fix(config): add whitelisting for interface config

For now all keys are whitelisted.
2019-09-25 10:49:29 -07:00 · 2019-09-25 10:49:29 -07:00 · 1010f53a84
parent f7a526f488
commit 1010f53a84
4 changed files with 223 additions and 145 deletions
--- a/interface_config.js
+++ b/interface_config.js
@ -221,6 +221,13 @@ var interfaceConfig = {
     * milliseconds, those notifications should remain displayed.
     */
    // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
    // List of undocumented settings
    /**
     INDICATOR_FONT_SIZES
     MOBILE_DYNAMIC_LINK
     PHONE_NUMBER_REGEX
    */
 };
 /* eslint-enable no-unused-vars, no-var, max-len */
--- a/react/features/base/config/configWhitelist.js
+++ b/react/features/base/config/configWhitelist.js
@ -0,0 +1,137 @@
 /**
 * The config keys to whitelist, the keys that can be overridden.
 * Currently we can only whitelist the first part of the properties, like
 * 'p2p.useStunTurn' and 'p2p.enabled' we whitelist all p2p options.
 * The whitelist is used only for config.js.
 *
 * @type Array
 */
 export default [
    '_desktopSharingSourceDevice',
    '_peerConnStatusOutOfLastNTimeout',
    '_peerConnStatusRtcMuteTimeout',
    'abTesting',
    'analytics.disabled',
    'autoRecord',
    'autoRecordToken',
    'avgRtpStatsN',
    'callFlowsEnabled',
    'callStatsConfIDNamespace',
    'callStatsID',
    'callStatsSecret',
    /**
     * The display name of the CallKit call representing the conference/meeting
     * associated with this config.js including while the call is ongoing in the
     * UI presented by CallKit and in the system-wide call history. The property
     * is meant for use cases in which the room name is not desirable as a
     * display name for CallKit purposes and the desired display name is not
     * provided in the form of a JWT callee. As the value is associated with a
     * conference/meeting, the value makes sense not as a deployment-wide
     * configuration, only as a runtime configuration override/overwrite
     * provided by, for example, Jitsi Meet SDK for iOS.
     *
     * @type string
     */
    'callDisplayName',
    /**
     * The handle
     * ({@link https://developer.apple.com/documentation/callkit/cxhandle}) of
     * the CallKit call representing the conference/meeting associated with this
     * config.js. The property is meant for use cases in which the room URL is
     * not desirable as the handle for CallKit purposes. As the value is
     * associated with a conference/meeting, the value makes sense not as a
     * deployment-wide configuration, only as a runtime configuration
     * override/overwrite provided by, for example, Jitsi Meet SDK for iOS.
     *
     * @type string
     */
    'callHandle',
    /**
     * The UUID of the CallKit call representing the conference/meeting
     * associated with this config.js. The property is meant for use cases in
     * which Jitsi Meet is to work with a CallKit call created outside of Jitsi
     * Meet and to be adopted by Jitsi Meet such as, for example, an incoming
     * and/or outgoing CallKit call created by Jitsi Meet SDK for iOS
     * clients/consumers prior to giving control to Jitsi Meet. As the value is
     * associated with a conference/meeting, the value makes sense not as a
     * deployment-wide configuration, only as a runtime configuration
     * override/overwrite provided by, for example, Jitsi Meet SDK for iOS.
     *
     * @type string
     */
    'callUUID',
    'channelLastN',
    'constraints',
    'debug',
    'debugAudioLevels',
    'defaultLanguage',
    'desktopSharingChromeDisabled',
    'desktopSharingChromeExtId',
    'desktopSharingChromeMinExtVersion',
    'desktopSharingChromeSources',
    'desktopSharingFrameRate',
    'desktopSharingFirefoxDisabled',
    'desktopSharingSources',
    'disable1On1Mode',
    'disableAEC',
    'disableAGC',
    'disableAP',
    'disableAudioLevels',
    'disableDeepLinking',
    'disableH264',
    'disableHPF',
    'disableNS',
    'disableRemoteControl',
    'disableRtx',
    'disableSuspendVideo',
    'displayJids',
    'e2eping',
    'enableDisplayNameInStats',
    'enableLayerSuspension',
    'enableLipSync',
    'disableLocalVideoFlip',
    'enableRemb',
    'enableStatsID',
    'enableTalkWhileMuted',
    'enableTcc',
    'etherpad_base',
    'failICE',
    'fileRecordingsEnabled',
    'firefox_fake_device',
    'forceJVB121Ratio',
    'gatherStats',
    'googleApiApplicationClientID',
    'hiddenDomain',
    'hosts',
    'iAmRecorder',
    'iAmSipGateway',
    'iceTransportPolicy',
    'ignoreStartMuted',
    'liveStreamingEnabled',
    'localRecording',
    'minParticipants',
    'nick',
    'openBridgeChannel',
    'p2p',
    'preferH264',
    'requireDisplayName',
    'resolution',
    'startAudioMuted',
    'startAudioOnly',
    'startBitrate',
    'startSilent',
    'startScreenSharing',
    'startVideoMuted',
    'startWithVideoMuted',
    'subject',
    'testing',
    'useIPv6',
    'useNicks',
    'useStunTurn',
    'webrtcIceTcpDisable',
    'webrtcIceUdpDisable'
 ];
--- a/react/features/base/config/functions.any.js
+++ b/react/features/base/config/functions.any.js
@ -2,152 +2,14 @@
 import _ from 'lodash';
 import CONFIG_WHITELIST from './configWhitelist';
 import { _CONFIG_STORE_PREFIX } from './constants';
 import INTERFACE_CONFIG_WHITELIST from './interfaceConfigWhitelist';
 import parseURLParams from './parseURLParams';
 import logger from './logger';
 declare var $: Object;
 /**
 * The config keys to whitelist, the keys that can be overridden.
 * Currently we can only whitelist the first part of the properties, like
 * 'p2p.useStunTurn' and 'p2p.enabled' we whitelist all p2p options.
 * The whitelist is used only for config.js.
 *
 * @private
 * @type Array
 */
 const WHITELISTED_KEYS = [
    '_desktopSharingSourceDevice',
    '_peerConnStatusOutOfLastNTimeout',
    '_peerConnStatusRtcMuteTimeout',
    'abTesting',
    'analytics.disabled',
    'autoRecord',
    'autoRecordToken',
    'avgRtpStatsN',
    'callFlowsEnabled',
    'callStatsConfIDNamespace',
    'callStatsID',
    'callStatsSecret',
    /**
     * The display name of the CallKit call representing the conference/meeting
     * associated with this config.js including while the call is ongoing in the
     * UI presented by CallKit and in the system-wide call history. The property
     * is meant for use cases in which the room name is not desirable as a
     * display name for CallKit purposes and the desired display name is not
     * provided in the form of a JWT callee. As the value is associated with a
     * conference/meeting, the value makes sense not as a deployment-wide
     * configuration, only as a runtime configuration override/overwrite
     * provided by, for example, Jitsi Meet SDK for iOS.
     *
     * @type string
     */
    'callDisplayName',
    /**
     * The handle
     * ({@link https://developer.apple.com/documentation/callkit/cxhandle}) of
     * the CallKit call representing the conference/meeting associated with this
     * config.js. The property is meant for use cases in which the room URL is
     * not desirable as the handle for CallKit purposes. As the value is
     * associated with a conference/meeting, the value makes sense not as a
     * deployment-wide configuration, only as a runtime configuration
     * override/overwrite provided by, for example, Jitsi Meet SDK for iOS.
     *
     * @type string
     */
    'callHandle',
    /**
     * The UUID of the CallKit call representing the conference/meeting
     * associated with this config.js. The property is meant for use cases in
     * which Jitsi Meet is to work with a CallKit call created outside of Jitsi
     * Meet and to be adopted by Jitsi Meet such as, for example, an incoming
     * and/or outgoing CallKit call created by Jitsi Meet SDK for iOS
     * clients/consumers prior to giving control to Jitsi Meet. As the value is
     * associated with a conference/meeting, the value makes sense not as a
     * deployment-wide configuration, only as a runtime configuration
     * override/overwrite provided by, for example, Jitsi Meet SDK for iOS.
     *
     * @type string
     */
    'callUUID',
    'channelLastN',
    'constraints',
    'debug',
    'debugAudioLevels',
    'defaultLanguage',
    'desktopSharingChromeDisabled',
    'desktopSharingChromeExtId',
    'desktopSharingChromeMinExtVersion',
    'desktopSharingChromeSources',
    'desktopSharingFrameRate',
    'desktopSharingFirefoxDisabled',
    'desktopSharingSources',
    'disable1On1Mode',
    'disableAEC',
    'disableAGC',
    'disableAP',
    'disableAudioLevels',
    'disableDeepLinking',
    'disableH264',
    'disableHPF',
    'disableNS',
    'disableRemoteControl',
    'disableRtx',
    'disableSuspendVideo',
    'displayJids',
    'e2eping',
    'enableDisplayNameInStats',
    'enableLayerSuspension',
    'enableLipSync',
    'disableLocalVideoFlip',
    'enableRemb',
    'enableStatsID',
    'enableTalkWhileMuted',
    'enableTcc',
    'etherpad_base',
    'failICE',
    'fileRecordingsEnabled',
    'firefox_fake_device',
    'forceJVB121Ratio',
    'gatherStats',
    'googleApiApplicationClientID',
    'hiddenDomain',
    'hosts',
    'iAmRecorder',
    'iAmSipGateway',
    'iceTransportPolicy',
    'ignoreStartMuted',
    'liveStreamingEnabled',
    'localRecording',
    'minParticipants',
    'nick',
    'openBridgeChannel',
    'p2p',
    'preferH264',
    'requireDisplayName',
    'resolution',
    'startAudioMuted',
    'startAudioOnly',
    'startBitrate',
    'startSilent',
    'startScreenSharing',
    'startVideoMuted',
    'startWithAudioMuted',
    'startWithVideoMuted',
    'subject',
    'testing',
    'useIPv6',
    'useNicks',
    'useStunTurn',
    'webrtcIceTcpDisable',
    'webrtcIceUdpDisable'
 ];
 // XXX The functions getRoomName and parseURLParams are split out of
 // functions.js because they are bundled in both app.bundle and
 // do_external_connect, webpack 1 does not support tree shaking, and we don't
@ -306,8 +168,8 @@ export function overrideConfigJSON(
 /* eslint-enable max-params, no-shadow */
 /**
- * Whitelist only config.js, skips this for others configs
+ * Apply whitelist filtering for configs with whitelists, skips this for others
- * (interfaceConfig, loggingConfig).
+ * configs (loggingConfig).
 * Only extracts overridden values for keys we allow to be overridden.
 *
 * @param {string} configName - The config name, one of config,
@ -318,11 +180,13 @@ export function overrideConfigJSON(
 * that are whitelisted.
 */
 function _getWhitelistedJSON(configName, configJSON) {
-    if (configName !== 'config') {
+    if (configName === 'interfaceConfig') {
-        return configJSON;
+        return _.pick(configJSON, INTERFACE_CONFIG_WHITELIST);
    } else if (configName === 'config') {
        return _.pick(configJSON, CONFIG_WHITELIST);
    }
-    return _.pick(configJSON, WHITELISTED_KEYS);
+    return configJSON;
 }
 /**
--- a/react/features/base/config/interfaceConfigWhitelist.js
+++ b/react/features/base/config/interfaceConfigWhitelist.js
@ -0,0 +1,70 @@
 /**
 * The interface config keys to whitelist, the keys that can be overridden.
 *
 * @private
 * @type Array
 */
 export default [
    'ANDROID_APP_PACKAGE',
    'APP_NAME',
    'APP_SCHEME',
    'AUDIO_LEVEL_PRIMARY_COLOR',
    'AUDIO_LEVEL_SECONDARY_COLOR',
    'AUTHENTICATION_ENABLE',
    'AUTO_PIN_LATEST_SCREEN_SHARE',
    'BRAND_WATERMARK_LINK',
    'CLOSE_PAGE_GUEST_HINT',
    'CONNECTION_INDICATOR_AUTO_HIDE_ENABLED',
    'CONNECTION_INDICATOR_AUTO_HIDE_TIMEOUT',
    'CONNECTION_INDICATOR_DISABLED',
    'DEFAULT_BACKGROUND',
    'DEFAULT_LOCAL_DISPLAY_NAME',
    'DEFAULT_REMOTE_DISPLAY_NAME',
    'DISABLE_DOMINANT_SPEAKER_INDICATOR',
    'DISABLE_FOCUS_INDICATOR',
    'DISABLE_RINGING',
    'DISABLE_TRANSCRIPTION_SUBTITLES',
    'DISABLE_VIDEO_BACKGROUND',
    'DISPLAY_WELCOME_PAGE_CONTENT',
    'ENABLE_FEEDBACK_ANIMATION',
    'ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT',
    'FILM_STRIP_MAX_HEIGHT',
    'GENERATE_ROOMNAMES_ON_WELCOME_PAGE',
    'INDICATOR_FONT_SIZES',
    'INITIAL_TOOLBAR_TIMEOUT',
    'INVITATION_POWERED_BY',
    'JITSI_WATERMARK_LINK',
    'LANG_DETECTION',
    'LIVE_STREAMING_HELP_LINK',
    'LOCAL_THUMBNAIL_RATIO',
    'MAXIMUM_ZOOMING_COEFFICIENT',
    'MOBILE_APP_PROMO',
    'MOBILE_DOWNLOAD_LINK_ANDROID',
    'MOBILE_DOWNLOAD_LINK_IOS',
    'MOBILE_DYNAMIC_LINK',
    'NATIVE_APP_NAME',
    'OPTIMAL_BROWSERS',
    'PHONE_NUMBER_REGEX',
    'POLICY_LOGO',
    'PROVIDER_NAME',
    'RANDOM_AVATAR_URL_PREFIX',
    'RANDOM_AVATAR_URL_SUFFIX',
    'RECENT_LIST_ENABLED',
    'REMOTE_THUMBNAIL_RATIO',
    'SETTINGS_SECTIONS',
    'SHOW_BRAND_WATERMARK',
    'SHOW_DEEP_LINKING_IMAGE',
    'SHOW_JITSI_WATERMARK',
    'SHOW_POWERED_BY',
    'SHOW_WATERMARK_FOR_GUESTS',
    'SUPPORT_URL',
    'TILE_VIEW_MAX_COLUMNS',
    'TOOLBAR_ALWAYS_VISIBLE',
    'TOOLBAR_BUTTONS',
    'TOOLBAR_TIMEOUT',
    'UNSUPPORTED_BROWSERS',
    'VERTICAL_FILMSTRIP',
    'VIDEO_LAYOUT_FIT',
    'VIDEO_QUALITY_LABEL_DISABLED',
    'filmStripOnly'
 ];