From d137107ac908526d43966607149fbaf00cfcedf0 Mon Sep 17 00:00:00 2001 From: Jesse Chan Date: Sat, 22 Aug 2020 23:18:40 +0800 Subject: [PATCH] config: deal with "secret" security hazard If you provide a default, people WILL use it. It is a security hazard if people use the default private psk to sign auth messages. Flood usuaully has privileges to files. A potential intruder may download files inside Flood and that will lead to arbitrary remote code execution, not to mention rTorrent's rich and powerful script interface. This change makes sure there is NO default and build shall NOT pass before user provides a secret. Bug: Flood-UI/flood#589 --- .github/workflows/build.yml | 2 ++ .github/workflows/check-compiled-i18n.yml | 2 ++ .github/workflows/check-source-formatting.yml | 2 ++ .github/workflows/check-types.yml | 2 ++ .github/workflows/lint.yml | 2 ++ config.docker.js | 3 ++- config.template.js | 8 +++++--- 7 files changed, 17 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 318fcaff..4fb01ee6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,3 +25,5 @@ jobs: - run: cp config.template.js config.js - run: npm install - run: npm run build + env: + FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }} diff --git a/.github/workflows/check-compiled-i18n.yml b/.github/workflows/check-compiled-i18n.yml index 1d5cbf19..bb9fa7ef 100644 --- a/.github/workflows/check-compiled-i18n.yml +++ b/.github/workflows/check-compiled-i18n.yml @@ -25,3 +25,5 @@ jobs: - run: cp config.template.js config.js - run: npm install - run: npm run check-compiled-i18n + env: + FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }} diff --git a/.github/workflows/check-source-formatting.yml b/.github/workflows/check-source-formatting.yml index abbc538d..15a1c879 100644 --- a/.github/workflows/check-source-formatting.yml +++ b/.github/workflows/check-source-formatting.yml @@ -25,3 +25,5 @@ jobs: - run: cp config.template.js config.js - run: npm install - run: npm run check-source-formatting + env: + FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }} diff --git a/.github/workflows/check-types.yml b/.github/workflows/check-types.yml index 5517adee..faf851d3 100644 --- a/.github/workflows/check-types.yml +++ b/.github/workflows/check-types.yml @@ -25,3 +25,5 @@ jobs: - run: cp config.template.js config.js - run: npm install - run: npm run check-types + env: + FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index cd6b7655..e25dfc6b 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -25,3 +25,5 @@ jobs: - run: cp config.template.js config.js - run: npm install - run: npm run lint + env: + FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }} diff --git a/config.docker.js b/config.docker.js index 94bde3aa..251b375e 100644 --- a/config.docker.js +++ b/config.docker.js @@ -5,7 +5,8 @@ const CONFIG = { floodServerPort: 3000, maxHistoryStates: 30, pollInterval: 1000 * 5, - secret: process.env.FLOOD_SECRET || 'flood', + // eslint-disable-next-line no-undef + secret: process.env.FLOOD_SECRET || CHANGE_ME, scgi: { host: process.env.RTORRENT_SCGI_HOST || 'localhost', port: process.env.RTORRENT_SCGI_PORT || 5000, diff --git a/config.template.js b/config.template.js index c3b9a0d4..deb5a408 100644 --- a/config.template.js +++ b/config.template.js @@ -51,9 +51,11 @@ const CONFIG = { maxHistoryStates: 30, // How often (in milliseconds) Flood will request the torrent list from. torrentClientPollInterval: 1000 * 2, - // A unique secret for signing messages with JWT (see https://jwt.io). Change - // this to something unique and hard to guess. - secret: 'flood', + // A unique secret for signing messages with JWT (see https://jwt.io). + // Change this to something unique and hard to guess. + // You can use 'uuidgen' or 'cat /proc/sys/kernel/random/uuid' or 'uuidgenerator.net'. + // eslint-disable-next-line no-undef + secret: process.env.FLOOD_SECRET || CHANGE_ME, // Configuration for SSL, if using SSL with the Flood service directly. ssl: false, sslKey: '/absolute/path/to/key/',