vh/homepage
1
0
Fork 0
mirror of https://github.com/gethomepage/homepage.git synced 2025-12-07 09:35:54 -08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Security: Sanitize widget api keys from response

Browse Source 
Closes https://github.com/gethomepage/homepage/security/advisories/GHSA-cjgf-vhj6-8cx4
This commit is contained in:
shamoon
2024-06-05 19:38:26 -07:00
parent 36e77e1fe3
commit f0d7cf3ce6
3 changed files with 11 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/utils/config/widget-helpers.js
View File

@@ -32,7 +32,7 @@ export async function cleanWidgetGroups(widgets) {
const optionKeys = Object.keys(sanitizedOptions);
// delete private options from the sanitized options
["username", "password", "key"].forEach((pO) => {
["username", "password", "key", "apiKey"].forEach((pO) => {
if (optionKeys.includes(pO)) {
delete sanitizedOptions[pO];
}
@@ -57,7 +57,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
const widgets = await widgetsFromConfig();
const privateOptions = widgets.map((widget) => {
const { index, url, username, password, key } = widget.options;
const { index, url, username, password, key, apiKey } = widget.options;
return {
type: widget.type,
@@ -67,6 +67,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
username,
password,
key,
apiKey,
},
};
});