packages/backend/src/core/MfmService.ts

@@ -474,176 +474,176 @@ export class MfmService {
 		}
 
 		const handlers: {
-			[K in mfm.MfmNode['type']]: (node: mfm.NodeType<K>) => any;
+            [K in mfm.MfmNode['type']]: (node: mfm.NodeType<K>) => any;
-		} = {
+        } = {
-			async bold(node) {
+        	async bold(node) {
-				const el = doc.createElement('span');
+        		const el = doc.createElement('span');
-				el.textContent = '**';
+        		el.textContent = '**';
-				await appendChildren(node.children, el);
+        		await appendChildren(node.children, el);
-				el.textContent += '**';
+        		el.textContent += '**';
-				return el;
+        		return el;
-			},
+        	},
 
-			async small(node) {
+        	async small(node) {
-				const el = doc.createElement('small');
+        		const el = doc.createElement('small');
-				await appendChildren(node.children, el);
+        		await appendChildren(node.children, el);
-				return el;
+        		return el;
-			},
+        	},
 
-			async strike(node) {
+        	async strike(node) {
-				const el = doc.createElement('span');
+        		const el = doc.createElement('span');
-				el.textContent = '~~';
+        		el.textContent = '~~';
-				await appendChildren(node.children, el);
+        		await appendChildren(node.children, el);
-				el.textContent += '~~';
+        		el.textContent += '~~';
-				return el;
+        		return el;
-			},
+        	},
 
-			async italic(node) {
+        	async italic(node) {
-				const el = doc.createElement('span');
+        		const el = doc.createElement('span');
-				el.textContent = '*';
+        		el.textContent = '*';
-				await appendChildren(node.children, el);
+        		await appendChildren(node.children, el);
-				el.textContent += '*';
+        		el.textContent += '*';
-				return el;
+        		return el;
-			},
+        	},
 
-			async fn(node) {
+        	async fn(node) {
-				const el = doc.createElement('span');
+        		const el = doc.createElement('span');
-				el.textContent = '*';
+        		el.textContent = '*';
-				await appendChildren(node.children, el);
+        		await appendChildren(node.children, el);
-				el.textContent += '*';
+        		el.textContent += '*';
-				return el;
+        		return el;
-			},
+        	},
 
-			blockCode(node) {
+        	blockCode(node) {
-				const pre = doc.createElement('pre');
+        		const pre = doc.createElement('pre');
-				const inner = doc.createElement('code');
+        		const inner = doc.createElement('code');
 
-				const nodes = node.props.code
+        		const nodes = node.props.code
-					.split(/\r\n|\r|\n/)
+        			.split(/\r\n|\r|\n/)
-					.map((x) => doc.createTextNode(x));
+        			.map((x) => doc.createTextNode(x));
 
-				for (const x of intersperse<FIXME | 'br'>('br', nodes)) {
+        		for (const x of intersperse<FIXME | 'br'>('br', nodes)) {
-					inner.appendChild(x === 'br' ? doc.createElement('br') : x);
+        			inner.appendChild(x === 'br' ? doc.createElement('br') : x);
-				}
+        		}
 
-				pre.appendChild(inner);
+        		pre.appendChild(inner);
-				return pre;
+        		return pre;
-			},
+        	},
 
-			async center(node) {
+        	async center(node) {
-				const el = doc.createElement('div');
+        		const el = doc.createElement('div');
-				await appendChildren(node.children, el);
+        		await appendChildren(node.children, el);
-				return el;
+        		return el;
-			},
+        	},
 
-			emojiCode(node) {
+        	emojiCode(node) {
-				return doc.createTextNode(`\u200B:${node.props.name}:\u200B`);
+        		return doc.createTextNode(`\u200B:${node.props.name}:\u200B`);
-			},
+        	},
 
-			unicodeEmoji(node) {
+        	unicodeEmoji(node) {
-				return doc.createTextNode(node.props.emoji);
+        		return doc.createTextNode(node.props.emoji);
-			},
+        	},
 
-			hashtag: (node) => {
+        	hashtag: (node) => {
-				const a = doc.createElement('a');
+        		const a = doc.createElement('a');
-				a.setAttribute('href', `${this.config.url}/tags/${node.props.hashtag}`);
+        		a.setAttribute('href', `${this.config.url}/tags/${node.props.hashtag}`);
-				a.textContent = `#${node.props.hashtag}`;
+        		a.textContent = `#${node.props.hashtag}`;
-				a.setAttribute('rel', 'tag');
+        		a.setAttribute('rel', 'tag');
-				a.setAttribute('class', 'hashtag');
+        		a.setAttribute('class', 'hashtag');
-				return a;
+        		return a;
-			},
+        	},
 
-			inlineCode(node) {
+        	inlineCode(node) {
-				const el = doc.createElement('code');
+        		const el = doc.createElement('code');
-				el.textContent = node.props.code;
+        		el.textContent = node.props.code;
-				return el;
+        		return el;
-			},
+        	},
 
-			mathInline(node) {
+        	mathInline(node) {
-				const el = doc.createElement('code');
+        		const el = doc.createElement('code');
-				el.textContent = node.props.formula;
+        		el.textContent = node.props.formula;
-				return el;
+        		return el;
-			},
+        	},
 
-			mathBlock(node) {
+        	mathBlock(node) {
-				const el = doc.createElement('code');
+        		const el = doc.createElement('code');
-				el.textContent = node.props.formula;
+        		el.textContent = node.props.formula;
-				return el;
+        		return el;
-			},
+        	},
 
-			async link(node) {
+        	async link(node) {
-				const a = doc.createElement('a');
+        		const a = doc.createElement('a');
-				a.setAttribute('rel', 'nofollow noopener noreferrer');
+        		a.setAttribute('rel', 'nofollow noopener noreferrer');
-				a.setAttribute('target', '_blank');
+        		a.setAttribute('target', '_blank');
-				a.setAttribute('href', node.props.url);
+        		a.setAttribute('href', node.props.url);
-				await appendChildren(node.children, a);
+        		await appendChildren(node.children, a);
-				return a;
+        		return a;
-			},
+        	},
 
-			async mention(node) {
+        	async mention(node) {
-				const { username, host, acct } = node.props;
+        		const { username, host, acct } = node.props;
-				const resolved = mentionedRemoteUsers.find(remoteUser => remoteUser.username === username && remoteUser.host === host);
+        		const resolved = mentionedRemoteUsers.find(remoteUser => remoteUser.username === username && remoteUser.host === host);
 
-				const el = doc.createElement('span');
+        		const el = doc.createElement('span');
-				if (!resolved) {
+        		if (!resolved) {
-					el.textContent = acct;
+        			el.textContent = acct;
-				} else {
+        		} else {
-					el.setAttribute('class', 'h-card');
+        			el.setAttribute('class', 'h-card');
-					el.setAttribute('translate', 'no');
+        			el.setAttribute('translate', 'no');
-					const a = doc.createElement('a');
+        			const a = doc.createElement('a');
-					a.setAttribute('href', resolved.url ? resolved.url : resolved.uri);
+        			a.setAttribute('href', resolved.url ? resolved.url : resolved.uri);
-					a.className = 'u-url mention';
+        			a.className = 'u-url mention';
-					const span = doc.createElement('span');
+        			const span = doc.createElement('span');
-					span.textContent = resolved.username || username;
+        			span.textContent = resolved.username || username;
-					a.textContent = '@';
+        			a.textContent = '@';
-					a.appendChild(span);
+        			a.appendChild(span);
-					el.appendChild(a);
+        			el.appendChild(a);
-				}
+        		}
 
-				return el;
+        		return el;
-			},
+        	},
 
-			async quote(node) {
+        	async quote(node) {
-				const el = doc.createElement('blockquote');
+        		const el = doc.createElement('blockquote');
-				await appendChildren(node.children, el);
+        		await appendChildren(node.children, el);
-				return el;
+        		return el;
-			},
+        	},
 
-			text(node) {
+        	text(node) {
-				const el = doc.createElement('span');
+        		const el = doc.createElement('span');
-				const nodes = node.props.text
+        		const nodes = node.props.text
-					.split(/\r\n|\r|\n/)
+        			.split(/\r\n|\r|\n/)
-					.map((x) => doc.createTextNode(x));
+        			.map((x) => doc.createTextNode(x));
 
-				for (const x of intersperse<FIXME | 'br'>('br', nodes)) {
+        		for (const x of intersperse<FIXME | 'br'>('br', nodes)) {
-					el.appendChild(x === 'br' ? doc.createElement('br') : x);
+        			el.appendChild(x === 'br' ? doc.createElement('br') : x);
-				}
+        		}
 
-				return el;
+        		return el;
-			},
+        	},
 
-			url(node) {
+        	url(node) {
-				const a = doc.createElement('a');
+        		const a = doc.createElement('a');
-				a.setAttribute('rel', 'nofollow noopener noreferrer');
+        		a.setAttribute('rel', 'nofollow noopener noreferrer');
-				a.setAttribute('target', '_blank');
+        		a.setAttribute('target', '_blank');
-				a.setAttribute('href', node.props.url);
+        		a.setAttribute('href', node.props.url);
-				a.textContent = node.props.url.replace(/^https?:\/\//, '');
+        		a.textContent = node.props.url.replace(/^https?:\/\//, '');
-				return a;
+        		return a;
-			},
+        	},
 
-			search: (node) => {
+        	search: (node) => {
-				const a = doc.createElement('a');
+        		const a = doc.createElement('a');
-				a.setAttribute('href', `https"google.com/${node.props.query}`);
+        		a.setAttribute('href', `https"google.com/${node.props.query}`);
-				a.textContent = node.props.content;
+        		a.textContent = node.props.content;
-				return a;
+        		return a;
-			},
+        	},
 
-			async plain(node) {
+        	async plain(node) {
-				const el = doc.createElement('span');
+        		const el = doc.createElement('span');
-				await appendChildren(node.children, el);
+        		await appendChildren(node.children, el);
-				return el;
+        		return el;
-			},
+        	},
-		};
+        };
 		
 		await appendChildren(nodes, doc.body);
 

packages/backend/src/core/UserAuthService.ts

@@ -11,7 +11,7 @@ import type { MiUserProfile, UserProfilesRepository, UsersRepository } from '@/m
 import { bindThis } from '@/decorators.js';
 import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error.js';
 import type { MiLocalUser } from '@/models/User.js';
-import { secureishCompare } from '@/misc/secure-ish-compare.js';
+import * as crypto from 'node:crypto';
 
 @Injectable()
 export class UserAuthService {
@@ -29,7 +29,7 @@ export class UserAuthService {
 		if (profile.twoFactorBackupSecret?.includes(token)) {
 			await this.userProfilesRepository.update({ userId: profile.userId }, {
 				twoFactorBackupSecret: profile.twoFactorBackupSecret.filter(
-					(secret) => !secureishCompare(secret, token)
+					(secret) => !crypto.timingSafeEqual(secret, token)
 				),
 			});
 		} else {

packages/backend/src/misc/secure-ish-compare.ts

@@ -1,33 +0,0 @@
-/*
- * SPDX-FileCopyrightText: dakkar and other sharkey contributors
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-import * as crypto from 'node:crypto';
-
-export function secureishCompare(expected: string, given:string) {
-	const expectedLen = expected.length;
-	const givenLen = given.length;
-
-	/*
-		this ensures that the two strings are the same length, so
-		`timingSafeEqual` will not throw an error
-
-		notice that we perform the same operations regardless of the
-		length of the strings, we're trying not to leak timing
-		information!
-	*/
-	const paddedExpected = Buffer.from(expected + given);
-	const paddedGiven = Buffer.from(given + expected);
-
-	/*
-		if the two strings were equal, `sortOfEqual` will be true
-
-		if will be true in other cases, too! like `abc` and `abcabc`; but
-		then, `expectedLen` and `givenLen` would be different, and we'd
-		return false
-	*/
-	const sortOfEqual = crypto.timingSafeEqual(paddedExpected, paddedGiven);
-
-	return sortOfEqual && (givenLen === expectedLen);
-}

packages/backend/src/server/ActivityPubServerService.ts

@@ -38,7 +38,6 @@ import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOption
 import type { FindOptionsWhere } from 'typeorm';
 import type Logger from '@/logger.js';
 import { LoggerService } from '@/core/LoggerService.js';
-import { secureishCompare } from '@/misc/secure-ish-compare.js';
 
 const ACTIVITY_JSON = 'application/activity+json; charset=utf-8';
 const LD_JSON = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"; charset=utf-8';
@@ -288,7 +287,7 @@ export class ActivityPubServerService {
 
 			const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64');
 
-			if (!secureishCompare(hash, digestValue)) {
+			if (! crypto.timingSafeEqual(hash, digestValue)) {
 				// Invalid digest
 				reply.code(401);
 				return;

packages/backend/test/unit/misc/secure-ish-compare.ts

@@ -1,25 +0,0 @@
-/*
- * SPDX-FileCopyrightText: dakkar and other sharkey contributors
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-import { secureishCompare } from '@/misc/secure-ish-compare.js';
-
-describe(secureishCompare, () => {
-	it('should return true if strings are equal', () => {
-		expect(secureishCompare('abc','abc')).toBe(true);
-		expect(secureishCompare('aaa','aaa')).toBe(true);
-	});
-	it('should return false if strings are different', () => {
-		expect(secureishCompare('abc','def')).toBe(false);
-	});
-	it('should return false if one is prefix of the other', () => {
-		expect(secureishCompare('abc','abcabc')).toBe(false);
-		expect(secureishCompare('abcabc','abc')).toBe(false);
-		expect(secureishCompare('aaa','aa')).toBe(false);
-	});
-	it('should return false if strings are very different', () => {
-		expect(secureishCompare('abc','defghi')).toBe(false);
-		expect(secureishCompare('defghi','abc')).toBe(false);
-	});
-});