Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-webui / 295132260f9cea7fbf84595c0e9884048ad66e34
commit295132260f9cea7fbf84595c0e9884048ad66e34[log] [tgz]
authorGunnar Mills <gmills@us.ibm.com>Tue Jan 08 15:14:11 2019 -0600
committerGunnar Mills <gmills@us.ibm.com>Tue Jan 08 15:42:25 2019 -0600
treeea8cf0c8c7ae39e6539960270dbdfb4a86e13a37
parent0a2cbd67103a4750e9262802d138fd64e4c265d2 [diff]
Address webpack-dev-server security vulnerability

Although we only use webpack-dev-server for development and
this isn't a security vulnerability for us, still going to fix.

From GitHub:

"We found a potential security vulnerability in one of your
dependencies.

Remediation
Upgrade webpack-dev-server to version 3.1.11 or later."

"An issue was discovered in lib/Server.js in webpack-dev-server
before 3.1.11. Attackers are able to steal developer's code because
the origin of requests is not checked by the WebSocket server,
which is used for HMR (Hot Module Replacement). Anyone can receive
the HMR message sent by the WebSocket server via a
ws://127.0.0.1:8080/ connection from any origin."

More information can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2018-14732

Edited webpack-dev-server in package.json to be 3.1.11 then
did a npm install to create the package-lock.json.

Tested: Launched the dev server and pointed it at a Witherspoon.
Change-Id: Id6615ce387db8c6e1d2b64ff1e059db9167e11d0
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
2 files changed
tree: ea8cf0c8c7ae39e6539960270dbdfb4a86e13a37
  1. app/
  2. .babelrc
  3. .clang-format
  4. .gitignore
  5. config.json
  6. format-code.sh
  7. karma.conf.js
  8. LICENSE
  9. MAINTAINERS
  10. package-lock.json
  11. package.json
  12. postcss.config.js
  13. README.md
  14. sonar-project.properties
  15. webpack.config.js
README.md

OpenBMC Web User Interface

The OpenBMC WebUI is a Web-based user interface for the OpenBMC firmware stack. The WebUI uses AngularJS. Features include:

  • View system overview data such as model information and serial number
  • View and manage event logs
  • View inventory data
  • View sensor data
  • Power On/Off server operations
  • Reboot BMC
  • Manage and update BMC and Host firmware
  • IPv4 network settings
  • SoL console

Requirements

nodejs (>= 4.2.6) npm (>= 5.6.0)

Note The default installation of your Linux distro may not come with the required versions above. See the following for more information on updating:

https://docs.npmjs.com/troubleshooting/try-the-latest-stable-version-of-node https://docs.npmjs.com/troubleshooting/try-the-latest-stable-version-of-npm

Installation

npm install

Note This must be run from within the phosphor-webui git repository.

Running locally

npm run-script server

This will start a server instance and begin listening for connections at http://localhost:8080. This development server provides live reloading on code changes. NOTE: Browsing to https://<BMC> and accepting the self-signed certificate might be required to prevent your browser from blocking traffic to the BMC.

Logging in

Enter the BMC Host or BMC IP address, username, and password. The default username and password are root/0penBmc.

Note that some OpenBMC implementations use bmcweb for its backend. For security reasons, bmcweb will need to be recompiled and loaded onto the target BMC Host before the above redirect command will work. The option to turn on within bmcweb is BMCWEB_INSECURE_DISABLE_XSS_PREVENTION.