dominik/homepage-plus
1
0
Fork 0
mirror of https://github.com/DI0IK/homepage-plus.git synced 2025-07-17 18:29:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Security: Sanitize widget api keys from response

Browse source 
Closes https://github.com/gethomepage/homepage/security/advisories/GHSA-cjgf-vhj6-8cx4
This commit is contained in:
shamoon 2024-06-05 19:38:26 -07:00
parent 36e77e1fe3
commit f0d7cf3ce6
3 changed files with 11 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/utils/config/widget-helpers.js
View file

@ -32,7 +32,7 @@ export async function cleanWidgetGroups(widgets) {
const optionKeys = Object.keys(sanitizedOptions);
// delete private options from the sanitized options
["username", "password", "key"].forEach((pO) => {
["username", "password", "key", "apiKey"].forEach((pO) => {
if (optionKeys.includes(pO)) {
delete sanitizedOptions[pO];
}
@ -57,7 +57,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
const widgets = await widgetsFromConfig();
const privateOptions = widgets.map((widget) => {
const { index, url, username, password, key } = widget.options;
const { index, url, username, password, key, apiKey } = widget.options;
return {
type: widget.type,
@ -67,6 +67,7 @@ export async function getPrivateWidgetOptions(type, widgetIndex) {
username,
password,
key,
apiKey,
},
};
});