fix XSS vulnerability on error pages
parent
0ae9e5a069
commit
8827da6478
@ -42,11 +42,11 @@ module.exports.create = function (securePort, insecurePort, redirects) {
|
||||||
+ '<html>\n'
|
+ '<html>\n'
|
||||||
+ '<head>\n'
|
+ '<head>\n'
|
||||||
+ ' <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
|
+ ' <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
|
||||||
+ ' <META http-equiv="refresh" content="0;URL=' + newLocation + '">\n'
|
+ ' <META http-equiv="refresh" content="0;URL=' + encodeURI(newLocation) + '">\n'
|
||||||
+ '</head>\n'
|
+ '</head>\n'
|
||||||
+ '<body style="display: none;">\n'
|
+ '<body style="display: none;">\n'
|
||||||
+ ' <p>You requested an insecure resource. Please use this instead: \n'
|
+ ' <p>You requested an insecure resource. Please use this instead: \n'
|
||||||
+ ' <a href="' + newLocation + '">' + newLocation + '</a></p>\n'
|
+ ' <a href="' + encodeURI(newLocation) + '">' + encodeURI(newLocation) + '</a></p>\n'
|
||||||
+ '</body>\n'
|
+ '</body>\n'
|
||||||
+ '</html>\n'
|
+ '</html>\n'
|
||||||
;
|
;
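Review bot: encodeURI() is a URL encoder, not an HTML escaper, and it re-encodes any `%` already present, so if newLocation is built from req.url (its construction is not visible in this hunk) a request whose path is already percent-encoded is redirected to a double-encoded target (`%20` becomes `%2520`). It also leaves `'` and `&` untouched and does nothing about the scheme, so the protection here rests on the attributes being double-quoted and on newLocation always starting with a fixed `https://` prefix. It happens to hold for the META content, the href and the link text because `"`, `<` and `>` are percent-encoded, but an explicit HTML escaper for the text node and a target built with the url module instead of concatenation would make that intent visible to the next reader. module.exports.create begins before this hunk.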
|
||||||
|
|
|
@ -45,13 +45,13 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
|
||||||
+ "<body>"
|
+ "<body>"
|
||||||
+ "<pre>"
|
+ "<pre>"
|
||||||
+ "<code>"
|
+ "<code>"
|
||||||
+ "Method: " + req.method
|
+ "Method: " + encodeURI(req.method)
|
||||||
+ '\n'
|
+ '\n'
|
||||||
+ "Hostname: " + domaininfo.hostname
|
+ "Hostname: " + encodeURI(domaininfo.hostname)
|
||||||
+ '\n'
|
+ '\n'
|
||||||
+ "App: " + (domaininfo.pathname ? (domaininfo.pathname + '/') : '')
|
+ "App: " + encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
|
||||||
+ '\n'
|
+ '\n'
|
||||||
+ "Route: " + req.url//.replace(/^\//, '')
|
+ "Route: " + encodeURI(req.url)//.replace(/^\//, '')
|
||||||
+ '\n'
|
+ '\n'
|
||||||
// TODO better sanatization
|
// TODO better sanatization
|
||||||
+ 'Error: ' + (err.message || err.toString()).replace(/</g, '<')
|
+ 'Error: ' + (err.message || err.toString()).replace(/</g, '<')
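Review bot: encodeURI() is the wrong primitive for the text inside `<pre><code>` on the new method, hostname, pathname and url lines: it percent-encodes spaces, `%` and every non-ASCII byte, so an IDN hostname or an already-encoded req.url is displayed mangled, while `&` and `'` pass through unchanged. The err.message line still rewrites only `<` (as rendered on this page the replacement text is also `<`, which would be a no-op — worth confirming against the source), leaving `&`, `>` and `"` in place, and the `// TODO better sanatization` comment remains. One helper covering all five characters, `function escapeHtml(s) { return String(s).replace(/[&<>"']/g, function (c) { return '&#' + c.charCodeAt(0) + ';'; }); }`, applied to every interpolated value here and in the hunks at -151 and -182 is correct for both element text and double-quoted attributes. The handler that builds this string starts before the hunk.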
|
||||||
|
@ -151,20 +151,20 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
|
||||||
+ "</head>"
|
+ "</head>"
|
||||||
+ "<body>"
|
+ "<body>"
|
||||||
+ "Cannot "
|
+ "Cannot "
|
||||||
+ req.method
|
+ encodeURI(req.method)
|
||||||
+ " 'https://"
|
+ " 'https://"
|
||||||
+ domaininfo.hostname
|
+ encodeURI(domaininfo.hostname)
|
||||||
+ '/'
|
+ '/'
|
||||||
+ (domaininfo.pathname ? (domaininfo.pathname + '/') : '')
|
+ encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
|
||||||
+ req.url.replace(/^\//, '')
|
+ encodeURI(req.url.replace(/^\//, ''))
|
||||||
+ "'"
|
+ "'"
|
||||||
+ "<br/>"
|
+ "<br/>"
|
||||||
+ "<br/>"
|
+ "<br/>"
|
||||||
+ "Domain: " + domaininfo.hostname
|
+ "Domain: " + encodeURI(domaininfo.hostname)
|
||||||
+ "<br/>"
|
+ "<br/>"
|
||||||
+ "App: " + domaininfo.pathname
|
+ "App: " + encodeURI(domaininfo.pathname)
|
||||||
+ "<br/>"
|
+ "<br/>"
|
||||||
+ "Route : " + req.url
|
+ "Route : " + encodeURI(req.url)
|
||||||
+ "</body>"
|
+ "</body>"
|
||||||
+ "</html>"
|
+ "</html>"
|
||||||
);
|
);
|
||||||
|
@ -182,10 +182,15 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
|
||||||
appContext = localAppWrapped;
|
appContext = localAppWrapped;
|
||||||
appContext(req, res, next);
|
appContext(req, res, next);
|
||||||
} catch(e) {
|
} catch(e) {
|
||||||
console.error('[ERROR] ' + domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname);
|
console.error('[ERROR] '
|
||||||
|
+ domaininfo.hostname + ':' + securePort
|
||||||
|
+ '/' + domaininfo.pathname
|
||||||
|
);
|
||||||
console.error(e);
|
console.error(e);
|
||||||
|
// TODO this may not work in web apps (due to 500), probably okay
|
||||||
|
res.writeHead(500);
|
||||||
res.end('{ "error": { "message": "[ERROR] could not load '
|
res.end('{ "error": { "message": "[ERROR] could not load '
|
||||||
+ domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname
|
+ encodeURI(domaininfo.hostname) + ':' + securePort + '/' + encodeURI(domaininfo.pathname)
|
||||||
+ 'or default error app." } }');
|
+ 'or default error app." } }');
|
||||||
}
|
}
|
||||||
});
|
});
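Review bot: The 500 body on the res.end line is still a JSON document assembled by string concatenation, and the response sets no Content-Type, so a browser that sniffs the body decides how to interpret it; `res.writeHead(500, { 'Content-Type': 'application/json' });` together with `res.end(JSON.stringify({ error: { message: '[ERROR] could not load ' + domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname + ' or default error app.' } }));` removes both the hand-built quoting and the need for encodeURI here. Note that the existing message has no space before `or default error app.`, so the output currently reads `…/pathor default…`. The catch block belongs to a handler that starts before this hunk.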
|
||||||
|
@ -224,6 +229,7 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
|
||||||
console.error(err);
|
console.error(err);
|
||||||
console.error(msg);
|
console.error(msg);
|
||||||
return function (req, res) {
|
return function (req, res) {
|
||||||
|
res.writeHead(500);
|
||||||
res.end('{ "error": { "message": "' + msg + '" } }');
|
res.end('{ "error": { "message": "' + msg + '" } }');
|
||||||
}
|
}
|
||||||
}
|
}
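Review bot: `msg` goes into the JSON body on the res.end line unescaped, while every other error response in this commit was at least encoded; if msg ever contains a `"` or a backslash (it is derived from err above the hunk, not visible here) the body stops being valid JSON and, with no Content-Type set, is served as sniffable text. `res.writeHead(500, { 'Content-Type': 'application/json' });` and `res.end(JSON.stringify({ error: { message: msg } }));` fix both. The function that returns this handler starts before the hunk.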
|
||||||
|
@ -392,6 +398,8 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
|
||||||
key: localDummyCerts.key
|
key: localDummyCerts.key
|
||||||
, cert: localDummyCerts.cert
|
, cert: localDummyCerts.cert
|
||||||
, ca: localDummyCerts.ca
|
, ca: localDummyCerts.ca
|
||||||
|
// changes from default: disallow RC4
|
||||||
|
, ciphers: "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL"
|
||||||
};
|
};
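Review bot: On the new `ciphers:` line, `AES128-GCM-SHA256` is an RSA-key-exchange suite with no forward secrecy and `HIGH` is a broad alias that still admits the rest of that family, so the string forbids RC4 but does not prefer forward-secret connections; ECDHE GCM suites should lead, e.g. `ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:HIGH:!aNULL:!MD5:!RC4"`. The order only matters if the server enforces it, which older Node releases do not do by default, so `honorCipherOrder: true` belongs next to it (confirm against the Node version this runs on). The comment `// changes from default: disallow RC4` undersells the line and could read `// TLS cipher policy: prefer ECDHE AES-GCM, forbid RC4/MD5/anonymous suites`. The options object holding this entry starts before the hunk.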
|
||||||
|
|
||||||
function addSniWorkaroundCallback() {
|
function addSniWorkaroundCallback() {
|