dont allow socket.emits during maintenance mode
barisusakli
2017-02-03 19:02:38 +03:00
parent 06bf631445
commit a15aaaf389
7 changed files with 210 additions and 221 deletions


@@ -12,33 +12,7 @@ module.exports = function (middleware) {
} }
var url = req.url.replace(nconf.get('relative_path'), ''); var url = req.url.replace(nconf.get('relative_path'), '');
var allowedRoutes = [ if (url.startsWith('/login') || url.startsWith('/api/login')) {
'^/ping',
'^/sping',
'^/login',
'^/stylesheet.css',
'^/favicon',
'^/nodebb.min.js',
'^/vendor/fontawesome/fonts/fontawesome-webfont.woff',
'^/src/(modules|client)/[\\w/]+.js',
'^/templates/[\\w/]+.tpl',
'^/api/login',
'^/api/widgets/render',
'^/public/language',
'^/uploads/system/site-logo.png'
];
var isAllowed = function (url) {
for(var x = 0,numAllowed = allowedRoutes.length,route; x < numAllowed; x++) {
route = new RegExp(allowedRoutes[x]);
if (route.test(url)) {
return true;
}
}
return false;
};
if (isAllowed(url)) {
return next(); return next();
} }
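Review bot: The replacement check on the line `if (url.startsWith('/login') || url.startsWith('/api/login')) {` is a bare prefix test, so any path that merely begins with `/login` (for example a `/login-help` route, if one exists) would skip maintenance mode; the removed regexes were anchored only with `^` so this is not new, but with the allowlist reduced to two entries it is cheap to match exactly. A tighter form is `var path = url.split('?')[0]; if (path === '/login' || path === '/api/login') {`, which still admits a query string on the login page. The removed list also covered `/ping` and `/sping`; whether health checks still need to pass during maintenance depends on where `maintenanceMode` is now mounted, which is outside this hunk. The enclosing middleware function starts and ends outside the hunk.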


@@ -3,7 +3,7 @@
'use strict'; 'use strict';
var winston = require('winston'); var winston = require('winston');
var ratelimit = {}; var ratelimit = module.exports;
var allowedCalls = 100; var allowedCalls = 100;
var timeframe = 10000; var timeframe = 10000;
@@ -31,5 +31,3 @@ ratelimit.isFlooding = function (socket) {
socket.lastCallTime = now; socket.lastCallTime = now;
return false; return false;
}; };
module.exports = ratelimit;


@@ -29,12 +29,13 @@ module.exports = function (app, middleware, controllers) {
var multipart = require('connect-multiparty'); var multipart = require('connect-multiparty');
var multipartMiddleware = multipart(); var multipartMiddleware = multipart();
var middlewares = [multipartMiddleware, middleware.validateFiles, middleware.applyCSRF]; var middlewares = [middleware.maintenanceMode, multipartMiddleware, middleware.validateFiles, middleware.applyCSRF];
router.post('/post/upload', middlewares, uploadsController.uploadPost); router.post('/post/upload', middlewares, uploadsController.uploadPost);
router.post('/topic/thumb/upload', middlewares, uploadsController.uploadThumb); router.post('/topic/thumb/upload', middlewares, uploadsController.uploadThumb);
router.post('/user/:userslug/uploadpicture', middlewares.concat([middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadPicture); router.post('/user/:userslug/uploadpicture', middlewares.concat([middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadPicture);
router.post('/user/:userslug/uploadcover', middlewares.concat([middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadCoverPicture); router.post('/user/:userslug/uploadcover', middlewares.concat([middleware.authenticate, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions]), controllers.accounts.edit.uploadCoverPicture);
router.post('/groups/uploadpicture', middlewares.concat([middleware.authenticate]), controllers.groups.uploadCover); router.post('/groups/uploadpicture', middlewares.concat([middleware.authenticate]), controllers.groups.uploadCover);
}; };


@@ -365,12 +365,12 @@ function sendFeed(feed, res) {
} }
module.exports = function (app, middleware, controllers) { module.exports = function (app, middleware, controllers) {
app.get('/topic/:topic_id.rss', generateForTopic); app.get('/topic/:topic_id.rss', middleware.maintenanceMode, generateForTopic);
app.get('/category/:category_id.rss', generateForCategory); app.get('/category/:category_id.rss', middleware.maintenanceMode, generateForCategory);
app.get('/recent.rss', generateForRecent); app.get('/recent.rss', middleware.maintenanceMode, generateForRecent);
app.get('/popular.rss', generateForPopular); app.get('/popular.rss', middleware.maintenanceMode, generateForPopular);
app.get('/popular/:term.rss', generateForPopular); app.get('/popular/:term.rss', middleware.maintenanceMode, generateForPopular);
app.get('/recentposts.rss', generateForRecentPosts); app.get('/recentposts.rss', middleware.maintenanceMode, generateForRecentPosts);
app.get('/category/:category_id/recentposts.rss', generateForCategoryRecentPosts); app.get('/category/:category_id/recentposts.rss', middleware.maintenanceMode, generateForCategoryRecentPosts);
app.get('/user/:userslug/topics.rss', generateForUserTopics); app.get('/user/:userslug/topics.rss', middleware.maintenanceMode, generateForUserTopics);
}; };
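Review bot: `middleware.maintenanceMode` is spelled out on all eight `app.get` calls in this hunk; one shared array keeps the routes readable and makes it harder to forget the gate on a feed added later, e.g. `var middlewares = [middleware.maintenanceMode];` followed by `app.get('/recent.rss', middlewares, generateForRecent);` for each route. Express accepts an array in the handler position, as `helpers.setupPageRoute` in this same commit already relies on.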


@@ -3,7 +3,7 @@
var helpers = {}; var helpers = {};
helpers.setupPageRoute = function (router, name, middleware, middlewares, controller) { helpers.setupPageRoute = function (router, name, middleware, middlewares, controller) {
middlewares = middlewares.concat([middleware.registrationComplete, middleware.pageView, middleware.pluginHooks]); middlewares = middlewares.concat([middleware.maintenanceMode, middleware.registrationComplete, middleware.pageView, middleware.pluginHooks]);
router.get(name, middleware.busyCheck, middleware.buildHeader, middlewares, controller); router.get(name, middleware.busyCheck, middleware.buildHeader, middlewares, controller);
router.get('/api' + name, middlewares, controller); router.get('/api' + name, middlewares, controller);
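Review bot: On the page route `router.get(name, middleware.busyCheck, middleware.buildHeader, middlewares, controller);` the new `middleware.maintenanceMode` entry sits inside `middlewares` and therefore runs after `busyCheck` and `buildHeader`, so header construction is done for every request that maintenance mode then refuses. If the maintenance response does not depend on `buildHeader` (not visible from this hunk), moving the gate to the front — `router.get(name, middleware.maintenanceMode, middleware.busyCheck, middleware.buildHeader, middlewares, controller);` — rejects earlier; if the maintenance page does render with the header, a comment on the `middlewares` line saying so would save the next reader the same question. `setupPageRoute` continues past the hunk.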


@@ -117,8 +117,6 @@ module.exports = function (app, middleware, hotswapIds) {
app.all(relativePath + '(/api/admin|/api/admin/*?)', middleware.isAdmin); app.all(relativePath + '(/api/admin|/api/admin/*?)', middleware.isAdmin);
app.all(relativePath + '(/admin|/admin/*?)', ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login?local=1'), middleware.applyCSRF, middleware.isAdmin); app.all(relativePath + '(/admin|/admin/*?)', ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login?local=1'), middleware.applyCSRF, middleware.isAdmin);
app.use(middleware.maintenanceMode);
adminRoutes(router, middleware, controllers); adminRoutes(router, middleware, controllers);
metaRoutes(router, middleware, controllers); metaRoutes(router, middleware, controllers);
apiRoutes(router, middleware, controllers); apiRoutes(router, middleware, controllers);
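Review bot: Dropping `app.use(middleware.maintenanceMode);` turns maintenance mode from a global gate into one applied only where this commit registers it per route (page routes via `setupPageRoute`, uploads and feeds), so `adminRoutes`, `metaRoutes`, `apiRoutes` and anything routed outside those helpers are now served normally during maintenance unless they pick the middleware up elsewhere, which this hunk does not show. Worth either confirming each route group is covered or keeping a catch-all later in the chain for paths the per-route registrations miss. A comment such as `// maintenanceMode is applied per route; see helpers.setupPageRoute, uploads and feeds` above `adminRoutes(...)` would record the decision. The enclosing function extends beyond the hunk.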


@@ -7,223 +7,241 @@ var url = require('url');
var cookieParser = require('cookie-parser')(nconf.get('secret')); var cookieParser = require('cookie-parser')(nconf.get('secret'));
var db = require('../database'); var db = require('../database');
var user = require('../user');
var logger = require('../logger'); var logger = require('../logger');
var ratelimit = require('../middleware/ratelimit'); var ratelimit = require('../middleware/ratelimit');
(function (Sockets) {
var Namespaces = {};
var io;
Sockets.init = function (server) { var Namespaces = {};
requireModules(); var io;
var SocketIO = require('socket.io'); var Sockets = module.exports;
var socketioWildcard = require('socketio-wildcard')();
io = new SocketIO({
path: nconf.get('relative_path') + '/socket.io'
});
addRedisAdapter(io); Sockets.init = function (server) {
requireModules();
io.use(socketioWildcard); var SocketIO = require('socket.io');
io.use(authorize); var socketioWildcard = require('socketio-wildcard')();
io = new SocketIO({
path: nconf.get('relative_path') + '/socket.io'
});
io.on('connection', onConnection); addRedisAdapter(io);
io.listen(server, { io.use(socketioWildcard);
transports: nconf.get('socket.io:transports') io.use(authorize);
});
Sockets.server = io; io.on('connection', onConnection);
};
function onConnection(socket) { io.listen(server, {
socket.ip = socket.request.headers['x-forwarded-for'] || socket.request.connection.remoteAddress; transports: nconf.get('socket.io:transports')
});
logger.io_one(socket, socket.uid); Sockets.server = io;
};
onConnect(socket); function onConnection(socket) {
socket.ip = socket.request.headers['x-forwarded-for'] || socket.request.connection.remoteAddress;
socket.on('*', function (payload) { logger.io_one(socket, socket.uid);
onMessage(socket, payload);
}); onConnect(socket);
socket.on('*', function (payload) {
onMessage(socket, payload);
});
}
function onConnect(socket) {
if (socket.uid) {
socket.join('uid_' + socket.uid);
socket.join('online_users');
} else {
socket.join('online_guests');
} }
function onConnect(socket) { socket.join('sess_' + socket.request.signedCookies[nconf.get('sessionKey')]);
if (socket.uid) { io.sockets.sockets[socket.id].emit('checkSession', socket.uid);
socket.join('uid_' + socket.uid); }
socket.join('online_users');
function onMessage(socket, payload) {
if (!payload.data.length) {
return winston.warn('[socket.io] Empty payload');
}
var eventName = payload.data[0];
var params = payload.data[1];
var callback = typeof payload.data[payload.data.length - 1] === 'function' ? payload.data[payload.data.length - 1] : function () {
};
if (!eventName) {
return winston.warn('[socket.io] Empty method name');
}
var parts = eventName.toString().split('.');
var namespace = parts[0];
var methodToCall = parts.reduce(function (prev, cur) {
if (prev !== null && prev[cur]) {
return prev[cur];
} else { } else {
socket.join('online_guests'); return null;
} }
}, Namespaces);
socket.join('sess_' + socket.request.signedCookies[nconf.get('sessionKey')]); if (!methodToCall) {
io.sockets.sockets[socket.id].emit('checkSession', socket.uid); if (process.env.NODE_ENV === 'development') {
winston.warn('[socket.io] Unrecognized message: ' + eventName);
}
return callback({message: '[[error:invalid-event]]'});
} }
function onMessage(socket, payload) { socket.previousEvents = socket.previousEvents || [];
if (!payload.data.length) { socket.previousEvents.push(eventName);
return winston.warn('[socket.io] Empty payload'); if (socket.previousEvents.length > 20) {
} socket.previousEvents.shift();
}
var eventName = payload.data[0]; if (!eventName.startsWith('admin.') && ratelimit.isFlooding(socket)) {
var params = payload.data[1]; winston.warn('[socket.io] Too many emits! Disconnecting uid : ' + socket.uid + '. Events : ' + socket.previousEvents);
var callback = typeof payload.data[payload.data.length - 1] === 'function' ? payload.data[payload.data.length - 1] : function () { return socket.disconnect();
}; }
if (!eventName) { async.waterfall([
return winston.warn('[socket.io] Empty method name'); function (next) {
} checkMaintenance(socket, next);
},
var parts = eventName.toString().split('.'); function (next) {
var namespace = parts[0]; validateSession(socket, next);
var methodToCall = parts.reduce(function (prev, cur) { },
if (prev !== null && prev[cur]) { function (next) {
return prev[cur]; if (Namespaces[namespace].before) {
Namespaces[namespace].before(socket, eventName, params, next);
} else { } else {
return null; next();
} }
}, Namespaces); },
function (next) {
methodToCall(socket, params, next);
}
], function (err, result) {
callback(err ? {message: err.message} : null, result);
});
}
if (!methodToCall) { function requireModules() {
if (process.env.NODE_ENV === 'development') { var modules = ['admin', 'categories', 'groups', 'meta', 'modules',
winston.warn('[socket.io] Unrecognized message: ' + eventName); 'notifications', 'plugins', 'posts', 'topics', 'user', 'blacklist'
} ];
return callback({message: '[[error:invalid-event]]'});
modules.forEach(function (module) {
Namespaces[module] = require('./' + module);
});
}
function checkMaintenance(socket, callback) {
var meta = require('../meta');
if (parseInt(meta.config.maintenanceMode, 10) !== 1) {
return setImmediate(callback);
}
user.isAdministrator(socket.uid, function (err, isAdmin) {
if (err || isAdmin) {
return callback(err);
}
});
}
function validateSession(socket, callback) {
var req = socket.request;
if (!req.signedCookies || !req.signedCookies[nconf.get('sessionKey')]) {
return callback(new Error('[[error:invalid-session]]'));
}
db.sessionStore.get(req.signedCookies[nconf.get('sessionKey')], function (err, sessionData) {
if (err || !sessionData) {
return callback(err || new Error('[[error:invalid-session]]'));
} }
socket.previousEvents = socket.previousEvents || []; callback();
socket.previousEvents.push(eventName); });
if (socket.previousEvents.length > 20) { }
socket.previousEvents.shift();
}
if (!eventName.startsWith('admin.') && ratelimit.isFlooding(socket)) { function authorize(socket, callback) {
winston.warn('[socket.io] Too many emits! Disconnecting uid : ' + socket.uid + '. Events : ' + socket.previousEvents); var request = socket.request;
return socket.disconnect();
}
async.waterfall([ if (!request) {
function (next) { return callback(new Error('[[error:not-authorized]]'));
validateSession(socket, next); }
},
function (next) { async.waterfall([
if (Namespaces[namespace].before) { function (next) {
Namespaces[namespace].before(socket, eventName, params, next); cookieParser(request, {}, next);
} else { },
next(); function (next) {
db.sessionStore.get(request.signedCookies[nconf.get('sessionKey')], function (err, sessionData) {
if (err) {
return next(err);
} }
}, if (sessionData && sessionData.passport && sessionData.passport.user) {
function (next) { request.session = sessionData;
methodToCall(socket, params, next); socket.uid = parseInt(sessionData.passport.user, 10);
} } else {
], function (err, result) { socket.uid = 0;
callback(err ? {message: err.message} : null, result); }
}); next();
} });
function requireModules() {
var modules = ['admin', 'categories', 'groups', 'meta', 'modules',
'notifications', 'plugins', 'posts', 'topics', 'user', 'blacklist'
];
modules.forEach(function (module) {
Namespaces[module] = require('./' + module);
});
}
function validateSession(socket, callback) {
var req = socket.request;
if (!req.signedCookies || !req.signedCookies[nconf.get('sessionKey')]) {
return callback(new Error('[[error:invalid-session]]'));
} }
db.sessionStore.get(req.signedCookies[nconf.get('sessionKey')], function (err, sessionData) { ], callback);
if (err || !sessionData) { }
return callback(err || new Error('[[error:invalid-session]]'));
}
callback(); function addRedisAdapter(io) {
}); if (nconf.get('redis')) {
var redisAdapter = require('socket.io-redis');
var redis = require('../database/redis');
var pub = redis.connect();
var sub = redis.connect({return_buffers: true});
io.adapter(redisAdapter({pubClient: pub, subClient: sub}));
} else if (nconf.get('isCluster') === 'true') {
winston.warn('[socket.io] Clustering detected, you are advised to configure Redis as a websocket store.');
}
}
Sockets.in = function (room) {
return io.in(room);
};
Sockets.getUserSocketCount = function (uid) {
if (!io) {
return 0;
} }
function authorize(socket, callback) { var room = io.sockets.adapter.rooms['uid_' + uid];
var request = socket.request; return room ? room.length : 0;
};
if (!request) {
return callback(new Error('[[error:not-authorized]]'));
}
async.waterfall([ Sockets.reqFromSocket = function (socket, payload, event) {
function (next) { var headers = socket.request ? socket.request.headers : {};
cookieParser(request, {}, next); var encrypted = socket.request ? !!socket.request.connection.encrypted : false;
}, var host = headers.host;
function (next) { var referer = headers.referer || '';
db.sessionStore.get(request.signedCookies[nconf.get('sessionKey')], function (err, sessionData) { var data = ((payload || {}).data || []);
if (err) {
return next(err); if (!host) {
} host = url.parse(referer).host || '';
if (sessionData && sessionData.passport && sessionData.passport.user) {
request.session = sessionData;
socket.uid = parseInt(sessionData.passport.user, 10);
} else {
socket.uid = 0;
}
next();
});
}
], callback);
} }
function addRedisAdapter(io) { return {
if (nconf.get('redis')) { uid: socket.uid,
var redisAdapter = require('socket.io-redis'); params: data[1],
var redis = require('../database/redis'); method: event || data[0],
var pub = redis.connect(); body: payload,
var sub = redis.connect({return_buffers: true}); ip: headers['x-forwarded-for'] || socket.ip,
io.adapter(redisAdapter({pubClient: pub, subClient: sub})); host: host,
} else if (nconf.get('isCluster') === 'true') { protocol: encrypted ? 'https' : 'http',
winston.warn('[socket.io] Clustering detected, you are advised to configure Redis as a websocket store.'); secure: encrypted,
} url: referer,
} path: referer.substr(referer.indexOf(host) + host.length),
headers: headers
Sockets.in = function (room) {
return io.in(room);
};
Sockets.getUserSocketCount = function (uid) {
if (!io) {
return 0;
}
var room = io.sockets.adapter.rooms['uid_' + uid];
return room ? room.length : 0;
}; };
};
Sockets.reqFromSocket = function (socket, payload, event) {
var headers = socket.request ? socket.request.headers : {};
var encrypted = socket.request ? !!socket.request.connection.encrypted : false;
var host = headers.host;
var referer = headers.referer || '';
var data = ((payload || {}).data || []);
if (!host) {
host = url.parse(referer).host || '';
}
return {
uid: socket.uid,
params: data[1],
method: event || data[0],
body: payload,
ip: headers['x-forwarded-for'] || socket.ip,
host: host,
protocol: encrypted ? 'https' : 'http',
secure: encrypted,
url: referer,
path: referer.substr(referer.indexOf(host) + host.length),
headers: headers
};
};
}(exports));
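Review bot: `checkMaintenance` never calls back when maintenance mode is on and `user.isAdministrator` reports a non-admin: the callback body only returns for `err || isAdmin`, so for everyone else the `async.waterfall` in `onMessage` stalls and the client's acknowledgement callback is never invoked, with no error reaching it. The emit is indeed blocked, but silently; returning an explicit error lets the client surface it and lets the waterfall complete. A `[[error:not-authorized]]` error, already used by `authorize` in this file, fits. Separately, `require('../meta')` inside `checkMaintenance` runs on every socket message; if it is placed there to break a circular dependency, a one-line comment saying so would help, otherwise hoist it next to the other requires.
```javascript
function checkMaintenance(socket, callback) {
	// … unchanged: early return via setImmediate when maintenanceMode !== 1 …
	user.isAdministrator(socket.uid, function (err, isAdmin) {
		if (err) {
			return callback(err);
		}
		if (!isAdmin) {
			// refuse the emit explicitly so the waterfall and the client callback complete
			return callback(new Error('[[error:not-authorized]]'));
		}
		callback();
	});
}
```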