mirror of
https://github.com/MichMich/MagicMirror.git
synced 2026-05-09 22:28:33 +00:00
fb41d24ef5
## Release Notes Thanks to: @cgillinger, @khassel, @KristjanESPERANTO, @sonnyb9 > ⚠️ This release needs nodejs version >=22.21.1 <23 || >=24 (no change to previous release) [Compare to previous Release v2.35.0](https://github.com/MagicMirrorOrg/MagicMirror/compare/v2.35.0...v2.36.0) This release falls outside the quarterly schedule. We opted for an early release due to: - Security fix for the internal cors proxy - API change of the weather provider smi - Several bug fixes ### Breaking Changes The cors proxy is now disabled by default. If required, it must be explicitly enabled in the `config.js` file. See the [documentation](https://docs.magicmirror.builders/configuration/cors.html). ### ⚠️ Security You can find several publicly accessible MagicMirror² instances. This should never be done. Doing so makes your entire configuration, including secrets and API keys, publicly visible. Furthermore, it allows attackers to target the host; this is only prevented beginning with this release. Public MagicMirror² instances should always run behind a reverse proxy with authentication. ### [core] - Prepare Release 2.36.0 (#4126) - Allow HTTPFetcher to pass through 304 responses (#4120) - fix(http-fetcher): fall back to reloadInterval after retries exhausted (#4113) - config endpoint must handle functions in module configs (#4106) - fix replaceSecretPlaceholder (#4104) - restrict replaceSecretPlaceholder to cors with allowWhitelist (#4102) - fix: prevent crash when config is undefined in socket handler (#4096) - fix cors function for alpine linux (#4091) - fix(cors): prevent SSRF via DNS rebinding (#4090) - add option to disable or restrict cors endpoint (#4087) - fix: prevent SSRF via /cors endpoint by blocking private/reserved IPs (#4084) - chore: add permissions section to enforce pull-request rules workflow (#4079) - update version for develop ### [dependencies] - update dependencies (#4124) - chore: update dependencies (#4088) - refactor: enable ESLint rule "no-unused-vars" and handle related issues (#4080) ### [modules/newsfeed] - fix(newsfeed): prevent duplicate parse error callback when using pipeline (#4083) ### [modules/updatenotification] - fix(updatenotification): harden git command execution + simplify checkUpdates (#4115) - fix(tests): correct import path for git_helper module in updatenotification tests (#4078) ### [modules/weather] - fix(weather): use nearest openmeteo hourly data (#4123) - fix(weather): avoid loading state after reconnect (#4121) - weather: fix UV index display and add WeatherFlow precipitation (#4108) - fix(weather): restore OpenWeatherMap v2.5 support (#4101) - fix(weather): use stable instanceId to prevent duplicate fetchers (#4092) - SMHI: migrate to SNOW1gv1 API (replace deprecated PMP3gv2) (#4082) ### [testing] - ci(actions): set explicit token permissions (#4114) - fix(http_fetcher): use undici.fetch when dispatcher is present (#4097) - ci(codeql): also scan develop branch on push and PR (#4086) - refactor: replace implicit global config with explicit global.config (#4085) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: sam detweiler <sdetweil@gmail.com> Co-authored-by: Kristjan ESPERANTO <35647502+KristjanESPERANTO@users.noreply.github.com> Co-authored-by: Veeck <github@veeck.de> Co-authored-by: veeck <gitkraken@veeck.de> Co-authored-by: Magnus <34011212+MagMar94@users.noreply.github.com> Co-authored-by: Ikko Eltociear Ashimine <eltociear@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: DevIncomin <56730075+Developer-Incoming@users.noreply.github.com> Co-authored-by: Nathan <n8nyoung@gmail.com> Co-authored-by: mixasgr <mixasgr@users.noreply.github.com> Co-authored-by: Savvas Adamtziloglou <savvas-gr@greeklug.gr> Co-authored-by: Konstantinos <geraki@gmail.com> Co-authored-by: OWL4C <124401812+OWL4C@users.noreply.github.com> Co-authored-by: BugHaver <43462320+bughaver@users.noreply.github.com> Co-authored-by: BugHaver <43462320+lsaadeh@users.noreply.github.com> Co-authored-by: Bugsounet - Cédric <github@bugsounet.fr> Co-authored-by: Koen Konst <koenspero@gmail.com> Co-authored-by: Koen Konst <c.h.konst@avisi.nl> Co-authored-by: dathbe <github@beffa.us> Co-authored-by: Marcel <m-idler@users.noreply.github.com> Co-authored-by: Kevin G. <crazylegstoo@gmail.com> Co-authored-by: Jboucly <33218155+jboucly@users.noreply.github.com> Co-authored-by: Jboucly <contact@jboucly.fr> Co-authored-by: Jarno <54169345+jarnoml@users.noreply.github.com> Co-authored-by: Jordan Welch <JordanHWelch@gmail.com> Co-authored-by: Blackspirits <blackspirits@gmail.com> Co-authored-by: Samed Ozdemir <samed@xsor.io> Co-authored-by: in-voker <58696565+in-voker@users.noreply.github.com> Co-authored-by: Andrés Vanegas Jiménez <142350+angeldeejay@users.noreply.github.com> Co-authored-by: cgillinger <christian.gillinger@gmail.com> Co-authored-by: Sonny B <43247590+sonnyb9@users.noreply.github.com> Co-authored-by: sonnyb9 <sonnyb9@users.noreply.github.com>
305 lines
11 KiB
JavaScript
305 lines
11 KiB
JavaScript
// Tests use vi.spyOn on shared module objects (dns, undici).
|
|
// vi.spyOn modifies the object property directly on the cached module instance, so it
|
|
// is intercepted by server_functions.js regardless of the Module.prototype.require override
|
|
// in vitest-setup.js. restoreAllMocks:true auto-restores spies, but may reuse the same
|
|
// spy instance — mockClear() is called explicitly in beforeEach to reset call history.
|
|
const dns = require("node:dns");
|
|
const undici = require("undici");
|
|
const { cors, getUserAgent, replaceSecretPlaceholder } = require("#server_functions");
|
|
|
|
describe("server_functions tests", () => {
|
|
describe("The replaceSecretPlaceholder method with cors=allowWhitelist", () => {
|
|
beforeEach(() => {
|
|
global.config = { cors: "allowWhitelist" };
|
|
});
|
|
|
|
it("Calls string without secret placeholder", () => {
|
|
const teststring = "test string without secret placeholder";
|
|
const result = replaceSecretPlaceholder(teststring);
|
|
expect(result).toBe(teststring);
|
|
});
|
|
|
|
it("Calls string with 2 secret placeholders", () => {
|
|
const teststring = "test string with secret1=**SECRET_ONE** and secret2=**SECRET_TWO**";
|
|
process.env.SECRET_ONE = "secret1";
|
|
process.env.SECRET_TWO = "secret2";
|
|
const resultstring = `test string with secret1=${process.env.SECRET_ONE} and secret2=${process.env.SECRET_TWO}`;
|
|
const result = replaceSecretPlaceholder(teststring);
|
|
expect(result).toBe(resultstring);
|
|
});
|
|
});
|
|
|
|
describe("The replaceSecretPlaceholder method with cors=allowAll", () => {
|
|
beforeEach(() => {
|
|
global.config = { cors: "allowAll" };
|
|
});
|
|
|
|
it("Calls string without secret placeholder", () => {
|
|
const teststring = "test string without secret placeholder";
|
|
const result = replaceSecretPlaceholder(teststring);
|
|
expect(result).toBe(teststring);
|
|
});
|
|
|
|
it("Calls string with 2 secret placeholders", () => {
|
|
const teststring = "test string with secret1=**SECRET_ONE** and secret2=**SECRET_TWO**";
|
|
const result = replaceSecretPlaceholder(teststring);
|
|
expect(result).toBe(teststring);
|
|
});
|
|
});
|
|
|
|
describe("The cors method", () => {
|
|
let fetchSpy;
|
|
let fetchResponseHeadersGet;
|
|
let fetchResponseArrayBuffer;
|
|
let corsResponse;
|
|
let request;
|
|
|
|
beforeEach(() => {
|
|
global.config = { cors: "allowAll" };
|
|
fetchResponseHeadersGet = vi.fn(() => {});
|
|
fetchResponseArrayBuffer = vi.fn(() => {});
|
|
|
|
// Mock DNS to return a public IP (SSRF check must pass for these tests)
|
|
vi.spyOn(dns.promises, "lookup").mockResolvedValue({ address: "93.184.216.34", family: 4 });
|
|
|
|
// vi.spyOn may return the same spy instance across tests when restoreAllMocks
|
|
// restores-but-reuses; mockClear() explicitly resets call history each time.
|
|
fetchSpy = vi.spyOn(undici, "fetch");
|
|
fetchSpy.mockClear();
|
|
fetchSpy.mockImplementation(() => Promise.resolve({
|
|
headers: { get: fetchResponseHeadersGet },
|
|
arrayBuffer: fetchResponseArrayBuffer,
|
|
ok: true
|
|
}));
|
|
|
|
corsResponse = {
|
|
set: vi.fn(() => {}),
|
|
send: vi.fn(() => {}),
|
|
status: vi.fn(function (code) {
|
|
this.statusCode = code;
|
|
return this;
|
|
}),
|
|
json: vi.fn(() => {})
|
|
};
|
|
|
|
request = {
|
|
url: "/cors?url=http://www.test.com"
|
|
};
|
|
});
|
|
|
|
it("Calls correct URL once", async () => {
|
|
const urlToCall = "http://www.test.com/path?param1=value1";
|
|
request.url = `/cors?url=${urlToCall}`;
|
|
|
|
await cors(request, corsResponse);
|
|
|
|
expect(fetchSpy.mock.calls).toHaveLength(1);
|
|
expect(fetchSpy.mock.calls[0][0]).toBe(urlToCall);
|
|
});
|
|
|
|
it("Forwards Content-Type if json", async () => {
|
|
fetchResponseHeadersGet.mockImplementation(() => "json");
|
|
|
|
await cors(request, corsResponse);
|
|
|
|
expect(fetchResponseHeadersGet.mock.calls).toHaveLength(1);
|
|
expect(fetchResponseHeadersGet.mock.calls[0][0]).toBe("Content-Type");
|
|
|
|
expect(corsResponse.set.mock.calls).toHaveLength(1);
|
|
expect(corsResponse.set.mock.calls[0][0]).toBe("Content-Type");
|
|
expect(corsResponse.set.mock.calls[0][1]).toBe("json");
|
|
});
|
|
|
|
it("Forwards Content-Type if xml", async () => {
|
|
fetchResponseHeadersGet.mockImplementation(() => "xml");
|
|
|
|
await cors(request, corsResponse);
|
|
|
|
expect(fetchResponseHeadersGet.mock.calls).toHaveLength(1);
|
|
expect(fetchResponseHeadersGet.mock.calls[0][0]).toBe("Content-Type");
|
|
|
|
expect(corsResponse.set.mock.calls).toHaveLength(1);
|
|
expect(corsResponse.set.mock.calls[0][0]).toBe("Content-Type");
|
|
expect(corsResponse.set.mock.calls[0][1]).toBe("xml");
|
|
});
|
|
|
|
it("Sends correct data from response", async () => {
|
|
const responseData = "some data";
|
|
const encoder = new TextEncoder();
|
|
const arrayBuffer = encoder.encode(responseData).buffer;
|
|
fetchResponseArrayBuffer.mockImplementation(() => arrayBuffer);
|
|
|
|
let sentData;
|
|
corsResponse.send = vi.fn((input) => {
|
|
sentData = input;
|
|
});
|
|
|
|
await cors(request, corsResponse);
|
|
|
|
expect(fetchResponseArrayBuffer.mock.calls).toHaveLength(1);
|
|
expect(sentData).toEqual(Buffer.from(arrayBuffer));
|
|
});
|
|
|
|
it("Sends error data from response", async () => {
|
|
const error = new Error("error data");
|
|
fetchResponseArrayBuffer.mockImplementation(() => {
|
|
throw error;
|
|
});
|
|
|
|
await cors(request, corsResponse);
|
|
|
|
expect(fetchResponseArrayBuffer.mock.calls).toHaveLength(1);
|
|
expect(corsResponse.status).toHaveBeenCalledWith(500);
|
|
expect(corsResponse.json).toHaveBeenCalledWith({ error: error.message });
|
|
});
|
|
|
|
it("Fetches with user agent by default", async () => {
|
|
await cors(request, corsResponse);
|
|
|
|
expect(fetchSpy.mock.calls).toHaveLength(1);
|
|
expect(fetchSpy.mock.calls[0][1]).toHaveProperty("headers");
|
|
expect(fetchSpy.mock.calls[0][1].headers).toHaveProperty("User-Agent");
|
|
});
|
|
|
|
it("Fetches with specified headers", async () => {
|
|
const headersParam = "sendheaders=header1:value1,header2:value2";
|
|
const urlParam = "http://www.test.com/path?param1=value1";
|
|
request.url = `/cors?${headersParam}&url=${urlParam}`;
|
|
|
|
await cors(request, corsResponse);
|
|
|
|
expect(fetchSpy.mock.calls).toHaveLength(1);
|
|
expect(fetchSpy.mock.calls[0][1]).toHaveProperty("headers");
|
|
expect(fetchSpy.mock.calls[0][1].headers).toHaveProperty("header1", "value1");
|
|
expect(fetchSpy.mock.calls[0][1].headers).toHaveProperty("header2", "value2");
|
|
});
|
|
|
|
it("Sends specified headers", async () => {
|
|
fetchResponseHeadersGet.mockImplementation((input) => input.replace("header", "value"));
|
|
|
|
const expectedheaders = "expectedheaders=header1,header2";
|
|
const urlParam = "http://www.test.com/path?param1=value1";
|
|
request.url = `/cors?${expectedheaders}&url=${urlParam}`;
|
|
|
|
await cors(request, corsResponse);
|
|
|
|
expect(fetchSpy.mock.calls).toHaveLength(1);
|
|
expect(fetchSpy.mock.calls[0][1]).toHaveProperty("headers");
|
|
expect(corsResponse.set.mock.calls).toHaveLength(3);
|
|
expect(corsResponse.set.mock.calls[0][0]).toBe("Content-Type");
|
|
expect(corsResponse.set.mock.calls[1][0]).toBe("header1");
|
|
expect(corsResponse.set.mock.calls[1][1]).toBe("value1");
|
|
expect(corsResponse.set.mock.calls[2][0]).toBe("header2");
|
|
expect(corsResponse.set.mock.calls[2][1]).toBe("value2");
|
|
});
|
|
|
|
it("Gets User-Agent from configuration", () => {
|
|
const previousConfig = global.config;
|
|
global.config = {};
|
|
let userAgent;
|
|
|
|
userAgent = getUserAgent();
|
|
expect(userAgent).toContain("Mozilla/5.0 (Node.js ");
|
|
|
|
global.config.userAgent = "Mozilla/5.0 (Foo)";
|
|
userAgent = getUserAgent();
|
|
expect(userAgent).toBe("Mozilla/5.0 (Foo)");
|
|
|
|
global.config.userAgent = () => "Mozilla/5.0 (Bar)";
|
|
userAgent = getUserAgent();
|
|
expect(userAgent).toBe("Mozilla/5.0 (Bar)");
|
|
|
|
global.config = previousConfig;
|
|
});
|
|
});
|
|
|
|
describe("The cors method blocks SSRF (DNS rebinding safe)", () => {
|
|
let response;
|
|
|
|
beforeEach(() => {
|
|
response = {
|
|
set: vi.fn(),
|
|
send: vi.fn(),
|
|
status: vi.fn(function () { return this; }),
|
|
json: vi.fn()
|
|
};
|
|
});
|
|
|
|
it("Blocks localhost hostname without DNS", async () => {
|
|
await cors({ url: "/cors?url=http://localhost/path" }, response);
|
|
expect(response.status).toHaveBeenCalledWith(403);
|
|
expect(response.json).toHaveBeenCalledWith({ error: "Forbidden: private or reserved addresses are not allowed" });
|
|
});
|
|
|
|
it("Blocks non-http protocols", async () => {
|
|
await cors({ url: "/cors?url=ftp://example.com/file" }, response);
|
|
expect(response.status).toHaveBeenCalledWith(403);
|
|
});
|
|
|
|
it("Blocks invalid URLs", async () => {
|
|
await cors({ url: "/cors?url=not_a_valid_url" }, response);
|
|
expect(response.status).toHaveBeenCalledWith(403);
|
|
});
|
|
|
|
it("Blocks loopback addresses (127.0.0.1)", async () => {
|
|
vi.spyOn(dns.promises, "lookup").mockResolvedValue({ address: "127.0.0.1", family: 4 });
|
|
await cors({ url: "/cors?url=http://example.com/" }, response);
|
|
expect(response.status).toHaveBeenCalledWith(403);
|
|
});
|
|
|
|
it("Blocks RFC 1918 private addresses (192.168.x.x)", async () => {
|
|
vi.spyOn(dns.promises, "lookup").mockResolvedValue({ address: "192.168.1.1", family: 4 });
|
|
await cors({ url: "/cors?url=http://example.com/" }, response);
|
|
expect(response.status).toHaveBeenCalledWith(403);
|
|
});
|
|
|
|
it("Blocks link-local / cloud metadata addresses (169.254.169.254)", async () => {
|
|
vi.spyOn(dns.promises, "lookup").mockResolvedValue({ address: "169.254.169.254", family: 4 });
|
|
await cors({ url: "/cors?url=http://example.com/" }, response);
|
|
expect(response.status).toHaveBeenCalledWith(403);
|
|
});
|
|
|
|
it("Allows public unicast addresses", async () => {
|
|
vi.spyOn(dns.promises, "lookup").mockResolvedValue({ address: "93.184.216.34", family: 4 });
|
|
vi.spyOn(global, "fetch").mockResolvedValue({
|
|
ok: true,
|
|
headers: { get: vi.fn() },
|
|
arrayBuffer: vi.fn(() => new ArrayBuffer(0))
|
|
});
|
|
await cors({ url: "/cors?url=http://example.com/" }, response);
|
|
expect(response.status).not.toHaveBeenCalledWith(403);
|
|
});
|
|
});
|
|
|
|
describe("cors method with allowWhitelist", () => {
|
|
let response;
|
|
|
|
beforeEach(() => {
|
|
response = {
|
|
set: vi.fn(),
|
|
send: vi.fn(),
|
|
status: vi.fn(function () { return this; }),
|
|
json: vi.fn()
|
|
};
|
|
vi.spyOn(dns.promises, "lookup").mockResolvedValue({ address: "93.184.216.34", family: 4 });
|
|
vi.spyOn(global, "fetch").mockResolvedValue({
|
|
ok: true,
|
|
headers: { get: vi.fn() },
|
|
arrayBuffer: vi.fn(() => new ArrayBuffer(0))
|
|
});
|
|
});
|
|
|
|
it("Blocks domains not in whitelist", async () => {
|
|
global.config = { cors: "allowWhitelist", corsDomainWhitelist: [] };
|
|
await cors({ url: "/cors?url=http://example.com/api" }, response);
|
|
expect(response.status).toHaveBeenCalledWith(403);
|
|
});
|
|
|
|
it("Allows domains in whitelist", async () => {
|
|
global.config = { cors: "allowWhitelist", corsDomainWhitelist: ["example.com"] };
|
|
await cors({ url: "/cors?url=http://example.com/api" }, response);
|
|
expect(response.status).not.toHaveBeenCalledWith(403);
|
|
});
|
|
});
|
|
});
|