From 2419a9f740e84914f3f411f1bd086f5d068f2462 Mon Sep 17 00:00:00 2001
From: eternal-flame-AD
Date: Mon, 11 Nov 2024 20:12:44 -0600
Subject: [PATCH] fixup! implement CSP, remove commercial supporters from about section
Signed-off-by: eternal-flame-AD
---
 package.json | 2 +-
 packages/backend/src/server/csp.ts | 8 ++++----
 .../src/server/oauth/OAuth2ProviderService.ts | 4 ++++
 packages/backend/src/server/pug-filters.ts | 12 ++++++++++++
 .../src/server/web/ClientServerService.ts | 16 +++-------------
 .../backend/src/server/web/views/base-embed.pug | 6 +++---
 6 files changed, 27 insertions(+), 21 deletions(-)
 create mode 100644 packages/backend/src/server/pug-filters.ts
diff --git a/package.json b/package.json
index a8e0b047bb..619b4e9558 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "misskey",
- "version": "2024.11.0-yumechinokuni.3",
+ "version": "2024.11.0-yumechinokuni.3p2",
 "codename": "nasubi",
 "repository": {
 "type": "git",
diff --git a/packages/backend/src/server/csp.ts b/packages/backend/src/server/csp.ts
index ab114851a2..1797d93707 100644
--- a/packages/backend/src/server/csp.ts
+++ b/packages/backend/src/server/csp.ts
@@ -24,9 +24,9 @@ export function generateCSP(hashedMap: Map, options: {
 return ([
 ['default-src', ['\'self\'']],
- ['img-src',
- [
- '\'self\'',
+ ['img-src',
+ [
+ '\'self\'',
 'data:',
 // 'https://avatars.githubusercontent.com', // uncomment this for contributor avatars to work
 options.mediaProxy
@@ -41,7 +41,7 @@ export function generateCSP(hashedMap: Map, options: {
 // Since you can not write CSS selectors or cascading rules in the inline style attributes.
 //
 // ref: https://github.com/shikijs/shiki/issues/671
- ['style-src-attr', ['\'self\'', '\'unsafe-inline\'']],
+ ['style-src-attr', ['\'self\'', '\'unsafe-inline\'']],
 ['script-src', ['\'self\'', '\'wasm-unsafe-eval\'', ...scripts]],
 ['object-src', ['\'none\'']],
 ['frame-src', ['\'none\'']],
diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
index e065c451f1..9959e3f29d 100644
--- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts
+++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
@@ -34,6 +34,7 @@ import Logger from '@/logger.js';
 import { StatusError } from '@/misc/status-error.js';
 import type { ServerResponse } from 'node:http';
 import type { FastifyInstance } from 'fastify';
+import { commonPugFilters } from '../pug-filters.js';
 // TODO: Consider migrating to @node-oauth/oauth2-server once
 // https://github.com/node-oauth/node-oauth2-server/issues/180 is figured out.
@@ -391,6 +392,9 @@ export class OAuth2ProviderService {
 version: this.config.version,
 config: this.config,
 },
+ options: {
+ filters: commonPugFilters,
+ },
 });
 await fastify.register(fastifyExpress);
diff --git a/packages/backend/src/server/pug-filters.ts b/packages/backend/src/server/pug-filters.ts
new file mode 100644
index 0000000000..eea8ffc3ad
--- /dev/null
+++ b/packages/backend/src/server/pug-filters.ts
@@ -0,0 +1,12 @@
+export const commonPugFilters = {
+ dataTag: (data: string, options: { tagName: string, mimeType: string }) => {
+ if (!/^[a-z]+$/.test(options.tagName)) {
+ throw new Error('Invalid tagName');
+ }
+ if (/[;'"]/.test(options.mimeType)) {
+ throw new Error('Invalid mimeType');
+ }
+ const dataURI = `data:${options.mimeType};base64,${Buffer.from(data).toString('base64')}`;
+ return `<${options.tagName} data="${dataURI}">`;
+ }
+} as const;
diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts
index 8e15cc95b3..e2f227323f 100644
--- a/packages/backend/src/server/web/ClientServerService.ts
+++ b/packages/backend/src/server/web/ClientServerService.ts
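Review bot: The `mimeType` guard in dataTag is a denylist, so a value containing `&`, `<`, `>` or whitespace still lands unescaped inside the `data="…"` attribute and the data: URI; an allowlist such as `if (!/^[a-z0-9.+-]+\/[a-z0-9.+-]+$/i.test(options.mimeType)) {` rejects everything the current check rejects plus those cases, while still accepting types like `image/svg+xml`. The filter's callers are not visible here (presumably pug templates, since this patch wires the same object into ClientServerService.ts and OAuth2ProviderService.ts), so whether `tagName`/`mimeType` can ever carry user-controlled text is something the commit should state. The exported `commonPugFilters` has no documentation; a TSDoc block should say it is the shared filter set for both pug renderers, that `data` is base64-encoded (UTF-8 via `Buffer.from`) and therefore attribute-safe, and that `tagName` is limited to lowercase ASCII letters.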
@@ -69,6 +69,7 @@ import type { FastifyInstance, FastifyPluginOptions, FastifyReply } from 'fastif
 import { makeHstsHook } from '../hsts.js';
 import { generateCSP } from '../csp.js';
 import { appendQuery, query } from '@/misc/prelude/url.js';
+import { commonPugFilters } from '../pug-filters.js';
 const _filename = fileURLToPath(import.meta.url);
 const _dirname = dirname(_filename);
@@ -322,19 +323,8 @@ export class ClientServerService {
 config: this.config,
 },
 options: {
- filters: {
- dataTag: (data: string, options: { tagName: string, mimeType: string }) => {
- if (!/^[a-z]+$/.test(options.tagName)) {
- throw new Error('Invalid tagName');
- }
- if (/[;'"]/.test(options.mimeType)) {
- throw new Error('Invalid mimeType');
- }
- const dataURI = `data:${options.mimeType};base64,${Buffer.from(data).toString('base64')}`;
- return `<${options.tagName} data="${dataURI}">`;
- }
- }
- }
+ filters: commonPugFilters,
+ },
 });
 fastify.addHook('onRequest', (request, reply, done) => {
diff --git a/packages/backend/src/server/web/views/base-embed.pug b/packages/backend/src/server/web/views/base-embed.pug
index 42ec11fe3a..4babecf228 100644
--- a/packages/backend/src/server/web/views/base-embed.pug
+++ b/packages/backend/src/server/web/views/base-embed.pug
@@ -2,9 +2,9 @@ block vars
 block loadClientEntry
 - const entry = config.frontendEntry
- - const styleCSS = config.cspPrerenderedContent['style.embed.css']
- - const bootJS = config.cspPrerenderedContent['boot.embed.js']
- - const jsPrelude = config.cspPrerenderedContent['baseHtmlJSPrelude']
+ - const styleCSS = config.cspPrerenderedContent.get('style.css');
+ - const jsPrelude = config.cspPrerenderedContent.get('.prelude.js');
+ - const bootJS = config.cspPrerenderedContent.get('boot.js');
 doctype html