From 0f3f42eb395300399b1e60f511ba596a2461ac39 Mon Sep 17 00:00:00 2001
From: Johann150
Date: Wed, 7 Dec 2022 18:03:29 +0100
Subject: [PATCH] remove rndstr dependency

This dependency was unused in the client. The use of it in the server can be replaced entirely by the secureRndstr function, with some slight modifications. That function could probably be refactored a bit more as well.
---
 packages/backend/package.json | 1 -
 packages/backend/src/misc/secure-rndstr.ts | 8 ++++--
 .../src/server/api/common/inject-featured.ts | 4 +-
 .../server/api/endpoints/admin/emoji/add.ts | 3 +-
 .../src/server/api/endpoints/admin/invite.ts | 8 +++---
 .../api/endpoints/admin/reset-password.ts | 4 +-
 .../server/api/endpoints/i/update-email.ts | 4 +-
 .../api/endpoints/request-reset-password.ts | 4 +-
 .../backend/src/server/api/private/signup.ts | 4 +-
 packages/client/package.json | 1 -
 yarn.lock | 26 -------------------
 11 files changed, 20 insertions(+), 47 deletions(-)

diff --git a/packages/backend/package.json b/packages/backend/package.json
index 4dd134b32..6fa587750 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -91,7 +91,6 @@
 "reflect-metadata": "0.1.13",
 "rename": "1.0.4",
 "require-all": "3.0.0",
- "rndstr": "1.0.0",
 "rss-parser": "3.12.0",
 "sanitize-html": "2.7.0",
 "semver": "7.3.7",
diff --git a/packages/backend/src/misc/secure-rndstr.ts b/packages/backend/src/misc/secure-rndstr.ts
index 8d4fcb1ba..1da3c53ef 100644
--- a/packages/backend/src/misc/secure-rndstr.ts
+++ b/packages/backend/src/misc/secure-rndstr.ts
@@ -3,8 +3,7 @@ import * as crypto from 'node:crypto';
 const L_CHARS = '0123456789abcdefghijklmnopqrstuvwxyz';
 const LU_CHARS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
-export function secureRndstr(length = 32, useLU = true): string {
- const chars = useLU ? LU_CHARS : L_CHARS;
+export function secureRndstrCustom(length = 32, chars: string): string {
 const chars_len = chars.length;
 let str = '';
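Review bot: `secureRndstrCustom(length = 32, chars: string)` puts a defaulted parameter in front of a required one, so the default is only reachable by passing `undefined` explicitly; both callers in this commit pass the length, so `export function secureRndstrCustom(length: number, chars: string): string {` is the honest signature. Nothing rejects an empty alphabet either: whatever the loop below does with a `chars_len` of 0, it cannot yield a character from an empty string, and `if (chars.length === 0) throw new RangeError('chars must not be empty');` right after the signature turns that into a loud failure instead of a silent one. The sampling loop is outside the hunk; if it still maps one random byte onto `chars_len` by scaling and clamping, the output is not uniform over the alphabet, which matters now that this function backs invite codes, verification codes and reset tokens — `crypto.randomInt(chars_len)` from the `node:crypto` import already at the top of the file gives an unbiased index and reduces the loop body to `str += chars.charAt(crypto.randomInt(chars_len));`. The function body continues past the end of the hunk.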
@@ -19,3 +18,8 @@ export function secureRndstr(length = 32, useLU = true): string {
 return str;
 }
+
+export function secureRndstr(length = 32, useLU = true): string {
+ const chars = useLU ? LU_CHARS : L_CHARS;
+ return secureRndstrCustom(length, chars);
+}
diff --git a/packages/backend/src/server/api/common/inject-featured.ts b/packages/backend/src/server/api/common/inject-featured.ts
index f79c57cbf..13bf156c1 100644
--- a/packages/backend/src/server/api/common/inject-featured.ts
+++ b/packages/backend/src/server/api/common/inject-featured.ts
@@ -1,7 +1,7 @@
-import rndstr from 'rndstr';
 import { DAY } from '@/const.js';
 import { Note } from '@/models/entities/note.js';
 import { User } from '@/models/entities/user.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { Notes, UserProfiles, NoteReactions } from '@/models/index.js';
 import { generateMutedUserQuery } from './generate-muted-user-query.js';
 import { generateBlockedUserQuery } from './generate-block-query.js';
@@ -50,7 +50,7 @@ export async function injectFeatured(timeline: Note[], user?: User | null) {
 // Pick random one
 const featured = notes[Math.floor(Math.random() * notes.length)];
- (featured as any)._featuredId_ = rndstr('a-z0-9', 8);
+ (featured as any)._featuredId_ = secureRndstr(8);
 // Inject featured
 timeline.splice(3, 0, featured);
diff --git a/packages/backend/src/server/api/endpoints/admin/emoji/add.ts b/packages/backend/src/server/api/endpoints/admin/emoji/add.ts
index ad5b9896c..a4871da27 100644
--- a/packages/backend/src/server/api/endpoints/admin/emoji/add.ts
+++ b/packages/backend/src/server/api/endpoints/admin/emoji/add.ts
@@ -1,4 +1,3 @@
-import rndstr from 'rndstr';
 import { publishBroadcastStream } from '@/services/stream.js';
 import { db } from '@/db/postgre.js';
 import { Emojis, DriveFiles } from '@/models/index.js';
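Review bot: Neither exported function in this file carries TSDoc, and the new `secureRndstr` wrapper is the one every endpoint in this commit calls, so its contract should be stated where callers hover over it. A docstring such as `/** Random string of the given length drawn from [0-9a-z], or from [0-9a-zA-Z] when useLU is true (randomness via the node:crypto import at the top of the file). */` above the added `export function secureRndstr` line covers exactly what the two hunks show, with a matching `@param chars` note on `secureRndstrCustom` stating that the alphabet must be non-empty and that every output character is taken from it.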
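Review bot: `secureRndstr(8)` leaves `useLU` at its default of `true`, so `_featuredId_` now draws from [0-9a-zA-Z] where `rndstr('a-z0-9', 8)` was lowercase-only; the same widening happens in i/update-email.ts (`secureRndstr(16)`), request-reset-password.ts (`secureRndstr(64)`) and private/signup.ts (`secureRndstr(16)`), while admin/reset-password.ts already used a mixed-case alphabet and is unaffected. For this marker id it is harmless, but the email verification code and the password-reset token reach users by email and are presumably compared or validated elsewhere; if any consumer lowercases them or checks them against [a-z0-9], `secureRndstr(16, false)` and `secureRndstr(64, false)` keep the old alphabet. Where mixed case is acceptable the change is a small entropy gain per character (log2 62 instead of log2 36 bits), which is worth a line in the commit message. injectFeatured's body starts above the hunk.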
@@ -30,7 +29,7 @@ export default define(meta, paramDef, async (ps, me) => {
 if (file == null) throw new ApiError('NO_SUCH_FILE');
- const name = file.name.split('.')[0].match(/^[a-z0-9_]+$/) ? file.name.split('.')[0] : `_${rndstr('a-z0-9', 8)}_`;
+ const name = file.name.split('.')[0].match(/^[a-z0-9_]+$/) ? file.name.split('.')[0] : `_${genId()}_`;
 const emoji = await Emojis.insert({
 id: genId(),
diff --git a/packages/backend/src/server/api/endpoints/admin/invite.ts b/packages/backend/src/server/api/endpoints/admin/invite.ts
index a7b2dac4d..38ec85e51 100644
--- a/packages/backend/src/server/api/endpoints/admin/invite.ts
+++ b/packages/backend/src/server/api/endpoints/admin/invite.ts
@@ -1,6 +1,6 @@
-import rndstr from 'rndstr';
 import { RegistrationTickets } from '@/models/index.js';
 import { genId } from '@/misc/gen-id.js';
+import { secureRndstrCustom } from '@/misc/secure-rndstr.js';
 import define from '../../define.js';
 export const meta = {
@@ -32,10 +32,8 @@ export const paramDef = {
 // eslint-disable-next-line import/no-default-export
 export default define(meta, paramDef, async () => {
- const code = rndstr({
- length: 8,
- chars: '2-9A-HJ-NP-Z', // [0-9A-Z] w/o [01IO] (32 patterns)
- });
+ // omit visually ambiguous zero and letter O as well as one and letter I
+ const code = secureRndstrCustom(8, '23456789ABCDEFGHJKLMNPQRSTUVWXYZ');
 await RegistrationTickets.insert({
 id: genId(),
diff --git a/packages/backend/src/server/api/endpoints/admin/reset-password.ts b/packages/backend/src/server/api/endpoints/admin/reset-password.ts
index d0a98ff5b..97d6f51d4 100644
--- a/packages/backend/src/server/api/endpoints/admin/reset-password.ts
+++ b/packages/backend/src/server/api/endpoints/admin/reset-password.ts
@@ -1,5 +1,5 @@
 import bcrypt from 'bcryptjs';
-import rndstr from 'rndstr';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { Users, UserProfiles } from '@/models/index.js';
 import define from '../../define.js';
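Review bot: The fallback emoji name is now `_${genId()}_`, while the regex on the same line, `/^[a-z0-9_]+$/`, is what this branch treats as a valid name; unless genId is guaranteed to emit only [a-z0-9] (worth confirming in gen-id.ts, which is not in the diff), the fallback can produce a name the check was written to avoid, and `secureRndstr(8, false)` would keep the old random lowercase form. Independently, `file.name.split('.')[0]` is evaluated twice on the changed line, and under noUncheckedIndexedAccess it is `string | undefined`; hoisting it gives one place to handle that: `const base = file.name.split('.')[0] ?? '';` followed by `const name = /^[a-z0-9_]+$/.test(base) ? base : `_${genId()}_`;`. The handler continues outside the hunk.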
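Review bot: The literal `'23456789ABCDEFGHJKLMNPQRSTUVWXYZ'` is now the only definition of the invite-code format, and the removed comment's size annotation `(32 patterns)` went with it, so a reader has to count characters to learn that an 8-character code carries 40 bits. Hoisting it to a module constant with the count restores that at a glance: `// [0-9A-Z] without the visually ambiguous 0/O and 1/I: 32 symbols, 8 chars = 40 bits` above `const INVITE_CODE_CHARS = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';`, and `const code = secureRndstrCustom(8, INVITE_CODE_CHARS);` in the handler. Whether 40 bits is adequate depends on how registration tickets are rate-limited and expired, which lies outside this hunk.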
@@ -43,7 +43,7 @@ export default define(meta, paramDef, async (ps) => {
 throw new Error('cannot reset password of admin');
 }
- const passwd = rndstr('a-zA-Z0-9', 8);
+ const passwd = secureRndstr(8, true);
 // Generate hash of password
 const hash = bcrypt.hashSync(passwd);
diff --git a/packages/backend/src/server/api/endpoints/i/update-email.ts b/packages/backend/src/server/api/endpoints/i/update-email.ts
index cb3d6356a..057ad5cf3 100644
--- a/packages/backend/src/server/api/endpoints/i/update-email.ts
+++ b/packages/backend/src/server/api/endpoints/i/update-email.ts
@@ -1,7 +1,7 @@
-import rndstr from 'rndstr';
 import bcrypt from 'bcryptjs';
 import { publishMainStream } from '@/services/stream.js';
 import config from '@/config/index.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { Users, UserProfiles } from '@/models/index.js';
 import { sendEmail } from '@/services/send-email.js';
 import { validateEmailForAccount } from '@/services/validate-email-for-account.js';
@@ -62,7 +62,7 @@ export default define(meta, paramDef, async (ps, user) => {
 publishMainStream(user.id, 'meUpdated', iObj);
 if (ps.email != null) {
- const code = rndstr('a-z0-9', 16);
+ const code = secureRndstr(16);
 await UserProfiles.update(user.id, {
 emailVerifyCode: code,
diff --git a/packages/backend/src/server/api/endpoints/request-reset-password.ts b/packages/backend/src/server/api/endpoints/request-reset-password.ts
index 4ca4703e9..e97d9c4b2 100644
--- a/packages/backend/src/server/api/endpoints/request-reset-password.ts
+++ b/packages/backend/src/server/api/endpoints/request-reset-password.ts
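Review bot: `secureRndstr(8, true)` spells out the default value of `useLU` while every other call site in this commit relies on the default, so either `secureRndstr(8)` for consistency or, if the `true` is meant to document that the temporary password is mixed-case, a comment such as `// temporary password: 8 chars from [0-9a-zA-Z], user must change it` says that more clearly than the bare boolean. The context line `bcrypt.hashSync(passwd)` blocks the event loop, whereas signup.ts in this same commit uses the async `bcrypt.genSalt` API; that is pre-existing and not part of this change, but a follow-up could align them. The handler continues outside the hunk.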
@@ -1,9 +1,9 @@
-import rndstr from 'rndstr';
 import { IsNull } from 'typeorm';
 import config from '@/config/index.js';
 import { Users, UserProfiles, PasswordResetRequests } from '@/models/index.js';
 import { sendEmail } from '@/services/send-email.js';
 import { genId } from '@/misc/gen-id.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { DAY } from '@/const.js';
 import define from '../define.js';
@@ -53,7 +53,7 @@ export default define(meta, paramDef, async (ps) => {
 return;
 }
- const token = rndstr('a-z0-9', 64);
+ const token = secureRndstr(64);
 await PasswordResetRequests.insert({
 id: genId(),
diff --git a/packages/backend/src/server/api/private/signup.ts b/packages/backend/src/server/api/private/signup.ts
index bb2a11437..e20fb9abb 100644
--- a/packages/backend/src/server/api/private/signup.ts
+++ b/packages/backend/src/server/api/private/signup.ts
@@ -1,11 +1,11 @@
 import Koa from 'koa';
-import rndstr from 'rndstr';
 import bcrypt from 'bcryptjs';
 import { fetchMeta } from '@/misc/fetch-meta.js';
 import { verifyHcaptcha, verifyRecaptcha } from '@/misc/captcha.js';
 import { Users, RegistrationTickets, UserPendings } from '@/models/index.js';
 import config from '@/config/index.js';
 import { sendEmail } from '@/services/send-email.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { genId } from '@/misc/gen-id.js';
 import { validateEmailForAccount } from '@/services/validate-email-for-account.js';
 import { signup } from '../common/signup.js';
@@ -69,7 +69,7 @@ export default async (ctx: Koa.Context) => {
 }
 if (instance.emailRequiredForSignup) {
- const code = rndstr('a-z0-9', 16);
+ const code = secureRndstr(16);
 // Generate hash of password
 const salt = await bcrypt.genSalt(8);
diff --git a/packages/client/package.json b/packages/client/package.json
index bc904ffbe..c83497529 100644
--- a/packages/client/package.json
+++ b/packages/client/package.json
@@ -50,7 +50,6 @@
 "punycode": "2.1.1",
 "qrcode": "1.5.1",
 "reflect-metadata": "0.1.13",
- "rndstr": "1.0.0",
 "rollup": "2.75.7",
 "sass": "1.53.0",
 "seedrandom": "3.0.5",
diff --git a/yarn.lock b/yarn.lock
index 7ddb9e66b..1819dee80 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3750,7 +3750,6 @@ __metadata:
 reflect-metadata: 0.1.13
 rename: 1.0.4
 require-all: 3.0.0
- rndstr: 1.0.0
 rss-parser: 3.12.0
 sanitize-html: 2.7.0
 semver: 7.3.7
@@ -4735,7 +4734,6 @@ __metadata:
 punycode: 2.1.1
 qrcode: 1.5.1
 reflect-metadata: 0.1.13
- rndstr: 1.0.0
 rollup: 2.75.7
 sass: 1.53.0
 seedrandom: 3.0.5
@@ -14292,13 +14290,6 @@ __metadata:
 languageName: node
 linkType: hard
-"rangestr@npm:0.0.1":
- version: 0.0.1
- resolution: "rangestr@npm:0.0.1"
- checksum: d7e3233f43a196a513f0f6c6a8a0a46b3c0e5fff97ad4d0c45031ea7494a3785d5db36d36231609b416acddaf5fe464e2c74fcc7a8f4032af83e05af23c33700
- languageName: node
- linkType: hard
-
 "ratelimiter@npm:3.4.1":
 version: 3.4.1
 resolution: "ratelimiter@npm:3.4.1"
@@ -14954,16 +14945,6 @@ __metadata:
 languageName: node
 linkType: hard
-"rndstr@npm:1.0.0":
- version: 1.0.0
- resolution: "rndstr@npm:1.0.0"
- dependencies:
- rangestr: 0.0.1
- seedrandom: 2.4.2
- checksum: 4eb485a72bbcdfdd8017888122eaa2fe391d92f5a426558ae523f485d7d0fee8a0122ed513955225aab9a034d6eb694d8fb034c612de0bfadf5f4734d592789d
- languageName: node
- linkType: hard
-
 "rollup@npm:2.75.7":
 version: 2.75.7
 resolution: "rollup@npm:2.75.7"
@@ -15150,13 +15131,6 @@ __metadata:
 languageName: node
 linkType: hard
-"seedrandom@npm:2.4.2":
- version: 2.4.2
- resolution: "seedrandom@npm:2.4.2"
- checksum: 09b4a2883e667601338964f86c000839f64ca8f811c41b4b425a03eabc5c4d243e09b5d15c29c3441cd61a384a316b02d341dbfaf3b0097b5973aa12544f9435
- languageName: node
- linkType: hard
-
 "seedrandom@npm:3.0.5":
 version: 3.0.5
 resolution: "seedrandom@npm:3.0.5"