Prevent users from specifying an unexpected executable as Chromium (#3348)

This commit is contained in:
Louis Lam 2023-07-08 15:52:09 +08:00 committed by GitHub
parent 19873e5b9e
commit 3b9c95a8a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -7,9 +7,60 @@ const childProcess = require("child_process");
const path = require("path"); const path = require("path");
const Database = require("../database"); const Database = require("../database");
const jwt = require("jsonwebtoken"); const jwt = require("jsonwebtoken");
const config = require("../config");
let browser = null; let browser = null;
let allowedList = [];
let lastAutoDetectChromeExecutable = null;
if (process.platform === "win32") {
allowedList.push(process.env.LOCALAPPDATA + "\\Google\\Chrome\\Application\\chrome.exe");
allowedList.push(process.env.PROGRAMFILES + "\\Google\\Chrome\\Application\\chrome.exe");
allowedList.push(process.env["ProgramFiles(x86)"] + "\\Google\\Chrome\\Application\\chrome.exe");
// Allow Chromium too
allowedList.push(process.env.LOCALAPPDATA + "\\Chromium\\Application\\chrome.exe");
allowedList.push(process.env.PROGRAMFILES + "\\Chromium\\Application\\chrome.exe");
allowedList.push(process.env["ProgramFiles(x86)"] + "\\Chromium\\Application\\chrome.exe");
// For Loop A to Z
for (let i = 65; i <= 90; i++) {
let drive = String.fromCharCode(i);
allowedList.push(drive + ":\\Program Files\\Google\\Chrome\\Application\\chrome.exe");
allowedList.push(drive + ":\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe");
}
} else if (process.platform === "linux") {
allowedList = [
"chromium",
"chromium-browser",
"google-chrome",
"/usr/bin/chromium",
"/usr/bin/chromium-browser",
"/usr/bin/google-chrome",
];
} else if (process.platform === "darwin") {
// TODO: Generated by GitHub Copilot, but not sure if it's correct
allowedList = [
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
"/Applications/Chromium.app/Contents/MacOS/Chromium",
];
}
log.debug("chrome", allowedList);
async function isAllowedChromeExecutable(executablePath) {
console.log(config.args);
if (config.args["allow-all-chrome-exec"] || process.env.UPTIME_KUMA_ALLOW_ALL_CHROME_EXEC === "1") {
return true;
}
// Check if the executablePath is in the list of allowed executables
return allowedList.includes(executablePath);
}
async function getBrowser() { async function getBrowser() {
if (!browser) { if (!browser) {
let executablePath = await Settings.get("chromeExecutable"); let executablePath = await Settings.get("chromeExecutable");
@ -27,6 +78,7 @@ async function getBrowser() {
async function prepareChromeExecutable(executablePath) { async function prepareChromeExecutable(executablePath) {
// Special code for using the playwright_chromium // Special code for using the playwright_chromium
if (typeof executablePath === "string" && executablePath.toLocaleLowerCase() === "#playwright_chromium") { if (typeof executablePath === "string" && executablePath.toLocaleLowerCase() === "#playwright_chromium") {
// Set to undefined = use playwright_chromium
executablePath = undefined; executablePath = undefined;
} else if (!executablePath) { } else if (!executablePath) {
if (process.env.UPTIME_KUMA_IS_CONTAINER) { if (process.env.UPTIME_KUMA_IS_CONTAINER) {
@ -56,30 +108,30 @@ async function prepareChromeExecutable(executablePath) {
}); });
} }
} else if (process.platform === "win32") { } else {
executablePath = findChrome([ executablePath = findChrome(allowedList);
"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", }
"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", } else {
"D:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", // User specified a path
"D:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", // Check if the executablePath is in the list of allowed
"E:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", if (!await isAllowedChromeExecutable(executablePath)) {
"E:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", throw new Error("This Chromium executable path is not allowed by default. If you are sure this is safe, please add an environment variable UPTIME_KUMA_ALLOW_ALL_CHROME_EXEC=1 to allow it.");
]);
} else if (process.platform === "linux") {
executablePath = findChrome([
"chromium-browser",
"chromium",
"google-chrome",
]);
} }
// TODO: Mac??
} }
return executablePath; return executablePath;
} }
function findChrome(executables) { function findChrome(executables) {
// Use the last working executable, so we don't have to search for it again
if (lastAutoDetectChromeExecutable) {
if (commandExistsSync(lastAutoDetectChromeExecutable)) {
return lastAutoDetectChromeExecutable;
}
}
for (let executable of executables) { for (let executable of executables) {
if (commandExistsSync(executable)) { if (commandExistsSync(executable)) {
lastAutoDetectChromeExecutable = executable;
return executable; return executable;
} }
} }