silence more false security alerts #407
This commit is contained in:
parent
36b7e45392
commit
7cf570565e
20 changed files with 29 additions and 12 deletions
1
.eslintignore
Normal file
1
.eslintignore
Normal file
|
@ -0,0 +1 @@
|
||||||
|
/tossface-emjois/
|
|
@ -49,7 +49,7 @@ const primaries = {
|
||||||
};
|
};
|
||||||
|
|
||||||
// 何故か文字列にバックスペース文字が混入することがあり、YAMLが壊れるので取り除く
|
// 何故か文字列にバックスペース文字が混入することがあり、YAMLが壊れるので取り除く
|
||||||
const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), '');
|
const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), ''); // eslint-disable-line detect-non-literal-regexp
|
||||||
|
|
||||||
export function build() {
|
export function build() {
|
||||||
const locales = languages.reduce((a, c) => (a[c] = yaml.load(clean(fs.readFileSync(new URL(`${c}.yml`, import.meta.url), 'utf-8'))) || {}, a), {});
|
const locales = languages.reduce((a, c) => (a[c] = yaml.load(clean(fs.readFileSync(new URL(`${c}.yml`, import.meta.url), 'utf-8'))) || {}, a), {});
|
||||||
|
|
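Review bot: The `eslint-disable-line detect-non-literal-regexp` on the `clean` line suppresses a finding that a one-token rewrite removes: the pattern is a compile-time constant, so it can be a regex literal, `const clean = (text) => text.replace(/\x08/g, '');`, which matches the same U+0008 code point, drops the `String.fromCodePoint` call and gives the rule nothing to flag. If the constructor form was chosen to keep a raw control character out of the source, the `\x08` escape achieves that as well. The `build` function that follows starts in this hunk but its body continues past it.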
File diff suppressed because one or more lines are too long
|
@ -42,7 +42,7 @@ export class AuthenticateService implements OnApplicationShutdown {
|
||||||
|
|
||||||
@bindThis
|
@bindThis
|
||||||
public async authenticate(token: string | null | undefined): Promise<[MiLocalUser | null, MiAccessToken | null]> {
|
public async authenticate(token: string | null | undefined): Promise<[MiLocalUser | null, MiAccessToken | null]> {
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
return [null, null];
|
return [null, null];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
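Review bot: The `detect-possible-timing-attacks` suppression on `if (token == null)` carries no reason, so the next reader has to rediscover that the rule fires on the identifier name `token` and that a null check is not a secret comparison; a short justification would keep this from being re-opened, e.g. `if (token == null) { // eslint-disable-line detect-possible-timing-attacks -- null check, not a secret comparison`. The same applies to every `token == null` / `token !== undefined` suppression in the later hunks: the eight two-factor endpoint hunks, `ClientServerService` and `misskeyApi`. Where the token is actually compared against a stored value lies outside these hunks and is unchanged here, so as far as this diff shows the suppressions do not hide a real constant-time concern. `authenticate` continues past the end of the hunk.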
@ -76,7 +76,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
|
||||||
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
||||||
|
|
||||||
if (profile.twoFactorEnabled) {
|
if (profile.twoFactorEnabled) {
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
throw new Error('authentication failed');
|
throw new Error('authentication failed');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -208,7 +208,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
|
||||||
|
|
||||||
// Compare password
|
// Compare password
|
||||||
if (profile.twoFactorEnabled) {
|
if (profile.twoFactorEnabled) {
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
throw new Error('authentication failed');
|
throw new Error('authentication failed');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -67,7 +67,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
||||||
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
||||||
|
|
||||||
if (profile.twoFactorEnabled) {
|
if (profile.twoFactorEnabled) {
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
throw new Error('authentication failed');
|
throw new Error('authentication failed');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -57,7 +57,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
||||||
|
|
||||||
// Compare password
|
// Compare password
|
||||||
if (profile.twoFactorEnabled) {
|
if (profile.twoFactorEnabled) {
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
throw new Error('authentication failed');
|
throw new Error('authentication failed');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -52,7 +52,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
||||||
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
||||||
|
|
||||||
if (profile.twoFactorEnabled) {
|
if (profile.twoFactorEnabled) {
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
throw new Error('authentication failed');
|
throw new Error('authentication failed');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
||||||
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
||||||
|
|
||||||
if (profile.twoFactorEnabled) {
|
if (profile.twoFactorEnabled) {
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
throw new Error('authentication failed');
|
throw new Error('authentication failed');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -44,7 +44,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
||||||
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
||||||
|
|
||||||
if (profile.twoFactorEnabled) {
|
if (profile.twoFactorEnabled) {
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
throw new Error('authentication failed');
|
throw new Error('authentication failed');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -77,7 +77,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
||||||
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
||||||
|
|
||||||
if (profile.twoFactorEnabled) {
|
if (profile.twoFactorEnabled) {
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
throw new Error('authentication failed');
|
throw new Error('authentication failed');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -200,7 +200,7 @@ export class ClientServerService {
|
||||||
const url = decodeURI(request.routeOptions.url);
|
const url = decodeURI(request.routeOptions.url);
|
||||||
if (url === bullBoardPath || url.startsWith(bullBoardPath + '/')) {
|
if (url === bullBoardPath || url.startsWith(bullBoardPath + '/')) {
|
||||||
const token = request.cookies.token;
|
const token = request.cookies.token;
|
||||||
if (token == null) {
|
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
|
||||||
reply.code(401).send('Login required');
|
reply.code(401).send('Login required');
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
1
packages/frontend/.eslintignore
Normal file
1
packages/frontend/.eslintignore
Normal file
|
@ -0,0 +1 @@
|
||||||
|
/assets/
|
|
@ -117,6 +117,7 @@ self.addEventListener('fetch', function (event) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate unique request ID.
|
// Generate unique request ID.
|
||||||
|
// eslint-disable-next-line node_insecure_random_generator
|
||||||
const requestId = Math.random().toString(16).slice(2)
|
const requestId = Math.random().toString(16).slice(2)
|
||||||
|
|
||||||
event.respondWith(
|
event.respondWith(
|
||||||
|
|
|
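Review bot: `node_insecure_random_generator` in the new `eslint-disable-next-line` does not look like an ESLint rule id — it has no plugin prefix and the other suppressions in this commit use `eslint-plugin-security` names — and ESLint reports a disable directive naming a rule it cannot resolve as an error of its own (`Definition for rule … was not found`), unless a plugin in the frontend config defines that id; if the alert came from a different scanner, that scanner's own suppression syntax is needed instead. Independently of the id, a reason would help: if `requestId` is only a correlation handle for the fetch, say so on the directive, e.g. `// eslint-disable-next-line node_insecure_random_generator -- correlation id only, not a secret`; if it ever needed to be unguessable, `crypto.randomUUID()` is available in the service-worker scope. The enclosing fetch listener starts and ends outside the hunk.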
@ -27,6 +27,11 @@ export function checkWordMute(note: Record<string, any>, me: Record<string, any>
|
||||||
if (!regexp) return false;
|
if (!regexp) return false;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
/*
|
||||||
|
this could actually be a problem, but not here: here it's
|
||||||
|
user-supplied regexes running on the user's browser
|
||||||
|
|
||||||
|
eslint-disable-next-line detect-non-literal-regexp */
|
||||||
return new RegExp(regexp[1], regexp[2]).test(text);
|
return new RegExp(regexp[1], regexp[2]).test(text);
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
// This should never happen due to input sanitisation.
|
// This should never happen due to input sanitisation.
|
||||||
|
|
|
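Review bot: The `eslint-disable-next-line detect-non-literal-regexp` at the end of the new block comment is not in a position ESLint recognises: directives are matched at the start of a comment's text, so with the explanatory prose first the directive is never parsed and the finding on `new RegExp(regexp[1], regexp[2])` remains. Keep the explanation as its own comment and put the directive on the line immediately above the `new RegExp` call, e.g. `// eslint-disable-next-line detect-non-literal-regexp -- user-supplied pattern evaluated only in the user's own browser`. The `uploadMedia` hunk later in this commit has the same layout and the same problem (and its comment says `falstify` where `fastify` is presumably meant). `checkWordMute` begins before and ends after the hunk.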
@ -31,7 +31,7 @@ export function misskeyApi<
|
||||||
const promise = new Promise<_ResT>((resolve, reject) => {
|
const promise = new Promise<_ResT>((resolve, reject) => {
|
||||||
// Append a credential
|
// Append a credential
|
||||||
if ($i) (data as any).i = $i.token;
|
if ($i) (data as any).i = $i.token;
|
||||||
if (token !== undefined) (data as any).i = token;
|
if (token !== undefined) (data as any).i = token; // eslint-disable-line detect-possible-timing-attacks
|
||||||
|
|
||||||
// Send request
|
// Send request
|
||||||
window.fetch(`${apiUrl}/${endpoint}`, {
|
window.fetch(`${apiUrl}/${endpoint}`, {
|
||||||
|
|
|
@ -1470,6 +1470,11 @@ export default class Misskey implements MegalodonInterface {
|
||||||
*/
|
*/
|
||||||
public async uploadMedia(file: any, _options?: { description?: string; focus?: string }): Promise<Response<Entity.Attachment>> {
|
public async uploadMedia(file: any, _options?: { description?: string; focus?: string }): Promise<Response<Entity.Attachment>> {
|
||||||
const formData = new FormData()
|
const formData = new FormData()
|
||||||
|
/*
|
||||||
|
this is called from MastodonApiServerService and `file` is
|
||||||
|
generated by `falstify` upload code, so should be safe
|
||||||
|
|
||||||
|
eslint-disable-next-line detect-non-literal-fs-filename */
|
||||||
formData.append('file', fs.createReadStream(file.path), {
|
formData.append('file', fs.createReadStream(file.path), {
|
||||||
contentType: file.mimetype,
|
contentType: file.mimetype,
|
||||||
});
|
});
|
||||||
|
|
|
@ -3,6 +3,8 @@
|
||||||
* SPDX-License-Identifier: AGPL-3.0-only
|
* SPDX-License-Identifier: AGPL-3.0-only
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
// eslint-disable detect-non-literal-fs-filename
|
||||||
|
|
||||||
const fs = require('fs');
|
const fs = require('fs');
|
||||||
const packageJsonPath = __dirname + '/../package.json'
|
const packageJsonPath = __dirname + '/../package.json'
|
||||||
|
|
||||||
|
|
|
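Review bot: `// eslint-disable detect-non-literal-fs-filename` as a line comment has no effect: ESLint honours `eslint-disable`/`eslint-enable` only in block comments (line comments are accepted only for the `-line` and `-next-line` forms), so this file-wide suppression is silently ignored and the `fs` findings remain. Replace it with `/* eslint-disable detect-non-literal-fs-filename */`. The same applies to the identical line added in the following hunk (the dependency-trimming script).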
@ -1,5 +1,6 @@
|
||||||
// trims dependencies for production
|
// trims dependencies for production
|
||||||
// only run after a full build
|
// only run after a full build
|
||||||
|
// eslint-disable detect-non-literal-fs-filename
|
||||||
|
|
||||||
import fs from 'node:fs'
|
import fs from 'node:fs'
|
||||||
|
|
||||||
|
|