From f7b08c0bd931610c584d0c181b0af305e3684021 Mon Sep 17 00:00:00 2001 From: Elijah Bodden <106613755+Elijah-Bodden@users.noreply.github.com> Date: Thu, 28 Jul 2022 22:04:21 -0500 Subject: [PATCH] Fix potential severe XSS --- src/source/frontend/dist/lib/index.js | 58 +++++++++++++++++++-------- 1 file changed, 41 insertions(+), 17 deletions(-) diff --git a/src/source/frontend/dist/lib/index.js b/src/source/frontend/dist/lib/index.js index e0ea006..a1b69f9 100644 --- a/src/source/frontend/dist/lib/index.js +++ b/src/source/frontend/dist/lib/index.js @@ -1,12 +1,5 @@ /** @format */ -// Copyright 2022 Elijah Bodden - -// Use of this source code is governed by an MIT-style -// license that can be found in the LICENSE file or at -// https://opensource.org/licenses/MIT. - - "use strict"; var CONFIG = {} @@ -89,6 +82,16 @@ var defaultConfig = { moderateMapInstabilityTolerance : true, arbitraryPeerRouteTimeout : 100000000, routeAcceptHeuristic : async function (pkg) { + if (pkg.desiredPermissions==="advanced") { + eventStream.log("system", `Peer authentication requested by ${CONFIG.UI.renderUnfamiliarPublicAliases ? (hiddenAliasLookup[pkg.sender] ?? pkg.sender) : pkg.sender}`, "transient", ["align-center", "system-message-card-route-pending", "message-card-slim"], pkg.sender) + var accepted = true + try { + await eventHandler.acquireExpectedDispatch(`authenticationAuthorized|${pkg.sender}`, CONFIG.communication.arbitraryPeerRouteTimeout) + } catch { + accepted = false + } + return accepted + } return true } }, @@ -114,9 +117,30 @@ var defaultConfig = { invalidSDP : 100, }, configLoadFunction : async function() { - window.addEventListener("DOMContentLoaded", () => eventHandler.dispatch('DOMFunctional'), 1000) + window.addEventListener("DOMContentLoaded", () => eventHandler.dispatch("DOMFunctional")) await eventHandler.acquireExpectedDispatch("DOMFunctional") - return {} + await fillDefaults() + effectiveFirstVisit = true + if (!JSON.parse(window.localStorage.config ?? "{}")?.["communication.publicAlias"] || !JSON.parse(window.localStorage.config ?? "{}").rememberMe) { + await (async () => { + var contentDisabler = document.createElement("iframe") + contentDisabler.style.position = "absolute" + contentDisabler.style.left = contentDisabler.style.right = contentDisabler.style.top = contentDisabler.style.bottom = "0px" + contentDisabler.style.width = contentDisabler.style.height = "100%" + contentDisabler.style.border = "0px" + contentDisabler.style.zIndex = 100000 + document.querySelector("#init-blur-wrapper").style.visibility = "visible" + document.querySelector("#init-blur-wrapper").style.filter = "blur(3px) saturate(90%) brightness(90%)" + document.body.appendChild(contentDisabler) + const selectedHiddenAlias = await hiddenAliasPromptMenu() + document.querySelector("#init-blur-wrapper").replaceWith(...document.querySelector("#init-blur-wrapper").childNodes) + document.body.removeChild(contentDisabler) + exportToLS("communication.publicAlias", selectedHiddenAlias) + })() + } else { + document.querySelector("#init-blur-wrapper").replaceWith(...document.querySelector("#init-blur-wrapper").childNodes) + } + return JSON.parse(window.localStorage.config ?? "{}") } }, serverLink : { @@ -129,6 +153,7 @@ var defaultConfig = { } } +var effectiveFirstVisit = false const livePeers = {}; const authPeers = [] var serverHardRestart @@ -284,10 +309,10 @@ class eventHandlingMechanism { if (!hasResolved) reject( `Dispatch listener promise for the identifier ${dispatchIdentifier} timed out after ${ - timeout ?? CONFIG.constants.defaultEventHandlingMechanismTimeout + timeout ?? CONFIG?.constants?.defaultEventHandlingMechanismTimeout ?? 100000 }ms` ); - }, timeout ?? CONFIG.constants.defaultEventHandlingMechanismTimeout); + }, timeout ?? CONFIG?.constants?.defaultEventHandlingMechanismTimeout ?? 100000) }), reject: rejectGeneratedPromise, resolve: resolveGeneratedPromise, @@ -759,7 +784,7 @@ class peerConnection { switch (parsed[0]) { case "consumable": if (!this.peerData?.hiddenAlias) return - this.dispatchConsumableAuth(parsed[1].raw) + this.dispatchConsumableAuth(escapeHTML(parsed[1].raw)) break; case "gossip": gossipTransport.consumeGossip(parsed[1]); @@ -1490,15 +1515,14 @@ async function onPublicError(callback) { eventHandler.onReceipt("fatalError", callback) } -//#to be defined as needed: async function nonstandardParserDrain(type, args) { - + //#to be individually defined } function indicateRouteAccepted(node) { - + blinkStatus("success", node) } async function obviatePeerError(node) { - -} + blinkStatus("error", node) +} \ No newline at end of file