mike/systeminformation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

inetLatency() ineChecksite() schema validation

Browse Source
This commit is contained in:
Sebastian Hildebrandt 2021-03-16 12:01:39 +01:00
parent 5a6e509f4a
commit 1ff90056d3
8 changed files with 26 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -77,6 +77,7 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page.
| Version | Date | Comment |
| -------------- | -------------- | -------- |
| 5.6.7 | 2021-03-16 | `inetLatency()` `ineChecksite()` schema validation |
| 5.6.6 | 2021-03-16 | code refactoring |
| 5.6.5 | 2021-03-15 | `cpuTemperature()` fix (linux) |
| 5.6.4 | 2021-03-15 | `sanitizeShellString()` and other security improvements |

5
docs/history.html
View File

@ -56,6 +56,11 @@
</tr>
</thead>
<tbody>
<tr>
<th scope="row">5.6.8</th>
<td>2021-03-16</td>
<td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> schema avlidation</td>
</tr>
<tr>
<th scope="row">5.6.6</th>
<td>2021-03-16</td>

2
docs/index.html
View File

@ -170,7 +170,7 @@
<img class="logo" src="assets/logo.png">
<div class="title">systeminformation</div>
<div class="subtitle"><span id="typed"></span>&nbsp;</div>
<div class="version">New Version: <span id="version">5.6.6</span></div>
<div class="version">New Version: <span id="version">5.6.7</span></div>
<button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
</div>
<div class="down">

3
docs/security.html
View File

@ -43,6 +43,9 @@
<div class="col-12 sectionheader">
<div class="title">Security Advisories</div>
<div class="text">
<h2>Passing User Paramters to Systeminformation</h2>
<p><span class="bold">Be aware</span> to not use <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> with arbitrary untrusted user input! We are doing a lot of input sanitation for those functions in this package but we cannot handle all cases!</p>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 5.6.4 and &lt; 4.34.17<br>

10
docs/v4/history.html
View File

@ -83,6 +83,16 @@
</tr>
</thead>
<tbody>
<tr>
<th scope="row">4.34.19</th>
<td>2021-03-16</td>
<td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> schema avlidation</td>
</tr>
<tr>
<th scope="row">4.34.18</th>
<td>2021-03-16</td>
<td>code refactoring</td>
</tr>
<tr>
<th scope="row">4.34.17</th>
<td>2021-03-14</td>

2
docs/v4/index.html
View File

@ -170,7 +170,7 @@
<div class="title">systeminformation </div>
<div class="subtitle"><span id="typed"></span>&nbsp;</div>
<div class="version larger">Version 4 documentation</div>
<div class="version">Current Version: <span id="version">4.34.17</span></div>
<div class="version">Current Version: <span id="version">4.34.19</span></div>
<button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
</div>
<div class="down">

3
docs/v4/security.html
View File

@ -42,6 +42,9 @@
<div class="col-12 sectionheader">
<div class="title">Security Advisories</div>
<div class="text">
<h2>Passing User Paramters to Systeminformation</h2>
<p><span class="bold">Be aware</span> to not use <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> with arbitrary untrusted user input! We are doing a lot of input sanitation for those functions in this package but we cannot handle all cases!</p>
<h2>Command Injection Vulnerability</h2>
<p><span class="bold">Affected versions:</span>
&lt; 4.34.17<br>

4
lib/internet.js
View File

@ -58,7 +58,7 @@ function inetChecksite(url, callback) {
try {
if (urlSanitized && !util.isPrototypePolluted()) {
urlSanitized.__proto__.startsWith = util.stringStartWith;
if (urlSanitized.startsWith('file:')) {
if (urlSanitized.startsWith('file:') || urlSanitized.startsWith('gopher:') || urlSanitized.startsWith('telnet:') || urlSanitized.startsWith('mailto:') || urlSanitized.startsWith('news:') || urlSanitized.startsWith('nntp:')) {
if (callback) { callback(result); }
return resolve(result);
}
@ -153,7 +153,7 @@ function inetLatency(host, callback) {
}
}
hostSanitized.__proto__.startsWith = util.stringStartWith;
if (hostSanitized.startsWith('file:')) {
if (hostSanitized.startsWith('file:') || hostSanitized.startsWith('gopher:') || hostSanitized.startsWith('telnet:') || hostSanitized.startsWith('mailto:') || hostSanitized.startsWith('news:') || hostSanitized.startsWith('nntp:')) {
if (callback) { callback(null); }
return resolve(null);
}