Merge pull request 'more path sanitization' (#21) from develop into master
Some checks failed
Publish Docker image / Build (push) Successful in 4m42s
Lint / pnpm_install (push) Successful in 1m43s
Test (production install and build) / production (22.11.0) (push) Successful in 1m8s
Test (backend) / unit (22.11.0) (push) Successful in 8m22s
Test (backend) / e2e (22.11.0) (push) Failing after 12m4s
Lint / lint (backend) (push) Successful in 2m37s
Lint / lint (frontend) (push) Successful in 2m34s
Lint / lint (frontend-embed) (push) Successful in 2m33s
Lint / lint (frontend-shared) (push) Successful in 2m40s
Lint / lint (misskey-bubble-game) (push) Successful in 2m29s
Lint / lint (misskey-js) (push) Successful in 2m27s
Lint / lint (misskey-reversi) (push) Successful in 2m41s
Lint / lint (sw) (push) Successful in 2m40s
Lint / typecheck (backend) (push) Successful in 2m23s
Lint / typecheck (misskey-js) (push) Successful in 1m35s
Lint / typecheck (sw) (push) Successful in 1m41s

Reviewed-on: #21
This commit is contained in:
ゆめ 2024-11-17 12:58:51 -06:00
commit c22160aa90

View file

@ -18,6 +18,42 @@ export function sanitizeRequestURI(uri: string): string {
return '[embed_vite]'; return '[embed_vite]';
} }
if (uri.startsWith('/emoji/')) {
return '/emoji/[emoji]';
}
if (uri.startsWith('/identicon/')) {
return '/identicon/[identicon]';
}
if (uri.startsWith('/tags/')) {
return '/tags/[tag]';
}
if (uri.startsWith('/user-tags/')) {
return '/user-tags/[tag]';
}
if (uri.startsWith('/page/')) {
return '/page/[page]';
}
if (uri.startsWith('/fluent-emoji/')) {
return '/fluent-emoji/[fluent-emoji]';
}
if (uri.startsWith('/twemoji/')) {
return '/twemoji/[twemoji]';
}
if (uri.startsWith('/twemoji-badge/')) {
return '/twemoji-badge/[twemoji-badge]';
}
if (!uri.startsWith('/api/')) {
return '[other]';
}
const uuid = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/g; const uuid = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/g;
const username_local = /\/@\w+(\/|$)/; const username_local = /\/@\w+(\/|$)/;
const username_remote = /\/@\w+@[a-zA-Z0-9-.]+\.[a-zA-Z]{2,4}(\/|$)/; const username_remote = /\/@\w+@[a-zA-Z0-9-.]+\.[a-zA-Z]{2,4}(\/|$)/;
@ -26,12 +62,6 @@ export function sanitizeRequestURI(uri: string): string {
const aid = new RegExp(`/${aidRegExp.source.replace(/^\^/, '').replace(/\$$/, '')}(\/|$)`, 'g'); const aid = new RegExp(`/${aidRegExp.source.replace(/^\^/, '').replace(/\$$/, '')}(\/|$)`, 'g');
return uri return uri
.replace(/\/tags\/[^/]+/g, '/tags/[tag]')
.replace(/\/user-tags\/[^/]+/g, '/user-tags/[tag]')
.replace(/\/page\/[\w-]+/g, '/page/[page]')
.replace(/\/fluent-emoji\/[^/]+/g, '/fluent-emoji/[fluent-emoji]')
.replace(/\/twemoji\/[^/]+/g, '/twemoji/[twemoji]')
.replace(/\/twemoji-badge\/[^/]+/g, '/twemoji-badge/[twemoji-badge]')
.replace(aidx, '/[aidx]/') .replace(aidx, '/[aidx]/')
.replace(aid, '/[aid]/') .replace(aid, '/[aid]/')
.replace(token, '=[token]') .replace(token, '=[token]')