From db3b4b8c9698e7e7acd1f76cfad69fde15b6bb82 Mon Sep 17 00:00:00 2001
From: Joseph Huckaby
Date: Fri, 10 May 2024 09:42:01 -0700
Subject: [PATCH] Version 0.9.49
- Bump `pixl-server-web` to v2.0.0 to prevent XSS reflection style attacks on APIs.
- Misc fixes to remove legacy JSONP-style APIs.
- Fixes #755
---
 htdocs/js/app.js | 2 +-
 htdocs/js/pages/Login.class.js | 2 --
 lib/api/config.js | 7 +++----
 package-lock.json | 12 ++++++------
 package.json | 4 ++--
 5 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/htdocs/js/app.js b/htdocs/js/app.js
index 76915331..d983ba35 100755
--- a/htdocs/js/app.js
+++ b/htdocs/js/app.js
@@ -22,7 +22,7 @@ app.extend({
 // receive config from server
 if (resp.code) {
 app.showProgress( 1.0, "Waiting for master server..." );
- setTimeout( function() { load_script( '/api/app/config?callback=app.receiveConfig' ); }, 1000 );
+ setTimeout( function() { load_script( '/api/app/config' ); }, 1000 );
 return;
 }
 delete resp.code;
diff --git a/htdocs/js/pages/Login.class.js b/htdocs/js/pages/Login.class.js
index 139bb358..41c2a8b3 100644
--- a/htdocs/js/pages/Login.class.js
+++ b/htdocs/js/pages/Login.class.js
@@ -31,8 +31,6 @@ Class.subclass( Page.Base, "Page.Login", {
 this.div.css({ 'padding-top':'75px', 'padding-bottom':'75px' });
 var html = '';
- // html += '';
- // html += '
'; html += '
'; html += '
User Login
';
diff --git a/lib/api/config.js b/lib/api/config.js
index eadeec9b..69184db3 100644
--- a/lib/api/config.js
+++ b/lib/api/config.js
@@ -15,9 +15,6 @@ module.exports = Class.create({
 // send config to client
 var self = this;
- // prevent XSS
- args.query.callback = 'app.receiveConfig';
-
 // do not cache this API response
 this.forceNoCacheResponse(args);
@@ -54,7 +51,9 @@ module.exports = Class.create({
 };
 }
- callback(resp);
+ // wrap response in JavaScript
+ var payload = 'app.receiveConfig(' + JSON.stringify(resp) + ');' + "\n";
+ callback( "200 OK", { 'Content-Type': 'text/javascript' }, payload );
 }
 } );
diff --git a/package-lock.json b/package-lock.json
index b19a1824..00aa79b1 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "Cronicle", - "version": "0.9.48", + "version": "0.9.49", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "Cronicle", - "version": "0.9.48", + "version": "0.9.49", "hasInstallScript": true, "license": "MIT", "dependencies": {
@@ -35,7 +35,7 @@ "pixl-server-api": "^1.0.2", "pixl-server-storage": "^3.1.18", "pixl-server-user": "^1.0.22", - "pixl-server-web": "^1.3.30", + "pixl-server-web": "^2.0.0", "pixl-tools": "^1.1.1", "pixl-webapp": "^2.0.2", "shell-quote": "1.7.3",
@@ -2341,9 +2341,9 @@ } }, "node_modules/pixl-server-web": { - "version": "1.3.30", - "resolved": "https://registry.npmjs.org/pixl-server-web/-/pixl-server-web-1.3.30.tgz", - "integrity": "sha512-Dz/q/695fuO/GohgsKfs1sZXHiizkMK2a/2EtH/gmMBDa2xWwAReKBQu7uHSDr1z3JZmkGauRQuUHzOIxmqtvA==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/pixl-server-web/-/pixl-server-web-2.0.0.tgz", + "integrity": "sha512-d5iuZdX+VkLMY/oZ49+2BtIl6RIlwpX1fEjCofXDVGCl2wk0EEScWlMw+B6Uu5U8+sbEKW0BoqbzPiVw6f7kfA==", "dependencies": { "async": "3.2.2", "class-plus": "^1.0.0",
diff --git a/package.json b/package.json
index 70164b20..36e0a59e 100644
--- a/package.json
+++ b/package.json
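Review bot: The response built on the new `var payload = 'app.receiveConfig(' + JSON.stringify(resp) + ');'` line is still an executable script with a fixed callback name, so any cross-origin page that defines `app.receiveConfig` and includes `/api/app/config` via a `<script>` tag receives the whole `resp` object — the XSSI data-leak side of JSONP, which removing the user-supplied `callback` parameter does not close. If this endpoint answers before login (the client polls it while "Waiting for master server..."), confirm that nothing in `resp` is sensitive, or emit plain JSON and have the client fetch it with XHR instead of `load_script`. As defense in depth the header object on the `callback( "200 OK", ... )` line should also carry `'X-Content-Type-Options': 'nosniff'`, so the body is only ever interpreted as the declared `text/javascript`. Because the payload is JS source rather than JSON, `JSON.stringify` output containing U+2028/U+2029 breaks parsing on pre-ES2019 engines; if such browsers matter, post-process with `.replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029')`. The enclosing API method begins outside the hunk.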
@@ -1,6 +1,6 @@
 {
 "name": "Cronicle",
- "version": "0.9.48",
+ "version": "0.9.49",
 "description": "A simple, distributed task scheduler and runner with a web based UI.",
 "author": "Joseph Huckaby ",
 "homepage": "https://github.com/jhuckaby/Cronicle",
@@ -52,7 +52,7 @@
 "pixl-server-api": "^1.0.2",
 "pixl-server-storage": "^3.1.18",
 "pixl-server-user": "^1.0.22",
- "pixl-server-web": "^1.3.30",
+ "pixl-server-web": "^2.0.0",
 "pixl-tools": "^1.1.1",
 "pixl-webapp": "^2.0.2",
 "shell-quote": "1.7.3",