diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index b7ad2f868d..0000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
- push:
- branches: [ master ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
- schedule:
- - cron: '18 19 * * 1'
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- strategy:
- fail-fast: false
- matrix:
- language: [ 'javascript', 'python' ]
- # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
- # Learn more about CodeQL language support at https://git.io/codeql-language-support
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
- # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v1
-
- # âšī¸ Command-line programs to run using the OS shell.
- # đ https://git.io/JvXDl
-
- # âī¸ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
-
- #- run: |
- # make bootstrap
- # make release
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 87af761118..d5f6da0a60 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,7 +42,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ uses: github/codeql-action/autobuild@v2
# âšī¸ Command-line programs to run using the OS shell.
# đ https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
# make release
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@v2
\ No newline at end of file
diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml
index 4cfa76d5b8..726eb0c3fe 100644
--- a/.github/workflows/ossar.yml
+++ b/.github/workflows/ossar.yml
@@ -22,6 +22,8 @@ jobs:
# OSSAR runs on windows-latest.
# ubuntu-latest and macos-latest support coming soon
runs-on: windows-latest
+ permissions:
+ security-events: write
steps:
- name: Checkout repository
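Review bot: The new job-level `permissions` block names only `security-events: write`, and a job-level block sets every scope it does not name to `none`, so GITHUB_TOKEN loses `contents` and `actions` for this job — the checkout step right below would be unable to read a private repository, and codeql-action's upload step is documented as wanting `actions: read` on private repositories as well. The CodeQL workflow deleted earlier in this diff grants the full trio; mirror it here with `permissions:` / `  actions: read` / `  contents: read` / `  security-events: write`. Whether checkout actually breaks depends on repository visibility, which this diff does not show.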
@@ -44,6 +46,6 @@ jobs:
# Upload results to the Security tab
- name: Upload OSSAR results
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@v2
with:
- sarif_file: ${{ steps.ossar.outputs.sarifFile }}
+ sarif_file: ${{ steps.ossar.outputs.sarifFile }}
\ No newline at end of file
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000000..b4eacda945
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,14 @@
+name: "run_tests.py"
+
+on: [push, pull_request]
+
+jobs:
+ analyze:
+ runs-on: ubuntu-20.04
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ - name: run_tests.py
+ run: |
+ ./run_tests.py
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 691c16797e..ac99b2d205 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,6 +2,7 @@ version: '2.3'
services:
files:
+ container_name: "rDrama"
build:
context: .
volumes:
diff --git a/files/helpers/const.py b/files/helpers/const.py
index 72a9ae29ba..7d0b2fe9da 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -26,25 +26,18 @@ AJ_REPLACEMENTS = {
' YOUR ': " YOU'RE ",
' TO ': " TOO ",
+
+ 'anybody': 'anypony',
+ 'everybody': 'everypony',
+
+ 'Anybody': 'Anypony',
+ 'Everybody': 'Everypony',
+
+ 'ANYBODY': 'ANYPONY',
+ 'EVERYBODY': 'EVERYPONY',
}
-if SITE_NAME == 'Cringetopia':
- SLURS = {
- "retarded": "neurodivergent",
- "retard": "neurodivergent",
- "faggot": "cute twink",
- "fag": "cute twink",
- "n1gger": "đ",
- "nlgger": "đ",
- "nigger": "đ",
- "uss liberty incident": "tragic accident aboard the USS Liberty",
- "lavon affair": "Lavon Misunderstanding",
- "i hate marsey": "i love marsey",
- "autistic": "neurodivergent",
- "holohoax": "i tried to claim the Holocaust didn't happen because I am a pencil-dicked imbecile and the word filter caught me lol",
- "i hate carp": "i love Carp",
- "heil hitler": "hello kitty", }
-else:
+if SITE_NAME == 'rDrama':
SLURS = {
"california": "commiefornia",
"hollywood": "hollyweird",
@@ -95,9 +88,9 @@ else:
"pedocord": "discord (actually a pretty cool service)",
"i hate carp": "i love Carp",
"manlet": "little king",
- "gamer": "g\*mer",
- "journalist": "journ\*list",
- "journalism": "journ\*lism",
+ "gamer": "g*mer",
+ "journalist": "journ*list",
+ "journalism": "journ*lism",
"wuhan flu": "SARS-CoV-2 syndemic",
"china flu": "SARS-CoV-2 syndemic",
"china virus": "SARS-CoV-2 syndemic",
@@ -111,6 +104,23 @@ else:
" pedo ": " libertarian ",
" pedos ": " libertarians ",
}
+else:
+ SLURS = {
+ "retarded": "neurodivergent",
+ "retard": "neurodivergent",
+ "faggot": "cute twink",
+ "fag": "cute twink",
+ "n1gger": "đ",
+ "nlgger": "đ",
+ "nigger": "đ",
+ "uss liberty incident": "tragic accident aboard the USS Liberty",
+ "lavon affair": "Lavon Misunderstanding",
+ "i hate marsey": "i love marsey",
+ "autistic": "neurodivergent",
+ "holohoax": "i tried to claim the Holocaust didn't happen because I am a pencil-dicked imbecile and the word filter caught me lol",
+ "i hate carp": "i love Carp",
+ "heil hitler": "hello kitty",
+ }
single_words = "|".join([slur.lower() for slur in SLURS.keys()])
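Review bot: The new `else:` branch flips the default: previously every site other than Cringetopia received the rDrama list, and now every site other than rDrama receives the Cringetopia list, a behaviour change for any third deployment that deserves a comment such as `# default word filter for every site other than rDrama` above `else:`. The keys of whichever dict is chosen are joined into a regex alternation on the following line without escaping; none of the entries visible in this hunk contain metacharacters, but `single_words = "|".join(re.escape(slur.lower()) for slur in SLURS)` would keep that true as the lists grow, assuming `re` is imported earlier in the file, which this hunk does not show.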
diff --git a/files/helpers/sanitize.py b/files/helpers/sanitize.py
index 89b5d5b594..d45cec26ef 100644
--- a/files/helpers/sanitize.py
+++ b/files/helpers/sanitize.py
@@ -42,8 +42,7 @@ def allowed_attributes(tag, name, value):
if name == 'loading' and value == 'lazy': return True
if name == 'referrpolicy' and value == 'no-referrer': return True
if name == 'data-bs-toggle' and value == 'tooltip': return True
- if name in ['alt','title','g','b','pat']: return True
- if name == 'class' and value == 'pat-hand': return True
+ if name in ['alt','title','g','b']: return True
return False
if tag == 'lite-youtube':
@@ -71,7 +70,6 @@ def allowed_attributes(tag, name, value):
return False
if tag == 'span':
- if name == 'class' and value in ['pat-container', 'pat-hand']: return True
if name == 'data-bs-toggle' and value == 'tooltip': return True
if name == 'title': return True
if name == 'alt': return True
@@ -81,8 +79,17 @@ def allowed_attributes(tag, name, value):
url_re = build_url_re(tlds=TLDS, protocols=['http', 'https'])
def callback(attrs, new=False):
+ if (None, "href") not in attrs:
+ return # Incorrect tag
+
href = attrs[(None, "href")]
+ # \ in href right after / makes most browsers ditch site hostname and allows for a host injection bypassing the check, see cool
+ if "\\" in href:
+ attrs["_text"] = href # Laugh at this user
+ del attrs[(None, "href")] # Make unclickable and reset harmful payload
+ return attrs
+
if not href.startswith('/') and not href.startswith(f'{SITE_FULL}/'):
attrs[(None, "target")] = "_blank"
attrs[(None, "rel")] = "nofollow noopener noreferrer"
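Review bot: The new backslash guard closes `/\evil.example`, but the internal-link test two lines later, `href.startswith('/')`, still accepts protocol-relative URLs such as `//evil.example/x`, which browsers resolve to another host; those links are then emitted without `target="_blank"` and without `rel="nofollow noopener noreferrer"`, the very treatment this branch exists to give external links. Tighten it to `if (not href.startswith('/') or href.startswith('//')) and not href.startswith(f'{SITE_FULL}/'):`. The comment on the guard trails off (`see cool`); finish the sentence or drop the reference. This only matters if nothing upstream — `url_re` or bleach's protocol filtering — already rejects `//` hrefs, which the hunk does not show, and the rest of `callback` continues past the hunk.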
@@ -117,17 +124,16 @@ def render_emoji(html, regexp, edit, marseys_used=set(), b=False):
if emoji.endswith('pat'):
if path.isfile(f"files/assets/images/emojis/{emoji.replace('pat','')}.webp"):
- attrs += ' pat'
- emoji_html = f'{emoji_partial_pat.format(old, f"/e/{emoji[:-3]}.webp", attrs)}'
+ emoji_html = f'
{emoji_partial_pat.format(old, f"/e/{emoji[:-3]}.webp", attrs)}'
elif emoji.startswith('@'):
if u := get_user(emoji[1:-3], graceful=True):
- attrs += ' pat'
- emoji_html = f'
{emoji_partial_pat.format(old, f"/pp/{u.id}", attrs)}'
+ emoji_html = f'
{emoji_partial_pat.format(old, f"/pp/{u.id}", attrs)}'
elif path.isfile(f'files/assets/images/emojis/{emoji}.webp'):
emoji_html = emoji_partial.format(old, f'/e/{emoji}.webp', attrs)
if emoji_html:
+ marseys_used.add(emoji)
html = re.sub(f'(?\1', title)
- title = bleach.clean(title, tags=['img','del'], attributes=allowed_attributes_emojis, protocols=['http','https'])
+ title = bleach.clean(title, tags=['img','del','span'], attributes=allowed_attributes_emojis, protocols=['http','https'])
signal.alarm(0)
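Review bot: The new `marseys_used.add(emoji)` writes into the parameter's default, which the signature in the hunk header declares as `marseys_used=set()` — one set object created at definition time — so every caller that omits the argument now accumulates emoji names across calls in a single process-wide set. Use the `None` sentinel: `def render_emoji(html, regexp, edit, marseys_used=None, b=False):` followed by `if marseys_used is None: marseys_used = set()`, unless some caller deliberately reads the shared default, which nothing visible here does. The hunk's HTML appears stripped in this rendering and the `bleach.clean` / `signal.alarm` lines near its end look like a second hunk whose header was lost, so the `'span'` addition to the allowed tag list is only noted here as widening what `allowed_attributes_emojis` must filter. `render_emoji` continues outside the hunk.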
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 36f177e678..85c144c8ef 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -788,8 +788,8 @@ def settings_name_change(v):
return redirect("/settings/profile")
@app.post("/settings/song_change")
-@limiter.limit("2/second;10/day")
-@limiter.limit("2/second;10/day", key_func=lambda:f'{request.host}-{session.get("lo_user")}')
+@limiter.limit("3/second;10/day")
+@limiter.limit("3/second;10/day", key_func=lambda:f'{request.host}-{session.get("lo_user")}')
@auth_required
def settings_song_change(v):
song=request.values.get("song").strip()
diff --git a/files/routes/static.py b/files/routes/static.py
index ca077dff18..32d9c51b2b 100644
--- a/files/routes/static.py
+++ b/files/routes/static.py
@@ -244,8 +244,8 @@ def cached_chart(kind, site):
)
today_cutoff = calendar.timegm(midnight_this_morning)
- if kind == "daily": day_cutoffs = [today_cutoff - 86400 * i for i in range(47)][1:]
- else: day_cutoffs = [today_cutoff - 86400 * 7 * i for i in range(47)][1:]
+ if kind == "daily": day_cutoffs = [today_cutoff - 86400 * i for i in range(55)][1:]
+ else: day_cutoffs = [today_cutoff - 86400 * 7 * i for i in range(55)][1:]
day_cutoffs.insert(0, calendar.timegm(now))
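Review bot: The series length is now the literal `55` duplicated across the two branches, and with the `[1:]` slice the charts actually carry 54 cutoffs plus `now`, which the bare number does not convey; hoist it into a named constant beside the function, e.g. `CHART_SERIES_LEN = 55` and `range(CHART_SERIES_LEN)` in both branches, so the daily and weekly series cannot drift apart on the next adjustment. `cached_chart` starts and ends outside the hunk.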
diff --git a/files/templates/authforms.html b/files/templates/authforms.html
index 2d6cd37908..79d60118ce 100644
--- a/files/templates/authforms.html
+++ b/files/templates/authforms.html
@@ -15,7 +15,7 @@
{% if v %}
-
+
{% if v.agendaposter %}
-
+
{% endif %}
diff --git a/files/templates/chat.html b/files/templates/chat.html
index a35fbb4b78..cf697f29a4 100644
--- a/files/templates/chat.html
+++ b/files/templates/chat.html
@@ -14,7 +14,7 @@