
XSS Override (#193)

XSS Override
pull/175/head^2
Cian Butler 6 years ago
committed by GitHub
parent
commit
de637bb70e
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 6
      index.js
  2. 2
      package.json
  3. 6
      src/server/index.ts
  4. 1
      src/server/interfaces.ts
  5. 18
      src/server/server.ts

6
index.js

@ -94,6 +94,12 @@ if (require.main === module) {
type: 'string',
default: process.env.COMMAND || 'login',
},
bypasshelmet: {
demand: false,
description: 'disable helmet from placing security restrictions',
type: 'boolean',
default: false,
},
help: {
demand: false,
alias: 'h',
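Review bot: The `description:` text for the new `bypasshelmet` flag understates what it does: the option turns off every HTTP security header helmet adds for the whole app, not a single restriction, so `description: 'disable all of the HTTP security headers that helmet sets'` would tell an operator what they are actually giving up. Because the default is `false`, the only sign that a deployment is running without those headers will be the absence of the headers themselves; a one-line startup log when the flag is true would make that state visible in the server log. The yargs option object this belongs to starts before this hunk and continues after it.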

2
package.json

@ -94,7 +94,7 @@
"eslint-plugin-typescript": "^1.0.0-rc.1",
"file-loader": "^3.0.1",
"husky": "^1.3.1",
"lint-staged": "^6.1.1",
"lint-staged": "~8.2.0",
"mini-css-extract-plugin": "^0.5.0",
"node-sass": "^4.11.0",
"nodemon": "^1.14.10",

6
src/server/index.ts

@ -17,6 +17,7 @@ export interface Options {
port: number;
title: string;
command?: string;
bypasshelmet?: boolean;
}
interface CLI extends Options {
@ -38,6 +39,7 @@ export default class Server {
command,
sslkey,
sslcert,
bypasshelmet,
}: Options): Promise<void> {
wetty
.on('exit', ({ code, msg }: { code: number; msg: string }) => {
@ -56,11 +58,11 @@ export default class Server {
host: sshhost,
auth: sshauth,
port: sshport,
title: title,
title,
pass: sshpass,
key: sshkey,
},
{ base, host, port, title },
{ base, host, port, title, bypasshelmet },
command,
{ key: sslkey, cert: sslcert }
);
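Review bot: `bypasshelmet` is declared optional in `Options` (`bypasshelmet?: boolean`, first hunk), but the object built from it at `{ base, host, port, title, bypasshelmet }` in the third hunk is passed on as the `Server` argument, and src/server/interfaces.ts declares that field as a required `bypasshelmet: boolean`; under `strictNullChecks` that is a type error, and without it `undefined` flows into the server untyped. Defaulting it where the options are destructured in the second hunk, `bypasshelmet = false,`, keeps the CLI option optional and hands the server a real boolean; the alternative is `bypasshelmet?: boolean` in interfaces.ts. The method whose parameters are destructured in the second hunk begins before it, and the call whose arguments appear in the third hunk (presumably `createServer` from server.ts) is not visible by name here.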

1
src/server/interfaces.ts

@ -21,4 +21,5 @@ export interface Server {
port: number;
host: string;
base: string;
bypasshelmet: boolean;
}

18
src/server/server.ts

@ -17,7 +17,7 @@ const distDir = path.join(__dirname, 'client');
const trim = (str: string): string => str.replace(/\/*$/, '');
export default function createServer(
{ base, port, host, title }: Server,
{ base, port, host, title, bypasshelmet }: Server,
{ key, cert }: SSLBuffer
): SocketIO.Server {
const basePath = trim(base);
@ -49,7 +49,7 @@ export default function createServer(
</div>
<div id="options">
<a class="toggler"
href="#"
href="#"
alt="Toggle options"><i class="fas fa-cogs"></i></a>
<textarea class="editor"></textarea>
</div>
@ -61,7 +61,6 @@ export default function createServer(
const app = express();
app
.use(morgan('combined', { stream: logger.stream }))
.use(helmet())
.use(compression())
.use(favicon(path.join(distDir, 'favicon.ico')))
.use(`${basePath}/public`, express.static(distDir))
@ -73,9 +72,16 @@ export default function createServer(
)
res.redirect(301, req.url.slice(0, -1));
else next();
})
.get(basePath, html)
.get(`${basePath}/ssh/:user`, html);
});
// Allow helmet to be bypassed.
// Unfortunately, order matters with middleware
// which is why this is thrown in the middle
if (!bypasshelmet) {
app.use(helmet());
}
app.get(basePath, html).get(`${basePath}/ssh/:user`, html);
return socket(
!isUndefined(key) && !isUndefined(cert)
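Review bot: The conditional `app.use(helmet())` now runs after `express.static` and the trailing-slash redirect in the chain above it, so responses those handlers finish (every file under `${basePath}/public`, and the 301) go out without any helmet headers even when `bypasshelmet` is false; before this change helmet was first in the chain (the `.use(helmet())` removed in the `@ -61,7` hunk). The comment is right that order matters, but the order that matters is helmet ahead of anything that can end a response, which a guard placed directly after `const app = express();` gives without splitting the chain. Since the flag removes every helmet header at once, if one header is what needs overriding (the commit title suggests X-XSS-Protection), `helmet({ xssFilter: false })` switches off only that middleware. createServer's body begins before these hunks and the `return socket(` expression continues past the last visible line.
```typescript
const app = express();
// Helmet must be registered before express.static and the redirect handler,
// otherwise responses they finish carry none of its headers.
if (!bypasshelmet) {
  app.use(helmet());
}
app
  .use(morgan('combined', { stream: logger.stream }))
  // … unchanged: compression, favicon, static, trailing-slash redirect …
  .get(basePath, html)
  .get(`${basePath}/ssh/:user`, html);
```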
