GHSA-59g8-h59f-8hjp and additional clean up related to GHSA-9jr9-8ff3-m894

btopro · btopro · commit ddb9351c6d64 · 2025-07-21T12:57:36.000-04:00
diff --git a/nodemon.json b/nodemon.json
@@ -8,5 +8,6 @@
     "_sites",
     "_sites/*/**",
     "_sites/*/pages/**",
-    "_sites/*/site.json"]
+    "_sites/*/site.json"
+  ]
 }
diff --git a/src/app.js b/src/app.js
@@ -15,10 +15,35 @@ const server = require('http').Server(app);
 // HAXcms core settings
 process.env.haxcms_middleware = "node-express";
 const { HAXCMS, systemStructureContext } = require('./lib/HAXCMS.js');
+// default helmet policies for CSP
+const helmetPolicies = {
+  contentSecurityPolicy: {
+    directives: {
+      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "'wasm-unsafe-eval'", "www.youtube.com"],
+      styleSrc: ["'self'", "'unsafe-inline'", "data:", "https:"],
+      mediaSrc: ["'self'", "data:", "https:"],
+      imgSrc: ["'self'", "data:", "https:"],
+      connectSrc: ["'self'", "https:", "ws:"],
+      defaultSrc: ["'self'", "data:", "https:"],
+      objectSrc: ["'none'"],
+      fontSrc: ["'self'", "data:", "fonts.gstatic.com"],
+    },
+  },
+//  crossOriginResourcePolicy: false,
+//  crossOriginEmbedderPolicy: 'require-corp',
+//  crossOriginOpenerPolicy: 'same-origin',
+  referrerPolicy: {
+    policy: ["origin", "unsafe-url"],
+  },
+};
+
 // flag in local development that disables security
 // this way you launch from local and don't need a U/P relationship
 if (process.env.HAXCMS_DISABLE_JWT_CHECKS || argv._.includes('HAXCMS_DISABLE_JWT_CHECKS')) {
   HAXCMS.HAXCMS_DISABLE_JWT_CHECKS = true;
+  // disable security policies that would otherwise block local development
+  // also enables webcontainer environments which is what our playground runs
+  helmetPolicies.contentSecurityPolicy = false;
 }
 // routes with all requires
 const { RoutesMap, OpenRoutes } = require('./lib/RoutesMap.js');
@@ -48,15 +73,7 @@ if (process.env.NODE_ENV === "development") {
   );
 }
 app.use(express.urlencoded({limit: '50mb',  extended: false, parameterLimit: 50000 }));
-app.use(helmet({
-  contentSecurityPolicy: false,
-//  crossOriginResourcePolicy: false,
-//  crossOriginEmbedderPolicy: 'require-corp',
-//  crossOriginOpenerPolicy: 'same-origin',
-  referrerPolicy: {
-    policy: ["origin", "unsafe-url"],
-  },
-}));
+app.use(helmet(helmetPolicies));
 app.use(cookieParser());
 //pre-flight requests
 app.options('*', function(req, res, next) {
diff --git a/src/lib/HAXCMS.js b/src/lib/HAXCMS.js
@@ -1911,7 +1911,8 @@ class HAXCMSClass {
       }
       cleanTitle = cleanTitle.replace(/ /g, '-').toLowerCase();
       cleanTitle = cleanTitle.replace('/[^\w\-\/\s]+/u', '-');
-      cleanTitle = cleanTitle.replace('/--+/u', '-');
+      cleanTitle = cleanTitle.replace('/--+/u',
+         '-');
       // ensure we don't return an empty title or it could break downstream things
       if (cleanTitle == '') {
           cleanTitle = 'blank';
@@ -2339,90 +2340,6 @@ class HAXCMSClass {
       }
       this.saveUserDataFile();
     }
-    /**
-     * Set and validate config
-     */
-    async setConfig(values)
-    {
-        if ((values.apis)) {
-          for (var key in values.apis) {
-            let val = values.apis[key];
-            this.config.appStore.apiKeys[key] = val;
-          }
-        }
-        if (!(this.config.site)) {
-          this.config.site = {};
-        }
-        if (!(this.config.site.git)) {
-          this.config.site.git = {};
-        }
-        if (values.publishing) {
-          for (var key in values.publishing) {
-            let val = values.publishing[key];
-            this.config.site.git[key] = val;
-          }
-        }
-        // test for a password in order to do the git hook up this one time
-        if (
-          (this.config.site.git.email) &&
-          (this.config.site.git.pass)
-        ) {
-          email = this.config.site.git.email;
-          pass = this.config.site.git.pass;
-          // ensure we never save the password, this is just a 1 time pass through
-          delete this.config.site.git.pass;
-        }
-        // save config to the file
-        this.saveConfigFile();
-        // see if we need to set a github key for publishing
-        // this is a one time thing that helps with the workflow
-        if (
-          (email) &&
-          (pass) &&
-          !(this.config.site.git.keySet) &&
-          (this.config.site.git.vendor) &&
-          this.config.site.git.vendor == 'github'
-        ) {
-            let json = {};
-            json.title = 'HAXCMS Publishing key';
-            json.key = this.getSSHKey();                
-            let response = fetch('https://api.github.com/user/keys',
-              {
-                method: "POST",
-                body: {
-                'auth': [email, pass],
-                'body': JSON.stringify(json)
-                },
-              }
-            );
-            // we did it, now store that it worked so we can skip all this setup in the future
-            if (response.getStatusCode() == 201) {
-                this.config.site.git.keySet = true;
-                this.saveConfigFile();
-                try {
-                  // set global config for username / email if we can
-                  const gitRepo = new GitPlus({
-                    dir: this.siteDirectory,
-                    cliVersion: await this.gitTest()
-                  });
-                  gitRepo.gitExec(
-                      'config --global user.name "' +
-                          this.config.site.git.user +
-                          '"'
-                  );
-                  gitRepo.gitExec(
-                      'config --global user.email "' +
-                          this.config.site.git.email +
-                          '"'
-                  );
-                }
-                catch(e){}
-            }
-
-            return response.getStatusCode();
-        }
-        return 'saved';
-    }
     /**
      * Write configuration to the config file
      */
diff --git a/src/lib/RoutesMap.js b/src/lib/RoutesMap.js
@@ -21,10 +21,6 @@ const RoutesMap = {
     saveNode: require('../routes/saveNode.js'),
     deleteNode: require('../routes/deleteNode.js'),
     saveFile: require('../routes/saveFile.js'),
-
-    getConfig: require('../routes/getConfig.js'),
-    setConfig: require('../routes/setConfig.js'),
-    getNodeFields: require('../routes/getNodeFields.js'),
   },
   get: {
     logout: require('../routes/logout.js'),
diff --git a/src/routes/connectionSettings.js b/src/routes/connectionSettings.js
@@ -47,9 +47,6 @@ async function connectionSettings(req, res) {
     saveNodePath: `${baseAPIPath}saveNode`,
     saveManifestPath: `${baseAPIPath}saveManifest`,
     saveOutlinePath: `${baseAPIPath}saveOutline`,
-    setConfigPath:`${baseAPIPath}setConfig`,
-    getConfigPath: `${baseAPIPath}getConfig`,
-    getNodeFieldsPath: `${baseAPIPath}getNodeFields`,
     getSiteFieldsPath: `${baseAPIPath}formLoad?haxcms_form_id=siteSettings`,
     createNodePath: `${baseAPIPath}createNode`,
     getUserDataPath: `${baseAPIPath}getUserData`,
diff --git a/src/routes/createSite.js b/src/routes/createSite.js
@@ -52,7 +52,7 @@ const HAXCMSFile = require('../lib/HAXCMSFile.js');
    * )
    */
 async function createSite(req, res) {
-  if (HAXCMS.validateRequestToken()) {
+  if (HAXCMS.validateRequestToken(req.body.token)) {
     let domain = null;
     // woohoo we can edit this thing!
     if (req.body['site']['domain'] && req.body['site']['domain'] != null && req.body['site']['domain'] != '') {
@@ -216,7 +216,7 @@ async function createSite(req, res) {
     });
   }
   else {
-      res.send(403);
+      res.sendStatus(403);
   }
 }
 module.exports = createSite;
diff --git a/src/routes/formLoad.js b/src/routes/formLoad.js
@@ -18,7 +18,7 @@ const { HAXCMS } = require('../lib/HAXCMS.js');
    * )
    */
   async function formLoad(req, res) {
-    if (HAXCMS.validateRequestToken(null, 'form')) {
+    if (HAXCMS.validateRequestToken(req.body.token, 'form')) {
       let context = {
         'site':[],
         'node': [],
diff --git a/src/routes/getConfig.js b/src/routes/getConfig.js
diff --git a/src/routes/getNodeFields.js b/src/routes/getNodeFields.js
diff --git a/src/routes/setConfig.js b/src/routes/setConfig.js

Original file line number	Diff line number	Diff line change
`@@ -8,5 +8,6 @@`
`8`	`8`	`"_sites",`
`9`	`9`	`"_sites//*",`
`10`	`10`	`"_sites//pages/*",`
`11`		`- "_sites/*/site.json"]`
	`11`	`+ "_sites/*/site.json"`
	`12`	`+ ]`
`12`	`13`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ const HAXCMSFile = require('../lib/HAXCMSFile.js');`
`52`	`52`	`* )`
`53`	`53`	`*/`
`54`	`54`	`async function createSite(req, res) {`
`55`		`- if (HAXCMS.validateRequestToken()) {`
	`55`	`+ if (HAXCMS.validateRequestToken(req.body.token)) {`
`56`	`56`	`let domain = null;`
`57`	`57`	`// woohoo we can edit this thing!`
`58`	`58`	`if (req.body['site']['domain'] && req.body['site']['domain'] != null && req.body['site']['domain'] != '') {`
`@@ -216,7 +216,7 @@ async function createSite(req, res) {`
`216`	`216`	`});`
`217`	`217`	`}`
`218`	`218`	`else {`
`219`		`- res.send(403);`
	`219`	`+ res.sendStatus(403);`
`220`	`220`	`}`
`221`	`221`	`}`
`222`	`222`	`module.exports = createSite;`