https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894

Author: btopro

package.json

@@ -10,6 +10,7 @@
   "scripts": {
     "dev:build": "npm run build && nodemon dist/app.js",
     "dev": "nodemon src/app.js",
+    "dev:nologin": "nodemon src/local.js",
     "start": "open http://localhost:3000 && npm run dev",
     "build": "rm -rf dist && babel src --out-dir dist --copy-files --include-dotfiles && chmod 774 dist/local.js && chmod 774 dist/app.js && chmod 774 dist/cli.js",
     "release": "npm run build && commit-and-tag-version && git push --follow-tags origin main && npm publish",

src/app.js

@@ -22,7 +22,7 @@ var helmetPolicies = {
       scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "'wasm-unsafe-eval'", "www.youtube.com"],
       styleSrc: ["'self'", "'unsafe-inline'", "data:", "https:"],
       mediaSrc: ["'self'", "data:", "https:"],
-      imgSrc: ["'self'", "data:", "https:"],
+      imgSrc: ["'self'", "data:", "https:", "http:", "blob:"],
       connectSrc: ["'self'", "https:", "ws:"],
       defaultSrc: ["'self'", "data:", "https:"],
       objectSrc: ["'none'"],

src/lib/HAXCMS.js

@@ -1957,19 +1957,31 @@ class HAXCMSClass {
    */
   validateRequestToken(token = null, value = '', query = {})
     {
-        if (this.isCLI() || this.HAXCMS_DISABLE_JWT_CHECKS) {
-            return true;
-        }
-        // default token is POST
-        if (token == null && query['token']) {
-          token = query['token'];
-        }
-        if (token != null) {
-          if (token == this.getRequestToken(value)) {
-            return true;
-          }
+      if (this.isCLI() || this.HAXCMS_DISABLE_JWT_CHECKS) {
+          return true;
+      }
+      // default token is POST
+      if (token == null && query['token']) {
+        token = query['token'];
+      }
+      if (token != null) {
+        if (token == this.getRequestToken(value)) {
+          return true;
         }
-        return false;
+      }
+      return false;
+    }
+    /**
+     * Get the active user name based on the session
+     * or the super user if the session is not set
+     */
+    getActiveUserName() {
+      if (this.user.name != null && this.user.name != '') {
+        return this.user.name;
+      }
+      else if (this.superUser.name) {
+        return this.superUser.name;
+      }
     }
     getRequestToken(value = '')
     {
@@ -1980,7 +1992,7 @@ class HAXCMSClass {
       var buf1 = crypto.createHmac("sha256", "0").update(data).digest();
       var buf2 = Buffer.from(key);
       // generate the hash
-      return Buffer.concat([buf1, buf2]).toString('base64');
+      return Buffer.concat([buf1, buf2]).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
     }
     /**
      * load form and spitting out HAXschema + values in our standard transmission method
@@ -2462,7 +2474,7 @@ class HAXCMSClass {
     /**
      * Generate a valid HAX App store specification schema for connecting to this site via JSON.
      */
-    siteConnectionJSON()
+    siteConnectionJSON(siteToken = '')
     {
         return {
       "details": {
@@ -2479,7 +2491,7 @@ class HAXCMSClass {
         "operations": {
           "browse": {
             "method": "GET",
-            "endPoint": this.systemRequestBase + "listFiles",
+            "endPoint": this.systemRequestBase + "listFiles?site_token=" + siteToken,
             "pagination": {
               "style": "link",
               "props": {
@@ -2518,7 +2530,7 @@ class HAXCMSClass {
           },
           "add": {
             "method": "POST",
-            "endPoint": this.systemRequestBase + "saveFile",
+            "endPoint": this.systemRequestBase + "saveFile?site_token=" + siteToken,
             "acceptsGizmoTypes": [
               "audio",
               "image",

src/openapi/spec.json

@@ -242,7 +242,7 @@
                 "operationId": "Operations::generateAppStore",
                 "parameters": [
                     {
-                        "name": "app-store-token",
+                        "name": "appstore_token",
                         "in": "query",
                         "description": "security token for appstore",
                         "required": true,

src/openapi/spec.yaml

@@ -167,7 +167,7 @@ paths:
       operationId: 'Operations::generateAppStore'
       parameters:
         -
-          name: app-store-token
+          name: appstore_token
           in: query
           description: 'security token for appstore'
           required: true

src/routes/archiveSite.js

@@ -36,22 +36,26 @@ const { HAXCMS } = require('../lib/HAXCMS.js');
    * )
    */
   async function archiveSite(req, res) {
-    let site = await HAXCMS.loadSite(req.body['site']['name']);
-    if (site.name) {
-      // create archived directory in this tree if it doesn't exist already
-      if (!fs.existsSync(HAXCMS.HAXCMS_ROOT + HAXCMS.archivedDirectory)) {
-        fs.mkdirSync(HAXCMS.HAXCMS_ROOT + HAXCMS.archivedDirectory);
+    if (req.query['user_token'] && HAXCMS.validateRequestToken(req.query['user_token'], HAXCMS.getActiveUserName())) {
+      let site = await HAXCMS.loadSite(req.body['site']['name']);
+      if (site.name) {
+        // create archived directory in this tree if it doesn't exist already
+        if (!fs.existsSync(HAXCMS.HAXCMS_ROOT + HAXCMS.archivedDirectory)) {
+          fs.mkdirSync(HAXCMS.HAXCMS_ROOT + HAXCMS.archivedDirectory);
+        }
+        await fs.rename(
+          HAXCMS.HAXCMS_ROOT + HAXCMS.sitesDirectory + '/' + site.manifest.metadata.site.name,
+          HAXCMS.HAXCMS_ROOT + HAXCMS.archivedDirectory + '/' + site.manifest.metadata.site.name);
+        res.send({
+          'name': site.name,
+          'detail': 'Site archived',
+        });
       }
-      await fs.rename(
-        HAXCMS.HAXCMS_ROOT + HAXCMS.sitesDirectory + '/' + site.manifest.metadata.site.name,
-        HAXCMS.HAXCMS_ROOT + HAXCMS.archivedDirectory + '/' + site.manifest.metadata.site.name);
-      res.send({
-        'name': site.name,
-        'detail': 'Site archived',
-      });
-    }
-    else {
-      res.sendStatus(500);
+      else {
+        res.sendStatus(500);
+      }
+    } else {
+      res.sendStatus(403);
     }
   }
   module.exports = archiveSite;

src/routes/cloneSite.js

@@ -35,48 +35,52 @@ const { HAXCMS } = require('../lib/HAXCMS.js');
    * )
    */
   async function cloneSite(req, res) {
-    let site = await HAXCMS.loadSite(req.body['site']['name']);
-    let originalPathForReplacement = HAXCMS.sitesDirectory + site.manifest.metadata.site.name + "/files/";
+    if (req.query['user_token'] && HAXCMS.validateRequestToken(req.query['user_token'], HAXCMS.getActiveUserName())) {
+      let site = await HAXCMS.loadSite(req.body['site']['name']);
+      let originalPathForReplacement = HAXCMS.sitesDirectory + site.manifest.metadata.site.name + "/files/";
 
-    let cloneName = HAXCMS.getUniqueName(site.name);
-    // ensure the path to the new folder is valid
-    await HAXCMS.recurseCopy(
-        HAXCMS.HAXCMS_ROOT + HAXCMS.sitesDirectory + '/' + site.name,
-        HAXCMS.HAXCMS_ROOT + HAXCMS.sitesDirectory + '/' + cloneName
-    );
-    // we need to then load and rewrite the site name var or it will conflict given the name change
-    let newSite = await HAXCMS.loadSite(cloneName);
-    newSite.manifest.metadata.site.name = cloneName;
-    newSite.manifest.id =  HAXCMS.generateUUID();
-    // loop through all items and rewrite the path to files as we cloned it
-    for (var delta in newSite.manifest.items) {
-      let item = newSite.manifest.items[delta];
-      if (item.metadata.files) {
-        for (var delta2 in item.metadata.files) {
-          if (newSite.manifest.items[delta].metadata.files[delta2].path) {
-            newSite.manifest.items[delta].metadata.files[delta2].path = newSite.manifest.items[delta].metadata.files[delta2].path.replace(
-              originalPathForReplacement,
-              '/sites/' + cloneName + '/files/',
-            );
-          }
-          if (newSite.manifest.items[delta].metadata.files[delta2].fullUrl) {
-            newSite.manifest.items[delta].metadata.files[delta2].fullUrl = newSite.manifest.items[delta].metadata.files[delta2].fullUrl.replace(
-              originalPathForReplacement,
-              '/sites/' + cloneName + '/files/',
-            );
+      let cloneName = HAXCMS.getUniqueName(site.name);
+      // ensure the path to the new folder is valid
+      await HAXCMS.recurseCopy(
+          HAXCMS.HAXCMS_ROOT + HAXCMS.sitesDirectory + '/' + site.name,
+          HAXCMS.HAXCMS_ROOT + HAXCMS.sitesDirectory + '/' + cloneName
+      );
+      // we need to then load and rewrite the site name var or it will conflict given the name change
+      let newSite = await HAXCMS.loadSite(cloneName);
+      newSite.manifest.metadata.site.name = cloneName;
+      newSite.manifest.id =  HAXCMS.generateUUID();
+      // loop through all items and rewrite the path to files as we cloned it
+      for (var delta in newSite.manifest.items) {
+        let item = newSite.manifest.items[delta];
+        if (item.metadata.files) {
+          for (var delta2 in item.metadata.files) {
+            if (newSite.manifest.items[delta].metadata.files[delta2].path) {
+              newSite.manifest.items[delta].metadata.files[delta2].path = newSite.manifest.items[delta].metadata.files[delta2].path.replace(
+                originalPathForReplacement,
+                '/sites/' + cloneName + '/files/',
+              );
+            }
+            if (newSite.manifest.items[delta].metadata.files[delta2].fullUrl) {
+              newSite.manifest.items[delta].metadata.files[delta2].fullUrl = newSite.manifest.items[delta].metadata.files[delta2].fullUrl.replace(
+                originalPathForReplacement,
+                '/sites/' + cloneName + '/files/',
+              );
+            }
           }
         }
       }
-    }
 
-    await newSite.save();
-    res.send({
-      'link':
-        HAXCMS.basePath +
-        HAXCMS.sitesDirectory +
-        '/' +
-        cloneName,
-      'name': cloneName
-    });
+      await newSite.save();
+      res.send({
+        'link':
+          HAXCMS.basePath +
+          HAXCMS.sitesDirectory +
+          '/' +
+          cloneName,
+        'name': cloneName
+      });
+    } else {
+      res.sendStatus(403);
+    }
   }
-  module.exports = cloneSite;
+module.exports = cloneSite;

src/routes/connectionSettings.js

@@ -22,48 +22,62 @@ async function connectionSettings(req, res) {
   if (req.headers && req.headers.referer && !req.headers.referer.includes('/sites/')) {
     baseAPIPath = HAXCMS.systemRequestBase;
   }
+  var sitename = '';
   // express gives this up on requests but doesn't know it ahead of time
   if (req.headers && req.headers.referer) {
     let details = new url.URL(req.headers.referer);
     HAXCMS.protocol = details.protocol.replace(':', '');
     HAXCMS.domain = details.host;
     HAXCMS.request_url = details;
+
+    const sitepath = req.headers.referer.replace(`${HAXCMS.protocol}://${HAXCMS.domain}${HAXCMS.basePath}${HAXCMS.sitesDirectory}/`, '');
+    const siteparts = sitepath.split('/');
+    // should always be at the base here
+    sitename = siteparts[0];
   }
+  const siteToken = HAXCMS.getRequestToken(HAXCMS.getActiveUserName() + ':' + sitename);
+  // user token is just the name of the logged in user
+  const userToken = HAXCMS.getRequestToken(HAXCMS.getActiveUserName());
   const returnData = JSON.stringify({
     token: HAXCMS.getRequestToken(),
+    login: `${baseAPIPath}login`,
+    refreshUrl: `${baseAPIPath}refreshAccessToken`,
+    logout: `${baseAPIPath}logout`,
+    connectionSettings: `${baseAPIPath}connectionSettings`,
+    // enables redirecting back to site root if JWT really is dead
+    redirectUrl: HAXCMS.basePath,
+    saveNodePath: `${baseAPIPath}saveNode?site_token=${siteToken}`,
+    saveManifestPath: `${baseAPIPath}saveManifest?site_token=${siteToken}`,
+    saveOutlinePath: `${baseAPIPath}saveOutline?site_token=${siteToken}`,
+    getSiteFieldsPath: `${baseAPIPath}formLoad?haxcms_form_id=siteSettings`,
+    // form token to validate form submissions as unique to the session
     getFormToken: HAXCMS.getRequestToken('form'),
+    createNodePath: `${baseAPIPath}createNode?site_token=${siteToken}`,
+    deleteNodePath: `${baseAPIPath}deleteNode?site_token=${siteToken}`,
+
+    getUserDataPath: `${baseAPIPath}getUserData?user_token=${userToken}`,
+    createSite: `${baseAPIPath}createSite?user_token=${userToken}`,
+    downloadSite: `${baseAPIPath}downloadSite?user_token=${userToken}`,
+    archiveSite: `${baseAPIPath}archiveSite?user_token=${userToken}`,
+    copySite: `${baseAPIPath}cloneSite?user_token=${userToken}`,
+    getSitesList: `${baseAPIPath}listSites?user_token=${userToken}`,
     appStore: {
       url: `${baseAPIPath}generateAppStore`,
       params: {
-        "app-store-token": HAXCMS.getRequestToken('appstore'),
+        'appstore_token': HAXCMS.getRequestToken('appstore'),
+        'site_token': siteToken,
+        'siteName': sitename,
       }
     },
     themes: themes,
-    connectionSettings: `${baseAPIPath}connectionSettings`,
-    login: `${baseAPIPath}login`,
-    refreshUrl: `${baseAPIPath}refreshAccessToken`,
-    logout: `${baseAPIPath}logout`,
-    redirectUrl: HAXCMS.basePath,
-    saveNodePath: `${baseAPIPath}saveNode`,
-    saveManifestPath: `${baseAPIPath}saveManifest`,
-    saveOutlinePath: `${baseAPIPath}saveOutline`,
-    getSiteFieldsPath: `${baseAPIPath}formLoad?haxcms_form_id=siteSettings`,
-    createNodePath: `${baseAPIPath}createNode`,
-    getUserDataPath: `${baseAPIPath}getUserData`,
-    deleteNodePath: `${baseAPIPath}deleteNode`,
-    createSite: `${baseAPIPath}createSite`,
-    downloadSite: `${baseAPIPath}downloadSite`,
-    archiveSite: `${baseAPIPath}archiveSite`,
-    copySite: `${baseAPIPath}cloneSite`,
-    getSitesList: `${baseAPIPath}listSites`,
   });
-  let after;
+  let after='';
   if (HAXCMS.HAXCMS_DISABLE_JWT_CHECKS) {
     after = `window.appSettings.jwt = "${HAXCMS.getJWT(HAXCMS.superUser.name)}"`;
   }
   res.send(`// force vercel calls to go from production
     window.MicroFrontendRegistryConfig = window.MicroFrontendRegistryConfig || {};
-    window.MicroFrontendRegistryConfig.base = "https://haxapi.vercel.app";window.appSettings =${returnData};${after}`);
+    window.MicroFrontendRegistryConfig.base = "https://open-apis.hax.cloud";window.appSettings =${returnData};${after}`);
 }
 
 module.exports = connectionSettings;