Merge branch 'develop' into stable

HashBrownCMS · Jan 8, 2020 · b470452 · b470452
2 parents f9447f4 + d92456c
commit b470452
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 13 deletions.
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -8,7 +8,7 @@ services:
         image: node
         container_name: "hashbrown-cms--node"
         ports:
-            - "${NODE_PORT}:${NODE_PORT}"
+            - "${NODE_PORT:-8080}:${NODE_PORT:-8080}"
         depends_on:
             - mongodb
         networks:
@@ -17,7 +17,7 @@ services:
         command: "node /opt/hashbrown-cms/hashbrown.js"
         environment:
             - MONGODB_HOST=mongodb
-            - PORT=${NODE_PORT}
+            - NODE_PORT=${NODE_PORT:-8080}
         volumes:
             - "../:/opt/hashbrown-cms"
             - "./remote:/remote"

diff --git a/src/Server/Entity/Resource/Connection.js b/src/Server/Entity/Resource/Connection.js
@@ -50,7 +50,18 @@ class Connection extends require('Common/Entity/Resource/Connection') {
 
         return params;
     }
-
+
+    /**
+     * Cleans up a string, for preventing exploits
+     *
+     * @param {String} string
+     *
+     * @return {String} Cleaned string
+     */
+    cleanUpString(string) {
+        return Path.basename(decodeURIComponent(string));
+    }
+
     /**
      *  Unpublishes content
      *
@@ -113,6 +124,9 @@ class Connection extends require('Common/Entity/Resource/Connection') {
         checkParam(content,  'content', HashBrown.Entity.Resource.Content);
         checkParam(language, 'language', String);
 
+        id = this.cleanUpString(id);
+        language = this.cleanUpString(language);
+
         if(!this.processor || typeof this.processor.process !== 'function') {
             throw new Error('This Connection has no processor defined');
         }
@@ -147,6 +161,9 @@ class Connection extends require('Common/Entity/Resource/Connection') {
         checkParam(id, 'id', String);
         checkParam(language, 'language', String);
 
+        id = this.cleanUpString(id);
+        language = this.cleanUpString(language);
+
         if(!this.deployer || typeof this.deployer.removeFile !== 'function') {
             throw new Error('This Connection has no deployer defined');
         }
@@ -216,8 +233,7 @@ class Connection extends require('Common/Entity/Resource/Connection') {
             throw new Error('This connection has no deployer defined');
         }
 
-        // Prevent parent dir exploit
-        id = Path.basename(decodeURIComponent(id));
+        id = this.cleanUpString(id);
 
         let files = await this.deployer.getFolder(this.deployer.getPath('media', id + '/'), 1);
 
@@ -259,10 +275,10 @@ class Connection extends require('Common/Entity/Resource/Connection') {
         checkParam(id, 'id', String);
         checkParam(name, 'name', String);
 
-        let media = await this.getMedia(id);
+        id = this.cleanUpString(id);
+        name = this.cleanUpString(name);
 
-        // Prevent parent dir exploit
-        name = Path.basename(decodeURIComponent(name));
+        let media = await this.getMedia(id);
 
         await this.deployer.renameFile(media.path, name);
 
@@ -283,8 +299,8 @@ class Connection extends require('Common/Entity/Resource/Connection') {
         checkParam(name, 'name', String);
         checkParam(base64, 'base64', String);
 
-        // Prevent parent dir exploit
-        name = Path.basename(decodeURIComponent(name));
+        id = this.cleanUpString(id);
+        name = this.cleanUpString(name);
 
         try {
             await this.removeMedia(id)
@@ -302,6 +318,8 @@ class Connection extends require('Common/Entity/Resource/Connection') {
      */
     async removeMedia(id) {
         checkParam(id, 'id', String);
+
+        id = this.cleanUpString(id);
 
         if(!this.deployer || typeof this.deployer.removeFolder !== 'function') {
             throw new Error('This Connection has no deployer defined');

diff --git a/src/Server/index.js b/src/Server/index.js
@@ -56,7 +56,7 @@ async function main() {
     await HashBrown.Service.PluginService.init(app);
 
     // Start HTTP server
-    let port = process.env.PORT || 8080;
+    let port = process.env.NODE_PORT || process.env.PORT || 8080;
     let server = HTTP.createServer(app).listen(port);
 
     debug.log('HTTP server restarted on port ' + port, 'HashBrown');

diff --git a/style/utilities.scss b/style/utilities.scss
@@ -9,6 +9,7 @@
     pointer-events: none;
 
     &::before, &::after {
+        pointer-events: none;
         position: absolute;
         display: block;
         font-family: 'FontAwesome';

diff --git a/style/widget/media.scss b/style/widget/media.scss
@@ -29,8 +29,6 @@
         min-width: 6rem;
         min-height: 6rem;
 
-        @include spinner;
-
         &.readonly {
             border-radius: var(--border-radius-small);
         }