dominik/homepage-plus
1
0
Fork 0
mirror of https://github.com/DI0IK/homepage-plus.git synced 2025-07-10 15:28:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Security: Sanitize widget api keys from response

Browse source 
Closes https://github.com/gethomepage/homepage/security/advisories/GHSA-cjgf-vhj6-8cx4
This commit is contained in:
shamoon 2024-06-05 19:38:26 -07:00
parent 36e77e1fe3
commit f0d7cf3ce6
3 changed files with 11 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/pages/api/widgets/openweathermap.js
View file

@ -1,9 +1,11 @@
import cachedFetch from "utils/proxy/cached-fetch";
import { getSettings } from "utils/config/config";
import { getPrivateWidgetOptions } from "utils/config/widget-helpers";
export default async function handler(req, res) {
const { latitude, longitude, units, provider, cache, lang } = req.query;
let { apiKey } = req.query;
const { latitude, longitude, units, provider, cache, lang, index } = req.query;
const privateWidgetOptions = await getPrivateWidgetOptions("openweathermap", index);
let { apiKey } = privateWidgetOptions;
if (!apiKey && !provider) {
return res.status(400).json({ error: "Missing API key or provider" });

6
src/pages/api/widgets/weather.js
View file

@ -1,9 +1,11 @@
import cachedFetch from "utils/proxy/cached-fetch";
import { getSettings } from "utils/config/config";
import { getPrivateWidgetOptions } from "utils/config/widget-helpers";
export default async function handler(req, res) {
const { latitude, longitude, provider, cache, lang } = req.query;
let { apiKey } = req.query;
const { latitude, longitude, provider, cache, lang, index } = req.query;
const privateWidgetOptions = await getPrivateWidgetOptions("weatherapi", index);
let { apiKey } = privateWidgetOptions;
if (!apiKey && !provider) {
return res.status(400).json({ error: "Missing API key or provider" });