Enforce config file permissions
parent
9ce345d99d
commit
249098a587
@ -11,6 +11,8 @@ import {Type} from "./Utils";
|
||||
import LogRequestsComponent from "./components/LogRequestsComponent";
|
||||
import {ValidationBag} from "./db/Validator";
|
||||
import config from "config";
|
||||
import * as fs from "fs";
|
||||
import SecurityError from "./SecurityError";
|
||||
import TemplateError = lib.TemplateError;
|
||||
|
||||
export default abstract class Application {
|
||||
@ -177,6 +179,16 @@ export default abstract class Application {
|
||||
}
|
||||
|
||||
private async checkSecuritySettings(): Promise<void> {
|
||||
// Check config file permissions
|
||||
for (const file of fs.readdirSync('config')) {
|
||||
const stats = fs.lstatSync(file);
|
||||
if (stats.uid !== process.getuid())
|
||||
throw new SecurityError(file + ' is not owned by this process (' + process.getuid() + ').');
|
||||
if (stats.mode !== 400)
|
||||
throw new SecurityError(file + ' is not chmod 400.');
|
||||
}
|
||||
|
||||
// Check security fields
|
||||
for (const component of this.components) {
|
||||
await component.checkSecuritySettings();
|
||||
}
|
||||
|
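Review bot: Both checks in the new loop of checkSecuritySettings compare the wrong values, so the permission enforcement does not do what the commit title says. `fs.readdirSync('config')` returns bare entry names, so `fs.lstatSync(file)` resolves against the working directory rather than `config/`. In addition, `stats.mode` carries the file-type bits and is compared with decimal 400, which a 0400 regular file (mode 0o100400) cannot equal, so startup would appear to reject every file. I would change these to `const stats = fs.lstatSync(path.join('config', file));` and `if ((stats.mode & 0o777) !== 0o400)`, which needs a `path` import that the import hunk above does not add. Because lstat does not follow symlinks, a symlinked config entry is judged on the link's own mode, so it is worth deciding whether to reject symlinks explicitly; the method's closing brace lies outside the hunk.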