security: remove project script property, build for production

Author: unocelli

client/dist/index.html

@@ -86,6 +86,6 @@
             </div>
         </div>
     </app-root>
-<script src="runtime.9136a61a9b98f987.js" type="module"></script><script src="polyfills.d7de05f9af2fb559.js" type="module"></script><script src="scripts.d9e6ee984bf6f3b7.js" defer></script><script src="main.f8215ed2324002a9.js" type="module"></script></body>
+<script src="runtime.9136a61a9b98f987.js" type="module"></script><script src="polyfills.d7de05f9af2fb559.js" type="module"></script><script src="scripts.d9e6ee984bf6f3b7.js" defer></script><script src="main.cbcce26a6b6aacee.js" type="module"></script></body>
 
 </html>

client/dist/main.f8215ed2324002a9.js client/dist/main.cbcce26a6b6aacee.jsclient/dist/main.f8215ed2324002a9.js renamed to client/dist/main.cbcce26a6b6aacee.js

@@ -1,6 +1,6 @@
 {
   "name": "fuxa",
-  "version": "1.3.0-2778",
+  "version": "1.3.0-2779",
   "keywords": [],
   "author": "frangoteam <info@frangoteam.org>",
   "description": "Web-based Process Visualization (SCADA/HMI/Dashboard) software",

client/package.json

@@ -241,6 +241,9 @@ export class ScriptService {
 
     public async $runServerScript(scriptName: string, ...params: any[]) {
         let scriptToRun = Utils.clone(this.projectService.getScripts().find(dataScript => dataScript.name == scriptName));
+        if (!scriptToRun) {
+            return null;
+        }
         scriptToRun.parameters = params;
         return await lastValueFrom(this.runScript(scriptToRun, false));
     }

client/src/app/_services/script.service.ts

@@ -1004,6 +1004,9 @@ export class FuxaViewComponent implements OnInit, AfterViewInit, OnDestroy {
     onRunScript(event: GaugeEvent) {
         if (event.actparam) {
             let torun = Utils.clone(this.projectService.getScripts().find(dataScript => dataScript.id == event.actparam));
+            if (!torun) {
+                return;
+            }
             torun.parameters = Utils.clone(<ScriptParam[]>event.actoptions[SCRIPT_PARAMS_MAP]);
             const placeholders = torun.parameters.filter(param => param.value?.startsWith(PlaceholderDevice.id)).map(param => param.value);
             if (placeholders?.length) {

client/src/app/fuxa-view/fuxa-view.component.ts

@@ -396,6 +396,9 @@ export class DataTableComponent implements OnInit, AfterViewInit, OnDestroy {
     private runScript(event: GaugeEvent, selected: MatRow) {
         if (event.actparam) {
             let torun = Utils.clone(this.projectService.getScripts().find(dataScript => dataScript.id == event.actparam));
+            if (!torun) {
+                return;
+            }
             torun.parameters = <ScriptParam[]>Utils.clone(event.actoptions[SCRIPT_PARAMS_MAP]);
             torun.parameters.forEach(param => {
                 if (Utils.isNullOrUndefined(param.value)) {

client/src/app/gauges/controls/html-table/data-table/data-table.component.ts

@@ -1,6 +1,6 @@
 {
   "name": "fuxa-server",
-  "version": "1.3.0-2778",
+  "version": "1.3.0-2779",
   "description": "Web-based Process Visualization (SCADA/HMI/Dashboard) software",
   "main": "main.js",
   "scripts": {

server/package.json

@@ -928,6 +928,22 @@ function _filterProjectPermission(userPermission) {
         // from device remove the not used (no permission)
         // delete result.devices;
         delete result.server;
+        if (Array.isArray(result.scripts)) {
+            // Keep only scripts authorised for the current user. For authorised
+            // server-side scripts, retain just the metadata needed for event
+            // bindings and execution requests; do not expose source code.
+            result.scripts = result.scripts.filter(script => {
+                return script && runtime.scriptsMgr.isAuthorised(script, userPermission);
+            }).map(script => {
+                delete script.permission;
+                delete script.permissionRoles;
+                if (script.mode === 'CLIENT') {
+                    return script;
+                }
+                delete script.code;
+                return script;
+            });
+        }
         // check navigation permission
         if (result.hmi.layout && result.hmi.layout.navigation.items) {
             for (var i = result.hmi.layout.navigation.items.length - 1; i >= 0; i--) {

server/runtime/project/index.js

@@ -88,6 +88,10 @@ function ScriptsManager(_runtime) {
             const st = scriptModule.getScript(_script);
             var admin = (permission === -1 || permission === 255) ? true : false;
             if (runtime.settings.userRole) {
+                admin = admin || permission?.groups === -1 || permission?.groups === 255;
+                if (admin) {
+                    return true;
+                }
                 if (!st.permissionRoles || !st.permissionRoles.enabled) {
                     return true;
                 }