mirror of
https://github.com/karl0ss/homepage.git
synced 2025-04-29 12:03:41 +01:00
Security: Sanitize widget api keys from response
Closes https://github.com/gethomepage/homepage/security/advisories/GHSA-cjgf-vhj6-8cx4
This commit is contained in:
parent
36e77e1fe3
commit
f0d7cf3ce6
@ -1,9 +1,11 @@
|
||||
import cachedFetch from "utils/proxy/cached-fetch";
|
||||
import { getSettings } from "utils/config/config";
|
||||
import { getPrivateWidgetOptions } from "utils/config/widget-helpers";
|
||||
|
||||
export default async function handler(req, res) {
|
||||
const { latitude, longitude, units, provider, cache, lang } = req.query;
|
||||
let { apiKey } = req.query;
|
||||
const { latitude, longitude, units, provider, cache, lang, index } = req.query;
|
||||
const privateWidgetOptions = await getPrivateWidgetOptions("openweathermap", index);
|
||||
let { apiKey } = privateWidgetOptions;
|
||||
|
||||
if (!apiKey && !provider) {
|
||||
return res.status(400).json({ error: "Missing API key or provider" });
|
||||
|
@ -1,9 +1,11 @@
|
||||
import cachedFetch from "utils/proxy/cached-fetch";
|
||||
import { getSettings } from "utils/config/config";
|
||||
import { getPrivateWidgetOptions } from "utils/config/widget-helpers";
|
||||
|
||||
export default async function handler(req, res) {
|
||||
const { latitude, longitude, provider, cache, lang } = req.query;
|
||||
let { apiKey } = req.query;
|
||||
const { latitude, longitude, provider, cache, lang, index } = req.query;
|
||||
const privateWidgetOptions = await getPrivateWidgetOptions("weatherapi", index);
|
||||
let { apiKey } = privateWidgetOptions;
|
||||
|
||||
if (!apiKey && !provider) {
|
||||
return res.status(400).json({ error: "Missing API key or provider" });
|
||||
|
@ -32,7 +32,7 @@ export async function cleanWidgetGroups(widgets) {
|
||||
const optionKeys = Object.keys(sanitizedOptions);
|
||||
|
||||
// delete private options from the sanitized options
|
||||
["username", "password", "key"].forEach((pO) => {
|
||||
["username", "password", "key", "apiKey"].forEach((pO) => {
|
||||
if (optionKeys.includes(pO)) {
|
||||
delete sanitizedOptions[pO];
|
||||
}
|
||||
@ -57,7 +57,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
|
||||
const widgets = await widgetsFromConfig();
|
||||
|
||||
const privateOptions = widgets.map((widget) => {
|
||||
const { index, url, username, password, key } = widget.options;
|
||||
const { index, url, username, password, key, apiKey } = widget.options;
|
||||
|
||||
return {
|
||||
type: widget.type,
|
||||
@ -67,6 +67,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
|
||||
username,
|
||||
password,
|
||||
key,
|
||||
apiKey,
|
||||
},
|
||||
};
|
||||
});
|
||||
|
Loading…
x
Reference in New Issue
Block a user