Merge branch 'develop' into pizzax-indexeddb

author: tamaina <tamaina@hotmail.co.jp> 2022-01-02 21:56:34 +0900
committer: tamaina <tamaina@hotmail.co.jp> 2022-01-02 21:56:34 +0900
commit: 8804f896b06a1ab3c2bfbb79d0e286b59d72aea2 (patch)
tree: e08521bf8f4e40745d84e7e4955cb6e58c373556 /packages/backend
parent: modify comment (diff)
parent: update deps (diff)
download: misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.gz
misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.bz2
misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.zip
6 files changed, 62 insertions, 42 deletions
diff --git a/packages/backend/package.json b/packages/backend/package.json
index ffd179dfa3..65da382e2d 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -76,7 +76,6 @@
 		"abort-controller": "3.0.0",
 		"archiver": "5.3.0",
 		"autobind-decorator": "2.4.0",
-		"autosize": "4.0.4",
 		"autwh": "0.1.0",
 		"aws-sdk": "2.1013.0",
 		"bcryptjs": "2.4.3",
@@ -91,7 +90,6 @@
 		"chartjs-adapter-date-fns": "2.0.0",
 		"chartjs-plugin-zoom": "1.1.1",
 		"cli-highlight": "2.1.11",
-		"compare-versions": "3.6.0",
 		"content-disposition": "0.5.3",
 		"crc-32": "1.2.0",
 		"css-loader": "6.5.1",
@@ -111,8 +109,6 @@
 		"got": "11.8.2",
 		"hpagent": "0.1.2",
 		"http-signature": "1.3.5",
-		"idb-keyval": "5.1.3",
-		"insert-text-at-cursor": "0.3.0",
 		"ip-cidr": "3.0.4",
 		"is-svg": "4.3.1",
 		"js-yaml": "4.1.0",
@@ -133,7 +129,7 @@
 		"langmap": "0.0.16",
 		"mfm-js": "0.20.0",
 		"mime-types": "2.1.34",
-		"misskey-js": "0.0.8",
+		"misskey-js": "0.0.12",
 		"mocha": "8.4.0",
 		"ms": "3.0.0-canary.1",
 		"multer": "1.4.3",
diff --git a/packages/backend/src/const.ts b/packages/backend/src/const.ts
index 43f59f1e4f..b00bd81655 100644
--- a/packages/backend/src/const.ts
+++ b/packages/backend/src/const.ts
@@ -1,2 +1,47 @@
 export const USER_ONLINE_THRESHOLD = 1000 * 60 * 10; // 10min
 export const USER_ACTIVE_THRESHOLD = 1000 * 60 * 60 * 24 * 3; // 3days
+
+// ブラウザで直接表示することを許可するファイルの種類のリスト
+// ここに含まれないものは application/octet-stream としてレスポンスされる
+// SVGはXSSを生むので許可しない
+export const FILE_TYPE_BROWSERSAFE = [
+	// Images
+	'image/png',
+	'image/gif',
+	'image/jpeg',
+	'image/webp',
+	'image/apng',
+	'image/bmp',
+	'image/tiff',
+	'image/x-icon',
+
+	// OggS
+	'audio/opus',
+	'video/ogg',
+	'audio/ogg',
+	'application/ogg',
+
+	// ISO/IEC base media file format
+	'video/quicktime',
+	'video/mp4',
+	'audio/mp4',
+	'video/x-m4v',
+	'audio/x-m4a',
+	'video/3gpp',
+	'video/3gpp2',
+
+	'video/mpeg',
+	'audio/mpeg',
+
+	'video/webm',
+	'audio/webm',
+
+	'audio/aac',
+	'audio/x-flac',
+	'audio/vnd.wave',
+];
+/*
+https://github.com/sindresorhus/file-type/blob/main/supported.js
+https://github.com/sindresorhus/file-type/blob/main/core.js
+https://developer.mozilla.org/en-US/docs/Web/Media/Formats/Containers
+*/
diff --git a/packages/backend/src/server/file/send-drive-file.ts b/packages/backend/src/server/file/send-drive-file.ts
index 8bb5655b4f..7bfc36e25a 100644
--- a/packages/backend/src/server/file/send-drive-file.ts
+++ b/packages/backend/src/server/file/send-drive-file.ts
@@ -14,6 +14,7 @@ import { detectType } from '@/misc/get-file-info';
 import { convertToJpeg, convertToPngOrJpeg } from '@/services/drive/image-processor';
 import { GenerateVideoThumbnail } from '@/services/drive/generate-video-thumbnail';
 import { StatusError } from '@/misc/fetch';
+import { FILE_TYPE_BROWSERSAFE } from '@/const';
 
 //const _filename = fileURLToPath(import.meta.url);
 const _filename = __filename;
@@ -27,6 +28,7 @@ const commonReadableHandlerGenerator = (ctx: Koa.Context) => (e: Error): void =>
 	ctx.set('Cache-Control', 'max-age=300');
 };
 
+// eslint-disable-next-line import/no-default-export
 export default async function(ctx: Koa.Context) {
 	const key = ctx.params.key;
 
@@ -81,7 +83,7 @@ export default async function(ctx: Koa.Context) {
 
 				const image = await convertFile();
 				ctx.body = image.data;
-				ctx.set('Content-Type', image.type);
+				ctx.set('Content-Type', FILE_TYPE_BROWSERSAFE.includes(image.type) ? image.type : 'application/octet-stream');
 				ctx.set('Cache-Control', 'max-age=31536000, immutable');
 			} catch (e) {
 				serverLogger.error(`${e}`);
@@ -112,14 +114,14 @@ export default async function(ctx: Koa.Context) {
 		}).toString();
 
 		ctx.body = InternalStorage.read(key);
-		ctx.set('Content-Type', mime);
+		ctx.set('Content-Type', FILE_TYPE_BROWSERSAFE.includes(mime) ? mime : 'application/octet-stream');
 		ctx.set('Cache-Control', 'max-age=31536000, immutable');
 		ctx.set('Content-Disposition', contentDisposition('inline', filename));
 	} else {
 		const readable = InternalStorage.read(file.accessKey!);
 		readable.on('error', commonReadableHandlerGenerator(ctx));
 		ctx.body = readable;
-		ctx.set('Content-Type', file.type);
+		ctx.set('Content-Type', FILE_TYPE_BROWSERSAFE.includes(file.type) ? file.type : 'application/octet-stream');
 		ctx.set('Cache-Control', 'max-age=31536000, immutable');
 		ctx.set('Content-Disposition', contentDisposition('inline', file.name));
 	}
diff --git a/packages/backend/src/server/proxy/proxy-media.ts b/packages/backend/src/server/proxy/proxy-media.ts
index 9e13c0877f..aba08bb805 100644
--- a/packages/backend/src/server/proxy/proxy-media.ts
+++ b/packages/backend/src/server/proxy/proxy-media.ts
@@ -6,6 +6,7 @@ import { createTemp } from '@/misc/create-temp';
 import { downloadUrl } from '@/misc/download-url';
 import { detectType } from '@/misc/get-file-info';
 import { StatusError } from '@/misc/fetch';
+import { FILE_TYPE_BROWSERSAFE } from '@/const';
 
 export async function proxyMedia(ctx: Koa.Context) {
 	const url = 'url' in ctx.query ? ctx.query.url : 'https://' + ctx.params.url;
@@ -19,6 +20,7 @@ export async function proxyMedia(ctx: Koa.Context) {
 		const { mime, ext } = await detectType(path);
 
 		if (!mime.startsWith('image/')) throw 403;
+		if (!FILE_TYPE_BROWSERSAFE.includes(mime)) throw 403;
 
 		let image: IImage;
 
diff --git a/packages/backend/src/services/drive/add-file.ts b/packages/backend/src/services/drive/add-file.ts
index ee4d51a96d..3d53fe8d34 100644
--- a/packages/backend/src/services/drive/add-file.ts
+++ b/packages/backend/src/services/drive/add-file.ts
@@ -20,6 +20,7 @@ import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error';
 import * as S3 from 'aws-sdk/clients/s3';
 import { getS3 } from './s3';
 import * as sharp from 'sharp';
+import { FILE_TYPE_BROWSERSAFE } from '@/const';
 
 const logger = driveLogger.createSubLogger('register', 'yellow');
 
@@ -160,7 +161,7 @@ export async function generateAlts(path: string, type: string, generateWeb: bool
 		}
 	}
 
-	if (!['image/jpeg', 'image/png', 'image/webp'].includes(type)) {
+	if (!['image/jpeg', 'image/png', 'image/webp', 'image/svg+xml'].includes(type)) {
 		logger.debug(`web image and thumbnail not created (not an required file)`);
 		return {
 			webpublic: null,
@@ -201,7 +202,7 @@ export async function generateAlts(path: string, type: string, generateWeb: bool
 				webpublic = await convertSharpToJpeg(img, 2048, 2048);
 			} else if (['image/webp'].includes(type)) {
 				webpublic = await convertSharpToWebp(img, 2048, 2048);
-			} else if (['image/png'].includes(type)) {
+			} else if (['image/png', 'image/svg+xml'].includes(type)) {
 				webpublic = await convertSharpToPng(img, 2048, 2048);
 			} else {
 				logger.debug(`web image not created (not an required image)`);
@@ -220,7 +221,7 @@ export async function generateAlts(path: string, type: string, generateWeb: bool
 	try {
 		if (['image/jpeg', 'image/webp'].includes(type)) {
 			thumbnail = await convertSharpToJpeg(img, 498, 280);
-		} else if (['image/png'].includes(type)) {
+		} else if (['image/png', 'image/svg+xml'].includes(type)) {
 			thumbnail = await convertSharpToPngOrJpeg(img, 498, 280);
 		} else {
 			logger.debug(`thumbnail not created (not an required file)`);
@@ -241,6 +242,7 @@ export async function generateAlts(path: string, type: string, generateWeb: bool
  */
 async function upload(key: string, stream: fs.ReadStream | Buffer, type: string, filename?: string) {
 	if (type === 'image/apng') type = 'image/png';
+	if (!FILE_TYPE_BROWSERSAFE.includes(type)) type = 'application/octet-stream';
 
 	const meta = await fetchMeta();
 
diff --git a/packages/backend/yarn.lock b/packages/backend/yarn.lock
index 0652d1df3f..16144b6d57 100644
--- a/packages/backend/yarn.lock
+++ b/packages/backend/yarn.lock
@@ -1449,11 +1449,6 @@ autobind-decorator@2.4.0, autobind-decorator@^2.4.0:
   resolved "https://registry.yarnpkg.com/autobind-decorator/-/autobind-decorator-2.4.0.tgz#ea9e1c98708cf3b5b356f7cf9f10f265ff18239c"
   integrity sha512-OGYhWUO72V6DafbF8PM8rm3EPbfuyMZcJhtm5/n26IDwO18pohE4eNazLoCGhPiXOCD0gEGmrbU3849QvM8bbw==
 
-autosize@4.0.4:
-  version "4.0.4"
-  resolved "https://registry.yarnpkg.com/autosize/-/autosize-4.0.4.tgz#924f13853a466b633b9309330833936d8bccce03"
-  integrity sha512-5yxLQ22O0fCRGoxGfeLSNt3J8LB1v+umtpMnPW6XjkTWXKoN0AmXAIhelJcDtFT/Y/wYWmfE+oqU10Q0b8FhaQ==
-
 autwh@0.1.0:
   version "0.1.0"
   resolved "https://registry.yarnpkg.com/autwh/-/autwh-0.1.0.tgz#24a5300923309d105133401a2568f9c8ab7d7e03"
@@ -2145,11 +2140,6 @@ commander@^8.2.0:
   resolved "https://registry.yarnpkg.com/commander/-/commander-8.3.0.tgz#4837ea1b2da67b9c616a67afbb0fafee567bca66"
   integrity sha512-OkTL9umf+He2DZkUq8f8J9of7yL6RJKI24dVITBmNfZBmri9zYZQrKkuXiKhyfPSu8tUhnVBB1iKXevvnlR4Ww==
 
-compare-versions@3.6.0:
-  version "3.6.0"
-  resolved "https://registry.yarnpkg.com/compare-versions/-/compare-versions-3.6.0.tgz#1a5689913685e5a87637b8d3ffca75514ec41d62"
-  integrity sha512-W6Af2Iw1z4CB7q4uU4hv646dW9GQuBM+YpC0UvUCWSD8w90SJjp+ujJuXaEMtAXBtSqGfMPuFOVn4/+FlaqfBA==
-
 compress-commons@^4.1.0:
   version "4.1.1"
   resolved "https://registry.yarnpkg.com/compress-commons/-/compress-commons-4.1.1.tgz#df2a09a7ed17447642bad10a85cc9a19e5c42a7d"
@@ -3951,13 +3941,6 @@ icss-utils@^5.0.0, icss-utils@^5.1.0:
   resolved "https://registry.yarnpkg.com/icss-utils/-/icss-utils-5.1.0.tgz#c6be6858abd013d768e98366ae47e25d5887b1ae"
   integrity sha512-soFhflCVWLfRNOPU3iv5Z9VUdT44xFRbzjLsEzSr5AQmgqPMTHdU3PMT1Cf1ssx8fLNJDA1juftYl+PUcv3MqA==
 
-idb-keyval@5.1.3:
-  version "5.1.3"
-  resolved "https://registry.yarnpkg.com/idb-keyval/-/idb-keyval-5.1.3.tgz#6ef5dff371897c23f144322dc6374eadd6a345d9"
-  integrity sha512-N9HbCK/FaXSRVI+k6Xq4QgWxbcZRUv+SfG1y7HJ28JdV8yEJu6k+C/YLea7npGckX2DQJeEVuMc4bKOBeU/2LQ==
-  dependencies:
-    safari-14-idb-fix "^1.0.4"
-
 ieee754@1.1.13, ieee754@^1.1.4:
   version "1.1.13"
   resolved "https://registry.yarnpkg.com/ieee754/-/ieee754-1.1.13.tgz#ec168558e95aa181fd87d37f55c32bbcb6708b84"
@@ -4039,11 +4022,6 @@ ini@^1.3.4, ini@~1.3.0:
   resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.7.tgz#a09363e1911972ea16d7a8851005d84cf09a9a84"
   integrity sha512-iKpRpXP+CrP2jyrxvg1kMUpXDyRUFDWurxbnVT1vQPx+Wz9uCYsMIqYuSBLV+PAaZG/d7kRLKRFc9oDMsH+mFQ==
 
-insert-text-at-cursor@0.3.0:
-  version "0.3.0"
-  resolved "https://registry.yarnpkg.com/insert-text-at-cursor/-/insert-text-at-cursor-0.3.0.tgz#1819607680ec1570618347c4cd475e791faa25da"
-  integrity sha512-/nPtyeX9xPUvxZf+r0518B7uqNKlP+LqNJqSiXFEaa2T71rWIwTVXGH7hB9xO/EVdwa5/pWlFCPwShOW81XIxQ==
-
 install-artifact-from-github@^1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/install-artifact-from-github/-/install-artifact-from-github-1.2.0.tgz#adcbd123c16a4337ec44ea76d0ebf253cc16b074"
@@ -5207,10 +5185,10 @@ minizlib@^2.0.0, minizlib@^2.1.1:
     minipass "^3.0.0"
     yallist "^4.0.0"
 
-misskey-js@0.0.8:
-  version "0.0.8"
-  resolved "https://registry.yarnpkg.com/misskey-js/-/misskey-js-0.0.8.tgz#b47a1ec54bff96b23cc2a6b307a3895f99a94424"
-  integrity sha512-Q1L6FaroVz8kpW7T4xQyJmJKSwjOYPbNY3TspOUWmbIBDf2JP0HVeKEFLI9dvdSL0kSkdQNz3MSVLjlHiyPqLQ==
+misskey-js@0.0.12:
+  version "0.0.12"
+  resolved "https://registry.yarnpkg.com/misskey-js/-/misskey-js-0.0.12.tgz#c8fc2fc823c69b0b7d1cb153a5a29afc33f0ff4d"
+  integrity sha512-Aq74/XskxaFN5CeCLeKPp5UP/xTFHvVnOV677G/zoSIShJRTeLsN5YnzwFpOVI2KN21JQ/ExesKDLoWlvQHtNA==
   dependencies:
     autobind-decorator "^2.4.0"
     eventemitter3 "^4.0.7"
@@ -6827,11 +6805,6 @@ s-age@1.1.2:
   resolved "https://registry.yarnpkg.com/s-age/-/s-age-1.1.2.tgz#c0cf15233ccc93f41de92ea42c36d957977d1ea2"
   integrity sha512-aSN2TlF39WLoZA/6cgYSJZhKt63kJ4EaadejPWjWY9/h4rksIqvfWY3gfd+3uAegSM1IXsA9aWeEhJtkxkFQtA==
 
-safari-14-idb-fix@^1.0.4:
-  version "1.0.4"
-  resolved "https://registry.yarnpkg.com/safari-14-idb-fix/-/safari-14-idb-fix-1.0.4.tgz#5c68ba63e2a8ae0d89a0aa1e13fe89e3aef7da19"
-  integrity sha512-4+Y2baQdgJpzu84d0QjySl70Kyygzf0pepVg8NVg4NnQEPpfC91fAn0baNvtStlCjUUxxiu0BOMiafa98fRRuA==
-
 safe-buffer@*:
   version "5.2.1"
   resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.2.1.tgz#1eaf9fa9bdb1fdd4ec75f58f9cdb4e6b7827eec6"
author	tamaina <tamaina@hotmail.co.jp>	2022-01-02 21:56:34 +0900
committer	tamaina <tamaina@hotmail.co.jp>	2022-01-02 21:56:34 +0900
commit	8804f896b06a1ab3c2bfbb79d0e286b59d72aea2 (patch)
tree	e08521bf8f4e40745d84e7e4955cb6e58c373556 /packages/backend
parent	modify comment (diff)
parent	update deps (diff)
download	misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.gz misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.bz2 misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.zip