From a6e257f502296495cf2c1bdc7565e9ce34848506 Mon Sep 17 00:00:00 2001
From: Amelia Yukii
Date: Thu, 1 Feb 2024 15:06:21 +0000
Subject: [PATCH] Merge branch 'feture/code-injection-fix' into 'develop'

CVE: Fixed code injection from twitter import

See merge request TransFem-org/Sharkey!390

(cherry picked from commit 127f8556d409a1082f0050a7ebf57ba846263f6f)

2a8e93e4 Fixed code injection from twitter import
---
 .../processors/ImportNotesProcessorService.ts | 42 +++++++++++--------
 1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/packages/backend/src/queue/processors/ImportNotesProcessorService.ts b/packages/backend/src/queue/processors/ImportNotesProcessorService.ts
index 03a0e951b3..d64a861b03 100644
--- a/packages/backend/src/queue/processors/ImportNotesProcessorService.ts
+++ b/packages/backend/src/queue/processors/ImportNotesProcessorService.ts
@@ -130,6 +130,17 @@ export class ImportNotesProcessorService {
 return typeof obj[Symbol.iterator] === 'function';
 }
 
+ private parseTwitterFile(str : string) : null | [{ tweet: any }] {
+ const removed = str.replace(new RegExp('window\\.YTD\\.tweets\\.part0 = ', 'g'), '');
+
+ try {
+ return JSON.parse(removed);
+ } catch (error) {
+ //The format is not what we expected. Either this file was tampered with or twitters exports changed
+ return null;
+ }
+ }
+
 @bindThis
 public async process(job: Bull.Job): Promise {
 this.logger.info(`Starting note import of ${job.data.user.id} ...`);
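Review bot: `parseTwitterFile` returns whatever `JSON.parse` yields, so a user-supplied archive whose `tweets.js` holds valid JSON of another shape (an object, a string, entries without `tweet`) is handed on as if it were a tweet list; the consumer in the second hunk then dereferences `unprocessedTweetJson[i].tweet` and either throws or passes `undefined` into `recreateChain`. The parsed value should be checked with `Array.isArray` plus a per-entry `tweet` check before it is returned, with `null` for anything else, as sketched below. The declared return type `[{ tweet: any }]` is a one-element tuple, where `{ tweet: any }[]` is presumably what is meant. The `'g'` flag also strips the prefix wherever it occurs, including inside tweet text, so the pattern is better anchored at the start of the file.

```typescript
private parseTwitterFile(str : string) : null | { tweet: any }[] {
	// Strip only the leading assignment; a global replace would also edit tweet text.
	const removed = str.replace(/^window\.YTD\.tweets\.part0 = /, '');

	try {
		const parsed: unknown = JSON.parse(removed);
		// The archive is user-supplied: accept only an array of { tweet: object } entries.
		if (!Array.isArray(parsed)) return null;
		const wellFormed = parsed.every(entry => typeof entry?.tweet === 'object' && entry.tweet !== null);
		return wellFormed ? parsed : null;
	} catch (error) {
		// … unchanged: return null when the content is not valid JSON …
	}
}
```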
@@ -175,23 +186,20 @@ export class ImportNotesProcessorService {
 try {
 this.logger.succ(`Unzipping to ${outputPath}`);
 ZipReader.withDestinationPath(outputPath).viaBuffer(await fs.promises.readFile(destPath));
- const fakeWindow: any = {
- window: {
- YTD: {
- tweets: {
- part0: {},
- },
- },
- },
- };
- const script = new vm.Script(fs.readFileSync(outputPath + '/data/tweets.js', 'utf-8'));
- const context = vm.createContext(fakeWindow);
- script.runInContext(context);
- const tweets = Object.keys(fakeWindow.window.YTD.tweets.part0).reduce((m, key, i, obj) => {
- return m.concat(fakeWindow.window.YTD.tweets.part0[key].tweet);
- }, []);
- const processedTweets = await this.recreateChain(['id_str'], ['in_reply_to_status_id_str'], tweets, false);
- this.queueService.createImportTweetsToDbJob(job.data.user, processedTweets, null);
+
+ const unprocessedTweetJson = this.parseTwitterFile(fs.readFileSync(outputPath + '/data/tweets.js', 'utf-8'));
+
+ //Make sure that it isnt null (because if something went wrong in parseTwitterFile it returns null)
+ if (unprocessedTweetJson) {
+ const tweets = Object.keys(unprocessedTweetJson).reduce((m, key, i, obj) => {
+ return m.concat(unprocessedTweetJson[i].tweet);
+ }, []);
+
+ const processedTweets = await this.recreateChain(['id_str'], ['in_reply_to_status_id_str'], tweets, false);
+ this.queueService.createImportTweetsToDbJob(job.data.user, processedTweets, null);
+ } else {
+ this.logger.warn('Failed to import twitter notes due to malformed file');
+ }
 } finally {
 cleanup();
 }
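Review bot: The `else` branch logs a fixed string with no user id, so a rejected and possibly tampered archive cannot be tied to an account during triage; ``this.logger.warn(`Failed to import twitter notes of ${job.data.user.id} due to malformed file`);`` would match the info line at the top of `process`. The `reduce` callback ignores `key` and `obj` and indexes by position; assuming each `tweet` is a plain object, `unprocessedTweetJson.map(entry => entry.tweet)` says the same thing more directly. If nothing else in the file uses `vm` after this change, the import should be dropped as well so script evaluation is not reintroduced by accident; the import block and the rest of `process` are outside the hunk.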