Conversation
* fix(backend): fix the federation-limited targets being mistakenly assigned to the do-not-federate targets * build: fix property typo
* feat: allow setting an initial password used only during initial server setup * also return an error when one is entered even though none is set * 🎨 * 🎨 * set the pass in cypress-devcontainer as well (because the tests fail otherwise) * [ci skip] 🎨 * ✌️ * test: please revert this commit before merge * Revert "test: please revert this commit before merge" This reverts commit 66b2b48. * Update locales/ja-JP.yml Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> * build assets * Update Changelog * fix condition * fix condition * add comment * change error code * align with the other error codes * Update CHANGELOG.md --------- Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
* fix: comment out the initial password * 🎨 * fix indent
* wip * Update MkSignin.vue * Update MkSignin.vue * wip * Update CHANGELOG.md * enhance(frontend): improve the sign-in screen * Update Changelog * incorporate the changes from 14655 * spdx * fix * fix * fix * 🎨 * 🎨 * 🎨 * 🎨 * fix the Captcha not being reset * read the next step from the signin api * Add Comments * fix * fix test * attempt to fix test * fix test * fix test * fix test * fix * fix test * fix: make some errors show up properly * Update Changelog * 🎨 * 🎨 * remove border --------- Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
* New translations ja-jp.yml (Chinese Traditional) * New translations ja-jp.yml (Korean) * New translations ja-jp.yml (Chinese Simplified) * New translations ja-jp.yml (English) * New translations ja-jp.yml (Chinese Traditional) * New translations ja-jp.yml (Korean) * New translations ja-jp.yml (Chinese Simplified) * New translations ja-jp.yml (Chinese Simplified)
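* fix(frontend): fix the captcha not being displayed on the login screen * rename
* fix: return 200 instead of an error when the signin credentials are merely incomplete * run api extractor * fix * fix * fix test * /signin -> /signin-flow * fix * fix lint * rename * fix * fix
…dev#14698) * feat(backend): include user information in the SystemWebhook sent when an abuse report is filed or resolved * match the payload format for test sends as well * add spaces * fix test
…dev#15033) * fix(backend): rendering fails due to missing prerequisite data when a user's profile page is opened directly by entering its address * fix CHANGELOG.md
…sskey-dev#15044) * fix(frontend): fix the divider sometimes missing between the server documents and the Misskey-related resources * Update Changelog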
* check harder for connectibility `allSettled` does not throw if a promise is rejected, so `check_connect` never actually failed * Update Changelog --------- Co-authored-by: dakkar <dakkar@thenautilus.net>
* Resolve frontend/backend contradiction for home visibility embeds This now uses the same check from `packages/frontend/src/scripts/get-note-menu.ts` * Update Changelog --------- Co-authored-by: CenTdemeern1 <timo.herngreen@gmail.com>
misskey-dev#15101) * fix(frontend): fix all processing stopping when login is cancelled for a note that only logged-in users can view * Update Changelog --------- Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
* limit the channel list to at most 3 columns (Otaku-Social#13) * fix * fix * fix * 🎨 * fix * 🎨 * Update Changelog * Update Changelog * remove the unneeded _margin --------- Co-authored-by: tmorio <morikapusan@morikapu-denki.com>
* fix(frontend): fix emojis sometimes not being displayed on the emoji management screen * Update Changelog * optimize
* fix(frontend): fix the serverContext type error * add comment
* enhance: show the reason a lookup failed * Update Changelog * fix * fix test * lookupErrors-> remoteLookupErrors
|
| name: randomString(), | ||
| on: ['abuseReport'], | ||
| url: WEBHOOK_HOST, | ||
| secret: randomString(), |
Check failure
Code scanning / CodeQL
Insecure randomness
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() with a cryptographically secure random number generator. In Node.js, we can use the crypto module's randomBytes function to generate secure random values. We will modify the randomString function to use crypto.randomBytes instead of Math.random().
- Import the `crypto` module in the `utils.ts` file.
- Modify the `randomString` function to use `crypto.randomBytes` to generate random values.
| @@ -8,3 +8,3 @@ | ||
| import { basename, isAbsolute } from 'node:path'; | ||
| import { randomUUID } from 'node:crypto'; | ||
| import { randomUUID, randomBytes } from 'node:crypto'; | ||
| import { inspect } from 'node:util'; | ||
| @@ -122,5 +122,6 @@ | ||
| export function randomString(chars = 'abcdefghijklmnopqrstuvwxyz0123456789', length = 16) { | ||
| const randomBytes = crypto.randomBytes(length); | ||
| let randomString = ''; | ||
| for (let i = 0; i < length; i++) { | ||
| randomString += chars[Math.floor(Math.random() * chars.length)]; | ||
| randomString += chars[randomBytes[i] % chars.length]; | ||
| } |
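Review bot: In the `@@ -122,5 +122,6 @@` hunk, `crypto.randomBytes(length)` is called through a `crypto` namespace, but the import hunk above it only adds the named binding `randomBytes` from `'node:crypto'`, so no `crypto` module object is imported in the lines shown. Suggest calling the named import directly, `const bytes = randomBytes(length);`, and indexing `bytes[i]` in the loop, which also avoids reusing the name `randomBytes` for the local.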
| name: randomString(), | ||
| on: ['userCreated'], | ||
| url: WEBHOOK_HOST, | ||
| secret: randomString(), |
Check failure
Code scanning / CodeQL
Insecure randomness
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() with a cryptographically secure random number generator. In Node.js, we can use the crypto module's randomBytes function to generate secure random values. We will update the randomString function to use crypto.randomBytes instead of Math.random().
- Update the `randomString` function in `packages/backend/test/utils.ts` to use `crypto.randomBytes`.
- Import the `crypto` module in `packages/backend/test/utils.ts`.
| @@ -121,6 +121,9 @@ | ||
|
|
||
| import { randomBytes } from 'node:crypto'; | ||
|
|
||
| export function randomString(chars = 'abcdefghijklmnopqrstuvwxyz0123456789', length = 16) { | ||
| let randomString = ''; | ||
| const bytes = randomBytes(length); | ||
| for (let i = 0; i < length; i++) { | ||
| randomString += chars[Math.floor(Math.random() * chars.length)]; | ||
| randomString += chars[bytes[i] % chars.length]; | ||
| } |
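Review bot: `chars[bytes[i] % chars.length]` in the loop is not uniform for the default 36-character alphabet: 256 is not a multiple of 36, so the first four characters (`a` to `d`) are selected by 8 byte values each and the remaining 32 by 7. If the output is meant to be uniformly distributed, skip bytes of 252 or above before taking the remainder, or draw each index with `crypto.randomInt(chars.length)`.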
| name: randomString(), | ||
| on: ['abuseReport'], | ||
| url: 'https://example.com', | ||
| secret: randomString(), |
Check failure
Code scanning / CodeQL
Insecure randomness
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() with a cryptographically secure random number generator. In Node.js, we can use the crypto module's randomBytes function to generate secure random values. We will modify the randomString function to use crypto.randomBytes instead of Math.random().
| @@ -121,6 +121,9 @@ | ||
|
|
||
| import { randomBytes } from 'crypto'; | ||
|
|
||
| export function randomString(chars = 'abcdefghijklmnopqrstuvwxyz0123456789', length = 16) { | ||
| let randomString = ''; | ||
| const bytes = randomBytes(length); | ||
| for (let i = 0; i < length; i++) { | ||
| randomString += chars[Math.floor(Math.random() * chars.length)]; | ||
| randomString += chars[bytes[i] % chars.length]; | ||
| } |
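Review bot: The added `import { randomBytes } from 'crypto';` lands at line 121, directly above `randomString`, rather than at the top of the module, and it uses the bare `'crypto'` specifier where other suggestions on this page for the same function use `'node:crypto'`. Move it into the top import group and use the `node:` prefix so the file has one import style.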
| }); | ||
|
|
||
| beforeEach(async () => { | ||
| const uid = idService.gen(); |
Check failure
Code scanning / CodeQL
Insecure randomness
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() with a cryptographically secure random number generator. In Node.js, we can use the crypto module's randomBytes function to generate secure random values. We will modify the getRandom() function in packages/backend/src/misc/id/meid.ts to use crypto.randomBytes instead of Math.random().
| @@ -5,2 +5,4 @@ | ||
|
|
||
| import { randomBytes } from 'crypto'; | ||
|
|
||
| const CHARS = '0123456789abcdef'; | ||
| @@ -23,5 +25,6 @@ | ||
| let str = ''; | ||
| const randomValues = randomBytes(12); | ||
|
|
||
| for (let i = 0; i < 12; i++) { | ||
| str += CHARS[Math.floor(Math.random() * CHARS.length)]; | ||
| str += CHARS[randomValues[i] % CHARS.length]; | ||
| } |
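Review bot: `randomBytes(12)` in the second hunk draws 12 bytes, but `randomValues[i] % CHARS.length` keeps only the low 4 bits of each because `CHARS` has 16 symbols. The result is uniform (256 is a multiple of 16), but half of the requested random bits are discarded; `randomBytes(6).toString('hex')` produces the same kind of 12-character lowercase hex string without the loop.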
| name: randomString(), | ||
| on: ['abuseReport'], | ||
| url: 'https://example.com', | ||
| secret: randomString(), |
Check failure
Code scanning / CodeQL
Insecure randomness
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() in the randomString function with a cryptographically secure random number generator. In Node.js, we can use the crypto module's randomBytes function to generate secure random values. We will update the randomString function to use crypto.randomBytes instead of Math.random().
| @@ -121,6 +121,9 @@ | ||
|
|
||
| import { randomBytes } from 'crypto'; | ||
|
|
||
| export function randomString(chars = 'abcdefghijklmnopqrstuvwxyz0123456789', length = 16) { | ||
| let randomString = ''; | ||
| const bytes = randomBytes(length); | ||
| for (let i = 0; i < length; i++) { | ||
| randomString += chars[Math.floor(Math.random() * chars.length)]; | ||
| randomString += chars[bytes[i] % chars.length]; | ||
| } |
| name: randomString(), | ||
| on: ['abuseReport'], | ||
| url: 'https://example.com', | ||
| secret: randomString(), |
Check failure
Code scanning / CodeQL
Insecure randomness
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() in the randomString function with a cryptographically secure random number generator. In Node.js, we can use the crypto module's randomBytes function to achieve this. This change will ensure that the generated random strings are not predictable.
- Modify the `randomString` function in `packages/backend/test/utils.ts` to use `crypto.randomBytes` instead of `Math.random()`.
- Import the `crypto` module in the same file.
| @@ -8,3 +8,3 @@ | ||
| import { basename, isAbsolute } from 'node:path'; | ||
| import { randomUUID } from 'node:crypto'; | ||
| import { randomUUID, randomBytes } from 'node:crypto'; | ||
| import { inspect } from 'node:util'; | ||
| @@ -122,5 +122,6 @@ | ||
| export function randomString(chars = 'abcdefghijklmnopqrstuvwxyz0123456789', length = 16) { | ||
| const randomBytes = crypto.randomBytes(length); | ||
| let randomString = ''; | ||
| for (let i = 0; i < length; i++) { | ||
| randomString += chars[Math.floor(Math.random() * chars.length)]; | ||
| randomString += chars[randomBytes[i] % chars.length]; | ||
| } |
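Review bot: `const randomBytes = crypto.randomBytes(length);` declares a local that shadows the `randomBytes` binding the first hunk adds to the `node:crypto` import, which leaves that import unused, and the call goes through `crypto`, which the lines shown never import. Rename the local (for example `bytes`) and call the imported `randomBytes(length)` directly.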
| name: randomString(), | ||
| on: ['abuseReport'], | ||
| url: 'https://example.com', | ||
| secret: randomString(), |
Check failure
Code scanning / CodeQL
Insecure randomness
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() in the randomString function with a cryptographically secure random number generator. In Node.js, we can use the crypto module's randomBytes function to achieve this. This change will ensure that the generated strings are not predictable and are suitable for use in security-sensitive contexts.
| @@ -121,6 +121,9 @@ | ||
|
|
||
| import { randomBytes } from 'node:crypto'; | ||
|
|
||
| export function randomString(chars = 'abcdefghijklmnopqrstuvwxyz0123456789', length = 16) { | ||
| let randomString = ''; | ||
| const bytes = randomBytes(length); | ||
| for (let i = 0; i < length; i++) { | ||
| randomString += chars[Math.floor(Math.random() * chars.length)]; | ||
| randomString += chars[bytes[i] % chars.length]; | ||
| } |
| name: randomString(), | ||
| on: ['mention'], | ||
| url: 'https://example.com', | ||
| secret: randomString(), |
Check failure
Code scanning / CodeQL
Insecure randomness
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() in the randomString function with a cryptographically secure random number generator. In Node.js, we can use the crypto module's randomBytes function to generate secure random values. We will modify the randomString function to use crypto.randomBytes instead of Math.random().
| @@ -121,6 +121,9 @@ | ||
|
|
||
| import { randomBytes } from 'crypto'; | ||
|
|
||
| export function randomString(chars = 'abcdefghijklmnopqrstuvwxyz0123456789', length = 16) { | ||
| let randomString = ''; | ||
| const bytes = randomBytes(length); | ||
| for (let i = 0; i < length; i++) { | ||
| randomString += chars[Math.floor(Math.random() * chars.length)]; | ||
| randomString += chars[bytes[i] % chars.length]; | ||
| } |
| const user = await usersRepository | ||
| .insert({ | ||
| id: id, | ||
| username: `user_${id}`, |
Check failure
Code scanning / CodeQL
Insecure randomness
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() with a cryptographically secure pseudo-random number generator. In Node.js, we can use the crypto module's randomBytes function to generate secure random values. We will modify the getRandom function in packages/backend/src/misc/id/meid.ts to use crypto.randomBytes instead of Math.random(). This change will ensure that the generated IDs are not predictable and are suitable for use in security-sensitive contexts.
| @@ -6,2 +6,3 @@ | ||
| const CHARS = '0123456789abcdef'; | ||
| import { randomBytes } from 'crypto'; | ||
|
|
||
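Review bot: The `import { randomBytes } from 'crypto';` line is added below the `const CHARS = ...` declaration in the `@@ -6,2 +6,3 @@` hunk. Imports are hoisted, so it still resolves, but it should sit above `CHARS` at the top of the module, where a reader looks for the file's dependencies.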
| @@ -22,2 +23,3 @@ | ||
| function getRandom() { | ||
| const bytes = randomBytes(12); | ||
| let str = ''; | ||
| @@ -25,3 +27,3 @@ | ||
| for (let i = 0; i < 12; i++) { | ||
| str += CHARS[Math.floor(Math.random() * CHARS.length)]; | ||
| str += CHARS[bytes[i] % CHARS.length]; | ||
| } |
| .insert({ | ||
| id: id, | ||
| username: `user_${id}`, | ||
| usernameLower: `user_${id}`.toLowerCase(), |
Check failure
Code scanning / CodeQL
Insecure randomness
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI over 1 year ago
To fix the problem, we need to replace the use of Math.random() with a cryptographically secure random number generator. In Node.js, we can use the crypto module's randomBytes function to generate secure random values. This change will ensure that the generated IDs are not predictable.
- Replace the `getRandom` function in `packages/backend/src/misc/id/meid.ts` to use `crypto.randomBytes` instead of `Math.random()`.
- Update the import statements to include the `crypto` module.
| @@ -21,7 +21,10 @@ | ||
|
|
||
| import { randomBytes } from 'crypto'; | ||
|
|
||
| function getRandom() { | ||
| let str = ''; | ||
| const bytes = randomBytes(12); | ||
|
|
||
| for (let i = 0; i < 12; i++) { | ||
| str += CHARS[Math.floor(Math.random() * CHARS.length)]; | ||
| str += CHARS[bytes[i] % CHARS.length]; | ||
| } |
|
replaced to #946 |
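
The Autofix suggestions above map each random byte to a character with `bytes[i] % chars.length`. The following added example (not code from this PR or from the project; `moduloCounts`, `moduloRandomString` and `unbiasedRandomString` are illustrative names) counts how the 256 byte values fall across an alphabet and shows a rejection-sampling variant that keeps the 36-symbol case uniform.

```javascript
// Added example, not part of the PR. All function names are illustrative.
const { randomBytes } = require('node:crypto');

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// Exact number of byte values (0..255) that land on each index under `byte % n`.
function moduloCounts(n) {
  const counts = new Array(n).fill(0);
  for (let b = 0; b < 256; b++) counts[b % n]++;
  return counts;
}

// Same mapping as the suggested fix, kept for comparison.
function moduloRandomString(chars = ALPHABET, length = 16, source = randomBytes) {
  const bytes = source(length);
  let out = '';
  for (let i = 0; i < length; i++) out += chars[bytes[i] % chars.length];
  return out;
}

// Rejection sampling: skip bytes at or above the largest multiple of
// chars.length that fits in 256, so every index is reachable from the
// same number of accepted byte values.
function unbiasedRandomString(chars = ALPHABET, length = 16, source = randomBytes) {
  if (chars.length < 1 || chars.length > 256) {
    throw new RangeError('alphabet must have between 1 and 256 symbols');
  }
  const limit = 256 - (256 % chars.length); // 252 for 36 symbols, 256 for 16
  let out = '';
  while (out.length < length) {
    // Ask for a few spare bytes; rejected ones are simply skipped.
    for (const b of source(length - out.length + 8)) {
      if (b < limit && out.length < length) out += chars[b % chars.length];
    }
  }
  return out;
}
```

Passing a fixed `source` makes both mappings deterministic for testing. Node's built-in `crypto.randomInt(max)` gives a uniform index per call if a per-character call is acceptable.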




What
Why
Additional info (optional)
Checklist