fix(backend): happy-domで外部HTMLをパースする際に関連リソースが読み込まれる問題を修正 (#14521)

* bump happy-dom, disable all JS&c when parsing

version 10 didn't quite support disabling all of that

I have tested that `MfmService` (the other code that uses `happy-dom`)
still works fine: the RSS feed for a user is generated correctly, with
HTML rendered from MFM

(cherry picked from commit 26e0412fbb)

* Update Changelog

* lint

* fix possible memory leak

---------

Co-authored-by: dakkar <dakkar@thenautilus.net>
This commit is contained in:
かっこかり 2024-09-15 12:30:27 +09:00 committed by GitHub
parent e0f54d6a68
commit be0906a6c7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 47 additions and 10 deletions

View File

@ -13,6 +13,8 @@
### Server ### Server
- Fix: ファイルがサイズの制限を超えてアップロードされた際にエラーを返さなかった問題を修正 - Fix: ファイルがサイズの制限を超えてアップロードされた際にエラーを返さなかった問題を修正
- Fix: 外部ページを解析する際に、ページに紐づけられた関連リソースも読み込まれてしまう問題を修正
(Cherry-picked from https://activitypub.software/TransFem-org/Sharkey/-/commit/26e0412fbb91447c37e8fb06ffb0487346063bb8)
## 2024.8.0 ## 2024.8.0

View File

@ -119,7 +119,7 @@
"fluent-ffmpeg": "2.1.3", "fluent-ffmpeg": "2.1.3",
"form-data": "4.0.0", "form-data": "4.0.0",
"got": "14.4.2", "got": "14.4.2",
"happy-dom": "10.0.3", "happy-dom": "15.6.1",
"hpagent": "1.2.0", "hpagent": "1.2.0",
"htmlescape": "1.1.1", "htmlescape": "1.1.1",
"http-link-header": "1.1.3", "http-link-header": "1.1.3",

View File

@ -207,8 +207,28 @@ export class ApRequestService {
if ((contentType ?? '').split(';')[0].trimEnd().toLowerCase() === 'text/html' && _followAlternate === true) { if ((contentType ?? '').split(';')[0].trimEnd().toLowerCase() === 'text/html' && _followAlternate === true) {
const html = await res.text(); const html = await res.text();
const window = new Window(); const window = new Window({
settings: {
disableJavaScriptEvaluation: true,
disableJavaScriptFileLoading: true,
disableCSSFileLoading: true,
disableComputedStyleRendering: true,
handleDisabledFileLoadingAsSuccess: true,
navigation: {
disableMainFrameNavigation: true,
disableChildFrameNavigation: true,
disableChildPageNavigation: true,
disableFallbackToSetURL: true,
},
timer: {
maxTimeout: 0,
maxIntervalTime: 0,
maxIntervalIterations: 0,
},
},
});
const document = window.document; const document = window.document;
try {
document.documentElement.innerHTML = html; document.documentElement.innerHTML = html;
const alternate = document.querySelector('head > link[rel="alternate"][type="application/activity+json"]'); const alternate = document.querySelector('head > link[rel="alternate"][type="application/activity+json"]');
@ -218,6 +238,11 @@ export class ApRequestService {
return await this.signedGet(href, user, false); return await this.signedGet(href, user, false);
} }
} }
} catch (e) {
// something went wrong parsing the HTML, ignore the whole thing
} finally {
window.close();
}
} }
//#endregion //#endregion

View File

@ -246,8 +246,8 @@ importers:
specifier: 14.4.2 specifier: 14.4.2
version: 14.4.2 version: 14.4.2
happy-dom: happy-dom:
specifier: 10.0.3 specifier: 15.6.1
version: 10.0.3 version: 15.6.1
hpagent: hpagent:
specifier: 1.2.0 specifier: 1.2.0
version: 1.2.0 version: 1.2.0
@ -7782,6 +7782,10 @@ packages:
happy-dom@10.0.3: happy-dom@10.0.3:
resolution: {integrity: sha512-WkCP+Z5fX6U5PY+yHP3ElV5D9PoxRAHRWPFq3pG9rg/6Hjf5ak7dozAgSCywsTRUq2qfa8vV8OQvUy5pRXy8EQ==} resolution: {integrity: sha512-WkCP+Z5fX6U5PY+yHP3ElV5D9PoxRAHRWPFq3pG9rg/6Hjf5ak7dozAgSCywsTRUq2qfa8vV8OQvUy5pRXy8EQ==}
happy-dom@15.6.1:
resolution: {integrity: sha512-dsMHLsJHZYhXeExP47B2siAfKNVxptlwFss3/bq/9sG3iBt0P2WYFBq68JgMR5vB5gsN2Ev0feTTPD/+rosUNQ==}
engines: {node: '>=18.0.0'}
har-schema@2.0.0: har-schema@2.0.0:
resolution: {integrity: sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==} resolution: {integrity: sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==}
engines: {node: '>=4'} engines: {node: '>=4'}
@ -20289,6 +20293,12 @@ snapshots:
whatwg-encoding: 2.0.0 whatwg-encoding: 2.0.0
whatwg-mimetype: 3.0.0 whatwg-mimetype: 3.0.0
happy-dom@15.6.1:
dependencies:
entities: 4.5.0
webidl-conversions: 7.0.0
whatwg-mimetype: 3.0.0
har-schema@2.0.0: {} har-schema@2.0.0: {}
har-validator@5.1.5: har-validator@5.1.5: