
Posted (edited)

I received an alert on the Disk Space GitHub repo, that their security alert system had found an issue with the (older) chart.js library used in the plugin, and it had to be updated.

I've updated the chart library and released an updated version of the Emby plugin.

Make sure to install that updated version of the plugin. Perhaps even do a server restart to force that update if needed.

Thanks! 👍

EDIT: There may be three consecutive updates for Disk Space. All the way to 1.0.5.6.

Edited by chef
  • Thanks 3
Posted

Thanks Chef.

 

rbjtech
Posted
6 minutes ago, chef said:

I received an alert on the Disk Space GitHub repo, that their security alert system had found an issue with the (older) chart.js library used in the plugin, and it had to be updated.

I've updated the chart library and released an updated version of the Emby plugin.

Make sure to install that updated version of the plugin. Perhaps even do a server restart to force that update if needed.

Thanks! 👍

Pro-active security update !?  Well done Chef.. !  :)

  • Like 1
Posted (edited)

Just updated, but not seeing anything in the plugin 🤔

Seeing error messages in the server log.

 

2021-06-16 14:49:40.348 Info DiskSpaceService: DISK SPACE -- C:\
2021-06-16 14:49:40.350 Error DiskSpaceService: Index and length must refer to a location within the string. (Parameter 'length')
2021-06-16 14:49:40.350 Error DiskSpaceService: Index was outside the bounds of the array.
2021-06-16 14:49:40.350 Debug XmlSerializer: Deserializing file C:\Users\Media\AppData\Roaming\Emby-Server\plugins\configurations\DiskSpace.xml
2021-06-16 14:49:40.374 Debug XmlSerializer: Serializing to file C:\Users\Media\AppData\Roaming\Emby-Server\plugins\configurations\DiskSpace.xml
2021-06-16 14:49:40.380 Debug XmlSerializer: Deserializing file C:\Users\Media\AppData\Roaming\Emby-Server\config\notifications.xml
2021-06-16 14:49:40.392 Info DiskSpaceService: DISK SPACE -- F:\
2021-06-16 14:49:40.392 Error DiskSpaceService: Index and length must refer to a location within the string. (Parameter 'length')
2021-06-16 14:49:40.392 Error DiskSpaceService: Index was outside the bounds of the array.
2021-06-16 14:49:40.392 Debug XmlSerializer: Serializing to file C:\Users\Media\AppData\Roaming\Emby-Server\plugins\configurations\DiskSpace.xml
2021-06-16 14:49:40.393 Info DiskSpaceService: DISK SPACE -- V:\
2021-06-16 14:49:40.393 Error DiskSpaceService: Index and length must refer to a location within the string. (Parameter 'length')
2021-06-16 14:49:40.393 Error DiskSpaceService: Index was outside the bounds of the array.
2021-06-16 14:49:40.393 Debug XmlSerializer: Serializing to file C:\Users\Media\AppData\Roaming\Emby-Server\plugins\configurations\DiskSpace.xml
2021-06-16 14:49:40.394 Info DiskSpaceService: DISK SPACE -- X:\
2021-06-16 14:49:40.394 Error DiskSpaceService: Index and length must refer to a location within the string. (Parameter 'length')
2021-06-16 14:49:40.394 Error DiskSpaceService: Index was outside the bounds of the array.
2021-06-16 14:49:40.395 Debug XmlSerializer: Serializing to file C:\Users\Media\AppData\Roaming\Emby-Server\plugins\configurations\DiskSpace.xml
2021-06-16 14:49:40.398 Info DiskSpaceService: DISK SPACE -- Z:\
2021-06-16 14:49:40.398 Error DiskSpaceService: Index and length must refer to a location within the string. (Parameter 'length')
2021-06-16 14:49:40.399 Error DiskSpaceService: Index was outside the bounds of the array.
2021-06-16 14:49:40.399 Debug XmlSerializer: Serializing to file C:\Users\Media\AppData\Roaming\Emby-Server\plugins\configurations\DiskSpace.xml
2021-06-16 14:49:40.405 Info Server: http/1.1 Response 200 to 192.168.1.100. Time: 64ms. http://192.168.1.100/emby/GetTotalStorage?X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=85fe7d17-e124-420a-abcc-8343f2a4673b&X-Emby-Client-Version=4.7.0.2
2021-06-16 14:49:40.414 Info Server: http/1.1 GET http://192.168.1.100/web/configurationpage?name=Chart.bundle.js&v=4.7.0.2. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
2021-06-16 14:49:40.419 Error Server: Error processing request
	*** Error Report ***
	Version: 4.7.0.2
	Command line: C:\Users\Media\AppData\Roaming\Emby-Server\system\EmbyServer.dll -noautorunwebapp
	Operating system: Microsoft Windows 10.0.19043
	Framework: .NET Core 3.1.13
	OS/Process: x64/x64
	Runtime: C:/Users/Media/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll
	Processor count: 12
	Data path: C:\Users\Media\AppData\Roaming\Emby-Server
	Application path: C:\Users\Media\AppData\Roaming\Emby-Server\system
	MediaBrowser.Common.Extensions.ResourceNotFoundException: MediaBrowser.Common.Extensions.ResourceNotFoundException: Exception of type 'MediaBrowser.Common.Extensions.ResourceNotFoundException' was thrown.
	   at Emby.Web.Api.DashboardService.Get(GetDashboardConfigurationPage request)
	   at Emby.Server.Implementations.Services.ServiceController.Execute(HttpListenerHost appHost, Object requestDto, IRequest req)
	   at Emby.Server.Implementations.Services.ServiceHandler.ProcessRequestAsync(HttpListenerHost appHost, IRequest httpReq, IResponse httpRes, RestPath restPath, String responseContentType, CancellationToken cancellationToken)
	   at Emby.Server.Implementations.HttpServer.HttpListenerHost.RequestHandler(IRequest httpReq, ReadOnlyMemory`1 urlString, ReadOnlyMemory`1 localPath, CancellationToken cancellationToken)
	Source: Emby.Web
	TargetSite: System.Threading.Tasks.Task`1[System.Object] Get(Emby.Web.Api.GetDashboardConfigurationPage)

 


Edited by CBers
  • Like 1
Posted (edited)
2 minutes ago, CBers said:

Just updated, but not seeing anything in the plugin 🤔

Seeing error messages in the server log.

 



That's not good. Okay, let me see what's going on.

Edited by CBers
Removed identifiable information,
Posted

Could you do a clear browser cache?

Posted (edited)
4 minutes ago, chef said:

Could you do a clear browser cache?

Still the same.

Is it working OK for you?

Perhaps user error on my part 🤔
 

Edited by CBers
  • Thanks 1
Posted
Just now, CBers said:

Still the same.

 

Okay, I think I found what happened. I just need to fix some naming. 

  • Like 1
Posted

I put 1.0.5.5 into release. 

- fixed naming problems
- made sure the new chart.js was an embedded resource

Posted

But... There were changes with how the charts show used/available space....  it is now showing/calculating space in bytes.... I'm going to have to figure that out again. Darn!

I'll do that now.

  • Thanks 1
Posted

Welp! that was sort of a PITA. I had to quickly learn a whole bunch of new stuff. Geesh!

Looks like (from what I can tell) 1.0.5.6 (which has been released) is working.

  • Like 1
  • Thanks 1
Posted

Thanks Chef, that seems to be working OK now.
 

  • Thanks 1
Posted

@chef do you have a link to the security warning for Chart.js?

Posted
5 minutes ago, TeamB said:

@chef do you have a link to the security warning for Chart.js?

This is what was sent to me.

 

high severity
Vulnerable versions: < 2.9.4
Patched version: 2.9.4

This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) are deeply merged with provided options. However, during this operation, the keys of the object being set are not checked, leading to a prototype pollution.
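
The merge behaviour the advisory describes, as an added example that is not part of the original post and is not chart.js code: a generic recursive options merge without and with a key check, plus a check that reports whether `Object.prototype` was modified. The function names and the sample options are constructed for illustration.

```javascript
// Added example: a generic recursive options merge, not chart.js source.
// All names and the sample options below are constructed for illustration.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded merge: every key of `source` is followed, including "__proto__",
// so target["__proto__"] resolves to Object.prototype and gets written to.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded merge: rejects keys that reach the prototype chain and only
// descends into properties the target itself owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = mergeSafe(isPlainObject(own) ? own : {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Regression check: merge options parsed from JSON that carry a "__proto__"
// key, report whether unrelated objects now inherit the marker, then clean up.
function pollutesPrototype(mergeFn) {
  const options = JSON.parse('{"__proto__": {"pollutedMarker": true}, "scales": {"x": 1}}');
  try {
    mergeFn({ responsive: true }, options);
    return ({}).pollutedMarker === true;
  } finally {
    delete Object.prototype.pollutedMarker;
  }
}

console.log('unguarded merge pollutes:', pollutesPrototype(mergeUnsafe)); // true
console.log('guarded merge pollutes:  ', pollutesPrototype(mergeSafe));   // false
```

The same `pollutesPrototype` check can be pointed at any merge helper a plugin bundles, which gives a quick regression test after a library update.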

Posted (edited)

Prototype pollution looks like it is more of a problem for server side code running in a js node environment on the server, client side JS looks like it is affected also BUT client side JS is susceptible to all the hacking as you can pop open the JS debugger and fiddle with all the things.

However I should still look at updating Playback Reporting, did you have any issues updating the JS Chart lib, are there any big changes?

Edited by TeamB
Posted (edited)
48 minutes ago, TeamB said:

Prototype pollution looks like it is more of a problem for server side code running in a js node environment on the server, client side JS looks like it is affected also BUT client side JS is susceptible to all the hacking as you can pop open the JS debugger and fiddle with all the things.

However I should still look at updating Playback Reporting, did you have any issues updating the JS Chart lib, are there any big changes?

Yeah a couple changes. They don't have a complete release build. They expect you to build it with npm.

So I just followed the CDN link and copied the code from there.... 🙃 the disk space plugin didn't need any fancy plugins for chart.js

 

Options have changed for each chart too. But I think that that is what the security problem was referring to, so it was to be expected. Other than that, nothing too crazy.

Probably could have left it, but then the repo would have had a security flag on it... So... Might as well try to fix it.

Edited by chef
