mirror of
https://github.com/MichMich/MagicMirror.git
synced 2026-05-24 13:13:35 +00:00
Release 2.36.0 (#4127)
## Release Notes Thanks to: @cgillinger, @khassel, @KristjanESPERANTO, @sonnyb9 > ⚠️ This release needs nodejs version >=22.21.1 <23 || >=24 (no change to previous release) [Compare to previous Release v2.35.0](https://github.com/MagicMirrorOrg/MagicMirror/compare/v2.35.0...v2.36.0) This release falls outside the quarterly schedule. We opted for an early release due to: - Security fix for the internal cors proxy - API change of the weather provider smi - Several bug fixes ### Breaking Changes The cors proxy is now disabled by default. If required, it must be explicitly enabled in the `config.js` file. See the [documentation](https://docs.magicmirror.builders/configuration/cors.html). ### ⚠️ Security You can find several publicly accessible MagicMirror² instances. This should never be done. Doing so makes your entire configuration, including secrets and API keys, publicly visible. Furthermore, it allows attackers to target the host; this is only prevented beginning with this release. Public MagicMirror² instances should always run behind a reverse proxy with authentication. ### [core] - Prepare Release 2.36.0 (#4126) - Allow HTTPFetcher to pass through 304 responses (#4120) - fix(http-fetcher): fall back to reloadInterval after retries exhausted (#4113) - config endpoint must handle functions in module configs (#4106) - fix replaceSecretPlaceholder (#4104) - restrict replaceSecretPlaceholder to cors with allowWhitelist (#4102) - fix: prevent crash when config is undefined in socket handler (#4096) - fix cors function for alpine linux (#4091) - fix(cors): prevent SSRF via DNS rebinding (#4090) - add option to disable or restrict cors endpoint (#4087) - fix: prevent SSRF via /cors endpoint by blocking private/reserved IPs (#4084) - chore: add permissions section to enforce pull-request rules workflow (#4079) - update version for develop ### [dependencies] - update dependencies (#4124) - chore: update dependencies (#4088) - refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080) ### [modules/newsfeed] - fix(newsfeed): prevent duplicate parse error callback when using pipeline (#4083) ### [modules/updatenotification] - fix(updatenotification): harden git command execution + simplify checkUpdates (#4115) - fix(tests): correct import path for git_helper module in updatenotification tests (#4078) ### [modules/weather] - fix(weather): use nearest openmeteo hourly data (#4123) - fix(weather): avoid loading state after reconnect (#4121) - weather: fix UV index display and add WeatherFlow precipitation (#4108) - fix(weather): restore OpenWeatherMap v2.5 support (#4101) - fix(weather): use stable instanceId to prevent duplicate fetchers (#4092) - SMHI: migrate to SNOW1gv1 API (replace deprecated PMP3gv2) (#4082) ### [testing] - ci(actions): set explicit token permissions (#4114) - fix(http_fetcher): use undici.fetch when dispatcher is present (#4097) - ci(codeql): also scan develop branch on push and PR (#4086) - refactor: replace implicit global config with explicit global.config (#4085) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: sam detweiler <sdetweil@gmail.com> Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com> Co-authored-by: Veeck <github@veeck.de> Co-authored-by: veeck <gitkraken@veeck.de> Co-authored-by: Magnus <34011212+MagMar94@users.noreply.github.com> Co-authored-by: Ikko Eltociear Ashimine <eltociear@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: DevIncomin <56730075+Developer-Incoming@users.noreply.github.com> Co-authored-by: Nathan <n8nyoung@gmail.com> Co-authored-by: mixasgr <mixasgr@users.noreply.github.com> Co-authored-by: Savvas Adamtziloglou <savvas-gr@greeklug.gr> Co-authored-by: Konstantinos <geraki@gmail.com> Co-authored-by: OWL4C <124401812+OWL4C@users.noreply.github.com> Co-authored-by: BugHaver <43462320+bughaver@users.noreply.github.com> Co-authored-by: BugHaver <43462320+lsaadeh@users.noreply.github.com> Co-authored-by: Bugsounet - Cédric <github@bugsounet.fr> Co-authored-by: Koen Konst <koenspero@gmail.com> Co-authored-by: Koen Konst <c.h.konst@avisi.nl> Co-authored-by: dathbe <github@beffa.us> Co-authored-by: Marcel <m-idler@users.noreply.github.com> Co-authored-by: Kevin G. <crazylegstoo@gmail.com> Co-authored-by: Jboucly <33218155+jboucly@users.noreply.github.com> Co-authored-by: Jboucly <contact@jboucly.fr> Co-authored-by: Jarno <54169345+jarnoml@users.noreply.github.com> Co-authored-by: Jordan Welch <JordanHWelch@gmail.com> Co-authored-by: Blackspirits <blackspirits@gmail.com> Co-authored-by: Samed Ozdemir <samed@xsor.io> Co-authored-by: in-voker <58696565+in-voker@users.noreply.github.com> Co-authored-by: Andrés Vanegas Jiménez <142350+angeldeejay@users.noreply.github.com> Co-authored-by: cgillinger <christian.gillinger@gmail.com> Co-authored-by: Sonny B <43247590+sonnyb9@users.noreply.github.com> Co-authored-by: sonnyb9 <sonnyb9@users.noreply.github.com>
This commit is contained in:
Karsten Hassel
GitHub
@@ -1,5 +1,8 @@
|
||||
const dns = require("node:dns");
|
||||
const fs = require("node:fs");
|
||||
const path = require("node:path");
|
||||
const ipaddr = require("ipaddr.js");
|
||||
const undici = require("undici");
|
||||
const Log = require("logger");
|
||||
|
||||
const startUp = new Date();
|
||||
@@ -19,9 +22,16 @@ function getStartup (req, res) {
|
||||
* @returns {string} the input with real variable content
|
||||
*/
|
||||
function replaceSecretPlaceholder (input) {
|
||||
return input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g, (match, group) => {
|
||||
return process.env[group];
|
||||
});
|
||||
if (global.config.cors !== "allowAll") {
|
||||
return input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g, (match, group) => {
|
||||
return process.env[group];
|
||||
});
|
||||
} else {
|
||||
if (input.includes("**SECRET_")) {
|
||||
Log.error("Replacing secrets doesn't work with CORS `allowAll`, you need to set `cors` to `disabled` or `allowWhitelist` in `config.js`");
|
||||
}
|
||||
return input;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -35,9 +45,13 @@ function replaceSecretPlaceholder (input) {
|
||||
* @returns {Promise<void>} A promise that resolves when the response is sent
|
||||
*/
|
||||
async function cors (req, res) {
|
||||
if (global.config.cors === "disabled") {
|
||||
Log.error("CORS is disabled, you need to enable it in `config.js` by setting `cors` to `allowAll` or `allowWhitelist`");
|
||||
return res.status(403).json({ error: "CORS proxy is disabled" });
|
||||
}
|
||||
let url;
|
||||
try {
|
||||
const urlRegEx = "url=(.+?)$";
|
||||
let url;
|
||||
|
||||
const match = new RegExp(urlRegEx, "g").exec(req.url);
|
||||
if (!match) {
|
||||
@@ -46,17 +60,61 @@ async function cors (req, res) {
|
||||
return res.status(400).send(url);
|
||||
} else {
|
||||
url = match[1];
|
||||
if (typeof config !== "undefined") {
|
||||
if (typeof global.config !== "undefined") {
|
||||
if (config.hideConfigSecrets) {
|
||||
url = replaceSecretPlaceholder(url);
|
||||
}
|
||||
}
|
||||
|
||||
// Validate protocol before attempting connection (non-http/https are never allowed)
|
||||
let parsed;
|
||||
try {
|
||||
parsed = new URL(url);
|
||||
} catch {
|
||||
Log.warn(`SSRF blocked (invalid URL): ${url}`);
|
||||
return res.status(403).json({ error: "Forbidden: private or reserved addresses are not allowed" });
|
||||
}
|
||||
if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
|
||||
Log.warn(`SSRF blocked (protocol): ${url}`);
|
||||
return res.status(403).json({ error: "Forbidden: private or reserved addresses are not allowed" });
|
||||
}
|
||||
|
||||
// Block localhost by hostname before even creating the dispatcher (no DNS needed).
|
||||
if (parsed.hostname.toLowerCase() === "localhost") {
|
||||
Log.warn(`SSRF blocked (localhost): ${url}`);
|
||||
return res.status(403).json({ error: "Forbidden: private or reserved addresses are not allowed" });
|
||||
}
|
||||
|
||||
// Whitelist check: if enabled, only allow explicitly listed domains
|
||||
if (global.config.cors === "allowWhitelist" && !global.config.corsDomainWhitelist.includes(parsed.hostname.toLowerCase())) {
|
||||
Log.warn(`CORS blocked (not in whitelist): ${url}`);
|
||||
return res.status(403).json({ error: "Forbidden: domain not in corsDomainWhitelist" });
|
||||
}
|
||||
|
||||
const headersToSend = getHeadersToSend(req.url);
|
||||
const expectedReceivedHeaders = geExpectedReceivedHeaders(req.url);
|
||||
Log.log(`cors url: ${url}`);
|
||||
|
||||
const response = await fetch(url, { headers: headersToSend });
|
||||
// Resolve DNS once and validate the IP. The validated IP is then pinned
|
||||
// for the actual connection so fetch() cannot re-resolve to a different
|
||||
// address. This prevents DNS rebinding / TOCTOU attacks (GHSA-xhvw-r95j-xm4v).
|
||||
const { address, family } = await dns.promises.lookup(parsed.hostname);
|
||||
if (ipaddr.process(address).range() !== "unicast") {
|
||||
Log.warn(`SSRF blocked: ${url}`);
|
||||
return res.status(403).json({ error: "Forbidden: private or reserved addresses are not allowed" });
|
||||
}
|
||||
|
||||
// Pin the validated IP — fetch() reuses it instead of doing its own DNS lookup
|
||||
const dispatcher = new undici.Agent({
|
||||
connect: {
|
||||
lookup: (_h, _o, cb) => {
|
||||
const addresses = [{ address: address, family: family }];
|
||||
process.nextTick(() => cb(null, addresses));
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
const response = await undici.fetch(url, { dispatcher, headers: headersToSend });
|
||||
if (response.ok) {
|
||||
for (const header of expectedReceivedHeaders) {
|
||||
const headerValue = response.headers.get(header);
|
||||
@@ -69,7 +127,6 @@ async function cors (req, res) {
|
||||
}
|
||||
}
|
||||
} catch (error) {
|
||||
// Only log errors in non-test environments to keep test output clean
|
||||
if (process.env.mmTestMode !== "true") {
|
||||
Log.error(`Error in CORS request: ${error}`);
|
||||
}
|
||||
@@ -144,15 +201,15 @@ function getVersion (req, res) {
|
||||
function getUserAgent () {
|
||||
const defaultUserAgent = `Mozilla/5.0 (Node.js ${Number(process.version.match(/^v(\d+\.\d+)/)[1])}) MagicMirror/${global.version}`;
|
||||
|
||||
if (typeof config === "undefined") {
|
||||
if (typeof global.config === "undefined") {
|
||||
return defaultUserAgent;
|
||||
}
|
||||
|
||||
switch (typeof config.userAgent) {
|
||||
switch (typeof global.config.userAgent) {
|
||||
case "function":
|
||||
return config.userAgent();
|
||||
return global.config.userAgent();
|
||||
case "string":
|
||||
return config.userAgent;
|
||||
return global.config.userAgent;
|
||||
default:
|
||||
return defaultUserAgent;
|
||||
}
|
||||
@@ -163,7 +220,7 @@ function getUserAgent () {
|
||||
* @returns {object} environment variables key: values
|
||||
*/
|
||||
function getEnvVarsAsObj () {
|
||||
const obj = { modulesDir: `${config.foreignModulesDir}`, defaultModulesDir: `${config.defaultModulesDir}`, customCss: `${config.customCss}` };
|
||||
const obj = { modulesDir: `${global.config.foreignModulesDir}`, defaultModulesDir: `${global.config.defaultModulesDir}`, customCss: `${global.config.customCss}` };
|
||||
if (process.env.MM_MODULES_DIR) {
|
||||
obj.modulesDir = process.env.MM_MODULES_DIR.replace(`${global.root_path}/`, "");
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user