deadcxap/liberama
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Закрыта дыра безопасности

Browse Source
This commit is contained in:
Book Pauk
2020-02-11 13:02:43 +07:00
parent 2484568b21
commit 1bcd902817
4 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
server/controllers/MiscController.js
View File

@@ -3,8 +3,11 @@ const _ = require('lodash');
class MiscController extends BaseController {
async getConfig(req, res) {
if (Array.isArray(req.body.params))
return _.pick(this.config, req.body.params);
if (Array.isArray(req.body.params)) {
const paramsSet = new Set(req.body.params);
return _.pick(this.config, this.config.webConfigParams.filter(x => paramsSet.has(x)));
}
//bad request
res.status(400).send({error: 'params is not an array'});
return false;

4
server/controllers/WebSocketController.js
View File

@@ -98,7 +98,9 @@ class WebSocketController {
async getConfig(req, ws) {
if (Array.isArray(req.params)) {
this.send(_.pick(this.config, req.params), req, ws);
const paramsSet = new Set(req.params);
this.send(_.pick(this.config, this.config.webConfigParams.filter(x => paramsSet.has(x))), req, ws);
} else {
throw new Error('params is not an array');
}