Data collection, validation, and processing framework for JavaScript [archive]
Mike Gerwitz 6733556582 Remove hard-coded skey
This wasn't intended to make its way into a public repo. :)

The existing key was a long-forgotten kluge that was supposed to be
temporary, allowing internal services to create quotes without
authentication.  The chances of this being practically exploited are minimal
in our environment, and it's auditable using webserver logs.

This moves the skey into a configuration file, which allows it to vary by
server and be rotated until a better solution is made available.  skey is
disabled by default (empty string), and when used by us internally, the keys
are now generated using a CSPRNG rather than a brute-forceable 5-byte key
that was hard-coded.

The fact that this appears in webserver logs is a big issue as well.  I
added a task to address that.

* conf/vanilla-server.json (skey): New key.  Default empty.
* src/server/daemon/Daemon.js (start): Provide skey to `#getRouters'.
  (getRouters): Provide skey to `#getProgramController'.
  (getProgramController): Set skey on `controller'.
* src/server/daemon/controller.js (skey): New mutable export (unideal; quick
    change).
  (has_skey): Use it.
2018-04-03 15:29:47 -04:00
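
The configuration-based scheme described in the commit message above, sketched as an added example (not liza's code and not taken from the commit). The names `generateSkey`, `loadSkey` and `skeyMatches`, the flat `{ skey }` configuration shape, the 32-byte key size and the constant-time comparison are all assumptions made for illustration.

```javascript
'use strict';
const crypto = require('crypto');

// Generate a key from the OS CSPRNG, hex-encoded for use in a JSON file.
// 32 bytes (256 bits) is an assumed size, not one stated on the page.
function generateSkey(bytes = 32) {
    return crypto.randomBytes(bytes).toString('hex');
}

// Read the key from a parsed configuration object (assumed flat shape).
// Anything that is not a string is treated like the empty default: disabled.
function loadSkey(conf) {
    const skey = conf && conf.skey;
    return (typeof skey === 'string') ? skey : '';
}

// Decide whether a presented key is accepted.
function skeyMatches(configured, presented) {
    // An empty configured key means the feature is off. Without this guard a
    // plain equality test would accept an empty presented key.
    if (configured === '' || typeof presented !== 'string') {
        return false;
    }

    // Hash both sides so timingSafeEqual always receives equal-length
    // buffers, then compare in constant time.
    const a = crypto.createHash('sha256').update(configured).digest();
    const b = crypto.createHash('sha256').update(presented).digest();
    return crypto.timingSafeEqual(a, b);
}

// Constructed sample configurations: the shipped default and a rotated key.
const DISABLED_CONF = { skey: '' };
const ENABLED_CONF = { skey: generateSkey() };

console.log('disabled, empty key presented:',
    skeyMatches(loadSkey(DISABLED_CONF), ''));
console.log('enabled, correct key presented:',
    skeyMatches(loadSkey(ENABLED_CONF), ENABLED_CONF.skey));
console.log('enabled, wrong key presented:',
    skeyMatches(loadSkey(ENABLED_CONF), 'abcde'));
```
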
bin bin/server.in: exec 2017-10-06 11:18:56 -04:00
build-aux Generate version number from git state 2017-08-15 15:18:21 -04:00
conf Remove hard-coded skey 2018-04-03 15:29:47 -04:00
doc client: Truncate diff posted to server after first null 2018-03-07 13:46:05 -05:00
src Remove hard-coded skey 2018-04-03 15:29:47 -04:00
test GeneralStepUiTest: Fix failing test case in newer version of Node 2018-03-07 14:12:48 -05:00
tools LoVullo Associates => R-T Specialty 2017-06-08 14:48:43 -04:00
.gitignore Add bin/server to invoke server using configure'd node 2017-08-29 14:56:13 -04:00
.gitlab-ci.yml Only publish GitLab pages for tags 2017-08-23 14:29:51 -04:00
COPYING Placeholder README.md and license 2014-01-16 11:44:02 -05:00
COPYING.AGPL Near-complete liberation of liza 2017-06-08 14:38:28 -04:00
Makefile.am Add missing bin/server.js to distribution 2017-09-01 16:11:22 -04:00
README.hacking README.hacking: Mention of distdir 2018-02-06 15:46:23 -05:00
README.md Add information for invoking `make' 2017-09-06 14:18:02 -04:00
autogen.sh LoVullo Associates => R-T Specialty 2017-06-08 14:48:43 -04:00
configure.ac Add information for invoking `make' 2017-09-06 14:18:02 -04:00
index.js LoVullo Associates => R-T Specialty 2017-06-08 14:48:43 -04:00
npm-shrinkwrap.json Cmatch: Fix combined show/hide of same field, multi-index 2018-02-09 11:55:46 -05:00
package.json.in Update package.json license to {=>A}GPLv3+ 2017-09-08 14:23:34 -04:00
yarn.lock Add missing mongodb dependency 2017-06-20 14:17:03 -04:00

README.md

Liza Data Collection Framework

Liza is a data collection, validation, and processing framework for JavaScript.

About

The Liza Data Collection Framework—"Liza" for short—is an effort to clean up, formalize, and expand upon a framework that was developed at RT Specialty / LoVullo for collecting, validating, and processing large amounts of user input for insurance quoting.

Configuring

If your distribution does not contain a `configure' file in the project root, then you likely have the sources as committed to the project repository; you may generate the script by issuing the following command:

  $ ./autogen.sh

You may then see ./configure --help for more information.

Building

If configure is not available, see the section "Configuring" above.

  $ ./configure   # see --help for optional arguments
  $ make          # build
  $ make check    # run test cases

Documentation

Compiled documentation for the latest release is available via our GitLab mirror, which uses the same build pipeline as we do on our internal GitLab instance. Available formats are:

License

Liza is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

The liza server is licensed differently: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

The full licenses are available in COPYING and COPYING.AGPL.