From 8827da6478e5e1083238bc3c93b02f72541fdf2a Mon Sep 17 00:00:00 2001
From: AJ ONeal  You requested an insecure resource. Please use this instead: \n'
-      + '    ' + newLocation + '
"
         + ""
-        + "Method: " + req.method
+        + "Method: " + encodeURI(req.method)
         + '\n'
-        + "Hostname: " + domaininfo.hostname
+        + "Hostname: " + encodeURI(domaininfo.hostname)
         + '\n'
-        + "App: " + (domaininfo.pathname ? (domaininfo.pathname + '/') : '')
+        + "App: " + encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
         + '\n'
-        + "Route: " + req.url//.replace(/^\//, '')
+        + "Route: " + encodeURI(req.url)//.replace(/^\//, '')
         + '\n'
           // TODO better sanatization
         + 'Error: '  + (err.message || err.toString()).replace(/"
                     + ""
                     + "Cannot "
-                    + req.method
+                    + encodeURI(req.method)
                     + " 'https://"
-                    + domaininfo.hostname
+                    + encodeURI(domaininfo.hostname)
                     + '/' 
-                    + (domaininfo.pathname ? (domaininfo.pathname + '/') : '')
-                    + req.url.replace(/^\//, '')
+                    + encodeURI(domaininfo.pathname ? (domaininfo.pathname + '/') : '')
+                    + encodeURI(req.url.replace(/^\//, ''))
                     + "'"
                     + "
"
                     + "
"
-                    + "Domain: " + domaininfo.hostname
+                    + "Domain: " + encodeURI(domaininfo.hostname)
                     + "
"
-                    + "App: " + domaininfo.pathname
+                    + "App: " + encodeURI(domaininfo.pathname)
                     + "
"
-                    + "Route : " + req.url
+                    + "Route : " + encodeURI(req.url)
                     + ""
                     + ""
                   );
@@ -182,10 +182,15 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
               appContext = localAppWrapped;
               appContext(req, res, next);
             } catch(e) {
-              console.error('[ERROR] ' + domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname);
+              console.error('[ERROR] '
+                + domaininfo.hostname + ':' + securePort
+                + '/' + domaininfo.pathname
+              );
               console.error(e);
+              // TODO this may not work in web apps (due to 500), probably okay
+              res.writeHead(500);
               res.end('{ "error": { "message": "[ERROR] could not load '
-                + domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname
+                + encodeURI(domaininfo.hostname) + ':' + securePort + '/' + encodeURI(domaininfo.pathname)
                 + 'or default error app." } }');
             }
           });
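Review bot: The 500 body in the catch block is still built by string concatenation, and `encodeURI` is URL percent-encoding rather than JSON escaping, so it is the wrong encoder for a value placed inside a JSON string. Sending it as `res.writeHead(500, { 'Content-Type': 'application/json' });` followed by `res.end(JSON.stringify({ error: { message: '[ERROR] could not load ' + domaininfo.hostname + ':' + securePort + '/' + domaininfo.pathname + ' or default error app.' } }));` escapes every value and restores the space missing before `or default`. The explicit Content-Type matters because `JSON.stringify` does not escape `<`, and `writeHead(500)` alone leaves the type to browser sniffing. The `res.end('{ "error": { "message": "' + msg + '" } }')` handler in the next hunk has the same problem, with `msg` inserted unescaped. The two `console.error` calls still log the raw hostname and pathname, so if those derive from the request (not visible here) CR/LF should be stripped first; the enclosing function starts and ends outside the hunk.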
@@ -224,6 +229,7 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
         console.error(err);
         console.error(msg);
         return function (req, res) {
+          res.writeHead(500);
           res.end('{ "error": { "message": "' + msg + '" } }');
         }
       }
@@ -392,6 +398,8 @@ module.exports.create = function (securePort, certsPath, vhostsdir) {
       key:          localDummyCerts.key
     , cert:         localDummyCerts.cert
     , ca:           localDummyCerts.ca
+                    // changes from default: disallow RC4
+    , ciphers:      "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL"
     };
 
     function addSniWorkaroundCallback() {
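Review bot: The new `ciphers` string only expresses a preference order, and nothing in this hunk sets `honorCipherOrder`, so on Node versions where that option is not enabled by default the client's ordering decides which suite is negotiated. Adding `, honorCipherOrder: true` next to `ciphers` would make the list authoritative. The `DHE-RSA-AES128-SHA256` entry is likely unusable unless a `dhparam` option is also supplied (none is visible here), and `HIGH` can still admit 3DES on older OpenSSL builds, so appending `:!3DES` is worth considering. The comment would read better if it named what it departs from, e.g. `// differs from Node's default cipher list: RC4 removed`. The options object begins before the hunk.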