Closed Rossebma closed 6 months ago
This looks like a bigger issue, I'll assign earth to it. In the meantime, is your apache2 webserver proxying the bot panel?
So I fixed the issue for me. Sadly not in a way that would be particularly helpful for you. The first problem was that I didn't set up the proxy for the web server. (I wanted to run it in secure mode (https).) But before I fixed this I completely reinstalled the bot. And when I did, I did two things differently:
npm audit fix
(I think it was something like that. But I remember the word "force" somewhere in the command...). This was recommended during both installations and the second time I didn't do it. I hope this gives you at least clues where to look. If you need any further information feel free to ask me here or via discord (Name: rossebma)
I'm still unable to reproduce this error.
I think Rossebma is talking about that, which relates to this:
I think if you do run "npm audit fix --force", it causes the error originally posted.
It can be resolved by taking a backup of the database and env, deleting the entire directory that contains Discord Tickets, installing again from git clone, running "npm i --production", copying back the .env file, running "npm run postinstall" and re-importing the database, then trying "node ." again
You will then be on the latest Discord Tickets BUT one of the dependencies will have a high-risk vulnerability. This project needs to be made compatible with the safe and updated version of the dependency.
Related:
Impact
All versions of @fastify/oauth2 used a statically generated `state` parameter at startup time and were used across all requests for all users. The purpose of the OAuth2 `state` parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it.
Patches
v7.2.0 changes the default behavior to store the `state` in a cookie with the `http-only` and `same-site=lax` attributes set. The `state` is now by default generated for every user. Note that this contains a breaking change in the `checkStateFunction` function, which now accepts the full `Request` object.
Workarounds
There are no known workarounds.
References
Thank you for the clarification @chrisbadley.
Errors are to be expected as the patched version of `@fastify/oauth2` introduces breaking changes, however, the fact that this obvious flaw was in the package from the beginning and the fact that the `state` parameter is optional makes me question the "high" severity.
Anyway, Discord Tickets already uses random `state` parameters to provide the redirects, so I think this vulnerability and patch can be safely ignored, and the solution is to not force-fix npm audits.
With that said, I will eventually need to upgrade all of the fastify dependencies and update any affected code so the patched version is compatible. This will allow `npm audit fix` to be used in the future, so I'll keep this issue open for now.
Also need to update this to delete used states.
Is there an existing issue for this?
Current Behavior
The bot itself seems to run, however the settings webpanel is not reachable and I get huge Fastify errors during startup.
Expected Behavior
Well I would expect the webpanel to work. (Sry. I don't know how to really describe it other than that.)
Steps To Reproduce
Environment:
Config:
Run:
node .
See error:
Anything else?
No response