Thomas Lynch
9491d60aec
socket.io, redis adapter, client and gulpfile update
3 years ago
Thomas Lynch
01915f6377
npm update && npm audit fix
3 years ago
Thomas Lynch
42eb51c498
npm audit fix again
3 years ago
Thomas Lynch
5686c293c9
npm audit fix 1/3, still 2 more waiting for upstream pm2
3 years ago
Thomas Lynch
ce69aaee7d
i hate life
4 years ago
Thomas Lynch
05f1353205
package lock
4 years ago
Thomas Lynch
e103c71478
publish scoped gulp-pug package to use gulp 3, 3.0.2 to fix vuln that this POS outdated package won't update
4 years ago
Thomas Lynch
fc525c6a04
update package.json
4 years ago
Thomas Lynch
67e50bdb8e
don't duplicate codethemes, improve gulpfile and theme helper
...
now only css files are listed as themes, other extensions are copied to /file
and gulp-replace is used to prepend /file/ to all the url( paths in the codethemes
4 years ago
Thomas Lynch
edd2f0392d
npm update
4 years ago
Thomas Lynch
2d26328dc9
update package lock
4 years ago
Thomas Lynch
5ff814de62
npm audit fix https://npmjs.com/advisories/1594
4 years ago
Thomas Lynch
56562a9e52
update deps
4 years ago
Thomas Lynch
e65015540a
run npm audit fix
4 years ago
Thomas Lynch
c6f9744013
ran npm audit fix
4 years ago
Thomas Lynch
4ebea1c084
ran npm audit fix
4 years ago
Thomas Lynch
9215dcbf17
test only, blockhash option
4 years ago
Thomas Lynch
0bc6a80c96
update deps
4 years ago
Thomas Lynch
22f582f3a7
Insecure tripcodes reference #282
4 years ago
Thomas Lynch
ecb9550693
update some deps
4 years ago
Thomas Lynch
26dd43f251
update express-fileupload middleware to fix issue with abort event incorrectly deleting temp files between file upload middleware and later middlewares
4 years ago
Thomas Lynch
48d6721ecc
update deps
4 years ago
Thomas Lynch
f212f67aa4
update package lock
4 years ago
Thomas Lynch
24574862a2
Add file-type module to check file mime types strictly, with 2 options in config about it
...
Update express-fileupload dependency to clean tempfiles on numFilesLimitHandler
Add a proper error message for max num files instead of allowing unlimited and limiting in board post method
4 years ago
Thomas Lynch
7d87819ad4
Update node-fetch dependency for security advisory https://npmjs.com/advisories/1556
4 years ago
Thomas Lynch
f5e44011dd
npm audit fix
4 years ago
Thomas Lynch
2d1af818aa
Update some deps
4 years ago
some random guy
e30ec2737e
normalize IP addresses
...
Currently jschan takes the IP address as a string from the `X-Real-Ip` header,
which based on the frontend proxy configuration, OS settings, etc. can take
various forms:
IPv4 addresses can be given in normal IPv4 dotted notation (e.g. `1.2.3.4`) or
as an IPv4-mapped IPv6 address (e.g. `::ffff:1.2.3.4`). The problem is, that in
the latter case, node's `isIP` will report 6, so the code will try to split it
along colons, breaking hrange and qrange.
With IPv6 addresses, it's possible to elide runs of zeroes, so `::1` and
`0:0:0:0:0:0:0:1` (and also `0000:0000:0000:0000:0000:0000:0000:0001`)
represent the same address. Since it's pretty easy to get a /64 IPv6 block, a
spammer can abuse it, by spamming from `a:b:c:d::1` (`qrange=a:b:c:d`,
`hrange=a:b:c`), then from `a:b:c:d::1:1` (`qrange=a:b:c:d:`, `hrange=a:b:c`),
`a:b:c:d::1:1:1` (`qrange=a:b:c:d::1`, `hrange=a:b:c:d`) and
`a:b:c:d:1:1:1:1` (`qrange=a:b:c:d:1:1`, `hrange=a:b:c:d`). He practically got
two hranges and qrange is pretty much pointless for IPv6 addresses.
This change uses the `ip6addr` package to parse IP addresses and convert it to
some canonical form. This means:
* IPv4 and IPv4-mapped IPv6 addresses are converted to normal IPv4 notation.
* Zeros are not elided in IPv6 (so you'll never see `::`).
* IPv6 addresses are not zero padded (so `..:1` instead of `..:0001`).
* Even though it's not documented, it seems like `ip6addr` always generates
lower-case letters.
This will unfortunately mean that some IP hashes may change after the update.
Normal IPv4 hashes will most probably remain the same though.
4 years ago
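The commit message above describes why an IP string must be canonicalised before it is hashed or bucketed into ranges. The following is an added example, not jschan's code and not the `ip6addr` package: it implements the same canonical form the message lists (IPv4-mapped IPv6 collapsed to dotted IPv4, no `::` elision, no zero padding, lower-case hex) with no dependencies, then derives range buckets from the canonical string. The range widths (`hrange` = first 4 hextets or first 2 octets, `qrange` = first 6 hextets or first 3 octets) are an assumption for this example, since the page does not define them; the sample addresses are constructed, taken from the four variants in the message.

```javascript
// Added example (not jschan's code): canonicalise an IP address string before
// hashing or range-bucketing it. Malformed input throws rather than being
// silently bucketed somewhere surprising.

const IPV4_RE = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;

// Expand an IPv6 address into its eight 16-bit groups (as numbers).
// Handles '::' elision and a trailing dotted-quad (the IPv4-mapped form).
function parseIpv6(addr) {
  let s = addr.toLowerCase();
  // A trailing dotted-quad (e.g. ::ffff:1.2.3.4) becomes two hex groups.
  const lastColon = s.lastIndexOf(':');
  const tail = s.slice(lastColon + 1);
  if (tail.includes('.')) {
    const octets = tail.split('.').map(Number);
    if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
      throw new Error('invalid IPv4 tail in ' + addr);
    }
    s = s.slice(0, lastColon + 1) +
      ((octets[0] << 8) | octets[1]).toString(16) + ':' +
      ((octets[2] << 8) | octets[3]).toString(16);
  }
  const halves = s.split('::');
  if (halves.length > 2) throw new Error('multiple "::" in ' + addr);
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - rest.length; // groups hidden by '::'
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('wrong group count in ' + addr);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...rest];
  return groups.map(g => {
    if (!/^[0-9a-f]{1,4}$/.test(g)) throw new Error('bad group "' + g + '" in ' + addr);
    return parseInt(g, 16);
  });
}

// Canonical string form with the properties listed in the commit message:
// IPv4 and IPv4-mapped IPv6 come out as dotted IPv4; IPv6 has no '::',
// no zero padding and lower-case hex.
function normalizeIp(addr) {
  const s = addr.trim();
  if (IPV4_RE.test(s)) return s;
  if (!s.includes(':')) throw new Error('not an IP address: ' + addr);
  const g = parseIpv6(s);
  // IPv4-mapped: first five groups zero, sixth 0xffff, last two carry the IPv4.
  if (g.slice(0, 5).every(x => x === 0) && g[5] === 0xffff) {
    return [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.');
  }
  return g.map(x => x.toString(16)).join(':');
}

// Range buckets computed on the canonical form. Widths are an assumption for
// this example: IPv6 hrange = first 4 groups (/64), qrange = first 6 (/96);
// IPv4 hrange = first 2 octets (/16), qrange = first 3 (/24).
function ipRanges(addr) {
  const ip = normalizeIp(addr);
  if (IPV4_RE.test(ip)) {
    const o = ip.split('.');
    return { ip, hrange: o.slice(0, 2).join('.'), qrange: o.slice(0, 3).join('.') };
  }
  const g = ip.split(':');
  return { ip, hrange: g.slice(0, 4).join(':'), qrange: g.slice(0, 6).join(':') };
}

// Constructed inputs: the four forms the commit message shows coming from one
// /64, plus IPv4-mapped, zero-padded and upper-case variants.
const SAMPLES = [
  'a:b:c:d::1', 'a:b:c:d::1:1', 'a:b:c:d::1:1:1', 'a:b:c:d:1:1:1:1',
  '::ffff:1.2.3.4', '1.2.3.4', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', 'FE80::ABCD',
];

// Show that all four /64 variants now share one hrange.
function demo() {
  for (const s of SAMPLES) console.log(s.padEnd(40), JSON.stringify(ipRanges(s)));
}
demo();
```

With the canonical form, the four addresses from the message all yield `hrange` `a:b:c:d`, so a poster moving around inside one /64 stays in one bucket; the pre-change behaviour the message describes (splitting the raw string on colons) is exactly what this avoids.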
Thomas Lynch
1f7e670c7c
modlog records for non-delete actions now link to posts closes #193
4 years ago
Thomas Lynch
8935ca5c28
Customisable header for IP and country code, and improve how country names are handled
4 years ago
Thomas Lynch
f4717b35a3
explicit version for express-fileupload, which should now be fixed
4 years ago
Thomas Lynch
39bbedfe53
Get session in websocket
4 years ago
Thomas Lynch
9f47b05f0d
update deps
4 years ago
Thomas Lynch
ce0bfab6c2
switch to getting packages from gitgud.io
4 years ago
Thomas Lynch
708a6e0b9b
remove dupe dependency with same path
4 years ago
dependabot-preview[bot]
d4705d6f3c
Bump bcrypt from 4.0.1 to 5.0.0 (#166)
...
Bumps [bcrypt](https://github.com/kelektiv/node.bcrypt.js) from 4.0.1 to 5.0.0.
- [Release notes](https://github.com/kelektiv/node.bcrypt.js/releases)
- [Changelog](https://github.com/kelektiv/node.bcrypt.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kelektiv/node.bcrypt.js/compare/v4.0.1...v5.0.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
dependabot-preview[bot]
bd427b929e
Bump socket.io-redis from 5.2.0 to 5.3.0 (#159)
...
Bumps [socket.io-redis](https://github.com/socketio/socket.io-redis) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/socketio/socket.io-redis/releases)
- [Changelog](https://github.com/socketio/socket.io-redis/blob/master/CHANGELOG.md)
- [Commits](https://github.com/socketio/socket.io-redis/compare/5.2.0...5.3.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
dependabot-preview[bot]
ec76dfa0fe
Bump sanitize-html from 1.25.0 to 1.26.0 (#157)
...
Bumps [sanitize-html](https://github.com/apostrophecms/sanitize-html) from 1.25.0 to 1.26.0.
- [Release notes](https://github.com/apostrophecms/sanitize-html/releases)
- [Changelog](https://github.com/apostrophecms/sanitize-html/blob/master/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/sanitize-html/commits)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
dependabot-preview[bot]
285bee3f31
Bump fs-extra from 9.0.0 to 9.0.1 (#156)
...
Bumps [fs-extra](https://github.com/jprichardson/node-fs-extra) from 9.0.0 to 9.0.1.
- [Release notes](https://github.com/jprichardson/node-fs-extra/releases)
- [Changelog](https://github.com/jprichardson/node-fs-extra/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jprichardson/node-fs-extra/compare/9.0.0...9.0.1)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
dependabot-preview[bot]
523d0975f7
Bump ioredis from 4.17.1 to 4.17.3 (#150)
...
Bumps [ioredis](https://github.com/luin/ioredis) from 4.17.1 to 4.17.3.
- [Release notes](https://github.com/luin/ioredis/releases)
- [Changelog](https://github.com/luin/ioredis/blob/master/Changelog.md)
- [Commits](https://github.com/luin/ioredis/compare/v4.17.1...v4.17.3)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
dependabot-preview[bot]
0351b9c688
Bump sanitize-html from 1.24.0 to 1.25.0 (#151)
...
Bumps [sanitize-html](https://github.com/apostrophecms/sanitize-html) from 1.24.0 to 1.25.0.
- [Release notes](https://github.com/apostrophecms/sanitize-html/releases)
- [Changelog](https://github.com/apostrophecms/sanitize-html/blob/master/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/sanitize-html/commits)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
fatchan
eed27c414a
Update package-lock.json closes #148
4 years ago
Thomas Lynch
b32f3a76c0
bring across dependabot merges (#147)
...
* Bump ioredis from 4.16.3 to 4.17.1
Bumps [ioredis](https://github.com/luin/ioredis) from 4.16.3 to 4.17.1.
- [Release notes](https://github.com/luin/ioredis/releases)
- [Changelog](https://github.com/luin/ioredis/blob/master/Changelog.md)
- [Commits](https://github.com/luin/ioredis/compare/v4.16.3...v4.17.1)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* Bump sanitize-html from 1.23.0 to 1.24.0
Bumps [sanitize-html](https://github.com/apostrophecms/sanitize-html) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/apostrophecms/sanitize-html/releases)
- [Changelog](https://github.com/apostrophecms/sanitize-html/blob/master/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/sanitize-html/commits)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* Bump pug from 2.0.4 to 3.0.0
Bumps [pug](https://github.com/pugjs/pug) from 2.0.4 to 3.0.0.
- [Release notes](https://github.com/pugjs/pug/releases)
- [Commits](https://github.com/pugjs/pug/compare/pug@2.0.4...pug@3.0.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
* Bump mongodb from 3.5.7 to 3.5.8
Bumps [mongodb](https://github.com/mongodb/node-mongodb-native) from 3.5.7 to 3.5.8.
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/master/CHANGES_3.0.0.md)
- [Commits](https://github.com/mongodb/node-mongodb-native/compare/v3.5.7...v3.5.8)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
4 years ago
dependabot-preview[bot]
ec2f3a68c7
Bump mongodb from 3.5.7 to 3.5.8
...
Bumps [mongodb](https://github.com/mongodb/node-mongodb-native) from 3.5.7 to 3.5.8.
- [Release notes](https://github.com/mongodb/node-mongodb-native/releases)
- [Changelog](https://github.com/mongodb/node-mongodb-native/blob/master/CHANGES_3.0.0.md)
- [Commits](https://github.com/mongodb/node-mongodb-native/compare/v3.5.7...v3.5.8)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
4 years ago
dependabot-preview[bot]
c1ea23a6a8
Bump pug from 2.0.4 to 3.0.0
...
Bumps [pug](https://github.com/pugjs/pug) from 2.0.4 to 3.0.0.
- [Release notes](https://github.com/pugjs/pug/releases)
- [Commits](https://github.com/pugjs/pug/compare/pug@2.0.4...pug@3.0.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
4 years ago
dependabot-preview[bot]
f5961af0b0
Bump sanitize-html from 1.23.0 to 1.24.0
...
Bumps [sanitize-html](https://github.com/apostrophecms/sanitize-html) from 1.23.0 to 1.24.0.
- [Release notes](https://github.com/apostrophecms/sanitize-html/releases)
- [Changelog](https://github.com/apostrophecms/sanitize-html/blob/master/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/sanitize-html/commits)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
4 years ago
dependabot-preview[bot]
c73c306068
Bump ioredis from 4.16.3 to 4.17.1
...
Bumps [ioredis](https://github.com/luin/ioredis) from 4.16.3 to 4.17.1.
- [Release notes](https://github.com/luin/ioredis/releases)
- [Changelog](https://github.com/luin/ioredis/blob/master/Changelog.md)
- [Commits](https://github.com/luin/ioredis/compare/v4.16.3...v4.17.1)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
4 years ago
dependabot-preview[bot]
d72e9e9df4
Bump highlight.js from 10.0.2 to 10.0.3
...
Bumps [highlight.js](https://github.com/highlightjs/highlight.js) from 10.0.2 to 10.0.3.
- [Release notes](https://github.com/highlightjs/highlight.js/releases)
- [Changelog](https://github.com/highlightjs/highlight.js/blob/10.0.3/CHANGES.md)
- [Commits](https://github.com/highlightjs/highlight.js/compare/10.0.2...10.0.3)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
4 years ago
dependabot-preview[bot]
4e0915b172
Bump bull from 3.13.0 to 3.14.0
...
Bumps [bull](https://github.com/OptimalBits/bull) from 3.13.0 to 3.14.0.
- [Release notes](https://github.com/OptimalBits/bull/releases)
- [Changelog](https://github.com/OptimalBits/bull/blob/develop/CHANGELOG.md)
- [Commits](https://github.com/OptimalBits/bull/compare/v3.13.0...v3.14.0)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
4 years ago
dependabot-preview[bot]
2576586e51
Bump highlight.js from 10.0.1 to 10.0.2
...
Bumps [highlight.js](https://github.com/highlightjs/highlight.js) from 10.0.1 to 10.0.2.
- [Release notes](https://github.com/highlightjs/highlight.js/releases)
- [Changelog](https://github.com/highlightjs/highlight.js/blob/master/CHANGES.md)
- [Commits](https://github.com/highlightjs/highlight.js/compare/10.0.1...10.0.2)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
4 years ago