inetChecksite() possible security issue fix

CHANGELOG.md

@@ -72,7 +72,8 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page.
 
 | Version        | Date           | Comment  |
 | -------------- | -------------- | -------- |
-| 5.3.1          | 2020-02-14     | `inetLatency()` `ineChecksite()` `servcices()` `processes()` fixed possible security issue |
+| 5.3.2          | 2020-02-15     | `inetLatency()` `ineChecksite()` fixed possible security issue (file://) |
+| 5.3.1          | 2020-02-14     | `inetLatency()` `ineChecksite()` `servcices()` `processes()` fixed possible security issue (arrays) |
 | 5.3.0          | 2020-02-12     | `osInfo()` added remoteSession (windows) |
 | 5.2.7          | 2020-02-12     | `fsStats()`, `blockDevices()` improved linux |
 | 5.2.6          | 2020-02-12     | `inetLatency()` fixed possible DOS intrusion |

docs/history.html

@@ -56,6 +56,11 @@ <h3>Full version history</h3>
                   </tr>
                 </thead>
                 <tbody>
+                  <tr>
+                    <th scope="row">5.3.2</th>
+                    <td>2020-02-15</td>
+                    <td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> fix possible security issue (file://)</td>
+                  </tr>
                   <tr>
                     <th scope="row">5.3.1</th>
                     <td>2020-02-14</td>

docs/index.html

@@ -166,11 +166,11 @@
 <body>
   <header class="bg-image-full">
     <div class="top-container">
-      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.3.1</a>
+      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.3.2</a>
       <img class="logo" src="assets/logo.png">
       <div class="title">systeminformation</div>
       <div class="subtitle"><span id="typed"></span>&nbsp;</div>
-      <div class="version">New Version: <span id="version">5.3.1</span></div>
+      <div class="version">New Version: <span id="version">5.3.2</span></div>
       <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
     </div>
     <div class="down">
@@ -201,15 +201,15 @@
     </div>
     <div class="row number-section">
       <div class="col-xl-4 col-lg-4 col-md-4 col-12">
-        <div class="numbers">13,752</div>
+        <div class="numbers">13,833</div>
         <div class="title">Lines of code</div>
       </div>
       <div class="col-xl-4 col-lg-4 col-md-4 col-12">
         <div id="downloads" class="numbers">...</div>
         <div class="title">Downloads last month</div>
       </div>
       <div class="col-xl-4 col-lg-4 col-md-4 col-12">
-        <div class="numbers">382</div>
+        <div class="numbers">387</div>
         <div class="title">Dependents</div>
       </div>
     </div>

docs/security.html

@@ -43,6 +43,23 @@
           <div class="col-12 sectionheader">
             <div class="title">Security Advisories</div>
             <div class="text">
+              <h2>Insufficient File Scheme Validation</h2>
+              <p><span class="bold">Affected versions:</span>
+                &lt; 5.3.2 and &lt; 4.34.12<br>
+                <span class="bold">Date:</span> 2021-02-15<br>
+                <span class="bold">CVE indentifier</span> -
+              </p>
+
+              <h4>Impact</h4>
+              <p>We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>.</p>
+
+              <h4>Patch</h4>
+              <p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.3.2 (or >= 4.34.12 if you are using version 4).</p>
+
+              <h4>Workarround</h4>
+              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span> (sanitize `file://` parameter)</p>
+              <hr>
+              <br>
               <h2>Command Injection Vulnerability</h2>
               <p><span class="bold">Affected versions:</span>
                 &lt; 5.3.1 and &lt; 4.34.11<br>

docs/v4/gettingstarted.html

@@ -67,7 +67,7 @@ <h3>Attention:</h3>
               <p>This library is supposed to be used as a <a href="https://nodejs.org/en/" rel="nofollow">node.js</a> backend/server-side library and will definilely not work within a browser.</p>
 
               <h2>Installation (old version 4)</h2>
-              <pre>$ npm install systeminformation@4 —save</pre>
+              <pre>$ npm install systeminformation@4 —-save</pre>
               <h2>Usage</h2>
               <p>All functions (except <span class="code">version</span> and <span class="code">time</span>) are implemented as asynchronous functions. Here a small example how to use them:</p>
               <pre><code class="js">const si = require('systeminformation');

docs/v4/history.html

@@ -83,6 +83,11 @@ <h3>Full version history</h3>
                   </tr>
                 </thead>
                 <tbody>
+                  <tr>
+                    <th scope="row">4.34.12</th>
+                    <td>2020-02-15</td>
+                    <td><span class="code">inetLatency()</span> <span class="code">inetChecksite()</span> fix possible security issue (file://)</td>
+                  </tr>
                   <tr>
                     <th scope="row">4.34.11</th>
                     <td>2020-02-14</td>

docs/v4/index.html

@@ -170,7 +170,7 @@
       <div class="title">systeminformation </div>
       <div class="subtitle"><span id="typed"></span>&nbsp;</div>
       <div class="version larger">Version 4 documentation</div>
-      <div class="version">Current Version: <span id="version">4.34.11</span></div>
+      <div class="version">Current Version: <span id="version">4.34.12</span></div>
       <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
     </div>
     <div class="down">

docs/v4/security.html

@@ -42,6 +42,23 @@
           <div class="col-12 sectionheader">
             <div class="title">Security Advisories</div>
             <div class="text">
+              <h2>Insufficient File Scheme Validation</h2>
+              <p><span class="bold">Affected versions:</span>
+                4.34.12<br>
+                <span class="bold">Date:</span> 2021-02-15<br>
+                <span class="bold">CVE indentifier</span> -
+              </p>
+
+              <h4>Impact</h4>
+              <p>We had an issue that there was a possibility to run inetChecksite against local files due to improper file scheme validation. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>.</p>
+
+              <h4>Patch</h4>
+              <p>Problem was fixed with additional parameter checking. Please upgrade to version >= 4.34.12 if you are using version 4.</p>
+
+              <h4>Workarround</h4>
+              <p>If you cannot upgrade, be sure to check or sanitize service parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span> (sanitize `file://` parameter)</p>
+              <hr>
+              <br>
               <h2>Command Injection Vulnerability</h2>
               <p><span class="bold">Affected versions:</span>
                 &lt; 4.34.11<br>

lib/internet.js

@@ -58,6 +58,11 @@ function inetChecksite(url, callback) {
       result.url = urlSanitized;
       try {
         if (urlSanitized && !util.isPrototypePolluted()) {
+          urlSanitized.__proto__.startsWith = util.stringStartWith;
+          if (urlSanitized.startsWith('file:')) {
+            if (callback) { callback(result); }
+            return resolve(result);
+          }
           let t = Date.now();
           if (_linux || _freebsd || _openbsd || _netbsd || _darwin || _sunos) {
             let args = ' -I --connect-timeout 5 -m 5 ' + urlSanitized + ' 2>/dev/null | head -n 1 | cut -d " " -f2';
@@ -146,6 +151,11 @@ function inetLatency(host, callback) {
           }
         }
       }
+      hostSanitized.__proto__.startsWith = util.stringStartWith;
+      if (hostSanitized.startsWith('file:')) {
+        if (callback) { callback(null); }
+        return resolve(null);
+      }
       let params;
       let filt;
       if (_linux || _freebsd || _openbsd || _netbsd || _darwin) {

lib/util.js

@@ -57,6 +57,7 @@ const stringToLower = new String().toLowerCase;
 const stringToString = new String().toString;
 const stringSubstr = new String().substr;
 const stringTrim = new String().trim;
+const stringStartWith = new String().startsWith;
 
 function isFunction(functionToCheck) {
   let getType = {};
@@ -939,5 +940,6 @@ exports.stringToLower = stringToLower;
 exports.stringToString = stringToString;
 exports.stringSubstr = stringSubstr;
 exports.stringTrim = stringTrim;
+exports.stringStartWith = stringStartWith;
 exports.WINDIR = WINDIR;
 exports.getFilesInPath = getFilesInPath;