Commit Graph

9 Commits

Author SHA1 Message Date
Sam Atkins
33785b3786 chore: Add missing imports for node:process 2024-05-02 11:21:50 +01:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects
When using axios, its dependency follow-redirects only clears the authorization header during a cross-domain redirect, but allows the proxy-authentication header, which contains credentials too.

## Steps To Reproduce & PoC
```js
const axios = require('axios');

// Header names are deliberately mixed-case: the redirect filter must match case-insensitively.
axios.get('http://127.0.0.1:10081/', {
  headers: {
    'AuThorization': 'Rear Test',
    'ProXy-AuthoriZation': 'Rear Test',
    'coOkie': 't=1'
  }
})
  .then((response) => {
    // Inspect which headers reached the final (cross-domain) destination.
    console.log(response);
  })
  .catch((error) => {
    console.error(error);
  });
```
When I hit the cross-domain redirect, sensitive headers like authorization and cookie are cleared, but the proxy-authentication header is kept.

```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
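Review bot: the hunk shows the one-line upstream fix inside follow-redirects rather than a package.json or lockfile change, so it is not visible from the diff whether this commit bumps the dependency version or vendors the patch; the message should state the resulting follow-redirects version alongside the CVE-2024-28849 reference. The change itself is sound: adding `proxy-authorization` to the case-insensitive regex drops it on cross-domain redirects together with `authorization` and `cookie`. Two small points: the message text calls the header "proxy-authentication", while the header the regex strips is `proxy-authorization`; and since the PoC sends `ProXy-AuthoriZation` in mixed case, the `/i` flag is load-bearing, so a regression test that sends that header through a cross-domain redirect and asserts it is absent at the destination would guard against it being lost in a future edit.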
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
2024-04-24 15:23:47 -04:00
KernelDeimos
65a73b5b45 Rename workspace modules to avoid confusion 2024-04-23 04:06:15 -04:00
Sam Atkins
2f49c1c9b0 Remove a whole load of noisy log messages
These can be added back if and when we need them, but right now, it's
hard to follow console output with all this chatter. 😅
2024-04-19 17:29:26 +01:00
Sam Atkins
e355c77a4a Phoenix: Wait for apps to finish executing, and connect stdio to them
After launching an app, if successful, we connect stdio streams to it,
and wait for it to exit before we return to the prompt.

stdio is implemented as regular AppConnection messages:
- stdin:  `{ $: 'stdin',  data: Uint8Array }` from phoenix -> child
- stdout: `{ $: 'stdout', data: Uint8Array }` from child -> phoenix

Terminal and Phoenix now communicate with each other using the same
style, instead of 'input' and 'output' messages. This will help with
eventually running subshells.

SIGINT currently is not sent. We also suffer from the same "one more
read from stdin happens after app exits" bug that's in
PathCommandProvider where I copied the stdin code from.
2024-04-19 15:52:59 +01:00
KernelDeimos
f3495f3098 Fix xterm.css not loading 2024-04-15 14:46:16 -04:00
KernelDeimos
081b093e7e Add missing asset for xterm, fix SDK url 2024-04-15 14:43:15 -04:00
KernelDeimos
4a36670417 Update README.md files for monorepo'd projects 2024-04-12 23:54:41 -04:00
KernelDeimos
0306a395a2 Copy over terminal 2024-04-12 20:53:32 -04:00