CodeQL caught a path where we were passing in req.query.path
to pathToFsPath, which may not have been a string.
So we refactored some things to ensure we only pass it a string
which also let us change the parameter type to string
instead of string | string[].
There's a chance this function can be called with a path that is not a string.
To catch that, we check if path is of a different type and throw an error if it
is.
This also adds a couple tests for this function.
This can be used to escape any special characters in a string with HTML before
sending from the server back to the client. This is important to prevent a
cross-site scripting attack.
Previously, we used argon2 to verify the hash with the password.
If the hash didn't start with a $, then it would enter the catch block.
Now we check the hash before trying to verify it and we also throw an Error if
the verify fails.
This makes the isHashMatch function more robust.
There was a case with the hashed-password which had multiple equal signs in the
value and it wasn't being parsed correctly. This uses a new function and adds a
few tests.
Remove the Mac directory copy instead of refactoring it since we've had
this for a long time now and I think it's safe to assume that users
running code-server on Mac don't have the old directory anymore.
Now we add a subject alt name, set extendedKeyUsage and use the
correct certificate extension.
The above allow it to be properly trusted by iOS.
See https://support.apple.com/en-us/HT210176
*.cert isn't a real extension for certificates, *.crt is correct
for it to be recognized by e.g. keychain or when importing as a profile
into iOS.
Updates #1566
I've been able to successfully connect from my iPad Pro now to my
code-server instance with a self signed certificate! Next commit
will be docs.
I temporarily removed this during the refactor so it needed to be added
back. This time I bundled it with the nbin loader code since it's all
related (will also make it easier to remove).
Fixes issues with unexpected characters breaking things when setting the
cookie (like semicolons).
This change as-is does not affect the security of code-server
itself (we've just replaced the static password with a static hash) but
if we were to add a salt in the future it would let us invalidate keys
by rehashing with a new salt which could be handy.
