fixup! implement CSP, remove commercial supporters from about section

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
2024-11-11 20:12:44 -06:00 · 2024-11-11 20:12:44 -06:00 · 2419a9f740
commit 2419a9f740
parent 3fcea3eeb6
6 changed files with 27 additions and 21 deletions
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
 	"name": "misskey",
-	"version": "2024.11.0-yumechinokuni.3",
+	"version": "2024.11.0-yumechinokuni.3p2",
 	"codename": "nasubi",
 	"repository": {
 		"type": "git",
--- a/packages/backend/src/server/csp.ts
+++ b/packages/backend/src/server/csp.ts
@ -24,9 +24,9 @@ export function generateCSP(hashedMap: Map<string, CSPHashed>, options: {
    return ([
        ['default-src', ['\'self\'']],
-        ['img-src', 
+        ['img-src',
-            [   
+            [
-                '\'self\'', 
+                '\'self\'',
                'data:',
                // 'https://avatars.githubusercontent.com', // uncomment this for contributor avatars to work
                options.mediaProxy
@ -41,7 +41,7 @@ export function generateCSP(hashedMap: Map<string, CSPHashed>, options: {
        // Since you can not write CSS selectors or cascading rules in the inline style attributes.
        //
        // ref: https://github.com/shikijs/shiki/issues/671
-        ['style-src-attr', ['\'self\'', '\'unsafe-inline\'']], 
+        ['style-src-attr', ['\'self\'', '\'unsafe-inline\'']],
        ['script-src', ['\'self\'', '\'wasm-unsafe-eval\'', ...scripts]],
        ['object-src', ['\'none\'']],
        ['frame-src', ['\'none\'']],
--- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts
+++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
@ -34,6 +34,7 @@ import Logger from '@/logger.js';
 import { StatusError } from '@/misc/status-error.js';
 import type { ServerResponse } from 'node:http';
 import type { FastifyInstance } from 'fastify';
 import { commonPugFilters } from '../pug-filters.js';
 // TODO: Consider migrating to @node-oauth/oauth2-server once
 // https://github.com/node-oauth/node-oauth2-server/issues/180 is figured out.
@ -391,6 +392,9 @@ export class OAuth2ProviderService {
 				version: this.config.version,
 				config: this.config,
 			},
 			options: {
 				filters: commonPugFilters,
 			},
 		});
 		await fastify.register(fastifyExpress);
--- a/packages/backend/src/server/pug-filters.ts
+++ b/packages/backend/src/server/pug-filters.ts
@ -0,0 +1,12 @@
 export const commonPugFilters = {
    dataTag: (data: string, options: { tagName: string, mimeType: string }) => {
        if (!/^[a-z]+$/.test(options.tagName)) {
            throw new Error('Invalid tagName');
        }
        if (/[;'"]/.test(options.mimeType)) {
            throw new Error('Invalid mimeType');
        }
        const dataURI = `data:${options.mimeType};base64,${Buffer.from(data).toString('base64')}`;
        return `<${options.tagName} data="${dataURI}"></${options.tagName}>`;
    }
 } as const;
--- a/packages/backend/src/server/web/ClientServerService.ts
+++ b/packages/backend/src/server/web/ClientServerService.ts
@ -69,6 +69,7 @@ import type { FastifyInstance, FastifyPluginOptions, FastifyReply } from 'fastif
 import { makeHstsHook } from '../hsts.js';
 import { generateCSP } from '../csp.js';
 import { appendQuery, query } from '@/misc/prelude/url.js';
 import { commonPugFilters } from '../pug-filters.js';
 const _filename = fileURLToPath(import.meta.url);
 const _dirname = dirname(_filename);
@ -322,19 +323,8 @@ export class ClientServerService {
 				config: this.config,
 			},
 			options: {
-				filters: {
+				filters: commonPugFilters,
-					dataTag: (data: string, options: { tagName: string, mimeType: string }) => {
+			},
 						if (!/^[a-z]+$/.test(options.tagName)) {
 							throw new Error('Invalid tagName');
 						}
 						if (/[;'"]/.test(options.mimeType)) {
 							throw new Error('Invalid mimeType');
 						}
 						const dataURI = `data:${options.mimeType};base64,${Buffer.from(data).toString('base64')}`;
 						return `<${options.tagName} data="${dataURI}"></${options.tagName}>`;
 					}
 				}
 			}
 		});
 		fastify.addHook('onRequest', (request, reply, done) => {
--- a/packages/backend/src/server/web/views/base-embed.pug
+++ b/packages/backend/src/server/web/views/base-embed.pug
@ -2,9 +2,9 @@ block vars
 block loadClientEntry
 	- const entry = config.frontendEntry
-	- const styleCSS = config.cspPrerenderedContent['style.embed.css']
+	- const styleCSS = config.cspPrerenderedContent.get('style.css');
-	- const bootJS = config.cspPrerenderedContent['boot.embed.js']
+	- const jsPrelude = config.cspPrerenderedContent.get('.prelude.js');
-	- const jsPrelude = config.cspPrerenderedContent['baseHtmlJSPrelude']
+	- const bootJS = config.cspPrerenderedContent.get('boot.js');
 doctype html