Merge pull request #42 from undefined-hestudio/main

1.4.3

Author: undefined-hestudio

CHANGELOG

@@ -1,3 +1,8 @@
+### 1.4.3
+1. server: Upgraded dependency library to fix CVE-2024-45296.
+2. debug: Enhanced password hash validation.
+3. debug: Passwords are not allowed in GET mode, please use POST instead.
+
 ### 1.4.2 
 1. server: Support Nodejs 22 LTS version.
 2. server(docker): Use optimized docker build sources to reduce image size.

get.js

@@ -1,5 +1,5 @@
 require("dotenv").config();
-const VERSION = "1.4.2";
+const VERSION = "1.4.3";
 
 const express = require("express");
 const schedule = require("node-schedule");
@@ -427,22 +427,31 @@ if (typeof hbwgConfig.external === "object") {
       hbwgConfig.apiconfig.debug.url = "/debug";
     else hbwgConfig.apiconfig.debug.url = String(hbwgConfig.external.debug.url);
 
-    if (hbwgConfig.external.debug.passwd) {
-      const hash = crypto.createHash("sha256");
-      hash.update(hbwgConfig.external.debug.passwd);
-      hbwgConfig.DebugPasswd = hash.digest("hex");
-    }
-
     if (hbwgConfig.external.debug.method) {
       if (hbwgConfig.external.debug.method === "POST")
         hbwgConfig.apiconfig.debug.method = "POST";
       else if (hbwgConfig.external.debug.method === "GET")
         hbwgConfig.apiconfig.debug.method = "GET";
-      else if (!hbwgConfig.external.debug.method) hbwgConfig.apiconfig.debug.method = "GET";
       else {
         logerr("Debug method is wrong! Can only be POST or GET.");
         process.exit(1);
       }
+    } else hbwgConfig.apiconfig.debug.method = "GET";
+
+    if (hbwgConfig.external.debug.passwd) {
+      if (hbwgConfig.apiconfig.debug.method === "GET") {
+        logerr(
+          "Passwords are not allowed in GET mode, please use POST instead."
+        );
+        process.exit(1);
+      } else {
+        const hash = crypto.createHash("sha256");
+        hash.update(hbwgConfig.external.debug.passwd);
+        hash.update(VERSION);
+        hash.update(String(process.pid));
+        hash.update(__dirname);
+        hbwgConfig.DebugPasswd = hash.digest("hex");
+      }
     }
   }
 }
@@ -532,6 +541,9 @@ if (hbwgConfig.apiconfig.debug.url) {
         const passwd = req.body.passwd;
         if (typeof passwd === "undefined") hash.update("");
         else hash.update(passwd);
+        hash.update(VERSION);
+        hash.update(String(process.pid));
+        hash.update(__dirname);
         if (hash.digest("hex") == hbwgConfig.DebugPasswd) {
           postback(ip, `${hbwgConfig.apiconfig.debug.url}?passwd=***`);
           ShowDebug();
@@ -553,24 +565,8 @@ if (hbwgConfig.apiconfig.debug.url) {
         res.setHeader("Content-Type", "text/html");
         res.send(GetDebugInfo());
       };
-      if (hbwgConfig.DebugPasswd) {
-        const hash = crypto.createHash("sha256");
-        const passwd = req.query.passwd;
-        if (typeof passwd === "undefined") hash.update("");
-        else hash.update(passwd);
-        if (hash.digest("hex") == hbwgConfig.DebugPasswd) {
-          getback(ip, `${hbwgConfig.apiconfig.debug.url}?passwd=***`);
-          ShowDebug();
-        } else {
-          getback(ip, `${hbwgConfig.apiconfig.debug.url}?passwd=***`);
-          logwarn("Password is wrong!");
-          res.setHeader("Content-Type", "text/html");
-          res.status(403).send('<script>alert("Password is wrong!")</script>');
-        }
-      } else {
-        getback(ip, `${hbwgConfig.apiconfig.debug.url}`);
-        ShowDebug();
-      }
+      getback(ip, `${hbwgConfig.apiconfig.debug.url}`);
+      ShowDebug();
     });
   }
 }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "hestudio-bingwallpaper-get",
-  "version": "1.4.2",
+  "version": "1.4.3",
   "description": "A Bing wallpaper API interface that can directly image output images.",
   "main": "get.js",
   "scripts": {
@@ -29,15 +29,12 @@
     "api"
   ],
   "displayName": "heStudio BingWallpaper Get",
-  "os": [
-    "linux"
-  ],
   "publisher": "undefined",
   "dependencies": {
     "body-parser": "^1.20.3",
     "dayjs": "^1.11.13",
-    "dotenv": "^16.4.5",
-    "express": "^4.21.1",
+    "dotenv": "^16.4.7",
+    "express": "^4.21.2",
     "node-schedule": "^2.1.1",
     "uglify-js": "^3.19.3"
   },
@@ -48,8 +45,8 @@
     "node": ">=18.0.0"
   },
   "devDependencies": {
-    "@eslint/js": "^9.15.0",
+    "@eslint/js": "^9.16.0",
     "eslint": "~9.15.0",
-    "globals": "^15.12.0"
+    "globals": "^15.13.0"
   }
 }