🔒 Removed unused and insecure preview endpoint

refs: https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg

- This was part of an experiment during the build phase of 4.0. We never ended up using it, but the endpoint wasn't cleaned up.
- The endpoint leaves sites open to a security vulnerability. Anyone running 4.x should update to 4.3.3.

Credits: Paul Gerste, SonarSource (https://www.sonarsource.com/)
Hannah Wolfe 2021-04-29 12:09:38 +01:00 committed by Daniel Lockyer
parent 95651b33a6
commit 14b3431de1
No known key found for this signature in database
GPG Key ID: FFBC6FA2A6F6ABC1
4 changed files with 0 additions and 72 deletions

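--- a/.gitignore
+++ b/.gitignore
@@ -123,7 +123,6 @@ test/coverage
 # Built asset files
 /core/built
 /core/server/web/admin/views/*.html
-!/core/server/web/admin/views/preview.html
 /core/server/public/ghost.min.css
 # Caddyfile - for local development with ssl + caddy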


@ -6,14 +6,11 @@ const constants = require('@tryghost/constants');
const urlUtils = require('../../../shared/url-utils'); const urlUtils = require('../../../shared/url-utils');
const shared = require('../shared'); const shared = require('../shared');
const adminMiddleware = require('./middleware'); const adminMiddleware = require('./middleware');
const preview = require('./preview');
module.exports = function setupAdminApp() { module.exports = function setupAdminApp() {
debug('Admin setup start'); debug('Admin setup start');
const adminApp = express('admin'); const adminApp = express('admin');
adminApp.use('/preview', preview);
// Admin assets // Admin assets
// @TODO ensure this gets a local 404 error handler // @TODO ensure this gets a local 404 error handler
const configMaxAge = config.get('caching:admin:maxAge'); const configMaxAge = config.get('caching:admin:maxAge');


@ -1,15 +0,0 @@
const path = require('path');
const config = require('../../../shared/config');
function servePreview(req, res, next) {
if (req.path === '/') {
const templatePath = path.resolve(config.get('paths').adminViews, 'preview.html');
return res.sendFile(templatePath);
}
next();
}
module.exports = [
servePreview
];


@ -1,53 +0,0 @@
<script type="text/javascript" charset="utf-8">
(function(){
function onReceive(message) {
// If we're not using IE, or HTTPS we can use document.write
if ((window.location.protocol === 'http:') || !navigator.userAgent.match(/MSIE|rv:11/i)) {
document.write(message.data);
document.close();
return;
}
// In all other cases document.write() is blocked in callbacks - process the HTML instead
// We also have to individually add <script> tags back in - same as when using unsafeHTML in react
var domParser = new DOMParser();
var html = domParser.parseFromString(message.data, 'text/html');
document.getElementsByTagName('head')[0].innerHTML = html.getElementsByTagName('head')[0].innerHTML;
document.getElementsByTagName('body')[0].innerHTML = html.getElementsByTagName('body')[0].innerHTML;
var allScripts = document.getElementsByTagName('script');
if (allScripts.length > 0) {
var scripts = [];
for (var i = 0; i < allScripts.length; i++) {
scripts.push(allScripts[i]);
}
for (var i = 0; i < scripts.length; i++) {
var s = document.createElement('script');
s.innerHTML = scripts[i].innerHTML;
scripts[i].parentNode.appendChild(s);
scripts[i].parentNode.removeChild(scripts[i]);
}
}
}
if (window.addEventListener){
addEventListener("message", onReceive, true);
} else {
attachEvent("onmessage", onReceive);
}
top.postMessage('loaded', "*");
})();
(function(XMLHttpRequest){
if (!XMLHttpRequest || !XMLHttpRequest.prototype) return;
var noXHR = function() {
if (console) {
console.error('Not Permitted');
}
};
XMLHttpRequest.prototype.open = XMLHttpRequest.prototype.send = noXHR;
})(this.XMLHttpRequest);
</script>