From ded3d1e155716b303d97ef8ddb07b5eafee541aa Mon Sep 17 00:00:00 2001
From: Elyas Najibzadeh
Date: Thu, 26 Dec 2024 01:23:59 +0330
Subject: [PATCH] fix(security): ensure proper validation of AdminJS assets in Fastify integration

- Resolved privilege escalation issue caused by improper handling of `admin.options.assets`.
- Ensured function-based `assets` are processed correctly.
- Excluded non-string `assets` (e.g., `coreScripts`) from bypassing route protection.
- Strengthened API route protection and authentication checks.
---
 src/authentication/protected-routes.handler.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/authentication/protected-routes.handler.ts b/src/authentication/protected-routes.handler.ts
index 7ecbbd9..fa31ee1 100644
--- a/src/authentication/protected-routes.handler.ts
+++ b/src/authentication/protected-routes.handler.ts
@@ -1,4 +1,4 @@
-import AdminJS, { Router as AdminRouter } from 'adminjs';
+import AdminJS, { CurrentAdmin, Router as AdminRouter } from 'adminjs';
 import { FastifyInstance } from 'fastify';

 export const withProtectedRoutesHandler = (
@@ -11,11 +11,16 @@ export const withProtectedRoutesHandler = (
 const buildComponentRoute = AdminRouter.routes.find(
 (r) => r.action === "bundleComponents"
 )?.path;
+
+ let AdminOptionsAssets = admin.options?.assets ?? {};
+ if (typeof AdminOptionsAssets === 'function')
+ AdminOptionsAssets = await AdminOptionsAssets(request.session.get('adminUser') as CurrentAdmin);
 const assets = [
 ...AdminRouter.assets.map((a) => a.path),
- ...Object.values(admin.options?.assets ?? {}).flat(),
+ ...Object.values(AdminOptionsAssets).flat(),
 ];
- if (assets.find((a) => request.url.match(a))) {
+
+ if (assets.find((a) => typeof a === 'string' && request.url.match(a))) {
 return;
 } else if (buildComponentRoute && request.url.match(buildComponentRoute)) {
 return;
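Review bot: The new guard `assets.find((a) => typeof a === 'string' && request.url.match(a))` still passes each asset path to `String.prototype.match` as an unanchored regular expression tested against the whole `request.url` (query string included), so the added `typeof` check narrows which entries are tested but does not make the match itself strict, and a protected route whose URL merely contains an asset path as a substring is still allowed through. Compare the path component instead, at minimum `const pathname = request.url.split('?')[0];` followed by `if (assets.some((a) => typeof a === 'string' && pathname.endsWith(a))) {`, or escape the asset path before building a regex; the `buildComponentRoute` comparison on the following line has the same shape and should be tightened together with it. The new `await` on the assets function presumes the enclosing hook callback is `async`; that callback's signature starts outside this hunk and cannot be confirmed here. As a point of style, `AdminOptionsAssets` is PascalCase for a local; `adminOptionsAssets` would match `buildComponentRoute` and `assets` in the same block.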