runt1me / stormcloud

Windows backup software from Dark Age Technology Group

Remove hard-coded values from ColdFusion #85

Closed runt1me closed 2 months ago

runt1me commented 3 months ago

backup_restore.cfm and/or mvp_backup_restore_v2.cfm seem to have hard-coded values for at least one field (api key) being used in AJAX requests. Need to remove and associate with API key of customer.

EccentricKnight commented 2 months ago

@runt1me Not aware of any more hard-coding. Can we close this?

runt1me commented 2 months ago

@EccentricKnight still seeing this in backup_restore.cfm. Is it being used?

Lines 200-220 ish:

    $(document).ready(function() {
        // Adding click handlers for Restore and Backup & Restore buttons
        $('#restoreButton').click(function() {
            // Build a Device ID -> Agent ID map from the query result rendered into the page
            var agentIdMap = {};
            for (var i = 0; i < rs.DATA.length; i++) {
                var deviceId = rs.DATA[i][0];
                var agentId = rs.DATA[i][1];
                agentIdMap[deviceId] = agentId;

                console.log("Initial deviceId: ", deviceId);
                console.log("Initial agentId: ", agentId);
                console.log("Initial agentId (from map): ", agentIdMap[deviceId]);
            }
            // Loop through each device form to get its files
            $(".deviceForm").each(function() {
                var deviceId = $(this).attr('id').split('_')[1];
                var agentId = agentIdMap[deviceId];  // Retrieve the Agent ID associated with this Device ID
                var listItem = $(this).find('.folderList').children();  // Assume each child div represents a file

                // Loop through each file for this device
                listItem.each(function() {
                    var filePath = $(this).find('.folderName').text();

                    console.log("deviceId: ", deviceId);
                    console.log("agentId: ", agentId);
                    console.log("filePath: ", filePath);

                    // Make the API call to restore this file for this device
                    $.ajax({
                        url: 'https://www2.darkage.io:8443/api/queue-file-for-restore',
                        type: 'POST',
                        contentType: 'application/json',
                        data: JSON.stringify({
                            'api_key': 'W0eDEwKTLnO7H3xlkxKtTw',  // hard-coded key sent to every browser; the value this issue asks to remove
                            'agent_id': agentId,
                            'file_path': filePath
                        }),
                        success: function(response) {
                            console.log('Successfully restored file', response);
                        },
                        error: function(error) {
                            console.error('Error restoring file', error);
                        }
                    });
                });
            });
        });
    });

Also seeing it on 240-280 ish in the same file.

Seeing the same in mvp_backup_restore_v2.cfm, lines 183-217 (ish).

EccentricKnight commented 2 months ago

@runt1me Confirmed there are no references to backup_restore.cfm in the front end, archived that file.

I do see it in mvp_backup_restore_v2.cfm (the actual cfm we're using). Did we hard-code it because we need to pass an admin api_key for restoring?

If so, don't think we can pull api_key from session since users generally won't be admins.

runt1me commented 2 months ago

An admin API key should not be necessary for that endpoint, so we should pull it from the session.

EccentricKnight commented 2 months ago

@runt1me Should be fixed. Need to test restore process again.


EccentricKnight commented 2 months ago

Closing this for now. We can re-open if we discover any more issues.