security update (prototype pollution prevention)

CHANGELOG.md

@@ -30,6 +30,8 @@ For major (breaking) changes - version 3 and 2 see end of page.
 
 | Version        | Date           | Comment  |
 | -------------- | -------------- | -------- |
+| 4.30.2         | 2020-11-25     | security update (prototype pollution prevention) |
+| 4.30.1         | 2020-11-12     | updated docs |
 | 4.30.0         | 2020-11-12     | `get()` possibility to provide params |
 | 4.29.3         | 2020-11-09     | `blockdevices()` catch errors adapted for just one line |
 | 4.29.2         | 2020-11-09     | `blockdevices()` catch errors |

docs/history.html

@@ -83,6 +83,16 @@
                   </tr>
                 </thead>
                 <tbody>
+                  <tr>
+                    <th scope="row">4.30.2</th>
+                    <td>2020-11-25</td>
+                    <td>security update (prototype pollution prevention)</td>
+                  </tr>
+                  <tr>
+                    <th scope="row">4.30.1</th>
+                    <td>2020-11-12</td>
+                    <td>updated docs</td>
+                  </tr>
                   <tr>
                     <th scope="row">4.30.0</th>
                     <td>2020-11-11</td>

docs/index.html

@@ -168,7 +168,7 @@
       <img class="logo" src="assets/logo.png">
       <div class="title">systeminformation</div>
       <div class="subtitle"><span id="typed"></span></div>
-      <div class="version">Current Version: <span id="version">4.30.0</span></div>
+      <div class="version">Current Version: <span id="version">4.30.2</span></div>
       <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
     </div>
     <div class="down">

lib/internet.js

@@ -33,21 +33,26 @@ function inetChecksite(url, callback) {
 
   return new Promise((resolve) => {
     process.nextTick(() => {
-
+      let urlSanitized = '';
-      let urlSanitized = util.sanitizeShellString(url).toLowerCase();
+      const s = util.sanitizeShellString(url);
-      urlSanitized = urlSanitized.replace(/ /g, '');
+      for (i = 0; i <= 2000; i++) {
-      urlSanitized = urlSanitized.replace(/\$/g, '');
+        if (!(s[i] === undefined ||
-      urlSanitized = urlSanitized.replace(/\(/g, '');
+          s[i] === ' ' ||
-      urlSanitized = urlSanitized.replace(/\)/g, '');
+          s[i] === '{' ||
-      urlSanitized = urlSanitized.replace(/{/g, '');
+          s[i] === '}')) {
-      urlSanitized = urlSanitized.replace(/}/g, '');
+          const sl = s[i].toLowerCase();
+          if (sl[0] && !sl[1]) {
+            urlSanitized = urlSanitized + sl[i];
+          }
+        }
+      }
       let result = {
         url: urlSanitized,
         ok: false,
         status: 404,
         ms: -1
       };
-      if (urlSanitized) {
+      if (urlSanitized && !util.isPrototypePolluted()) {
         let t = Date.now();
         if (_linux || _freebsd || _openbsd || _netbsd || _darwin || _sunos) {
           let args = ' -I --connect-timeout 5 -m 5 ' + urlSanitized + ' 2>/dev/null | head -n 1 | cut -d " " -f2';
@@ -114,7 +119,7 @@ function inetLatency(host, callback) {
   }
 
   host = host || '8.8.8.8';
-  const hostSanitized = util.sanitizeShellString(host);
+  const hostSanitized = util.isPrototypePolluted() ? '8.8.8.8' : util.sanitizeShellString(host);
 
   return new Promise((resolve) => {
     process.nextTick(() => {

lib/network.js

@@ -1041,7 +1041,7 @@ function networkStatsSingle(iface) {
   return new Promise((resolve) => {
     process.nextTick(() => {
 
-      const ifaceSanitized = util.sanitizeShellString(iface);
+      const ifaceSanitized = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(iface);
 
       let result = {
         iface: ifaceSanitized,

lib/processes.js

@@ -103,6 +103,9 @@ function services(srv, callback) {
         if (srvString === '') {
           srvString = '*';
         }
+        if (util.isPrototypePolluted() && srvString !== '*') {
+          srvString = '------';
+        }
         let srvs = srvString.split('|');
         let result = [];
         let dataSrv = [];
@@ -837,7 +840,7 @@ function processLoad(proc, callback) {
 
   return new Promise((resolve) => {
     process.nextTick(() => {
-      const procSanitized = util.sanitizeShellString(proc);
+      const procSanitized = util.isPrototypePolluted() ? '' : util.sanitizeShellString(proc);
 
       let result = {
         'proc': procSanitized,

lib/util.js

@@ -490,29 +490,87 @@ function countLines(lines, startingWith) {
 }
 
 function sanitizeShellString(str) {
-  let result = str || '';
+  const s = str || '';
-  result = result.replace(/>/g, '');
+  let result = '';
-  result = result.replace(/</g, '');
+  for (i = 0; i <= 2000; i++) {
-  result = result.replace(/\*/g, '');
+    if (!(s[i] === undefined ||
-  result = result.replace(/\?/g, '');
+      s[i] === '>' ||
-  result = result.replace(/\[/g, '');
+      s[i] === '<' ||
-  result = result.replace(/\]/g, '');
+      s[i] === '*' ||
-  result = result.replace(/\|/g, '');
+      s[i] === '?' ||
-  result = result.replace(/\`/g, '');
+      s[i] === '[' ||
-  result = result.replace(/\$/g, '');
+      s[i] === ']' ||
-  result = result.replace(/;/g, '');
+      s[i] === '|' ||
-  result = result.replace(/&/g, '');
+      s[i] === '˚' ||
-  result = result.replace(/\)/g, '');
+      s[i] === '$' ||
-  result = result.replace(/\(/g, '');
+      s[i] === ';' ||
-  result = result.replace(/\$/g, '');
+      s[i] === '&' ||
-  result = result.replace(/#/g, '');
+      s[i] === '(' ||
-  result = result.replace(/\\/g, '');
+      s[i] === ')' ||
-  result = result.replace(/\t/g, '');
+      s[i] === ']' ||
-  result = result.replace(/\n/g, '');
+      s[i] === '#' ||
-  result = result.replace(/\"/g, '');
+      s[i] === '\\' ||
+      s[i] === '\t' ||
+      s[i] === '\n' ||
+      s[i] === '"')) {
+      result = result + s[i];
+    }
+  }
   return result;
 }
 
+function isPrototypePolluted() {
+  s = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+  let notPolluted = true;
+  let st = '';
+  notPolluted = notPolluted || !(s.length === 62)
+  const ms = Date.now();
+  if (typeof ms === 'number' && ms > 1600000000000) {
+    const l = ms % 100 + 15;
+    let c = 0;
+    for (i = 0; i < l; i++) {
+      const r = Math.random() * 61.99999999 + 1;
+      const rs = parseInt(Math.floor(r).toString(), 10)
+      const rs2 = parseInt(r.toString().split('.')[0], 10);
+      const q = Math.random() * 61.99999999 + 1;
+      const qs = parseInt(Math.floor(q).toString(), 10)
+      const qs2 = parseInt(q.toString().split('.')[0], 10);
+      notPolluted = notPolluted && !(r === q);
+      notPolluted = notPolluted && rs === rs2 && qs === qs2;
+      st += s[rs - 1];
+    }
+    notPolluted = notPolluted && st.length === l;
+    // string manipulation
+    let p = Math.random() * l * 0.9999999999;
+    let stm = st.substr(0, p) + ' ' + st.substr(p, 2000);
+    let sto = stm.replace(/ /g, '');
+    notPolluted = notPolluted && st === sto;
+    p = Math.random() * l * 0.9999999999;
+    stm = st.substr(0, p) + '{' + st.substr(p, 2000);
+    sto = stm.replace(/{/g, '');
+    notPolluted = notPolluted && st === sto;
+    p = Math.random() * l * 0.9999999999;
+    stm = st.substr(0, p) + '*' + st.substr(p, 2000);
+    sto = stm.replace(/\*/g, '');
+    notPolluted = notPolluted && st === sto;
+    p = Math.random() * l * 0.9999999999;
+    stm = st.substr(0, p) + '$' + st.substr(p, 2000);
+    sto = stm.replace(/\$/g, '');
+    notPolluted = notPolluted && st === sto;
+
+    // lower
+    const stl = st.toLowerCase();
+    notPolluted = notPolluted && (stl.length === l) && stl[l - 1] && !(stl[l])
+    for (i = 0; i < l; i++) {
+      const s1 = st[i];
+      const s2 = stl[i];
+      const s1l = s1.toLowerCase();
+      notPolluted = notPolluted && s1l[0] === s2 && s1l[0] && !(s1l[1]);
+    }
+  }
+  return !notPolluted;
+}
+
 function hex2bin(hex) {
   return ("00000000" + (parseInt(hex, 16)).toString(2)).substr(-8);
 }
@@ -747,4 +805,5 @@ exports.noop = noop;
 exports.isRaspberry = isRaspberry;
 exports.isRaspbian = isRaspbian;
 exports.sanitizeShellString = sanitizeShellString;
+exports.isPrototypePolluted = isPrototypePolluted;
 exports.decodePiCpuinfo = decodePiCpuinfo;