From c95d469eb32ce67247d02be7c94eb947d136c063 Mon Sep 17 00:00:00 2001 From: Hannah Wolfe Date: Mon, 7 Oct 2013 14:31:57 +0100 Subject: [PATCH 1/8] Updated to latest version of express closes #875 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 103a53dc60..496c1ebae8 100644 --- a/package.json +++ b/package.json @@ -11,7 +11,7 @@ }, "engineStrict": true, "dependencies": { - "express": "3.3.4", + "express": "3.4.0", "express-hbs": "0.2.2", "connect-slashes": "0.0.9", "node-polyglot": "0.2.1", From d169bba3f81e0f1ef962acbb3a133beecc3ebab2 Mon Sep 17 00:00:00 2001 From: Hannah Wolfe Date: Mon, 7 Oct 2013 16:42:25 +0100 Subject: [PATCH 2/8] Updated to latest version of express-hbs issue #830 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 496c1ebae8..af42ec5dd4 100644 --- a/package.json +++ b/package.json @@ -12,7 +12,7 @@ "engineStrict": true, "dependencies": { "express": "3.4.0", - "express-hbs": "0.2.2", + "express-hbs": "0.3.0", "connect-slashes": "0.0.9", "node-polyglot": "0.2.1", "moment": "2.1.0", From c9235ccb0b2f3051714e178b787d19910cf2f35a Mon Sep 17 00:00:00 2001 From: Tim Griesser Date: Mon, 7 Oct 2013 13:02:57 -0400 Subject: [PATCH 3/8] Escaping several fields to prevent XSS issue #938 - escapes post's title field - escapes settings title, description, email - escapes user's name field - includes test for post title --- core/server/models/post.js | 2 +- core/server/models/settings.js | 12 ++++++++++++ core/server/models/user.js | 7 +++++++ core/test/unit/api_posts_spec.js | 12 ++++++++++++ 4 files changed, 32 insertions(+), 1 deletion(-) diff --git a/core/server/models/post.js b/core/server/models/post.js index 74a197c263..a25e1a4b97 100644 --- a/core/server/models/post.js +++ b/core/server/models/post.js @@ -51,7 +51,7 @@ Post = GhostBookshelf.Model.extend({ this.set('html', converter.makeHtml(this.get('markdown'))); - this.set('title', this.get('title').trim()); + this.set('title', this.escape('title').trim()); if (this.hasChanged('status') && this.get('status') === 'published') { if (!this.get('published_at')) { diff --git a/core/server/models/settings.js b/core/server/models/settings.js index 5faf9e301a..ba8d299aca 100644 --- a/core/server/models/settings.js +++ b/core/server/models/settings.js @@ -73,7 +73,19 @@ Settings = GhostBookshelf.Model.extend({ validation[validationName].apply(validation, validationOptions); }, this); } + }, + + + saving: function () { + + // All blog setting keys that need their values to be escaped. + if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) { + this.set('value', this.escape('value')); + } + + return GhostBookshelf.Model.prototype.saving.apply(this, arguments); } + }, { read: function (_key) { // Allow for just passing the key instead of attributes diff --git a/core/server/models/user.js b/core/server/models/user.js index 894a3df261..2e41e10203 100644 --- a/core/server/models/user.js +++ b/core/server/models/user.js @@ -55,6 +55,13 @@ User = GhostBookshelf.Model.extend({ } }, + saving: function () { + + this.set('name', this.escape('name')); + + return GhostBookshelf.Model.prototype.saving.apply(this, arguments); + }, + posts: function () { return this.hasMany(Posts, 'created_by'); }, diff --git a/core/test/unit/api_posts_spec.js b/core/test/unit/api_posts_spec.js index 6731d9222b..48e3b56301 100644 --- a/core/test/unit/api_posts_spec.js +++ b/core/test/unit/api_posts_spec.js @@ -367,4 +367,16 @@ describe('Post Model', function () { done(); }).then(null, done); }); + + it('should escape the title', function (done) { + + new PostModel().fetch().then(function(model) { + return model.set({'title': ''}).save(); + }).then(function(saved) { + saved.get('title').should.eql('<script>alert("hello world")</script>'); + done(); + }).otherwise(done); + + }); + }); From 95f9fce3be96ce3508b51c109111d2ebd67637b6 Mon Sep 17 00:00:00 2001 From: Hannah Wolfe Date: Wed, 9 Oct 2013 19:11:29 +0100 Subject: [PATCH 4/8] Swapping escape to sanitze issue #938 - rather than using escape, use node-validatiors santize function which is designed for preventing xss vectors - added listener for changes to both editor and settings page - added more sanitization to the user model - consistently use triple-braces when outputting blog post titles --- core/client/tpl/list-item.hbs | 2 +- core/client/views/editor.js | 6 ++++++ core/client/views/settings.js | 21 +++++++++++++++------ core/server/helpers/tpl/nav.hbs | 2 +- core/server/models/base.js | 7 ++++++- core/server/models/post.js | 2 +- core/server/models/settings.js | 2 +- core/server/models/user.js | 6 +++++- core/test/unit/api_posts_spec.js | 10 +++++----- 9 files changed, 41 insertions(+), 17 deletions(-) diff --git a/core/client/tpl/list-item.hbs b/core/client/tpl/list-item.hbs index ae4b22dbb5..78506151f4 100644 --- a/core/client/tpl/list-item.hbs +++ b/core/client/tpl/list-item.hbs @@ -1,5 +1,5 @@ -

{{title}}

+

{{{title}}}

\ No newline at end of file diff --git a/core/server/models/base.js b/core/server/models/base.js index a8e2cd1638..65db8cae4b 100644 --- a/core/server/models/base.js +++ b/core/server/models/base.js @@ -5,7 +5,8 @@ var GhostBookshelf, _ = require('underscore'), uuid = require('node-uuid'), config = require('../../../config'), - Validator = require('validator').Validator; + Validator = require('validator').Validator, + sanitize = require('validator').sanitize; // Initializes Bookshelf as its own instance, so we can modify the Models and not mess up // others' if they're using the library outside of ghost. @@ -78,6 +79,10 @@ GhostBookshelf.Model = GhostBookshelf.Model.extend({ return attrs; }, + sanitize: function (attr) { + return sanitize(this.get(attr)).xss(); + }, + // #### generateSlug // Create a string act as the permalink for an object. generateSlug: function (Model, base) { diff --git a/core/server/models/post.js b/core/server/models/post.js index a25e1a4b97..111c32fff9 100644 --- a/core/server/models/post.js +++ b/core/server/models/post.js @@ -51,7 +51,7 @@ Post = GhostBookshelf.Model.extend({ this.set('html', converter.makeHtml(this.get('markdown'))); - this.set('title', this.escape('title').trim()); + this.set('title', this.sanitize('title').trim()); if (this.hasChanged('status') && this.get('status') === 'published') { if (!this.get('published_at')) { diff --git a/core/server/models/settings.js b/core/server/models/settings.js index ba8d299aca..cce389311d 100644 --- a/core/server/models/settings.js +++ b/core/server/models/settings.js @@ -80,7 +80,7 @@ Settings = GhostBookshelf.Model.extend({ // All blog setting keys that need their values to be escaped. if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) { - this.set('value', this.escape('value')); + this.set('value', this.sanitize('value')); } return GhostBookshelf.Model.prototype.saving.apply(this, arguments); diff --git a/core/server/models/user.js b/core/server/models/user.js index 2e41e10203..d814a91dea 100644 --- a/core/server/models/user.js +++ b/core/server/models/user.js @@ -57,7 +57,11 @@ User = GhostBookshelf.Model.extend({ saving: function () { - this.set('name', this.escape('name')); + this.set('name', this.sanitize('name')); + this.set('email', this.sanitize('email')); + this.set('location', this.sanitize('location')); + this.set('website', this.sanitize('website')); + this.set('bio', this.sanitize('bio')); return GhostBookshelf.Model.prototype.saving.apply(this, arguments); }, diff --git a/core/test/unit/api_posts_spec.js b/core/test/unit/api_posts_spec.js index 48e3b56301..9355ec7f72 100644 --- a/core/test/unit/api_posts_spec.js +++ b/core/test/unit/api_posts_spec.js @@ -368,12 +368,12 @@ describe('Post Model', function () { }).then(null, done); }); - it('should escape the title', function (done) { + it('should santize the title', function (done) { - new PostModel().fetch().then(function(model) { - return model.set({'title': ''}).save(); - }).then(function(saved) { - saved.get('title').should.eql('<script>alert("hello world")</script>'); + new PostModel().fetch().then(function (model) { + return model.set({'title': ""}).save(); + }).then(function (saved) { + saved.get('title').should.eql("</title></head><body>[removed]alert('blogtitle');[removed]"); done(); }).otherwise(done); From 14ac43776301ef50da50e755ee6efa321decf198 Mon Sep 17 00:00:00 2001 From: Hannah Wolfe Date: Wed, 9 Oct 2013 19:29:38 +0100 Subject: [PATCH 5/8] Updating to latest Casper - triple braces for post titles everywhere --- content/themes/casper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/themes/casper b/content/themes/casper index c4c276653d..10beda3f6c 160000 --- a/content/themes/casper +++ b/content/themes/casper @@ -1 +1 @@ -Subproject commit c4c276653dc751e50fd927bd8c88a72930f4beff +Subproject commit 10beda3f6c02921fa4644d8b33f30eefbf5af9ca From f1317b84af5ab52e3d06af16d7beb8ee8c4b6554 Mon Sep 17 00:00:00 2001 From: Hannah Wolfe Date: Wed, 9 Oct 2013 19:51:55 +0100 Subject: [PATCH 6/8] Improving tag handling in post_class and body_class closes #967, closes #987 - use slug instead of name (it's unique) - get tags even if we aren't inside the post context - add tag handling to body_class too --- core/server/helpers/index.js | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/core/server/helpers/index.js b/core/server/helpers/index.js index 85796b64e5..669d44ce29 100644 --- a/core/server/helpers/index.js +++ b/core/server/helpers/index.js @@ -179,7 +179,9 @@ coreHelpers = function (ghost) { ghost.registerThemeHelper('body_class', function (options) { - var classes = []; + var classes = [], + tags = this.post && this.post.tags ? this.post.tags : this.tags || []; + if (_.isString(this.path) && this.path.match(/\/page/)) { classes.push('archive-template'); } else if (!this.path || this.path === '/' || this.path === '') { @@ -188,6 +190,10 @@ coreHelpers = function (ghost) { classes.push('post-template'); } + if (tags) { + classes = classes.concat(tags.map(function (tag) { return 'tag-' + tag.slug; })); + } + return ghost.doFilter('body_class', classes, function (classes) { var classString = _.reduce(classes, function (memo, item) { return memo + ' ' + item; }, ''); return new hbs.handlebars.SafeString(classString.trim()); @@ -195,10 +201,11 @@ coreHelpers = function (ghost) { }); ghost.registerThemeHelper('post_class', function (options) { - var classes = ['post']; + var classes = ['post'], + tags = this.post && this.post.tags ? this.post.tags : this.tags || []; - if (this.tags) { - classes = classes.concat(this.tags.map(function (tag) { return 'tag-' + tag.name; })); + if (tags) { + classes = classes.concat(tags.map(function (tag) { return 'tag-' + tag.slug; })); } return ghost.doFilter('post_class', classes, function (classes) { From 97f592aa4126f88c7228954b31f34d0b1bcedde4 Mon Sep 17 00:00:00 2001 From: Patrick Garman Date: Wed, 9 Oct 2013 11:07:43 -0500 Subject: [PATCH 7/8] Allow Ghost to run using sockets Closes #887 - Adds getSocket function > Returns the socket location if sockets are enabled or false - Adds startGhost function > Callback for server.listen --- core/server.js | 140 ++++++++++++++++++++++++++++--------------------- 1 file changed, 80 insertions(+), 60 deletions(-) diff --git a/core/server.js b/core/server.js index 4f752425c5..12f44c44d2 100644 --- a/core/server.js +++ b/core/server.js @@ -4,6 +4,7 @@ var express = require('express'), _ = require('underscore'), colors = require('colors'), semver = require('semver'), + fs = require('fs'), slashes = require('connect-slashes'), errors = require('./server/errorHandling'), admin = require('./server/controllers/admin'), @@ -360,68 +361,87 @@ when(ghost.init()).then(function () { server.get('/:slug/', frontend.single); server.get('/', frontend.homepage); + // Are we using sockets? Custom socket or the default? + function getSocket() { + if (ghost.config().server.hasOwnProperty('socket')) { + return _.isString(ghost.config().server.socket) ? ghost.config().server.socket : path.join(__dirname, '../content/', process.env.NODE_ENV + '.socket'); + } + return false; + } + function startGhost() { + // Tell users if their node version is not supported, and exit + if (!semver.satisfies(process.versions.node, packageInfo.engines.node)) { + console.log( + "\nERROR: Unsupported version of Node".red, + "\nGhost needs Node version".red, + packageInfo.engines.node.yellow, + "you are using version".red, + process.versions.node.yellow, + "\nPlease go to http://nodejs.org to get the latest version".green + ); + + process.exit(0); + } + + // Startup & Shutdown messages + if (process.env.NODE_ENV === 'production') { + console.log( + "Ghost is running...".green, + "\nYour blog is now available on", + ghost.config().url, + "\nCtrl+C to shut down".grey + ); + + // ensure that Ghost exits correctly on Ctrl+C + process.on('SIGINT', function () { + console.log( + "\nGhost has shut down".red, + "\nYour blog is now offline" + ); + process.exit(0); + }); + } else { + console.log( + "Ghost is running...".green, + "\nListening on", + getSocket() || ghost.config().server.host + ':' + ghost.config().server.port, + "\nUrl configured as:", + ghost.config().url, + "\nCtrl+C to shut down".grey + ); + // ensure that Ghost exits correctly on Ctrl+C + process.on('SIGINT', function () { + console.log( + "\nGhost has shutdown".red, + "\nGhost was running for", + Math.round(process.uptime()), + "seconds" + ); + process.exit(0); + }); + } + + // Let everyone know we have finished loading + loading.resolve(); + } // ## Start Ghost App - server.listen( - ghost.config().server.port, - ghost.config().server.host, - function () { + if (getSocket()) { + // Make sure the socket is gone before trying to create another + fs.unlink(getSocket(), function (err) { + server.listen( + getSocket(), + startGhost + ); + fs.chmod(getSocket(), '0744'); + }); - // Tell users if their node version is not supported, and exit - if (!semver.satisfies(process.versions.node, packageInfo.engines.node)) { - console.log( - "\nERROR: Unsupported version of Node".red, - "\nGhost needs Node version".red, - packageInfo.engines.node.yellow, - "you are using version".red, - process.versions.node.yellow, - "\nPlease go to http://nodejs.org to get the latest version".green - ); - - process.exit(0); - } - - // Startup & Shutdown messages - if (process.env.NODE_ENV === 'production') { - console.log( - "Ghost is running...".green, - "\nYour blog is now available on", - ghost.config().url, - "\nCtrl+C to shut down".grey - ); - - // ensure that Ghost exits correctly on Ctrl+C - process.on('SIGINT', function () { - console.log( - "\nGhost has shut down".red, - "\nYour blog is now offline" - ); - process.exit(0); - }); - } else { - console.log( - "Ghost is running...".green, - "\nListening on", - ghost.config().server.host + ':' + ghost.config().server.port, - "\nUrl configured as:", - ghost.config().url, - "\nCtrl+C to shut down".grey - ); - // ensure that Ghost exits correctly on Ctrl+C - process.on('SIGINT', function () { - console.log( - "\nGhost has shutdown".red, - "\nGhost was running for", - Math.round(process.uptime()), - "seconds" - ); - process.exit(0); - }); - } - - // Let everyone know we have finished loading - loading.resolve(); - } - ); + } else { + server.listen( + ghost.config().server.port, + ghost.config().server.host, + startGhost + ); + } }, errors.logAndThrowError); From 31e2737cfd449ce26c13bf14aec83bfc55cb493c Mon Sep 17 00:00:00 2001 From: Hannah Wolfe Date: Thu, 10 Oct 2013 16:11:35 +0100 Subject: [PATCH 8/8] Update config validation to allow for socket only issue #887 --- core/config-loader.js | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/core/config-loader.js b/core/config-loader.js index b22c77a1e7..2cc66f1f07 100644 --- a/core/config-loader.js +++ b/core/config-loader.js @@ -36,6 +36,8 @@ function writeConfigFile() { function validateConfigEnvironment() { var envVal = process.env.NODE_ENV || 'undefined', + hasHostAndPort, + hasSocket, config, parsedUrl; @@ -45,6 +47,7 @@ function validateConfigEnvironment() { } + // Check if we don't even have a config if (!config) { errors.logError(new Error('Cannot find the configuration for the current NODE_ENV'), "NODE_ENV=" + envVal, 'Ensure your config.js has a section for the current NODE_ENV value'); @@ -64,9 +67,12 @@ function validateConfigEnvironment() { return when.reject(); } + hasHostAndPort = config.server && !!config.server.host && !!config.server.port; + hasSocket = config.server && !!config.server.socket; + // Check for valid server host and port values - if (!config.server || !config.server.host || !config.server.port) { - errors.logError(new Error('Your server values (host and port) in config.js are invalid.'), JSON.stringify(config.server), 'Please provide them before restarting.'); + if (!config.server || !(hasHostAndPort || hasSocket)) { + errors.logError(new Error('Your server values (socket, or host and port) in config.js are invalid.'), JSON.stringify(config.server), 'Please provide them before restarting.'); return when.reject(); }