From 103f53c8d2963584e41bcf46ccc6fe0fabf179ca Mon Sep 17 00:00:00 2001
From: Jesse Chan
Date: Sun, 23 Aug 2020 12:52:10 +0800
Subject: [PATCH] security: ensures that server secret is not served to user

This will also prohibit some weak secrets like "123456" and former default "flood".
---
 server/bin/enforce-prerequisites.js | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/server/bin/enforce-prerequisites.js b/server/bin/enforce-prerequisites.js
index 6d5bed4d5..2a9c2f9a1 100644
--- a/server/bin/enforce-prerequisites.js
+++ b/server/bin/enforce-prerequisites.js
@@ -1,6 +1,9 @@
 const fs = require('fs');
+const glob = require('glob');
 const path = require('path');
+const {secret} = require('../../config');
+
 const staticAssets = [path.join(__dirname, '../assets/index.html')];
 const configFiles = [path.join(__dirname, '../../config.js')];
@@ -17,6 +20,20 @@ const doFilesExist = (files) => {
 }
 };
+const grepRecursive = (folder, match) => {
+ return glob.sync(folder.concat('/**/*')).some((file) => {
+ try {
+ if (!fs.lstatSync(file).isDirectory()) {
+ return fs.readFileSync(file, {encoding: 'utf8'}).includes(match);
+ }
+ return false;
+ } catch (error) {
+ console.error(`Error reading file: ${file}\n${error}`);
+ return false;
+ }
+ });
+};
+
 const enforcePrerequisites = () =>
 new Promise((resolve, reject) => {
 if (!doFilesExist(configFiles)) {
@@ -33,6 +50,12 @@ const enforcePrerequisites = () =>
 return;
 }
+ // Ensures that server secret is not served to user
+ if (grepRecursive(path.join(__dirname, '../assets'), secret)) {
+ reject(new Error(`Secret is included in static assets. Please ensure that secret is unique.`));
+ return;
+ }
+
 return resolve();
 });
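Review bot: The top-level `const {secret} = require('../../config');` loads config.js at module load, before enforcePrerequisites runs its `doFilesExist(configFiles)` guard, and configFiles lists that same file; so a missing or throwing config.js now surfaces as a raw require error and whatever that guard does for a missing file (its body is outside the hunk) never runs. Move the load into the promise after that guard, e.g. `const {secret} = require('../../config');` as the first statement following the `doFilesExist(configFiles)` check, keeping only `fs`, `glob` and `path` at the top. Whether `glob` is already declared in package.json cannot be seen from this diff and should be confirmed.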
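Review bot: `glob.sync(folder.concat('/**/*'))` builds its pattern from a `path.join` result, and node-glob's documentation states that patterns must use forward slashes with backslashes read as escape characters, so on Windows the scan would likely match nothing and the secret check would pass vacuously without logging anything. Passing the folder as `cwd` with a plain `'**/*'` pattern avoids that, `nodir: true` removes the lstat branch (lstat does not follow symlinks, so a link to a directory currently ends up in readFileSync's error path), and `dot: true` covers dotfiles that the default pattern skips. The catch still logs and returns false, so an unreadable asset is treated as not containing the secret; decide whether this check should fail closed instead. The glob behaviour described here is inferred from its documentation, not from this diff.
```javascript
const grepRecursive = (folder, match) => {
  // node-glob patterns are forward-slash only; anchor at folder via cwd instead of joining paths
  return glob.sync('**/*', {cwd: folder, nodir: true, dot: true}).some((relative) => {
    const file = path.join(folder, relative);
    try {
      return fs.readFileSync(file, {encoding: 'utf8'}).includes(match);
    } catch (error) {
      // … unchanged: console.error and return false …
    }
  });
};
```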
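Review bot: The new check passes `secret` straight to `String#includes` without verifying it is a non-empty string: an unset `secret` is coerced to the text "undefined" and an empty one makes `includes('')` true for every file, so the operator either sees the misleading "Secret is included in static assets" error or, for undefined, a pass/fail that depends on whether the bundle happens to contain the word "undefined". Add a guard before the scan: `if (typeof secret !== 'string' || secret.length === 0) { reject(new Error('Config must set a non-empty string secret.')); return; }`. The substring scan is also only a heuristic for the weak-secret claim in the commit message — "123456" and "flood" are rejected presumably because they occur in the built assets, while an equally weak value absent from the bundle passes — so a minimum-length requirement next to this check would make that claim hold. enforcePrerequisites starts in the previous hunk and its handling of a missing config file lies outside this one.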