Merge pull request #4373 from brunnre8/permissions

2021-12-01 14:18:10 -08:00 · 2021-12-01 14:18:10 -08:00 · 35d8f4e212
commit 35d8f4e212
parent 3c70fab7c6 0ff9703a28
2 changed files with 53 additions and 2 deletions
--- a/src/helper.js
+++ b/src/helper.js
@ -158,6 +158,34 @@ function setHome(newPath) {
 	// Load theme color from the web manifest
 	const manifest = JSON.parse(fs.readFileSync(manifestPath, "utf8"));
 	this.config.themeColor = manifest.theme_color;
+
+	// log dir probably shouldn't be world accessible.
+	// Create it with the desired permission bits if it doesn't exist yet.
+	let logsStat = undefined;
+
+	try {
+		logsStat = fs.statSync(userLogsPath);
+	} catch {
+		// ignored on purpose, node v14.17.0 will give us {throwIfNoEntry: false}
+	}
+
+	if (!logsStat) {
+		try {
+			fs.mkdirSync(userLogsPath, {recursive: true, mode: 0o750});
+		} catch (e) {
+			log.error("Unable to create logs directory", e);
+		}
+	} else if (logsStat && logsStat.mode & 0o001) {
+		log.warn(
+			"contents of",
+			userLogsPath,
+			"can be accessed by any user, the log files may be exposed"
+		);
+
+		if (os.platform() !== "win32") {
+			log.warn(`run \`chmod o-x ${userLogsPath}\` to correct it`);
+		}
+	}
 }

 function getHomePath() {
--- a/src/plugins/webpush.js
+++ b/src/plugins/webpush.js
@ -11,7 +11,28 @@ class WebPush {
 	constructor() {
 		const vapidPath = path.join(Helper.getHomePath(), "vapid.json");

-		if (fs.existsSync(vapidPath)) {
+		let vapidStat = undefined;
+
+		try {
+			vapidStat = fs.statSync(vapidPath);
+		} catch {
+			// ignored on purpose, node v14.17.0 will give us {throwIfNoEntry: false}
+		}
+
+		if (vapidStat) {
+			const isWorldReadable = (vapidStat.mode & 0o004) !== 0;
+
+			if (isWorldReadable) {
+				log.warn(
+					vapidPath,
+					"is world readable. The file contains secrets. Please fix the permissions"
+				);
+
+				if (require("os").platform() !== "win32") {
+					log.warn(`run \`chmod o= ${vapidPath}\` to correct it`);
+				}
+			}
+
 			const data = fs.readFileSync(vapidPath, "utf-8");
 			const parsedData = JSON.parse(data);

@ -29,7 +50,9 @@ class WebPush {
 		if (!this.vapidKeys) {
 			this.vapidKeys = WebPushAPI.generateVAPIDKeys();

-			fs.writeFileSync(vapidPath, JSON.stringify(this.vapidKeys, null, "\t"));
+			fs.writeFileSync(vapidPath, JSON.stringify(this.vapidKeys, null, "\t"), {
+				mode: 0o600,
+			});

 			log.info("New VAPID key pair has been generated for use with push subscription.");
 		}