specter/CyTube
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Fix a couple issues discussed on IRC

Browse source
This commit is contained in:
Calvin Montgomery 2023-01-11 17:57:02 -08:00
parent fad1da7ab4
commit c78ef333da
4 changed files with 43 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
integration_test/channel/kickban.js
View file

@ -110,6 +110,25 @@ describe('KickbanModule', () => {
); );
}); });
it('rejects if the username is invalid', done => {
mockUser.socket.emit = (frame, obj) => {
if (frame === 'errorMsg') {
assert.strictEqual(
obj.msg,
'Invalid username'
);
done();
}
};
kickban.handleCmdBan(
mockUser,
'/ban test_user<>%$# because reasons',
{}
);
});
it('rejects if the user does not have ban permission', done => { it('rejects if the user does not have ban permission', done => {
mockUser.socket.emit = (frame, obj) => { mockUser.socket.emit = (frame, obj) => {
if (frame === 'errorMsg') { if (frame === 'errorMsg') {

2
package.json
View file

@ -2,7 +2,7 @@
"author": "Calvin Montgomery", "author": "Calvin Montgomery",
"name": "CyTube", "name": "CyTube",
"description": "Online media synchronizer and chat", "description": "Online media synchronizer and chat",
"version": "3.84.0", "version": "3.85.0",
"repository": { "repository": {
"url": "http://github.com/calzoneman/sync" "url": "http://github.com/calzoneman/sync"
}, },

15
player/custom-embed.coffee
View file

@ -15,8 +15,19 @@ window.CustomEmbedPlayer = class CustomEmbedPlayer extends EmbedPlayer
return return
embedSrc = data.meta.embed.src embedSrc = data.meta.embed.src
link = "<a href=\"#{embedSrc}\" target=\"_blank\"><strong>#{embedSrc}</strong></a>"
alert = makeAlert('Untrusted Content', CUSTOM_EMBED_WARNING.replace('%link%', link), link = document.createElement('a')
link.href = embedSrc
link.target = '_blank'
link.rel = 'noopener noreferer'
strong = document.createElement('strong')
strong.textContent = embedSrc
link.appendChild(strong)
# TODO: Ideally makeAlert() would allow optionally providing a DOM
# element instead of requiring HTML text
alert = makeAlert('Untrusted Content', CUSTOM_EMBED_WARNING.replace('%link%', link.outerHTML),
'alert-warning') 'alert-warning')
.removeClass('col-md-12') .removeClass('col-md-12')
$('<button/>').addClass('btn btn-default') $('<button/>').addClass('btn btn-default')

12
src/channel/kickban.js
View file

@ -4,6 +4,7 @@ var Flags = require("../flags");
var util = require("../utilities"); var util = require("../utilities");
var Account = require("../account"); var Account = require("../account");
import Promise from 'bluebird'; import Promise from 'bluebird';
const XSS = require("../xss");
const dbIsNameBanned = Promise.promisify(db.channels.isNameBanned); const dbIsNameBanned = Promise.promisify(db.channels.isNameBanned);
const dbIsIPBanned = Promise.promisify(db.channels.isIPBanned); const dbIsIPBanned = Promise.promisify(db.channels.isIPBanned);
@ -261,7 +262,6 @@ KickBanModule.prototype.handleCmdIPBan = function (user, msg, _meta) {
chan.refCounter.ref("KickBanModule::handleCmdIPBan"); chan.refCounter.ref("KickBanModule::handleCmdIPBan");
this.banAll(user, name, range, reason).catch(error => { this.banAll(user, name, range, reason).catch(error => {
//console.log('!!!', error.stack);
const message = error.message || error; const message = error.message || error;
user.socket.emit("errorMsg", { msg: message }); user.socket.emit("errorMsg", { msg: message });
}).then(() => { }).then(() => {
@ -276,6 +276,10 @@ KickBanModule.prototype.checkChannelAlive = function checkChannelAlive() {
}; };
KickBanModule.prototype.banName = async function banName(actor, name, reason) { KickBanModule.prototype.banName = async function banName(actor, name, reason) {
if (!util.isValidUserName(name)) {
throw new Error("Invalid username");
}
reason = reason.substring(0, 255); reason = reason.substring(0, 255);
var chan = this.channel; var chan = this.channel;
@ -323,6 +327,9 @@ KickBanModule.prototype.banName = async function banName(actor, name, reason) {
}; };
KickBanModule.prototype.banIP = async function banIP(actor, ip, name, reason) { KickBanModule.prototype.banIP = async function banIP(actor, ip, name, reason) {
if (!util.isValidUserName(name)) {
throw new Error("Invalid username");
}
reason = reason.substring(0, 255); reason = reason.substring(0, 255);
var masked = util.cloakIP(ip); var masked = util.cloakIP(ip);
@ -445,8 +452,9 @@ KickBanModule.prototype.handleUnban = function (user, data) {
self.channel.logger.log("[mod] " + user.getName() + " unbanned " + data.name); self.channel.logger.log("[mod] " + user.getName() + " unbanned " + data.name);
if (self.channel.modules.chat) { if (self.channel.modules.chat) {
var banperm = self.channel.modules.permissions.permissions.ban; var banperm = self.channel.modules.permissions.permissions.ban;
// TODO: quick fix, shouldn't trust name from unban frame.
self.channel.modules.chat.sendModMessage( self.channel.modules.chat.sendModMessage(
user.getName() + " unbanned " + data.name, user.getName() + " unbanned " + XSS.sanitizeText(data.name),
banperm banperm
); );
} }