Merge pull request #4373 from brunnre8/permissions
commit
35d8f4e212
@ -158,6 +158,34 @@ function setHome(newPath) {
|
||||
// Load theme color from the web manifest
|
||||
const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
|
||||
this.config.themeColor = manifest.theme_color;
|
||||
|
||||
// log dir probably shouldn't be world accessible.
|
||||
// Create it with the desired permission bits if it doesn't exist yet.
|
||||
let logsStat = undefined;
|
||||
|
||||
try {
|
||||
logsStat = fs.statSync(userLogsPath);
|
||||
} catch {
|
||||
// ignored on purpose, node v14.17.0 will give us {throwIfNoEntry: false}
|
||||
}
|
||||
|
||||
if (!logsStat) {
|
||||
try {
|
||||
fs.mkdirSync(userLogsPath, {recursive: true, mode: 0o750});
|
||||
} catch (e) {
|
||||
log.error("Unable to create logs directory", e);
|
||||
}
|
||||
} else if (logsStat && logsStat.mode & 0o001) {
|
||||
log.warn(
|
||||
"contents of",
|
||||
userLogsPath,
|
||||
"can be accessed by any user, the log files may be exposed"
|
||||
);
|
||||
|
||||
if (os.platform() !== "win32") {
|
||||
log.warn(`run \`chmod o-x ${userLogsPath}\` to correct it`);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function getHomePath() {
|
||||
|
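Review bot: The existing-directory branch tests only the world search bit (`logsStat.mode & 0o001`), so a logs directory with mode `0o754` passes silently even though other users can still list its file names. Testing all three "other" bits closes that gap: `} else if (logsStat.mode & 0o007) {`, with the hint changed to `chmod o= ${userLogsPath}`. The `logsStat &&` guard is redundant there, because the preceding `if (!logsStat)` already handles the missing case. It is also worth a comment on the `mkdirSync` call that `mode: 0o750` is still filtered by the process umask. The body of `setHome` starts outside the hunk.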
@ -11,7 +11,28 @@ class WebPush {
|
||||
constructor() {
|
||||
const vapidPath = path.join(Helper.getHomePath(), "vapid.json");
|
||||
|
||||
if (fs.existsSync(vapidPath)) {
|
||||
let vapidStat = undefined;
|
||||
|
||||
try {
|
||||
vapidStat = fs.statSync(vapidPath);
|
||||
} catch {
|
||||
// ignored on purpose, node v14.17.0 will give us {throwIfNoEntry: false}
|
||||
}
|
||||
|
||||
if (vapidStat) {
|
||||
const isWorldReadable = (vapidStat.mode & 0o004) !== 0;
|
||||
|
||||
if (isWorldReadable) {
|
||||
log.warn(
|
||||
vapidPath,
|
||||
"is world readable. The file contains secrets. Please fix the permissions"
|
||||
);
|
||||
|
||||
if (require("os").platform() !== "win32") {
|
||||
log.warn(`run \`chmod o= ${vapidPath}\` to correct it`);
|
||||
}
|
||||
}
|
||||
|
||||
const data = fs.readFileSync(vapidPath, "utf-8");
|
||||
const parsedData = JSON.parse(data);
|
||||
|
||||
@ -29,7 +50,9 @@ class WebPush {
|
||||
if (!this.vapidKeys) {
|
||||
this.vapidKeys = WebPushAPI.generateVAPIDKeys();
|
||||
|
||||
fs.writeFileSync(vapidPath, JSON.stringify(this.vapidKeys, null, "\t"));
|
||||
fs.writeFileSync(vapidPath, JSON.stringify(this.vapidKeys, null, "\t"), {
|
||||
mode: 0o600,
|
||||
});
|
||||
|
||||
log.info("New VAPID key pair has been generated for use with push subscription.");
|
||||
}
|
||||
|
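Review bot: The `mode: 0o600` passed to `fs.writeFileSync` only takes effect when the call creates the file. If `vapid.json` already exists when the `if (!this.vapidKeys)` branch runs (for example after stored keys were rejected, which the lines outside the hunks would decide), the old permission bits survive and the new private key lands in a file that may still be world readable. Following the write with `fs.chmodSync(vapidPath, 0o600);` makes the result independent of the file's prior state. The warning path has a related gap: `(vapidStat.mode & 0o004) !== 0` ignores group read (`0o040`), and on Windows the mode bits from `fs.statSync` are synthesized, so the warning probably fires on every start there with no remediation shown. Reusing a top-level `os` import instead of the inline `require("os")` would match the other file.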