Security: Sanitize widget api keys from response

Closes https://github.com/gethomepage/homepage/security/advisories/GHSA-cjgf-vhj6-8cx4
feature-disable-release-checking
shamoon 6 months ago
parent 36e77e1fe3
commit f0d7cf3ce6

@ -1,9 +1,11 @@
import cachedFetch from "utils/proxy/cached-fetch";
import { getSettings } from "utils/config/config";
import { getPrivateWidgetOptions } from "utils/config/widget-helpers";
export default async function handler(req, res) {
const { latitude, longitude, units, provider, cache, lang } = req.query;
let { apiKey } = req.query;
const { latitude, longitude, units, provider, cache, lang, index } = req.query;
const privateWidgetOptions = await getPrivateWidgetOptions("openweathermap", index);
let { apiKey } = privateWidgetOptions;
if (!apiKey && !provider) {
return res.status(400).json({ error: "Missing API key or provider" });
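Review bot: `let { apiKey } = privateWidgetOptions;` destructures the lookup result without checking it, while `index` comes straight from `req.query`. The return statement of getPrivateWidgetOptions is not visible on this page, so this is inferred: if it yields `undefined` for an index that matches no configured widget, the destructuring throws before the `if (!apiKey && !provider)` guard and the client gets an unhandled error instead of the 400. Consider `let { apiKey } = privateWidgetOptions ?? {};` so a missing or bad index falls through to the existing guard. The weatherapi handler in the next section has the same pattern, and the handler body continues outside the hunk.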

@ -1,9 +1,11 @@
import cachedFetch from "utils/proxy/cached-fetch";
import { getSettings } from "utils/config/config";
import { getPrivateWidgetOptions } from "utils/config/widget-helpers";
export default async function handler(req, res) {
const { latitude, longitude, provider, cache, lang } = req.query;
let { apiKey } = req.query;
const { latitude, longitude, provider, cache, lang, index } = req.query;
const privateWidgetOptions = await getPrivateWidgetOptions("weatherapi", index);
let { apiKey } = privateWidgetOptions;
if (!apiKey && !provider) {
return res.status(400).json({ error: "Missing API key or provider" });

@ -32,7 +32,7 @@ export async function cleanWidgetGroups(widgets) {
const optionKeys = Object.keys(sanitizedOptions);
// delete private options from the sanitized options
["username", "password", "key"].forEach((pO) => {
["username", "password", "key", "apiKey"].forEach((pO) => {
if (optionKeys.includes(pO)) {
delete sanitizedOptions[pO];
}
@ -57,7 +57,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
const widgets = await widgetsFromConfig();
const privateOptions = widgets.map((widget) => {
const { index, url, username, password, key } = widget.options;
const { index, url, username, password, key, apiKey } = widget.options;
return {
type: widget.type,
@ -67,6 +67,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
username,
password,
key,
apiKey,
},
};
});
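Review bot: The private option names are now maintained by hand in two places, the `forEach` array in cleanWidgetGroups and the destructuring in getPrivateWidgetOptions, and this commit had to edit both to add `apiKey`. Because the sanitizer is a denylist, a credential-bearing option under any other name would still be returned to the client until someone remembers to list it; no such option is visible here, so treat this as a design concern rather than a confirmed leak. A single module-level constant such as `const PRIVATE_OPTION_KEYS = ["username", "password", "key", "apiKey"];`, used by both functions, would keep the two lists from drifting, with a comment stating that every new secret option must be added there. Both functions start and end outside the visible hunks.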
