mirrors/puter
1
0
Fork 0
mirror of https://github.com/HeyPuter/puter synced 2024-11-15 06:15:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
944 Commits 21 Branches 9 Tags 28 MiB
c89b50bf31
Commit Graph

280 Commits

Author SHA1 Message Date
KernelDeimos
8e6ee9ea79 Fix oversight in token compression 2024-04-29 22:48:10 -04:00
KernelDeimos
e7e7363fa7 Drop useless header 2024-04-29 22:34:19 -04:00
KernelDeimos
5a76bad28d fix: reduce token lengths 2024-04-29 21:46:02 -04:00
KernelDeimos
c1e4eeec32 Add TokenService and test utility 2024-04-29 21:11:31 -04:00
KernelDeimos
04432df554 feat: improve password recovery experience 2024-04-29 19:26:29 -04:00
KernelDeimos
c44028f413 refactor: normalize email calls 2024-04-29 17:34:24 -04:00
Nariman Jelveh
42d85abfc2 Update WebServerService.js 2024-04-27 19:10:10 -07:00
Nariman Jelveh
fd4e2f59dc Update WebServerService.js 2024-04-27 19:03:48 -07:00
Nariman Jelveh
053728a03f Validate the Host header before responding to requests 2024-04-27 18:52:01 -07:00
KernelDeimos
d7d6ff0cca Rate limit updates 2024-04-26 21:02:01 -04:00
KernelDeimos
79d6f64451 Notify old email when email change is initiated 2024-04-26 21:02:01 -04:00
Eric Dubé
2ee00ca8e6
Revert "fix(security): Prevent email enumeration" (#351) 2024-04-26 18:22:14 -04:00
Nariman Jelveh
378b87459a Add robust hostname comparison for when declaring an environment as GUI 2024-04-25 17:51:20 -07:00
KernelDeimos
ecec8bf75d Use pread for signup page 2024-04-25 19:44:06 -04:00
KernelDeimos
736ebb6f28 Improve server health service 2024-04-25 19:39:18 -04:00
Nariman Jelveh
928dd90f61
Merge pull request #346 from youngsiiimba/main 
fix(security): Prevent email enumeration
 2024-04-25 14:59:56 -07:00
KernelDeimos
eb166a67a9 fix(security): Fix session revocation 2024-04-25 16:19:46 -04:00
Nariman Jelveh
c4b2d9861f Clean up some of the unnecessary console warnings 2024-04-25 13:11:11 -07:00
Simba Chawanda
ed70314686 fix(security): Prevent email enumeration 2024-04-25 09:27:37 +02:00
KernelDeimos
7800ef6102 fix(security): skip cache when checking old passwd 2024-04-24 22:28:27 -04:00
Nariman Jelveh
25eea41f60 Keep track of app_instance_ids 2024-04-24 17:57:30 -07:00
KernelDeimos
74e9270d58 Fix 2024-04-24 16:16:31 -04:00
KernelDeimos
b2e72adba9 Add ratelimit for /confirm-email 2024-04-24 16:12:09 -04:00
KernelDeimos
1eac147918 Add ratelimit for /contactUs 2024-04-24 16:09:04 -04:00
スーチ・ファトマワティ
3f6f4bb4c0
fix(security): update follow-redirects 
When using axios, its dependency follow-redirects only clears authorization header during cross-domain redirect, but allows the proxy-authentication header which contains credentials too.

## Steps To Reproduce & PoC
```js
const axios = require('axios');

axios.get('http://127.0.0.1:10081/', {
 headers: {
 'AuThorization': 'Rear Test',
 'ProXy-AuthoriZation': 'Rear Test',
 'coOkie': 't=1'
 }
})
 .then((response) => {
 console.log(response);
 })
```
When I meet the cross-domain redirect, the sensitive headers like authorization and cookie are cleared, but proxy-authentication header is kept.

```diff
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:authorization|proxy-authorization|cookie)$/i, this._options.headers);
```
CWE-200
`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`
CVE-2024-28849
 2024-04-24 15:23:47 -04:00
Sam Atkins
a8d1d3b87a
docs: Add help text to dcall utility (#335) 2024-04-24 15:21:31 -04:00
Nariman Jelveh
cdd0231a76 translation fix 2024-04-24 12:06:05 -07:00
Sam Atkins
cf0eee1fa3 feat: Add command names to phoenix tab-completion 
Gives CommandProviders a `complete(query, {ctx})` method where they can provide completed command names, and then make use of this in CommandCompleter.

Supported CommandProvider sources:
- Shell built-ins (was supported previously)
- PATH executables (when running under Node)
- Puter app names (when running in Puter)

Script filenames are not yet supported.
 2024-04-24 15:08:54 +01:00
Sam Atkins
dc5b010d09 feat: Allow querying puter-apps driver by partial app names 2024-04-24 15:08:54 +01:00
Sam Atkins
a854a0dc0a feat: Implement 'Like' predicate in entity storage 
This acts like the SQL 'LIKE' keyword, allowing partial string matches.
 2024-04-24 15:08:54 +01:00
Sam Atkins
d733119456 fix: Make PathCommandProvider reject queries with path separators 
`../bin/foo` should only find `foo` relative to the current working
directory, not to directories in PATH.

Also switch to using the Node path library since PathCommandProvider is
Node-only, and this means getting the correct path separator and
delimiter values on Windows.
 2024-04-24 11:45:21 +01:00
Sam Atkins
670673ab8d Rename FooCompleter js files to match FooCommandProvider file names 2024-04-24 11:19:25 +01:00
Nariman Jelveh
c9e8207e4b Clean up the console warninf message 2024-04-23 23:53:15 -07:00
KernelDeimos
44aac16991 Add ip rate limiting 2024-04-23 19:13:37 -04:00
KernelDeimos
65a73b5b45 Rename workspace modules to avoid confusion 2024-04-23 04:06:15 -04:00
KernelDeimos
74e213a534 fix(security): always use application/octet-stream 2024-04-22 23:54:03 -04:00
KernelDeimos
f9d561d40b docs: document purpose of scary-looking token 2024-04-22 23:48:45 -04:00
KernelDeimos
c166560ff4 feat: add /healthcheck endpoint 2024-04-22 22:02:40 -04:00
Eric Dubé
331d9e7542
feat: allow apps to add a menubar via puter.js 
* Begin work on menubar and dropdowns

* Improve menubar

* Fix pointer event behavior

* Fix labels

* Fix active button

* Eliminate flicker

* Update _default.js

---------

Co-authored-by: Nariman Jelveh <n.jelveh@gmail.com>
 2024-04-22 20:38:16 -04:00
Nariman Jelveh
3cba4cab1e Disable iframing of the main domain using meta tags as well 2024-04-22 14:14:20 -07:00
Nariman Jelveh
ef35a04c4a Disable iframing of the main domain 2024-04-22 14:09:32 -07:00
KernelDeimos
eee5c9e48b Cleanup 2024-04-22 16:29:12 -04:00
KernelDeimos
2f5780d1d1 Cleanup 2024-04-22 16:28:22 -04:00
KernelDeimos
a741bd5419 Make errors in /batch more preemptive 2024-04-22 04:35:01 -04:00
KernelDeimos
4d2d4a7ca3 Fix 86888h53w 2024-04-21 22:06:36 -04:00
KernelDeimos
5c1e6ab16b Fix false-positive password recovery response 2024-04-21 18:28:58 -04:00
KernelDeimos
b2f5cc11b5 Fix dbrr reference 2024-04-21 17:10:18 -04:00
Eric Dubé
dc2a620b4e
Merge pull request #304 from HeyPuter/eric/stdio-bridge/2 
stdio-bridge 2
 2024-04-20 19:29:15 -04:00
KernelDeimos
58b83c27f2 Remove large log 2024-04-20 07:23:32 -04:00
KernelDeimos
27553ef926 Cleanup 2024-04-19 23:35:56 -04:00
KernelDeimos
3f249fcc89 Fix pipes 2024-04-19 23:31:23 -04:00
KernelDeimos
c3654ab148 Add more streaming fixes 2024-04-19 23:24:32 -04:00
KernelDeimos
0e9e8d41d9 Fix authorizer not defined 2024-04-19 17:12:15 -04:00
Sam Atkins
2f49c1c9b0 Remove a whole load of noisy log messages 
These can be added back if and when we need them, but right now, it's
hard to follow console output with all this chatter. 😅
 2024-04-19 17:29:26 +01:00
Sam Atkins
072dbe8db5 Make BetterReader buffer and cancel, to fix stdin data loss 
BetterReader.read_with_cancel() returns both the read promise, and a
function that can be used to cancel the read. A cancelled read is
placed back into the BetterReader's chunk buffer, to be consumed by the
next user that requests a read.

This is used by Coupler so that when the coupler is closed, its pending
read() call does not consume the next batch of input.

This fixes the problem we were having with child applications consuming
one chunk of stdin after they are closed, meaning the first key you
press after an app exits would disappear.

Co-authored-by: KernelDeimos <eric.alex.dube@gmail.com>
 2024-04-19 15:52:59 +01:00
KernelDeimos
da208e23f5 Add a valve and internal pipe to commands 2024-04-19 15:52:59 +01:00
Sam Atkins
222a617c44 Phoenix: Use regular code path to run built-in apps 
Now launchApp() can always be awaited, we can run built-in apps using
the same code path for other apps, and eventually have SIGINT close
them.
 2024-04-19 15:52:59 +01:00
Sam Atkins
e355c77a4a Phoenix: Wait for apps to finish executing, and connect stdio to them 
After launching an app, if successful, we connect stdio streams to it,
and wait for it to exit before we return to the prompt.

stdio is implemented as regular AppConnection messages:
- stdin:  `{ $: 'stdin',  data: Uint8Array }` from phoenix -> child
- stdout: `{ $: 'stdout', data: Uint8Array }` from child -> phoenix

Terminal and Phoenix now communicate with each other using the same
style, instead of 'input' and 'output' messages. This will help with
eventually running subshells.

SIGINT currently is not sent. We also suffer from the same "one more
read from stdin happens after app exits" bug that's in
PathCommandProvider where I copied the stdin code from.
 2024-04-19 15:52:59 +01:00
Sam Atkins
0aa5543397 Let AppConnection know if its target app uses the Puter SDK 
Apps are not required to use the Puter SDK. If they don't, then we can
still launch them, close them, and listen to their close event, but are
unable to send messages to them.
 2024-04-19 15:52:59 +01:00
Eric Lighthall
4783e3eae4 Optimize console redraw by tracking widget changes 
Instead of redrawing the widget area every 2 seconds, only auto redraw when the widget area has changed, reducing unecessary redraw operations.
 2024-04-19 00:48:36 -07:00
Eric Dubé
4931ad3960
Merge pull request #297 from AtkinsSJ/test-minimum-version 
Make tests work in Node 16.x
 2024-04-18 14:41:20 -04:00
Sam Atkins
dc95f2e065 Phoenix: Support older Node versions in test harness 
This brings Phoenix's minimum required version from 20.x down to 16.x.

ReadableStream.from() is deemed experimental, and requires Node 20.x
(or at least, something higher than 18.x). This was the only code that
made us require version 20.x.

ReadableStream and WritableStream are available from Node 16.5, but
require that they be explicitly imported.
 2024-04-18 14:41:06 +01:00
KernelDeimos
0361ceba6c Normalize session objects to have both user_uid and user_id 2024-04-17 23:22:10 -04:00
KernelDeimos
4ecc7372f9 Fix issue with use_bundled_gui flag 2024-04-17 22:59:22 -04:00
KernelDeimos
dbcd627815 Apply various small fixes 2024-04-17 20:57:59 -04:00
Nariman Jelveh
6061c81c36 Update get-launch-apps.js 2024-04-17 17:58:11 -07:00
KernelDeimos
f0d3346ca7 Update session.last_touch always 2024-04-17 13:03:32 -04:00
KernelDeimos
e8ca6376be Avoid logging sensitive query params 2024-04-17 12:51:30 -04:00
KernelDeimos
c48c134869 Remove verbose log 2024-04-17 12:42:12 -04:00
KernelDeimos
49e334521d Update timers 2024-04-17 12:41:43 -04:00
Sam Atkins
f2e8b5ee3e Phoenix: Remove unwanted CSS includes 2024-04-17 11:05:03 +01:00
KernelDeimos
7e0c6c6470 Fix last_activity_ts 2024-04-16 19:30:30 -04:00
KernelDeimos
19c49db538 Improve sessions 2024-04-16 18:57:02 -04:00
KernelDeimos
653898b463 Report proper error when an operation is invalid 2024-04-15 22:27:03 -04:00
Eric Dubé
e4f2c4a28b
Merge pull request #280 from vineeth-vk11/#206 
fixing on conflict issue in sqlite kv write
 2024-04-15 17:55:52 -04:00
KernelDeimos
826ea36502 Add use_bundled_gui option 2024-04-15 17:50:44 -04:00
KernelDeimos
397819d45e Add missing endpoint /down 2024-04-15 16:38:03 -04:00
KernelDeimos
e8dc220981 This is 2.1.0 I decided 2024-04-15 15:37:13 -04:00
KernelDeimos
1c2b05d8f6 Fix phoenix for auto ports 2024-04-15 15:34:58 -04:00
KernelDeimos
f3495f3098 Fix xterm.css not loading 2024-04-15 14:46:16 -04:00
KernelDeimos
081b093e7e Add missing asset for xterm, fix SDK url 2024-04-15 14:43:15 -04:00
KernelDeimos
4d30753958 Fix more phoenix dev issues 2024-04-15 14:25:40 -04:00
KernelDeimos
c72e0cb0e0 Fix phoenix watcher 2024-04-15 14:08:50 -04:00
KernelDeimos
25f8dbf120 Add postinstall for phoenix 2024-04-15 14:02:49 -04:00
KernelDeimos
b21755b5a3 Fix casualty of phoenix due to Docker naming conventions 2024-04-15 12:12:28 -04:00
KernelDeimos
e71b586fe5 Invalidate cached user when the user's email address is changed 2024-04-14 23:50:39 -04:00
KernelDeimos
2fcac12340 Fixg 2024-04-14 23:24:47 -04:00
KernelDeimos
0847395c92 Socket 2024-04-14 23:10:23 -04:00
KernelDeimos
58192cacb3 Try again 2024-04-14 23:00:07 -04:00
KernelDeimos
b81284e2c6 Pass the RIGHT token to email 2024-04-14 22:49:51 -04:00
KernelDeimos
5b39e39e1f Use jwt for email change confirmation 2024-04-14 22:44:04 -04:00
KernelDeimos
b944217410 Fix 2024-04-14 22:29:54 -04:00
KernelDeimos
dca7304be9 Remove requirement of auth from email confirm 2024-04-14 22:23:42 -04:00
KernelDeimos
231878266c Fix 2024-04-14 22:08:31 -04:00
KernelDeimos
51bf8fdde6 Fix 2024-04-14 21:41:08 -04:00
KernelDeimos
18134629d2 Move 2024-04-14 21:37:12 -04:00
KernelDeimos
f6b737e45d Add confirmation email for email change 2024-04-14 21:33:15 -04:00
KernelDeimos
3b7be8a719 Add delete-own-user 2024-04-14 21:32:43 -04:00
KernelDeimos
ef0da306a8 Fix change_email 2024-04-14 20:35:34 -04:00
vineethvk11
5d8d25f370 fixing on conflict issue in sqlite kv write 2024-04-14 16:39:29 +05:30
Nariman Jelveh
255e80d077 Make Puter.js verbosity optional via debug flag. 2024-04-13 17:31:29 -07:00
KernelDeimos
965d99d137 Fix socket auth 2024-04-13 17:19:12 -04:00
KernelDeimos
df45e22813 Make node-pty not required 2024-04-13 13:56:57 -04:00
Nariman Jelveh
8db8ec3574 Update Apps.js 2024-04-12 22:04:28 -07:00
KernelDeimos
4a36670417 Update README.md files for monorepo'd projects 2024-04-12 23:54:41 -04:00
KernelDeimos
77ac503bfc Edit phoenix README.md 2024-04-12 23:49:43 -04:00
Nariman Jelveh
be55e447bb fix issue with two session managers on top of each other 2024-04-12 20:43:15 -07:00
KernelDeimos
00e9f922c0 Fix target version 2024-04-12 23:16:49 -04:00
KernelDeimos
361e51060a Update apps 2024-04-12 22:03:40 -04:00
KernelDeimos
d919b1f312 Register terminal and phoenix builtins 2024-04-12 20:56:16 -04:00
KernelDeimos
cb81579c53 Copy over phoenix 2024-04-12 20:53:44 -04:00
KernelDeimos
0306a395a2 Copy over terminal 2024-04-12 20:53:32 -04:00
KernelDeimos
5fbbfb4c18 Enable background and builtin apps 2024-04-12 20:52:57 -04:00
KernelDeimos
09c3cc6db1 Fix error when session not found 2024-04-12 01:22:33 -04:00
KernelDeimos
356a3284fa Fix mysql incompatibility 2024-04-12 00:10:56 -04:00
KernelDeimos
0eedcf567e Apply some fixes 2024-04-11 23:48:17 -04:00
KernelDeimos
f4f58dbfb9 Fix destructuring 2024-04-11 23:28:40 -04:00
Eric Dubé
8135e076c2
Merge pull request #266 from HeyPuter/eric/session-updates 
session management
 2024-04-11 22:04:07 -04:00
KernelDeimos
13525c85a0 -dot- 2024-04-11 21:46:43 -04:00
KernelDeimos
2f6f7e39bb Add timestamp 2024-04-11 21:41:19 -04:00
KernelDeimos
2d76025c9c Send cookie on token upgrade 2024-04-11 21:40:10 -04:00
KernelDeimos
bb9edc4f65 Add automatic token migration 2024-04-11 21:33:44 -04:00
KernelDeimos
b8e66cada9 Add puter.js 2024-04-11 19:07:00 -04:00
KernelDeimos
fc5025a2a8 Simplify PuterVersionService 2024-04-11 14:37:34 -04:00
KernelDeimos
e3d238f897 Do not use git to get version number 2024-04-11 13:57:40 -04:00
Nariman Jelveh
9ab3e3ccd8
Merge pull request #244 from HeyPuter/eric/host-storage 
Display storage use of host/puter separately
 2024-04-11 10:14:45 -07:00
KernelDeimos
09bf422686 Add session manager ui 2024-04-11 00:29:39 -04:00
KernelDeimos
18b3e06fe8 Add session listing and revocation 2024-04-10 23:00:37 -04:00
KernelDeimos
e436693d3e Improve session mgmt (part 1) 2024-04-10 21:54:16 -04:00
KernelDeimos
eb66848aee Update database version when creating a new one 2024-04-10 12:25:44 -04:00
KernelDeimos
0eded34c8c Add indented logs and fix a bug 2024-04-10 12:22:21 -04:00
KernelDeimos
367c18bfc5 Add endpoint to list permissions 2024-04-10 12:16:08 -04:00
KernelDeimos
cb4b8c5914 Add minor fixes 2024-04-07 00:06:11 -04:00
KernelDeimos
dc5a7ca431 Display storage use of host/puter separately 2024-04-06 23:26:18 -04:00
KernelDeimos
674cebd9e1 Add Linux support to HostDiskUsageService 2024-04-06 05:33:46 -04:00
Eric Dubé
0dd66463df
Merge pull request #241 from vineeth-vk11/#233 
Implementing HostDiskUsageService removing diskusage dependency
 2024-04-06 05:29:21 -04:00
vineethvk11
bf4bc214b2 Implementing HostDiskUsageService removing diskusage dependency 2024-04-06 13:03:09 +05:30
Eric Dubé
c6fb75c65f
Merge pull request #231 from HeyPuter/eric/user-to-user-permissions 
User-to-User Permission Granting
 2024-04-05 23:11:32 -04:00
KernelDeimos
38e8b19b50 Cleanup 2024-04-05 23:05:20 -04:00
KernelDeimos
90ce840234 Add revoke-user-user endpoint 2024-04-05 23:01:50 -04:00
KernelDeimos
fc6eda392b Allow granting user-to-user permissions 2024-04-05 22:11:36 -04:00
KernelDeimos
343edbff51 Use weak CORS policy for experimental_no_subdomain 2024-04-05 16:51:57 -04:00
KernelDeimos
fe88880486 Add experimental_no_subdomain flag 2024-04-05 16:21:19 -04:00
KernelDeimos
1c2e4968e2 Remove console log 2024-04-05 14:38:50 -04:00
KernelDeimos
f9b375a39b Fix case when main domain is a subdomain 2024-04-05 14:38:33 -04:00
KernelDeimos
207fa139d4 Add user-to-user permissions table 2024-04-05 03:23:31 -04:00
vineethvk11
6006767a9f fixing issues in copy while overwriting 2024-04-05 09:11:39 +05:30
KernelDeimos
35abf9a6bc Stop printing default password in logs 2024-04-04 22:17:00 -04:00
KernelDeimos
c3a4223bbf Add service to check EOL date of node 2024-04-04 22:10:56 -04:00
KernelDeimos
17a323298c Make dismiss command print what was dismissed 2024-04-04 20:46:03 -04:00