silence more false security alerts #407

This commit is contained in:
dakkar 2024-02-09 13:42:08 +00:00
parent 36b7e45392
commit 7cf570565e
20 changed files with 29 additions and 12 deletions

1
.eslintignore Normal file
View file

@ -0,0 +1 @@
/tossface-emjois/

View file

@ -49,7 +49,7 @@ const primaries = {
};
// 何故か文字列にバックスペース文字が混入することがあり、YAMLが壊れるので取り除く
const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), '');
const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), ''); // eslint-disable-line detect-non-literal-regexp
export function build() {
const locales = languages.reduce((a, c) => (a[c] = yaml.load(clean(fs.readFileSync(new URL(`${c}.yml`, import.meta.url), 'utf-8'))) || {}, a), {});

File diff suppressed because one or more lines are too long

View file

@ -42,7 +42,7 @@ export class AuthenticateService implements OnApplicationShutdown {
@bindThis
public async authenticate(token: string | null | undefined): Promise<[MiLocalUser | null, MiAccessToken | null]> {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
return [null, null];
}

View file

@ -76,7 +76,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

View file

@ -208,7 +208,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
// Compare password
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

View file

@ -67,7 +67,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

View file

@ -57,7 +57,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
// Compare password
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

View file

@ -52,7 +52,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

View file

@ -40,7 +40,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

View file

@ -44,7 +44,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

View file

@ -77,7 +77,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
if (profile.twoFactorEnabled) {
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
throw new Error('authentication failed');
}

View file

@ -200,7 +200,7 @@ export class ClientServerService {
const url = decodeURI(request.routeOptions.url);
if (url === bullBoardPath || url.startsWith(bullBoardPath + '/')) {
const token = request.cookies.token;
if (token == null) {
if (token == null) { // eslint-disable-line detect-possible-timing-attacks
reply.code(401).send('Login required');
return;
}

View file

@ -0,0 +1 @@
/assets/

View file

@ -117,6 +117,7 @@ self.addEventListener('fetch', function (event) {
}
// Generate unique request ID.
// eslint-disable-next-line node_insecure_random_generator
const requestId = Math.random().toString(16).slice(2)
event.respondWith(

View file

@ -27,6 +27,11 @@ export function checkWordMute(note: Record<string, any>, me: Record<string, any>
if (!regexp) return false;
try {
/*
this could actually be a problem, but not here: here it's
user-supplied regexes running on the user's browser
eslint-disable-next-line detect-non-literal-regexp */
return new RegExp(regexp[1], regexp[2]).test(text);
} catch (err) {
// This should never happen due to input sanitisation.

View file

@ -31,7 +31,7 @@ export function misskeyApi<
const promise = new Promise<_ResT>((resolve, reject) => {
// Append a credential
if ($i) (data as any).i = $i.token;
if (token !== undefined) (data as any).i = token;
if (token !== undefined) (data as any).i = token; // eslint-disable-line detect-possible-timing-attacks
// Send request
window.fetch(`${apiUrl}/${endpoint}`, {

View file

@ -1470,6 +1470,11 @@ export default class Misskey implements MegalodonInterface {
*/
public async uploadMedia(file: any, _options?: { description?: string; focus?: string }): Promise<Response<Entity.Attachment>> {
const formData = new FormData()
/*
this is called from MastodonApiServerService and `file` is
generated by `falstify` upload code, so should be safe
eslint-disable-next-line detect-non-literal-fs-filename */
formData.append('file', fs.createReadStream(file.path), {
contentType: file.mimetype,
});

View file

@ -3,6 +3,8 @@
* SPDX-License-Identifier: AGPL-3.0-only
*/
// eslint-disable detect-non-literal-fs-filename
const fs = require('fs');
const packageJsonPath = __dirname + '/../package.json'

View file

@ -1,5 +1,6 @@
// trims dependencies for production
// only run after a full build
// eslint-disable detect-non-literal-fs-filename
import fs from 'node:fs'