From 68bade8532035108d946fdada7f47df910605ce5 Mon Sep 17 00:00:00 2001 From: DVD Date: Wed, 12 Jul 2023 09:26:15 +0800 Subject: [PATCH 01/12] Disable signature check --- packages/client/src/pages/settings/import-export.vue | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/client/src/pages/settings/import-export.vue b/packages/client/src/pages/settings/import-export.vue index b2ac12cad..4a9286748 100644 --- a/packages/client/src/pages/settings/import-export.vue +++ b/packages/client/src/pages/settings/import-export.vue @@ -222,7 +222,7 @@ const importPosts = async (ev) => { const file = await selectFile(ev.currentTarget ?? ev.target); os.api("i/import-posts", { fileId: file.id, - signatureCheck: importType.value === "mastodon" ? true : false, + signatureCheck: false, }) .then(onImportSuccess) .catch(onError); From b8fcd0dc331ce73994f85ce078c03509bb8cc5ea Mon Sep 17 00:00:00 2001 From: ThatOneCalculator Date: Sat, 15 Jul 2023 14:13:21 -0700 Subject: [PATCH 02/12] fix: :lock: prevent potential SSRF through media proxy --- packages/backend/src/misc/download-url.ts | 3 +- .../backend/src/server/proxy/proxy-media.ts | 36 +++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/packages/backend/src/misc/download-url.ts b/packages/backend/src/misc/download-url.ts index 7fafb635b..b96871e72 100644 --- a/packages/backend/src/misc/download-url.ts +++ b/packages/backend/src/misc/download-url.ts @@ -21,9 +21,10 @@ export async function downloadUrl(url: string, path: string): Promise { const maxSize = config.maxFileSize || 262144000; const req = got - .stream(url, { + .stream(url, { headers: { "User-Agent": config.userAgent, + "Host": new URL(url).hostname, }, timeout: { lookup: timeout, diff --git a/packages/backend/src/server/proxy/proxy-media.ts b/packages/backend/src/server/proxy/proxy-media.ts index a9c257bfe..b3bb03124 100644 --- a/packages/backend/src/server/proxy/proxy-media.ts +++ b/packages/backend/src/server/proxy/proxy-media.ts @@ -1,4 +1,6 @@ import * as fs from "node:fs"; +import net from "node:net"; +import { promises } from "node:dns"; import type Koa from "koa"; import sharp from "sharp"; import type { IImage } from "@/services/drive/image-processor.js"; @@ -19,6 +21,40 @@ export async function proxyMedia(ctx: Koa.Context) { return; } + const { hostname } = new URL(url); + let resolvedIps; + try { + resolvedIps = await promises.resolve(hostname); + } catch (error) { + ctx.status = 400; + ctx.body = { message: "Invalid URL" }; + return; + } + + const isSSRF = resolvedIps.some((ip) => { + if (net.isIPv4(ip)) { + const parts = ip.split(".").map(Number); + return ( + parts[0] === 10 || + (parts[0] === 172 && parts[1] >= 16 && parts[1] < 32) || + (parts[0] === 192 && parts[1] === 168) || + parts[0] === 127 || + parts[0] === 0 + ); + } else if (net.isIPv6(ip)) { + return ( + ip.startsWith("::") || ip.startsWith("fc00:") || ip.startsWith("fe80:") + ); + } + return false; + }); + + if (isSSRF) { + ctx.status = 400; + ctx.body = { message: "Access to this URL is not allowed" }; + return; + } + // Create temp file const [path, cleanup] = await createTemp(); From 9fbcdb529ed01a3391f4fbf56630fa4c79116c9f Mon Sep 17 00:00:00 2001 From: Mizunashi Mana Date: Sun, 16 Jul 2023 18:57:38 +0900 Subject: [PATCH 03/12] feat: Move json5 to prod dependencies --- packages/backend/package.json | 2 +- pnpm-lock.yaml | 94 ++++++----------------------------- 2 files changed, 17 insertions(+), 79 deletions(-) diff --git a/packages/backend/package.json b/packages/backend/package.json index fe8c078a0..8564ca832 100644 --- a/packages/backend/package.json +++ b/packages/backend/package.json @@ -71,6 +71,7 @@ "is-svg": "4.3.2", "js-yaml": "4.1.0", "jsdom": "20.0.3", + "json5": "2.2.3", "jsonld": "8.2.0", "jsrsasign": "10.8.6", "koa": "2.14.2", @@ -185,7 +186,6 @@ "cross-env": "7.0.3", "eslint": "^8.44.0", "execa": "6.1.0", - "json5": "2.2.3", "json5-loader": "4.0.1", "mocha": "10.2.0", "pug": "3.0.2", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index adead9c6f..540d94109 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -219,6 +219,9 @@ importers: jsdom: specifier: 20.0.3 version: 20.0.3 + json5: + specifier: 2.2.3 + version: 2.2.3 jsonld: specifier: 8.2.0 version: 8.2.0 @@ -563,9 +566,6 @@ importers: execa: specifier: 6.1.0 version: 6.1.0 - json5: - specifier: 2.2.3 - version: 2.2.3 json5-loader: specifier: 4.0.1 version: 4.0.1(webpack@5.88.1) @@ -595,7 +595,7 @@ importers: version: 5.1.6 webpack: specifier: ^5.88.1 - version: 5.88.1(@swc/core@1.3.68) + version: 5.88.1(@swc/core@1.3.68)(webpack-cli@5.1.3) ws: specifier: 8.13.0 version: 8.13.0 @@ -780,7 +780,7 @@ importers: version: 2.30.0 emojilib: specifier: github:thatonecalculator/emojilib - version: github.com/thatonecalculator/emojilib/1d6adc1af8105b4937d2f0e7479acf5bd565bd9b + version: github.com/thatonecalculator/emojilib/d3c8c6a77d4362b3b3180099f1d2eac344ce245c escape-regexp: specifier: 0.0.1 version: 0.0.1 @@ -5138,7 +5138,7 @@ packages: /axios@0.24.0: resolution: {integrity: sha512-Q6cWsys88HoPgAaFAVUb0WpPk0O8iTeisR9IMqy9G8AbO4NlpVknrnQS03zzF9PGAWgO3cgletO3VjV/P7VztA==} dependencies: - follow-redirects: 1.15.2 + follow-redirects: 1.15.2(debug@4.3.4) transitivePeerDependencies: - debug dev: false @@ -5164,7 +5164,7 @@ packages: /axios@1.4.0: resolution: {integrity: sha512-S4XCWMEmzvo64T9GfvQDOXgYRDJ/wsSZc7Jvdgx5u1sd0JwsuPLqb3SYmusag+edF6ziyMensPVqLTSc1PiSEA==} dependencies: - follow-redirects: 1.15.2 + follow-redirects: 1.15.2(debug@4.3.4) form-data: 4.0.0 proxy-from-env: 1.1.0 transitivePeerDependencies: @@ -6843,17 +6843,6 @@ packages: dependencies: ms: 2.0.0 - /debug@3.2.7: - resolution: {integrity: sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==} - peerDependencies: - supports-color: '*' - peerDependenciesMeta: - supports-color: - optional: true - dependencies: - ms: 2.1.3 - dev: false - /debug@3.2.7(supports-color@8.1.1): resolution: {integrity: sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==} peerDependencies: @@ -6864,7 +6853,6 @@ packages: dependencies: ms: 2.1.3 supports-color: 8.1.1 - dev: true /debug@4.3.3: resolution: {integrity: sha512-/zxw5+vh1Tfv+4Qn7a5nsbcJKPaSvCDhojn6FEl9vupwK2VCSDtEiEtqr8DFtzYFOdz63LBkxec7DYuc2jon6Q==} @@ -8377,16 +8365,6 @@ packages: tabbable: 6.2.0 dev: true - /follow-redirects@1.15.2: - resolution: {integrity: sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==} - engines: {node: '>=4.0'} - peerDependencies: - debug: '*' - peerDependenciesMeta: - debug: - optional: true - dev: false - /follow-redirects@1.15.2(debug@4.3.4): resolution: {integrity: sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==} engines: {node: '>=4.0'} @@ -9355,7 +9333,7 @@ packages: engines: {node: '>= 4.5.0'} dependencies: agent-base: 4.3.0 - debug: 3.2.7 + debug: 3.2.7(supports-color@8.1.1) transitivePeerDependencies: - supports-color dev: false @@ -11280,7 +11258,7 @@ packages: json5: 2.2.3 loader-utils: 2.0.4 schema-utils: 3.3.0 - webpack: 5.88.1(@swc/core@1.3.68) + webpack: 5.88.1(@swc/core@1.3.68)(webpack-cli@5.1.3) dev: true /json5@1.0.2: @@ -11535,7 +11513,7 @@ packages: resolution: {integrity: sha512-UqyYyH5YEXaJrf9S8E23GoJFQZXkBVJ9zYYMPGz919MSX1KuvAcycIuS0ci150HCoPf4XQVhQ84Qf8xRPWxFaQ==} engines: {node: '>= 7.6.0'} dependencies: - debug: 3.2.7 + debug: 3.2.7(supports-color@8.1.1) koa-send: 5.0.1 transitivePeerDependencies: - supports-color @@ -12579,7 +12557,7 @@ packages: engines: {node: '>= 4.4.x'} hasBin: true dependencies: - debug: 3.2.7 + debug: 3.2.7(supports-color@8.1.1) iconv-lite: 0.4.24 sax: 1.2.4 transitivePeerDependencies: @@ -15558,7 +15536,7 @@ packages: webpack: '>=2' dependencies: '@swc/core': 1.3.68 - webpack: 5.88.1(@swc/core@1.3.68) + webpack: 5.88.1(@swc/core@1.3.68)(webpack-cli@5.1.3) dev: true /swiper@10.0.4: @@ -15677,7 +15655,7 @@ packages: schema-utils: 3.3.0 serialize-javascript: 6.0.1 terser: 5.19.0 - webpack: 5.88.1(@swc/core@1.3.68) + webpack: 5.88.1(@swc/core@1.3.68)(webpack-cli@5.1.3) dev: true /terser@5.19.0: @@ -16016,7 +15994,7 @@ packages: micromatch: 4.0.5 semver: 7.5.4 typescript: 5.1.6 - webpack: 5.88.1(@swc/core@1.3.68) + webpack: 5.88.1(@swc/core@1.3.68)(webpack-cli@5.1.3) dev: true /ts-node@10.4.0(@swc/core@1.3.68)(@types/node@20.3.1)(typescript@5.1.3): @@ -16933,46 +16911,6 @@ packages: engines: {node: '>=10.13.0'} dev: true - /webpack@5.88.1(@swc/core@1.3.68): - resolution: {integrity: sha512-FROX3TxQnC/ox4N+3xQoWZzvGXSuscxR32rbzjpXgEzWudJFEJBpdlkkob2ylrv5yzzufD1zph1OoFsLtm6stQ==} - engines: {node: '>=10.13.0'} - hasBin: true - peerDependencies: - webpack-cli: '*' - peerDependenciesMeta: - webpack-cli: - optional: true - dependencies: - '@types/eslint-scope': 3.7.4 - '@types/estree': 1.0.1 - '@webassemblyjs/ast': 1.11.6 - '@webassemblyjs/wasm-edit': 1.11.6 - '@webassemblyjs/wasm-parser': 1.11.6 - acorn: 8.10.0 - acorn-import-assertions: 1.9.0(acorn@8.10.0) - browserslist: 4.21.9 - chrome-trace-event: 1.0.3 - enhanced-resolve: 5.15.0 - es-module-lexer: 1.3.0 - eslint-scope: 5.1.1 - events: 3.3.0 - glob-to-regexp: 0.4.1 - graceful-fs: 4.2.11 - json-parse-even-better-errors: 2.3.1 - loader-runner: 4.3.0 - mime-types: 2.1.35 - neo-async: 2.6.2 - schema-utils: 3.3.0 - tapable: 2.2.1 - terser-webpack-plugin: 5.3.9(@swc/core@1.3.68)(webpack@5.88.1) - watchpack: 2.4.0 - webpack-sources: 3.2.3 - transitivePeerDependencies: - - '@swc/core' - - esbuild - - uglify-js - dev: true - /webpack@5.88.1(@swc/core@1.3.68)(webpack-cli@5.1.3): resolution: {integrity: sha512-FROX3TxQnC/ox4N+3xQoWZzvGXSuscxR32rbzjpXgEzWudJFEJBpdlkkob2ylrv5yzzufD1zph1OoFsLtm6stQ==} engines: {node: '>=10.13.0'} @@ -17486,8 +17424,8 @@ packages: url-polyfill: 1.1.12 dev: true - github.com/thatonecalculator/emojilib/1d6adc1af8105b4937d2f0e7479acf5bd565bd9b: - resolution: {tarball: https://codeload.github.com/thatonecalculator/emojilib/tar.gz/1d6adc1af8105b4937d2f0e7479acf5bd565bd9b} + github.com/thatonecalculator/emojilib/d3c8c6a77d4362b3b3180099f1d2eac344ce245c: + resolution: {tarball: https://codeload.github.com/thatonecalculator/emojilib/tar.gz/d3c8c6a77d4362b3b3180099f1d2eac344ce245c} name: emojilib version: 3.0.10 dev: true From 9c245e603123c88683da0eb1bbbefbe5ce637acc Mon Sep 17 00:00:00 2001 From: DVD Date: Sun, 16 Jul 2023 21:54:42 +0800 Subject: [PATCH 04/12] Fix: Quicktime Video Play on Chrome --- packages/client/src/components/MkMedia.vue | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/packages/client/src/components/MkMedia.vue b/packages/client/src/components/MkMedia.vue index 4c023f131..2cbb881f3 100644 --- a/packages/client/src/components/MkMedia.vue +++ b/packages/client/src/components/MkMedia.vue @@ -54,7 +54,7 @@ controls @contextmenu.stop > - + @@ -80,7 +80,7 @@