fix(config): add whitelisting for interface config

For now all keys are whitelisted.
FeracodeBR · Oct 11, 2019 · 1010f53 · 1010f53
1 parent f7a526f
commit 1010f53
Show file tree

Hide file tree

Showing 4 changed files with 223 additions and 145 deletions.
diff --git a/interface_config.js b/interface_config.js
@@ -221,6 +221,13 @@ var interfaceConfig = {
      * milliseconds, those notifications should remain displayed.
      */
     // ENFORCE_NOTIFICATION_AUTO_DISMISS_TIMEOUT: 15000,
+
+    // List of undocumented settings
+    /**
+     INDICATOR_FONT_SIZES
+     MOBILE_DYNAMIC_LINK
+     PHONE_NUMBER_REGEX
+    */
 };
 
 /* eslint-enable no-unused-vars, no-var, max-len */
diff --git a/react/features/base/config/configWhitelist.js b/react/features/base/config/configWhitelist.js
@@ -0,0 +1,137 @@
+/**
+ * The config keys to whitelist, the keys that can be overridden.
+ * Currently we can only whitelist the first part of the properties, like
+ * 'p2p.useStunTurn' and 'p2p.enabled' we whitelist all p2p options.
+ * The whitelist is used only for config.js.
+ *
+ * @type Array
+ */
+export default [
+    '_desktopSharingSourceDevice',
+    '_peerConnStatusOutOfLastNTimeout',
+    '_peerConnStatusRtcMuteTimeout',
+    'abTesting',
+    'analytics.disabled',
+    'autoRecord',
+    'autoRecordToken',
+    'avgRtpStatsN',
+    'callFlowsEnabled',
+    'callStatsConfIDNamespace',
+    'callStatsID',
+    'callStatsSecret',
+
+    /**
+     * The display name of the CallKit call representing the conference/meeting
+     * associated with this config.js including while the call is ongoing in the
+     * UI presented by CallKit and in the system-wide call history. The property
+     * is meant for use cases in which the room name is not desirable as a
+     * display name for CallKit purposes and the desired display name is not
+     * provided in the form of a JWT callee. As the value is associated with a
+     * conference/meeting, the value makes sense not as a deployment-wide
+     * configuration, only as a runtime configuration override/overwrite
+     * provided by, for example, Jitsi Meet SDK for iOS.
+     *
+     * @type string
+     */
+    'callDisplayName',
+
+    /**
+     * The handle
+     * ({@link https://developer.apple.com/documentation/callkit/cxhandle}) of
+     * the CallKit call representing the conference/meeting associated with this
+     * config.js. The property is meant for use cases in which the room URL is
+     * not desirable as the handle for CallKit purposes. As the value is
+     * associated with a conference/meeting, the value makes sense not as a
+     * deployment-wide configuration, only as a runtime configuration
+     * override/overwrite provided by, for example, Jitsi Meet SDK for iOS.
+     *
+     * @type string
+     */
+    'callHandle',
+
+    /**
+     * The UUID of the CallKit call representing the conference/meeting
+     * associated with this config.js. The property is meant for use cases in
+     * which Jitsi Meet is to work with a CallKit call created outside of Jitsi
+     * Meet and to be adopted by Jitsi Meet such as, for example, an incoming
+     * and/or outgoing CallKit call created by Jitsi Meet SDK for iOS
+     * clients/consumers prior to giving control to Jitsi Meet. As the value is
+     * associated with a conference/meeting, the value makes sense not as a
+     * deployment-wide configuration, only as a runtime configuration
+     * override/overwrite provided by, for example, Jitsi Meet SDK for iOS.
+     *
+     * @type string
+     */
+    'callUUID',
+
+    'channelLastN',
+    'constraints',
+    'debug',
+    'debugAudioLevels',
+    'defaultLanguage',
+    'desktopSharingChromeDisabled',
+    'desktopSharingChromeExtId',
+    'desktopSharingChromeMinExtVersion',
+    'desktopSharingChromeSources',
+    'desktopSharingFrameRate',
+    'desktopSharingFirefoxDisabled',
+    'desktopSharingSources',
+    'disable1On1Mode',
+    'disableAEC',
+    'disableAGC',
+    'disableAP',
+    'disableAudioLevels',
+    'disableDeepLinking',
+    'disableH264',
+    'disableHPF',
+    'disableNS',
+    'disableRemoteControl',
+    'disableRtx',
+    'disableSuspendVideo',
+    'displayJids',
+    'e2eping',
+    'enableDisplayNameInStats',
+    'enableLayerSuspension',
+    'enableLipSync',
+    'disableLocalVideoFlip',
+    'enableRemb',
+    'enableStatsID',
+    'enableTalkWhileMuted',
+    'enableTcc',
+    'etherpad_base',
+    'failICE',
+    'fileRecordingsEnabled',
+    'firefox_fake_device',
+    'forceJVB121Ratio',
+    'gatherStats',
+    'googleApiApplicationClientID',
+    'hiddenDomain',
+    'hosts',
+    'iAmRecorder',
+    'iAmSipGateway',
+    'iceTransportPolicy',
+    'ignoreStartMuted',
+    'liveStreamingEnabled',
+    'localRecording',
+    'minParticipants',
+    'nick',
+    'openBridgeChannel',
+    'p2p',
+    'preferH264',
+    'requireDisplayName',
+    'resolution',
+    'startAudioMuted',
+    'startAudioOnly',
+    'startBitrate',
+    'startSilent',
+    'startScreenSharing',
+    'startVideoMuted',
+    'startWithVideoMuted',
+    'subject',
+    'testing',
+    'useIPv6',
+    'useNicks',
+    'useStunTurn',
+    'webrtcIceTcpDisable',
+    'webrtcIceUdpDisable'
+];
diff --git a/react/features/base/config/functions.any.js b/react/features/base/config/functions.any.js
@@ -2,152 +2,14 @@
 
 import _ from 'lodash';
 
+import CONFIG_WHITELIST from './configWhitelist';
 import { _CONFIG_STORE_PREFIX } from './constants';
+import INTERFACE_CONFIG_WHITELIST from './interfaceConfigWhitelist';
 import parseURLParams from './parseURLParams';
 import logger from './logger';
 
 declare var $: Object;
 
-/**
- * The config keys to whitelist, the keys that can be overridden.
- * Currently we can only whitelist the first part of the properties, like
- * 'p2p.useStunTurn' and 'p2p.enabled' we whitelist all p2p options.
- * The whitelist is used only for config.js.
- *
- * @private
- * @type Array
- */
-const WHITELISTED_KEYS = [
-    '_desktopSharingSourceDevice',
-    '_peerConnStatusOutOfLastNTimeout',
-    '_peerConnStatusRtcMuteTimeout',
-    'abTesting',
-    'analytics.disabled',
-    'autoRecord',
-    'autoRecordToken',
-    'avgRtpStatsN',
-    'callFlowsEnabled',
-    'callStatsConfIDNamespace',
-    'callStatsID',
-    'callStatsSecret',
-
-    /**
-     * The display name of the CallKit call representing the conference/meeting
-     * associated with this config.js including while the call is ongoing in the
-     * UI presented by CallKit and in the system-wide call history. The property
-     * is meant for use cases in which the room name is not desirable as a
-     * display name for CallKit purposes and the desired display name is not
-     * provided in the form of a JWT callee. As the value is associated with a
-     * conference/meeting, the value makes sense not as a deployment-wide
-     * configuration, only as a runtime configuration override/overwrite
-     * provided by, for example, Jitsi Meet SDK for iOS.
-     *
-     * @type string
-     */
-    'callDisplayName',
-
-    /**
-     * The handle
-     * ({@link https://developer.apple.com/documentation/callkit/cxhandle}) of
-     * the CallKit call representing the conference/meeting associated with this
-     * config.js. The property is meant for use cases in which the room URL is
-     * not desirable as the handle for CallKit purposes. As the value is
-     * associated with a conference/meeting, the value makes sense not as a
-     * deployment-wide configuration, only as a runtime configuration
-     * override/overwrite provided by, for example, Jitsi Meet SDK for iOS.
-     *
-     * @type string
-     */
-    'callHandle',
-
-    /**
-     * The UUID of the CallKit call representing the conference/meeting
-     * associated with this config.js. The property is meant for use cases in
-     * which Jitsi Meet is to work with a CallKit call created outside of Jitsi
-     * Meet and to be adopted by Jitsi Meet such as, for example, an incoming
-     * and/or outgoing CallKit call created by Jitsi Meet SDK for iOS
-     * clients/consumers prior to giving control to Jitsi Meet. As the value is
-     * associated with a conference/meeting, the value makes sense not as a
-     * deployment-wide configuration, only as a runtime configuration
-     * override/overwrite provided by, for example, Jitsi Meet SDK for iOS.
-     *
-     * @type string
-     */
-    'callUUID',
-
-    'channelLastN',
-    'constraints',
-    'debug',
-    'debugAudioLevels',
-    'defaultLanguage',
-    'desktopSharingChromeDisabled',
-    'desktopSharingChromeExtId',
-    'desktopSharingChromeMinExtVersion',
-    'desktopSharingChromeSources',
-    'desktopSharingFrameRate',
-    'desktopSharingFirefoxDisabled',
-    'desktopSharingSources',
-    'disable1On1Mode',
-    'disableAEC',
-    'disableAGC',
-    'disableAP',
-    'disableAudioLevels',
-    'disableDeepLinking',
-    'disableH264',
-    'disableHPF',
-    'disableNS',
-    'disableRemoteControl',
-    'disableRtx',
-    'disableSuspendVideo',
-    'displayJids',
-    'e2eping',
-    'enableDisplayNameInStats',
-    'enableLayerSuspension',
-    'enableLipSync',
-    'disableLocalVideoFlip',
-    'enableRemb',
-    'enableStatsID',
-    'enableTalkWhileMuted',
-    'enableTcc',
-    'etherpad_base',
-    'failICE',
-    'fileRecordingsEnabled',
-    'firefox_fake_device',
-    'forceJVB121Ratio',
-    'gatherStats',
-    'googleApiApplicationClientID',
-    'hiddenDomain',
-    'hosts',
-    'iAmRecorder',
-    'iAmSipGateway',
-    'iceTransportPolicy',
-    'ignoreStartMuted',
-    'liveStreamingEnabled',
-    'localRecording',
-    'minParticipants',
-    'nick',
-    'openBridgeChannel',
-    'p2p',
-    'preferH264',
-    'requireDisplayName',
-    'resolution',
-    'startAudioMuted',
-    'startAudioOnly',
-    'startBitrate',
-    'startSilent',
-    'startScreenSharing',
-    'startVideoMuted',
-    'startWithAudioMuted',
-    'startWithVideoMuted',
-    'subject',
-    'testing',
-    'useIPv6',
-    'useNicks',
-    'useStunTurn',
-    'webrtcIceTcpDisable',
-    'webrtcIceUdpDisable'
-];
-
 // XXX The functions getRoomName and parseURLParams are split out of
 // functions.js because they are bundled in both app.bundle and
 // do_external_connect, webpack 1 does not support tree shaking, and we don't
@@ -306,8 +168,8 @@ export function overrideConfigJSON(
 /* eslint-enable max-params, no-shadow */
 
 /**
- * Whitelist only config.js, skips this for others configs
- * (interfaceConfig, loggingConfig).
+ * Apply whitelist filtering for configs with whitelists, skips this for others
+ * configs (loggingConfig).
  * Only extracts overridden values for keys we allow to be overridden.
  *
  * @param {string} configName - The config name, one of config,
@@ -318,11 +180,13 @@ export function overrideConfigJSON(
  * that are whitelisted.
  */
 function _getWhitelistedJSON(configName, configJSON) {
-    if (configName !== 'config') {
-        return configJSON;
+    if (configName === 'interfaceConfig') {
+        return _.pick(configJSON, INTERFACE_CONFIG_WHITELIST);
+    } else if (configName === 'config') {
+        return _.pick(configJSON, CONFIG_WHITELIST);
     }
 
-    return _.pick(configJSON, WHITELISTED_KEYS);
+    return configJSON;
 }
 
 /**