From 6cfae01a0d3727c517afe512fc8fec1d99acf875 Mon Sep 17 00:00:00 2001
From: Louis Lam
Date: Fri, 20 Dec 2024 15:02:22 +0800
Subject: [PATCH] Merge commit from fork
* [V1 Only] Change dev server's data path to ./data/v1
* Fix GHSA-2qgm-m29m-cj2h
---
 package-lock.json | 4 ++--
 package.json | 2 +-
 server/monitor-types/real-browser-monitor-type.js | 8 ++++++++
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 0803208a..52910f05 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "uptime-kuma",
- "version": "1.23.14",
+ "version": "1.23.15",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "uptime-kuma",
- "version": "1.23.14",
+ "version": "1.23.15",
 "license": "MIT",
 "dependencies": {
 "@grpc/grpc-js": "~1.8.22",
diff --git a/package.json b/package.json
index 96f0c9b6..7045175f 100644
--- a/package.json
+++ b/package.json
@@ -24,7 +24,7 @@
 "start-frontend-devcontainer": "cross-env NODE_ENV=development DEVCONTAINER=1 vite --host --config ./config/vite.config.js",
 "start": "npm run start-server",
 "start-server": "node server/server.js",
- "start-server-dev": "cross-env NODE_ENV=development node server/server.js",
+ "start-server-dev": "cross-env NODE_ENV=development node server/server.js --data-dir=./data/v1/",
 "build": "vite build --config ./config/vite.config.js",
 "test": "node test/prepare-test-server.js && npm run jest-backend",
 "test-with-build": "npm run build && npm test",
diff --git a/server/monitor-types/real-browser-monitor-type.js b/server/monitor-types/real-browser-monitor-type.js
index ae814fa2..eee1399f 100644
--- a/server/monitor-types/real-browser-monitor-type.js
+++ b/server/monitor-types/real-browser-monitor-type.js
@@ -193,6 +193,14 @@ class RealBrowserMonitorType extends MonitorType {
 const context = await browser.newContext();
 const page = await context.newPage();
+ // Prevent Local File Inclusion
+ // Accept only http:// and https://
+ // https://github.com/louislam/uptime-kuma/security/advisories/GHSA-2qgm-m29m-cj2h
+ let url = new URL(monitor.url);
+ if (url.protocol !== "http:" && url.protocol !== "https:") {
+ throw new Error("Invalid url protocol, only http and https are allowed.");
+ }
+
 const res = await page.goto(monitor.url, {
 waitUntil: "networkidle",
 timeout: monitor.interval * 1000 * 0.8,