From 91910002c8c3b5e9d05d4fc774f59d8b566a09c2 Mon Sep 17 00:00:00 2001 From: Esurio/1673beta <60435625+1673beta@users.noreply.github.com> Date: Fri, 5 Jul 2024 13:12:54 +0900 Subject: [PATCH 1/3] Nyan (#68) * fix: nyan * fix: nyan --------- Co-authored-by: Esurio --- packages/backend/package.json | 1 + packages/backend/src/misc/sql-like-escape.ts | 2 +- .../src/server/oauth/OAuth2ProviderService.ts | 6 ++ pnpm-lock.yaml | 99 +++++++++++-------- 4 files changed, 66 insertions(+), 42 deletions(-) diff --git a/packages/backend/package.json b/packages/backend/package.json index b2018fa7a3..dc823a9f5a 100644 --- a/packages/backend/package.json +++ b/packages/backend/package.json @@ -79,6 +79,7 @@ "@fastify/express": "3.0.0", "@fastify/http-proxy": "9.5.0", "@fastify/multipart": "8.2.0", + "@fastify/rate-limit": "^9.1.0", "@fastify/static": "7.0.3", "@fastify/view": "9.1.0", "@google-cloud/logging": "^10.5.0", diff --git a/packages/backend/src/misc/sql-like-escape.ts b/packages/backend/src/misc/sql-like-escape.ts index 0c05255674..ffe61670ee 100644 --- a/packages/backend/src/misc/sql-like-escape.ts +++ b/packages/backend/src/misc/sql-like-escape.ts @@ -4,5 +4,5 @@ */ export function sqlLikeEscape(s: string) { - return s.replace(/([%_])/g, '\\$1'); + return s.replace(/([%_\\])/g, '\\$1'); } diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts index fdad6e452b..3885c5845e 100644 --- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts +++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts @@ -13,6 +13,7 @@ import oauth2orize, { type OAuth2, AuthorizationError, ValidateFunctionArity2, O import oauth2Pkce from 'oauth2orize-pkce'; import fastifyCors from '@fastify/cors'; import fastifyView from '@fastify/view'; +import rateLimit from '@fastify/rate-limit'; import pug from 'pug'; import bodyParser from 'body-parser'; import fastifyExpress from '@fastify/express'; @@ -393,6 +394,11 @@ export class OAuth2ProviderService { }, }); + fastify.register(rateLimit, { + max: 100, + timeWindow: '1 hour' + }); + await fastify.register(fastifyExpress); fastify.use('/authorize', this.#server.authorize(((areq, done) => { (async (): Promise> => { diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 766852f415..de933f42f9 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -113,6 +113,9 @@ importers: '@fastify/multipart': specifier: 8.2.0 version: 8.2.0 + '@fastify/rate-limit': + specifier: ^9.1.0 + version: 9.1.0 '@fastify/static': specifier: 7.0.3 version: 7.0.3 @@ -2702,6 +2705,9 @@ packages: '@fastify/multipart@8.2.0': resolution: {integrity: sha512-OZ8nsyyoS2TV7Yeu3ZdrdDGsKUTAbfjrKC9jSxGgT2qdgek+BxpWX31ZubTrWMNZyU5xwk4ox6AvTjAbYWjrWg==} + '@fastify/rate-limit@9.1.0': + resolution: {integrity: sha512-h5dZWCkuZXN0PxwqaFQLxeln8/LNwQwH9popywmDCFdKfgpi4b/HoMH1lluy6P+30CG9yzzpSpwTCIPNB9T1JA==} + '@fastify/reply-from@9.8.0': resolution: {integrity: sha512-bPNVaFhEeNI0Lyl6404YZaPFokudCplidE3QoOcr78yOy6H9sYw97p5KPYvY/NJNUHfFtvxOaSAHnK+YSiv/Mg==} @@ -11578,6 +11584,9 @@ packages: vue-component-type-helpers@2.0.22: resolution: {integrity: sha512-gPr2Ba7efUwy/Vfbuf735bHSVdN4ycoZUCHfypkI33M9DUH+ieRblLLVM2eImccFYaWNWwEzURx02EgoXDBmaQ==} + vue-component-type-helpers@2.0.26: + resolution: {integrity: sha512-sO9qQ8oC520SW6kqlls0iqDak53gsTVSrYylajgjmkt1c0vcgjsGSy1KzlDrbEx8pm02IEYhlUkU5hCYf8rwtg==} + vue-demi@0.14.8: resolution: {integrity: sha512-Uuqnk9YE9SsWeReYqK2alDI5YzciATE0r2SkA6iMAtuXvNTMNACJLJEXNXaEy94ECuBe4Sk6RzRU80kjdbIo1Q==} engines: {node: '>=12'} @@ -12375,7 +12384,7 @@ snapshots: '@babel/traverse': 7.24.7 '@babel/types': 7.24.7 convert-source-map: 2.0.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) gensync: 1.0.0-beta.2 json5: 2.2.3 semver: 6.3.1 @@ -12435,7 +12444,7 @@ snapshots: '@babel/core': 7.24.7 '@babel/helper-compilation-targets': 7.24.7 '@babel/helper-plugin-utils': 7.24.7 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) lodash.debounce: 4.0.8 resolve: 1.22.8 transitivePeerDependencies: @@ -13179,7 +13188,7 @@ snapshots: '@babel/helper-split-export-declaration': 7.24.7 '@babel/parser': 7.24.7 '@babel/types': 7.24.7 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) globals: 11.12.0 transitivePeerDependencies: - supports-color @@ -13563,7 +13572,7 @@ snapshots: '@eslint/eslintrc@2.1.4': dependencies: ajv: 6.12.6 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) espree: 9.6.1 globals: 13.24.0 ignore: 5.3.1 @@ -13643,6 +13652,12 @@ snapshots: secure-json-parse: 2.7.0 stream-wormhole: 1.1.0 + '@fastify/rate-limit@9.1.0': + dependencies: + '@lukeed/ms': 2.0.2 + fastify-plugin: 4.5.1 + toad-cache: 3.7.0 + '@fastify/reply-from@9.8.0': dependencies: '@fastify/error': 3.4.1 @@ -13787,7 +13802,7 @@ snapshots: '@humanwhocodes/config-array@0.11.14': dependencies: '@humanwhocodes/object-schema': 2.0.3 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) minimatch: 3.1.2 transitivePeerDependencies: - supports-color @@ -14437,7 +14452,7 @@ snapshots: '@opensearch-project/opensearch@2.10.0': dependencies: aws4: 1.13.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) hpagent: 1.2.0 json11: 1.1.2 ms: 2.1.3 @@ -15992,7 +16007,7 @@ snapshots: ts-dedent: 2.2.0 type-fest: 2.19.0 vue: 3.4.26(typescript@5.4.5) - vue-component-type-helpers: 2.0.22 + vue-component-type-helpers: 2.0.26 transitivePeerDependencies: - encoding - supports-color @@ -16731,7 +16746,7 @@ snapshots: '@typescript-eslint/type-utils': 6.11.0(eslint@8.53.0)(typescript@5.3.3) '@typescript-eslint/utils': 6.11.0(eslint@8.53.0)(typescript@5.3.3) '@typescript-eslint/visitor-keys': 6.11.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.53.0 graphemer: 1.4.0 ignore: 5.3.1 @@ -16751,7 +16766,7 @@ snapshots: '@typescript-eslint/type-utils': 7.1.0(eslint@8.57.0)(typescript@5.3.3) '@typescript-eslint/utils': 7.1.0(eslint@8.57.0)(typescript@5.3.3) '@typescript-eslint/visitor-keys': 7.1.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.57.0 graphemer: 1.4.0 ignore: 5.3.1 @@ -16771,7 +16786,7 @@ snapshots: '@typescript-eslint/type-utils': 7.7.1(eslint@8.57.0)(typescript@5.4.5) '@typescript-eslint/utils': 7.7.1(eslint@8.57.0)(typescript@5.4.5) '@typescript-eslint/visitor-keys': 7.7.1 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.57.0 graphemer: 1.4.0 ignore: 5.3.1 @@ -16789,7 +16804,7 @@ snapshots: '@typescript-eslint/types': 6.11.0 '@typescript-eslint/typescript-estree': 6.11.0(typescript@5.3.3) '@typescript-eslint/visitor-keys': 6.11.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.53.0 optionalDependencies: typescript: 5.3.3 @@ -16802,7 +16817,7 @@ snapshots: '@typescript-eslint/types': 7.1.0 '@typescript-eslint/typescript-estree': 7.1.0(typescript@5.3.3) '@typescript-eslint/visitor-keys': 7.1.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.57.0 optionalDependencies: typescript: 5.3.3 @@ -16815,7 +16830,7 @@ snapshots: '@typescript-eslint/types': 7.7.1 '@typescript-eslint/typescript-estree': 7.7.1(typescript@5.4.5) '@typescript-eslint/visitor-keys': 7.7.1 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.57.0 optionalDependencies: typescript: 5.4.5 @@ -16846,7 +16861,7 @@ snapshots: dependencies: '@typescript-eslint/typescript-estree': 6.11.0(typescript@5.3.3) '@typescript-eslint/utils': 6.11.0(eslint@8.53.0)(typescript@5.3.3) - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.53.0 ts-api-utils: 1.3.0(typescript@5.3.3) optionalDependencies: @@ -16858,7 +16873,7 @@ snapshots: dependencies: '@typescript-eslint/typescript-estree': 7.1.0(typescript@5.3.3) '@typescript-eslint/utils': 7.1.0(eslint@8.57.0)(typescript@5.3.3) - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.57.0 ts-api-utils: 1.3.0(typescript@5.3.3) optionalDependencies: @@ -16870,7 +16885,7 @@ snapshots: dependencies: '@typescript-eslint/typescript-estree': 7.7.1(typescript@5.4.5) '@typescript-eslint/utils': 7.7.1(eslint@8.57.0)(typescript@5.4.5) - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.57.0 ts-api-utils: 1.3.0(typescript@5.4.5) optionalDependencies: @@ -16890,7 +16905,7 @@ snapshots: dependencies: '@typescript-eslint/types': 5.62.0 '@typescript-eslint/visitor-keys': 5.62.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) globby: 11.1.0 is-glob: 4.0.3 semver: 7.6.2 @@ -16904,7 +16919,7 @@ snapshots: dependencies: '@typescript-eslint/types': 6.11.0 '@typescript-eslint/visitor-keys': 6.11.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) globby: 11.1.0 is-glob: 4.0.3 semver: 7.6.2 @@ -16918,7 +16933,7 @@ snapshots: dependencies: '@typescript-eslint/types': 7.1.0 '@typescript-eslint/visitor-keys': 7.1.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) globby: 11.1.0 is-glob: 4.0.3 minimatch: 9.0.3 @@ -16933,7 +16948,7 @@ snapshots: dependencies: '@typescript-eslint/types': 7.7.1 '@typescript-eslint/visitor-keys': 7.7.1 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) globby: 11.1.0 is-glob: 4.0.3 minimatch: 9.0.4 @@ -17306,13 +17321,13 @@ snapshots: agent-base@6.0.2: dependencies: - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) transitivePeerDependencies: - supports-color agent-base@7.1.1: dependencies: - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) transitivePeerDependencies: - supports-color @@ -18685,7 +18700,7 @@ snapshots: detect-port@1.6.1: dependencies: address: 1.2.2 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) transitivePeerDependencies: - supports-color @@ -18932,7 +18947,7 @@ snapshots: esbuild-register@3.5.0(esbuild@0.20.2): dependencies: - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) esbuild: 0.20.2 transitivePeerDependencies: - supports-color @@ -19227,7 +19242,7 @@ snapshots: ajv: 6.12.6 chalk: 4.1.2 cross-spawn: 7.0.3 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) doctrine: 3.0.0 escape-string-regexp: 4.0.0 eslint-scope: 7.2.2 @@ -19270,7 +19285,7 @@ snapshots: ajv: 6.12.6 chalk: 4.1.2 cross-spawn: 7.0.3 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) doctrine: 3.0.0 escape-string-regexp: 4.0.0 eslint-scope: 7.2.2 @@ -20248,14 +20263,14 @@ snapshots: dependencies: '@tootallnate/once': 2.0.0 agent-base: 6.0.2 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) transitivePeerDependencies: - supports-color http-proxy-agent@7.0.2: dependencies: agent-base: 7.1.1 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) transitivePeerDependencies: - supports-color @@ -20294,14 +20309,14 @@ snapshots: https-proxy-agent@5.0.1: dependencies: agent-base: 6.0.2 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) transitivePeerDependencies: - supports-color https-proxy-agent@7.0.4: dependencies: agent-base: 7.1.1 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) transitivePeerDependencies: - supports-color @@ -20409,7 +20424,7 @@ snapshots: dependencies: '@ioredis/commands': 1.2.0 cluster-key-slot: 1.1.2 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) denque: 2.1.0 lodash.defaults: 4.2.0 lodash.isarguments: 3.1.0 @@ -20674,7 +20689,7 @@ snapshots: istanbul-lib-source-maps@4.0.1: dependencies: - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) istanbul-lib-coverage: 3.2.2 source-map: 0.6.1 transitivePeerDependencies: @@ -21797,7 +21812,7 @@ snapshots: micromark@4.0.0: dependencies: '@types/debug': 4.1.12 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) decode-named-character-reference: 1.0.2 devlop: 1.1.0 micromark-core-commonmark: 2.0.1 @@ -23422,7 +23437,7 @@ snapshots: require-in-the-middle@7.3.0: dependencies: - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) module-details-from-path: 1.0.3 resolve: 1.22.8 transitivePeerDependencies: @@ -23480,7 +23495,7 @@ snapshots: retry-request@5.0.2: dependencies: - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) extend: 3.0.2 transitivePeerDependencies: - supports-color @@ -23732,7 +23747,7 @@ snapshots: dependencies: '@hapi/hoek': 10.0.1 '@hapi/wreck': 18.1.0 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) joi: 17.13.3 transitivePeerDependencies: - supports-color @@ -23830,7 +23845,7 @@ snapshots: socks-proxy-agent@8.0.3: dependencies: agent-base: 7.1.1 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) socks: 2.8.3 transitivePeerDependencies: - supports-color @@ -24477,7 +24492,7 @@ snapshots: chalk: 4.1.2 cli-highlight: 2.1.11 dayjs: 1.11.11 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) dotenv: 16.4.5 glob: 10.3.12 mkdirp: 2.1.6 @@ -24684,7 +24699,7 @@ snapshots: vite-node@0.34.6(@types/node@20.12.7)(sass@1.76.0)(terser@5.30.3): dependencies: cac: 6.7.14 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) mlly: 1.7.1 pathe: 1.1.2 picocolors: 1.0.1 @@ -24733,7 +24748,7 @@ snapshots: acorn-walk: 8.3.3 cac: 6.7.14 chai: 4.4.1 - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) local-pkg: 0.4.3 magic-string: 0.30.10 pathe: 1.1.2 @@ -24795,6 +24810,8 @@ snapshots: vue-component-type-helpers@2.0.22: {} + vue-component-type-helpers@2.0.26: {} + vue-demi@0.14.8(vue@3.4.26(typescript@5.4.5)): dependencies: vue: 3.4.26(typescript@5.4.5) @@ -24817,7 +24834,7 @@ snapshots: vue-eslint-parser@9.4.2(eslint@8.57.0): dependencies: - debug: 4.3.5(supports-color@5.5.0) + debug: 4.3.5(supports-color@8.1.1) eslint: 8.57.0 eslint-scope: 7.2.2 eslint-visitor-keys: 3.4.3 From 2d604908f287ab17cb7ed00e489f26fd199f5812 Mon Sep 17 00:00:00 2001 From: Esurio Date: Fri, 5 Jul 2024 04:18:12 +0000 Subject: [PATCH 2/3] Update CHANGELOG --- CHANGELOG_engawa.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG_engawa.md b/CHANGELOG_engawa.md index e768db17d8..89f02af550 100644 --- a/CHANGELOG_engawa.md +++ b/CHANGELOG_engawa.md @@ -29,6 +29,8 @@ ### Server - 管理者アカウントを別サーバーに移行できるように - APIドキュメントをRedocからscalarにして軽量化 +- fix: OAuthにレートリミットがかかっていない問題 +- fix: SQLエスケープが不完全な問題 ### Misc From e4a1e3aac30ba18df6ec23a9553615decfb56451 Mon Sep 17 00:00:00 2001 From: Esurio Date: Fri, 5 Jul 2024 04:22:56 +0000 Subject: [PATCH 3/3] fix: await --- packages/backend/src/server/oauth/OAuth2ProviderService.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts index 3885c5845e..8c653bc286 100644 --- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts +++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts @@ -394,7 +394,7 @@ export class OAuth2ProviderService { }, }); - fastify.register(rateLimit, { + await fastify.register(rateLimit, { max: 100, timeWindow: '1 hour' });