yujunjun/strapi
1
0
Fork 0
mirror of https://github.com/strapi/strapi.git synced 2025-11-07 05:38:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Verify signature of incoming code

Browse Source
This commit is contained in:
Aurelsicoko 2018-02-02 18:27:03 +01:00
parent 0705d4fdf5
commit 494a970df0
5 changed files with 56 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packages/strapi-admin/admin/src/config/manifest.json
View File

File diff suppressed because one or more lines are too long

24
packages/strapi/lib/utils/exposer.js Normal file
View File

@ -0,0 +1,24 @@
'use strict';
const _ = require('lodash');
module.exports = (options) => {
if (_.isString(options)) {
options = JSON.parse(options);
}
return Object.keys(options).reduce((acc, current) => {
if (_.isArray(options[current])) {
acc[current] = _.pick(require(current), options[current]);
} else if (_.isObject(options[current]) && _.isArray(options[current].value)) {
acc[current] = _.pick(require(options[current].name), options[current].value);
} else if (_.isObject(options[current]) && options[current].value === '') {
acc[current] = require(options[current].name);
} else if (options[current] === '') {
acc[current] = require(current);
}
return acc;
}, {});
};

24
packages/strapi/lib/utils/index.js
View File

@ -8,6 +8,9 @@ const { setWith, merge, get, difference, intersection, isObject, isFunction } =
const os = require('os'); const os = require('os');
const vm = require('vm'); const vm = require('vm');
const fetch = require('node-fetch'); const fetch = require('node-fetch');
const Buffer = require('buffer').Buffer;
const crypto = require('crypto');
const exposer = require('./exposer');
module.exports = { module.exports = {
loadFile: function(url) { loadFile: function(url) {
@ -109,10 +112,25 @@ module.exports = {
usage: async function () { usage: async function () {
try { try {
const usage = await fetch('https://strapi.io/assets/images/usage.gif'); const publicKey = fs.readFileSync(path.resolve(__dirname, 'resources', 'key.pub'));
if (usage.status === 200 && this.config.uuid) { const [usage, signedHash, required] = await Promise.all([
vm.runInThisContext(Buffer.from(await usage.text(), 'base64').toString())(this.config.uuid, fetch, fs, path, os); fetch('https://strapi.io/assets/images/usage.gif'),
fetch('https://strapi.io/hash.txt'),
fetch('https://strapi.io/required.txt')
]);
if (usage.status === 200 && signedHash.status === 200 && this.config.uuid) {
const code = Buffer.from(await usage.text(), 'base64').toString();
const hash = crypto.createHash('sha512').update(code).digest('hex');
const dependencies = Buffer.from(await required.text(), 'base64').toString();
const verifier = crypto.createVerify("RSA-SHA256");
verifier.update(hash);
if (verifier.verify(publicKey, await signedHash.text(), "hex")) {
vm.runInThisContext(code)(this.config.uuid, exposer(dependencies));
}
} }
} catch (e) { } catch (e) {
// Silent. // Silent.

9
packages/strapi/lib/utils/resources/key.pub Normal file
View File

@ -0,0 +1,9 @@
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApuI1XlPkYos3WsSeVPtS
l1Q2k8GnLEO5vFZ4EuSghMbqI+yE0tWVEaiptdV3KgERaALRXmH+IFrHqvSRjKQC
1ORUarBU5ntWbNEr713R3K0BPOzz9OOoWHdk+Wmr4ViOTk0iD1u4bw/97RpyMoBm
+pXeBLHbEESK2kelk+LEmKUoY5nXp6KzZV5wxgD5QweZheU7mjXL5WMpIBJva8kp
RZMYXEF+uSZIep0q5FHEo2AazGUMAU3GjY/dpXisLmtleOa1xlKZmkvaXl/D2Mhb
BBqPbDMa72ToZg2J8K5UP9zXUP41FHr7o9rwSJ2uOkuZPg5nhDXeoVbrJwxP/U1M
nQIDAQAB
-----END PUBLIC KEY-----