updating from dev

2026-05-04 04:24:18 +02:00
parent 46afca976d
commit 2f1e42343b
76 changed files with 5554 additions and 2527 deletions


@@ -11,7 +11,7 @@ import cfg from "../config.mjs";
import security from "../security.mjs";
import crypto from "crypto";
import path from "path";
import { getManualApproval, setManualApproval, getMinTags, setMinTags, getRegistrationOpen, setRegistrationOpen, getTrustedUploads, setTrustedUploads } from "../settings.mjs";
import { getManualApproval, setManualApproval, getMinTags, setMinTags, getRegistrationOpen, setRegistrationOpen, getTrustedUploads, setTrustedUploads, getEnablePdf, setEnablePdf } from "../settings.mjs";
export default (router, tpl) => {
router.get(/^\/login(\/)?$/, async (req, res) => {
@@ -84,9 +84,10 @@ export default (router, tpl) => {
const stamp = ~~(Date.now() / 1e3);
// F-015: Clean up stale non-KMSI sessions unused for 7 days (on login)
await db`
delete from user_sessions
where last_action <= ${(Date.now() - 6048e5)}
where last_used <= ${stamp - 604800}
and kmsi = 0
`;
@@ -578,7 +579,7 @@ export default (router, tpl) => {
router.post(/^\/admin\/settings\/?$/, lib.auth, async (req, res) => {
const manual_approval = req.post.manual_approval === 'on' ? 'true' : 'false';
const registration_open = req.post.registration_open === 'on' ? 'true' : 'false';
const min_tags = parseInt(req.post.min_tags) || 3;
const min_tags = isNaN(parseInt(req.post.min_tags)) ? 3 : Math.max(0, parseInt(req.post.min_tags));
const trusted_uploads = Math.max(0, parseInt(req.post.trusted_uploads) ?? 3);
await db`INSERT INTO site_settings (key, value) VALUES ('manual_approval', ${manual_approval}) ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value`;
@@ -622,7 +623,7 @@ const page = Math.max(1, parseInt(req.url.qs?.page) || 1);
WITH filtered_users AS (
SELECT
u.id, u.login, u.user, u.email, u.created_at, u.banned, u.is_moderator, u.admin, u.activated,
uo.avatar_file, uo.display_name,
uo.avatar_file, uo.display_name, uo.force_comment_display_mode, uo.comment_display_mode,
(SELECT token FROM invite_tokens WHERE used_by = u.id ORDER BY created_at DESC LIMIT 1) as reg_method
FROM "user" u
LEFT JOIN user_options uo ON uo.user_id = u.id
@@ -632,7 +633,7 @@ const page = Math.max(1, parseInt(req.url.qs?.page) || 1);
SELECT
NULL::int as id, i.username as login, i.username as "user", 'Legacy Account' as email,
to_timestamp(MIN(i.stamp)) as created_at, false as banned, false as is_moderator, false as admin, true as activated,
NULL::text as avatar_file, NULL::varchar as display_name, 'Legacy' as reg_method
NULL::text as avatar_file, NULL::varchar as display_name, 0 as force_comment_display_mode, 0 as comment_display_mode, 'Legacy' as reg_method
FROM items i
WHERE NOT EXISTS (SELECT 1 FROM "user" u WHERE u.login = i.username OR u.user = i.username)
${q ? db`AND (i.username ILIKE ${'%' + lib.escapeLike(q) + '%'})` : db``}
@@ -761,6 +762,40 @@ const page = Math.max(1, parseInt(req.url.qs?.page) || 1);
}
});
router.post(/^\/api\/v2\/admin\/users\/lock-layout\/?$/, lib.auth, async (req, res) => {
try {
const { user_id, mode, lock } = req.post;
if (!user_id) throw new Error('Missing user_id');
const isLocked = lock === true || lock === 'true' || lock === 1;
const targetMode = parseInt(mode, 10);
const updateData = { force_comment_display_mode: isLocked ? 1 : 0 };
if (!isNaN(targetMode)) updateData.comment_display_mode = targetMode;
const result = await db`
UPDATE user_options
SET ${db(updateData)}
WHERE user_id = ${+user_id}
RETURNING user_id
`;
if (!result.length) throw new Error('User options not found');
// Log it in audit
await audit.log(req.session.id, isLocked ? 'lock_user_layout' : 'unlock_user_layout', 'user', +user_id, { mode: targetMode });
return res.writeHead(200, { 'Content-Type': 'application/json' }).end(JSON.stringify({
success: true,
msg: 'User layout ' + (isLocked ? 'locked' : 'unlocked') + '.',
force_comment_display_mode: isLocked ? 1 : 0,
comment_display_mode: targetMode
}));
} catch (err) {
return res.writeHead(200, { 'Content-Type': 'application/json' }).end(JSON.stringify({ success: false, msg: err.message }));
}
});
router.post(/^\/api\/v2\/admin\/users\/delete\/?$/, lib.auth, async (req, res) => {
try {
const { user_id } = req.post;
@@ -815,8 +850,11 @@ const page = Math.max(1, parseInt(req.url.qs?.page) || 1);
ghostSlugs.add(finalSlug);
if (hall.custom_image) {
const oldPath = path.join(CUSTOM_DIR, `u_${targetId}_${hall.slug}.webp`);
const newPath = path.join(CUSTOM_DIR, `u_${ghostId}_${finalSlug}.webp`);
// F-004 Security: Sanitize slugs before constructing file paths
const safeSlug = path.basename(hall.slug);
const safeFinalSlug = path.basename(finalSlug);
const oldPath = path.join(CUSTOM_DIR, `u_${targetId}_${safeSlug}.webp`);
const newPath = path.join(CUSTOM_DIR, `u_${ghostId}_${safeFinalSlug}.webp`);
try {
await fs.rename(oldPath, newPath);
} catch (e) {
@@ -1192,5 +1230,16 @@ const page = Math.max(1, parseInt(req.url.qs?.page) || 1);
});
});
// Chat Manager
router.get(/^\/admin\/chat\/?$/, lib.auth, async (req, res) => {
res.reply({
body: tpl.render('admin/chat', {
session: req.session,
totals: await lib.countf0cks(),
tmp: null
}, req)
});
});
return router;
};
}
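Review bot: The new lock-layout handler accepts any integer for `mode` (the `targetMode = parseInt(mode, 10)` line) while the user-facing `/comment_display_mode` endpoint added in this same commit only accepts 0 or 1, so an admin can persist a `comment_display_mode` value the rest of the code never expects; add `if (!isNaN(targetMode) && targetMode !== 0 && targetMode !== 1) throw new Error('Invalid mode');` before `updateData` is built. The catch block also returns `err.message` to the client, which the rest of this commit replaces with fixed strings elsewhere; `console.error('[ADMIN] lock-layout error:', err);` plus `msg: 'Failed to update user layout'` would match that direction. The `trusted_uploads` line just below the reworked `min_tags` parse still yields `NaN` for an absent value, because `parseInt(...) ?? 3` never falls back, so the same `isNaN` guard applies there. The `/admin/settings` handler and the users-list query continue outside the hunks.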


@@ -28,7 +28,7 @@ export default (router, tpl) => {
contextUrl = contextUrl.replace(new RegExp(`/${req.params.itemid}$`), `/${query.mime}/${req.params.itemid}`);
}
console.log(`[${new Date().toISOString()}] [AJAX] Starting item load for ${req.params.itemid}`);
if (cfg.main.development) console.log(`[${new Date().toISOString()}] [AJAX] Starting item load for ${req.params.itemid}`);
const isRandom = query.random === '1' || req.cookies.random_mode === '1';
@@ -145,7 +145,7 @@ export default (router, tpl) => {
const paginationHtml = tpl.render('snippets/pagination', data, req);
const tAjaxRender = Date.now();
console.log(`[${new Date().toISOString()}] [AJAX] Complete request for ${req.params.itemid} in ${tAjaxRender - tAjaxStart}ms
if (cfg.main.development) console.log(`[${new Date().toISOString()}] [AJAX] Complete request for ${req.params.itemid} in ${tAjaxRender - tAjaxStart}ms
- getf0ck: ${tAjaxFetch - tAjaxStart}ms
- Comments/Sub: ${tAjaxAux - tAjaxFetch}ms
- Render: ${tAjaxRender - tAjaxAux}ms`);


@@ -11,8 +11,17 @@ import { parseMultipart, collectBody } from '../../multipart.mjs';
const allowedMimes = ["audio", "image", "video", "%"];
const globalfilter = cfg.nsfp?.length ? cfg.nsfp.map(n => `tag_id = ${n}`).join(' or ') : null;
const metaCache = new Map();
const MAX_META_CACHE = 2000;
export default router => {
// Ensure cache table exists
db`CREATE TABLE IF NOT EXISTS meta_cache (
url TEXT PRIMARY KEY,
data JSONB,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
)`.catch(err => console.error('[META-CACHE] Table creation failed:', err));
router.group(/^\/api\/v2/, group => {
const ytRegex = /(?:youtube\.com\/\S*(?:(?:\/e(?:mbed))?\/|watch\/?\?(?:\S*?&?v\=))|youtu\.be\/)([a-zA-Z0-9_-]{6,11})/i;
@@ -282,6 +291,8 @@ export default router => {
}
});
// F-002 Security: Require authentication to prevent SSRF via arbitrary URL fetching.
// Guests use cached entries from DB (populated by authenticated user requests).
group.get(/\/meta\/fetch$/, lib.loggedin, async (req, res) => {
if (!cfg.websrv.web_meta_extraction) {
return res.json({ success: false, msg: 'Metadata extraction is disabled' }, 403);
@@ -290,6 +301,38 @@ export default router => {
const url = req.url.qs.url;
if (!url) return res.json({ success: false, msg: 'URL required' }, 400);
if (metaCache.has(url)) {
return res.json({ success: true, meta: metaCache.get(url) });
}
// Check DB cache for persistence across restarts
try {
const cached = await db`SELECT data FROM meta_cache WHERE url = ${url} LIMIT 1`;
if (cached.length > 0) {
const meta = cached[0].data;
metaCache.set(url, meta); // update in-memory cache
return res.json({ success: true, meta });
}
} catch (err) {
console.error('[META-CACHE] DB lookup failed:', err);
}
const setCache = async (u, m) => {
if (!m || !m.title) return;
metaCache.set(u, m);
if (metaCache.size > MAX_META_CACHE) {
const first = metaCache.keys().next().value;
metaCache.delete(first);
}
// Persist to DB
try {
await db`INSERT INTO meta_cache (url, data) VALUES (${u}, ${m})
ON CONFLICT (url) DO UPDATE SET data = EXCLUDED.data, created_at = CURRENT_TIMESTAMP`;
} catch (err) {
console.error('[META-CACHE] DB save failed:', err);
}
};
if (/\.(mp4|webm|mp3|ogg|opus|flac|m4a|mkv|jpg|jpeg|png|gif|webp|swf)$/i.test(url)) {
return res.json({ success: false, msg: 'Metadata extraction skipped for direct media URLs' }, 400);
}
@@ -314,13 +357,15 @@ export default router => {
if (oembedOut && oembedOut.trim()) {
const data = JSON.parse(oembedOut);
if (data.title) {
const meta = {
title: data.title,
site_name: 'youtube.com',
author: data.author_name || 'Unknown'
};
await setCache(url, meta);
return res.json({
success: true,
meta: {
title: data.title,
site_name: 'youtube.com',
author: data.author_name || 'Unknown'
}
meta
});
}
}
@@ -354,13 +399,15 @@ export default router => {
}
if (title) {
const meta = {
title: title,
site_name: lines[2] ? lines[2].trim() : 'Media Site',
author: lines[1] ? lines[1].trim() : 'Unknown'
};
await setCache(url, meta);
return res.json({
success: true,
meta: {
title: title,
site_name: lines[2] ? lines[2].trim() : 'Media Site',
author: lines[1] ? lines[1].trim() : 'Unknown'
}
meta
});
}
} catch (err) {
@@ -402,6 +449,7 @@ export default router => {
return res.json({ success: false, msg: 'Reddit bot protection encountered' }, 403);
}
await setCache(url, meta);
return res.json({ success: true, meta });
}
} catch (err) {
@@ -663,7 +711,7 @@ export default router => {
reply.success = true;
reply.suggestions = search(q, searchString);
} catch (err) {
reply.error = err.msg;
reply.error = 'Tag suggestion error';
}
return res.json(reply);
@@ -688,7 +736,7 @@ export default router => {
`;
return res.json({ success: true, suggestions: users });
} catch (err) {
return res.json({ success: false, error: err.message, suggestions: [] });
return res.json({ success: false, error: 'User suggestion error', suggestions: [] });
}
});
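Review bot: The `meta_cache` table created at the top of the router never expires rows: `created_at` is written but nothing reads it, and unlike the in-memory map capped by `MAX_META_CACHE`, the persistent cache grows by one row per distinct URL any logged-in user submits. Bound the lookup, e.g. `WHERE url = ${url} AND created_at > NOW() - INTERVAL '30 days'`, and delete older rows periodically. The comment above the route, `Guests use cached entries from DB (populated by authenticated user requests)`, no longer matches the code, since `lib.loggedin` now rejects guests before the cache is consulted; unless another route serves guests, reword it to `// Cache persists across restarts; only authenticated users can trigger a fetch`. The `/meta/fetch` handler continues outside the hunks.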


@@ -1,6 +1,8 @@
import db from '../../sql.mjs';
import lib from '../../lib.mjs';
import cfg from '../../config.mjs';
import fs from 'fs/promises';
import path from 'path';
// Note: Avatar upload/delete is handled by middleware in index.mjs via avatar_handler.mjs
// These routes remain for other settings API endpoints
@@ -443,6 +445,20 @@ export default router => {
group.put(/\/font/, lib.loggedin, async (req, res) => {
const { font } = req.post;
// F-023 Security: Validate font against actual files on disk
// The font value is rendered into CSS url() in header.html, so it must be a real filename
if (font) {
const fontsDir = path.join(path.resolve(), 'public/s/fonts');
try {
const available = (await fs.readdir(fontsDir)).filter(f => /\.(ttf|otf|woff2?)$/i.test(f));
if (!available.includes(font)) {
return res.json({ success: false, msg: 'Invalid font selection' }, 400);
}
} catch {
return res.json({ success: false, msg: 'Font directory unavailable' }, 500);
}
}
try {
await db`
update user_options
@@ -517,23 +533,25 @@ export default router => {
// Update Ruffle (Flash) preferences
group.put(/\/ruffle/, lib.loggedin, async (req, res) => {
const ruffle_volume = parseFloat(req.post.ruffle_volume);
const ruffle_background = req.post.ruffle_background === 'true' || req.post.ruffle_background === true;
const ruffle_volume = req.post.ruffle_volume !== undefined ? parseFloat(req.post.ruffle_volume) : undefined;
if (isNaN(ruffle_volume) || ruffle_volume < 0 || ruffle_volume > 1) {
if (ruffle_volume !== undefined && (isNaN(ruffle_volume) || ruffle_volume < 0 || ruffle_volume > 1)) {
return res.json({ success: false, msg: 'Invalid volume: must be 0-1' }, 400);
}
try {
const updateData = { ruffle_background };
if (ruffle_volume !== undefined) updateData.ruffle_volume = ruffle_volume;
await db`
update user_options
set ruffle_volume = ${ruffle_volume},
ruffle_background = ${ruffle_background}
set ${db(updateData)}
where user_id = ${+req.session.id}
`;
if (req.session) {
req.session.ruffle_volume = ruffle_volume;
req.session.ruffle_background = ruffle_background;
if (ruffle_volume !== undefined) req.session.ruffle_volume = ruffle_volume;
}
return res.json({ success: true, ruffle_volume, ruffle_background }, 200);
} catch (e) {
@@ -639,6 +657,62 @@ export default router => {
}
});
// Update comment display mode preference
group.put(/\/comment_display_mode/, lib.loggedin, async (req, res) => {
const mode = parseInt(req.post.mode, 10);
if (isNaN(mode) || (mode !== 0 && mode !== 1)) {
return res.json({ success: false, msg: 'Invalid mode' }, 400);
}
// Check if mode is forced
const forced = (await db`select force_comment_display_mode from user_options where user_id = ${+req.session.id}`)[0]?.force_comment_display_mode;
if (forced) {
return res.json({ success: false, msg: 'Comment layout is locked for your account.' }, 403);
}
try {
await db`
update user_options
set comment_display_mode = ${mode}
where user_id = ${+req.session.id}
`;
if (req.session) req.session.comment_display_mode = mode;
return res.json({ success: true, mode }, 200);
} catch (e) {
console.error('Update comment_display_mode error:', e);
return res.json({ success: false, msg: 'Error updating preference' }, 500);
}
});
// Update notification preferences (Consolidated Endpoint)
group.post('/notifications', lib.loggedin, async (req, res) => {
const { key, value } = req.post;
const allowedKeys = ['receive_system_notifications', 'receive_user_notifications', 'do_not_disturb'];
if (!allowedKeys.includes(key)) {
return res.json({ success: false, msg: 'Invalid preference key' }, 400);
}
const boolValue = value === true || value === 'true';
try {
await db`
update user_options
set ${db({ [key]: boolValue }, key)}
where user_id = ${+req.session.id}
`;
if (req.session) req.session[key] = boolValue;
await db`SELECT pg_notify('profile_update', ${JSON.stringify({ user_id: req.session.id, [key]: boolValue })})`;
return res.json({ success: true, [key]: boolValue }, 200);
} catch (e) {
console.error(`Update notification preference (${key}) error:`, e);
return res.json({ success: false, msg: 'Error updating preference' }, 500);
}
});
return group;
});
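Review bot: In the new `/comment_display_mode` handler the `force_comment_display_mode` lookup runs outside the `try`, so a database error there escapes the handler instead of producing the JSON 500 the block below returns; move that line inside the `try`. The lock check and the update are also two separate statements, so a lock applied between them is not enforced for that request; adding `and coalesce(force_comment_display_mode, 0) = 0` to the update's `where` clause and treating a zero-row update as the 403 case makes the check atomic. The `group.post('/notifications', ...)` route uses a string path while every other route in this file uses a regex literal; if the router treats strings differently, this is worth confirming.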


@@ -79,7 +79,7 @@ export default router => {
const isDuplicate = err.code === '23505' || err.constraint?.includes('tags_assign');
return res.json({
success: false,
msg: isDuplicate ? 'Tag already exists' : err.message,
msg: isDuplicate ? 'Tag already exists' : 'Failed to add tag',
tags: await lib.getTags(postid)
});
}
@@ -124,7 +124,7 @@ export default router => {
return res.json({ success: true, rating_tag_id: nextTagId, rating_label: label, rating_class: cls });
} catch (err) {
return res.json({ success: false, msg: err.message });
return res.json({ success: false, msg: 'Failed to update rating' });
}
});
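Review bot: Both hunks swap `err.message` in the response for a fixed string but add no server-side log, so the underlying failure (constraint name, SQL error) is now lost entirely; the second hunk in particular previously surfaced the only diagnostic there was. Add `console.error('[TAGS] add tag error:', err);` in the first catch and `console.error('[TAGS] rating update error:', err);` in the second. The `isDuplicate` branch is unaffected. Both handlers continue outside the hunks.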


@@ -54,14 +54,13 @@ import { getManualApproval, getMinTags, getBypassDuplicateCheck } from "../../se
// Collect request body as buffer with debug logging
const collectBody = (req) => {
return new Promise((resolve, reject) => {
console.log('[UPLOAD DEBUG] collectBody started');
if (cfg.main.development) console.log('[UPLOAD DEBUG] collectBody started');
const chunks = [];
req.on('data', chunk => {
// console.log(`[UPLOAD DEBUG] chunk received: ${chunk.length} bytes`);
chunks.push(chunk);
});
req.on('end', () => {
console.log(`[UPLOAD DEBUG] Stream ended. Total size: ${chunks.reduce((acc, c) => acc + c.length, 0)}`);
if (cfg.main.development) console.log(`[UPLOAD DEBUG] Stream ended. Total size: ${chunks.reduce((acc, c) => acc + c.length, 0)}`);
resolve(Buffer.concat(chunks));
});
req.on('error', err => {
@@ -71,7 +70,7 @@ const collectBody = (req) => {
// Ensure stream is flowing
if (req.isPaused()) {
console.log('[UPLOAD DEBUG] Stream was paused, resuming...');
if (cfg.main.development) console.log('[UPLOAD DEBUG] Stream was paused, resuming...');
req.resume();
}
});
@@ -230,16 +229,11 @@ export default router => {
// Download YouTube thumbnail as our thumbnail
try {
const thumbUrl = `https://img.youtube.com/vi/${videoId}/hqdefault.jpg`;
const tDir = isApprovalRequired ? path.join(cfg.paths.pending, 't') : cfg.paths.t;
const tmpThumb = path.join(cfg.paths.tmp, `${itemid}_yt.jpg`);
await queue.spawn('wget', ['-q', thumbUrl, '-O', tmpThumb]);
await queue.spawn('magick', [tmpThumb, '-resize', '128x128^', '-gravity', 'center', '-crop', '128x128+0+0', '+repage', path.join(tDir, `${itemid}.webp`)]);
await fs.unlink(tmpThumb).catch(() => {});
await queue.genThumbnail(filename, 'video/youtube', itemid, ytUrl, isApprovalRequired);
} catch (err) {
console.error('[UPLOAD-URL] YouTube thumbnail error:', err);
const tDir = isApprovalRequired ? path.join(cfg.paths.pending, 't') : cfg.paths.t;
await queue.spawn('magick', ['./mugge.png', path.join(tDir, `${itemid}.webp`)]).catch(() => {});
await queue.spawn('magick', ['-size', '128x128', 'xc:#1a1a1a', '-gravity', 'center', '-fill', '#666', '-pointsize', '20', '-annotate', '0', 'YouTube', path.join(tDir, `${itemid}.webp`)]).catch(() => {});
}
// Assign rating tag
@@ -317,8 +311,8 @@ export default router => {
// Priority 2: Extract HTTP codes
const httpCode = msg.match(/HTTP Error (\d+)/i)?.[1]
|| msg.match(/\b(4\d{2}|5\d{2})\b/)?.[1]
|| null;
|| msg.match(/status code (\d{3})/i)?.[1]
|| (msg.match(/\b(4\d{2}|5\d{2})\b/)?.[1] !== '537' ? msg.match(/\b(4\d{2}|5\d{2})\b/)?.[1] : null);
if (httpCode) return `Download/Process failed (HTTP ${httpCode})`;
// Priority 3: Sanitize raw queue.spawn errors
@@ -355,7 +349,7 @@ export default router => {
'-o', path.join(cfg.paths.tmp, `${uuid}.%(ext)s`),
'--print', 'after_move:filepath',
'--merge-output-format', 'mp4'
])).stdout.trim();
])).stdout.trim().split('\n').map(l => l.trim()).filter(l => l.length > 0).pop();
} catch (err) {
console.warn(`[UPLOAD-URL-ASYNC] Stage 1 failed: ${err.message}`);
if (isInstagram) throw new Error(sanitizeError(err));
@@ -367,9 +361,10 @@ export default router => {
'--max-filesize', `${maxfilesize / 1024}k`,
'-o', path.join(cfg.paths.tmp, `${uuid}.%(ext)s`),
'--print', 'after_move:filepath'
])).stdout.trim();
])).stdout.trim().split('\n').map(l => l.trim()).filter(l => l.length > 0).pop();
} catch (err2) {
console.warn(`[UPLOAD-URL-ASYNC] Stage 2 failed: ${err2.message}`);
console.log(`[UPLOAD-URL-ASYNC] Starting Stage 3 (curl) fallback for ${url}`);
const fallbackTmp = path.join(cfg.paths.tmp, `${uuid}.tmp`);
let referer = url;
try {
@@ -380,7 +375,7 @@ export default router => {
} catch (e) {}
const curlArgs = [
'-s', '-f', '-L', url, '-o', fallbackTmp,
'-s', '-S', '-f', '-L', url, '-o', fallbackTmp,
'--max-filesize', `${maxfilesize}`,
'--connect-timeout', '30',
'--max-time', '300',
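Review bot: The rewritten HTTP-code extraction (the `|| (msg.match(...) !== '537' ? ... : null)` line, presumably inside the sanitizeError called from the Stage 1 catch) evaluates the same regex three times and hard-codes `'537'` with no comment saying what that value is, so the next reader cannot tell whether it is a known false positive or a typo; hoist it as `const generic = msg.match(/\b(4\d{2}|5\d{2})\b/)?.[1];` followed by `|| (generic !== '537' ? generic : null)`, and add `// 537 is excluded because …` with the actual reason. The new `status code (\d{3})` alternative also accepts 2xx/3xx values, which then surface as a "Download/Process failed (HTTP 200)" message. The `.split('\n')...pop()` change in the two yt-dlp stages returns `undefined` rather than `''` when stdout is empty, which is worth confirming against the code that consumes the path. The error sanitizer and the async upload handler both extend outside the hunks.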


@@ -84,6 +84,10 @@ export default (router, tpl) => {
if (!req.session) {
return res.reply({ code: 401, body: JSON.stringify({ success: false, msg: 'Login required' }) });
}
// F-007 Security: Block banned users from chatting
if (req.session.banned) {
return res.reply({ code: 403, body: JSON.stringify({ success: false, msg: 'You are banned' }) });
}
const message = (req.post?.message || '').trim();
if (!message || message.length > MAX_MSG_LEN) {
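Review bot: The new ban check reads `req.session.banned`, so it only holds if the session object is refreshed from the `user` table on each request; if the session is populated at login, a user banned afterwards keeps chatting until their session is rebuilt. If that is how sessions work here, the check should read the current `banned` flag (the `u.banned` column is selected elsewhere in this commit) or the ban path should invalidate the user's sessions. A short comment such as `// relies on req.session.banned being current for this request` would make the assumption visible either way. The chat POST handler continues outside the hunk.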


@@ -61,6 +61,43 @@ export default (router, tpl) => {
}
});
// Get a single comment by ID
router.get(/\/api\/comment\/(?<id>\d+)/, async (req, res) => {
const id = req.params.id;
// Require login unless comments are public
if (!req.session && cfg.main.hide_comments_from_public) {
return res.reply({
code: 401,
headers: { 'Content-Type': 'application/json; charset=utf-8' },
body: JSON.stringify({ success: false, message: "Unauthorized" })
});
}
try {
const comment = await f0cklib.getComment(id);
if (!comment) {
return res.reply({
code: 404,
headers: { 'Content-Type': 'application/json; charset=utf-8' },
body: JSON.stringify({ success: false, message: "Comment not found" })
});
}
return res.reply({
headers: { 'Content-Type': 'application/json; charset=utf-8' },
body: JSON.stringify({ success: true, comment })
});
} catch (err) {
console.error(err);
return res.reply({
code: 500,
headers: { 'Content-Type': 'application/json; charset=utf-8' },
body: JSON.stringify({ success: false, message: "Database error" })
});
}
});
// Browse User Comments
router.get(/\/user\/(?<user>[^\/]+)\/comments/, async (req, res) => {
const user = decodeURIComponent(req.params.user);
@@ -207,7 +244,7 @@ export default (router, tpl) => {
}
}
console.log("DEBUG: POST /api/comments");
if (cfg.main.development) console.log("DEBUG: POST /api/comments");
// Use standard framework parsing
const body = req.post || {};
@@ -218,7 +255,7 @@ export default (router, tpl) => {
? parseFloat(body.video_time)
: null;
console.log("DEBUG: Posting comment:", { item_id, parent_id, content: content?.substring(0, 20) });
if (cfg.main.development) console.log("DEBUG: Posting comment:", { item_id, parent_id, content: content?.substring(0, 20) });
if (!content || !content.trim()) {
return res.reply({ body: JSON.stringify({ success: false, message: "Empty comment" }) });
@@ -444,7 +481,7 @@ export default (router, tpl) => {
router.post(/\/api\/comments\/(?<id>\d+)\/delete/, async (req, res) => {
if (!req.session) return res.reply({ code: 401, body: JSON.stringify({ success: false }) });
const commentId = req.params.id;
console.log(`[DEBUG] Attempting to delete comment ${commentId} by user ${req.session.id} (mod: ${req.session.is_moderator})`);
if (cfg.main.development) console.log(`[DEBUG] Attempting to delete comment ${commentId} by user ${req.session.id} (mod: ${req.session.is_moderator})`);
try {
const comment = await db`SELECT content, item_id, user_id FROM comments WHERE id = ${commentId}`;
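Review bot: The new `/api/comment/:id` endpoint returns whatever `f0cklib.getComment(id)` yields without checking a deleted flag; the `comments` table has an `is_deleted` column (the `comment_count` subquery in the scroller route filters on it), so unless `getComment` filters it, soft-deleted comments stay readable by ID after deletion. Either confirm the helper excludes them or replace `if (!comment) {` with `if (!comment || comment.is_deleted) {`. The route regex is unanchored like its neighbours, so it also matches longer paths containing `/api/comment/<digits>`; that is consistent with the file but worth knowing. The `id` reaches the helper as a string, which the `\d+` capture at least constrains to digits.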


@@ -32,6 +32,11 @@ export default (router, tpl) => {
if (!req.session || !req.session.admin) {
return res.reply({ code: 403, body: JSON.stringify({ success: false, message: "Forbidden" }) });
}
// F-031 Security: CSRF validation for destructive admin action
const csrfToken = req.headers['x-csrf-token'];
if (!req.session.csrf_token || !csrfToken || csrfToken !== req.session.csrf_token) {
return res.reply({ code: 403, body: JSON.stringify({ success: false, message: "Invalid CSRF token" }) });
}
const id = req.params.id;
try {
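Review bot: The CSRF block added here is duplicated verbatim in the other admin delete route further down this page (the second `F-031` hunk), and a plain `!==` compares the tokens; this belongs in one shared middleware next to `lib.auth` so every state-changing admin route gets it, and the comparison can use `crypto.timingSafeEqual` on equal-length buffers. Whether `req.session.csrf_token` is set for every session and whether the client actually sends `x-csrf-token` on these calls is not visible here and needs confirming, since an unset session token makes the check fail closed. The enclosing delete handler continues outside the hunk.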


@@ -11,6 +11,34 @@ import { getManualApproval, getBypassDuplicateCheck } from "../settings.mjs";
*/
export default (router) => {
// --- F-001 Security: Per-user rate limiter for proxy routes ---
const proxyRateMap = new Map();
const PROXY_RATE_LIMIT = 5000; // max requests per window
const PROXY_RATE_WINDOW = 600000; // 10 minute window
const proxyRateLimit = (req, res) => {
if (!req.session) return true; // loggedin middleware handles auth; this is just a guard
const key = req.session.id;
const now = Date.now();
let entry = proxyRateMap.get(key);
if (!entry || now - entry.start > PROXY_RATE_WINDOW) {
entry = { start: now, count: 0 };
proxyRateMap.set(key, entry);
}
entry.count++;
if (entry.count > PROXY_RATE_LIMIT) {
res.reply({ code: 429, headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ success: false, msg: 'Rate limit exceeded' }) });
return false;
}
return true;
};
// Periodic cleanup to prevent memory leak
setInterval(() => {
const now = Date.now();
for (const [k, v] of proxyRateMap) {
if (now - v.start > PROXY_RATE_WINDOW * 2) proxyRateMap.delete(k);
}
}, PROXY_RATE_WINDOW * 2);
/**
* Helper to fetch data (JSON or Buffer) using curl if a proxy is configured.
* This ensures we respect the SOCKS5 proxy for all external 4chan requests.
@@ -39,7 +67,8 @@ export default (router) => {
// GET /api/v2/scroller/external/4chan/:board/:tid
// Proxies 4chan thread JSON
router.get(/^\/api\/v2\/scroller\/external\/4chan\/(?<board>[a-z0-9]+)\/(?<tid>\d+)\/?$/, async (req, res) => {
router.get(/^\/api\/v2\/scroller\/external\/4chan\/(?<board>[a-z0-9]+)\/(?<tid>\d+)\/?$/, lib.loggedin, async (req, res) => {
if (!proxyRateLimit(req, res)) return;
const { board, tid } = req.params || {};
if (!board || !tid) {
@@ -84,7 +113,7 @@ export default (router) => {
// POST /api/v2/scroller/external/rehost-meta
// Given item IDs, return their metadata (username, avatar, timestamp)
router.post(/^\/api\/v2\/scroller\/external\/rehost-meta\/?$/, async (req, res) => {
router.post(/^\/api\/v2\/scroller\/external\/rehost-meta\/?$/, lib.loggedin, async (req, res) => {
const ids = (req.post?.ids || '').split(',').map(Number).filter(n => n > 0);
if (!ids.length) return res.reply({ headers: { 'Content-Type': 'application/json' }, body: '{}' });
@@ -96,7 +125,8 @@ export default (router) => {
uo.avatar_file, uo.avatar,
(SELECT ta.tag_id FROM tags_assign ta
WHERE ta.item_id = i.id AND ta.tag_id = ANY(${ratingTagIds}::int[])
ORDER BY ta.tag_id LIMIT 1) AS rating_tag_id
ORDER BY ta.tag_id LIMIT 1) AS rating_tag_id,
(SELECT COUNT(*) FROM comments WHERE comments.item_id = i.id AND comments.is_deleted = false) AS comment_count
FROM items i
LEFT JOIN "user" u ON u."user" = i.username
LEFT JOIN user_options uo ON uo.user_id = u.id
@@ -113,7 +143,8 @@ export default (router) => {
avatar: r.avatar_file ? `/a/${r.avatar_file}` : (r.avatar ? `/t/${r.avatar}.webp` : '/a/default.png'),
stamp: r.stamp,
rating_class,
rating_label
rating_label,
comment_count: +r.comment_count || 0
};
});
return res.reply({
@@ -128,7 +159,8 @@ export default (router) => {
// GET /api/v2/scroller/external/4chan/:board/catalog
// Proxies 4chan board catalog JSON
router.get(/^\/api\/v2\/scroller\/external\/4chan\/(?<board>[a-z0-9]+)\/catalog\/?$/, async (req, res) => {
router.get(/^\/api\/v2\/scroller\/external\/4chan\/(?<board>[a-z0-9]+)\/catalog\/?$/, lib.loggedin, async (req, res) => {
if (!proxyRateLimit(req, res)) return;
const { board } = req.params || {};
if (!board) return res.reply({ code: 400, body: JSON.stringify({ success: false }) });
@@ -165,7 +197,8 @@ export default (router) => {
// GET /api/v2/scroller/external/4chan/:board/find/:postno
// Resolves a post number to its parent thread ID
router.get(/^\/api\/v2\/scroller\/external\/4chan\/(?<board>[a-z0-9]+)\/find\/(?<postno>\d+)\/?$/, async (req, res) => {
router.get(/^\/api\/v2\/scroller\/external\/4chan\/(?<board>[a-z0-9]+)\/find\/(?<postno>\d+)\/?$/, lib.loggedin, async (req, res) => {
if (!proxyRateLimit(req, res)) return;
const { board, postno } = req.params || {};
if (!board || !postno) return res.reply({ code: 400, body: JSON.stringify({ success: false }) });
@@ -223,11 +256,25 @@ export default (router) => {
// GET /api/v2/scroller/external/4chan/:board/media/:file
// Proxies 4chan media — streams directly to client for fast playback start
router.get(/^\/api\/v2\/scroller\/external\/4chan\/(?<board>[a-z0-9]+)\/media\/(?<file>[^/]+)$/, async (req, res) => {
const { board, file } = req.params || {};
const url = `https://i.4cdn.org/${board}/${file}`;
// F-001: Allowed file extensions for the media proxy (prevents abuse as generic proxy)
const ALLOWED_MEDIA_EXTS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'webm', 'mp4'];
const ext = file.split('.').pop();
router.get(/^\/api\/v2\/scroller\/external\/4chan\/(?<board>[a-z0-9]+)\/media\/(?<file>[^/]+)$/, lib.loggedin, async (req, res) => {
if (!proxyRateLimit(req, res)) return;
const { board, file } = req.params || {};
// Validate file extension against whitelist
const ext = (file.split('.').pop() || '').toLowerCase();
if (!ALLOWED_MEDIA_EXTS.includes(ext)) {
return res.reply({ code: 400, headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ success: false, msg: 'Disallowed file type' }) });
}
// Validate filename doesn't contain path traversal
if (file.includes('..') || file.includes('/') || file.includes('\\')) {
return res.reply({ code: 400, headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ success: false, msg: 'Invalid filename' }) });
}
const url = `https://i.4cdn.org/${board}/${file}`;
const mimes = {
'jpg': 'image/jpeg', 'jpeg': 'image/jpeg', 'png': 'image/png',
'gif': 'image/gif', 'webp': 'image/webp',
@@ -275,6 +322,13 @@ export default (router) => {
const { url, rating: initialRating, tags: tagsRaw, comment, is_oc } = req.post || {};
if (!url) return res.reply({ code: 400, body: JSON.stringify({ success: false, msg: 'URL is required' }) });
// F-014 Security: Restrict rehost to 4chan media URLs only
const is4chanUrl = /^https?:\/\/(i\.4cdn\.org|boards\.4cdn\.org)\//i.test(url)
|| /\/api\/v2\/scroller\/external\/4chan\/[a-z0-9]+\/media\//i.test(url);
if (!is4chanUrl) {
return res.reply({ code: 400, body: JSON.stringify({ success: false, msg: 'Only 4chan media URLs are supported for rehosting' }) });
}
const board = url.match(/boards\.4cdn\.org\/([a-z0-9]+)\//)?.[1]
|| url.match(/i\.4cdn\.org\/([a-z0-9]+)\//)?.[1]
@@ -327,6 +381,11 @@ export default (router) => {
const repost = await queue.checkrepostsum(checksum);
if (repost) {
await fs.unlink(finalTmp).catch(() => {});
// Auto-subscribe user to the existing item they attempted to rehost
try {
await db`INSERT INTO comment_subscriptions (user_id, item_id) VALUES (${session.id}, ${repost}) ON CONFLICT (user_id, item_id) DO UPDATE SET is_subscribed = true`;
} catch (e) { console.error('[REHOST] Auto-subscribe (repost) error:', e); }
return res.reply({
code: 200,
headers: { 'Content-Type': 'application/json' },
@@ -342,6 +401,11 @@ export default (router) => {
const phashMatch = await queue.checkrepostphash(phash);
if (phashMatch) {
await fs.unlink(finalTmp).catch(() => {});
// Auto-subscribe user to the existing item they attempted to rehost (visual match)
try {
await db`INSERT INTO comment_subscriptions (user_id, item_id) VALUES (${session.id}, ${phashMatch}) ON CONFLICT (user_id, item_id) DO UPDATE SET is_subscribed = true`;
} catch (e) { console.error('[REHOST] Auto-subscribe (phash repost) error:', e); }
return res.reply({
code: 200,
headers: { 'Content-Type': 'application/json' },
@@ -377,6 +441,11 @@ export default (router) => {
RETURNING id
`;
// Automatically subscribe user to the new item
try {
await db`INSERT INTO comment_subscriptions (user_id, item_id) VALUES (${session.id}, ${itemid}) ON CONFLICT (user_id, item_id) DO UPDATE SET is_subscribed = true`;
} catch (e) { console.error('[REHOST] Auto-subscribe (new item) error:', e); }
// Process thumbnail
try {
await queue.genThumbnail(filename, mime, itemid, url, isApprovalRequired);
@@ -458,7 +527,7 @@ export default (router) => {
return res.reply({
code: 500,
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ success: false, msg: err.message })
body: JSON.stringify({ success: false, msg: 'Rehost failed' })
});
}
});
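Review bot: The `is4chanUrl` check in the rehost handler has its second alternation unanchored, so any absolute URL whose path merely contains `/api/v2/scroller/external/4chan/<board>/media/` passes regardless of host; if the later fetch uses `url` as given (not visible here), the allowlist does not restrict the origin as the `F-014` comment claims. Anchor it as a site-relative path: `|| /^\/api\/v2\/scroller\/external\/4chan\/[a-z0-9]+\/media\//i.test(url)`. The `setInterval` in the new rate limiter should also be `.unref()`'d so it cannot keep the process alive on shutdown. The `..`/`/` check in the media-proxy handler is redundant with the `[^/]+` capture but harmless. The rehost handler continues outside the hunks.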


@@ -40,7 +40,7 @@ export default (router, tpl) => {
// Hall Thumbnail Route
router.get(/^\/hall_image\/(?<hallSlug>.+)$/, async (req, res) => {
const hallSlug = decodeURIComponent(req.params.hallSlug);
const hallSlug = path.basename(decodeURIComponent(req.params.hallSlug));
const mode = +(req.url.qs?.m ?? 0);
const CACHE_DIR = path.join(cfg.paths.s, '../hall_cache');
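Review bot: `path.basename` strips directories but returns `'.'` and `'..'` unchanged, so `hallSlug` can still be `..` after this line; whether that matters depends on how it is joined with `CACHE_DIR` below, which is outside the hunk. A stricter guard is cheap: `if (!/^[\w-]+$/.test(hallSlug)) return res.reply({ code: 400, body: 'Invalid hall' });` with the character class matched to whatever the slug generator actually emits. If slugs are produced server-side, documenting that pattern next to the route lets both places stay in sync.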


@@ -241,8 +241,8 @@ export default (router, tpl) => {
data.total = 0;
data.success = true;
if (!data.link) {
if (req.params.hall) data.link = { main: '/h/' + req.params.hall + '/', path: 'p/', suffix: '' };
else if (req.params.tag) data.link = { main: '/tag/' + req.params.tag + '/', path: 'p/', suffix: '' };
if (req.params.hall) data.link = { main: '/h/' + encodeURIComponent(req.params.hall) + '/', path: 'p/', suffix: '' };
else if (req.params.tag) data.link = { main: '/tag/' + encodeURIComponent(req.params.tag) + '/', path: 'p/', suffix: '' };
else data.link = { main: '/', path: 'p/', suffix: '' };
}
data.tmp = data.tmp || {};


@@ -35,6 +35,11 @@ export default (router, tpl) => {
if (!req.session || !req.session.admin) {
return res.reply({ code: 403, body: JSON.stringify({ success: false, message: "Forbidden" }) });
}
// F-031 Security: CSRF validation for destructive admin action
const csrfToken = req.headers['x-csrf-token'];
if (!req.session.csrf_token || !csrfToken || csrfToken !== req.session.csrf_token) {
return res.reply({ code: 403, body: JSON.stringify({ success: false, message: "Invalid CSRF token" }) });
}
const id = req.params.id;
try {
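Review bot: `csrfToken !== req.session.csrf_token` compares the token with a short-circuiting string comparison; for a secret the usual practice is a length check plus `crypto.timingSafeEqual`, which the other checks in this condition make cheap to add. Replace the comparison with `const expected = req.session.csrf_token; const ok = typeof csrfToken === 'string' && typeof expected === 'string' && csrfToken.length === expected.length && crypto.timingSafeEqual(Buffer.from(csrfToken), Buffer.from(expected));` and then `if (!ok) return res.reply({ code: 403, body: JSON.stringify({ success: false, message: "Invalid CSRF token" }) });`. This needs `crypto` in scope in this file, which is not visible here. The route handler begins above the hunk.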


@@ -38,170 +38,8 @@ export default (router, tpl) => {
});
});
// Approval Queue (Ported/Shared from Admin)
// Approval Queue (View only — GET is safe, no state change)
router.get(/^\/mod\/approve\/?/, lib.modAuth, async (req, res) => {
// Quick Approve Action
if (req.url.qs?.id) {
const id = +req.url.qs.id;
const f0ck = await db`
select i.dest, i.mime, i.username, i.id, ta.tag_id
from "items" i
left join tags_assign ta on ta.item_id = i.id and ta.tag_id in (1, 2)
where i.id = ${id} and i.active = false
limit 1
`;
if (f0ck.length === 0) {
return res.reply({ body: `f0ck ${id}: f0ck not found` });
}
// Fetch uploader details for audit log
let uploaderInfo = {};
try {
const uploader = await db`select id, "user" as username from "user" where login = ${f0ck[0].username} or "user" = ${f0ck[0].username} limit 1`;
if (uploader.length > 0) {
uploaderInfo = { uploader_id: uploader[0].id, uploader_name: uploader[0].username };
}
} catch (err) { }
// ACTION: Approve
// We only proceed with side-effects (notifications/webhooks) if the update actually changed active=false to active=true.
// This prevents duplicate webhooks from double-clicks or race conditions.
const result = await db`update "items" set active = true, is_deleted = false where id = ${id} and active = false`;
if (result.count === 1) {
await audit.log(req.session.id, 'approve_item', 'item', id, { filename: f0ck[0].dest, ...uploaderInfo });
// Notify User (WebSocket/Internal)
try {
const uploader = await db`select id from "user" where login = ${f0ck[0].username} or "user" = ${f0ck[0].username} limit 1`;
if (uploader.length > 0) {
await db`
INSERT INTO notifications (user_id, type, reference_id, item_id)
VALUES (${uploader[0].id}, 'approve', 0, ${id})
`;
}
} catch (err) {
console.error('[MOD APPROVE] Failed to notify user:', err);
}
// Push to Discord Webhook (Direct)
try {
const discordClient = cfg.clients.find(c => c.type === 'discord');
if (discordClient && discordClient.webhook_url) {
const message = `${f0ck[0].username} uploaded a new video ${cfg.main.url.full}/${id}`;
const payload = JSON.stringify({ content: message });
const url = new URL(discordClient.webhook_url);
const options = {
hostname: url.hostname,
path: url.pathname + url.search,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(payload)
}
};
const reqDiscord = https.request(options, (resDiscord) => {
if (resDiscord.statusCode >= 400) {
console.error(`[MOD APPROVE] Webhook returned status ${resDiscord.statusCode}`);
}
});
reqDiscord.on('error', (err) => {
console.error('[MOD APPROVE] Webhook failed:', err);
});
reqDiscord.write(payload);
reqDiscord.end();
}
} catch (err) {
console.error('[MOD APPROVE] Discord Webhook error:', err);
}
// Push to Matrix Channel
try {
const matrixCfg = cfg.clients.find(c => c.type === 'matrix');
if (matrixCfg?.notification_channel_id && router.self?.bot?.clients) {
const clients = await Promise.all(router.self.bot.clients);
const matrixWrapper = clients.find(c => c.type === 'matrix');
if (matrixWrapper?.client) {
const message = `${f0ck[0].username} uploaded a new video ${cfg.main.url.full}/${id}`;
await matrixWrapper.client.send(matrixCfg.notification_channel_id, message);
console.log(`[MOD APPROVE] Matrix notification sent for item ${id}`);
}
}
} catch (err) {
console.error('[MOD APPROVE] Matrix notification error:', err);
}
// Broadcast new_item event for live grid updates
try {
await db`SELECT pg_notify('new_item', ${JSON.stringify({
id: id,
dest: f0ck[0].dest,
mime: f0ck[0].mime,
username: f0ck[0].username,
tag_id: f0ck[0].tag_id,
is_oc: !!f0ck[0].is_oc
})})`;
} catch (err) {
console.error('[MOD APPROVE] new_item notify failed:', err);
}
}
// Move files to public location
const movePaths = [
{ b: path.join(cfg.paths.pending, 'b', f0ck[0].dest), t: path.join(cfg.paths.pending, 't', `${id}.webp`), ca: path.join(cfg.paths.pending, 'ca', `${id}.webp`) },
{ b: path.join(cfg.paths.deleted, 'b', f0ck[0].dest), t: path.join(cfg.paths.deleted, 't', `${id}.webp`), ca: path.join(cfg.paths.deleted, 'ca', `${id}.webp`) }
];
for (const p of movePaths) {
try {
await fs.access(p.b);
console.log(`[MOD APPROVE] Moving files for item ${id} from ${p.b.includes('pending') ? 'pending' : 'deleted'}`);
const moveSafe = async (src, dst) => {
try {
const lstat = await fs.lstat(src);
if (lstat.isSymbolicLink()) {
const target = await fs.readlink(src);
const absTarget = path.resolve(path.dirname(src), target);
const relTarget = path.relative(path.dirname(dst), absTarget);
await fs.symlink(relTarget, dst);
await fs.unlink(src).catch(() => {});
} else {
await fs.copyFile(src, dst);
await fs.unlink(src).catch(() => {});
}
} catch (e) {
console.warn(`[MOD APPROVE ERROR] Failed to move ${src} to ${dst}:`, e.message);
}
};
const bDst = path.join(cfg.paths.b, f0ck[0].dest);
const tDst = path.join(cfg.paths.t, `${id}.webp`);
const blurDst = path.join(cfg.paths.t, `${id}_blur.webp`);
const caDst = path.join(cfg.paths.ca, `${id}.webp`);
await moveSafe(p.b, bDst);
await moveSafe(p.t, tDst);
const blurSrc = p.t.replace('.webp', '_blur.webp');
await moveSafe(blurSrc, blurDst);
if (f0ck[0].mime.startsWith('audio')) {
await moveSafe(p.ca, caDst);
}
break;
} catch (e) { }
}
if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
const body = JSON.stringify({ success: true, item_id: id, msg: "Item approved" });
return res.writeHead(200, { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }).end(body);
}
return res.writeHead(302, { "Location": `/${id}` }).end();
}
// View Queue
const page = +req.url.qs.page || 1;
const limit = 20;
@@ -267,10 +105,190 @@ export default (router, tpl) => {
});
});
// Deny / Delete Item
router.get(/^\/mod\/deny\/?/, lib.modAuth, async (req, res) => {
if (!req.url.qs?.id) return res.reply({ success: false, msg: "No ID provided" });
const id = +req.url.qs.id;
// F-005 Security: Approve action — POST with CSRF protection
router.post(/^\/mod\/approve\/?/, lib.modAuth, async (req, res) => {
const id = +(req.post?.id || 0);
if (!id) {
const body = JSON.stringify({ success: false, msg: 'No ID provided' });
return res.writeHead(400, { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }).end(body);
}
const f0ck = await db`
select i.dest, i.mime, i.username, i.id, ta.tag_id
from "items" i
left join tags_assign ta on ta.item_id = i.id and ta.tag_id in (1, 2)
where i.id = ${id} and i.active = false
limit 1
`;
if (f0ck.length === 0) {
const body = JSON.stringify({ success: false, msg: `f0ck ${id}: f0ck not found` });
return res.writeHead(404, { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }).end(body);
}
// Fetch uploader details for audit log
let uploaderInfo = {};
try {
const uploader = await db`select id, "user" as username from "user" where login = ${f0ck[0].username} or "user" = ${f0ck[0].username} limit 1`;
if (uploader.length > 0) {
uploaderInfo = { uploader_id: uploader[0].id, uploader_name: uploader[0].username };
}
} catch (err) { }
// ACTION: Approve
// We only proceed with side-effects (notifications/webhooks) if the update actually changed active=false to active=true.
// This prevents duplicate webhooks from double-clicks or race conditions.
const result = await db`update "items" set active = true, is_deleted = false where id = ${id} and active = false`;
if (result.count === 1) {
await audit.log(req.session.id, 'approve_item', 'item', id, { filename: f0ck[0].dest, ...uploaderInfo });
// Notify User (WebSocket/Internal)
try {
const uploader = await db`select id from "user" where login = ${f0ck[0].username} or "user" = ${f0ck[0].username} limit 1`;
if (uploader.length > 0) {
await db`
INSERT INTO notifications (user_id, type, reference_id, item_id)
VALUES (${uploader[0].id}, 'approve', 0, ${id})
`;
}
} catch (err) {
console.error('[MOD APPROVE] Failed to notify user:', err);
}
// Push to Discord Webhook (Direct)
try {
const discordClient = cfg.clients.find(c => c.type === 'discord');
if (discordClient && discordClient.webhook_url) {
const message = `${f0ck[0].username} uploaded a new video ${cfg.main.url.full}/${id}`;
const payload = JSON.stringify({ content: message });
const url = new URL(discordClient.webhook_url);
const options = {
hostname: url.hostname,
path: url.pathname + url.search,
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Content-Length': Buffer.byteLength(payload)
}
};
const reqDiscord = https.request(options, (resDiscord) => {
if (resDiscord.statusCode >= 400) {
console.error(`[MOD APPROVE] Webhook returned status ${resDiscord.statusCode}`);
}
});
reqDiscord.on('error', (err) => {
console.error('[MOD APPROVE] Webhook failed:', err);
});
reqDiscord.write(payload);
reqDiscord.end();
}
} catch (err) {
console.error('[MOD APPROVE] Discord Webhook error:', err);
}
// Push to Matrix Channel
try {
const matrixCfg = cfg.clients.find(c => c.type === 'matrix');
if (matrixCfg?.notification_channel_id && router.self?.bot?.clients) {
const clients = await Promise.all(router.self.bot.clients);
const matrixWrapper = clients.find(c => c.type === 'matrix');
if (matrixWrapper?.client) {
const message = `${f0ck[0].username} uploaded a new video ${cfg.main.url.full}/${id}`;
await matrixWrapper.client.send(matrixCfg.notification_channel_id, message);
console.log(`[MOD APPROVE] Matrix notification sent for item ${id}`);
}
}
} catch (err) {
console.error('[MOD APPROVE] Matrix notification error:', err);
}
// Broadcast new_item event for live grid updates
try {
await db`SELECT pg_notify('new_item', ${JSON.stringify({
id: id,
dest: f0ck[0].dest,
mime: f0ck[0].mime,
username: f0ck[0].username,
tag_id: f0ck[0].tag_id,
is_oc: !!f0ck[0].is_oc
})})`;
} catch (err) {
console.error('[MOD APPROVE] new_item notify failed:', err);
}
}
// Move files to public location
const movePaths = [
{ b: path.join(cfg.paths.pending, 'b', f0ck[0].dest), t: path.join(cfg.paths.pending, 't', `${id}.webp`), ca: path.join(cfg.paths.pending, 'ca', `${id}.webp`) },
{ b: path.join(cfg.paths.deleted, 'b', f0ck[0].dest), t: path.join(cfg.paths.deleted, 't', `${id}.webp`), ca: path.join(cfg.paths.deleted, 'ca', `${id}.webp`) }
];
const isYouTube = f0ck[0].mime === 'video/youtube';
for (const p of movePaths) {
try {
if (isYouTube) {
await fs.access(p.t);
} else {
await fs.access(p.b);
}
console.log(`[MOD APPROVE] Moving files for item ${id} from ${p.b.includes('pending') ? 'pending' : 'deleted'}`);
const moveSafe = async (src, dst) => {
try {
const lstat = await fs.lstat(src);
if (lstat.isSymbolicLink()) {
const target = await fs.readlink(src);
const absTarget = path.resolve(path.dirname(src), target);
const relTarget = path.relative(path.dirname(dst), absTarget);
await fs.symlink(relTarget, dst);
await fs.unlink(src).catch(() => {});
} else {
await fs.copyFile(src, dst);
await fs.unlink(src).catch(() => {});
}
} catch (e) {
if (e.code !== 'ENOENT') {
console.warn(`[MOD APPROVE ERROR] Failed to move ${src} to ${dst}:`, e.message);
}
}
};
const bDst = path.join(cfg.paths.b, f0ck[0].dest);
const tDst = path.join(cfg.paths.t, `${id}.webp`);
const blurDst = path.join(cfg.paths.t, `${id}_blur.webp`);
const caDst = path.join(cfg.paths.ca, `${id}.webp`);
if (!isYouTube) {
await moveSafe(p.b, bDst);
}
await moveSafe(p.t, tDst);
const blurSrc = p.t.replace('.webp', '_blur.webp');
await moveSafe(blurSrc, blurDst);
if (f0ck[0].mime.startsWith('audio')) {
await moveSafe(p.ca, caDst);
}
break;
} catch (e) { }
}
if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
const body = JSON.stringify({ success: true, item_id: id, msg: "Item approved" });
return res.writeHead(200, { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }).end(body);
}
return res.writeHead(302, { "Location": `/${id}` }).end();
});
// F-005 Security: Deny action — POST with CSRF protection
router.post(/^\/mod\/deny\/?/, lib.modAuth, async (req, res) => {
const id = +(req.post?.id || 0);
if (!id) {
const body = JSON.stringify({ success: false, msg: 'No ID provided' });
return res.writeHead(400, { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }).end(body);
}
const f0ck = await db`select id, dest, mime, is_deleted, active, username from "items" where id = ${id} limit 1`;
if (f0ck.length > 0) {
@@ -339,7 +357,7 @@ export default (router, tpl) => {
} catch (e) { }
}
const reason = req.url.qs?.reason || "Denied by moderator";
const reason = req.post?.reason || "Denied by moderator";
await db`update "items" set is_deleted = true, active = false where id = ${id}`;
@@ -541,8 +559,14 @@ export default (router, tpl) => {
// Supports /mod/pending/b/filename.ext (Binaries)
// Supports /mod/pending/t/id.webp (Thumbnails)
router.get(/^\/mod\/pending\/(?<type>[btca])\/(?<file>.+)/, lib.modAuth, async (req, res) => {
const { type, file } = req.params;
const filePath = path.join(cfg.paths.pending, type, file);
const { type } = req.params;
// F-003 Security: Sanitize file parameter to prevent path traversal
const file = path.basename(req.params.file);
const baseDir = path.resolve(cfg.paths.pending, type);
const filePath = path.resolve(baseDir, file);
if (!filePath.startsWith(baseDir + path.sep) && filePath !== baseDir) {
return res.writeHead(403).end('Forbidden');
}
try {
const stats = await fs.stat(filePath);
@@ -552,7 +576,8 @@ export default (router, tpl) => {
const mimeType = {
'mp4': 'video/mp4', 'webm': 'video/webm',
'jpg': 'image/jpeg', 'jpeg': 'image/jpeg',
'png': 'image/png', 'gif': 'image/gif', 'webp': 'image/webp'
'png': 'image/png', 'gif': 'image/gif', 'webp': 'image/webp',
'pdf': 'application/pdf'
}[ext] || 'application/octet-stream';
if (range) {
@@ -577,7 +602,7 @@ export default (router, tpl) => {
(await import('fs')).createReadStream(filePath).pipe(res);
}
} catch (err) {
console.error(err);
if (err.code !== 'ENOENT') console.error(err);
res.writeHead(404).end('File not found');
}
});
@@ -586,10 +611,15 @@ export default (router, tpl) => {
// Supports /mod/deleted/b/filename.ext (Binaries)
// Supports /mod/deleted/t/id.webp (Thumbnails)
router.get(/^\/mod\/deleted\/(?<type>[bt])\/(?<file>.+)/, lib.modAuth, async (req, res) => {
const file = decodeURIComponent(req.params.file);
// F-003 Security: Sanitize file parameter to prevent path traversal
const file = path.basename(decodeURIComponent(req.params.file));
const type = req.params.type; // 'b' or 't'
console.log(`[MOD_STREAM] Request: type=${type}, file=${file}, range=${req.headers.range || 'none'}`);
const filePath = path.join(cfg.paths.deleted, type, file);
const baseDir = path.resolve(cfg.paths.deleted, type);
const filePath = path.resolve(baseDir, file);
if (!filePath.startsWith(baseDir + path.sep) && filePath !== baseDir) {
return res.writeHead(403).end('Forbidden');
}
try {
const stat = await fs.stat(filePath);
@@ -599,7 +629,8 @@ export default (router, tpl) => {
const mimeType = {
'mp4': 'video/mp4', 'webm': 'video/webm',
'jpg': 'image/jpeg', 'jpeg': 'image/jpeg',
'png': 'image/png', 'gif': 'image/gif', 'webp': 'image/webp'
'png': 'image/png', 'gif': 'image/gif', 'webp': 'image/webp',
'pdf': 'application/pdf'
}[ext] || 'application/octet-stream';
if (range) {
@@ -624,7 +655,7 @@ export default (router, tpl) => {
(await import('fs')).createReadStream(filePath).pipe(res);
}
} catch (err) {
console.error(err);
if (err.code !== 'ENOENT') console.error(err);
res.writeHead(404).end('File not found');
}
});
@@ -656,7 +687,7 @@ export default (router, tpl) => {
const body = JSON.stringify({ success: true, count });
return res.writeHead(200, { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }).end(body);
} catch (err) {
const body = JSON.stringify({ success: false, msg: err.message });
const body = JSON.stringify({ success: false, msg: 'Purge failed' });
return res.writeHead(500, { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }).end(body);
}
});
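Review bot: The comment on the new `router.post(/^\/mod\/approve\/?/` handler (and on the deny handler) says "POST with CSRF protection", but neither handler body performs a token check, in contrast to the explicit `x-csrf-token` comparison this commit adds to the admin delete route. If `lib.modAuth` or a global POST hook validates the token, the comment should say so, e.g. `// CSRF: validated by lib.modAuth for all POST routes`; if not, a cross-site form POST from a logged-in moderator's browser still approves or denies items. Separately, the `pg_notify('new_item', …)` payload reads `f0ck[0].is_oc`, which the select above it never fetches (`select i.dest, i.mime, i.username, i.id, ta.tag_id`), so `is_oc` is always false; add the column to the select list if items has one. Finally, `const id = +(req.post?.id || 0)` accepts non-integers such as `1.5`; `const id = Number.parseInt(req.post?.id, 10) || 0;` keeps the DB parameter an integer.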


@@ -10,20 +10,26 @@ const activeTabs = new Map(); // sessionId -> tabId
function broadcastChatPresence() {
const seen = new Set();
const users = [];
const guestIps = new Set();
for (const client of clients) {
if (client.userId && !seen.has(client.userId)) {
seen.add(client.userId);
users.push({
username: client.username,
display_name: client.display_name,
avatar_file: client.avatar_file,
avatar: client.avatar,
username_color: client.username_color
});
if (client.userId) {
if (!seen.has(client.userId)) {
seen.add(client.userId);
users.push({
username: client.username,
display_name: client.display_name,
avatar_file: client.avatar_file,
avatar: client.avatar,
username_color: client.username_color
});
}
} else if (client.ip) {
guestIps.add(client.ip);
}
}
const guestCount = guestIps.size;
for (const client of clients) {
client.send({ type: 'global_chat_presence', data: { users } });
client.send({ type: 'global_chat_presence', data: { users, guestCount } });
}
}
@@ -41,9 +47,16 @@ db.listen('notifications', (payload) => {
try {
const data = JSON.parse(payload);
const userId = data.user_id;
const SYSTEM_TYPES = ['upload_success', 'upload_error'];
const USER_TYPES = ['comment', 'comment_reply', 'mention', 'subscription', 'upload_comment'];
for (const client of clients) {
if (client.userId === userId) {
// Do Not Disturb takes absolute priority for standard notifications
if (client.do_not_disturb === true) continue;
if (SYSTEM_TYPES.includes(data.type) && client.receive_system_notifications === false) continue;
if (USER_TYPES.includes(data.type) && client.receive_user_notifications === false) continue;
client.send({ type: 'notify', data });
}
}
@@ -73,6 +86,11 @@ db.listen('profile_update', (payload) => {
const data = JSON.parse(payload);
for (const client of clients) {
if (client.userId === data.user_id) {
// Sync notification preferences to client object for real-time filtering
if (data.receive_system_notifications !== undefined) client.receive_system_notifications = data.receive_system_notifications;
if (data.receive_user_notifications !== undefined) client.receive_user_notifications = data.receive_user_notifications;
if (data.do_not_disturb !== undefined) client.do_not_disturb = data.do_not_disturb;
client.send({ type: 'profile_update', data });
}
}
@@ -217,6 +235,9 @@ db.listen('private_message', (payload) => {
// Only send to the recipient — sender already knows they sent it
for (const client of clients) {
if (client.userId === data.recipient_id) {
// Silenced by DND
if (client.do_not_disturb === true) continue;
client.send({ type: 'private_message', data: {
id: data.id,
sender_id: data.sender_id,
@@ -293,6 +314,19 @@ db.listen('global_chat_background', (payload) => {
}
}).catch(err => console.error('DB Listen global_chat_background error:', err));
// Global listener for rethumb live updates
db.listen('rethumb', (payload) => {
try {
const data = JSON.parse(payload);
console.log(`[SSE] Broadcasting rethumb (id: ${data.item_id}) to ${clients.size} clients`);
for (const client of clients) {
client.send({ type: 'rethumb', data });
}
} catch (e) {
console.error('Rethumb broadcast error:', e);
}
}).catch(err => console.error('DB Listen rethumb error:', err));
// Global listener for chat topic changes
db.listen('global_chat_topic', (payload) => {
try {
@@ -391,7 +425,15 @@ export default (router, tpl) => {
LEFT JOIN user_options uo ON u.id = uo.user_id
LEFT JOIN items i ON n.item_id = i.id
WHERE n.user_id = ${req.session.id} AND n.is_read = false
AND (n.type IN ('admin_pending', 'deny', 'item_deleted', 'report') OR i.id IS NULL OR (i.active = true AND i.is_deleted = false))
AND (n.type IN ('admin_pending', 'deny', 'item_deleted', 'report', 'approve')
OR (
${req.session.do_not_disturb !== true} AND (
(n.type IN ('upload_success', 'upload_error') AND ${req.session.receive_system_notifications !== false})
OR (n.type IN ('comment', 'comment_reply', 'mention', 'subscription', 'upload_comment') AND ${req.session.receive_user_notifications !== false})
)
)
)
AND (n.item_id IS NULL OR (i.active = true AND i.is_deleted = false) OR n.type IN ('admin_pending', 'deny', 'item_deleted', 'report'))
ORDER BY n.created_at DESC
LIMIT 1000
`;
@@ -510,8 +552,12 @@ export default (router, tpl) => {
avatar_file: req.session?.avatar_file || null,
avatar: req.session?.avatar || null,
username_color: req.session?.username_color || null,
receive_system_notifications: req.session?.receive_system_notifications !== false,
receive_user_notifications: req.session?.receive_user_notifications !== false,
do_not_disturb: req.session?.do_not_disturb === true,
sessionId,
tabId,
ip: req.headers['x-forwarded-for'] || req.socket.remoteAddress,
send: (data) => {
try {
res.write(`data: ${JSON.stringify(data)}\n\n`);
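Review bot: `ip: req.headers['x-forwarded-for'] || req.socket.remoteAddress` trusts a client-settable header, and behind a proxy that header is a comma-separated chain, so the `guestIps` set in broadcastChatPresence dedupes on a value any anonymous client can vary per connection to inflate `guestCount`, or set identically to collapse all guests into one. Take only the first hop, and only when the deployment is known to sit behind a reverse proxy you control: `const fwd = req.headers['x-forwarded-for'];` and `ip: (fwd ? String(fwd).split(',')[0].trim() : req.socket.remoteAddress),` with the proxy-trust condition taken from whatever setting the project uses for that (not visible here). The object literal this field belongs to starts outside the hunk.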


@@ -315,7 +315,7 @@ export default (router, tpl) => {
return res.reply({
code: 500,
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ success: false, items: [], error: e.message })
body: JSON.stringify({ success: false, items: [], error: 'Feed error' })
});
}
});


@@ -68,10 +68,10 @@ export default (router, tpl) => {
from "items"
join "tags_assign" on "tags_assign".item_id = "items".id
join "tags" on "tags".id = "tags_assign".tag_id
where lower("tags".tag) in (${db(lowerTags)})
where "tags".normalized = ANY(ARRAY(SELECT slugify(x) FROM unnest(${tags}::text[]) AS x))
and "items".active = true
group by "items".id
having count(distinct lower("tags".tag)) = ${lowerTags.length}
having count(distinct "tags".normalized) = ${tags.length}
) sub
`;
total = countResult.length > 0 ? countResult[0].total : 0;
@@ -85,10 +85,10 @@ export default (router, tpl) => {
from "items"
join "tags_assign" on "tags_assign".item_id = "items".id
join "tags" on "tags".id = "tags_assign".tag_id
where lower("tags".tag) in (${db(lowerTags)})
where "tags".normalized = ANY(ARRAY(SELECT slugify(x) FROM unnest(${tags}::text[]) AS x))
and "items".active = true
group by "items".id
having count(distinct lower("tags".tag)) = ${lowerTags.length}
having count(distinct "tags".normalized) = ${tags.length}
order by "items".id desc
offset ${offset}
limit ${_eps}
@@ -119,26 +119,34 @@ export default (router, tpl) => {
}
}
else {
total = (await db`
select count(*) as total
from "tags"
left join "tags_assign" on "tags_assign".tag_id = "tags".id
left join "items" on "items".id = "tags_assign".item_id
where "tags".tag ilike ${'%' + tag + '%'}
group by "items".id, "tags".tag
`).length;
const q = '%' + tag + '%';
const countResult = await db`
select count(*) as total from (
select 1
from "items"
join "tags_assign" on "tags_assign".item_id = "items".id
join "tags" on "tags".id = "tags_assign".tag_id
where ("tags".tag ilike ${q} or "tags".normalized like '%' || slugify(${tag}) || '%')
and "items".active = true
group by "items".id
) sub
`;
total = countResult.length > 0 ? parseInt(countResult[0].total) : 0;
const pages = +Math.ceil(total / _eps);
const act_page = Math.min(pages, page || 1);
const offset = Math.max(0, (act_page - 1) * _eps);
const rows = await db`
select "items".id, "items".username, "items".mime, "tags".tag
from "tags"
left join "tags_assign" on "tags_assign".tag_id = "tags".id
left join "items" on "items".id = "tags_assign".item_id
where "tags".tag ilike ${'%' + tag + '%'} and "items".active = true
group by "items".id, "tags".tag
select "items".id, "items".username, "items".mime, min("tags".tag) as tag
from "items"
join "tags_assign" on "tags_assign".item_id = "items".id
join "tags" on "tags".id = "tags_assign".tag_id
where ("tags".tag ilike ${q} or "tags".normalized like '%' || slugify(${tag}) || '%')
and "items".active = true
group by "items".id
order by "items".id desc
offset ${offset}
limit ${_eps}
`;
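Review bot: `const q = '%' + tag + '%'` feeds the raw search term into `ilike`, so `%` and `_` in user input act as wildcards; a term of `%` matches every active item and the `group by "items".id` over the whole table runs on each page view. The queries are parameterized, so this is not injection, but escaping the metacharacters keeps the search literal and bounds the work: `const q = '%' + tag.replace(/[\\%_]/g, '\\$&') + '%';` (Postgres's default LIKE escape is backslash). The `"tags".normalized like '%' || slugify(${tag}) || '%'` branch has the same exposure and would need the same escaping applied to the slugified value. Both the count and rows queries share `q`, so one change covers both.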


@@ -38,7 +38,7 @@ export default (router, tpl) => {
res.setHeader('Expires', '0');
res.setHeader('Surrogate-Control', 'no-store');
console.log('Rendering settings. Excluded tags:', excluded_tags);
res.reply({
body: tpl.render('settings', {


@@ -21,7 +21,7 @@ export default (router, tpl) => {
const offset = (page - 1) * eps;
try {
console.log('[DEBUG SUB] Fetching subscriptions for user', req.session.id, 'page', page);
if (cfg.main.development) console.log('[DEBUG SUB] Fetching subscriptions for user', req.session.id, 'page', page);
const countRes = await db`
SELECT count(*) as total
@@ -41,7 +41,7 @@ export default (router, tpl) => {
ORDER BY s.created_at DESC
LIMIT ${eps} OFFSET ${offset}
`;
console.log('[DEBUG SUB] Found', subs.length, 'subscriptions out of', total);
if (cfg.main.development) console.log('[DEBUG SUB] Found', subs.length, 'subscriptions out of', total);
const items = subs.map(i => ({
id: i.id,


@@ -157,6 +157,25 @@ export default (router, tpl) => {
data.hidePagination = true;
data.session = req.session ? { ...req.session } : false;
// Precompute boolean helpers for template @if() — must match index.mjs pattern
if (data.item) {
const session = data.session;
const item = data.item;
data.is_mod_or_admin = !!(session && (session.admin || session.is_moderator));
data.can_manage_item = !!(session && (session.admin || session.is_moderator || session.user === item.username));
data.can_extract_meta = !!(item.mime && item.mime.indexOf('flash') === -1 && item.mime.indexOf('youtube') === -1);
data.user_has_favorited = !!(session && Array.isArray(item.favorites) && item.favorites.some(f => f.user === session.user));
data.halls_slugs = Array.isArray(item.halls) ? item.halls.map(h => h.slug).join(',') : '';
data.user_halls_slugs = Array.isArray(item.user_halls) ? item.user_halls.map(h => h.slug).join(',') : '';
data.item_rating_class = item.is_nsfl ? 'is-nsfl' : (item.is_nsfw ? 'is-nsfw' : (item.is_sfw ? 'is-sfw' : 'is-untagged'));
data.item_rating_label = item.is_nsfl ? 'NSFL' : (item.is_nsfw ? 'NSFW' : (item.is_sfw ? 'SFW' : '?'));
data.item_username_lower = (item.username || '').toLowerCase();
data.is_flash_item = !!(item.mime && (item.mime.indexOf('flash') !== -1 || item.mime.indexOf('shockwave') !== -1));
data.current_hall_slug = (data.tmp && data.tmp.hall && typeof data.tmp.hall === 'object') ? data.tmp.hall.slug : (data.tmp && data.tmp.hall ? data.tmp.hall : '');
data.current_user_hall_slug = (data.tmp && data.tmp.userHall && typeof data.tmp.userHall === 'object') ? data.tmp.userHall.slug : (data.tmp && data.tmp.userHall ? data.tmp.userHall : '');
data.current_user_hall_owner = (data.tmp && data.tmp.userHallOwner) ? data.tmp.userHallOwner : '';
}
// Precompute hall display
if (data.item?.halls?.length) {
data.item.primaryHall = data.item.halls[0];
@@ -168,17 +187,26 @@ export default (router, tpl) => {
if (req.session || !cfg.main.hide_comments_from_public) {
if (req.session?.id) f0cklib.markNotificationsRead(req.session.id, req.params.itemid).catch(() => {});
const useLegacy = req.session
? (req.session.use_new_layout === false)
: (cfg.websrv.default_layout === 'legacy');
const sort = useLegacy ? 'old' : 'new';
data.comments = await f0cklib.getComments(req.params.itemid, sort, false);
data.isSubscribed = req.session ? await f0cklib.getSubscriptionStatus(req.session.id, req.params.itemid) : false;
data.commentsJSON = Buffer.from(JSON.stringify(data.comments || [])).toString('base64');
// xD Score
const commentsForScore = await f0cklib.getComments(req.params.itemid, 'old', false);
const xdScore = f0cklib.computeXdScore(commentsForScore);
const xdMeta = f0cklib.xdScoreMeta(xdScore);
data.item.xd_score = xdScore;
data.item.xd_tier = xdMeta.tier;
data.item.xd_label = xdMeta.label;
// Comments loaded async by client
data.commentsJSON = null;
data.comments = [];
} else {
data.comments = [];
data.isSubscribed = false;
data.commentsJSON = Buffer.from('[]').toString('base64');
data.commentsJSON = null;
data.item.xd_score = 0;
data.item.xd_tier = 0;
data.item.xd_label = '';
}
return res.reply({ body: tpl.render('item', data, req) });
@@ -188,11 +216,13 @@ export default (router, tpl) => {
router.get(/^\/user_hall_image\/(?<userId>\d+)\/(?<slug>.+)$/, async (req, res) => {
const userId = +req.params.userId;
const slug = decodeURIComponent(req.params.slug);
// F-016 Security: Sanitize slug to prevent path traversal
const safeSlug = path.basename(slug);
const mode = +(req.url.qs?.m ?? 0);
const CUSTOM_DIR = path.join(cfg.paths.s, '../hall_custom');
const CACHE_DIR = path.join(cfg.paths.s, '../hall_cache');
const customPath = path.join(CUSTOM_DIR, `u_${userId}_${slug}.webp`);
const customPath = path.join(CUSTOM_DIR, `u_${userId}_${safeSlug}.webp`);
try {
// 1. Serve custom image if present
@@ -207,7 +237,7 @@ export default (router, tpl) => {
} catch (_) { /* no custom image */ }
// 2. Check mosaic cache
const hash = createHash('md5').update(`uh_${userId}_${slug}_${mode}`).digest('hex');
const hash = createHash('md5').update(`uh_${userId}_${safeSlug}_${mode}`).digest('hex');
const cachePath = path.join(CACHE_DIR, `${hash}.webp`);
try {
await fs.access(cachePath);
@@ -316,8 +346,10 @@ export default (router, tpl) => {
const result = await f0cklib.deleteUserHall(targetUserId, slug);
// Clean up custom image if it exists
// F-016 Security: Sanitize slug to prevent path traversal in file deletion
const safeSlug = path.basename(slug);
const CUSTOM_DIR = path.join(cfg.paths.s, '../hall_custom');
fs.unlink(path.join(CUSTOM_DIR, `u_${targetUserId}_${slug}.webp`)).catch(() => {});
fs.unlink(path.join(CUSTOM_DIR, `u_${targetUserId}_${safeSlug}.webp`)).catch(() => {});
return res.writeHead(result.success ? 200 : 404, { 'Content-Type': 'application/json' })
.end(JSON.stringify(result));
@@ -380,12 +412,14 @@ export default (router, tpl) => {
.end(JSON.stringify({ success: false, msg: 'Hall not found' }));
}
// F-016 Security: Sanitize slug to prevent path traversal in file deletion
const safeSlug = path.basename(slug);
const CUSTOM_DIR = path.join(cfg.paths.s, '../hall_custom');
const CACHE_DIR = path.join(cfg.paths.s, '../hall_cache');
await fs.unlink(path.join(CUSTOM_DIR, `u_${req.session.id}_${slug}.webp`)).catch(() => {});
await fs.unlink(path.join(CUSTOM_DIR, `u_${req.session.id}_${safeSlug}.webp`)).catch(() => {});
// Clear mosaic cache entries for all modes
for (const m of [0, 1, 2]) {
const h = createHash('md5').update(`uh_${req.session.id}_${slug}_${m}`).digest('hex');
const h = createHash('md5').update(`uh_${req.session.id}_${safeSlug}_${m}`).digest('hex');
await fs.unlink(path.join(CACHE_DIR, `${h}.webp`)).catch(() => {});
}
await db`UPDATE user_halls SET custom_image = false WHERE id = ${hall.id}`;
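Review bot: `const slug = decodeURIComponent(req.params.slug)` in the `/user_hall_image/` route throws a URIError on a malformed percent sequence such as `%E0`, and nothing visible in the handler catches it, so a bad URL becomes an unhandled rejection rather than a 404; the new `path.basename(slug)` line runs after the throw and does not help. Guard the decode: `let slug; try { slug = decodeURIComponent(req.params.slug); } catch { return res.writeHead(400).end('Bad Request'); }`. Worth a comment next to `safeSlug` that `path.basename` returns `..` for a slug of `..` and that this is only harmless because the value is embedded in a `u_${userId}_…webp` filename rather than used as a path segment, so the prefix must not be dropped later. The handler continues outside the hunk.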