From 55cbf592ee4551bab4ed87faf944f69417c1c437 Mon Sep 17 00:00:00 2001 From: zefie Date: Thu, 1 Dec 2022 09:09:03 -0500 Subject: [PATCH] new experimental feature: shenanigans - will allow server operates to intentionally enable bugs/exploits for fun shenanigans --- zefie_wtvp_minisrv/app.js | 4 ++ .../ServiceVault/wtv-tricks/access.js | 24 ++++++----- .../includes/classes/WTVShared.js | 13 ++++++ .../includes/classes/WTVShenanigans.js | 42 +++++++++++++++++++ zefie_wtvp_minisrv/includes/config.json | 15 ++++--- zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj | 3 ++ 6 files changed, 85 insertions(+), 16 deletions(-) create mode 100644 zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js diff --git a/zefie_wtvp_minisrv/app.js b/zefie_wtvp_minisrv/app.js index 863da1f7..91a25539 100644 --- a/zefie_wtvp_minisrv/app.js +++ b/zefie_wtvp_minisrv/app.js @@ -2009,6 +2009,10 @@ if (minisrv_config.config.user_accounts.max_users_per_account > 99) { minisrv_config.config.user_accounts.max_users_per_account = 99; } +// shenanigans +if (minisrv_config.config.shenanigans) console.log(" * WARNING: Shenanigans level", minisrv_config.config.shenanigans, "enabled"); +else console.log(" * Shenanigans disabled"); + process.on('uncaughtException', function (err) { console.error((err && err.stack) ? err.stack : err); }); diff --git a/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js b/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js index 3d4bb2a9..309ababd 100644 --- a/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js +++ b/zefie_wtvp_minisrv/includes/ServiceVault/wtv-tricks/access.js @@ -1,14 +1,16 @@ var minisrv_service_file = true; -// Allow URL access outside our trusted minisrv +if (wtvshared.shenanigans.checkShenanigan(wtvshared.shenanigans.shenanigans.ENABLE_TRICKS_URLACCESS)) { + // Allow URL access outside our trusted minisrv + if (request_headers.query.url) var url = request_headers.query.url; + else var url = "client:showalert?message=Please%20provide%20a%20%3Furl%3D%20with%20the%20url%20you%20would%20like%20to%20access.&buttonlabel1=Okay&buttonacction1=client:donothing" -if (request_headers.query.url) var url = request_headers.query.url; -else var url = "client:showalert?message=Please%20provide%20a%20%3Furl%3D%20with%20the%20url%20you%20would%20like%20to%20access.&buttonlabel1=Okay&buttonacction1=client:donothing" - -headers = `300 OK -wtv-visit: ${url} -Location: ${url} -Content-type: text/html` - - -data = ''; \ No newline at end of file + headers = `300 OK + wtv-visit: ${url} + Location: ${url} + Content-type: text/html` +} else { + var err = wtvshared.doErrorPage(403, "Access Denied"); + headers = err[0]; + data = err[1]; +} \ No newline at end of file diff --git a/zefie_wtvp_minisrv/includes/classes/WTVShared.js b/zefie_wtvp_minisrv/includes/classes/WTVShared.js index 0934265c..aed51f44 100644 --- a/zefie_wtvp_minisrv/includes/classes/WTVShared.js +++ b/zefie_wtvp_minisrv/includes/classes/WTVShared.js @@ -2,6 +2,7 @@ * Shared functions across all classes and apps */ const CryptoJS = require('crypto-js'); +const WTVShenanigans = require('./WTVShenanigans.js'); class WTVShared { @@ -15,12 +16,14 @@ class WTVShared { parentDirectory = process.cwd() extend = require('util')._extend; debug = require('debug')('WTVShared') + shenanigans = null; minisrv_config = []; constructor(minisrv_config, quiet = false) { if (minisrv_config == null) this.minisrv_config = this.readMiniSrvConfig(true, !quiet); else this.minisrv_config = minisrv_config; + this.shenanigans = new WTVShenanigans(this.minisrv_config); if (!String.prototype.reverse) { String.prototype.reverse = function () { @@ -194,6 +197,11 @@ class WTVShared { } htmlEntitize(string, process_newline = false) { + if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_ENTITIZER)) { + // shenanigans level matches, don't encode + return string; + } + string = this.html_entities.encode(string).replace(/'/g, "'"); if (process_newline) string = string.replace(/\n/gi, "
").replace(/\r/gi, ""); @@ -222,6 +230,11 @@ class WTVShared { }); self.debug("sanitizeSignature", "allowed protocols:", allowedProtocols); + if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_SANITIZER)) { + // shenanigans level matches, don't filter + return string; + } + const clean = this.sanitizeHtml(string, { allowedTags: ['a', 'audioscope', 'b', 'bgsound', 'big', 'blackface', 'blockquote', 'bq', 'br', 'caption', 'center', 'cite', 'c', 'dd', 'dfn', 'div', 'dl', 'dt', 'em', 'fn', 'font', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'html', 'i', 'img', 'label', 'li', 'listing', 'marquee', 'nobr', 'ol', 'p', 'plaintext', 'pre', 's', 'samp', 'small', 'shadow', 'span', 'strike', 'strong', 'sub', 'sup', 'tbody', 'table', 'td', 'th', 'tr', 'tt', 'u', 'ul'], disallowedTagsMode: 'discard', diff --git a/zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js b/zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js new file mode 100644 index 00000000..90ee8903 --- /dev/null +++ b/zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js @@ -0,0 +1,42 @@ +class WTVShenanigans { + minisrv_config = null; + shenanigans = { + // PLEASE NOTE: anything that is broken with any shenigan level besides "false" is NOT a bug!!!! + + "NO_SHENANIGANS": false, // no shenanigans, minisrv as intended, most secure option + "ENABLE_TRICKS_URLACCESS": 1, // allows users to use wtv-tricks:/access?url= + "DISABLE_HTML_ENTITIZER": 4, // disables HTML Entitizer, allowing things such as HTML in email/usenet subjects + "DISABLE_HTML_SANITIZER": 5 // disables HTML Sanitizer, allowing all sorts of chaos in email/usenet posts and signatures + } + + constructor(minisrv_config) { + this.minisrv_config = minisrv_config; + } + + getShenanigansLevel() { + return this.minisrv_config.config.shenanigans; + } + + checkShenanigan(value) { + var level = this.getShenanigansLevel(); + + // shenanigans are disabled, don't iterate + if (level === false) return false; + + var retval = false; + var shenanigans = this.shenanigans; + + // shenanigans are enabled, so check if the requested shenanigan is within the level enabled + Object.keys(shenanigans).forEach((k) => { + if (shenanigans[k] == value) { + if (level >= shenanigans[k]) { + retval = true; + return false; + } + } + }); + + return retval; + } +} +module.exports = WTVShenanigans; \ No newline at end of file diff --git a/zefie_wtvp_minisrv/includes/config.json b/zefie_wtvp_minisrv/includes/config.json index 91d60e76..c39bcf59 100644 --- a/zefie_wtvp_minisrv/includes/config.json +++ b/zefie_wtvp_minisrv/includes/config.json @@ -95,7 +95,12 @@ "wtv-head-waiter:/images/signin_new_mail.gif", "wtv-head-waiter:/images/signin_no_mail.gif", "wtv-log:/log" - ] + ], + /* shenanigans: this allows you to intentionally enable old minisrv bugs, as well as official WebTV Networks exploits + Each level of shenanigans includes the previous level (eg 5 will also disable filters like 4) + See WTVShenanigans.js for more info. + */ + "shenanigans": false }, "services": { // service definitions @@ -300,10 +305,10 @@ "force_https": false, "https_cert": { /* self-signed, can be replaced with another cert */ - // "domain": "mycooldomain.com", - "cert": "%ServiceDeps%/https/selfsigned_cert.pem", - "key": "%ServiceDeps%/https/selfsigned_key.pem" - } + // "domain": "mycooldomain.com", + "cert": "%ServiceDeps%/https/selfsigned_cert.pem", + "key": "%ServiceDeps%/https/selfsigned_key.pem" + } } }, "favorites": { diff --git a/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj b/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj index 631311da..4a99e229 100644 --- a/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj +++ b/zefie_wtvp_minisrv/zefie_wtvp_minisrv.njsproj @@ -50,6 +50,9 @@ + + Code +