add protection against requesting direct service files

zefie_wtvp_minisrv/ServiceVault/http_pc/get.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (request_headers.query.url) {
     if (request_headers.query.url.indexOf(":/") > 0) {
         var service_request = request_headers.query.url.split(":/")[0];

zefie_wtvp_minisrv/ServiceVault/http_pc/index.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 Content-Type: text/html`
 

zefie_wtvp_minisrv/ServiceVault/wtv-1800/noflash.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (socket.ssid != null && !ssid_sessions[socket.ssid].get("wtvsec_login")) {
 	var wtvsec_login = new WTVSec(minisrv_config);
 	wtvsec_login.IssueChallenge();

zefie_wtvp_minisrv/ServiceVault/wtv-1800/offer-open-isp-suggest.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 var gourl = "wtv-1800:/finish-prereg?";
 if (request_headers.query.relogin) gourl += "relogin=true";
 

zefie_wtvp_minisrv/ServiceVault/wtv-1800/preregister.js

@@ -1,45 +1,47 @@
-	var gourl = "wtv-head-waiter:/login?";
+var minisrv_service_file = true;
 
-	if (socket.ssid) {
-		if (ssid_sessions[socket.ssid].loadSessionData() == true) {
-			console.log(" * Loaded session data from disk for", wtvshared.filterSSID(socket.ssid))
-			ssid_sessions[socket.ssid].setSessionData("registered", (ssid_sessions[socket.ssid].getSessionData("registered") == true) ? true : false);
-		} else {
-			ssid_sessions[socket.ssid].session_data = {};
-			ssid_sessions[socket.ssid].setSessionData("registered", false);
-		}
-		if (ssid_sessions[socket.ssid].data_store) {
-			if (ssid_sessions[socket.ssid].data_store.sockets) {
-				var i = 0;
-				ssid_sessions[socket.ssid].data_store.sockets.forEach(function (k) {
-					if (typeof k != "undefined") {
-						if (k != socket) {
-							k.destroy();
-							ssid_sessions[socket.ssid].data_store.sockets.delete(k);
-							i++;
-						}
-					}
-				});
-				if (i > 0 && minisrv_config.config.debug_flags.debug) console.log(" # Closed", i, "previous sockets for", wtvshared.filterSSID(socket.ssid));
-			}
-		}
-		if (ssid_sessions[socket.ssid].data_store.wtvsec_login) {
-			if (minisrv_config.config.debug_flags.debug) console.log(" # Recreating primary WTVSec login instance for", wtvshared.filterSSID(socket.ssid));
-			delete ssid_sessions[socket.ssid].data_store.wtvsec_login;
-		}
+var gourl = "wtv-head-waiter:/login?";
 
-		ssid_sessions[socket.ssid].data_store.wtvsec_login = new WTVSec(minisrv_config);
-		ssid_sessions[socket.ssid].data_store.wtvsec_login.IssueChallenge();
-		ssid_sessions[socket.ssid].data_store.wtvsec_login.set_incarnation(request_headers["wtv-incarnation"] || 1);
+if (socket.ssid) {
+	if (ssid_sessions[socket.ssid].loadSessionData() == true) {
+		console.log(" * Loaded session data from disk for", wtvshared.filterSSID(socket.ssid))
+		ssid_sessions[socket.ssid].setSessionData("registered", (ssid_sessions[socket.ssid].getSessionData("registered") == true) ? true : false);
 	} else {
-		console.log(" * Something bad happened (we don't know the client ssid???)");
-		var errpage = doErrorPage(400)
-		headers = errpage[0];
-		data = errpage[1];
+		ssid_sessions[socket.ssid].session_data = {};
+		ssid_sessions[socket.ssid].setSessionData("registered", false);
+	}
+	if (ssid_sessions[socket.ssid].data_store) {
+		if (ssid_sessions[socket.ssid].data_store.sockets) {
+			var i = 0;
+			ssid_sessions[socket.ssid].data_store.sockets.forEach(function (k) {
+				if (typeof k != "undefined") {
+					if (k != socket) {
+						k.destroy();
+						ssid_sessions[socket.ssid].data_store.sockets.delete(k);
+						i++;
+					}
+				}
+			});
+			if (i > 0 && minisrv_config.config.debug_flags.debug) console.log(" # Closed", i, "previous sockets for", wtvshared.filterSSID(socket.ssid));
+		}
+	}
+	if (ssid_sessions[socket.ssid].data_store.wtvsec_login) {
+		if (minisrv_config.config.debug_flags.debug) console.log(" # Recreating primary WTVSec login instance for", wtvshared.filterSSID(socket.ssid));
+		delete ssid_sessions[socket.ssid].data_store.wtvsec_login;
 	}
 
-	if (request_headers.query.relogin && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "relogin=true";
-	if (request_headers.query.reconnect && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "reconnect=true";
+	ssid_sessions[socket.ssid].data_store.wtvsec_login = new WTVSec(minisrv_config);
+	ssid_sessions[socket.ssid].data_store.wtvsec_login.IssueChallenge();
+	ssid_sessions[socket.ssid].data_store.wtvsec_login.set_incarnation(request_headers["wtv-incarnation"] || 1);
+} else {
+	console.log(" * Something bad happened (we don't know the client ssid???)");
+	var errpage = doErrorPage(400)
+	headers = errpage[0];
+	data = errpage[1];
+}
+
+if (request_headers.query.relogin && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "relogin=true";
+if (request_headers.query.reconnect && ssid_sessions[socket.ssid].getSessionData("registered")) gourl += "reconnect=true";
 
 if (ssid_sessions[socket.ssid].data_store.wtvsec_login) {
 	var prereg_contype = "text/html";

zefie_wtvp_minisrv/ServiceVault/wtv-chat/MakeChatPage.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = "200 OK";
 if (request_headers.query.nick) headers += "\n" + ssid_sessions[socket.ssid].setIRCNick(request_headers.query.nick);
 headers += "\nContent-Type: text/html";

zefie_wtvp_minisrv/ServiceVault/wtv-chat/home.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 var irc_nick = "";
 headers = "200 OK";
 if (request_headers.query.nick) headers += "\n" + ssid_sessions[socket.ssid].setIRCNick(request_headers.query.nick);

zefie_wtvp_minisrv/ServiceVault/wtv-cookie/add.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (socket.ssid) {
     if (request_headers.post_data) {
         if (ssid_sessions[socket.ssid]) {

zefie_wtvp_minisrv/ServiceVault/wtv-cookie/get.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (request_headers.post_data) {
     if (request_headers.query.domain && request_headers.query.path) {
         if (socket.ssid) {

zefie_wtvp_minisrv/ServiceVault/wtv-cookie/list.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (socket.ssid) {
     if (ssid_sessions[socket.ssid]) {
 

zefie_wtvp_minisrv/ServiceVault/wtv-cookie/reset.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (socket.ssid) {
     if (ssid_sessions[socket.ssid]) {
         ssid_sessions[socket.ssid].resetCookies();

zefie_wtvp_minisrv/ServiceVault/wtv-disk/delete-group.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (request_headers.query.group) {
     const WTVDownloadList = require("./WTVDownloadList.js");
     var wtvdl = new WTVDownloadList(minisrv_config, service_name);

zefie_wtvp_minisrv/ServiceVault/wtv-disk/sync.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 const WTVDownloadList = require("./WTVDownloadList.js");
 var wtvdl = new WTVDownloadList(minisrv_config, service_name);
 

zefie_wtvp_minisrv/ServiceVault/wtv-disk/userstore.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (request_headers.post_data) {
     if (request_headers.query.partialPath || request_headers.query.path) {
         if (socket.ssid) {

zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/content/content-serve.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 const WTVFlashrom = require("./WTVFlashrom.js");
 request_is_async = true;
 

zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/current-noflash.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 const WTVFlashrom = require("./WTVFlashrom.js");
 request_is_async = true;
 

zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-by-path.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 const WTVFlashrom = require("./WTVFlashrom.js");
 request_is_async = true;
 

zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/get-lc2-page.js

@@ -93,7 +93,9 @@ data += `
 nexturl="${flashrom_info.next_rompath}"
 errorurl="${service_name}:/lc2-download-failed?"
 `
-		if (!flashrom_info.is_last_part) data += `blockurl = "${flashrom_info.rompath}"`;
+		if (!var minisrv_service_file = true;
+
+flashrom_info.is_last_part) data += `blockurl = "${flashrom_info.rompath}"`;
 
 		data += `
 lastblock="${flashrom_info.is_last_part}"

zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/initiate-lc2-download.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (request_headers.query.path) {
 var url = service_name + ":/get-lc2-page?path=" + request_headers.query.path;
 var romtype = ssid_sessions[socket.ssid].get("wtv-client-rom-type");

zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-complete.js

@@ -42,7 +42,9 @@ Updating complete
 <td colspan=12 width=560 height=10 valign=top align=left>
 <img src="${service_name}:/ROMCache/S40H1.gif" width=560 height=6>
 <tr>
-<td width=104 height=10 valign=top align=left>
+<td width=104 height=10 valign=top align=left>var minisrv_service_file = true;
+
+
 <td width=20 valign=top align=left>
 <td width=67 valign=top align=left>
 <td width=20 valign=top align=left>

zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/lc2-download-failed.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 var error = '';
 if (request_headers.query.error) {
     switch (request_headers.query.error) {

zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/noflash.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 const WTVFlashrom = require("./WTVFlashrom.js");
 request_is_async = true;
 

zefie_wtvp_minisrv/ServiceVault/wtv-flashrom/willie.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 // willie is just a graphical frontend to a list of ROMs
 // the rest of the scripts should work if you manually link to a ROM, and actually have it.
 

zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/finalize-security.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 var challenge_response, challenge_header = '';
 var gourl;
 

zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login-stage-two.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 var challenge_response, challenge_header = '';
 var gourl;
 

zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/login.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 var challenge_response, challenge_header = "";
 
 var gourl = "wtv-head-waiter:/login-stage-two?";

zefie_wtvp_minisrv/ServiceVault/wtv-head-waiter/relogin.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 var gourl = "wtv-1800:/preregister?";
 if (request_headers.query.relogin) gourl += "relogin=true";
 else if (request_headers.query.reconnect) gourl += "reconnect=true";

zefie_wtvp_minisrv/ServiceVault/wtv-home/home.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers =`200 OK
 Connection: Keep-Alive
 wtv-expire-all: wtv-home:/splash

zefie_wtvp_minisrv/ServiceVault/wtv-home/splash.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 Connection: Keep-Alive
 wtv-expire-all: wtv-

zefie_wtvp_minisrv/ServiceVault/wtv-log/log.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 // write posted log data to disk. should be decrypted by this point (if it was encrypted) if the crypto stream didn't break
 
 request_is_async = true;

zefie_wtvp_minisrv/ServiceVault/wtv-music/get-playlist.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 Content-Type: text/html`;
 

zefie_wtvp_minisrv/ServiceVault/wtv-register/BeMyGuest.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (minisrv_config.config.allow_guests) {
     headers = `300 Moved
 Connection: Close

zefie_wtvp_minisrv/ServiceVault/wtv-register/FinishRegistration.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `300 Moved
 Connection: Close
 wtv-noback-all: wtv-register:

zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAccountInfo.js

@@ -1,4 +1,4 @@
-
+var minisrv_service_file = true;
 
 if (!request_headers.query.registering) {
     var errpage = doErrorPage(400);

zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateAgreement.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (!request_headers.query.registering) {
     var errpage = doErrorPage(400);
     headers = errpage[0];

zefie_wtvp_minisrv/ServiceVault/wtv-register/ValidateReviewAccountInfo.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 if (!request_headers.query.registering ||
     !request_headers.query.subscriber_name ||
     !request_headers.query.subscriber_username ||

zefie_wtvp_minisrv/ServiceVault/wtv-register/register.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 Content-Type: text/html`;
 

zefie_wtvp_minisrv/ServiceVault/wtv-register/splash.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 Connection: Keep-Alive
 wtv-expire-all: wtv-

zefie_wtvp_minisrv/ServiceVault/wtv-setup/get.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 wtv-backgroundmusic-load-playlist: wtv-music:/get-playlist
 wtv-printer-model: -1,-1

zefie_wtvp_minisrv/ServiceVault/wtv-tricks/access.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 // Allow URL access outside our trusted minisrv
 
 if (request_headers.query.url) var url = request_headers.query.url;

zefie_wtvp_minisrv/ServiceVault/wtv-tricks/blastbacklist.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 wtv-expire-all: wtv-
 wtv-expire-all: http

zefie_wtvp_minisrv/ServiceVault/wtv-tricks/go-offline.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 wtv-noback-all: wtv-
 wtv-expire-all: wtv-

zefie_wtvp_minisrv/ServiceVault/wtv-tricks/info.js

@@ -1,3 +1,4 @@
+var minisrv_service_file = true;
 
 var client_caps = null;
 

zefie_wtvp_minisrv/ServiceVault/wtv-tricks/register.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 Content-Type: text/html`;
 

zefie_wtvp_minisrv/ServiceVault/wtv-tricks/tricks.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 Content-Type: text/html`
 

zefie_wtvp_minisrv/ServiceVault/wtv-tricks/unregister.js

@@ -1,3 +1,5 @@
+var minisrv_service_file = true;
+
 headers = `200 OK
 Content-Type: text/html`;
 

zefie_wtvp_minisrv/WTVShared.js

@@ -199,6 +199,37 @@ class WTVShared {
         return path.reverse().split(".")[0].reverse();
     }
 
+    getLineFromFile(filename, line_no, callback) {
+        var stream = this.fs.createReadStream(filename, {
+            flags: 'r',
+            encoding: 'utf-8',
+            fd: null,
+            bufferSize: 64 * 1024
+        });
+
+
+        var fileData = '';
+        stream.on('data', function (data) {
+            fileData += data;
+
+            // The next lines should be improved
+            var lines = fileData.split("\n");
+
+            if (lines.length >= +line_no) {
+                stream.destroy();
+                callback(null, lines[+line_no]);
+            }
+        });
+
+        stream.on('error', function () {
+            callback('Error', null);
+        });
+
+        stream.on('end', function () {
+            callback('File end reached without finding line', null);
+        });
+    }
+
     /**
      * Strips bad things from paths
      * @param {string} base Base path

zefie_wtvp_minisrv/app.js

@@ -102,6 +102,17 @@ function doErrorPage(code, data = null, pc_mode = false) {
     return new Array(headers, data);
 }
 
+async function sendRawFile(socket, path) {
+    if (!minisrv_config.config.debug_flags.quiet) console.log(" * Found " + path + " to handle request (Direct File Mode) [Socket " + socket.id + "]");
+    var contypes = wtvmime.getContentType(path);
+    var headers = "200 OK\n"
+    headers += "Content-Type: " + contypes[0] + "\n";
+    headers += "wtv-modern-content-type" + contypes[1];
+    fs.readFile(path, null, function (err, data) {
+        sendToClient(socket, headers, data);
+    });
+}
+
 async function processPath(socket, service_vault_file_path, request_headers = new Array(), service_name) {
     var headers, data = null;
     var request_is_async = false;
@@ -120,9 +131,9 @@ async function processPath(socket, service_vault_file_path, request_headers = ne
                 else minisrv_catchall = minisrv_config.config.catchall_file_name || null;
                 if (minisrv_catchall) {
                     if (service_path_request_file == minisrv_catchall) {
+                        request_is_async = true;
                         var errpage = doErrorPage(401, "Access Denied");
-                        headers = errpage[0];
-                        data = errpage[1];
+                        sendToClient(socket, errpage[0], errpage[1]);
                         return;
                     }
                 }                
@@ -136,18 +147,50 @@ async function processPath(socket, service_vault_file_path, request_headers = ne
             }
 
             if (file_exists && !is_dir) {
-                // file exists, read it and return it
+                // file exists, read it and return it 
                 service_vault_found = true;
                 request_is_async = true;
-                if (!minisrv_config.config.debug_flags.quiet) console.log(" * Found " + service_vault_file_path + " to handle request (Direct File Mode) [Socket " + socket.id + "]");
                 request_headers.service_file_path = service_vault_file_path;
-                var contypes = wtvmime.getContentType(service_vault_file_path);
-                headers = "200 OK\n"
-                headers += "Content-Type: " + contypes[0] + "\n";
-                headers += "wtv-modern-content-type" + contypes[1];
-                fs.readFile(service_vault_file_path, null, function (err, data) {
-                    sendToClient(socket, headers, data);
-                });
+                request_headers.raw_file = true;
+
+                // service parsed files, we might not want to expose our service source files so we can protect them with a flag on the first line
+                if (wtvshared.getFileExt(service_vault_file_path).toLowerCase() == "js" || wtvshared.getFileExt(service_vault_file_path).toLowerCase() == "txt") {
+                    if (wtvshared.getFileExt(service_vault_file_path).toLowerCase() == "js") {
+                        wtvshared.getLineFromFile(service_vault_file_path, 0, function (status, line) {
+                            if (!status) {
+                                if (line.match(/minisrv\_service\_file.*true/i)) {
+                                    var errpage = doErrorPage(403, "Access Denied");
+                                    sendToClient(socket, errpage[0], errpage[1]);
+                                } else {
+                                    sendRawFile(socket, service_vault_file_path);
+                                }
+                            } else {
+                                var errpage = doErrorPage(400);
+                                sendToClient(socket, errpage[0], errpage[1]);
+                            }
+                        });
+                    }
+
+                    if (wtvshared.getFileExt(service_vault_file_path).toLowerCase() == "txt") {
+                        wtvshared.getLineFromFile(service_vault_file_path, 0, function (status, line) {
+                            if (!status) {
+                                if (line.match(/^#!minisrv/i)) {
+                                    var errpage = doErrorPage(403, "Access Denied");
+                                    sendToClient(socket, errpage[0], errpage[1]);
+                                } else {
+                                    sendRawFile(socket, service_vault_file_path);
+                                }
+                            } else {
+                                var errpage = doErrorPage(400);
+                                sendToClient(socket, errpage[0], errpage[1]);
+                            }
+                        });
+                    }
+                } else {
+                    // not a potential service file, so save to send
+                    sendRawFile(socket, service_vault_file_path);
+                }
+
             } else if (fs.existsSync(service_vault_file_path + ".txt")) {
                 // raw text format, entire payload expected (headers and content)
                 service_vault_found = true;
@@ -595,7 +638,7 @@ async function sendToClient(socket, headers_obj, data) {
     if (socket_sessions[socket.id]) {
         if (socket_sessions[socket.id].request_headers) {
             if (socket_sessions[socket.id].request_headers.service_file_path) {
-                if (wtvshared.getFileExt(socket_sessions[socket.id].request_headers.service_file_path).toLowerCase() !== "js") {
+                if (wtvshared.getFileExt(socket_sessions[socket.id].request_headers.service_file_path).toLowerCase() !== "js" || socket_sessions[socket.id].request_headers.raw_file === true) {
                     var last_modified = wtvshared.getFileLastModifiedUTCString(socket_sessions[socket.id].request_headers.service_file_path);
                     if (last_modified) headers_obj["Last-Modified"] = last_modified;
                 }