kenmirrors/MagicMirror
1
0
Fork 0
mirror of https://github.com/MichMich/MagicMirror.git synced 2026-04-25 23:32:10 +00:00
Code Issues Projects Releases Wiki Activity
Files
96c18ec8b07eee36da3b35716caa074a84f40de3
MagicMirror/js
History
Kristjan ESPERANTO 96c18ec8b0 fix(cors): prevent SSRF via DNS rebinding (#4090) 
PR #4084 blocked SSRF by checking the IP before `fetch()` — but
`fetch()` resolves DNS again on its own. With DNS rebinding (TTL=0,
alternating IPs) an attacker can slip a private IP through between check
and connection.

Fix: resolve DNS once, validate, pin the validated IP for the
connection.

No second DNS query → no rebinding window. `isPrivateTarget()` is gone,
code is shorter than before.

Not a likely attack for a typical MagicMirror setup, but it doesn't add
complexity so there's no reason not to close the gap.
2026-04-04 20:40:14 +02:00
..
alias-resolver.js
chore: update ESLint and plugins, simplify config, apply new rules (#4052)
2026-03-07 08:34:28 -07:00
animateCSS.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
app.js
refactor: replace implicit global config with explicit global.config (#4085)
2026-04-03 17:56:11 +02:00
check_config.js
change loading config.js, allow variables in config.js and try to protect sensitive data (#4029)
2026-02-06 00:21:35 +01:00
class.js
Bump stylistic-eslint (#3520)
2024-08-12 22:52:43 +02:00
defaults.js
add option to disable or restrict cors endpoint (#4087)
2026-04-04 11:55:13 +02:00
deprecated.js
remove kioskmode (#4027)
2026-02-06 00:09:59 +01:00
electron.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
http_fetcher.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
ip_access_control.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
loader.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
logger.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
main.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
module.js
chore: upgrade ESLint to v10 and fix newly surfaced issues (#4057)
2026-03-12 11:58:26 +01:00
node_helper.js
allow environment variables in cors urls (#4033)
2026-02-08 16:18:56 +01:00
releasenotes.js
[core] auto create release notes with every push on develop (#3985)
2025-12-10 11:56:31 -06:00
server_functions.js
fix(cors): prevent SSRF via DNS rebinding (#4090)
2026-04-04 20:40:14 +02:00
server.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
socketclient.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
systeminformation.js
fix systeminformation not displaying electron version (#4012)
2026-01-11 23:17:01 +01:00
translator.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
utils.js
refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080)
2026-04-02 08:56:27 +02:00
vendor.js
simplify install and maintaining dependencies (#3795)
2025-06-01 17:03:11 +02:00