Enforce config file permissions
parent
9ce345d99d
commit
249098a587
@ -11,6 +11,8 @@ import {Type} from "./Utils";
|
|||||||
import LogRequestsComponent from "./components/LogRequestsComponent";
|
import LogRequestsComponent from "./components/LogRequestsComponent";
|
||||||
import {ValidationBag} from "./db/Validator";
|
import {ValidationBag} from "./db/Validator";
|
||||||
import config from "config";
|
import config from "config";
|
||||||
|
import * as fs from "fs";
|
||||||
|
import SecurityError from "./SecurityError";
|
||||||
import TemplateError = lib.TemplateError;
|
import TemplateError = lib.TemplateError;
|
||||||
|
|
||||||
export default abstract class Application {
|
export default abstract class Application {
|
||||||
@ -177,6 +179,16 @@ export default abstract class Application {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private async checkSecuritySettings(): Promise<void> {
|
private async checkSecuritySettings(): Promise<void> {
|
||||||
|
// Check config file permissions
|
||||||
|
for (const file of fs.readdirSync('config')) {
|
||||||
|
const stats = fs.lstatSync(file);
|
||||||
|
if (stats.uid !== process.getuid())
|
||||||
|
throw new SecurityError(file + ' is not owned by this process (' + process.getuid() + ').');
|
||||||
|
if (stats.mode !== 400)
|
||||||
|
throw new SecurityError(file + ' is not chmod 400.');
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check security fields
|
||||||
for (const component of this.components) {
|
for (const component of this.components) {
|
||||||
await component.checkSecuritySettings();
|
await component.checkSecuritySettings();
|
||||||
}
|
}
|
||||||
|
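Review bot: The mode test in checkSecuritySettings, `if (stats.mode !== 400)`, can never pass: `stats.mode` carries the file-type bits alongside the permission bits and `400` is decimal rather than octal, so even a correctly locked-down file is rejected; compare only the permission bits, `if ((stats.mode & 0o777) !== 0o400)`. The `fs.lstatSync(file)` call just above it is given the bare name returned by `fs.readdirSync('config')`, so it resolves against the working directory instead of `config/`; `fs.lstatSync(path.join('config', file))`, with `path` imported, stats the intended file. Because `lstat` does not follow symlinks, a symlinked config entry would be judged on the link's own owner and mode rather than the target's, so it is worth deciding explicitly whether to reject symlinks or to `stat` the target. The method's body continues outside the hunk.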