jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

shell: exec encoding is utf8 by default and no shell

Browse Source 
explicitly mark calls that require the shell
This commit is contained in:
Girish Ramakrishnan
2024-02-21 17:16:33 +01:00
parent 23cac99fe9
commit 14c9260ab0
14 changed files with 54 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/reverseproxy.js
View File

@@ -75,7 +75,7 @@ function nginxLocation(s) {
async function getCertificateDates(cert) {
assert.strictEqual(typeof cert, 'string');
const [error, result] = await safe(shell.promises.exec('getCertificateDates', 'openssl x509 -startdate -enddate -subject -noout', { input: cert, encoding: 'utf8' }));
const [error, result] = await safe(shell.promises.exec('getCertificateDates', 'openssl x509 -startdate -enddate -subject -noout', { input: cert }));
if (error) return { startDate: null, endDate: null } ; // some error
const lines = result.trim().split('\n');
@@ -103,7 +103,7 @@ async function isOcspEnabled(certFilePath) {
// We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
// however, we cannot set the must-staple because first request to nginx fails because of it's OCSP caching behavior
const [error, result] = await safe(shell.promises.exec('isOscpEnabled', `openssl x509 -in ${certFilePath} -noout -ocsp_uri`, { encoding: 'utf8' }));
const [error, result] = await safe(shell.promises.exec('isOscpEnabled', `openssl x509 -in ${certFilePath} -noout -ocsp_uri`, {}));
return !error && result.length > 0; // no error and has uri
}
@@ -112,7 +112,7 @@ async function providerMatches(domainObject, cert) {
assert.strictEqual(typeof domainObject, 'object');
assert.strictEqual(typeof cert, 'string');
const [error, subjectAndIssuer] = await safe(shell.promises.exec('providerMatches', 'openssl x509 -noout -subject -issuer', { encoding: 'utf8', input: cert }));
const [error, subjectAndIssuer] = await safe(shell.promises.exec('providerMatches', 'openssl x509 -noout -subject -issuer', { input: cert }));
if (error) return false; // something bad happenned
const subject = subjectAndIssuer.match(/^subject=(.*)$/m)[1];
@@ -153,21 +153,21 @@ async function validateCertificate(subdomain, domain, certificate) {
// -checkhost checks for SAN or CN exclusively. SAN takes precedence and if present, ignores the CN.
const fqdn = dns.fqdn(subdomain, domain);
const [checkHostError, checkHostOutput] = await safe(shell.promises.exec('validateCertificate', `openssl x509 -noout -checkhost "${fqdn}"`, { encoding: 'utf8', input: cert }));
const [checkHostError, checkHostOutput] = await safe(shell.promises.exec('validateCertificate', `openssl x509 -noout -checkhost "${fqdn}"`, { input: cert }));
console.log(checkHostError, checkHostOutput);
if (checkHostError) throw new BoxError(BoxError.BAD_FIELD, 'Could not validate certificate');
if (checkHostOutput.indexOf('does match certificate') === -1) throw new BoxError(BoxError.BAD_FIELD, `Certificate is not valid for this domain. Expecting ${fqdn}`);
// check if public key in the cert and private key matches. pkey below works for RSA and ECDSA keys
const [pubKeyError1, pubKeyFromCert] = await safe(shell.promises.exec('validateCertificate', 'openssl x509 -noout -pubkey', { encoding: 'utf8', input: cert }));
const [pubKeyError1, pubKeyFromCert] = await safe(shell.promises.exec('validateCertificate', 'openssl x509 -noout -pubkey', { input: cert }));
if (pubKeyError1) throw new BoxError(BoxError.BAD_FIELD, 'Could not get public key from cert');
const [pubKeyError2, pubKeyFromKey] = await safe(shell.promises.exec('validateCertificate', 'openssl pkey -pubout', { encoding: 'utf8', input: key }));
const [pubKeyError2, pubKeyFromKey] = await safe(shell.promises.exec('validateCertificate', 'openssl pkey -pubout', { input: key }));
if (pubKeyError2) throw new BoxError(BoxError.BAD_FIELD, 'Could not get public key from private key');
if (pubKeyFromCert !== pubKeyFromKey) throw new BoxError(BoxError.BAD_FIELD, 'Public key does not match the certificate.');
// check expiration
const [error] = await safe(shell.promises.exec('validateCertificate', 'openssl x509 -checkend 0', { encoding: 'utf8', input: cert }));
const [error] = await safe(shell.promises.exec('validateCertificate', 'openssl x509 -checkend 0', { input: cert }));
if (error) throw new BoxError(BoxError.BAD_FIELD, 'Certificate has expired');
return null;