refactor(backend): replace rndstr with secureRndstr (#11044)

* refactor(backend): replace rndstr with secureRndstr

* Update pnpm-lock.yaml

* .js
This commit is contained in:
Kagami Sascha Rosylight 2023-06-25 04:04:33 +02:00 committed by GitHub
parent 7bb8c71543
commit ef354e94f2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 57 additions and 64 deletions

View file

@ -133,7 +133,6 @@
"redis-lock": "0.1.4", "redis-lock": "0.1.4",
"reflect-metadata": "0.1.13", "reflect-metadata": "0.1.13",
"rename": "1.0.4", "rename": "1.0.4",
"rndstr": "1.0.0",
"rss-parser": "3.13.0", "rss-parser": "3.13.0",
"rxjs": "7.8.1", "rxjs": "7.8.1",
"s-age": "1.1.2", "s-age": "1.1.2",

View file

@ -1,3 +1,3 @@
import { secureRndstr } from '@/misc/secure-rndstr.js'; import { secureRndstr } from '@/misc/secure-rndstr.js';
export default () => secureRndstr(16, true); export default () => secureRndstr(16);

View file

@ -1,10 +1,9 @@
import * as crypto from 'node:crypto'; import * as crypto from 'node:crypto';
const L_CHARS = '0123456789abcdefghijklmnopqrstuvwxyz'; export const L_CHARS = '0123456789abcdefghijklmnopqrstuvwxyz';
const LU_CHARS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; const LU_CHARS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
export function secureRndstr(length = 32, useLU = true): string { export function secureRndstr(length = 32, { chars = LU_CHARS } = {}): string {
const chars = useLU ? LU_CHARS : L_CHARS;
const chars_len = chars.length; const chars_len = chars.length;
let str = ''; let str = '';

View file

@ -1,5 +1,4 @@
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import rndstr from 'rndstr';
import bcrypt from 'bcryptjs'; import bcrypt from 'bcryptjs';
import { IsNull } from 'typeorm'; import { IsNull } from 'typeorm';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
@ -16,6 +15,7 @@ import { FastifyReplyError } from '@/misc/fastify-reply-error.js';
import { bindThis } from '@/decorators.js'; import { bindThis } from '@/decorators.js';
import { SigninService } from './SigninService.js'; import { SigninService } from './SigninService.js';
import type { FastifyRequest, FastifyReply } from 'fastify'; import type { FastifyRequest, FastifyReply } from 'fastify';
import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js';
@Injectable() @Injectable()
export class SignupApiService { export class SignupApiService {
@ -142,7 +142,7 @@ export class SignupApiService {
throw new FastifyReplyError(400, 'DENIED_USERNAME'); throw new FastifyReplyError(400, 'DENIED_USERNAME');
} }
const code = rndstr('a-z0-9', 16); const code = secureRndstr(16, { chars: L_CHARS });
// Generate hash of password // Generate hash of password
const salt = await bcrypt.genSalt(8); const salt = await bcrypt.genSalt(8);

View file

@ -1,5 +1,4 @@
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import rndstr from 'rndstr';
import { Endpoint } from '@/server/api/endpoint-base.js'; import { Endpoint } from '@/server/api/endpoint-base.js';
import type { DriveFilesRepository } from '@/models/index.js'; import type { DriveFilesRepository } from '@/models/index.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';

View file

@ -1,9 +1,9 @@
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import bcrypt from 'bcryptjs'; import bcrypt from 'bcryptjs';
import rndstr from 'rndstr';
import { Endpoint } from '@/server/api/endpoint-base.js'; import { Endpoint } from '@/server/api/endpoint-base.js';
import type { UsersRepository, UserProfilesRepository } from '@/models/index.js'; import type { UsersRepository, UserProfilesRepository } from '@/models/index.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { secureRndstr } from '@/misc/secure-rndstr.js';
export const meta = { export const meta = {
tags: ['admin'], tags: ['admin'],
@ -54,7 +54,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
throw new Error('cannot reset password of root'); throw new Error('cannot reset password of root');
} }
const passwd = rndstr('a-zA-Z0-9', 8); const passwd = secureRndstr(8);
// Generate hash of password // Generate hash of password
const hash = bcrypt.hashSync(passwd); const hash = bcrypt.hashSync(passwd);

View file

@ -44,7 +44,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
) { ) {
super(meta, paramDef, async (ps, me) => { super(meta, paramDef, async (ps, me) => {
// Generate secret // Generate secret
const secret = secureRndstr(32, true); const secret = secureRndstr(32);
// for backward compatibility // for backward compatibility
const permission = unique(ps.permission.map(v => v.replace(/^(.+)(\/|-)(read|write)$/, '$3:$1'))); const permission = unique(ps.permission.map(v => v.replace(/^(.+)(\/|-)(read|write)$/, '$3:$1')));

View file

@ -55,7 +55,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
throw new ApiError(meta.errors.noSuchSession); throw new ApiError(meta.errors.noSuchSession);
} }
const accessToken = secureRndstr(32, true); const accessToken = secureRndstr(32);
// Fetch exist access token // Fetch exist access token
const exist = await this.accessTokensRepository.findOneBy({ const exist = await this.accessTokensRepository.findOneBy({

View file

@ -1,5 +1,4 @@
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import rndstr from 'rndstr';
import ms from 'ms'; import ms from 'ms';
import bcrypt from 'bcryptjs'; import bcrypt from 'bcryptjs';
import { Endpoint } from '@/server/api/endpoint-base.js'; import { Endpoint } from '@/server/api/endpoint-base.js';
@ -9,6 +8,7 @@ import { EmailService } from '@/core/EmailService.js';
import type { Config } from '@/config.js'; import type { Config } from '@/config.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { GlobalEventService } from '@/core/GlobalEventService.js'; import { GlobalEventService } from '@/core/GlobalEventService.js';
import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js';
import { ApiError } from '../../error.js'; import { ApiError } from '../../error.js';
export const meta = { export const meta = {
@ -94,7 +94,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
this.globalEventService.publishMainStream(me.id, 'meUpdated', iObj); this.globalEventService.publishMainStream(me.id, 'meUpdated', iObj);
if (ps.email != null) { if (ps.email != null) {
const code = rndstr('a-z0-9', 16); const code = secureRndstr(16, { chars: L_CHARS });
await this.userProfilesRepository.update(me.id, { await this.userProfilesRepository.update(me.id, {
emailVerifyCode: code, emailVerifyCode: code,

View file

@ -1,9 +1,9 @@
import rndstr from 'rndstr';
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
import { Endpoint } from '@/server/api/endpoint-base.js'; import { Endpoint } from '@/server/api/endpoint-base.js';
import type { RegistrationTicketsRepository } from '@/models/index.js'; import type { RegistrationTicketsRepository } from '@/models/index.js';
import { IdService } from '@/core/IdService.js'; import { IdService } from '@/core/IdService.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { secureRndstr } from '@/misc/secure-rndstr.js';
export const meta = { export const meta = {
tags: ['meta'], tags: ['meta'],
@ -42,9 +42,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
private idService: IdService, private idService: IdService,
) { ) {
super(meta, paramDef, async (ps, me) => { super(meta, paramDef, async (ps, me) => {
const code = rndstr({ const code = secureRndstr(8, {
length: 8, chars: '23456789ABCDEFGHJKLMNPQRSTUVWXYZ', // [0-9A-Z] w/o [01IO] (32 patterns)
chars: '2-9A-HJ-NP-Z', // [0-9A-Z] w/o [01IO] (32 patterns)
}); });
await this.registrationTicketsRepository.insert({ await this.registrationTicketsRepository.insert({

View file

@ -49,7 +49,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
) { ) {
super(meta, paramDef, async (ps, me) => { super(meta, paramDef, async (ps, me) => {
// Generate access token // Generate access token
const accessToken = secureRndstr(32, true); const accessToken = secureRndstr(32);
const now = new Date(); const now = new Date();

View file

@ -1,4 +1,3 @@
import rndstr from 'rndstr';
import ms from 'ms'; import ms from 'ms';
import { IsNull } from 'typeorm'; import { IsNull } from 'typeorm';
import { Inject, Injectable } from '@nestjs/common'; import { Inject, Injectable } from '@nestjs/common';
@ -8,6 +7,7 @@ import { IdService } from '@/core/IdService.js';
import type { Config } from '@/config.js'; import type { Config } from '@/config.js';
import { DI } from '@/di-symbols.js'; import { DI } from '@/di-symbols.js';
import { EmailService } from '@/core/EmailService.js'; import { EmailService } from '@/core/EmailService.js';
import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js';
export const meta = { export const meta = {
tags: ['reset password'], tags: ['reset password'],
@ -77,7 +77,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> {
return; return;
} }
const token = rndstr('a-z0-9', 64); const token = secureRndstr(64, { chars: L_CHARS });
await this.passwordResetRequestsRepository.insert({ await this.passwordResetRequestsRepository.insert({
id: this.idService.genId(), id: this.idService.genId(),

View file

@ -1,10 +1,10 @@
process.env.NODE_ENV = 'test'; process.env.NODE_ENV = 'test';
import * as assert from 'assert'; import * as assert from 'assert';
import rndstr from 'rndstr';
import { loadConfig } from '@/config.js'; import { loadConfig } from '@/config.js';
import { User, UsersRepository } from '@/models/index.js'; import { User, UsersRepository } from '@/models/index.js';
import { jobQueue } from '@/boot/common.js'; import { jobQueue } from '@/boot/common.js';
import { secureRndstr } from '@/misc/secure-rndstr.js';
import { uploadFile, signup, startServer, initTestDb, api, sleep, successfulApiCall } from '../utils.js'; import { uploadFile, signup, startServer, initTestDb, api, sleep, successfulApiCall } from '../utils.js';
import type { INestApplicationContext } from '@nestjs/common'; import type { INestApplicationContext } from '@nestjs/common';
import type * as misskey from 'misskey-js'; import type * as misskey from 'misskey-js';
@ -163,7 +163,7 @@ describe('Account Move', () => {
alsoKnownAs: [`@alice@${url.hostname}`], alsoKnownAs: [`@alice@${url.hostname}`],
}, root); }, root);
const listRoot = await api('/users/lists/create', { const listRoot = await api('/users/lists/create', {
name: rndstr('0-9a-z', 8), name: secureRndstr(8),
}, root); }, root);
await api('/users/lists/push', { await api('/users/lists/push', {
listId: listRoot.body.id, listId: listRoot.body.id,
@ -177,9 +177,9 @@ describe('Account Move', () => {
userId: eve.id, userId: eve.id,
}, alice); }, alice);
const antenna = await api('/antennas/create', { const antenna = await api('/antennas/create', {
name: rndstr('0-9a-z', 8), name: secureRndstr(8),
src: 'home', src: 'home',
keywords: [rndstr('0-9a-z', 8)], keywords: [secureRndstr(8)],
excludeKeywords: [], excludeKeywords: [],
users: [], users: [],
caseSensitive: false, caseSensitive: false,
@ -211,7 +211,7 @@ describe('Account Move', () => {
userId: dave.id, userId: dave.id,
}, eve); }, eve);
const listEve = await api('/users/lists/create', { const listEve = await api('/users/lists/create', {
name: rndstr('0-9a-z', 8), name: secureRndstr(8),
}, eve); }, eve);
await api('/users/lists/push', { await api('/users/lists/push', {
listId: listEve.body.id, listId: listEve.body.id,
@ -420,9 +420,9 @@ describe('Account Move', () => {
test('Prohibit access after moving: /antennas/update', async () => { test('Prohibit access after moving: /antennas/update', async () => {
const res = await api('/antennas/update', { const res = await api('/antennas/update', {
antennaId, antennaId,
name: rndstr('0-9a-z', 8), name: secureRndstr(8),
src: 'users', src: 'users',
keywords: [rndstr('0-9a-z', 8)], keywords: [secureRndstr(8)],
excludeKeywords: [], excludeKeywords: [],
users: [eve.id], users: [eve.id],
caseSensitive: false, caseSensitive: false,

View file

@ -4,7 +4,6 @@ import { jest } from '@jest/globals';
import { ModuleMocker } from 'jest-mock'; import { ModuleMocker } from 'jest-mock';
import { Test } from '@nestjs/testing'; import { Test } from '@nestjs/testing';
import * as lolex from '@sinonjs/fake-timers'; import * as lolex from '@sinonjs/fake-timers';
import rndstr from 'rndstr';
import { GlobalModule } from '@/GlobalModule.js'; import { GlobalModule } from '@/GlobalModule.js';
import { RoleService } from '@/core/RoleService.js'; import { RoleService } from '@/core/RoleService.js';
import type { Role, RolesRepository, RoleAssignmentsRepository, UsersRepository, User } from '@/models/index.js'; import type { Role, RolesRepository, RoleAssignmentsRepository, UsersRepository, User } from '@/models/index.js';
@ -14,6 +13,7 @@ import { genAid } from '@/misc/id/aid.js';
import { CacheService } from '@/core/CacheService.js'; import { CacheService } from '@/core/CacheService.js';
import { IdService } from '@/core/IdService.js'; import { IdService } from '@/core/IdService.js';
import { GlobalEventService } from '@/core/GlobalEventService.js'; import { GlobalEventService } from '@/core/GlobalEventService.js';
import { secureRndstr } from '@/misc/secure-rndstr.js';
import { sleep } from '../utils.js'; import { sleep } from '../utils.js';
import type { TestingModule } from '@nestjs/testing'; import type { TestingModule } from '@nestjs/testing';
import type { MockFunctionMetadata } from 'jest-mock'; import type { MockFunctionMetadata } from 'jest-mock';
@ -30,7 +30,7 @@ describe('RoleService', () => {
let clock: lolex.InstalledClock; let clock: lolex.InstalledClock;
function createUser(data: Partial<User> = {}) { function createUser(data: Partial<User> = {}) {
const un = rndstr('a-z0-9', 16); const un = secureRndstr(16);
return usersRepository.insert({ return usersRepository.insert({
id: genAid(new Date()), id: genAid(new Date()),
createdAt: new Date(), createdAt: new Date(),

View file

@ -1,7 +1,6 @@
process.env.NODE_ENV = 'test'; process.env.NODE_ENV = 'test';
import * as assert from 'assert'; import * as assert from 'assert';
import rndstr from 'rndstr';
import { Test } from '@nestjs/testing'; import { Test } from '@nestjs/testing';
import { jest } from '@jest/globals'; import { jest } from '@jest/globals';
@ -13,13 +12,14 @@ import { CoreModule } from '@/core/CoreModule.js';
import { FederatedInstanceService } from '@/core/FederatedInstanceService.js'; import { FederatedInstanceService } from '@/core/FederatedInstanceService.js';
import { LoggerService } from '@/core/LoggerService.js'; import { LoggerService } from '@/core/LoggerService.js';
import type { IActor } from '@/core/activitypub/type.js'; import type { IActor } from '@/core/activitypub/type.js';
import { MockResolver } from '../misc/mock-resolver.js';
import { Note } from '@/models/index.js'; import { Note } from '@/models/index.js';
import { secureRndstr } from '@/misc/secure-rndstr.js';
import { MockResolver } from '../misc/mock-resolver.js';
const host = 'https://host1.test'; const host = 'https://host1.test';
function createRandomActor(): IActor & { id: string } { function createRandomActor(): IActor & { id: string } {
const preferredUsername = `${rndstr('A-Z', 4)}${rndstr('a-z', 4)}`; const preferredUsername = secureRndstr(8);
const actorId = `${host}/users/${preferredUsername.toLowerCase()}`; const actorId = `${host}/users/${preferredUsername.toLowerCase()}`;
return { return {
@ -61,7 +61,7 @@ describe('ActivityPub', () => {
const post = { const post = {
'@context': 'https://www.w3.org/ns/activitystreams', '@context': 'https://www.w3.org/ns/activitystreams',
id: `${host}/users/${rndstr('0-9a-z', 8)}`, id: `${host}/users/${secureRndstr(8)}`,
type: 'Note', type: 'Note',
attributedTo: actor.id, attributedTo: actor.id,
to: 'https://www.w3.org/ns/activitystreams#Public', to: 'https://www.w3.org/ns/activitystreams#Public',
@ -94,7 +94,7 @@ describe('ActivityPub', () => {
test('Truncate long name', async () => { test('Truncate long name', async () => {
const actor = { const actor = {
...createRandomActor(), ...createRandomActor(),
name: rndstr('0-9a-z', 129), name: secureRndstr(129),
}; };
resolver._register(actor.id, actor); resolver._register(actor.id, actor);

View file

@ -314,9 +314,6 @@ importers:
rename: rename:
specifier: 1.0.4 specifier: 1.0.4
version: 1.0.4 version: 1.0.4
rndstr:
specifier: 1.0.0
version: 1.0.0
rss-parser: rss-parser:
specifier: 3.13.0 specifier: 3.13.0
version: 3.13.0 version: 3.13.0