yume/yumechi-no-kuni
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fixup! implement CSP, remove commercial supporters from about section
Some checks failed
Lint / pnpm_install (pull_request) Successful in 1m28s
Details
Lint / pnpm_install (push) Successful in 1m37s
Details
Publish Docker image / Build (pull_request) Successful in 4m53s
Details
Test (production install and build) / production (20.16.0) (pull_request) Successful in 1m8s
Details
Test (backend) / unit (20.16.0) (pull_request) Successful in 6m54s
Details
Test (backend) / e2e (20.16.0) (pull_request) Successful in 10m7s
Details
Test (backend) / unit (20.16.0) (push) Successful in 6m38s
Details
Test (production install and build) / production (20.16.0) (push) Successful in 1m28s
Details
Publish Docker image / Build (push) Has been cancelled
Details
Lint / lint (backend) (pull_request) Successful in 2m29s
Details
Lint / lint (frontend) (pull_request) Successful in 2m30s
Details
Test (backend) / e2e (20.16.0) (push) Successful in 11m22s
Details
Lint / lint (frontend-embed) (pull_request) Successful in 2m26s
Details
Lint / lint (frontend-shared) (pull_request) Successful in 2m24s
Details
Lint / lint (misskey-bubble-game) (pull_request) Successful in 2m30s
Details
Lint / lint (misskey-js) (pull_request) Successful in 2m37s
Details
Lint / lint (misskey-reversi) (pull_request) Successful in 2m31s
Details
Lint / typecheck (backend) (pull_request) Failing after 52s
Details
Lint / typecheck (misskey-js) (pull_request) Successful in 1m43s
Details
Lint / lint (sw) (pull_request) Successful in 3m21s
Details
Lint / typecheck (sw) (pull_request) Successful in 2m3s
Details
Lint / lint (backend) (push) Successful in 2m31s
Details
Lint / lint (frontend-embed) (push) Successful in 2m32s
Details
Lint / lint (frontend) (push) Successful in 2m46s
Details
Lint / lint (frontend-shared) (push) Successful in 2m10s
Details
Lint / lint (misskey-bubble-game) (push) Successful in 2m25s
Details
Lint / lint (misskey-js) (push) Successful in 2m27s
Details
Lint / lint (misskey-reversi) (push) Successful in 2m21s
Details
Lint / lint (sw) (push) Successful in 2m28s
Details
Lint / typecheck (backend) (push) Successful in 2m27s
Details
Lint / typecheck (misskey-js) (push) Successful in 1m36s
Details
Lint / typecheck (sw) (push) Successful in 1m46s
Details

Browse source 
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
This commit is contained in:
ゆめ 2024-11-11 20:12:44 -06:00
parent 3fcea3eeb6
commit 2b236b2919
No known key found for this signature in database
4 changed files with 23 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
packages/backend/src/server/csp.ts
View file

@ -24,9 +24,9 @@ export function generateCSP(hashedMap: Map<string, CSPHashed>, options: {
return ([ return ([
['default-src', ['\'self\'']], ['default-src', ['\'self\'']],
['img-src', ['img-src',
[ [
'\'self\'', '\'self\'',
'data:', 'data:',
// 'https://avatars.githubusercontent.com', // uncomment this for contributor avatars to work // 'https://avatars.githubusercontent.com', // uncomment this for contributor avatars to work
options.mediaProxy options.mediaProxy
@ -41,7 +41,7 @@ export function generateCSP(hashedMap: Map<string, CSPHashed>, options: {
// Since you can not write CSS selectors or cascading rules in the inline style attributes. // Since you can not write CSS selectors or cascading rules in the inline style attributes.
// //
// ref: https://github.com/shikijs/shiki/issues/671 // ref: https://github.com/shikijs/shiki/issues/671
['style-src-attr', ['\'self\'', '\'unsafe-inline\'']], ['style-src-attr', ['\'self\'', '\'unsafe-inline\'']],
['script-src', ['\'self\'', '\'wasm-unsafe-eval\'', ...scripts]], ['script-src', ['\'self\'', '\'wasm-unsafe-eval\'', ...scripts]],
['object-src', ['\'none\'']], ['object-src', ['\'none\'']],
['frame-src', ['\'none\'']], ['frame-src', ['\'none\'']],

4
packages/backend/src/server/oauth/OAuth2ProviderService.ts
View file

@ -34,6 +34,7 @@ import Logger from '@/logger.js';
import { StatusError } from '@/misc/status-error.js'; import { StatusError } from '@/misc/status-error.js';
import type { ServerResponse } from 'node:http'; import type { ServerResponse } from 'node:http';
import type { FastifyInstance } from 'fastify'; import type { FastifyInstance } from 'fastify';
import { commonPugFilters } from '../pug-filters.js';
// TODO: Consider migrating to @node-oauth/oauth2-server once // TODO: Consider migrating to @node-oauth/oauth2-server once
// https://github.com/node-oauth/node-oauth2-server/issues/180 is figured out. // https://github.com/node-oauth/node-oauth2-server/issues/180 is figured out.
@ -391,6 +392,9 @@ export class OAuth2ProviderService {
version: this.config.version, version: this.config.version,
config: this.config, config: this.config,
}, },
options: {
filters: commonPugFilters,
},
}); });
await fastify.register(fastifyExpress); await fastify.register(fastifyExpress);

12
packages/backend/src/server/pug-filters.ts Normal file
View file

@ -0,0 +1,12 @@
export const commonPugFilters = {
dataTag: (data: string, options: { tagName: string, mimeType: string }) => {
if (!/^[a-z]+$/.test(options.tagName)) {
throw new Error('Invalid tagName');
}
if (/[;'"]/.test(options.mimeType)) {
throw new Error('Invalid mimeType');
}
const dataURI = `data:${options.mimeType};base64,${Buffer.from(data).toString('base64')}`;
return `<${options.tagName} data="${dataURI}"></${options.tagName}>`;
}
} as const;

16
packages/backend/src/server/web/ClientServerService.ts
View file

@ -69,6 +69,7 @@ import type { FastifyInstance, FastifyPluginOptions, FastifyReply } from 'fastif
import { makeHstsHook } from '../hsts.js'; import { makeHstsHook } from '../hsts.js';
import { generateCSP } from '../csp.js'; import { generateCSP } from '../csp.js';
import { appendQuery, query } from '@/misc/prelude/url.js'; import { appendQuery, query } from '@/misc/prelude/url.js';
import { commonPugFilters } from '../pug-filters.js';
const _filename = fileURLToPath(import.meta.url); const _filename = fileURLToPath(import.meta.url);
const _dirname = dirname(_filename); const _dirname = dirname(_filename);
@ -322,19 +323,8 @@ export class ClientServerService {
config: this.config, config: this.config,
}, },
options: { options: {
filters: { filters: commonPugFilters,
dataTag: (data: string, options: { tagName: string, mimeType: string }) => { },
if (!/^[a-z]+$/.test(options.tagName)) {
throw new Error('Invalid tagName');
}
if (/[;'"]/.test(options.mimeType)) {
throw new Error('Invalid mimeType');
}
const dataURI = `data:${options.mimeType};base64,${Buffer.from(data).toString('base64')}`;
return `<${options.tagName} data="${dataURI}"></${options.tagName}>`;
}
}
}
}); });
fastify.addHook('onRequest', (request, reply, done) => { fastify.addHook('onRequest', (request, reply, done) => {