TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-21 09:52:06 +03:00
Code Issues Projects Releases Wiki Activity
ba9b2ee68f
Ghost/core/server/web/admin/app.js
Hannah Wolfe 14b3431de1
🔒 Removed unused and insecure preview endpoint 
refs: https://github.com/TryGhost/Ghost/security/advisories/GHSA-9fgx-q25h-jxrg

- This was part of an experiment during the build phase of 4.0. We never ended up using it, but the endpoint wasn't cleaned up.
- The endpoint leaves sites open to a security vulnerability. Anyone running 4.x should update to 4.3.3

Credits: Paul Gerste, SonarSource (https://www.sonarsource.com/)
2021-04-29 12:10:39 +01:00

57 lines
2.1 KiB
JavaScript
Raw Blame History

const debug = require('ghost-ignition').debug('web:admin:app');
const express = require('../../../shared/express');
const serveStatic = express.static;
const config = require('../../../shared/config');
const constants = require('@tryghost/constants');
const urlUtils = require('../../../shared/url-utils');
const shared = require('../shared');
const adminMiddleware = require('./middleware');
module.exports = function setupAdminApp() {
debug('Admin setup start');
const adminApp = express('admin');
// Admin assets
// @TODO ensure this gets a local 404 error handler
const configMaxAge = config.get('caching:admin:maxAge');
adminApp.use('/assets', serveStatic(
config.get('paths').clientAssets,
{maxAge: (configMaxAge || configMaxAge === 0) ? configMaxAge : constants.ONE_YEAR_MS, fallthrough: false}
));
// Ember CLI's live-reload script
if (config.get('env') === 'development') {
adminApp.get('/ember-cli-live-reload.js', function emberLiveReload(req, res) {
res.redirect(`http://localhost:4200${urlUtils.getSubdir()}/ghost/ember-cli-live-reload.js`);
});
}
// Render error page in case of maintenance
adminApp.use(shared.middlewares.maintenance);
// Force SSL if required
// must happen AFTER asset loading and BEFORE routing
adminApp.use(shared.middlewares.urlRedirects.adminSSLAndHostRedirect);
// Add in all trailing slashes & remove uppercase
// must happen AFTER asset loading and BEFORE routing
adminApp.use(shared.middlewares.prettyUrls);
// Cache headers go last before serving the request
// Admin is currently set to not be cached at all
adminApp.use(shared.middlewares.cacheControl('private'));
// Special redirects for the admin (these should have their own cache-control headers)
adminApp.use(adminMiddleware);
// Finally, routing
adminApp.get('*', require('./controller'));
adminApp.use(shared.middlewares.errorHandler.pageNotFound);
adminApp.use(shared.middlewares.errorHandler.handleHTMLResponse);
debug('Admin setup end');
return adminApp;
};
Reference in New Issue View Git Blame Copy Permalink