Merge pull request #4373 from brunnre8/permissions

This commit is contained in:
Max Leiter 2021-12-01 14:18:10 -08:00 committed by GitHub
commit 35d8f4e212
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 2 deletions

View File

@ -158,6 +158,34 @@ function setHome(newPath) {
// Load theme color from the web manifest
const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
this.config.themeColor = manifest.theme_color;
// log dir probably shouldn't be world accessible.
// Create it with the desired permission bits if it doesn't exist yet.
let logsStat = undefined;
try {
logsStat = fs.statSync(userLogsPath);
} catch {
// ignored on purpose, node v14.17.0 will give us {throwIfNoEntry: false}
}
if (!logsStat) {
try {
fs.mkdirSync(userLogsPath, {recursive: true, mode: 0o750});
} catch (e) {
log.error("Unable to create logs directory", e);
}
} else if (logsStat && logsStat.mode & 0o001) {
log.warn(
"contents of",
userLogsPath,
"can be accessed by any user, the log files may be exposed"
);
if (os.platform() !== "win32") {
log.warn(`run \`chmod o-x ${userLogsPath}\` to correct it`);
}
}
}
function getHomePath() {

View File

@ -11,7 +11,28 @@ class WebPush {
constructor() {
const vapidPath = path.join(Helper.getHomePath(), "vapid.json");
if (fs.existsSync(vapidPath)) {
let vapidStat = undefined;
try {
vapidStat = fs.statSync(vapidPath);
} catch {
// ignored on purpose, node v14.17.0 will give us {throwIfNoEntry: false}
}
if (vapidStat) {
const isWorldReadable = (vapidStat.mode & 0o004) !== 0;
if (isWorldReadable) {
log.warn(
vapidPath,
"is world readable. The file contains secrets. Please fix the permissions"
);
if (require("os").platform() !== "win32") {
log.warn(`run \`chmod o= ${vapidPath}\` to correct it`);
}
}
const data = fs.readFileSync(vapidPath, "utf-8");
const parsedData = JSON.parse(data);
@ -29,7 +50,9 @@ class WebPush {
if (!this.vapidKeys) {
this.vapidKeys = WebPushAPI.generateVAPIDKeys();
fs.writeFileSync(vapidPath, JSON.stringify(this.vapidKeys, null, "\t"));
fs.writeFileSync(vapidPath, JSON.stringify(this.vapidKeys, null, "\t"), {
mode: 0o600,
});
log.info("New VAPID key pair has been generated for use with push subscription.");
}