graphite/Sharkey
1
0
Fork 0
mirror of https://git.joinsharkey.org/Sharkey/Sharkey.git synced 2024-11-26 05:33:08 +02:00
Code Issues Projects Releases Packages Wiki Activity

silence more false security alerts #407

Browse source
This commit is contained in:
dakkar 2024-02-09 13:42:08 +00:00
parent 36b7e45392
commit 7cf570565e
20 changed files with 29 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.eslintignore Normal file
View file

@ -0,0 +1 @@
/tossface-emjois/

2
locales/index.js
View file

@ -49,7 +49,7 @@ const primaries = {
};
// 何故か文字列にバックスペース文字が混入することがあり、YAMLが壊れるので取り除く
const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), '');
const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), ''); // eslint-disable-line detect-non-literal-regexp
export function build() {
const locales = languages.reduce((a, c) => (a[c] = yaml.load(clean(fs.readFileSync(new URL(`${c}.yml`, import.meta.url), 'utf-8'))) || {}, a), {});

1
packages/backend/src/misc/emoji-regex.ts
View file

File diff suppressed because one or more lines are too long

2
packages/backend/src/server/api/AuthenticateService.ts
View file

@ -42,7 +42,7 @@ export class AuthenticateService implements OnApplicationShutdown {
@bindThis
public async authenticate(token: string | null | undefined): Promise<[MiLocalUser | null, MiAccessToken | null]> {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
return [null, null];
}

2
packages/backend/src/server/api/endpoints/i/2fa/key-done.ts
View file

@ -76,7 +76,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

2
packages/backend/src/server/api/endpoints/i/2fa/register-key.ts
View file

@ -208,7 +208,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
// Compare password
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

2
packages/backend/src/server/api/endpoints/i/2fa/register.ts
View file

@ -67,7 +67,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

2
packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts
View file

@ -57,7 +57,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
// Compare password
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

2
packages/backend/src/server/api/endpoints/i/2fa/unregister.ts
View file

@ -52,7 +52,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

2
packages/backend/src/server/api/endpoints/i/change-password.ts
View file

@ -40,7 +40,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

2
packages/backend/src/server/api/endpoints/i/delete-account.ts
View file

@ -44,7 +44,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

2
packages/backend/src/server/api/endpoints/i/update-email.ts
View file

@ -77,7 +77,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

2
packages/backend/src/server/web/ClientServerService.ts
View file

@ -200,7 +200,7 @@ export class ClientServerService {
const url = decodeURI(request.routeOptions.url);
if (url === bullBoardPath || url.startsWith(bullBoardPath + '/')) {
const token = request.cookies.token;
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
reply.code(401).send('Login required');
return;
}

1
packages/frontend/.eslintignore Normal file
View file

@ -0,0 +1 @@
/assets/

1
packages/frontend/public/mockServiceWorker.js
View file

@ -117,6 +117,7 @@ self.addEventListener('fetch', function (event) {
}
// Generate unique request ID.
// eslint-disable-next-line node_insecure_random_generator
const requestId = Math.random().toString(16).slice(2)
event.respondWith(

5
packages/frontend/src/scripts/check-word-mute.ts
View file

@ -27,6 +27,11 @@ export function checkWordMute(note: Record<string, any>, me: Record<string, any>
if (!regexp) return false;
try {
/*
this could actually be a problem, but not here: here it's
user-supplied regexes running on the user's browser
eslint-disable-next-line detect-non-literal-regexp */
return new RegExp(regexp[1], regexp[2]).test(text);
} catch (err) {
// This should never happen due to input sanitisation.

2
packages/frontend/src/scripts/misskey-api.ts
View file

@ -31,7 +31,7 @@ export function misskeyApi<
const promise = new Promise<_ResT>((resolve, reject) => {
// Append a credential
if ($i) (data as any).i = $i.token;
if (token !== undefined) (data as any).i = token;
if (token !== undefined) (data as any).i = token; // eslint-disable-line detect-possible-timing-attacks
// Send request
window.fetch(`${apiUrl}/${endpoint}`, {

5
packages/megalodon/src/misskey.ts
View file

@ -1470,6 +1470,11 @@ export default class Misskey implements MegalodonInterface {
*/
public async uploadMedia(file: any, _options?: { description?: string; focus?: string }): Promise<Response<Entity.Attachment>> {
const formData = new FormData()
/*
this is called from MastodonApiServerService and `file` is
generated by `falstify` upload code, so should be safe
eslint-disable-next-line detect-non-literal-fs-filename */
formData.append('file', fs.createReadStream(file.path), {
contentType: file.mimetype,
});

2
scripts/build-pre.js
View file

@ -3,6 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
// eslint-disable detect-non-literal-fs-filename
const fs = require('fs');
const packageJsonPath = __dirname + '/../package.json'

1
scripts/trim-deps.mjs
View file

@ -1,5 +1,6 @@
// trims dependencies for production
// only run after a full build
// eslint-disable detect-non-literal-fs-filename
import fs from 'node:fs'