018

There are some things that are not actually made production-ready:

  • 1. I don't understand what is in the CN docs and want at least to see EN (if anybody can translate this, welcome). Added in #174.
  • 2. I don't see which Node versions the plugin supports. And as Hexo at least supports Node v6, this plugin must support this too.
    (screenshot omitted)
  • 3. I don't understand what the option betterPerformance: false in the NexT config means and can't find any instructions in the plugin readme on how to use this option.

So, I suggest for now it's a beta feature, and I made some changes in this commit (by default the security option is disabled for now).

LEAFERx referenced this issue Mar 15, 2018: Add EN doc for leancloud counter security #174 (Merged, 6 of 13 tasks complete)

ivan-nginx commented Mar 18, 2018

@LEAFERx You can change back the 29e2e59 commit and close this issue, I think.

LEAFERx commented Mar 18, 2018

Could you do this? I have no access to a computer now.

ivan-nginx commented Mar 25, 2018

Solved.

All future reports for this plugin can be posted here.

@ivan-nginx ivan-nginx closed this Mar 25, 2018
