diff --git a/package.json b/package.json index 38c33700..f23d2ae0 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "gun", - "version": "0.2019.514", + "version": "0.2019.515", "description": "A realtime, decentralized, offline-first, graph data synchronization engine.", "main": "index.js", "browser": "gun.js", diff --git a/sea.js b/sea.js index f44214cd..e58474f3 100644 --- a/sea.js +++ b/sea.js @@ -1113,10 +1113,6 @@ } var ctx = this.as; (msg._||(msg._=function(){})).user = ctx.user; - if(ctx.opt.faith && msg._.faith){ // you probably shouldn't have faith in this! - this.to.next(msg); - return; - } security.call(this, msg); } @@ -1125,6 +1121,10 @@ // This is broken down into some pretty clear edge cases, let's go over them: function security(msg){ var at = this.as, sea = at.sea, to = this.to; + if(at.opt.faith && (msg._||noop).faith){ // you probably shouldn't have faith in this! + this.to.next(msg); // why do we allow skipping security? I'm very scared about it actually. + return; // but so that way storage adapters that already verified something can get performance boost. This was a community requested feature. If anybody finds an exploit with it, please report immediately. It should only be exploitable if you have XSS control anyways, which if you do, you can bypass security regardless of this. + } if(msg.get){ // if there is a request to read data from us, then... var soul = msg.get['#']; diff --git a/sea/index.js b/sea/index.js index 56afb70a..2a0b42eb 100644 --- a/sea/index.js +++ b/sea/index.js @@ -55,10 +55,6 @@ } var ctx = this.as; (msg._||(msg._=function(){})).user = ctx.user; - if(ctx.opt.faith && msg._.faith){ // you probably shouldn't have faith in this! - this.to.next(msg); - return; - } security.call(this, msg); } @@ -67,6 +63,10 @@ // This is broken down into some pretty clear edge cases, let's go over them: function security(msg){ var at = this.as, sea = at.sea, to = this.to; + if(at.opt.faith && (msg._||noop).faith){ // you probably shouldn't have faith in this! + this.to.next(msg); // why do we allow skipping security? I'm very scared about it actually. + return; // but so that way storage adapters that already verified something can get performance boost. This was a community requested feature. If anybody finds an exploit with it, please report immediately. It should only be exploitable if you have XSS control anyways, which if you do, you can bypass security regardless of this. + } if(msg.get){ // if there is a request to read data from us, then... var soul = msg.get['#']; diff --git a/test/tmp/tmp.html b/test/tmp/tmp.html index 39e50963..ae263152 100644 --- a/test/tmp/tmp.html +++ b/test/tmp/tmp.html @@ -18,8 +18,9 @@ var db = Gun({faith: true}); setTimeout(function(){ - console.log(db.get(window.SOUL)._.put); - return; + //return; + //console.log(db.get(window.SOUL)._.put); + //return; db.get(window.SOUL).once(function(data){ console.log('oye!', data); }) @@ -27,8 +28,8 @@ setTimeout(function(){ function test(result, dedupId){ setTimeout(function(){ if (result) { - var foo = function(){}; foo.faith = true; - db.on('in').to.next({ + var foo = function(){}; foo.faith = false; + db.on('in', { '@': dedupId, from: 'local', put: { [Gun.node.soul(result)]: result }, @@ -44,7 +45,7 @@ test(window.foo = {"_":{"#": window.SOUL = "nab/things/1d0f60a50f65b95dd91036836 "author":"{\":\":\"go1dfish\",\"~\":\"ovwCbuQeYp5rRABi9bTNKcEeeFXEiozWG28aRCl+MjOMNeqOxDEKIsnsgYgJmmSXvNhe/MpuL3376nL0vTN6qA==\"}", "authorId":"{\":\":\"JG43ynRxqjy1-AemyMUoz14UqKM6cnh7zSPy_EAPgts.RCZ5dY7iRaIW_B7cDBlBsDNKwn2QCtbbA1uQ6iL8ENw\",\"~\":\"ekhiqU7UP1M8nHxBFv8QItNBIstP6zuQBtutk6sqMBNaN/2U9BAjb7Vjsogj23kphEMHeCSgO7AqaOE3cOZiyg==\"}", "timestamp":"{\":\":1557772735666,\"~\":\"Z2AiDehqJKrbRlXXUllkwWjOEn5//HnjjTMdgNz2j8K/Bw5XPK1g0huVQsfWdKOKfr9XU7Y5sY2N526V13O4XA==\"}","kind":"{\":\":\"submission\",\"~\":\"KwjYOjPnpZH85VVOHZAxLm2Ntd/0p3o74sLEGtTf7grBCKb0pzDo7yERjWIaTEiQJ2IFEtu43V/vzhZMTvuvUQ==\"}"}) -db.get(window.SOUL); +//db.get(window.SOUL); \ No newline at end of file