
Fix Vulnerability

This commit is contained in:
Chocolate Pie 2023-06-07 11:00:56 +09:00
parent de7ec82222
commit 7b63146d98
8 changed files with 15 additions and 14 deletions


@ -341,7 +341,7 @@ export class ApiCallService implements OnApplicationShutdown {
}
// API invoking
return await ep.exec(data, user, token, file, request.ip, request.headers).catch((err: Error) => {
return await ep.exec(data, user, token, flashToken, file, request.ip, request.headers).catch((err: Error) => {
if (err instanceof ApiError || err instanceof AuthenticationError) {
throw err;
} else {
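Review bot: The new `flashToken` argument forwarded to `ep.exec` on the replaced line is what the endpoints downstream now fold into their `isSecure` checks, so its derivation — which lies outside this hunk, in the enclosing method that also starts outside it — carries the whole fix: any flash-authenticated request path that reaches this call with `flashToken` still `null` is indistinguishable from a direct user session. Please confirm every path that resolves a flash token populates this variable before this point, and that a request can never arrive with both `token` and `flashToken` set without one of them being deliberately preferred. A one-line comment above the call would make the contract visible to the next maintainer: `// flashToken must be non-null for every flash-authenticated request; endpoints treat null here as a direct user session`.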


@ -3,6 +3,7 @@ import Ajv from 'ajv';
import type { Schema, SchemaType } from '@/misc/json-schema.js';
import type { LocalUser } from '@/models/entities/User.js';
import type { AccessToken } from '@/models/entities/AccessToken.js';
import type { FlashToken } from '@/misc/flash-token.js';
import { ApiError } from './error.js';
import type { IEndpointMeta } from './endpoints.js';
@ -21,16 +22,16 @@ type File = {
// TODO: paramsの型をT['params']のスキーマ定義から推論する
type Executor<T extends IEndpointMeta, Ps extends Schema> =
(params: SchemaType<Ps>, user: T['requireCredential'] extends true ? LocalUser : LocalUser | null, token: AccessToken | null, file?: File, cleanup?: () => any, ip?: string | null, headers?: Record<string, string> | null) =>
(params: SchemaType<Ps>, user: T['requireCredential'] extends true ? LocalUser : LocalUser | null, token: AccessToken | null, flashToken: FlashToken | null, file?: File, cleanup?: () => any, ip?: string | null, headers?: Record<string, string> | null) =>
Promise<T['res'] extends undefined ? Response : SchemaType<NonNullable<T['res']>>>;
export abstract class Endpoint<T extends IEndpointMeta, Ps extends Schema> {
public exec: (params: any, user: T['requireCredential'] extends true ? LocalUser : LocalUser | null, token: AccessToken | null, file?: File, ip?: string | null, headers?: Record<string, string> | null) => Promise<any>;
public exec: (params: any, user: T['requireCredential'] extends true ? LocalUser : LocalUser | null, token: AccessToken | null, flashToken: FlashToken | null, file?: File, ip?: string | null, headers?: Record<string, string> | null) => Promise<any>;
constructor(meta: T, paramDef: Ps, cb: Executor<T, Ps>) {
const validate = ajv.compile(paramDef);
this.exec = (params: any, user: T['requireCredential'] extends true ? LocalUser : LocalUser | null, token: AccessToken | null, file?: File, ip?: string | null, headers?: Record<string, string> | null) => {
this.exec = (params: any, user: T['requireCredential'] extends true ? LocalUser : LocalUser | null, token: AccessToken | null, flashToken: FlashToken | null, file?: File, ip?: string | null, headers?: Record<string, string> | null) => {
let cleanup: undefined | (() => void) = undefined;
if (meta.requireFile) {
@ -61,7 +62,7 @@ export abstract class Endpoint<T extends IEndpointMeta, Ps extends Schema> {
return Promise.reject(err);
}
return cb(params as SchemaType<Ps>, user, token, file, cleanup, ip, headers);
return cb(params as SchemaType<Ps>, user, token, flashToken, file, cleanup, ip, headers);
};
}
}
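Review bot: The new `flashToken: FlashToken | null` parameter in `Executor`, `exec` and the constructor closure is undocumented, yet the endpoint hunks show it carries a security meaning (their `isSecure` checks now require it to be `null` alongside `token`). A TSDoc line on the `Executor` type would pin that contract down, something like `/** flashToken — presumably non-null when the request was authorized by a Play flash token rather than the caller's own access token; endpoints that gate "secure" behaviour must treat it exactly like a non-null token. */`. As a point of style, inserting a required positional parameter in the middle of the list is why every endpoint callback had to grow placeholders (`_1, _2, _3, _4` in the drive and users hunks) and is an easy spot for a future endpoint to silently misalign its arguments; a follow-up that passes the auth context (`user`, `token`, `flashToken`) as one object would remove that class of mistake.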


@ -40,8 +40,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
private appEntityService: AppEntityService,
) {
super(meta, paramDef, async (ps, user, token) => {
const isSecure = user != null && token == null;
super(meta, paramDef, async (ps, user, token, flashToken) => {
const isSecure = user != null && token == null && flashToken == null;
// Lookup app
const ap = await this.appsRepository.findOneBy({ id: ps.appId });
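Review bot: The `isSecure` predicate is re-derived by hand in this endpoint and again in the two later `isSecure` hunks (`const isSecure = token == null && flashToken == null;`), so the fix is only as complete as the list of callbacks someone remembered to edit; an endpoint that keeps the old `token == null` form reopens the same hole. Centralising the rule in one place — for example a helper on `Endpoint` such as `protected isSecureCall(token: AccessToken | null, flashToken: FlashToken | null): boolean { return token == null && flashToken == null; }` — would let every endpoint call the same check and make the remaining hand-written `token == null` comparisons greppable. Note also that this endpoint additionally requires `user != null` while the later two do not; if that difference is intentional (an endpoint that admits anonymous callers) a short comment here would stop a reader from "fixing" it.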


@ -78,7 +78,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
private metaService: MetaService,
private driveService: DriveService,
) {
super(meta, paramDef, async (ps, me, _, file, cleanup, ip, headers) => {
super(meta, paramDef, async (ps, me, _1, _2, file, cleanup, ip, headers) => {
// Get 'name' parameter
let name = ps.name ?? file!.name ?? null;
if (name != null) {


@ -48,7 +48,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
private driveService: DriveService,
private globalEventService: GlobalEventService,
) {
super(meta, paramDef, async (ps, user, _1, _2, _3, ip, headers) => {
super(meta, paramDef, async (ps, user, _1, _2, _3, _4, ip, headers) => {
this.driveService.uploadFromUrl({ url: ps.url, user, folderId: ps.folderId, sensitive: ps.isSensitive, force: ps.force, comment: ps.comment, requestIp: ip, requestHeaders: headers }).then(file => {
this.driveFileEntityService.pack(file, { self: true }).then(packedFile => {
this.globalEventService.publishMainStream(user.id, 'urlUploadFinished', {


@ -44,8 +44,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
private userEntityService: UserEntityService,
) {
super(meta, paramDef, async (ps, user, token) => {
const isSecure = token == null;
super(meta, paramDef, async (ps, user, token, flashToken) => {
const isSecure = token == null && flashToken == null;
const now = new Date();
const today = `${now.getFullYear()}/${now.getMonth() + 1}/${now.getDate()}`;


@ -194,9 +194,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
private roleService: RoleService,
private cacheService: CacheService,
) {
super(meta, paramDef, async (ps, _user, token) => {
super(meta, paramDef, async (ps, _user, token, flashToken) => {
const user = await this.usersRepository.findOneByOrFail({ id: _user.id });
const isSecure = token == null;
const isSecure = token == null && flashToken == null;
const updates = {} as Partial<User>;
const profileUpdates = {} as Partial<UserProfile>;


@ -87,7 +87,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
private perUserPvChart: PerUserPvChart,
private apiLoggerService: ApiLoggerService,
) {
super(meta, paramDef, async (ps, me, _1, _2, _3, ip) => {
super(meta, paramDef, async (ps, me, _1, _2, _3, _4, ip) => {
let user;
const isModerator = await this.roleService.isModerator(me);