Merge branch 'wg-easy:master' into master

src/lib/Server.js

@@ -1,10 +1,9 @@
 'use strict';
 
-const bcrypt = require('bcryptjs');
 const crypto = require('node:crypto');
 const { createServer } = require('node:http');
 const { stat, readFile } = require('node:fs/promises');
-const { join } = require('node:path');
+const { resolve, sep } = require('node:path');
 
 const expressSession = require('express-session');
 const debug = require('debug')('Server');
@@ -118,15 +117,6 @@ module.exports = class Server {
           return next();
         }
 
-        if (req.url.startsWith('/api/') && req.headers['authorization']) {
-          if (bcrypt.compareSync(req.headers['authorization'], bcrypt.hashSync(PASSWORD, 10))) {
-            return next();
-          }
-          return res.status(401).json({
-            error: 'Incorrect Password',
-          });
-        }
-
         return res.status(401).json({
           error: 'Not Logged In',
         });
@@ -212,15 +202,41 @@ module.exports = class Server {
         return { success: true };
       }));
 
+    const safePathJoin = (base, target) => {
+      // Manage web root (edge case)
+      if (target === '/') {
+        return `${base}${sep}`;
+      }
+
+      // Prepend './' to prevent absolute paths
+      const targetPath = `.${sep}${target}`;
+
+      // Resolve the absolute path
+      const resolvedPath = resolve(base, targetPath);
+
+      // Check if resolvedPath is a subpath of base
+      if (resolvedPath.startsWith(`${base}${sep}`)) {
+        return resolvedPath;
+      }
+
+      throw createError({
+        status: 400,
+        message: 'Bad Request',
+      });
+    };
+
     // Static assets
     const publicDir = '/app/www';
     app.use(
       defineEventHandler((event) => {
         return serveStatic(event, {
-          getContents: (id) => readFile(join(publicDir, id)),
+          getContents: (id) => {
+            return readFile(safePathJoin(publicDir, id));
+          },
           getMeta: async (id) => {
-            const stats = await stat(join(publicDir, id)).catch(() => {});
+            const filePath = safePathJoin(publicDir, id);
 
+            const stats = await stat(filePath).catch(() => {});
             if (!stats || !stats.isFile()) {
               return;
             }

src/lib/WireGuard.js

@@ -1,10 +1,9 @@
 'use strict';
 
-const fs = require('fs').promises;
+const fs = require('node:fs/promises');
 const path = require('path');
-
 const debug = require('debug')('WireGuard');
-const uuid = require('uuid');
+const crypto = require('node:crypto');
 const QRCode = require('qrcode');
 
 const Util = require('./Util');
@@ -248,7 +247,7 @@ Endpoint = ${WG_HOST}:${WG_PORT}`;
     }
 
     // Create Client
-    const id = uuid.v4();
+    const id = crypto.randomUUID();
     const client = {
       id,
       name,

src/package.json

@@ -13,16 +13,14 @@
   "author": "Emile Nijssen",
   "license": "GPL",
   "dependencies": {
-    "bcryptjs": "^2.4.3",
     "debug": "^4.3.4",
     "express-session": "^1.18.0",
     "h3": "^1.11.1",
-    "qrcode": "^1.5.3",
-    "uuid": "^9.0.1"
+    "qrcode": "^1.5.3"
   },
   "devDependencies": {
     "eslint-config-athom": "^3.1.3",
-    "nodemon": "^3.1.0",
+    "nodemon": "^3.1.1",
     "tailwindcss": "^3.4.3"
   },
   "nodemonConfig": {

src/www/js/app.js

@@ -390,9 +390,6 @@ new Vue({
           return releasesArray[0];
         });
 
-      console.log(`Current Release: ${currentRelease}`);
-      console.log(`Latest Release: ${latestRelease.version}`);
-
       if (currentRelease >= latestRelease.version) return;
 
       this.currentRelease = currentRelease;