new experimental feature: shenanigans
- will allow server operates to intentionally enable bugs/exploits for fun shenanigans
This commit is contained in:
zefie
@@ -2,6 +2,7 @@
|
||||
* Shared functions across all classes and apps
|
||||
*/
|
||||
const CryptoJS = require('crypto-js');
|
||||
const WTVShenanigans = require('./WTVShenanigans.js');
|
||||
|
||||
class WTVShared {
|
||||
|
||||
@@ -15,12 +16,14 @@ class WTVShared {
|
||||
parentDirectory = process.cwd()
|
||||
extend = require('util')._extend;
|
||||
debug = require('debug')('WTVShared')
|
||||
shenanigans = null;
|
||||
|
||||
minisrv_config = [];
|
||||
|
||||
constructor(minisrv_config, quiet = false) {
|
||||
if (minisrv_config == null) this.minisrv_config = this.readMiniSrvConfig(true, !quiet);
|
||||
else this.minisrv_config = minisrv_config;
|
||||
this.shenanigans = new WTVShenanigans(this.minisrv_config);
|
||||
|
||||
if (!String.prototype.reverse) {
|
||||
String.prototype.reverse = function () {
|
||||
@@ -194,6 +197,11 @@ class WTVShared {
|
||||
}
|
||||
|
||||
htmlEntitize(string, process_newline = false) {
|
||||
if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_ENTITIZER)) {
|
||||
// shenanigans level matches, don't encode
|
||||
return string;
|
||||
}
|
||||
|
||||
string = this.html_entities.encode(string).replace(/'/g, "'");
|
||||
|
||||
if (process_newline) string = string.replace(/\n/gi, "<br>").replace(/\r/gi, "");
|
||||
@@ -222,6 +230,11 @@ class WTVShared {
|
||||
});
|
||||
self.debug("sanitizeSignature", "allowed protocols:", allowedProtocols);
|
||||
|
||||
if (this.shenanigans.checkShenanigan(this.shenanigans.shenanigans.DISABLE_HTML_SANITIZER)) {
|
||||
// shenanigans level matches, don't filter
|
||||
return string;
|
||||
}
|
||||
|
||||
const clean = this.sanitizeHtml(string, {
|
||||
allowedTags: ['a', 'audioscope', 'b', 'bgsound', 'big', 'blackface', 'blockquote', 'bq', 'br', 'caption', 'center', 'cite', 'c', 'dd', 'dfn', 'div', 'dl', 'dt', 'em', 'fn', 'font', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'html', 'i', 'img', 'label', 'li', 'listing', 'marquee', 'nobr', 'ol', 'p', 'plaintext', 'pre', 's', 'samp', 'small', 'shadow', 'span', 'strike', 'strong', 'sub', 'sup', 'tbody', 'table', 'td', 'th', 'tr', 'tt', 'u', 'ul'],
|
||||
disallowedTagsMode: 'discard',
|
||||
|
||||
42
zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js
Normal file
42
zefie_wtvp_minisrv/includes/classes/WTVShenanigans.js
Normal file
@@ -0,0 +1,42 @@
|
||||
class WTVShenanigans {
|
||||
minisrv_config = null;
|
||||
shenanigans = {
|
||||
// PLEASE NOTE: anything that is broken with any shenigan level besides "false" is NOT a bug!!!!
|
||||
|
||||
"NO_SHENANIGANS": false, // no shenanigans, minisrv as intended, most secure option
|
||||
"ENABLE_TRICKS_URLACCESS": 1, // allows users to use wtv-tricks:/access?url=
|
||||
"DISABLE_HTML_ENTITIZER": 4, // disables HTML Entitizer, allowing things such as HTML in email/usenet subjects
|
||||
"DISABLE_HTML_SANITIZER": 5 // disables HTML Sanitizer, allowing all sorts of chaos in email/usenet posts and signatures
|
||||
}
|
||||
|
||||
constructor(minisrv_config) {
|
||||
this.minisrv_config = minisrv_config;
|
||||
}
|
||||
|
||||
getShenanigansLevel() {
|
||||
return this.minisrv_config.config.shenanigans;
|
||||
}
|
||||
|
||||
checkShenanigan(value) {
|
||||
var level = this.getShenanigansLevel();
|
||||
|
||||
// shenanigans are disabled, don't iterate
|
||||
if (level === false) return false;
|
||||
|
||||
var retval = false;
|
||||
var shenanigans = this.shenanigans;
|
||||
|
||||
// shenanigans are enabled, so check if the requested shenanigan is within the level enabled
|
||||
Object.keys(shenanigans).forEach((k) => {
|
||||
if (shenanigans[k] == value) {
|
||||
if (level >= shenanigans[k]) {
|
||||
retval = true;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
return retval;
|
||||
}
|
||||
}
|
||||
module.exports = WTVShenanigans;
|
||||
Reference in New Issue
Block a user