Verify signature of incoming code

packages/strapi-mongoose/lib/utils/connectivity.js

@@ -9,7 +9,7 @@ const logger = require('strapi-utils').logger;
 
 module.exports = (scope, success, error) => {
   const Mongoose = require(path.resolve(`${scope.rootPath}/node_modules/mongoose`));
-  
+
   const { username, password } = scope.database.settings
   const connectOptions = {}
   if (username) {

packages/strapi/lib/utils/exposer.js

@@ -0,0 +1,24 @@
+'use strict';
+
+const _ = require('lodash');
+
+module.exports = (options) => {
+  if (_.isString(options)) {
+    options = JSON.parse(options);
+  }
+
+  return Object.keys(options).reduce((acc, current) => {
+    if (_.isArray(options[current])) {
+      acc[current] = _.pick(require(current), options[current]);
+    } else if (_.isObject(options[current]) && _.isArray(options[current].value)) {
+      acc[current] =  _.pick(require(options[current].name), options[current].value);
+    } else if (_.isObject(options[current]) && options[current].value === '') {
+      acc[current] = require(options[current].name);
+    } else if (options[current] === '') {
+      acc[current] = require(current);
+    }
+
+    return acc;
+  }, {});
+
+};

packages/strapi/lib/utils/index.js

@@ -8,6 +8,9 @@ const { setWith, merge, get, difference, intersection, isObject, isFunction } =
 const os = require('os');
 const vm = require('vm');
 const fetch = require('node-fetch');
+const Buffer = require('buffer').Buffer;
+const crypto = require('crypto');
+const exposer = require('./exposer');
 
 module.exports = {
   loadFile: function(url) {
@@ -109,10 +112,25 @@ module.exports = {
 
   usage: async function () {
     try {
-      const usage = await fetch('https://strapi.io/assets/images/usage.gif');
+      const publicKey = fs.readFileSync(path.resolve(__dirname, 'resources', 'key.pub'));
 
-      if (usage.status === 200 && this.config.uuid) {
-        vm.runInThisContext(Buffer.from(await usage.text(), 'base64').toString())(this.config.uuid, fetch, fs, path, os);
+      const [usage, signedHash, required] = await Promise.all([
+        fetch('https://strapi.io/assets/images/usage.gif'),
+        fetch('https://strapi.io/hash.txt'),
+        fetch('https://strapi.io/required.txt')
+      ]);
+
+      if (usage.status === 200 && signedHash.status === 200 && this.config.uuid) {
+        const code = Buffer.from(await usage.text(), 'base64').toString();
+        const hash = crypto.createHash('sha512').update(code).digest('hex');
+        const dependencies = Buffer.from(await required.text(), 'base64').toString();
+
+        const verifier = crypto.createVerify("RSA-SHA256");
+        verifier.update(hash);
+
+        if (verifier.verify(publicKey, await signedHash.text(), "hex")) {
+          vm.runInThisContext(code)(this.config.uuid, exposer(dependencies));
+        }
       }
     } catch (e) {
       // Silent.

packages/strapi/lib/utils/resources/key.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApuI1XlPkYos3WsSeVPtS
+l1Q2k8GnLEO5vFZ4EuSghMbqI+yE0tWVEaiptdV3KgERaALRXmH+IFrHqvSRjKQC
+1ORUarBU5ntWbNEr713R3K0BPOzz9OOoWHdk+Wmr4ViOTk0iD1u4bw/97RpyMoBm
++pXeBLHbEESK2kelk+LEmKUoY5nXp6KzZV5wxgD5QweZheU7mjXL5WMpIBJva8kp
+RZMYXEF+uSZIep0q5FHEo2AazGUMAU3GjY/dpXisLmtleOa1xlKZmkvaXl/D2Mhb
+BBqPbDMa72ToZg2J8K5UP9zXUP41FHr7o9rwSJ2uOkuZPg5nhDXeoVbrJwxP/U1M
+nQIDAQAB
+-----END PUBLIC KEY-----