diff options
| author | Amelia Yukii <amelia.yukii@shourai.de> | 2024-02-01 15:06:21 +0000 |
|---|---|---|
| committer | Amelia Yukii <amelia.yukii@shourai.de> | 2024-02-01 15:07:35 +0000 |
| commit | a6e257f502296495cf2c1bdc7565e9ce34848506 (patch) | |
| tree | f393fd4520c60e55a1a60149ff5a324d1454870c /packages/backend/src/queue | |
| parent | Merge branch 'Amelia-stable-patch-29368' into 'stable' (diff) | |
| download | sharkey-a6e257f502296495cf2c1bdc7565e9ce34848506.tar.gz sharkey-a6e257f502296495cf2c1bdc7565e9ce34848506.tar.bz2 sharkey-a6e257f502296495cf2c1bdc7565e9ce34848506.zip | |
Merge branch 'feture/code-injection-fix' into 'develop'
CVE: Fixed code injection from twitter import
See merge request TransFem-org/Sharkey!390
(cherry picked from commit 127f8556d409a1082f0050a7ebf57ba846263f6f)
2a8e93e4 Fixed code injection from twitter import
Diffstat (limited to 'packages/backend/src/queue')
| -rw-r--r-- | packages/backend/src/queue/processors/ImportNotesProcessorService.ts | 42 |
1 files changed, 25 insertions, 17 deletions
diff --git a/packages/backend/src/queue/processors/ImportNotesProcessorService.ts b/packages/backend/src/queue/processors/ImportNotesProcessorService.ts index 03a0e951b3..d64a861b03 100644 --- a/packages/backend/src/queue/processors/ImportNotesProcessorService.ts +++ b/packages/backend/src/queue/processors/ImportNotesProcessorService.ts @@ -130,6 +130,17 @@ export class ImportNotesProcessorService { return typeof obj[Symbol.iterator] === 'function'; } + private parseTwitterFile(str : string) : null | [{ tweet: any }] { + const removed = str.replace(new RegExp('window\\.YTD\\.tweets\\.part0 = ', 'g'), ''); + + try { + return JSON.parse(removed); + } catch (error) { + //The format is not what we expected. Either this file was tampered with or twitters exports changed + return null; + } + } + @bindThis public async process(job: Bull.Job<DbNoteImportJobData>): Promise<void> { this.logger.info(`Starting note import of ${job.data.user.id} ...`); @@ -175,23 +186,20 @@ export class ImportNotesProcessorService { try { this.logger.succ(`Unzipping to ${outputPath}`); ZipReader.withDestinationPath(outputPath).viaBuffer(await fs.promises.readFile(destPath)); - const fakeWindow: any = { - window: { - YTD: { - tweets: { - part0: {}, - }, - }, - }, - }; - const script = new vm.Script(fs.readFileSync(outputPath + '/data/tweets.js', 'utf-8')); - const context = vm.createContext(fakeWindow); - script.runInContext(context); - const tweets = Object.keys(fakeWindow.window.YTD.tweets.part0).reduce((m, key, i, obj) => { - return m.concat(fakeWindow.window.YTD.tweets.part0[key].tweet); - }, []); - const processedTweets = await this.recreateChain(['id_str'], ['in_reply_to_status_id_str'], tweets, false); - this.queueService.createImportTweetsToDbJob(job.data.user, processedTweets, null); + + const unprocessedTweetJson = this.parseTwitterFile(fs.readFileSync(outputPath + '/data/tweets.js', 'utf-8')); + + //Make sure that it isnt null (because if something went wrong in parseTwitterFile it returns null) + if (unprocessedTweetJson) { + const tweets = Object.keys(unprocessedTweetJson).reduce((m, key, i, obj) => { + return m.concat(unprocessedTweetJson[i].tweet); + }, []); + + const processedTweets = await this.recreateChain(['id_str'], ['in_reply_to_status_id_str'], tweets, false); + this.queueService.createImportTweetsToDbJob(job.data.user, processedTweets, null); + } else { + this.logger.warn('Failed to import twitter notes due to malformed file'); + } } finally { cleanup(); } |