restrict replaceSecretPlaceholder to cors with allowWhitelist (#4102)

and cleanup spelling

Author: khassel

cspell.config.json

@@ -13,9 +13,12 @@
 		"armv",
 		"ashishtank",
 		"autoplay",
+		"avghumidity",
+		"avgtemp",
 		"Autorestart",
 		"beada",
 		"Behaviour",
+		"Beschreibung",
 		"Binney",
 		"bluemanos",
 		"bnitkin",
@@ -111,6 +114,7 @@
 		"flopp",
 		"fontawesome",
 		"fontface",
+		"forecastday",
 		"forecastweather",
 		"fortawesome",
 		"frameguard",
@@ -186,14 +190,18 @@
 		"luxon",
 		"lxsession",
 		"magicmirror",
+		"mapbox",
 		"martingron",
 		"marvai",
 		"mastermerge",
 		"matchtype",
 		"maxentries",
+		"maxtemp",
+		"maxwind",
 		"Meteo",
 		"michaelteeuw",
 		"michmich",
+		"mintemp",
 		"Midori",
 		"mirontoli",
 		"MISSINGLANG",
@@ -212,7 +220,9 @@
 		"NEWSFEED",
 		"newsfeedfetcher",
 		"newsfetcher",
+		"newyear",
 		"newsitems",
+		"nextdaysrelative",
 		"nfogal",
 		"njwilliams",
 		"nonrepeating",
@@ -239,8 +249,10 @@
 		"pmin",
 		"Português",
 		"PRECIP",
+		"precips",
 		"Problema",
 		"psieg",
+		"ptype",
 		"pubdate",
 		"radokristof",
 		"rajniszp",
@@ -255,12 +267,14 @@
 		"Rosso",
 		"Rothfusz",
 		"rrule",
+		"sameorigin",
 		"savvadam",
 		"sdetweil",
 		"searchstr",
 		"sendheaders",
 		"serveronly",
 		"sexualized",
+		"showend",
 		"Sitecode",
 		"skpanagiotis",
 		"SMHI",
@@ -295,8 +309,11 @@
 		"timeformat",
 		"titlereplacestr",
 		"titlesearchstr",
+		"TOCTOU",
 		"todaytemp",
 		"tomzt",
+		"totalprecip",
+		"totalsnow",
 		"trunc",
 		"ttlms",
 		"ukmetoffice",
@@ -317,6 +334,7 @@
 		"Vorberechnung",
 		"vppencilsharpener",
 		"Wallys",
+		"weatherapi",
 		"Weatherbit",
 		"weathercode",
 		"WEATHERDATA",
@@ -336,6 +354,7 @@
 		"Woolridge",
 		"worktree",
 		"Wsymb",
+		"xhvw",
 		"xlarge",
 		"xmark",
 		"xrandr",

js/server_functions.js

@@ -22,9 +22,14 @@ function getStartup (req, res) {
  * @returns {string} the input with real variable content
  */
 function replaceSecretPlaceholder (input) {
-	return input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g, (match, group) => {
-		return process.env[group];
-	});
+	if (global.config.cors === "allowWhitelist") {
+		return input.replaceAll(/\*\*(SECRET_[^*]+)\*\*/g, (match, group) => {
+			return process.env[group];
+		});
+	} else {
+		Log.error("Replacing secrets works only with CORS and `allowWhitelist`, you need to set this in `config.js`, set `cors: allowWhitelist`");
+		return input;
+	}
 }
 
 /**

tests/unit/functions/server_functions_spec.js

@@ -8,7 +8,11 @@ const undici = require("undici");
 const { cors, getUserAgent, replaceSecretPlaceholder } = require("#server_functions");
 
 describe("server_functions tests", () => {
-	describe("The replaceSecretPlaceholder method", () => {
+	describe("The replaceSecretPlaceholder method with cors=allowWhitelist", () => {
+		beforeEach(() => {
+			global.config = { cors: "allowWhitelist" };
+		});
+
 		it("Calls string without secret placeholder", () => {
 			const teststring = "test string without secret placeholder";
 			const result = replaceSecretPlaceholder(teststring);
@@ -25,6 +29,24 @@ describe("server_functions tests", () => {
 		});
 	});
 
+	describe("The replaceSecretPlaceholder method with cors=allowAll", () => {
+		beforeEach(() => {
+			global.config = { cors: "allowAll" };
+		});
+
+		it("Calls string without secret placeholder", () => {
+			const teststring = "test string without secret placeholder";
+			const result = replaceSecretPlaceholder(teststring);
+			expect(result).toBe(teststring);
+		});
+
+		it("Calls string with 2 secret placeholders", () => {
+			const teststring = "test string with secret1=**SECRET_ONE** and secret2=**SECRET_TWO**";
+			const result = replaceSecretPlaceholder(teststring);
+			expect(result).toBe(teststring);
+		});
+	});
+
 	describe("The cors method", () => {
 		let fetchSpy;
 		let fetchResponseHeadersGet;