From cc5c63d3b1c1d551d98cbc29437824d1ec6377fe Mon Sep 17 00:00:00 2001
From: rainbow napkin
Date: Sun, 27 Apr 2025 08:08:39 -0400
Subject: [PATCH] Added instance-unique salt to IP hashes

---
 config.example.json | 1 +
 src/server.js | 2 --
 src/utils/configCheck.js | 6 +++++-
 src/utils/hashUtils.js | 7 +++++--
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/config.example.json b/config.example.json
index 0afa5f4..68c5002 100644
--- a/config.example.json
+++ b/config.example.json
@@ -7,6 +7,7 @@
 "domain": "localhost",
 "sessionSecret": "CHANGE_ME",
 "altchaSecret": "CHANGE_ME",
+"ipSecret": "CHANGE_ME",
 "ssl":{
 "cert": "./server.cert",
 "key": "./server.key"
diff --git a/src/server.js b/src/server.js
index 11f6c5f..fc32a3d 100644
--- a/src/server.js
+++ b/src/server.js
@@ -180,8 +180,6 @@ app.use(errorMiddleware);
 //Basic 404 handler
 app.use(fileNotFoundController);
-
-
 //Increment launch counter
 statModel.incrementLaunchCount();
diff --git a/src/utils/configCheck.js b/src/utils/configCheck.js
index 76b8137..d0f9c55 100644
--- a/src/utils/configCheck.js
+++ b/src/utils/configCheck.js
@@ -47,6 +47,11 @@ module.exports.securityCheck = function(){
 loggerUtil.consoleWarn("Insecure Altcha Secret! Change Altcha Secret!");
 }
+//check ipHash secret
+if(!validator.isStrongPassword(config.ipSecret) || config.ipSecret == "CHANGE_ME"){
+loggerUtil.consoleWarn("Insecure IP Hashing Secret! Change IP Hashing Secret!");
+}
+
 //check DB pass
 if(!validator.isStrongPassword(config.db.pass) || config.db.pass == "CHANGE_ME" || config.db.pass == config.db.user){
 loggerUtil.consoleWarn("Insecure Database Password! Change Database password!");
@@ -56,5 +61,4 @@ module.exports.securityCheck = function(){
 if(!validator.isStrongPassword(config.mail.pass) || config.mail.pass == "CHANGE_ME"){
 loggerUtil.consoleWarn("Insecure Email Password! Change Email password!");
 }
-
 }
\ No newline at end of file
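Review bot: The new ipSecret check in the first configCheck.js hunk crashes instead of warning when the key is absent, because `validator.isStrongPassword(config.ipSecret)` runs before the placeholder comparison and validator.js asserts its argument is a string, throwing a TypeError on `undefined`; a deployment whose config.json predates this commit will fail at startup with an unrelated-looking error rather than a clear message. Test for presence first and name the key to set: `if(typeof config.ipSecret !== "string" || config.ipSecret === "CHANGE_ME" || !validator.isStrongPassword(config.ipSecret)){` with a warning along the lines of `"Missing or insecure IP Hashing Secret! Set ipSecret in config.json!"`. The loose `==` mirrors the neighbouring checks, but `===` is the usual choice for new code. As written the check only warns, so the server keeps running with the public placeholder secret and the IP hashes are computable by anyone until the operator acts; whether that should be a hard failure is a policy call worth stating in a comment. The securityCheck function starts before this hunk.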
diff --git a/src/utils/hashUtils.js b/src/utils/hashUtils.js
index 115ec45..cc78d01 100644
--- a/src/utils/hashUtils.js
+++ b/src/utils/hashUtils.js
@@ -14,6 +14,9 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program. If not, see .*/
+//Config
+const config = require('../../config.json');
+
 //Node Imports
 const crypto = require('node:crypto');
@@ -33,8 +36,8 @@ module.exports.hashIP = function(ip){
 //Create hash object
 const hashObj = crypto.createHash('md5');
-//add IP to the hash
-hashObj.update(ip);
+//add IP and salt to the hash
+hashObj.update(`${ip}${config.ipSecret}`);
 //return the IP hash as a string
 return hashObj.digest('hex');
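Review bot: Appending the secret to the IP inside an unkeyed MD5 via a template literal is not a keyed hash and it degrades silently: when `config.ipSecret` is undefined (any config.json written before this commit) the hashed input becomes `<ip>undefined` and hashIP keeps returning digests with a constant, guessable suffix without raising anything. Use the keyed primitive, which throws on a missing key and drops the dependence on MD5: replace the createHash line with `const hashObj = crypto.createHmac('sha256', config.ipSecret);` and the update line with `hashObj.update(ip);`, keeping `return hashObj.digest('hex');` as is. The hex digest then grows from 32 to 64 characters, so any storage column or comparison sized for the MD5 output has to be widened, and — exactly as this commit already does — every previously stored IP hash stops matching once the secret is introduced or rotated, which callers of hashIP presumably need a migration for. The hashIP function's signature sits in the hunk heading; its body is fully visible here.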