From 38d4a7fd56fe8fb9b027e16f27e907c865a9c754 Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Tue, 20 May 2025 21:21:42 -0400
Subject: [PATCH 1/6] don't recursively render note previews
---
packages/frontend/src/components/MkNote.vue | 4 +++-
.../frontend/src/components/MkNoteDetailed.vue | 4 +++-
packages/frontend/src/components/SkNote.vue | 4 +++-
.../frontend/src/components/SkNoteDetailed.vue | 4 +++-
.../frontend/src/components/SkOldNoteWindow.vue | 6 ++++--
packages/frontend/src/pages/chat/XMessage.vue | 2 +-
.../frontend/src/utility/get-self-note-ids.ts | 17 +++++++++++++++++
7 files changed, 34 insertions(+), 7 deletions(-)
create mode 100644 packages/frontend/src/utility/get-self-note-ids.ts
diff --git a/packages/frontend/src/components/MkNote.vue b/packages/frontend/src/components/MkNote.vue
index 3418676d58..dcf477f74d 100644
--- a/packages/frontend/src/components/MkNote.vue
+++ b/packages/frontend/src/components/MkNote.vue
@@ -95,7 +95,7 @@ SPDX-License-Identifier: AGPL-3.0-only
- +
diff --git a/packages/frontend/src/utility/get-self-note-ids.ts b/packages/frontend/src/utility/get-self-note-ids.ts
new file mode 100644
index 0000000000..b847615a06
--- /dev/null
+++ b/packages/frontend/src/utility/get-self-note-ids.ts
@@ -0,0 +1,17 @@
+/*
+ * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import type * as Misskey from 'misskey-js';
+
+/**
+ * Gets IDs of notes that are visibly the "same" as the current note.
+ * These are IDs that should not be recursively resolved when starting from the provided note as entry.
+ */
+export function getSelfNoteIds(note: Misskey.entities.Note): string[] {
+ const ids = [note.id]; // Regular note
+ if (note.renote) ids.push(note.renote.id); // Renote or quote
+ if (note.renote?.renote) ids.push(note.renote.renote.id); // Renote *of* a quote
+ return ids;
+}
From dc1adcc4918cb8019c3263c99503460431d3516b Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Tue, 20 May 2025 21:37:25 -0400
Subject: [PATCH 2/6] skip resolving preview when a link is known to be recursive
---
packages/frontend/src/components/MkNote.vue | 3 +-
.../src/components/MkNoteDetailed.vue | 7 ++--
packages/frontend/src/components/SkNote.vue | 3 +-
.../src/components/SkNoteDetailed.vue | 7 ++--
.../src/components/SkOldNoteWindow.vue | 9 +++---
.../src/utility/extract-preview-urls.ts | 32 +++++++++++++++++++
.../src/utility/extract-url-from-mfm.ts | 1 +
7 files changed, 49 insertions(+), 13 deletions(-)
create mode 100644 packages/frontend/src/utility/extract-preview-urls.ts
diff --git a/packages/frontend/src/components/MkNote.vue b/packages/frontend/src/components/MkNote.vue
index dcf477f74d..2ffa2778fc 100644
--- a/packages/frontend/src/components/MkNote.vue
+++ b/packages/frontend/src/components/MkNote.vue
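Review bot: The doc comment on `getSelfNoteIds` lists which IDs come back but not why the walk stops at `note.renote.renote`, so a reader cannot tell whether deeper chains are impossible or merely ignored. If the invariant relied on is that a note object nests at most a renote of a quote, say so next to the third push, e.g. `// Deepest nesting a note carries is renote -> renote.renote (a renote of a quote); nothing further to guard`, and hedge it if that is only an assumption about the API. It is also worth stating that the array is not deduplicated, so a chain that points back at the same note yields a repeated ID, which callers should tolerate.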
@@ -236,6 +236,7 @@ import { useRouter } from '@/router.js'; import SkMutedNote from '@/components/SkMutedNote.vue'; import SkNoteTranslation from '@/components/SkNoteTranslation.vue'; import { getSelfNoteIds } from '@/utility/get-self-note-ids.js'; +import { extractPreviewUrls } from '@/utility/extract-preview-urls.js'; const props = withDefaults(defineProps<{ note: Misskey.entities.Note; @@ -303,7 +304,7 @@ const galleryEl = useTemplateRef('galleryEl'); const isMyRenote = $i && ($i.id === note.value.userId); const showContent = ref(prefer.s.uncollapseCW); const parsed = computed(() => appearNote.value.text ? mfm.parse(appearNote.value.text) : null); -const urls = computed(() => parsed.value ? extractUrlFromMfm(parsed.value).filter((url) => appearNote.value.renote?.url !== url && appearNote.value.renote?.uri !== url) : null); +const urls = computed(() => parsed.value ? extractPreviewUrls(props.note, parsed.value) : null); const selfNoteIds = computed(() => getSelfNoteIds(props.note)); const isLong = shouldCollapsed(appearNote.value, urls.value ?? []); const collapsed = ref(prefer.s.expandLongNote && appearNote.value.cw == null && isLong ? false : appearNote.value.cw == null && isLong); diff --git a/packages/frontend/src/components/MkNoteDetailed.vue b/packages/frontend/src/components/MkNoteDetailed.vue index c05b8afcfb..f5f4bb64ec 100644 --- a/packages/frontend/src/components/MkNoteDetailed.vue +++ b/packages/frontend/src/components/MkNoteDetailed.vue @@ -286,6 +286,7 @@ import { DI } from '@/di.js'; import SkMutedNote from '@/components/SkMutedNote.vue'; import SkNoteTranslation from '@/components/SkNoteTranslation.vue'; import { getSelfNoteIds } from '@/utility/get-self-note-ids.js'; +import { extractPreviewUrls } from '@/utility/extract-preview-urls.js'; const props = withDefaults(defineProps<{ note: Misskey.entities.Note; 
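Review bot: The rewritten `urls` line in MkNote.vue no longer calls `extractUrlFromMfm`, but its import (outside this hunk) is not dropped here — the diffstat's 2 insertions / 1 deletion are exactly the lines shown — while the same commit does remove that import in SkOldNoteWindow.vue. If nothing else in the `<script setup>` references it, the import is now dead and will trip the unused-import lint; the matching hunks in MkNoteDetailed.vue, SkNote.vue and SkNoteDetailed.vue have the same gap. Separately, `parsed` is derived from `appearNote.value.text` while `props.note` is what goes to `extractPreviewUrls`; that is correct only because the helper itself walks note → renote → renote.renote, and a one-line comment such as `// props.note, not appearNote: extractPreviewUrls checks the whole renote chain` would spare the next reader the lookup.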
@@ -338,10 +339,10 @@ const isDeleted = ref(false); const renoted = ref(false); const translation = ref(null); const translating = ref(false); -const parsed = appearNote.value.text ? mfm.parse(appearNote.value.text) : null; -const urls = parsed ? extractUrlFromMfm(parsed).filter((url) => appearNote.value.renote?.url !== url && appearNote.value.renote?.uri !== url) : null; +const parsed = computed(() => appearNote.value.text ? mfm.parse(appearNote.value.text) : null); +const urls = computed(() => parsed.value ? extractPreviewUrls(props.note, parsed.value) : null); const selfNoteIds = computed(() => getSelfNoteIds(props.note)); -const animated = computed(() => parsed ? checkAnimationFromMfm(parsed) : null); +const animated = computed(() => parsed.value ? checkAnimationFromMfm(parsed.value) : null); const allowAnim = ref(prefer.s.advancedMfm && prefer.s.animatedMfm); const showTicker = (prefer.s.instanceTicker === 'always') || (prefer.s.instanceTicker === 'remote' && appearNote.value.user.instance); const conversation = ref([]); diff --git a/packages/frontend/src/components/SkNote.vue b/packages/frontend/src/components/SkNote.vue index 49ed815af8..621f732caa 100644 --- a/packages/frontend/src/components/SkNote.vue +++ b/packages/frontend/src/components/SkNote.vue @@ -236,6 +236,7 @@ import { useRouter } from '@/router.js'; import SkMutedNote from '@/components/SkMutedNote.vue'; import SkNoteTranslation from '@/components/SkNoteTranslation.vue'; import { getSelfNoteIds } from '@/utility/get-self-note-ids.js'; +import { extractPreviewUrls } from '@/utility/extract-preview-urls.js'; const props = withDefaults(defineProps<{ note: Misskey.entities.Note; 
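Review bot: In MkNoteDetailed.vue `parsed` and `urls` change from plain values to `computed` refs, which is what lets `animated` follow text changes, but any script-side use of them outside this hunk now needs `.value` (the template auto-unwraps, script code does not). The diffstat's 4 insertions / 3 deletions say nothing else in the file was touched, so a quick grep for bare `parsed`/`urls` in the script block is worth doing before merge. The same applies to the matching hunk in SkNoteDetailed.vue.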
@@ -303,7 +304,7 @@ const galleryEl = useTemplateRef('galleryEl'); const isMyRenote = $i && ($i.id === note.value.userId); const showContent = ref(prefer.s.uncollapseCW); const parsed = computed(() => appearNote.value.text ? mfm.parse(appearNote.value.text) : null); -const urls = computed(() => parsed.value ? extractUrlFromMfm(parsed.value).filter((url) => appearNote.value.renote?.url !== url && appearNote.value.renote?.uri !== url) : null); +const urls = computed(() => parsed.value ? extractPreviewUrls(props.note, parsed.value) : null); const selfNoteIds = computed(() => getSelfNoteIds(props.note)); const isLong = shouldCollapsed(appearNote.value, urls.value ?? []); const collapsed = ref(prefer.s.expandLongNote && appearNote.value.cw == null && isLong ? false : appearNote.value.cw == null && isLong); diff --git a/packages/frontend/src/components/SkNoteDetailed.vue b/packages/frontend/src/components/SkNoteDetailed.vue index 7dab05d157..e96c80e3d4 100644 --- a/packages/frontend/src/components/SkNoteDetailed.vue +++ b/packages/frontend/src/components/SkNoteDetailed.vue @@ -291,6 +291,7 @@ import { DI } from '@/di.js'; import SkMutedNote from '@/components/SkMutedNote.vue'; import SkNoteTranslation from '@/components/SkNoteTranslation.vue'; import { getSelfNoteIds } from '@/utility/get-self-note-ids.js'; +import { extractPreviewUrls } from '@/utility/extract-preview-urls'; const props = withDefaults(defineProps<{ note: Misskey.entities.Note; 
@@ -344,10 +345,10 @@ const isDeleted = ref(false); const renoted = ref(false); const translation = ref(null); const translating = ref(false); -const parsed = appearNote.value.text ? mfm.parse(appearNote.value.text) : null; -const urls = parsed ? extractUrlFromMfm(parsed).filter((url) => appearNote.value.renote?.url !== url && appearNote.value.renote?.uri !== url) : null; +const parsed = computed(() => appearNote.value.text ? mfm.parse(appearNote.value.text) : null); +const urls = computed(() => parsed.value ? extractPreviewUrls(props.note, parsed.value) : null); const selfNoteIds = computed(() => getSelfNoteIds(props.note)); -const animated = computed(() => parsed ? checkAnimationFromMfm(parsed) : null); +const animated = computed(() => parsed.value ? checkAnimationFromMfm(parsed.value) : null); const allowAnim = ref(prefer.s.advancedMfm && prefer.s.animatedMfm ? true : false); const showTicker = (prefer.s.instanceTicker === 'always') || (prefer.s.instanceTicker === 'remote' && appearNote.value.user.instance); const conversation = ref([]); diff --git a/packages/frontend/src/components/SkOldNoteWindow.vue b/packages/frontend/src/components/SkOldNoteWindow.vue index 50c500dbea..b6dbec81c5 100644 --- a/packages/frontend/src/components/SkOldNoteWindow.vue +++ b/packages/frontend/src/components/SkOldNoteWindow.vue @@ -86,7 +86,6 @@ import MkPoll from '@/components/MkPoll.vue'; import MkUrlPreview from '@/components/MkUrlPreview.vue'; import MkInstanceTicker from '@/components/MkInstanceTicker.vue'; import { userPage } from '@/filters/user.js'; -import { extractUrlFromMfm } from '@/utility/extract-url-from-mfm.js'; import { i18n } from '@/i18n.js'; import { deepClone } from '@/utility/clone.js'; import { dateTimeFormat } from '@/utility/intl-const.js'; 
@@ -94,6 +93,7 @@ import { prefer } from '@/preferences'; import { getPluginHandlers } from '@/plugin.js'; import SkNoteTranslation from '@/components/SkNoteTranslation.vue'; import { getSelfNoteIds } from '@/utility/get-self-note-ids'; +import { extractPreviewUrls } from '@/utility/extract-preview-urls.js'; const props = defineProps<{ note: Misskey.entities.Note; @@ -142,14 +142,13 @@ const isRenote = ( ); const el = shallowRef(); -let appearNote = computed(() => isRenote ? note.value.renote as Misskey.entities.Note : note.value); -const renoteUrl = appearNote.value.renote ? appearNote.value.renote.url : null; -const renoteUri = appearNote.value.renote ? appearNote.value.renote.uri : null; +const appearNote = computed(() => isRenote ? note.value.renote as Misskey.entities.Note : note.value); +const parsed = computed(() => appearNote.value.text ? mfm.parse(appearNote.value.text) : null); const showContent = ref(false); const translation = ref(null); const translating = ref(false); -const urls = appearNote.value.text ? extractUrlFromMfm(mfm.parse(appearNote.value.text)).filter(u => u !== renoteUrl && u !== renoteUri) : null; +const urls = computed(() => parsed.value ? extractPreviewUrls(props.note, parsed.value) : null); const selfNoteIds = computed(() => getSelfNoteIds(props.note)); const showTicker = (prefer.s.instanceTicker === 'always') || (prefer.s.instanceTicker === 'remote' && appearNote.value.user.instance); diff --git a/packages/frontend/src/utility/extract-preview-urls.ts b/packages/frontend/src/utility/extract-preview-urls.ts new file mode 100644 index 0000000000..e14ed68f27 --- /dev/null +++ b/packages/frontend/src/utility/extract-preview-urls.ts 
@@ -0,0 +1,32 @@
+/*
+ * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { host } from '@@/js/config.js';
+import type * as Misskey from 'misskey-js';
+import type * as mfm from '@transfem-org/sfm-js';
+import { extractUrlFromMfm } from '@/utility/extract-url-from-mfm.js';
+
+/**
+ * Extracts all previewable URLs from a note.
+ */
+export function extractPreviewUrls(note: Misskey.entities.Note, contents: mfm.MfmNode[]): string[] {
+ const links = extractUrlFromMfm(contents);
+ return links.filter(url =>
+ // Remote note
+ url !== note.url &&
+ url !== note.uri &&
+ // Local note
+ url !== `https://${host}/notes/${note.id}` &&
+ // Remote renote or quote
+ url !== note.renote?.url &&
+ url !== note.renote?.uri &&
+ // Local renote or quote
+ url !== `https://${host}/notes/${note.renote?.id}` &&
+ // Remote renote *of* a quote
+ url !== note.renote?.renote?.url &&
+ url !== note.renote?.renote?.uri &&
+ // Local renote *of* a quote
+ url !== `https://${host}/notes/${note.renote?.renote?.id}`);
+}
diff --git a/packages/frontend/src/utility/extract-url-from-mfm.ts b/packages/frontend/src/utility/extract-url-from-mfm.ts
index baebbff8ae..e1b9df138e 100644
--- a/packages/frontend/src/utility/extract-url-from-mfm.ts
+++ b/packages/frontend/src/utility/extract-url-from-mfm.ts
@@ -10,6 +10,7 @@ import { unique } from '@/utility/array.js';
 // [ http://a/#1, http://a/#2, http://b/#3 ] => [ http://a/#1, http://b/#3 ]
 const removeHash = (x: string) => x.replace(/#[^#]*$/, '');
+// TODO this is O(n^2) which could introduce a frontend DoS with a large enough character limit
 export function extractUrlFromMfm(nodes: mfm.MfmNode[], respectSilentFlag = true): string[] {
 const urlNodes = mfm.extract(nodes, (node) => {
 return (node.type === 'url') || (node.type === 'link' && (!respectSilentFlag || !node.props.silent));
From e74fde8b31062a3691ed9bae4d37aaaea4b269ff Mon Sep 17 00:00:00 2001
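Review bot: The ten hand-written `!==` comparisons in `extractPreviewUrls` re-encode the same note → renote → renote.renote chain that `getSelfNoteIds` already walks, and the local-URL templates are evaluated even when that level is absent, producing comparisons against `.../notes/undefined`. Building one exclusion set per chain level and filtering against it keeps the two helpers in step and removes the dead comparisons. Note also that the match is exact-string: a link to the note's own URL with a trailing slash or a `#fragment` (which `extractUrlFromMfm` keeps on the value it returns) passes this filter, so the `selfNoteIds` guard in the components, not this function, remains the backstop against a note previewing itself — worth a sentence in the doc comment.
```typescript
export function extractPreviewUrls(note: Misskey.entities.Note, contents: mfm.MfmNode[]): string[] {
	// Every URL form under which this note, its renote, or a renote *of* a quote can appear.
	// Matching is exact; variants (trailing slash, #fragment) are left to the selfNoteIds guard.
	const selfUrls = new Set<string>();
	for (const level of [note, note.renote, note.renote?.renote]) {
		if (!level) continue;
		if (level.url) selfUrls.add(level.url);
		if (level.uri) selfUrls.add(level.uri);
		selfUrls.add(`https://${host}/notes/${level.id}`);
	}
	return extractUrlFromMfm(contents).filter(url => !selfUrls.has(url));
}
```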
From: Hazelnoot
Date: Tue, 20 May 2025 22:33:14 -0400
Subject: [PATCH 3/6] optimize extractUrlFromMfm
---
.../src/utility/extract-url-from-mfm.ts | 36 ++++++++++++-------
1 file changed, 24 insertions(+), 12 deletions(-)
diff --git a/packages/frontend/src/utility/extract-url-from-mfm.ts b/packages/frontend/src/utility/extract-url-from-mfm.ts
index e1b9df138e..260dba030e 100644
--- a/packages/frontend/src/utility/extract-url-from-mfm.ts
+++ b/packages/frontend/src/utility/extract-url-from-mfm.ts
@@ -4,22 +4,34 @@ */
 import * as mfm from '@transfem-org/sfm-js';
-import { unique } from '@/utility/array.js';
 // unique without hash
 // [ http://a/#1, http://a/#2, http://b/#3 ] => [ http://a/#1, http://b/#3 ]
-const removeHash = (x: string) => x.replace(/#[^#]*$/, '');
+const removeHash = (x: string) => {
+ if (URL.canParse(x)) {
+ const url = new URL(x);
+ url.hash = '';
+ return url.toString();
+ } else {
+ return x.replace(/#[^#]*$/, '');
+ }
+};
-// TODO this is O(n^2) which could introduce a frontend DoS with a large enough character limit
 export function extractUrlFromMfm(nodes: mfm.MfmNode[], respectSilentFlag = true): string[] {
- const urlNodes = mfm.extract(nodes, (node) => {
- return (node.type === 'url') || (node.type === 'link' && (!respectSilentFlag || !node.props.silent));
- });
- const urls: string[] = unique(urlNodes.map(x => x.props.url));
+ const urls = new Map();
- return urls.reduce((array, url) => {
- const urlWithoutHash = removeHash(url);
- if (!array.map(x => removeHash(x)).includes(urlWithoutHash)) array.push(url);
- return array;
- }, [] as string[]);
+ // Single iteration pass to avoid potential DoS in maliciously-constructed notes.
+ for (const node of nodes) {
+ if ((node.type === 'url') || (node.type === 'link' && (!respectSilentFlag || !node.props.silent))) {
+ const url = (node as mfm.MfmUrl | mfm.MfmLink).props.url;
+ const key = removeHash(url);
+
+ // Keep the first match only, to preserve existing behavior.
+ if (!urls.has(key)) {
+ urls.set(key, url);
+ }
+ }
+ }
+
+ return Array.from(urls.values());
 }
From 28551c810309c69c8cc58fbc254507e705e8fa05 Mon Sep 17 00:00:00 2001
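Review bot: The rewritten loop visits only the top-level `nodes`, whereas the removed `mfm.extract` call also descended into child nodes, so a URL nested inside bold, center, a quote or a `$[...]` function node no longer yields a preview — a regression rather than an optimisation (this assumes sfm-js's `extract` recurses like upstream mfm-js; I believe it does). The quadratic cost in the old code was the `array.map(removeHash).includes(...)` inside the reduce, not `extract`, so keeping `extract` and deduplicating through the Map stays a single pass over its result. Two smaller points: `new Map()` should be `new Map<string, string>()` so the values stay typed, and the `URL`-based `removeHash` now canonicalises the dedupe key (lower-cased host, trailing slash on origin-only URLs), so `http://a` and `http://a/` collapse into one preview where they did not before — defensible, but it is a behaviour change that deserves a comment, and `URL.canParse` is recent enough (Node 19.9+, 2023 browsers) to check against the supported-browser list.
```typescript
export function extractUrlFromMfm(nodes: mfm.MfmNode[], respectSilentFlag = true): string[] {
	// extract() walks nested children; deduplicating through a Map keeps this linear in its result.
	const urlNodes = mfm.extract(nodes, (node) => {
		return (node.type === 'url') || (node.type === 'link' && (!respectSilentFlag || !node.props.silent));
	});
	const urls = new Map<string, string>();
	for (const node of urlNodes) {
		const url = (node as mfm.MfmUrl | mfm.MfmLink).props.url;
		const key = removeHash(url);
		// Keep the first match only, to preserve existing behavior.
		if (!urls.has(key)) urls.set(key, url);
	}
	return Array.from(urls.values());
}
```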
From: Hazelnoot
Date: Wed, 21 May 2025 08:27:23 -0400
Subject: [PATCH 4/6] use config.url instead of "https://${config.host}"
---
packages/backend/src/server/web/ClientServerService.ts | 1 +
packages/backend/src/server/web/views/info-card.pug | 2 +-
packages/frontend/src/components/MkNote.vue | 4 ++--
packages/frontend/src/components/MkNoteDetailed.vue | 4 ++--
packages/frontend/src/components/MkNoteSub.vue | 4 ++--
packages/frontend/src/components/MkPoll.vue | 4 ++--
packages/frontend/src/components/SkNote.vue | 4 ++--
packages/frontend/src/components/SkNoteDetailed.vue | 4 ++--
packages/frontend/src/components/SkNoteSub.vue | 4 ++--
packages/frontend/src/pages/note.vue | 4 ++--
packages/frontend/src/utility/extract-preview-urls.ts | 8 ++++----
11 files changed, 22 insertions(+), 21 deletions(-)
diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts
index 1321cf6338..c40d042fa4 100644
--- a/packages/backend/src/server/web/ClientServerService.ts
+++ b/packages/backend/src/server/web/ClientServerService.ts
@@ -890,6 +890,7 @@ export class ClientServerService {
 return await reply.view('info-card', {
 version: this.config.version,
 host: this.config.host,
+ url: this.config.url,
 meta: this.meta,
 originalUsersCount: await this.usersRepository.countBy({ host: IsNull() }),
 originalNotesCount: await this.notesRepository.countBy({ userHost: IsNull() }),
diff --git a/packages/backend/src/server/web/views/info-card.pug b/packages/backend/src/server/web/views/info-card.pug
index 4a9d00a596..0a95ea7b17 100644
--- a/packages/backend/src/server/web/views/info-card.pug
+++ b/packages/backend/src/server/web/views/info-card.pug
@@ -43,7 +43,7 @@ html
 }
 body
- a#a(href=`https://${host}` target="_blank")
+ a#a(href=url target="_blank")
 header#banner(style=`background-image: url(${meta.bannerUrl})`)
 div#title= meta.name || host
 div#content
diff --git a/packages/frontend/src/components/MkNote.vue b/packages/frontend/src/components/MkNote.vue index 2ffa2778fc..6a356ffd37 100644 --- a/packages/frontend/src/components/MkNote.vue +++ b/packages/frontend/src/components/MkNote.vue @@ -184,7 +184,7 @@ import * as mfm from '@transfem-org/sfm-js'; import * as Misskey from 'misskey-js'; import { isLink } from '@@/js/is-link.js'; import { shouldCollapsed } from '@@/js/collapsed.js'; -import { host } from '@@/js/config.js'; +import * as config from '@@/js/config.js'; import { computeMergedCw } from '@@/js/compute-merged-cw.js'; import type { Ref } from 'vue'; import type { MenuItem } from '@/types/menu.js'; @@ -328,7 +328,7 @@ const allowAnim = ref(prefer.s.advancedMfm && prefer.s.animatedMfm); const pleaseLoginContext = computed(() => ({ type: 'lookup', - url: appearNote.value.url ?? appearNote.value.uri ?? `https://${host}/notes/${appearNote.value.id}`, + url: appearNote.value.url ?? appearNote.value.uri ?? `${config.url}/notes/${appearNote.value.id}`, })); const mergedCW = computed(() => computeMergedCw(appearNote.value)); diff --git a/packages/frontend/src/components/MkNoteDetailed.vue b/packages/frontend/src/components/MkNoteDetailed.vue index f5f4bb64ec..92a3c7b5cc 100644 --- a/packages/frontend/src/components/MkNoteDetailed.vue +++ b/packages/frontend/src/components/MkNoteDetailed.vue @@ -236,7 +236,7 @@ import { computed, inject, onMounted, provide, ref, useTemplateRef, watch } from import * as mfm from '@transfem-org/sfm-js'; import * as Misskey from 'misskey-js'; import { isLink } from '@@/js/is-link.js'; -import { host } from '@@/js/config.js'; +import * as config from '@@/js/config.js'; import { computeMergedCw } from '@@/js/compute-merged-cw.js'; import type { OpenOnRemoteOptions } from '@/utility/please-login.js'; import type { Paging } from '@/components/MkPagination.vue'; 
@@ -375,7 +375,7 @@ let renoting = false; const pleaseLoginContext = computed(() => ({ type: 'lookup', - url: appearNote.value.url ?? appearNote.value.uri ?? `https://${host}/notes/${appearNote.value.id}`, + url: appearNote.value.url ?? appearNote.value.uri ?? `${config.url}/notes/${appearNote.value.id}`, })); const keymap = { diff --git a/packages/frontend/src/components/MkNoteSub.vue b/packages/frontend/src/components/MkNoteSub.vue index eb72939bf1..b6a18ccab6 100644 --- a/packages/frontend/src/components/MkNoteSub.vue +++ b/packages/frontend/src/components/MkNoteSub.vue @@ -81,7 +81,7 @@ SPDX-License-Identifier: AGPL-3.0-only import { computed, ref, shallowRef, watch } from 'vue'; import * as Misskey from 'misskey-js'; import { computeMergedCw } from '@@/js/compute-merged-cw.js'; -import { host } from '@@/js/config.js'; +import * as config from '@@/js/config.js'; import type { Visibility } from '@/utility/boost-quote.js'; import type { OpenOnRemoteOptions } from '@/utility/please-login.js'; import MkNoteHeader from '@/components/MkNoteHeader.vue'; @@ -150,7 +150,7 @@ const isRenote = ( const pleaseLoginContext = computed(() => ({ type: 'lookup', - url: appearNote.value.url ?? appearNote.value.uri ?? `https://${host}/notes/${appearNote.value.id}`, + url: appearNote.value.url ?? appearNote.value.uri ?? `${config.url}/notes/${appearNote.value.id}`, })); async function addReplyTo(replyNote: Misskey.entities.Note) { diff --git a/packages/frontend/src/components/MkPoll.vue b/packages/frontend/src/components/MkPoll.vue index 07febacc36..72f3ced088 100644 --- a/packages/frontend/src/components/MkPoll.vue +++ b/packages/frontend/src/components/MkPoll.vue @@ -33,7 +33,7 @@ SPDX-License-Identifier: AGPL-3.0-only