fixes: security stuff (#47)

Insecure randomness (high)
gravatar: md5 insecure hash algorithm (high)
Clear text transmission of sensitive cookie (medium)
This commit is contained in:
Philip H 2023-12-02 22:59:30 +01:00 committed by GitHub
parent 8d3e355591
commit 4c7d763d24
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 2 deletions


@ -2,6 +2,7 @@
const path = require('path');
const bcrypt = require('bcryptjs');
const crypto = require('node:crypto');
const express = require('express');
const expressSession = require('express-session');
@ -27,9 +28,10 @@ module.exports = class Server {
.use('/', express.static(path.join(__dirname, '..', 'www')))
.use(express.json())
.use(expressSession({
secret: String(Math.random()),
secret: crypto.randomBytes(256).toString('hex'),
resave: true,
saveUninitialized: true,
secure: true,
}))
.get('/api/release', (Util.promisify(async () => {
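Review bot: The added `secure: true,` is placed at the top level of the expressSession options, where express-session does not read it — the Secure attribute lives under the `cookie` option — so the session cookie is still issued without the Secure flag and the "clear text transmission of sensitive cookie" finding is not actually closed. The line should become `cookie: { secure: true },` (or `cookie: { secure: 'auto' },` to follow whether the request arrived over TLS). With a plain `true`, express-session refuses to set the cookie on a non-TLS connection, so when TLS is terminated by a reverse proxy the app also needs `app.set('trust proxy', 1)` (or the session `proxy: true` option), otherwise login silently stops working over HTTP; that trade-off deserves a comment next to the option. The `crypto.randomBytes(256)` secret is fine as a replacement for `Math.random()`; note that, as before, it is regenerated on every start, which invalidates all existing sessions on restart.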


@ -131,7 +131,7 @@ new Vue({
const clients = await this.api.getClients();
this.clients = clients.map((client) => {
if (client.name.includes('@') && client.name.includes('.')) {
client.avatar = `https://www.gravatar.com/avatar/${md5(client.name)}?d=blank`;
client.avatar = `https://www.gravatar.com/avatar/${sha512(client.name)}?d=blank`;
}
if (!this.clientsPersist[client.id]) {
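Review bot: Swapping `md5` for `sha512` in the Gravatar URL breaks the avatar lookup rather than hardening it: Gravatar identifies an account by the MD5 (and, more recently, SHA-256) hex digest of the lowercased, trimmed email address, so a SHA-512 digest will never match and, combined with `?d=blank`, every client will silently get a blank image. MD5 here is a protocol-mandated identifier, not a security primitive, so the scanner finding is a false positive in this context; either keep `md5(client.name.trim().toLowerCase())` with a comment such as `// MD5 is required by the Gravatar URL scheme; not used for security` or move to a SHA-256 digest of the same normalized string if a sha256 helper is available on the page. Whether a `sha512` (or `sha256`) helper is actually loaded by this page cannot be seen from the hunk and should be confirmed, since an undefined function here would throw inside the `clients.map` callback. The enclosing method continues outside the hunk.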