Security vulnerability patched and minor improvements (#1071)

Thank you so much @davide-acanfora!

src/lib/Server.js

@@ -1,10 +1,9 @@
 'use strict';
 
-const bcrypt = require('bcryptjs');
 const crypto = require('node:crypto');
 const { createServer } = require('node:http');
 const { stat, readFile } = require('node:fs/promises');
-const { join } = require('node:path');
+const { resolve, sep } = require('node:path');
 
 const expressSession = require('express-session');
 const debug = require('debug')('Server');
@@ -118,15 +117,6 @@ module.exports = class Server {
           return next();
         }
 
-        if (req.url.startsWith('/api/') && req.headers['authorization']) {
-          if (bcrypt.compareSync(req.headers['authorization'], bcrypt.hashSync(PASSWORD, 10))) {
-            return next();
-          }
-          return res.status(401).json({
-            error: 'Incorrect Password',
-          });
-        }
-
         return res.status(401).json({
           error: 'Not Logged In',
         });
@@ -212,15 +202,41 @@ module.exports = class Server {
         return { success: true };
       }));
 
+    const safePathJoin = (base, target) => {
+      // Manage web root (edge case)
+      if (target === '/') {
+        return `${base}${sep}`;
+      }
+
+      // Prepend './' to prevent absolute paths
+      const targetPath = `.${sep}${target}`;
+
+      // Resolve the absolute path
+      const resolvedPath = resolve(base, targetPath);
+
+      // Check if resolvedPath is a subpath of base
+      if (resolvedPath.startsWith(`${base}${sep}`)) {
+        return resolvedPath;
+      }
+
+      throw createError({
+        status: 400,
+        message: 'Bad Request',
+      });
+    };
+
     // Static assets
     const publicDir = '/app/www';
     app.use(
       defineEventHandler((event) => {
         return serveStatic(event, {
-          getContents: (id) => readFile(join(publicDir, id)),
+          getContents: (id) => {
+            return readFile(safePathJoin(publicDir, id));
+          },
           getMeta: async (id) => {
-            const stats = await stat(join(publicDir, id)).catch(() => {});
+            const filePath = safePathJoin(publicDir, id);
 
+            const stats = await stat(filePath).catch(() => {});
             if (!stats || !stats.isFile()) {
               return;
             }

src/lib/WireGuard.js

@@ -1,10 +1,9 @@
 'use strict';
 
-const fs = require('fs').promises;
+const fs = require('node:fs/promises');
 const path = require('path');
-
 const debug = require('debug')('WireGuard');
-const uuid = require('uuid');
+const crypto = require('node:crypto');
 const QRCode = require('qrcode');
 
 const Util = require('./Util');
@@ -248,7 +247,7 @@ Endpoint = ${WG_HOST}:${WG_PORT}`;
     }
 
     // Create Client
-    const id = uuid.v4();
+    const id = crypto.randomUUID();
     const client = {
       id,
       name,

src/package-lock.json

@@ -9,12 +9,10 @@
       "version": "1.0.1",
       "license": "GPL",
       "dependencies": {
-        "bcryptjs": "^2.4.3",
         "debug": "^4.3.4",
         "express-session": "^1.18.0",
         "h3": "^1.11.1",
-        "qrcode": "^1.5.3",
+        "qrcode": "^1.5.3"
-        "uuid": "^9.0.1"
       },
       "devDependencies": {
         "eslint-config-athom": "^3.1.3",
@@ -910,11 +908,6 @@
       "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
       "dev": true
     },
-    "node_modules/bcryptjs": {
-      "version": "2.4.3",
-      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz",
-      "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ=="
-    },
     "node_modules/binary-extensions": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
@@ -4626,18 +4619,6 @@
       "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
       "dev": true
     },
-    "node_modules/uuid": {
-      "version": "9.0.1",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
-      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
-      "funding": [
-        "https://github.com/sponsors/broofa",
-        "https://github.com/sponsors/ctavan"
-      ],
-      "bin": {
-        "uuid": "dist/bin/uuid"
-      }
-    },
     "node_modules/v8-compile-cache": {
       "version": "2.4.0",
       "resolved": "https://registry.npmjs.org/v8-compile-cache/-/v8-compile-cache-2.4.0.tgz",

src/package.json

@@ -13,12 +13,10 @@
   "author": "Emile Nijssen",
   "license": "GPL",
   "dependencies": {
-    "bcryptjs": "^2.4.3",
     "debug": "^4.3.4",
     "express-session": "^1.18.0",
     "h3": "^1.11.1",
-    "qrcode": "^1.5.3",
+    "qrcode": "^1.5.3"
-    "uuid": "^9.0.1"
   },
   "devDependencies": {
     "eslint-config-athom": "^3.1.3",

src/www/js/app.js

@@ -390,9 +390,6 @@ new Vue({
           return releasesArray[0];
         });
 
-      console.log(`Current Release: ${currentRelease}`);
-      console.log(`Latest Release: ${latestRelease.version}`);
-
       if (currentRelease >= latestRelease.version) return;
 
       this.currentRelease = currentRelease;