ActionHero v15.1.2: Security Release

actionhero javascript node.js 
↞ See all posts

Today we released the first-ever security release for ActionHero. Details can be found below:

404 Web Request with malicious file name

Previously, the default error responder when a client asked for a static-file which was missing (404) returned the name the of that file

1api.config.errors.fileNotFound = function (connection) { 2 return connection.localize([ 3 "That file is not found (%s)", 4 connection.params.file, 5 ]); 6};

This is dangerous because a malicious actor could request a filename with an executable javascript tag and harm the requester. We now will no longer return the file name:

1api.config.errors.fileNotFound = function (connection) { 2 return connection.localize(["That file is not found"]); 3};

Malicious callback provided when requesting an action via JSONp

When requesting an action via JSONp, it was possible (though unlikely) that the callback string you were providing contained malicious javascript which would harm the requester. We will now sanitize the provided callback in the following way:

1function callbackHtmlEscape(str) { 2 return str 3 .replace(/&/g, "&amp;") 4 .replace(/"/g, "&quot;") 5 .replace(/'/g, "&#39;") 6 .replace(/</g, "&lt;") 7 .replace(/>/g, "&gt;") 8 .replace(/\)/g, "") 9 .replace(/\(/g, ""); 10}

This fix has been back-ported to:

A huge thank you to @submitteddenied is earned for reporting these issues and working to fix them.

Hi, I'm Evan

I write about Technology, Software, and Startups. I use my Product Management, Software Engineering, and Leadership skills to build teams that create world-class digital products.

Get in touch