Закрыта дыра безопасности

client/api/misc.js

@@ -14,7 +14,8 @@ class Misc {
 
         try {
             await wsc.open();
-            return await wsc.message(wsc.send(Object.assign({action: 'get-config'}, query)));
+            const config = await wsc.message(wsc.send(Object.assign({action: 'get-config'}, query)));
+            return config;
         } catch (e) {
             console.error(e);
         }

server/config/base.js

@@ -21,7 +21,8 @@ module.exports = {
     maxTempPublicDirSize: 512*1024*1024,//512Мб
     maxUploadPublicDirSize: 200*1024*1024,//100Мб
 
-    useExternalBookConverter: false,    
+    useExternalBookConverter: false,
+    webConfigParams: ['name', 'version', 'mode', 'maxUploadFileSize', 'useExternalBookConverter', 'branch'],
 
     db: [
         {

server/controllers/MiscController.js

@@ -3,8 +3,11 @@ const _ = require('lodash');
 
 class MiscController extends BaseController {
     async getConfig(req, res) {
-        if (Array.isArray(req.body.params))
+        if (Array.isArray(req.body.params)) {
-            return _.pick(this.config, req.body.params);
+            const paramsSet = new Set(req.body.params);
+
+            return _.pick(this.config, this.config.webConfigParams.filter(x => paramsSet.has(x)));
+        }
         //bad request
         res.status(400).send({error: 'params is not an array'});
         return false;

server/controllers/WebSocketController.js

@@ -98,7 +98,9 @@ class WebSocketController {
 
     async getConfig(req, ws) {
         if (Array.isArray(req.params)) {
-            this.send(_.pick(this.config, req.params), req, ws);
+            const paramsSet = new Set(req.params);
+
+            this.send(_.pick(this.config, this.config.webConfigParams.filter(x => paramsSet.has(x))), req, ws);
         } else {
             throw new Error('params is not an array');
         }