fix whitespace lints after f091b84c6e

packages/backend/src/core/MfmService.ts

@@ -474,176 +474,176 @@ export class MfmService {
 		}
 
 		const handlers: {
-            [K in mfm.MfmNode['type']]: (node: mfm.NodeType<K>) => any;
+			[K in mfm.MfmNode['type']]: (node: mfm.NodeType<K>) => any;
-        } = {
+		} = {
-        	async bold(node) {
+			async bold(node) {
-        		const el = doc.createElement('span');
+				const el = doc.createElement('span');
-        		el.textContent = '**';
+				el.textContent = '**';
-        		await appendChildren(node.children, el);
+				await appendChildren(node.children, el);
-        		el.textContent += '**';
+				el.textContent += '**';
-        		return el;
+				return el;
-        	},
+			},
 
-        	async small(node) {
+			async small(node) {
-        		const el = doc.createElement('small');
+				const el = doc.createElement('small');
-        		await appendChildren(node.children, el);
+				await appendChildren(node.children, el);
-        		return el;
+				return el;
-        	},
+			},
 
-        	async strike(node) {
+			async strike(node) {
-        		const el = doc.createElement('span');
+				const el = doc.createElement('span');
-        		el.textContent = '~~';
+				el.textContent = '~~';
-        		await appendChildren(node.children, el);
+				await appendChildren(node.children, el);
-        		el.textContent += '~~';
+				el.textContent += '~~';
-        		return el;
+				return el;
-        	},
+			},
 
-        	async italic(node) {
+			async italic(node) {
-        		const el = doc.createElement('span');
+				const el = doc.createElement('span');
-        		el.textContent = '*';
+				el.textContent = '*';
-        		await appendChildren(node.children, el);
+				await appendChildren(node.children, el);
-        		el.textContent += '*';
+				el.textContent += '*';
-        		return el;
+				return el;
-        	},
+			},
 
-        	async fn(node) {
+			async fn(node) {
-        		const el = doc.createElement('span');
+				const el = doc.createElement('span');
-        		el.textContent = '*';
+				el.textContent = '*';
-        		await appendChildren(node.children, el);
+				await appendChildren(node.children, el);
-        		el.textContent += '*';
+				el.textContent += '*';
-        		return el;
+				return el;
-        	},
+			},
 
-        	blockCode(node) {
+			blockCode(node) {
-        		const pre = doc.createElement('pre');
+				const pre = doc.createElement('pre');
-        		const inner = doc.createElement('code');
+				const inner = doc.createElement('code');
 
-        		const nodes = node.props.code
+				const nodes = node.props.code
-        			.split(/\r\n|\r|\n/)
+					.split(/\r\n|\r|\n/)
-        			.map((x) => doc.createTextNode(x));
+					.map((x) => doc.createTextNode(x));
 
-        		for (const x of intersperse<FIXME | 'br'>('br', nodes)) {
+				for (const x of intersperse<FIXME | 'br'>('br', nodes)) {
-        			inner.appendChild(x === 'br' ? doc.createElement('br') : x);
+					inner.appendChild(x === 'br' ? doc.createElement('br') : x);
-        		}
+				}
 
-        		pre.appendChild(inner);
+				pre.appendChild(inner);
-        		return pre;
+				return pre;
-        	},
+			},
 
-        	async center(node) {
+			async center(node) {
-        		const el = doc.createElement('div');
+				const el = doc.createElement('div');
-        		await appendChildren(node.children, el);
+				await appendChildren(node.children, el);
-        		return el;
+				return el;
-        	},
+			},
 
-        	emojiCode(node) {
+			emojiCode(node) {
-        		return doc.createTextNode(`\u200B:${node.props.name}:\u200B`);
+				return doc.createTextNode(`\u200B:${node.props.name}:\u200B`);
-        	},
+			},
 
-        	unicodeEmoji(node) {
+			unicodeEmoji(node) {
-        		return doc.createTextNode(node.props.emoji);
+				return doc.createTextNode(node.props.emoji);
-        	},
+			},
 
-        	hashtag: (node) => {
+			hashtag: (node) => {
-        		const a = doc.createElement('a');
+				const a = doc.createElement('a');
-        		a.setAttribute('href', `${this.config.url}/tags/${node.props.hashtag}`);
+				a.setAttribute('href', `${this.config.url}/tags/${node.props.hashtag}`);
-        		a.textContent = `#${node.props.hashtag}`;
+				a.textContent = `#${node.props.hashtag}`;
-        		a.setAttribute('rel', 'tag');
+				a.setAttribute('rel', 'tag');
-        		a.setAttribute('class', 'hashtag');
+				a.setAttribute('class', 'hashtag');
-        		return a;
+				return a;
-        	},
+			},
 
-        	inlineCode(node) {
+			inlineCode(node) {
-        		const el = doc.createElement('code');
+				const el = doc.createElement('code');
-        		el.textContent = node.props.code;
+				el.textContent = node.props.code;
-        		return el;
+				return el;
-        	},
+			},
 
-        	mathInline(node) {
+			mathInline(node) {
-        		const el = doc.createElement('code');
+				const el = doc.createElement('code');
-        		el.textContent = node.props.formula;
+				el.textContent = node.props.formula;
-        		return el;
+				return el;
-        	},
+			},
 
-        	mathBlock(node) {
+			mathBlock(node) {
-        		const el = doc.createElement('code');
+				const el = doc.createElement('code');
-        		el.textContent = node.props.formula;
+				el.textContent = node.props.formula;
-        		return el;
+				return el;
-        	},
+			},
 
-        	async link(node) {
+			async link(node) {
-        		const a = doc.createElement('a');
+				const a = doc.createElement('a');
-        		a.setAttribute('rel', 'nofollow noopener noreferrer');
+				a.setAttribute('rel', 'nofollow noopener noreferrer');
-        		a.setAttribute('target', '_blank');
+				a.setAttribute('target', '_blank');
-        		a.setAttribute('href', node.props.url);
+				a.setAttribute('href', node.props.url);
-        		await appendChildren(node.children, a);
+				await appendChildren(node.children, a);
-        		return a;
+				return a;
-        	},
+			},
 
-        	async mention(node) {
+			async mention(node) {
-        		const { username, host, acct } = node.props;
+				const { username, host, acct } = node.props;
-        		const resolved = mentionedRemoteUsers.find(remoteUser => remoteUser.username === username && remoteUser.host === host);
+				const resolved = mentionedRemoteUsers.find(remoteUser => remoteUser.username === username && remoteUser.host === host);
 
-        		const el = doc.createElement('span');
+				const el = doc.createElement('span');
-        		if (!resolved) {
+				if (!resolved) {
-        			el.textContent = acct;
+					el.textContent = acct;
-        		} else {
+				} else {
-        			el.setAttribute('class', 'h-card');
+					el.setAttribute('class', 'h-card');
-        			el.setAttribute('translate', 'no');
+					el.setAttribute('translate', 'no');
-        			const a = doc.createElement('a');
+					const a = doc.createElement('a');
-        			a.setAttribute('href', resolved.url ? resolved.url : resolved.uri);
+					a.setAttribute('href', resolved.url ? resolved.url : resolved.uri);
-        			a.className = 'u-url mention';
+					a.className = 'u-url mention';
-        			const span = doc.createElement('span');
+					const span = doc.createElement('span');
-        			span.textContent = resolved.username || username;
+					span.textContent = resolved.username || username;
-        			a.textContent = '@';
+					a.textContent = '@';
-        			a.appendChild(span);
+					a.appendChild(span);
-        			el.appendChild(a);
+					el.appendChild(a);
-        		}
+				}
 
-        		return el;
+				return el;
-        	},
+			},
 
-        	async quote(node) {
+			async quote(node) {
-        		const el = doc.createElement('blockquote');
+				const el = doc.createElement('blockquote');
-        		await appendChildren(node.children, el);
+				await appendChildren(node.children, el);
-        		return el;
+				return el;
-        	},
+			},
 
-        	text(node) {
+			text(node) {
-        		const el = doc.createElement('span');
+				const el = doc.createElement('span');
-        		const nodes = node.props.text
+				const nodes = node.props.text
-        			.split(/\r\n|\r|\n/)
+					.split(/\r\n|\r|\n/)
-        			.map((x) => doc.createTextNode(x));
+					.map((x) => doc.createTextNode(x));
 
-        		for (const x of intersperse<FIXME | 'br'>('br', nodes)) {
+				for (const x of intersperse<FIXME | 'br'>('br', nodes)) {
-        			el.appendChild(x === 'br' ? doc.createElement('br') : x);
+					el.appendChild(x === 'br' ? doc.createElement('br') : x);
-        		}
+				}
 
-        		return el;
+				return el;
-        	},
+			},
 
-        	url(node) {
+			url(node) {
-        		const a = doc.createElement('a');
+				const a = doc.createElement('a');
-        		a.setAttribute('rel', 'nofollow noopener noreferrer');
+				a.setAttribute('rel', 'nofollow noopener noreferrer');
-        		a.setAttribute('target', '_blank');
+				a.setAttribute('target', '_blank');
-        		a.setAttribute('href', node.props.url);
+				a.setAttribute('href', node.props.url);
-        		a.textContent = node.props.url.replace(/^https?:\/\//, '');
+				a.textContent = node.props.url.replace(/^https?:\/\//, '');
-        		return a;
+				return a;
-        	},
+			},
 
-        	search: (node) => {
+			search: (node) => {
-        		const a = doc.createElement('a');
+				const a = doc.createElement('a');
-        		a.setAttribute('href', `https"google.com/${node.props.query}`);
+				a.setAttribute('href', `https"google.com/${node.props.query}`);
-        		a.textContent = node.props.content;
+				a.textContent = node.props.content;
-        		return a;
+				return a;
-        	},
+			},
 
-        	async plain(node) {
+			async plain(node) {
-        		const el = doc.createElement('span');
+				const el = doc.createElement('span');
-        		await appendChildren(node.children, el);
+				await appendChildren(node.children, el);
-        		return el;
+				return el;
-        	},
+			},
-        };
+		};
 
 		await appendChildren(nodes, doc.body);
 

packages/backend/src/core/UserAuthService.ts

@@ -11,7 +11,7 @@ import type { MiUserProfile, UserProfilesRepository, UsersRepository } from '@/m
 import { bindThis } from '@/decorators.js';
 import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error.js';
 import type { MiLocalUser } from '@/models/User.js';
-import * as crypto from 'node:crypto';
+import { secureishCompare } from '@/misc/secure-ish-compare.js';
 
 @Injectable()
 export class UserAuthService {
@@ -29,7 +29,7 @@ export class UserAuthService {
 		if (profile.twoFactorBackupSecret?.includes(token)) {
 			await this.userProfilesRepository.update({ userId: profile.userId }, {
 				twoFactorBackupSecret: profile.twoFactorBackupSecret.filter(
-					(secret) => !crypto.timingSafeEqual(secret, token)
+					(secret) => !secureishCompare(secret, token)
 				),
 			});
 		} else {

packages/backend/src/misc/secure-ish-compare.ts

@@ -0,0 +1,33 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and other sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import * as crypto from 'node:crypto';
+
+export function secureishCompare(expected: string, given:string) {
+	const expectedLen = expected.length;
+	const givenLen = given.length;
+
+	/*
+		this ensures that the two strings are the same length, so
+		`timingSafeEqual` will not throw an error
+
+		notice that we perform the same operations regardless of the
+		length of the strings, we're trying not to leak timing
+		information!
+	*/
+	const paddedExpected = Buffer.from(expected + given);
+	const paddedGiven = Buffer.from(given + expected);
+
+	/*
+		if the two strings were equal, `sortOfEqual` will be true
+
+		if will be true in other cases, too! like `abc` and `abcabc`; but
+		then, `expectedLen` and `givenLen` would be different, and we'd
+		return false
+	*/
+	const sortOfEqual = crypto.timingSafeEqual(paddedExpected, paddedGiven);
+
+	return sortOfEqual && (givenLen === expectedLen);
+}

packages/backend/src/server/ActivityPubServerService.ts

@@ -38,6 +38,7 @@ import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOption
 import type { FindOptionsWhere } from 'typeorm';
 import type Logger from '@/logger.js';
 import { LoggerService } from '@/core/LoggerService.js';
+import { secureishCompare } from '@/misc/secure-ish-compare.js';
 
 const ACTIVITY_JSON = 'application/activity+json; charset=utf-8';
 const LD_JSON = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"; charset=utf-8';
@@ -287,7 +288,7 @@ export class ActivityPubServerService {
 
 			const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64');
 
-			if (! crypto.timingSafeEqual(hash, digestValue)) {
+			if (!secureishCompare(hash, digestValue)) {
 				// Invalid digest
 				reply.code(401);
 				return;

packages/backend/test/unit/misc/secure-ish-compare.ts

@@ -0,0 +1,25 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and other sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { secureishCompare } from '@/misc/secure-ish-compare.js';
+
+describe(secureishCompare, () => {
+	it('should return true if strings are equal', () => {
+		expect(secureishCompare('abc','abc')).toBe(true);
+		expect(secureishCompare('aaa','aaa')).toBe(true);
+	});
+	it('should return false if strings are different', () => {
+		expect(secureishCompare('abc','def')).toBe(false);
+	});
+	it('should return false if one is prefix of the other', () => {
+		expect(secureishCompare('abc','abcabc')).toBe(false);
+		expect(secureishCompare('abcabc','abc')).toBe(false);
+		expect(secureishCompare('aaa','aa')).toBe(false);
+	});
+	it('should return false if strings are very different', () => {
+		expect(secureishCompare('abc','defghi')).toBe(false);
+		expect(secureishCompare('defghi','abc')).toBe(false);
+	});
+});