new experimental feature: shenanigans

- will allow server operates to intentionally enable bugs/exploits for fun shenanigans
2022-12-01 09:09:03 -05:00
parent b437d99f91
commit 55cbf592ee
6 changed files with 85 additions and 16 deletions
--- a/zefie_wtvp_minisrv/app.js
+++ b/zefie_wtvp_minisrv/app.js
@@ -2009,6 +2009,10 @@ if (minisrv_config.config.user_accounts.max_users_per_account > 99) {
    minisrv_config.config.user_accounts.max_users_per_account = 99;
 }

+// shenanigans
+if (minisrv_config.config.shenanigans) console.log(" * WARNING: Shenanigans level", minisrv_config.config.shenanigans, "enabled");
+else console.log(" * Shenanigans disabled");
+
 process.on('uncaughtException', function (err) {
    console.error((err && err.stack) ? err.stack : err);
 });
--- a/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js
+++ b/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js
@@ -1,14 +1,16 @@
 var minisrv_service_file = true;

-// Allow URL access outside our trusted minisrv
+if (wtvshared.shenanigans.checkShenanigan(wtvshared.shenanigans.shenanigans.ENABLE_TRICKS_URLACCESS)) {
+    // Allow URL access outside our trusted minisrv
+    if (request_headers.query.url) var url = request_headers.query.url;
+    else var url = "client:showalert?message=Please%20provide%20a%20%3Furl%3D%20with%20the%20url%20you%20would%20like%20to%20access.&buttonlabel1=Okay&buttonacction1=client:donothing"

-if (request_headers.query.url) var url = request_headers.query.url;
-else var url = "client:showalert?message=Please%20provide%20a%20%3Furl%3D%20with%20the%20url%20you%20would%20like%20to%20access.&buttonlabel1=Okay&buttonacction1=client:donothing"
-
-headers = `300 OK
-wtv-visit: ${url}
-Location: ${url}
-Content-type: text/html`
-
-
-data = '';
+    headers = `300 OK
+    wtv-visit: ${url}
+    Location: ${url}
+    Content-type: text/html`
+} else {
+    var err = wtvshared.doErrorPage(403, "Access Denied");
+    headers = err[0];
+    data = err[1];
+}
--- a/zefie_wtvp_minisrv/includes/classes/WTVShared.js
+++ b/zefie_wtvp_minisrv/includes/classes/WTVShared.js
@@ -2,6 +2,7 @@
 * Shared functions across all classes and apps
 */
 const CryptoJS = require('crypto-js');
+const WTVShenanigans = require('./WTVShenanigans.js');

 class WTVShared {

@@ -15,12 +16,14 @@ class WTVShared {
    parentDirectory = process.cwd()
    extend = require('util')._extend;
    debug = require('debug')('WTVShared')
+    shenanigans = null;

    minisrv_config = [];
    
    constructor(minisrv_config, quiet = false) {
        if (minisrv_config == null) this.minisrv_config = this.readMiniSrvConfig(true, !quiet);
        else this.minisrv_config = minisrv_config;
+        this.shenanigans = new WTVShenanigans(this.minisrv_config);
       
        if (!String.prototype.reverse) {
            String.prototype.reverse = function () {
@@ -194,6 +197,11 @@ class WTVShared {
    }

    htmlEntitize(string, process_newline = false) {
+        if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_ENTITIZER)) {
+            // shenanigans level matches, don't encode
+            return string;
+        }
+
        string = this.html_entities.encode(string).replace(/&apos;/g, "'");

        if (process_newline) string = string.replace(/\n/gi, "<br>").replace(/\r/gi, "");
@@ -222,6 +230,11 @@ class WTVShared {
        });
        self.debug("sanitizeSignature", "allowed protocols:", allowedProtocols);

+        if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_SANITIZER)) {
+            // shenanigans level matches, don't filter
+            return string;
+        }
+
        const clean = this.sanitizeHtml(string, {
            allowedTags: ['a', 'audioscope', 'b', 'bgsound', 'big', 'blackface', 'blockquote', 'bq', 'br', 'caption', 'center', 'cite', 'c', 'dd', 'dfn', 'div', 'dl', 'dt', 'em', 'fn', 'font', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'html', 'i', 'img', 'label', 'li', 'listing', 'marquee', 'nobr', 'ol', 'p', 'plaintext', 'pre', 's', 'samp', 'small', 'shadow', 'span', 'strike', 'strong', 'sub', 'sup', 'tbody', 'table', 'td', 'th', 'tr', 'tt', 'u', 'ul'],
            disallowedTagsMode: 'discard',
--- a/zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js
+++ b/zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js
@@ -0,0 +1,42 @@
+class WTVShenanigans {
+    minisrv_config = null;
+    shenanigans = {
+        // PLEASE NOTE: anything that is broken with any shenigan level besides "false" is NOT a bug!!!! 
+
+        "NO_SHENANIGANS": false, // no shenanigans, minisrv as intended, most secure option
+        "ENABLE_TRICKS_URLACCESS": 1, // allows users to use wtv-tricks:/access?url=
+        "DISABLE_HTML_ENTITIZER": 4, // disables HTML Entitizer, allowing things such as HTML in email/usenet subjects
+        "DISABLE_HTML_SANITIZER": 5 // disables HTML Sanitizer, allowing all sorts of chaos in email/usenet posts and signatures
+    }
+
+    constructor(minisrv_config) {
+        this.minisrv_config = minisrv_config;
+    }
+
+    getShenanigansLevel() {
+        return this.minisrv_config.config.shenanigans;
+    }
+
+    checkShenanigan(value) {
+        var level = this.getShenanigansLevel();
+
+        // shenanigans are disabled, don't iterate
+        if (level === false) return false;
+
+        var retval = false;
+        var shenanigans = this.shenanigans;
+
+        // shenanigans are enabled, so check if the requested shenanigan is within the level enabled
+        Object.keys(shenanigans).forEach((k) => {
+            if (shenanigans[k] == value) {
+                if (level >= shenanigans[k]) {
+                    retval = true;
+                    return false;
+                }
+            }
+        });
+
+        return retval;
+    }
+}
+module.exports = WTVShenanigans;
--- a/zefie_wtvp_minisrv/includes/config.json
+++ b/zefie_wtvp_minisrv/includes/config.json
@@ -95,7 +95,12 @@
      "wtv-head-waiter:/images/signin_new_mail.gif",
      "wtv-head-waiter:/images/signin_no_mail.gif",
      "wtv-log:/log"
-    ]
+    ],
+    /* shenanigans: this allows you to intentionally enable old minisrv bugs, as well as official WebTV Networks exploits 
+       Each level of shenanigans includes the previous level (eg 5 will also disable filters like 4)
+       See WTVShenanigans.js for more info.
+    */
+    "shenanigans": false
  },
  "services": {
    // service definitions
@@ -300,10 +305,10 @@
      "force_https": false,
      "https_cert": {
        /* self-signed, can be replaced with another cert */
-        // "domain": "mycooldomain.com",
-        "cert": "%ServiceDeps%/https/selfsigned_cert.pem",
-        "key": "%ServiceDeps%/https/selfsigned_key.pem"
-      }
+    // "domain": "mycooldomain.com",
+    "cert": "%ServiceDeps%/https/selfsigned_cert.pem",
+    "key": "%ServiceDeps%/https/selfsigned_key.pem"
+  }
    }
  },
  "favorites": {
--- a/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj
+++ b/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj
@@ -50,6 +50,9 @@
    <Content Include="includes\classes\WTVRegister.js" />
    <Content Include="includes\classes\WTVSec.js" />
    <Content Include="includes\classes\WTVShared.js" />
+    <Content Include="includes\classes\WTVShenanigans.js">
+      <SubType>Code</SubType>
+    </Content>
    <Content Include="includes\ServiceDeps\https\selfsigned_cert.pem" />
    <Content Include="includes\ServiceDeps\https\selfsigned_key.pem" />
    <Content Include="includes\ServiceDeps\templates\wtv-guide\glossary.json" />