silence more false security alerts #407
This commit is contained in:
parent
36b7e45392
commit
7cf570565e
20 changed files with 29 additions and 12 deletions
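--- /dev/null
+++ b/.eslintignore
@@ -0,0 +1 @@
+/tossface-emjois/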
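Review bot: The new ignore pattern `/tossface-emjois/` reads like a misspelling of "emojis"; if the directory on disk is actually named `tossface-emojis`, this pattern matches nothing and the alerts it is meant to silence will keep firing. Confirm the spelling against the checked-in directory name before relying on it. If the directory really is spelled this way, a one-line comment above the entry (`# vendored emoji data, not our code`) would stop the next reader from "fixing" it.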
@ -49,7 +49,7 @@ const primaries = {
};
// 何故か文字列にバックスペース文字が混入することがあり、YAMLが壊れるので取り除く
const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), '');
const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), ''); // eslint-disable-line detect-non-literal-regexp
|
export function build() {
const locales = languages.reduce((a, c) => (a[c] = yaml.load(clean(fs.readFileSync(new URL(`${c}.yml`, import.meta.url), 'utf-8'))) || {}, a), {});
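Review bot: The `clean` regexp is built from a constant code point, so the `detect-non-literal-regexp` finding is a false positive — but it can be eliminated instead of suppressed: `const clean = (text) => text.replace(/\x08/g, '');` is a literal pattern with identical behavior (strip every U+0008) and needs no directive at all. Removing the `new RegExp` also removes the reason a future reader has to trust the disable comment. The Japanese comment above explains that backspace characters sometimes leak into the strings and break the YAML; an English rendering of that sentence would help the non-Japanese maintainers who will next touch this line. `yaml.load` on the following line is untouched here; it is the js-yaml safe loader in v4+, presumably the version in use, but that is not visible in the hunk.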
@ -42,7 +42,7 @@ export class AuthenticateService implements OnApplicationShutdown {
|
@bindThis
public async authenticate(token: string | null | undefined): Promise<[MiLocalUser | null, MiAccessToken | null]> {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
return [null, null];
}
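Review bot: The suppression on the `if (token == null)` line is justified — a null guard compares no secret bytes, so there is nothing for `detect-possible-timing-attacks` to protect — but a bare `eslint-disable-line` gives the next reader no way to tell a reasoned exception from a silenced real finding. Use the directive description form (ESLint 7+) so the rationale travels with the line: `if (token == null) { // eslint-disable-line detect-possible-timing-attacks -- null guard only; no secret is compared here`. The part of `authenticate` the rule is actually about, the token lookup and comparison, lies below this hunk and is not touched by the commit. The same applies to the identical guards added in the 2FA endpoints, the bull-board cookie check in `ClientServerService` and the `token !== undefined` line in the frontend `misskeyApi`.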
|
@ -76,7 +76,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}
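Review bot: The null guard inside `if (profile.twoFactorEnabled)` now carries the same suppression in each of the 2FA-protected endpoints this commit touches — the identical three-line block appears in eight endpoint files on this page. Rather than maintaining eight copies of a directive, a small shared helper (for example `assertTotpToken(token)` that throws `new Error('authentication failed')` when the token is absent) would leave one suppression with one written rationale and keep the endpoints from drifting apart. If that refactor is done, keep the error message byte-identical, since callers or tests may match on it. The enclosing `Endpoint` constructor body starts and ends outside this hunk.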
|
@ -208,7 +208,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
|
// Compare password
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}
|
@ -67,7 +67,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}
|
@ -57,7 +57,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
|
// Compare password
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}
|
@ -52,7 +52,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}
|
@ -40,7 +40,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}
|
@ -44,7 +44,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}
|
@ -77,7 +77,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}
|
@ -200,7 +200,7 @@ export class ClientServerService {
const url = decodeURI(request.routeOptions.url);
if (url === bullBoardPath || url.startsWith(bullBoardPath + '/')) {
const token = request.cookies.token;
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
reply.code(401).send('Login required');
return;
}
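--- /dev/null
+++ b/packages/frontend/.eslintignore
@@ -0,0 +1 @@
+/assets/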
@ -117,6 +117,7 @@ self.addEventListener('fetch', function (event) {
}
|
// Generate unique request ID.
// eslint-disable-next-line node_insecure_random_generator
const requestId = Math.random().toString(16).slice(2)
|
event.respondWith(
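Review bot: The request id on the line below the new directive is built from `Math.random().toString(16).slice(2)`; instead of suppressing the finding, a service worker has Web Crypto available and `const requestId = crypto.randomUUID();` yields a fixed-length, unpredictable id in one line with no directive needed. If the id is only a log-correlation key either is acceptable, but replacing the call removes the alert permanently rather than documenting it. Separately, `node_insecure_random_generator` does not look like an ESLint rule id (it resembles a SAST scanner's rule name); if this file is linted by ESLint, a disable directive naming an unknown rule is itself reported as a lint error, so confirm which tool actually consumes this comment and use its suppression syntax.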
@ -27,6 +27,11 @@ export function checkWordMute(note: Record<string, any>, me: Record<string, any>
if (!regexp) return false;
|
try {
/*
this could actually be a problem, but not here: here it's
user-supplied regexes running on the user's browser
|
eslint-disable-next-line detect-non-literal-regexp */
return new RegExp(regexp[1], regexp[2]).test(text);
} catch (err) {
// This should never happen due to input sanitisation.
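Review bot: The `eslint-disable-next-line detect-non-literal-regexp` placed after prose inside the new block comment will not suppress anything if ESLint is what reads it: ESLint only treats a comment as a directive when the directive keyword is the first thing in the comment, and `eslint-disable-next-line` must additionally be a single-line comment, so the finding on `new RegExp(regexp[1], regexp[2])` stays. Keep the explanation, but put the directive on its own line directly above the `return`: `// eslint-disable-next-line detect-non-literal-regexp -- user-supplied regex runs only in the user's own browser`. If a SAST scanner rather than ESLint consumes these comments, check its documented suppression syntax instead of assuming ESLint's. The `catch` branch of `checkWordMute` continues beyond this hunk.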
@ -31,7 +31,7 @@ export function misskeyApi<
const promise = new Promise<_ResT>((resolve, reject) => {
// Append a credential
if ($i) (data as any).i = $i.token;
if (token !== undefined) (data as any).i = token;
if (token !== undefined) (data as any).i = token; // eslint-disable-line detect-possible-timing-attacks
|
// Send request
window.fetch(`${apiUrl}/${endpoint}`, {
@ -1470,6 +1470,11 @@ export default class Misskey implements MegalodonInterface {
*/
public async uploadMedia(file: any, _options?: { description?: string; focus?: string }): Promise<Response<Entity.Attachment>> {
const formData = new FormData()
/*
this is called from MastodonApiServerService and `file` is
generated by `falstify` upload code, so should be safe
|
eslint-disable-next-line detect-non-literal-fs-filename */
formData.append('file', fs.createReadStream(file.path), {
contentType: file.mimetype,
});
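Review bot: As with the word-mute change, the `eslint-disable-next-line detect-non-literal-fs-filename` here sits after prose inside a multi-line block comment, which ESLint does not parse as a directive (the keyword must begin the comment and `-next-line` must be a single-line comment), so the alert on `fs.createReadStream(file.path)` is still raised. Move it to its own line immediately above the `formData.append(...)` call: `// eslint-disable-next-line detect-non-literal-fs-filename -- file.path is the server-side temp path produced by fastify's multipart handling`. The comment also misspells the framework as "falstify". Note the trust argument rests on `MastodonApiServerService` only ever passing server-generated temp paths, which this hunk cannot show; `uploadMedia` continues past the hunk.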
@ -3,6 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
|
// eslint-disable detect-non-literal-fs-filename
|
const fs = require('fs');
const packageJsonPath = __dirname + '/../package.json'
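Review bot: `// eslint-disable detect-non-literal-fs-filename` is written as a line comment, but ESLint honors the file-wide `eslint-disable` form only in block comments (`/* … */`); only `eslint-disable-line` and `eslint-disable-next-line` work as `//` comments. As added, the directive is ignored and the finding on the `fs` calls in this script remains. Change it to `/* eslint-disable detect-non-literal-fs-filename -- build script; paths are derived from __dirname, not from user input */`. The rest of the script is outside the hunk, so whether every `fs` path in it really is `__dirname`-relative cannot be confirmed here.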
|
@ -1,5 +1,6 @@
// trims dependencies for production
// only run after a full build
// eslint-disable detect-non-literal-fs-filename
|
import fs from 'node:fs'
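Review bot: The new `// eslint-disable detect-non-literal-fs-filename` has no effect under ESLint, because the file-scoped `eslint-disable` directive is recognized only in a block comment; in a `//` comment it is plain text. Replace it with `/* eslint-disable detect-non-literal-fs-filename -- production trim script operating on build output paths */` so the suppression actually applies to the `fs` calls that follow. If the intended consumer is a SAST scanner rather than ESLint, verify that scanner reads ESLint directives at all before relying on this comment. The script body after the `import` is outside this hunk.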
|