replace yubikeyotp to avoid form-data cve

Signed-off-by: si458 <simonsmith5521@gmail.com>
2025-10-29 23:35:02 -04:00 · 2025-09-09 15:38:57 +01:00 · 2025-09-09 15:38:57 +01:00 · 6bcf39610a
commit 6bcf39610a
parent 4bff9f1788
5 changed files with 11 additions and 18 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -121,7 +121,7 @@ RUN case "$PREINSTALL_LIBS" in \
        true|yes|TRUE|YES) \
            cd meshcentral && \
            echo -e "----------\nPREINSTALLING LIBRARIES...\n----------"; \
-            npm install ssh2@1.16.0 nodemailer@6.10.1 image-size@2.0.2 wildleek@2.0.0 otplib@12.0.1 yubikeyotp@0.2.0;; \
+            npm install ssh2@1.16.0 nodemailer@6.10.1 image-size@2.0.2 wildleek@2.0.0 otplib@12.0.1 yub@0.11.1;; \
        false|no|FALSE|NO) \
            echo "Not pre-installing libraries.";; \
        *) \
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@ -2785,7 +2785,7 @@
          },
          "yubikey": {
            "type": "object",
-            "description": "Yubikey configuration",
+            "description": "Yubikey OTP configuration (get API Key from https://upgrade.yubico.com/getapikey/)",
            "properties": {
              "id": {
                "type": "string",
@ -2794,11 +2794,6 @@
              "secret": {
                "type": "string",
                "description": "Yubikey secret key"
-              },
-              "proxy": {
-                "type": "string",
-                "format": "uri",
-                "description": "Yubikey proxy URL"
              }
            },
            "required": [
--- a/meshcentral.js
+++ b/meshcentral.js
@ -4369,7 +4369,7 @@ function mainStart() {
        // Setup 2nd factor authentication
        if (config.settings.no2factorauth !== true) {
            // Setup YubiKey OTP if configured
-            if (yubikey == true) { modules.push('yubikeyotp@0.2.0'); } // Add YubiKey OTP support
+            if (yubikey == true) { modules.push('yub@0.11.1'); } // Add YubiKey OTP support (replaced yubikeyotp due to form-data issues)
            if (allsspi == false) { modules.push('otplib@12.0.1'); } // Google Authenticator support (v10 supports older NodeJS versions).
        }

--- a/meshuser.js
+++ b/meshuser.js
@ -3906,12 +3906,12 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                    if ((user.siteadmin != 0xFFFFFFFF) && ((user.siteadmin & 1024) != 0)) return; // If this account is settings locked, return here.

                    // Yubico API id and signature key can be requested from https://upgrade.yubico.com/getapikey/
-                    var yubikeyotp = null;
-                    try { yubikeyotp = require('yubikeyotp'); } catch (ex) { }
+                    var yub = null;
+                    try { yub = require('yub'); } catch (ex) { }

                    // Check if 2-step login is supported
                    const twoStepLoginSupported = ((parent.parent.config.settings.no2factorauth !== true) && (domain.auth != 'sspi') && (parent.parent.certificates.CommonName.indexOf('.') != -1) && (args.nousers !== true));
-                    if ((yubikeyotp == null) || (twoStepLoginSupported == false) || (typeof command.otp != 'string')) {
+                    if ((yub == null) || (twoStepLoginSupported == false) || (typeof command.otp != 'string')) {
                        ws.send(JSON.stringify({ action: 'otp-hkey-yubikey-add', result: false, name: command.name }));
                        break;
                    }
@ -3925,9 +3925,8 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
                    // TODO: Check if command.otp is modhex encoded, reject if not.

                    // Query the YubiKey server to validate the OTP
-                    var request = { otp: command.otp, id: domain.yubikey.id, key: domain.yubikey.secret, timestamp: true }
-                    if (domain.yubikey.proxy) { request.requestParams = { proxy: domain.yubikey.proxy }; }
-                    yubikeyotp.verifyOTP(request, function (err, results) {
+                    yub.init(domain.yubikey.id, domain.yubikey.secret);
+                    yub.verify(command.otp, function (err, results) {
                        if ((results != null) && (results.status == 'OK')) {
                            var keyIndex = parent.crypto.randomBytes(4).readUInt32BE(0);
                            var keyId = command.otp.substring(0, 12);
--- a/webserver.js
+++ b/webserver.js
@ -1073,10 +1073,9 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF

            // If we have a match, check the OTP
            if (match === true) {
-                var yubikeyotp = require('yubikeyotp');
-                var request = { otp: token, id: domain.yubikey.id, key: domain.yubikey.secret, timestamp: true }
-                if (domain.yubikey.proxy) { request.requestParams = { proxy: domain.yubikey.proxy }; }
-                yubikeyotp.verifyOTP(request, function (err, results) {
+                var yub = require('yub');
+                yub.init(domain.yubikey.id, domain.yubikey.secret);
+                yub.verify(token, function (err, results) {
                    if ((results != null) && (results.status == 'OK')) {
                        parent.debug('web', 'checkUserOneTimePassword: success (Yubikey).');
                        func(true, { twoFactorType: 'hwotp' });