179 lines
5.8 KiB
Markdown
179 lines
5.8 KiB
Markdown
<h1 align="center">Fix LeanCloud Counter Plugin Security Vulnerability</h1>
|
||
|
||
Before you make the config, please upgrade your NexT version to v6.0.6 or greater.
|
||
|
||
Please note the difference between **site config file** and **theme config file**
|
||
|
||
---
|
||
|
||
# Sign up to LeanCloud and create an app
|
||
- Go to LeanCloud website [leancloud.app](https://leancloud.app) and sign up to LeanCloud. Then login.
|
||
- Click `1` to enter the console:
|
||
|
||
|
||
|
||
- Then click `1` to create an app:
|
||
|
||
|
||
|
||
- Type your app name in `1` in the pop up window(eg. "test"), then choose `2`, which means developer's plan, and then click `3` to create the app:
|
||
|
||
|
||
|
||
# Create Counter class and enable plugin in NexT
|
||
- Click `1` (app name) to enter the app manage page:
|
||
|
||
|
||
|
||
- then click `1` to create a class for counter:
|
||
|
||
|
||
|
||
- Type `Counter` in the pop up window in `1`, check `2`, then click `3`:
|
||
|
||
|
||
|
||
- Click `1` to enter the app setting, then click `2`:
|
||
|
||
|
||
|
||
- Paste `App ID` and `App Key` to **theme config file** `_config.yml` like this:
|
||
```yml
|
||
leancloud_visitors:
|
||
enable: true
|
||
app_id: # <your app id>
|
||
app_key: # <your app key>
|
||
# Required for apps from CN region
|
||
server_url: # <your server url>
|
||
# Dependencies: https://github.com/theme-next/hexo-leancloud-counter-security
|
||
security: true
|
||
```
|
||
|
||
- Set domain whitelist: Click `1`, then type your domain into `2` (**protocol, domain and port should be exactly the same**):
|
||
|
||
|
||
|
||
# Deploy web engine to avoid your data being changed illegally
|
||
- Click `1 -> 2 -> 3` by order
|
||
|
||
|
||
|
||
- Click `1`:
|
||
|
||
|
||
|
||
- In the pop up window, click `1` to choose type `Hook`, then choose`beforeUpdate` in `2`, choose `Counter` in `3`. Paste code below into `4`, then click `5` to save it:
|
||
```javascript
|
||
var query = new AV.Query("Counter");
|
||
if (request.object.updatedKeys.includes('time')) {
|
||
return query.get(request.object.id).then(function (obj) {
|
||
if (obj.get("time") > request.object.get("time")) {
|
||
throw new AV.Cloud.Error('Invalid update!');
|
||
}
|
||
return request.object.save();
|
||
});
|
||
}
|
||
```
|
||
|
||
|
||
|
||
- Click `1` to deploy after the message in the red rect shows up:
|
||
|
||
|
||
|
||
- Click `1` in the pop up:
|
||
|
||
|
||
|
||
- Click `1` to close the pop up window after the message in the red rect shows up:
|
||
|
||
|
||
|
||
# Set access control for your database
|
||
- Open **theme config file** `_config.yml`, set `leancloud_visitors: security` to `true`:
|
||
```yml
|
||
leancloud_visitors:
|
||
enable: true
|
||
app_id: # <your app id>
|
||
app_key: # <your app key>
|
||
# Required for apps from CN region
|
||
server_url: # <your server url>
|
||
# Dependencies: https://github.com/theme-next/hexo-leancloud-counter-security
|
||
security: true
|
||
```
|
||
|
||
- Open cmd then switch to **root path of site**, type commands to install `hexo-leancloud-counter-security` plugin:
|
||
```
|
||
npm install hexo-leancloud-counter-security
|
||
```
|
||
|
||
- Open **site config file** `_config.yml`, add those config:
|
||
```yml
|
||
leancloud_counter_security:
|
||
enable_sync: true
|
||
app_id: <your app id>
|
||
app_key: <your app key>
|
||
username:
|
||
password:
|
||
```
|
||
|
||
- Type command:
|
||
```
|
||
hexo lc-counter register <username> <password>
|
||
```
|
||
or
|
||
```
|
||
hexo lc-counter r <username> <password>
|
||
```
|
||
|
||
Change `<username>` and `<password>` to your own username and password (no need to be the same as leancloud account). They will be used in the hexo deploying.
|
||
|
||
- Open **site config file** `_config.yml`, change `<username>` and `<password>`to those you set above:
|
||
```yml
|
||
leancloud_counter_security:
|
||
enable_sync: true
|
||
app_id: <your app id>
|
||
app_key: <your app key>
|
||
username: <your username> # will be asked while deploying if be left blank
|
||
password: <your password> # recommend to leave it blank for security, will be asked while deploying if be left blank
|
||
```
|
||
|
||
- Add the deployer in the `deploy` of **site config file** `_config.yml`:
|
||
```yml
|
||
deploy:
|
||
- type: git
|
||
repo: // your repo
|
||
...
|
||
- type: leancloud_counter_security_sync
|
||
```
|
||
|
||
- Return to the LeanCloud console. Click `1 -> 2`, check if there is a record added in the `_User` (the img below is using username "admin" for example):
|
||
|
||
|
||
|
||
- Click `1 -> 2 -> 3` by order:
|
||
|
||
|
||
|
||
- <del>Click `1` (add_fields), then choose `2`:</del> Do as below "create" setting(choose the user you create):
|
||
|
||
|
||
|
||
- click `1` (create), then choose `2`, type the username in `3`, then click `4 -> 5`:
|
||
|
||
|
||
|
||
Now your page should be similar to this img after finishing the step.
|
||
|
||
|
||
|
||
- Click `1` (delete), then choose `2`:
|
||
|
||
|
||
|
||
Now the bug is fixed.
|
||
|
||
---
|
||
|
||
See detailed version here: https://leaferx.online/2018/03/16/lc-security-en/
|