A serious security bug in leancloud visitor counter [solved] #25

Closed
3 tasks done
LEAFERx opened this issue Jan 12, 2018 · 17 comments

Comments

@LEAFERx
Contributor

LEAFERx commented Jan 12, 2018

I've found a very serious bug in the integrated leancloud visitor counter.
Using this bug, anyone can change the visitor data of blogs that don't belong to him, and even has the ability to ruin others' whole database.

Steps to reproduce the behavior

I'm really not sure if I should write the reproduction steps here.
Needs discussion. @ivan-nginx

NexT Version: 6.0.0 and those integrated with leancloud visitor counter

NexT Scheme:

All schemes

@ivan-nginx
Member

Where do you want to discuss it? Let's go on Gitter this weekend?

@sli1989
Collaborator

sli1989 commented Jan 12, 2018

You can add a security DNS or host name in leancloud's Security settings? After setting up a Web security domain name, you can only call server resources through the JavaScript SDK under this domain name.

@ivan-nginx
Member

I don't know what the trouble is or where the bug is, but yes, if this is a security bug, it must of course be fixed.

@LEAFERx
Contributor Author

LEAFERx commented Jan 12, 2018

@sli1989 That's not the problem.
There is another problem...

@ivan-nginx ivan-nginx added the Bug label Jan 12, 2018
@LEAFERx
Contributor Author

LEAFERx commented Jan 12, 2018

Now I'm working on fixing it and have made some progress,
but the fix must be done manually in leancloud's background controller;
it can't be done in the NexT theme.
I will write a blog post about the solution after I fix it, but... how can we inform those who use this function?
There are too many.

@LEAFERx
Contributor Author

LEAFERx commented Feb 12, 2018

Fixes are done with a plugin. Chinese doc is on the way. English doc may be released in a few days.

@ivan-nginx
Member

Implemented in #137 pull.

@LEAFERx
Contributor Author

LEAFERx commented Feb 28, 2018

Bug fixed in #137.

@LEAFERx LEAFERx closed this as completed Feb 28, 2018
@sli1989
Collaborator

sli1989 commented Mar 6, 2018

Are there any problems? It's too many setup steps...

ERROR Plugin load failed: hexo-leancloud-counter-security
/builds/sli1989/sli1989.gitlab.io/node_modules/hexo-leancloud-counter-security/index.js:22
async function sync() {
      ^^^^^^^^
SyntaxError: Unexpected token function
    at createScript (vm.js:56:10)
    at Object.runInThisContext (vm.js:97:10)
    at /builds/sli1989/sli1989.gitlab.io/node_modules/hexo/lib/hexo/index.js:230:17
    at tryCatcher (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:512:31)
    at Promise._settlePromise (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:569:18)
    at Promise._settlePromise0 (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:614:10)
    at Promise._settlePromises (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:693:18)
    at Promise._fulfill (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:638:18)
    at Promise._resolveCallback (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:432:57)
    at Promise._settlePromiseFromHandler (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:524:17)
    at Promise._settlePromise (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:569:18)
    at Promise._settlePromise0 (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:614:10)
    at Promise._settlePromises (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:693:18)
    at Promise._fulfill (/builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/promise.js:638:18)
    at /builds/sli1989/sli1989.gitlab.io/node_modules/bluebird/js/release/nodeback.js:42:21
    at /builds/sli1989/sli1989.gitlab.io/node_modules/graceful-fs/graceful-fs.js:78:16
    at tryToString (fs.js:456:3)
    at FSReqWrap.readFileAfterClose [as oncomplete] (fs.js:443:12)

@LEAFERx
Contributor Author

LEAFERx commented Mar 6, 2018

@sli1989 Please tell me your Node version and Hexo version.
async is introduced in ES2017, so it may need a higher Node version.
If that is the problem, I will update the doc.
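
An added example (not code from the hexo-leancloud-counter-security plugin or from anyone in this thread) of how a plugin entry point written in ES5 can check the Node version before requiring a module that uses async/await, so an old runtime gets a clear message instead of the `SyntaxError: Unexpected token function` shown above. The minimum of 7.6.0 (the first Node release with unflagged async/await), the `loadCounterPlugin` name and the injected stub loader are assumptions for this example.

```javascript
'use strict';
// Added example: ES5-only entry point, so this file itself parses on Node 6.
// Node 6 throws SyntaxError while *parsing* a file that contains
// `async function`; the check below runs before that file is ever loaded.

// Assumption: first Node release shipping async/await without flags.
var MIN_NODE = '7.6.0';

// Parse 'v6.10.2' or '7.6.0' into [major, minor, patch].
function parseVersion(v) {
  var m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error('unparseable version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric (not lexicographic) comparison: 6.10.2 < 7.6.0 even though '6.10' > '6.9'.
function compareVersions(a, b) {
  var pa = parseVersion(a), pb = parseVersion(b);
  for (var i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function checkNode(current, minimum) {
  return compareVersions(current, minimum) >= 0;
}

// Entry point: `loader` stands in for require('./lib/sync') (the module that
// uses async/await) and is only called once the runtime is known to support it.
function loadCounterPlugin(nodeVersion, loader) {
  if (!checkNode(nodeVersion, MIN_NODE)) {
    return {
      ok: false,
      error: 'hexo-leancloud-counter-security needs Node >= ' + MIN_NODE +
             ' (async/await); current version is ' + nodeVersion
    };
  }
  return { ok: true, plugin: loader() };
}

// Demo against the running Node with a constructed stub loader.
var demo = loadCounterPlugin(process.version, function () {
  return { name: 'constructed stub plugin' };
});
console.log(demo.ok ? 'plugin loaded on ' + process.version : demo.error);
```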

@sli1989
Collaborator

sli1989 commented Mar 6, 2018

image: node:6.10.2

`-- hexo-cli@1.1.0 

@tyoungcn

I have met the same problem as sli1989, and my node version is v6.10.0.

@LEAFERx
Contributor Author

LEAFERx commented Mar 15, 2018

@sli1989 @tyoungcn
Solved in hexo-leancloud-counter-security@1.3.0.

@ivan-nginx
Member

ivan-nginx commented Mar 15, 2018

There are some things not actually made ready for production:

So, I suggest for now it's a beta feature, and I made some changes in this commit (by default the security option is disabled for now).

@ivan-nginx
Member

@LEAFERx You can change back commit 29e2e59 and close this issue, I think.

@LEAFERx
Contributor Author

LEAFERx commented Mar 18, 2018

Could you do this? I have no access to a computer now.

@ivan-nginx
Member

Solved.

All future reports for this plugin can be posted here.

@ivan-nginx ivan-nginx changed the title A serious security bug in leancloud visitor counter A serious security bug in leancloud visitor counter [solved] Mar 4, 2019
@theme-next theme-next locked as resolved and limited conversation to collaborators Apr 1, 2019