|
|
|
@ -78,18 +78,24 @@ const _homeUrlReachableProbe: Probe = {
|
|
|
|
|
name: 'Is home page available at expected URL',
|
|
|
|
|
apply: async (server, req) => {
|
|
|
|
|
const url = server.getHomeUrl(req);
|
|
|
|
|
const details: Record<string, any> = {
|
|
|
|
|
url,
|
|
|
|
|
};
|
|
|
|
|
try {
|
|
|
|
|
const resp = await fetch(url);
|
|
|
|
|
details.status = resp.status;
|
|
|
|
|
if (resp.status !== 200) {
|
|
|
|
|
throw new ApiError(await resp.text(), resp.status);
|
|
|
|
|
}
|
|
|
|
|
return {
|
|
|
|
|
success: true,
|
|
|
|
|
details,
|
|
|
|
|
};
|
|
|
|
|
} catch (e) {
|
|
|
|
|
return {
|
|
|
|
|
success: false,
|
|
|
|
|
details: {
|
|
|
|
|
...details,
|
|
|
|
|
error: String(e),
|
|
|
|
|
},
|
|
|
|
|
severity: 'fault',
|
|
|
|
@ -105,11 +111,12 @@ const _statusCheckProbe: Probe = {
|
|
|
|
|
const baseUrl = server.getHomeUrl(req);
|
|
|
|
|
const url = new URL(baseUrl);
|
|
|
|
|
url.pathname = removeTrailingSlash(url.pathname) + '/status';
|
|
|
|
|
const details = {
|
|
|
|
|
const details: Record<string, any> = {
|
|
|
|
|
url: url.href,
|
|
|
|
|
};
|
|
|
|
|
try {
|
|
|
|
|
const resp = await fetch(url);
|
|
|
|
|
details.status = resp.status;
|
|
|
|
|
if (resp.status !== 200) {
|
|
|
|
|
throw new Error(`Failed with status ${resp.status}`);
|
|
|
|
|
}
|
|
|
|
@ -124,8 +131,10 @@ const _statusCheckProbe: Probe = {
|
|
|
|
|
} catch (e) {
|
|
|
|
|
return {
|
|
|
|
|
success: false,
|
|
|
|
|
details,
|
|
|
|
|
details: {
|
|
|
|
|
...details,
|
|
|
|
|
error: String(e),
|
|
|
|
|
},
|
|
|
|
|
severity: 'fault',
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
@ -136,8 +145,12 @@ const _userProbe: Probe = {
|
|
|
|
|
id: 'system-user',
|
|
|
|
|
name: 'Is the system user following best practice',
|
|
|
|
|
apply: async () => {
|
|
|
|
|
const details = {
|
|
|
|
|
uid: process.getuid ? process.getuid() : 'unavailable',
|
|
|
|
|
};
|
|
|
|
|
if (process.getuid && process.getuid() === 0) {
|
|
|
|
|
return {
|
|
|
|
|
details,
|
|
|
|
|
success: false,
|
|
|
|
|
verdict: 'User appears to be root (UID 0)',
|
|
|
|
|
severity: 'warning',
|
|
|
|
@ -145,6 +158,7 @@ const _userProbe: Probe = {
|
|
|
|
|
} else {
|
|
|
|
|
return {
|
|
|
|
|
success: true,
|
|
|
|
|
details,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
@ -154,12 +168,18 @@ const _bootProbe: Probe = {
|
|
|
|
|
id: 'boot-page',
|
|
|
|
|
name: 'Is the boot page adequately protected',
|
|
|
|
|
apply: async (server) => {
|
|
|
|
|
if (!server.hasBoot) {
|
|
|
|
|
return { success: true };
|
|
|
|
|
const details: Record<string, any> = {
|
|
|
|
|
bootKeySet: server.hasBoot(),
|
|
|
|
|
};
|
|
|
|
|
console.log(details);
|
|
|
|
|
if (!server.hasBoot()) {
|
|
|
|
|
return { success: true, details };
|
|
|
|
|
}
|
|
|
|
|
const maybeSecureEnough = String(process.env.GRIST_BOOT_KEY).length > 10;
|
|
|
|
|
const bootKeyLength = String(process.env.GRIST_BOOT_KEY).length;
|
|
|
|
|
details.bootKeyLength = bootKeyLength;
|
|
|
|
|
return {
|
|
|
|
|
success: maybeSecureEnough,
|
|
|
|
|
success: bootKeyLength > 10,
|
|
|
|
|
details,
|
|
|
|
|
severity: 'hmm',
|
|
|
|
|
};
|
|
|
|
|
},
|
|
|
|
@ -178,19 +198,26 @@ const _hostHeaderProbe: Probe = {
|
|
|
|
|
apply: async (server, req) => {
|
|
|
|
|
const host = req.header('host');
|
|
|
|
|
const url = new URL(server.getHomeUrl(req));
|
|
|
|
|
const details = {
|
|
|
|
|
homeUrlHost: url.hostname,
|
|
|
|
|
headerHost: host,
|
|
|
|
|
};
|
|
|
|
|
if (url.hostname === 'localhost') {
|
|
|
|
|
return {
|
|
|
|
|
done: true,
|
|
|
|
|
details,
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
if (String(url.hostname).toLowerCase() !== String(host).toLowerCase()) {
|
|
|
|
|
return {
|
|
|
|
|
success: false,
|
|
|
|
|
details,
|
|
|
|
|
severity: 'hmm',
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
return {
|
|
|
|
|
done: true,
|
|
|
|
|
details,
|
|
|
|
|
};
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|