client: do not import config.js directly

It can be a security hazard to compile config.js into static assets.
jesec · Aug 22, 2020 · 042cb4c · 042cb4c
1 parent 46bc245
commit 042cb4c
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 6 deletions.
diff --git a/client/.eslintrc.js b/client/.eslintrc.js
@@ -14,6 +14,9 @@ module.exports = {
   },
   plugins: ['import'],
   rules: {
+    "no-restricted-imports": ["error", {
+      "patterns": ["**/config"],
+    }],
     '@typescript-eslint/no-var-requires': 0,
     '@typescript-eslint/camelcase': ['error'],
     camelcase: 0,

diff --git a/client/config/env.js b/client/config/env.js
@@ -40,6 +40,7 @@ function getClientEnvironment() {
         NODE_ENV: environment,
         BASE_URI: environment !== 'development' ? paths.servedPath : '',
         POLL_INTERVAL: userConfig.torrentClientPollInterval,
+        DISABLE_AUTH: userConfig.disableUsersAndAuth,
       },
     );
   // Stringify all values so we can feed into Webpack DefinePlugin

diff --git a/client/src/javascript/components/AppWrapper.js b/client/src/javascript/components/AppWrapper.js
@@ -4,6 +4,7 @@ import PropTypes from 'prop-types';
 import React from 'react';
 
 import AuthStore from '../stores/AuthStore';
+import ConfigStore from '../stores/ConfigStore';
 import Checkmark from './icons/Checkmark';
 import ClientConnectionInterruption from './general/ClientConnectionInterruption';
 import ClientStatusStore from '../stores/ClientStatusStore';
@@ -13,8 +14,6 @@ import LoadingIndicator from './general/LoadingIndicator';
 import UIStore from '../stores/UIStore';
 import WindowTitle from './general/WindowTitle';
 
-import UserConfig from '../../../../config';
-
 const ICONS = {
   satisfied: <Checkmark />,
 };
@@ -55,7 +54,7 @@ class AuthEnforcer extends React.Component {
     }
 
     // TODO: disableUsersAndAuth is server's config not user's
-    if (isAuthenticated && !isClientConnected && !UserConfig.disableUsersAndAuth) {
+    if (isAuthenticated && !isClientConnected && !ConfigStore.getDisableAuth()) {
       content = (
         <div className="application__loading-overlay">
           <div className="application__entry-barrier">

diff --git a/client/src/javascript/components/modals/settings-modal/SettingsModal.js b/client/src/javascript/components/modals/settings-modal/SettingsModal.js
@@ -9,12 +9,11 @@ import connectStores from '../../../util/connectStores';
 import EventTypes from '../../../constants/EventTypes';
 import Modal from '../Modal';
 import ResourcesTab from './ResourcesTab';
+import ConfigStore from '../../../stores/ConfigStore';
 import SettingsStore from '../../../stores/SettingsStore';
 import UITab from './UITab';
 import DiskUsageTab from './DiskUsageTab';
 
-import UserConfig from '../../../../../../config';
-
 class SettingsModal extends React.Component {
   modalBodyRef = null;
 
@@ -175,7 +174,7 @@ class SettingsModal extends React.Component {
         }),
       },
       // TODO: disableUsersAndAuth is server's config not user's
-      ...(UserConfig.disableUsersAndAuth !== true
+      ...(!ConfigStore.getDisableAuth()
         ? {
             authentication: {
               content: AuthTab,

diff --git a/client/src/javascript/stores/ConfigStore.js b/client/src/javascript/stores/ConfigStore.js
@@ -8,6 +8,10 @@ class ConfigStoreClass extends BaseStore {
   getPollInterval() {
     return process.env.POLL_INTERVAL || 5000;
   }
+
+  getDisableAuth() {
+    return process.env.DISABLE_AUTH || false;
+  }
 }
 
 export default new ConfigStoreClass();