fix(frontend): disable Mk:apiExternal
parent
6c1f839cbe
commit
fcf0f5f6b5
@ -46,6 +46,7 @@
|
||||
- Fix: 共有機能をサポートしていないブラウザの場合は共有ボタンを非表示にする #11305
|
||||
- Fix: 通知のグルーピング設定を変更してもリロードされるまで表示が変わらない問題を修正 #12470
|
||||
- Fix: 長い名前のチャンネルにおける投稿フォームの表示が崩れる問題を修正
|
||||
- Fix: セキュリティ向上のためAiScriptの`Mk:apiExternal`を無効化
|
||||
|
||||
### Server
|
||||
- Enhance: MFM `$[ruby ]` が他ソフトウェアと連合されるように
|
||||
|
@ -5,8 +5,8 @@
|
||||
|
||||
// TODO: なんでもかんでもos.tsに突っ込むのやめたいのでよしなに分割する
|
||||
|
||||
import { pendingApiRequestsCount, api, apiExternal, apiGet } from '@/scripts/api.js';
|
||||
export { pendingApiRequestsCount, api, apiExternal, apiGet };
|
||||
import { pendingApiRequestsCount, api, apiGet } from '@/scripts/api.js';
|
||||
export { pendingApiRequestsCount, api, apiGet };
|
||||
import { Component, markRaw, Ref, ref, defineAsyncComponent } from 'vue';
|
||||
import { EventEmitter } from 'eventemitter3';
|
||||
import insertTextAtCursor from 'insert-text-at-cursor';
|
||||
|
@ -50,6 +50,7 @@ export function createAiScriptEnv(opts) {
|
||||
return values.ERROR('request_failed', utils.jsToVal(err));
|
||||
});
|
||||
}),
|
||||
/* セキュリティ上の問題があるため無効化
|
||||
'Mk:apiExternal': values.FN_NATIVE(async ([host, ep, param, token]) => {
|
||||
utils.assertString(host);
|
||||
utils.assertString(ep);
|
||||
@ -60,6 +61,7 @@ export function createAiScriptEnv(opts) {
|
||||
return values.ERROR('request_failed', utils.jsToVal(err));
|
||||
});
|
||||
}),
|
||||
*/
|
||||
'Mk:save': values.FN_NATIVE(([key, value]) => {
|
||||
utils.assertString(key);
|
||||
miLocalStorage.setItem(`aiscript:${opts.storageKey}:${key.value}`, JSON.stringify(utils.valToJs(value)));
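Review bot: The `Mk:apiExternal` entry is disabled by wrapping it in a block comment whose only rationale is `セキュリティ上の問題があるため無効化` ("disabled because of a security problem"), which does not tell a maintainer what must be fixed before the function may return. The visible signature `([host, ep, param, token])` shows that the script supplies both the host and the token, and the removed `apiExternal` helper only checked for an `http(s)://` prefix before POSTing there, so any script running in this environment could choose the destination of a client-side request. I would delete the dead body (version control keeps it) and leave one line that records the reason, e.g. `// Mk:apiExternal removed: host and token were script-controlled, so scripts could send requests to arbitrary origins`. Scripts that still call the name will presumably now fail on an undefined identifier; if a clearer failure is wanted, a stub returning `values.ERROR(...)` would be an alternative worth considering. `createAiScriptEnv` begins and ends outside these hunks and the middle of the disabled function is not shown.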
|
||||
|
@ -56,54 +56,6 @@ export function api<E extends keyof Misskey.Endpoints, P extends Misskey.Endpoin
|
||||
return promise;
|
||||
}
|
||||
|
||||
export function apiExternal<E extends keyof Misskey.Endpoints, P extends Misskey.Endpoints[E]['req']>(
|
||||
hostUrl: string,
|
||||
endpoint: E, data: P = {} as any,
|
||||
token?: string | null | undefined,
|
||||
signal?: AbortSignal,
|
||||
): Promise<Misskey.api.SwitchCaseResponseType<E, P>> {
|
||||
if (!/^https?:\/\//.test(hostUrl)) throw new Error('invalid host name');
|
||||
if (endpoint.includes('://')) throw new Error('invalid endpoint');
|
||||
pendingApiRequestsCount.value++;
|
||||
|
||||
const onFinally = () => {
|
||||
pendingApiRequestsCount.value--;
|
||||
};
|
||||
|
||||
const promise = new Promise<Misskey.Endpoints[E]['res'] | void>((resolve, reject) => {
|
||||
// Append a credential
|
||||
(data as any).i = token;
|
||||
|
||||
const fullUrl = (hostUrl.slice(-1) === '/' ? hostUrl.slice(0, -1) : hostUrl)
|
||||
+ '/api/' + (endpoint.slice(0, 1) === '/' ? endpoint.slice(1) : endpoint);
|
||||
// Send request
|
||||
window.fetch(fullUrl, {
|
||||
method: 'POST',
|
||||
body: JSON.stringify(data),
|
||||
credentials: 'omit',
|
||||
cache: 'no-cache',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
},
|
||||
signal,
|
||||
}).then(async (res) => {
|
||||
const body = res.status === 204 ? null : await res.json();
|
||||
|
||||
if (res.status === 200) {
|
||||
resolve(body);
|
||||
} else if (res.status === 204) {
|
||||
resolve();
|
||||
} else {
|
||||
reject(body.error);
|
||||
}
|
||||
}).catch(reject);
|
||||
});
|
||||
|
||||
promise.then(onFinally, onFinally);
|
||||
|
||||
return promise;
|
||||
}
|
||||
|
||||
// Implements Misskey.api.ApiClient.request
|
||||
export function apiGet<E extends keyof Misskey.Endpoints, P extends Misskey.Endpoints[E]['req']>(
|
||||
endpoint: E,
|
||||
|