MagicMirror

mirror of https://github.com/MichMich/MagicMirror.git synced 2026-04-26 15:52:23 +00:00

Go to file

Kristjan ESPERANTO 96c18ec8b0 fix(cors): prevent SSRF via DNS rebinding (#4090 )

PR #4084 blocked SSRF by checking the IP before `fetch()` — but
`fetch()` resolves DNS again on its own. With DNS rebinding (TTL=0,
alternating IPs) an attacker can slip a private IP through between check
and connection.

Fix: resolve DNS once, validate, pin the validated IP for the
connection.

No second DNS query → no rebinding window. `isPrivateTarget()` is gone,
code is shorter than before.

Not a likely attack for a typical MagicMirror setup, but it doesn't add
complexity so there's no reason not to close the gap.

2026-04-04 20:40:14 +02:00

.github

ci(codeql): also scan develop branch on push and PR (#4086 )

2026-04-04 16:39:53 +02:00

.husky

Switch to 'npx' for lint-staged in pre-commit hook (#3658 )

2024-12-22 07:26:01 +01:00

clientonly

refactor(clientonly): modernize code structure and add comprehensive tests (#4022 )

2026-01-28 20:48:47 +01:00

config

move custom.css from css to config (#4020 )

2026-01-28 10:50:25 +01:00

css

move custom.css from css to config (#4020 )

2026-01-28 10:50:25 +01:00

defaultmodules

fix(newsfeed): prevent duplicate parse error callback when using pipeline (#4083 )

2026-04-03 12:09:24 +02:00

fix(cors): prevent SSRF via DNS rebinding (#4090 )

2026-04-04 20:40:14 +02:00

modules

move default modules from /modules/default to /defaultmodules (#4019 )

2026-01-27 08:37:52 +01:00

serveronly

refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080 )

2026-04-02 08:56:27 +02:00

tests

fix(cors): prevent SSRF via DNS rebinding (#4090 )

2026-04-04 20:40:14 +02:00

translations

fix(newsfeed): fix full article view and add framing check (#4039 )

2026-03-01 00:32:42 +01:00

.editorconfig

Add prettier, configs and editorconfig

2020-05-07 14:09:22 +02:00

.gitattributes

Release 2.24.0 (#3141 )

2023-07-01 21:17:31 +02:00

.gitignore

move custom.css from css to config (#4020 )

2026-01-28 10:50:25 +01:00

.markdownlint.json

Add linting for markdown files (#3646 )

2024-12-07 10:12:28 +01:00

.npmrc

Update .npmrc (#3399 )

2024-03-16 13:06:27 +01:00

.prettierignore

Switch to ESLint v9 and flat config (#3558 )

2024-09-25 21:05:11 +02:00

CHANGELOG.md

[core] auto create release notes with every push on develop (#3985 )

2025-12-10 11:56:31 -06:00

Collaboration.md

update Collaboration.md and dependencies (#4001 )

2026-01-08 10:14:47 +01:00

cspell.config.json

replace template_spec test with config_variables test (#4034 )

2026-02-09 20:35:54 +01:00

eslint.config.mjs

refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080 )

2026-04-02 08:56:27 +02:00

favicon.svg

refactor: unify favicon for index.html and Electron (#4006 )

2026-01-05 10:51:43 +01:00

index.html

change loading config.js, allow variables in config.js and try to protect sensitive data (#4029 )

2026-02-06 00:21:35 +01:00

jsconfig.json

Run prettier over ALL files once

2020-05-11 22:22:32 +02:00

LICENSE.md

Prepare 2.34.0-develop

2025-09-30 18:14:08 +02:00

module-types.ts

Release v2.25.0 (#3214 )

2023-10-01 20:13:41 +02:00

package-lock.json

chore: update dependencies (#4088 )

2026-04-04 15:01:27 +02:00

package.json

chore: update dependencies (#4088 )

2026-04-04 15:01:27 +02:00

prettier.config.mjs

Add Prettier plugin for Nunjuck templates (#3887 )

2025-09-11 13:10:53 +02:00

README.md

Add dark theme logo (#4026 )

2026-02-01 08:22:46 +01:00

stylelint.config.mjs

[linter] Review linter setup (#3783 )

2025-05-12 23:40:05 +02:00

vitest.config.mjs

chore: update ESLint and plugins, simplify config, apply new rules (#4052 )

2026-03-07 08:34:28 -07:00

README.md

MagicMirror² is an open source modular smart mirror platform. With a growing list of installable modules, the MagicMirror² allows you to convert your hallway or bathroom mirror into your personal assistant. MagicMirror² is built by the creator of the original MagicMirror with the incredible help of a growing community of contributors.

MagicMirror² focuses on a modular plugin system and uses Electron as an application wrapper. So no more web server or browser installs necessary!

Documentation

For the full documentation including installation instructions, please visit our dedicated documentation website: https://docs.magicmirror.builders.

Contributing Guidelines

Contributions of all kinds are welcome, not only in the form of code but also with regards to

bug reports
documentation
translations

For the full contribution guidelines, check out: https://docs.magicmirror.builders/about/contributing.html

Enjoying MagicMirror? Consider a donation!

MagicMirror² is Open Source and free. That doesn't mean we don't need any money.

Please consider a donation to help us cover the ongoing costs like webservers and email services. If we receive enough donations we might even be able to free up some working hours and spend some extra time improving the MagicMirror² core.

To donate, please follow this link.

Description

MagicMirror² is an open source modular smart mirror platform. With a growing list of installable modules, the MagicMirror² allows you to convert your hallway or bathroom mirror into your personal assistant.

domotics javascript magicmirror mirror raspberry-pi smarthome

Readme 108 MiB

Languages

JavaScript 83.6%

HTML 8.9%

CSS 5.8%

Nunjucks 1.6%

TypeScript 0.1%

README.md

Documentation

Links

Contributing Guidelines

Enjoying MagicMirror? Consider a donation!