Fix config file security check access path

Alice Gaudon 2020-07-15 15:22:04 +02:00
parent 74f8b48d27
commit 583a5a92de
2 changed files with 8 additions and 5 deletions


@ -1,6 +1,6 @@
{
"name": "wms-core",
"version": "0.16.0",
"version": "0.16.1",
"description": "Node web framework",
"repository": "git@gitlab.com:ArisuOngaku/wms-core.git",
"author": "Alice Gaudon <alice@gaudon.pro>",


@ -13,6 +13,7 @@ import {ValidationBag} from "./db/Validator";
import config from "config";
import * as fs from "fs";
import SecurityError from "./SecurityError";
import * as path from "path";
import TemplateError = lib.TemplateError;
export default abstract class Application {
@ -180,12 +181,14 @@ export default abstract class Application {
private async checkSecuritySettings(): Promise<void> {
// Check config file permissions
for (const file of fs.readdirSync('config')) {
const stats = fs.lstatSync(file);
const configDir = 'config';
for (const file of fs.readdirSync(configDir)) {
const fullPath = path.resolve(configDir, file);
const stats = fs.lstatSync(fullPath);
if (stats.uid !== process.getuid())
throw new SecurityError(file + ' is not owned by this process (' + process.getuid() + ').');
throw new SecurityError(fullPath + ' is not owned by this process (' + process.getuid() + ').');
if (stats.mode !== 400)
throw new SecurityError(file + ' is not chmod 400.');
throw new SecurityError(fullPath + ' is not chmod 400.');
}
// Check security fields
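Review bot: The permission test `if (stats.mode !== 400)` in checkSecuritySettings, left unchanged by this fix, compares against decimal 400, but `fs.Stats.mode` is a bit field that also carries the file-type bits. A regular file with permissions 0400 reports 0o100400, so the comparison is always true and a SecurityError is thrown for every entry, including correctly protected ones. Now that `lstatSync` is given a path that resolves, this branch is presumably reached for the first time; mask the permission bits and use an octal literal: `if ((stats.mode & 0o777) !== 0o400)`. Because `lstatSync` does not follow symlinks and `readdirSync` also returns subdirectories, a short comment should say whether links and directories under the config directory are expected to pass this check. The method body continues past the end of the hunk.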