From f796afe55ece4c9e9e2ff86c1f4f279be986aea9 Mon Sep 17 00:00:00 2001 From: Eric Eastwood Date: Tue, 18 Oct 2022 02:40:40 -0500 Subject: [PATCH] Sanity check that we are not leaking the access token to the client (#82) This isn't spawning from any previous security issue. Just adding an extra check to help ensure we don't ever regress this in the future. ``` AssertionError [ERR_ASSERTION]: We should not be leaking the `config.matrixAccessToken` to the Hydrogen render function because this will reach the client! at renderHydrogenToString (matrix-public-archive\server\hydrogen-render\render-hydrogen-to-string.js:24:3) at renderHydrogenVmRenderScriptToPageHtml (matrix-public-archive\server\hydrogen-render\render-hydrogen-vm-render-script-to-page-html.js:22:36) at matrix-public-archive\server\routes\room-directory-routes.js:53:28 at processTicksAndRejections (node:internal/process/task_queues:96:5) ``` --- server/hydrogen-render/render-hydrogen-to-string.js | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/server/hydrogen-render/render-hydrogen-to-string.js b/server/hydrogen-render/render-hydrogen-to-string.js index bb25f92..bd9f562 100644 --- a/server/hydrogen-render/render-hydrogen-to-string.js +++ b/server/hydrogen-render/render-hydrogen-to-string.js @@ -18,6 +18,14 @@ async function renderHydrogenToString(renderOptions) { assert(renderOptions.vmRenderScriptFilePath); assert(renderOptions.vmRenderContext); + // We expect `config` but we should sanity check that we aren't leaking the access token + // to the client if someone naievely copied the whole `config` object to here. + assert(renderOptions.vmRenderContext.config); + assert( + !renderOptions.vmRenderContext.config.matrixAccessToken, + 'We should not be leaking the `config.matrixAccessToken` to the Hydrogen render function because this will reach the client!' + ); + try { // In development, if you're running into a hard to track down error with // the render hydrogen stack and fighting against the multiple layers of