jazzymc/homarr
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix: issues found in security audit (#1668)

Browse Source
This commit is contained in:
Meier Lukas
2024-12-15 21:16:42 +01:00
committed by GitHub
parent 032509e462
commit 922101dcbd
15 changed files with 70 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
packages/api/src/router/board.ts
View File

@@ -575,11 +575,14 @@ export const boardRouter = createTRPCRouter({
);
});
}),
importOldmarrConfig: protectedProcedure.input(importJsonFileSchema).mutation(async ({ input, ctx }) => {
const content = await input.file.text();
const oldmarr = oldmarrConfigSchema.parse(JSON.parse(content));
await importOldmarrAsync(ctx.db, oldmarr, input.configuration);
}),
importOldmarrConfig: permissionRequiredProcedure
.requiresPermission("board-create")
.input(importJsonFileSchema)
.mutation(async ({ input, ctx }) => {
const content = await input.file.text();
const oldmarr = oldmarrConfigSchema.parse(JSON.parse(content));
await importOldmarrAsync(ctx.db, oldmarr, input.configuration);
}),
});
const noBoardWithSimilarNameAsync = async (db: Database, name: string, ignoredIds: string[] = []) => {

11
packages/api/src/router/invite.ts
View File

@@ -6,11 +6,12 @@ import { invites } from "@homarr/db/schema/sqlite";
import { selectInviteSchema } from "@homarr/db/validationSchemas";
import { z } from "@homarr/validation";
import { createTRPCRouter, protectedProcedure } from "../trpc";
import { createTRPCRouter, permissionRequiredProcedure } from "../trpc";
import { throwIfCredentialsDisabled } from "./invite/checks";
export const inviteRouter = createTRPCRouter({
getAll: protectedProcedure
getAll: permissionRequiredProcedure
.requiresPermission("admin")
.output(
z.array(
selectInviteSchema
@@ -40,7 +41,8 @@ export const inviteRouter = createTRPCRouter({
},
});
}),
createInvite: protectedProcedure
createInvite: permissionRequiredProcedure
.requiresPermission("admin")
.input(
z.object({
expirationDate: z.date(),
@@ -65,7 +67,8 @@ export const inviteRouter = createTRPCRouter({
token,
};
}),
deleteInvite: protectedProcedure
deleteInvite: permissionRequiredProcedure
.requiresPermission("admin")
.input(
z.object({
id: z.string(),

7
packages/api/src/router/serverSettings.ts
View File

@@ -3,17 +3,18 @@ import type { ServerSettings } from "@homarr/server-settings";
import { defaultServerSettingsKeys } from "@homarr/server-settings";
import { validation, z } from "@homarr/validation";
import { createTRPCRouter, onboardingProcedure, protectedProcedure, publicProcedure } from "../trpc";
import { createTRPCRouter, onboardingProcedure, permissionRequiredProcedure, publicProcedure } from "../trpc";
import { nextOnboardingStepAsync } from "./onboard/onboard-queries";
export const serverSettingsRouter = createTRPCRouter({
getCulture: publicProcedure.query(async ({ ctx }) => {
return await getServerSettingByKeyAsync(ctx.db, "culture");
}),
getAll: protectedProcedure.query(async ({ ctx }) => {
getAll: permissionRequiredProcedure.requiresPermission("admin").query(async ({ ctx }) => {
return await getServerSettingsAsync(ctx.db);
}),
saveSettings: protectedProcedure
saveSettings: permissionRequiredProcedure
.requiresPermission("admin")
.input(
z.object({
settingsKey: z.enum(defaultServerSettingsKeys),

2
packages/api/src/router/test/invite.spec.ts
View File

@@ -11,7 +11,7 @@ import { inviteRouter } from "../invite";
const defaultSession = {
user: {
id: createId(),
permissions: [],
permissions: ["admin"],
colorScheme: "light",
},
expires: new Date().toISOString(),

2
packages/api/src/router/test/serverSettings.spec.ts
View File

@@ -15,7 +15,7 @@ vi.mock("@homarr/auth", () => ({ auth: () => ({}) as Session }));
const defaultSession = {
user: {
id: createId(),
permissions: [],
permissions: ["admin"],
colorScheme: "light",
},
expires: new Date().toISOString(),

4
packages/api/src/router/update-checker.ts
View File

@@ -1,9 +1,9 @@
import { updateCheckerRequestHandler } from "@homarr/request-handler/update-checker";
import { createTRPCRouter, protectedProcedure } from "../trpc";
import { createTRPCRouter, permissionRequiredProcedure } from "../trpc";
export const updateCheckerRouter = createTRPCRouter({
getAvailableUpdates: protectedProcedure.query(async () => {
getAvailableUpdates: permissionRequiredProcedure.requiresPermission("admin").query(async () => {
const handler = updateCheckerRequestHandler.handler({});
const data = await handler.getCachedOrUpdatedDataAsync({});
return data.data.availableUpdates;

6
packages/api/src/router/widgets/dns-hole.ts
View File

@@ -10,7 +10,7 @@ import { controlsInputSchema } from "@homarr/integrations/types";
import { dnsHoleRequestHandler } from "@homarr/request-handler/dns-hole";
import { createManyIntegrationMiddleware, createOneIntegrationMiddleware } from "../../middlewares/integration";
import { createTRPCRouter, publicProcedure } from "../../trpc";
import { createTRPCRouter, protectedProcedure, publicProcedure } from "../../trpc";
export const dnsHoleRouter = createTRPCRouter({
summary: publicProcedure
@@ -62,7 +62,7 @@ export const dnsHoleRouter = createTRPCRouter({
});
}),
enable: publicProcedure
enable: protectedProcedure
.unstable_concat(createOneIntegrationMiddleware("interact", ...getIntegrationKindsByCategory("dnsHole")))
.mutation(async ({ ctx: { integration } }) => {
const client = integrationCreator(integration);
@@ -75,7 +75,7 @@ export const dnsHoleRouter = createTRPCRouter({
});
}),
disable: publicProcedure
disable: protectedProcedure
.input(controlsInputSchema)
.unstable_concat(createOneIntegrationMiddleware("interact", ...getIntegrationKindsByCategory("dnsHole")))
.mutation(async ({ ctx: { integration }, input }) => {

4
packages/api/src/router/widgets/indexer-manager.ts
View File

@@ -9,7 +9,7 @@ import { indexerManagerRequestHandler } from "@homarr/request-handler/indexer-ma
import type { IntegrationAction } from "../../middlewares/integration";
import { createManyIntegrationMiddleware } from "../../middlewares/integration";
import { createTRPCRouter, publicProcedure } from "../../trpc";
import { createTRPCRouter, protectedProcedure, publicProcedure } from "../../trpc";
const createIndexerManagerIntegrationMiddleware = (action: IntegrationAction) =>
createManyIntegrationMiddleware(action, ...getIntegrationKindsByCategory("indexerManager"));
@@ -54,7 +54,7 @@ export const indexerManagerRouter = createTRPCRouter({
};
});
}),
testAllIndexers: publicProcedure
testAllIndexers: protectedProcedure
.unstable_concat(createIndexerManagerIntegrationMiddleware("interact"))
.mutation(async ({ ctx }) => {
await Promise.all(

4
packages/api/src/router/widgets/notebook.ts
View File

@@ -5,10 +5,10 @@ import { eq } from "@homarr/db";
import { items } from "@homarr/db/schema/sqlite";
import { z } from "@homarr/validation";
import { createTRPCRouter, publicProcedure } from "../../trpc";
import { createTRPCRouter, protectedProcedure } from "../../trpc";
export const notebookRouter = createTRPCRouter({
updateContent: publicProcedure
updateContent: protectedProcedure
.input(
z.object({
itemId: z.string(),

6
packages/api/src/router/widgets/smart-home.ts
View File

@@ -7,7 +7,7 @@ import { z } from "@homarr/validation";
import type { IntegrationAction } from "../../middlewares/integration";
import { createOneIntegrationMiddleware } from "../../middlewares/integration";
import { createTRPCRouter, publicProcedure } from "../../trpc";
import { createTRPCRouter, protectedProcedure, publicProcedure } from "../../trpc";
const createSmartHomeIntegrationMiddleware = (action: IntegrationAction) =>
createOneIntegrationMiddleware(action, ...getIntegrationKindsByCategory("smartHomeServer"));
@@ -41,7 +41,7 @@ export const smartHomeRouter = createTRPCRouter({
};
});
}),
switchEntity: publicProcedure
switchEntity: protectedProcedure
.unstable_concat(createSmartHomeIntegrationMiddleware("interact"))
.input(z.object({ entityId: z.string() }))
.mutation(async ({ ctx: { integration }, input }) => {
@@ -53,7 +53,7 @@ export const smartHomeRouter = createTRPCRouter({
return success;
}),
executeAutomation: publicProcedure
executeAutomation: protectedProcedure
.unstable_concat(createSmartHomeIntegrationMiddleware("interact"))
.input(z.object({ automationId: z.string() }))
.mutation(async ({ ctx: { integration }, input }) => {