From f0d7cf3ce6b5693cce31a76f345db68e5127f6cf Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Wed, 5 Jun 2024 19:38:26 -0700
Subject: [PATCH] Security: Sanitize widget api keys from response

Closes https://github.com/gethomepage/homepage/security/advisories/GHSA-cjgf-vhj6-8cx4
---
 src/pages/api/widgets/openweathermap.js | 6 ++++--
 src/pages/api/widgets/weather.js | 6 ++++--
 src/utils/config/widget-helpers.js | 5 +++--
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/pages/api/widgets/openweathermap.js b/src/pages/api/widgets/openweathermap.js
index a20709975..089ee804e 100644
--- a/src/pages/api/widgets/openweathermap.js
+++ b/src/pages/api/widgets/openweathermap.js
@@ -1,9 +1,11 @@
 import cachedFetch from "utils/proxy/cached-fetch";
 import { getSettings } from "utils/config/config";
+import { getPrivateWidgetOptions } from "utils/config/widget-helpers";
 export default async function handler(req, res) {
- const { latitude, longitude, units, provider, cache, lang } = req.query;
- let { apiKey } = req.query;
+ const { latitude, longitude, units, provider, cache, lang, index } = req.query;
+ const privateWidgetOptions = await getPrivateWidgetOptions("openweathermap", index);
+ let { apiKey } = privateWidgetOptions;
 if (!apiKey && !provider) {
 return res.status(400).json({ error: "Missing API key or provider" });
diff --git a/src/pages/api/widgets/weather.js b/src/pages/api/widgets/weather.js
index 5cba47ba7..9d0451ce9 100644
--- a/src/pages/api/widgets/weather.js
+++ b/src/pages/api/widgets/weather.js
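Review bot: `let { apiKey } = privateWidgetOptions;` destructures whatever getPrivateWidgetOptions returns for a caller-supplied `index`, and `index` is untrusted query-string input, so a value that matches no configured openweathermap widget is an expected case, not an exceptional one. If the helper answers such a miss with `undefined` (its lookup is outside this hunk, so that is inferred rather than visible), the destructure throws a TypeError and the request dies in an unhandled error instead of reaching the 400 on the next line; `let { apiKey } = privateWidgetOptions ?? {};` keeps the miss on the intended path. It is also worth confirming that the helper normalises the string `index` before comparing it with the numeric option from config, since a strict comparison would make every lookup miss. The body of handler continues past the end of the hunk.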
@@ -1,9 +1,11 @@
 import cachedFetch from "utils/proxy/cached-fetch";
 import { getSettings } from "utils/config/config";
+import { getPrivateWidgetOptions } from "utils/config/widget-helpers";
 export default async function handler(req, res) {
- const { latitude, longitude, provider, cache, lang } = req.query;
- let { apiKey } = req.query;
+ const { latitude, longitude, provider, cache, lang, index } = req.query;
+ const privateWidgetOptions = await getPrivateWidgetOptions("weatherapi", index);
+ let { apiKey } = privateWidgetOptions;
 if (!apiKey && !provider) {
 return res.status(400).json({ error: "Missing API key or provider" });
diff --git a/src/utils/config/widget-helpers.js b/src/utils/config/widget-helpers.js
index 6514fea2c..7c5c78cd5 100644
--- a/src/utils/config/widget-helpers.js
+++ b/src/utils/config/widget-helpers.js
@@ -32,7 +32,7 @@ export async function cleanWidgetGroups(widgets) {
 const optionKeys = Object.keys(sanitizedOptions);
 // delete private options from the sanitized options
- ["username", "password", "key"].forEach((pO) => {
+ ["username", "password", "key", "apiKey"].forEach((pO) => {
 if (optionKeys.includes(pO)) {
 delete sanitizedOptions[pO];
 }
@@ -57,7 +57,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
 const widgets = await widgetsFromConfig();
 const privateOptions = widgets.map((widget) => {
- const { index, url, username, password, key } = widget.options;
+ const { index, url, username, password, key, apiKey } = widget.options;
 return {
 type: widget.type,
@@ -67,6 +67,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
 username,
 password,
 key,
+ apiKey,
 },
 };
 });
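Review bot: Nothing in the new lines of weather.js records why `apiKey` moved from `req.query` to a config lookup keyed by `index`, and the next reader of `let { apiKey } = privateWidgetOptions;` will not see the advisory this commit closes. A one-line comment above the lookup would pin the contract: `// apiKey is resolved server-side from the widget config by index; it must never be accepted from the request`. The same line also assumes getPrivateWidgetOptions always returns an object — if it returns `undefined` for an `index` that matches no weatherapi widget (the lookup is outside this hunk, so this is inferred), the destructure throws before the 400 check runs, and `let { apiKey } = privateWidgetOptions ?? {};` would close that gap. handler's body runs past the end of the hunk.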
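Review bot: The set of secret option names is now spelled out twice — the denylist `["username", "password", "key", "apiKey"]` in cleanWidgetGroups and the destructure `{ index, url, username, password, key, apiKey }` in getPrivateWidgetOptions — and this advisory exists because one of those two lists was missing `apiKey` while the other was not consulted; two hand-maintained copies will drift again the next time a widget adds a credential option. Hoisting one module-level `PRIVATE_WIDGET_OPTIONS` constant and deriving both the deletion loop and the private-options object from it removes that failure mode without changing what either function returns. Both cleanWidgetGroups and getPrivateWidgetOptions begin before their hunks, and the comparison that selects a widget by `widgetIndex` is not visible here, so the rewrite below only touches the lines shown.
```javascript
// Every option name that must never reach the browser. Shared by
// cleanWidgetGroups and getPrivateWidgetOptions so the two cannot drift apart.
const PRIVATE_WIDGET_OPTIONS = ["username", "password", "key", "apiKey"];

// … unchanged: cleanWidgetGroups up to optionKeys …
    PRIVATE_WIDGET_OPTIONS.forEach((pO) => {
// … unchanged: the includes/delete body …

// … unchanged: getPrivateWidgetOptions up to widgets.map …
    const { index, url } = widget.options;
    // Same keys as before (missing ones stay undefined), but driven by the shared list.
    const secrets = Object.fromEntries(
      PRIVATE_WIDGET_OPTIONS.map((name) => [name, widget.options[name]]),
    );
    return {
      type: widget.type,
      options: { index, url, ...secrets },
    };
```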