Merge remote-tracking branch 'upstream/master'

2022-02-02 01:35:23 +09:00
parent 804ffd2e2e 1fd6c97532
commit 79bc4defdf
139 changed files with 2052 additions and 1513 deletions
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@ -122,7 +122,7 @@
 		"langmap": "0.0.16",
 		"mfm-js": "0.21.0",
 		"mime-types": "2.1.34",
-		"misskey-js": "0.0.13",
+		"misskey-js": "0.0.14",
 		"mocha": "8.4.0",
 		"ms": "3.0.0-canary.1",
 		"multer": "1.4.4",
--- a/packages/backend/src/server/api/api-handler.ts
+++ b/packages/backend/src/server/api/api-handler.ts
@ -32,7 +32,7 @@ export default (endpoint: IEndpoint, ctx: Koa.Context) => new Promise((res) => {
 	// Authentication
 	authenticate(body['i']).then(([user, app]) => {
 		// API invoking
-		call(endpoint.name, user, app, body, (ctx as any).file).then((res: any) => {
+		call(endpoint.name, user, app, body, ctx).then((res: any) => {
 			reply(res);
 		}).catch((e: ApiError) => {
 			reply(e.httpStatusCode ? e.httpStatusCode : e.kind === 'client' ? 400 : 500, e);
--- a/packages/backend/src/server/api/call.ts
+++ b/packages/backend/src/server/api/call.ts
@ -1,3 +1,4 @@
+import * as Koa from 'koa';
 import { performance } from 'perf_hooks';
 import { limiter } from './limiter';
 import { User } from '@/models/entities/user';
@ -12,7 +13,7 @@ const accessDenied = {
 	id: '56f35758-7dd5-468b-8439-5d6fb8ec9b8e',
 };

-export default async (endpoint: string, user: User | null | undefined, token: AccessToken | null | undefined, data: any, file?: any) => {
+export default async (endpoint: string, user: User | null | undefined, token: AccessToken | null | undefined, data: any, ctx?: Koa.Context) => {
 	const isSecure = user != null && token == null;

 	const ep = endpoints.find(e => e.name === endpoint);
@ -76,9 +77,20 @@ export default async (endpoint: string, user: User | null | undefined, token: Ac
 		});
 	}

+	// Cast non JSON input
+	if (ep.meta.requireFile && ep.meta.params) {
+		const body = (ctx!.request as any).body;
+		for (const k of Object.keys(ep.meta.params)) {
+			const param = ep.meta.params[k];
+			if (['Boolean', 'Number'].includes(param.validator.name) && typeof body[k] === 'string') {
+				body[k] = JSON.parse(body[k]);
+			}
+		}
+	}
+
 	// API invoking
 	const before = performance.now();
-	return await ep.exec(data, user, token, file).catch((e: Error) => {
+	return await ep.exec(data, user, token, ctx!.file).catch((e: Error) => {
 		if (e instanceof ApiError) {
 			throw e;
 		} else {
--- a/packages/backend/src/server/api/endpoints/drive/files/create.ts
+++ b/packages/backend/src/server/api/endpoints/drive/files/create.ts
@ -39,15 +39,13 @@ export const meta = {
 		},

 		isSensitive: {
-			validator: $.optional.either($.bool, $.str),
+			validator: $.optional.bool,
 			default: false,
-			transform: (v: any): boolean => v === true || v === 'true',
 		},

 		force: {
-			validator: $.optional.either($.bool, $.str),
+			validator: $.optional.bool,
 			default: false,
-			transform: (v: any): boolean => v === true || v === 'true',
 		},
 	},

--- a/packages/backend/src/server/file/index.ts
+++ b/packages/backend/src/server/file/index.ts
@ -18,7 +18,7 @@ const _dirname = dirname(_filename);
 const app = new Koa();
 app.use(cors());
 app.use(async (ctx, next) => {
-	ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`);
+	ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
 	await next();
 });

--- a/packages/backend/src/server/proxy/index.ts
+++ b/packages/backend/src/server/proxy/index.ts
@ -11,7 +11,7 @@ import { proxyMedia } from './proxy-media';
 const app = new Koa();
 app.use(cors());
 app.use(async (ctx, next) => {
-	ctx.set('Content-Security-Policy', `default-src 'none'; style-src 'unsafe-inline'`);
+	ctx.set('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
 	await next();
 });

--- a/packages/backend/yarn.lock
+++ b/packages/backend/yarn.lock
@ -4967,10 +4967,10 @@ minizlib@^2.0.0, minizlib@^2.1.1:
    minipass "^3.0.0"
    yallist "^4.0.0"

-misskey-js@0.0.13:
-  version "0.0.13"
-  resolved "https://registry.yarnpkg.com/misskey-js/-/misskey-js-0.0.13.tgz#03a4e469186e28752d599dc4093519eb64647970"
-  integrity sha512-kBdJdfe281gtykzzsrN3IAxWUQIimzPiJGyKWf863ggWJlWYVPmP9hTFlX2z8oPOaypgVBPEPHyw/jNUdc2DbQ==
+misskey-js@0.0.14:
+  version "0.0.14"
+  resolved "https://registry.yarnpkg.com/misskey-js/-/misskey-js-0.0.14.tgz#1a616bdfbe81c6ee6900219eaf425bb5c714dd4d"
+  integrity sha512-bvLx6U3OwQwqHfp/WKwIVwdvNYAAPk0+YblXyxmSG3dwlzCgBRRLcB8o6bNruUDyJgh3t73pLDcOz3myxcUmww==
  dependencies:
    autobind-decorator "^2.4.0"
    eventemitter3 "^4.0.7"