Mirror of https://github.com/MichMich/MagicMirror.git, synced 2026-06-13 22:36:09 +00:00
This PR attempts to fix the unauthorized secret expansion vulnerability reported in [GHSA-q4gh-4ffp-5cg8](https://github.com/MagicMirrorOrg/MagicMirror/security/advisories/GHSA-q4gh-4ffp-5cg8).

Previously, if a module sent a payload through the socket containing any `**SECRET_FOO**` placeholder, the server would unconditionally expand it with the real environment variable. This meant a manipulated module could theoretically extract secrets that belonged to other modules.

To prevent this, the expansion logic is now much stricter and scoped to the individual module:

* In `app.js`, we now store a copy of the redacted config (`global.configRedacted`) to keep track of which module uses which secrets.
* In `node_helper.js`, before handling a socket notification, we build a specific "allow-list" (`Set`) of secrets that are actually present in the calling module's config.
* `replaceSecretPlaceholder` in `server_functions.js` was updated to accept this `Set` and will now only expand placeholders that the module is explicitly authorized to know. Unlisted placeholders are safely ignored.

I also updated the unit tests to cover the new allow-list behavior.

Since this security stuff is tricky and gives me headaches all the time, I've added more comments than usual. I've tried several ways to make it a little simpler, but unfortunately, I couldn't come up with anything easier than that. I'd appreciate it if someone could take a critical look at the logic to make sure I didn't miss anything!