security update (prototype pollution prevention)

Sebastian Hildebrandt 2020-11-25 06:58:06 +01:00
parent 73dce8d717
commit 11103a447a
3 changed files with 13 additions and 13 deletions


@ -35,14 +35,14 @@ function inetChecksite(url, callback) {
process.nextTick(() => {
let urlSanitized = '';
const s = util.sanitizeShellString(url);
for (i = 0; i <= 2000; i++) {
for (let i = 0; i <= 2000; i++) {
if (!(s[i] === undefined ||
s[i] === ' ' ||
s[i] === '{' ||
s[i] === '}')) {
const sl = s[i].toLowerCase();
if (sl[0] && !sl[1]) {
urlSanitized = urlSanitized + sl[i];
urlSanitized = urlSanitized + sl[0];
}
}
}
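Review bot: The guard `if (sl[0] && !sl[1])` has no comment saying what it protects against, and the `sl[i]` to `sl[0]` correction in this section shows how easily it is misread. I would add above it `// keep the character only if toLowerCase() returned exactly one character (guards against a tampered String.prototype.toLowerCase)`; that intent is inferred from the commit title and should be confirmed. The bound `i <= 2000` also silently drops everything past 2001 characters, so a named constant or a short comment would make that truncation explicit. inetChecksite's body continues outside the hunk, so how `urlSanitized` is used afterwards is not visible here.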


@ -1134,13 +1134,13 @@ function networkStatsSingle(iface) {
// skip header line
// use the second line because it is tied to the NIC instead of the ipv4 or ipv6 address
stats = lines[1].replace(/ +/g, ' ').split(' ');
rx_bytes = parseInt(stats[6]);
rx_dropped = parseInt(stats[11]);
rx_errors = parseInt(stats[5]);
tx_bytes = parseInt(stats[9]);
tx_dropped = parseInt(stats[11]);
tx_errors = parseInt(stats[8]);
const offset = stats.length > 11 ? 1 : 0;
rx_bytes = parseInt(stats[offset + 5]);
rx_dropped = parseInt(stats[offset + 10]);
rx_errors = parseInt(stats[offset + 4]);
tx_bytes = parseInt(stats[offset + 8]);
tx_dropped = parseInt(stats[offset + 10]);
tx_errors = parseInt(stats[offset + 7]);
result = calcNetworkSpeed(ifaceSanitized, rx_bytes, tx_bytes, result.operstate, rx_dropped, rx_errors, tx_dropped, tx_errors);
}
}
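Review bot: The new `offset` only separates lines with more than 11 fields from everything else, so a short or malformed `lines[1]` still indexes `undefined` and the counters become NaN. I would check the field count before indexing (for example skip the assignments when `stats.length < 11`) and pass the radix explicitly, `rx_bytes = parseInt(stats[offset + 5], 10);`. A one-line comment naming the column that is optional in the command output would explain why the offset exists. `rx_dropped` and `tx_dropped` both read `stats[offset + 10]`; if the output really has a single drop column, say so in a comment. The enclosing function starts and ends outside the hunk.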


@ -492,7 +492,7 @@ function countLines(lines, startingWith) {
function sanitizeShellString(str) {
const s = str || '';
let result = '';
for (i = 0; i <= 2000; i++) {
for (let i = 0; i <= 2000; i++) {
if (!(s[i] === undefined ||
s[i] === '>' ||
s[i] === '<' ||
@ -520,7 +520,7 @@ function sanitizeShellString(str) {
}
function isPrototypePolluted() {
s = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
const s = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
let notPolluted = true;
let st = '';
notPolluted = notPolluted || !(s.length === 62)
@ -528,7 +528,7 @@ function isPrototypePolluted() {
if (typeof ms === 'number' && ms > 1600000000000) {
const l = ms % 100 + 15;
let c = 0;
for (i = 0; i < l; i++) {
for (let i = 0; i < l; i++) {
const r = Math.random() * 61.99999999 + 1;
const rs = parseInt(Math.floor(r).toString(), 10)
const rs2 = parseInt(r.toString().split('.')[0], 10);
@ -561,7 +561,7 @@ function isPrototypePolluted() {
// lower
const stl = st.toLowerCase();
notPolluted = notPolluted && (stl.length === l) && stl[l - 1] && !(stl[l])
for (i = 0; i < l; i++) {
for (let i = 0; i < l; i++) {
const s1 = st[i];
const s2 = stl[i];
const s1l = s1.toLowerCase();
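Review bot: In sanitizeShellString, `const s = str || '';` accepts any truthy value, so for an array or object `s[i]` is a whole element rather than one character and the single-character comparisons that follow cannot match it. Judging by its name and its use on `url` in inetChecksite, this function is the filter in front of shell input, so I would reject non-strings up front: `const s = typeof str === 'string' ? str : '';`. Separately, in isPrototypePolluted the line `notPolluted = notPolluted || !(s.length === 62)` can never change the flag because `notPolluted` starts as `true`; it probably should read `notPolluted = notPolluted && (s.length === 62)`. Both function bodies continue outside the visible hunks.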