Merged hotfix-0.9.2 into develop

Keith Irwin 2018-08-15 23:34:29 +00:00
commit e95db0eb2c
No known key found for this signature in database
GPG Key ID: 378933C743E2BBC0
9 changed files with 2729 additions and 2023 deletions


@ -6,6 +6,8 @@
* Fixed CSP rules
* Improved debugging output
* Tried to fix scrollwheel
* Fixed security audited npm packages
* Patched [CVE-2017-16117](https://github.com/dodo/node-slug/issues/82) on [node-slug](https://github.com/dodo/node-slug)
###### v0.9.0
* [#121](https://github.com/Tracman-org/Server/issues/121) Fixed various security holes


@ -6,7 +6,6 @@ node.js application to display a sharable map with user's location.
[![Travis Build Status](https://travis-ci.org/Tracman-org/Server.svg?branch=develop)](https://travis-ci.org/Tracman-org/Server)
[![Coverage Status](https://coveralls.io/repos/github/Tracman-org/Server/badge.svg?branch=master)](https://coveralls.io/github/Tracman-org/Server?branch=master)
[![JavaScript Style Guide](https://img.shields.io/badge/code_style-standard-brightgreen.svg)](https://standardjs.com)
[![Snyk Vulnerabilities](https://snyk.io/test/github/Tracman-org/Server/badge.svg)](https://snyk.io/test/github/Tracman-org/Servr)
## Installation
@ -61,12 +60,14 @@ Tracman will be updated according to [this branching model](http://nvie.com/post
* Fixed CSP rules
* Improved debugging output
* Tried to fix scrollwheel
* Fixed security audited npm packages
* [#121](https://github.com/Tracman-org/Server/issues/121) Fixed various security holes
* [#68](https://github.com/Tracman-org/Server/issues/68) Added tests, mostly for authentication
* [#120](https://github.com/Tracman-org/Server/issues/120) Split config/routes/settings.js into two files
* Removed express validator and replaced with homegrown function
* Fixed showing welcome message on every login
* Removed naked domains
* Patched [CVE-2017-16117](https://github.com/dodo/node-slug/issues/82) on [node-slug](https://github.com/dodo/node-slug)
###### v0.8.x
* Hotfixed service worker bugs


@ -5,10 +5,13 @@ const mail = require('../mail.js')
const User = require('../models.js').user
const crypto = require('crypto')
const moment = require('moment')
const slugify = require('slug')
const sanitize = require('mongo-sanitize')
const debug = require('debug')('tracman-routes-auth')
const env = require('../env/env.js')
// Trim slug to patch CVE-2017-16117
const slugify = function(s) {
return require('slug')(s.slice(0,99))
}
module.exports = (app, passport) => {
@ -317,14 +320,14 @@ module.exports = (app, passport) => {
to: mail.to(user),
subject: 'Reset your Tracman password',
text: mail.text(
`Hi, \n\nDid you request to reset your Tracman password? \
`Did you request to reset your Tracman password? \
If so, follow this link to do so:\
\n${env.url}/account/password/${token}\n\n\
This link will expire at ${expiration_time_string}. \n\n\
If you didn't initiate this request, just ignore this email. \n\n`
),
html: mail.html(
`<p>Hi, </p><p>Did you request to reset your Tracman password? \
`<p>Did you request to reset your Tracman password? \
If so, follow this link to do so:<br>\
<a href="${env.url}/account/password/${token}">\
${env.url}/account/password/${token}</a>. \
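Review bot: The slugify wrapper in the first hunk re-resolves `require('slug')` on every call and is copied verbatim into two other files in this commit (the map and settings route modules), so the CVE-2017-16117 mitigation now lives in three places that can drift apart. Hoisting the module and naming the cap keeps the intent readable: `const slug = require('slug')`, then `const MAX_SLUG_INPUT = 99 // cap input length; CVE-2017-16117 is a ReDoS in slug`, and `const slugify = (s) => slug(s.slice(0, MAX_SLUG_INPUT))`; better still is one shared helper module that all three routers require. `s.slice` throws a TypeError when `s` is undefined, and whether any caller can pass a missing form field is not visible from this hunk, so a guard or an explicit comment on the precondition would be worth adding. The password-reset template change in the second hunk is wording only.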


@ -1,9 +1,12 @@
'use strict'
const router = require('express').Router()
const slug = require('slug')
const xss = require('xss')
const User = require('../models.js').user
// Trim slug to patch CVE-2017-16117
const slug = function(s) {
return require('slug')(s.slice(0,99))
}
module.exports = router


@ -1,14 +1,16 @@
'use strict'
const slug = require('slug')
const xss = require('xss')
const mw = require('../middleware.js')
const User = require('../models.js').user
const mail = require('../mail.js')
const env = require('../env/env.js')
const sanitize = require('mongo-sanitize')
const debug = require('debug')('tracman-routes-settings')
const router = require('express').Router()
// Trim slug to patch CVE-2017-16117
const slug = function(s) {
return require('slug')(s.slice(0,99))
}
// Settings form
router.route('/')


@ -27,7 +27,7 @@ module.exports = {
init: (io) => {
io.on('connection', (socket) => {
debug(`${socket.ip} connected.`)
debug(`${socket.ip||socket.id} connected.`)
// Set a few variables
socket.ip = socket.client.request.headers['x-real-ip'];
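Review bot: `socket.ip` is still undefined when the new debug line runs, because it is only assigned on the following line from the `x-real-ip` header, so the `||socket.id` fallback always takes the id branch and the connecting address is never logged. Moving the debug call below the assignment, `debug(\`${socket.ip || socket.id} connected.\`)`, gives the fallback a purpose. The header read also deserves a comment recording its trust assumption, e.g. `// x-real-ip is set by the reverse proxy; it is spoofable if the app is reachable directly`, since anything derived from it (logs, rate limits) is only as reliable as that deployment constraint. The `connection` handler continues outside the hunk.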

4716
package-lock.json generated



@ -20,19 +20,19 @@
"minifier": "^0.8.1",
"moment": "^2.22.2",
"mongo-sanitize": "^1.0.0",
"mongoose": "^4.13.14",
"mongoose": "^4.13.15",
"mongoose-unique-validator": "^1.0.6",
"nodemailer": "^4.6.7",
"nunjucks": "^3.1.3",
"passport": "^0.3.2",
"passport-facebook": "^2.1.1",
"passport-facebook-token": "^3.3.0",
"passport-google-id-token": "^0.4.3",
"passport-google-id-token": "^0.4.5",
"passport-google-oauth20": "^1.0.0",
"passport-local": "^1.0.0",
"passport-twitter": "^1.0.4",
"passport-twitter-token": "^1.3.0",
"request": "^2.87.0",
"request": "^2.88.0",
"slug": "^0.9.1",
"socket.io": "^2.1.1",
"socket.io-client": "^2.1.1",
@ -50,7 +50,7 @@
"less": "^3.0.1",
"less-plugin-clean-css": "^1.5.1",
"mocha": "^4.0.1",
"mocha-froth": "^0.2.1",
"mocha-froth": "^0.2.10",
"nodemon": "^1.18.3",
"nsp": "^3.2.1",
"standard": "^10.0.3",


@ -93,6 +93,7 @@ let ready_promise_list = []
'https://maxcdn.bootstrapcdn.com/font-awesome/4.5.0/fonts/fontawesome-webfont.woff2',
],
'img-src': ["'self'",
'data:', // For icons on map
'https://www.google-analytics.com',
'https://maps.gstatic.com',
'https://*.googleapis.com',
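Review bot: The `'data:'` entry added to `img-src` is a broad allowance compared with the host-scoped entries around it: any inline image, including one carried in injected markup, will now load. For `img-src` this is commonly accepted because images cannot execute script, but the inline comment should say what depends on it so the entry can be revisited, e.g. `'data:', // presumably the map's icons are inlined as data URIs; drop if that stops being the case`. The CSP object continues outside the hunk.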