silence more false security alerts #407

.eslintignore

@@ -0,0 +1 @@
+/tossface-emjois/

locales/index.js

@@ -49,7 +49,7 @@ const primaries = {
 };
 
 // 何故か文字列にバックスペース文字が混入することがあり、YAMLが壊れるので取り除く
-const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), '');
+const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), ''); // eslint-disable-line detect-non-literal-regexp
 
 export function build() {
 	const locales = languages.reduce((a, c) => (a[c] = yaml.load(clean(fs.readFileSync(new URL(`${c}.yml`, import.meta.url), 'utf-8'))) || {}, a), {});

packages/backend/src/server/api/AuthenticateService.ts

@@ -42,7 +42,7 @@ export class AuthenticateService implements OnApplicationShutdown {
 
 	@bindThis
 	public async authenticate(token: string | null | undefined): Promise<[MiLocalUser | null, MiAccessToken | null]> {
-		if (token == null) {
+		if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 			return [null, null];
 		}
 

packages/backend/src/server/api/endpoints/i/2fa/key-done.ts

@@ -76,7 +76,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 			const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
 
 			if (profile.twoFactorEnabled) {
-				if (token == null) {
+				if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 					throw new Error('authentication failed');
 				}
 

packages/backend/src/server/api/endpoints/i/2fa/register-key.ts

@@ -208,7 +208,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
 
 			// Compare password
 			if (profile.twoFactorEnabled) {
-				if (token == null) {
+				if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 					throw new Error('authentication failed');
 				}
 

packages/backend/src/server/api/endpoints/i/2fa/register.ts

@@ -67,7 +67,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
 
 			if (profile.twoFactorEnabled) {
-				if (token == null) {
+				if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 					throw new Error('authentication failed');
 				}
 

packages/backend/src/server/api/endpoints/i/2fa/remove-key.ts

@@ -57,7 +57,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 
 			// Compare password
 			if (profile.twoFactorEnabled) {
-				if (token == null) {
+				if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 					throw new Error('authentication failed');
 				}
 

packages/backend/src/server/api/endpoints/i/2fa/unregister.ts

@@ -52,7 +52,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
 
 			if (profile.twoFactorEnabled) {
-				if (token == null) {
+				if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 					throw new Error('authentication failed');
 				}
 

packages/backend/src/server/api/endpoints/i/change-password.ts

@@ -40,7 +40,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
 
 			if (profile.twoFactorEnabled) {
-				if (token == null) {
+				if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 					throw new Error('authentication failed');
 				}
 

packages/backend/src/server/api/endpoints/i/delete-account.ts

@@ -44,7 +44,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
 
 			if (profile.twoFactorEnabled) {
-				if (token == null) {
+				if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 					throw new Error('authentication failed');
 				}
 

packages/backend/src/server/api/endpoints/i/update-email.ts

@@ -77,7 +77,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
 
 			if (profile.twoFactorEnabled) {
-				if (token == null) {
+				if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 					throw new Error('authentication failed');
 				}
 

packages/backend/src/server/web/ClientServerService.ts

@@ -200,7 +200,7 @@ export class ClientServerService {
 			const url = decodeURI(request.routeOptions.url);
 			if (url === bullBoardPath || url.startsWith(bullBoardPath + '/')) {
 				const token = request.cookies.token;
-				if (token == null) {
+				if (token == null) { // eslint-disable-line detect-possible-timing-attacks
 					reply.code(401).send('Login required');
 					return;
 				}

packages/frontend/.eslintignore

@@ -0,0 +1 @@
+/assets/

packages/frontend/public/mockServiceWorker.js

@@ -117,6 +117,7 @@ self.addEventListener('fetch', function (event) {
   }
 
   // Generate unique request ID.
+  // eslint-disable-next-line node_insecure_random_generator
   const requestId = Math.random().toString(16).slice(2)
 
   event.respondWith(

packages/frontend/src/scripts/check-word-mute.ts

@@ -27,6 +27,11 @@ export function checkWordMute(note: Record<string, any>, me: Record<string, any>
 				if (!regexp) return false;
 
 				try {
+					/*
+						this could actually be a problem, but not here: here it's
+						user-supplied regexes running on the user's browser
+
+						eslint-disable-next-line detect-non-literal-regexp */
 					return new RegExp(regexp[1], regexp[2]).test(text);
 				} catch (err) {
 					// This should never happen due to input sanitisation.

packages/frontend/src/scripts/misskey-api.ts

@@ -31,7 +31,7 @@ export function misskeyApi<
 	const promise = new Promise<_ResT>((resolve, reject) => {
 		// Append a credential
 		if ($i) (data as any).i = $i.token;
-		if (token !== undefined) (data as any).i = token;
+		if (token !== undefined) (data as any).i = token; // eslint-disable-line detect-possible-timing-attacks
 
 		// Send request
 		window.fetch(`${apiUrl}/${endpoint}`, {

packages/megalodon/src/misskey.ts

@@ -1470,6 +1470,11 @@ export default class Misskey implements MegalodonInterface {
    */
   public async uploadMedia(file: any, _options?: { description?: string; focus?: string }): Promise<Response<Entity.Attachment>> {
     const formData = new FormData()
+    /*
+      this is called from MastodonApiServerService and `file` is
+      generated by `falstify` upload code, so should be safe
+
+      eslint-disable-next-line detect-non-literal-fs-filename */
     formData.append('file', fs.createReadStream(file.path), {
 			contentType: file.mimetype,
 		});

scripts/build-pre.js

@@ -3,6 +3,8 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
+// eslint-disable detect-non-literal-fs-filename
+
 const fs = require('fs');
 const packageJsonPath = __dirname + '/../package.json'
 

scripts/trim-deps.mjs

@@ -1,5 +1,6 @@
 // trims dependencies for production
 // only run after a full build
+// eslint-disable detect-non-literal-fs-filename
 
 import fs from 'node:fs'