From 8827da6478e5e1083238bc3c93b02f72541fdf2a Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Thu, 5 Mar 2015 22:07:45 +0000
Subject: [PATCH] fix XSS vulnerability on error pages
---
 lib/insecure-server.js | 4 ++--
 lib/vhost-sni-server.js | 34 +++++++++++++++++++++-------------
 2 files changed, 23 insertions(+), 15 deletions(-)
diff --git a/lib/insecure-server.js b/lib/insecure-server.js
index 2654b1e..9be997b 100644
--- a/lib/insecure-server.js
+++ b/lib/insecure-server.js
@@ -42,11 +42,11 @@ module.exports.create = function (securePort, insecurePort, redirects) {
 + '\n'
 + '\n'
 + ' \n'
- + ' \n'
+ + ' \n'
 + '\n'
 + '\n'
 + '

You requested an insecure resource. Please use this instead: \n'
- + ' ' + newLocation + '

\n'
+ + ' ' + encodeURI(newLocation) + '

\n'
 + '\n'
 + '\n'
 ;
diff --git a/lib/vhost-sni-server.js b/lib/vhost-sni-server.js
index c9fec1d..2193940 100644
--- a/lib/vhost-sni-server.js
+++ b/lib/vhost-sni-server.js
@@ -45,13 +45,13 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
 + ""
 + "
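Review bot: `encodeURI(newLocation)` on the new side of this hunk is a URL encoder, not an HTML escaper: it leaves `'`, `&`, `(` and `)` untouched, so the markup is only safe if the attribute and link around newLocation are double-quoted (the surrounding tags are not legible in this copy of the patch), and it percent-encodes `%` a second time when newLocation already contains an escaped byte, so the destination the page points to can differ from the one the client asked for. An HTML entity escaper applied at the point where the value is interpolated into markup keeps the two concerns apart and leaves the URL itself to whatever builds newLocation, which happens before this hunk. The same encodeURI-as-HTML-escaper pattern is used in all three hunks of lib/vhost-sni-server.js (the `Method:`/`Hostname:`/`Route:` lines, the `Cannot …` page and the 500 JSON body), so a shared helper would serve both files, e.g. `' + escapeHtml(newLocation) + '` in place of `encodeURI(newLocation)`.
```javascript
// HTML-escape a value before interpolating it into markup (text node or quoted attribute).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
// … unchanged: page body, with escapeHtml(newLocation) where encodeURI(newLocation) is now …
```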
"
         + ""
-        + "Method: " + req.method
+        + "Method: " + encodeURI(req.method)
         + '\n'
-        + "Hostname: " + domaininfo.hostname
+        + "Hostname: " + encodeURI(domaininfo.hostname)
         + '\n'
-        + "App: " + (domaininfo.pathname ? (domaininfo.pathname + '/') : '')
+        + "App: " + encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
         + '\n'
-        + "Route: " + req.url//.replace(/^\//, '')
+        + "Route: " + encodeURI(req.url)//.replace(/^\//, '')
         + '\n'
           // TODO better sanatization
         + 'Error: '  + (err.message || err.toString()).replace(/"
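Review bot: The rewritten `Route:` line still carries the commented-out `//.replace(/^\//, '')` after the call, and the same strip is applied for real in the `Cannot …` block later in this file (`encodeURI(req.url.replace(/^\//, ''))`), so the fragment is dead code and should be dropped: `+ "Route: " + encodeURI(req.url)`. Percent-encoding also changes what the reader sees on the error page — a path of `/foo bar` prints as `/foo%20bar` and an already-encoded `%20` becomes `%2520` — which is the visible cost of using a URL encoder where an HTML escaper was meant; the `Error:` context line two lines down, whose `.replace` chain is partly illegible in this copy, already takes the entity-replacement approach, so the block now mixes two escaping strategies. The string concatenation being built here starts before this hunk.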
                     + ""
                     + "Cannot "
-                    + req.method
+                    + encodeURI(req.method)
                     + " 'https://"
-                    + domaininfo.hostname
+                    + encodeURI(domaininfo.hostname)
                     + '/' 
-                    + (domaininfo.pathname ? (domaininfo.pathname + '/') : '')
-                    + req.url.replace(/^\//, '')
+                    + encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
+                    + encodeURI(req.url.replace(/^\//, ''))
                     + "'"
                     + "
" + "
" - + "Domain: " + domaininfo.hostname + + "Domain: " + encodeURI(domaininfo.hostname) + "
" - + "App: " + domaininfo.pathname + + "App: " + encodeURI(domaininfo.pathname) + "
"
- + "Route : " + req.url
+ + "Route : " + encodeURI(req.url)
 + ""
 + ""
 );
@@ -182,10 +182,15 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
 appContext = localAppWrapped;
 appContext(req, res, next);
 } catch(e) {
- console.error('[ERROR] ' + domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname);
+ console.error('[ERROR] '
+ + domaininfo.hostname + ':' + securePort
+ + '/' + domaininfo.pathname
+ );
 console.error(e);
+ // TODO this may not work in web apps (due to 500), probably okay
+ res.writeHead(500);
 res.end('{ "error": { "message": "[ERROR] could not load '
- + domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname
+ + encodeURI(domaininfo.hostname) + ':' + securePort + '/' + encodeURI(domaininfo.pathname)
 + 'or default error app." } }');
 }
 });
@@ -224,6 +229,7 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
 console.error(err);
 console.error(msg);
 return function (req, res) {
+ res.writeHead(500);
 res.end('{ "error": { "message": "' + msg + '" } }');
 }
 }
@@ -392,6 +398,8 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
 key: localDummyCerts.key
 , cert: localDummyCerts.cert
 , ca: localDummyCerts.ca
+ // changes from default: disallow RC4
+ , ciphers: "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL"
 };
 function addSniWorkaroundCallback() {
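Review bot: The 500 body in the `catch(e)` block of the `@@ -182` hunk is still hand-assembled JSON, and the text it produces is wrong: `'/' + encodeURI(domaininfo.pathname)` runs straight into `'or default error app."`, so the message reads `…/<pathname>or default error app.` with no space. Building the object and serialising it removes the need to percent-encode the hostname and pathname just to keep the quotes balanced, e.g. `res.end(JSON.stringify({ error: { message: '[ERROR] could not load ' + domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname + ' or default error app.' } }));`. The `@@ -224` hunk has the same shape: `msg` is spliced into a JSON literal unescaped, its origin is not visible here, and a `"` in it would break the document. Neither new `res.writeHead(500)` sets a Content-Type; whether one is set elsewhere on the response is outside these hunks.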
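Review bot: The new `ciphers` string in the `@@ -392` hunk lists the CBC suites and `AES128-GCM-SHA256` (RSA key exchange, no forward secrecy) ahead of any ECDHE GCM suite, and `HIGH` still admits the RSA-key-exchange and 3DES suites it contains, so the change removes RC4 but does not establish a preference. Depending on the Node version, `honorCipherOrder` defaults to false, in which case the order in the string has no effect and the client's preference decides. Suggest `, ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!RC4:!3DES:!MD5:!aNULL"` together with `, honorCipherOrder: true`, and widen the comment to `// changes from default: disallow RC4, 3DES and anonymous suites; prefer ECDHE`.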