From 837a45bd98bd2ef519341eed18be37694c4b05c0 Mon Sep 17 00:00:00 2001
From: ThatOneCalculator
Date: Fri, 16 Jun 2023 00:13:41 -0700
Subject: [PATCH] refactor: :safety_vest: replace js-yaml with yaml
Technically mitigates CVE-2023-2251, but users never input YAML to Calckey. Still, this does no harm, and it's a good idea to keep dependencies like these up-to-date, as js-yaml was last updated 2 years ago.
---
locales/index.js | 108 ++++++++++++++++------
package.json | 4 +-
packages/backend/package.json | 5 +-
packages/backend/src/config/load.ts | 4 +-
pnpm-lock.yaml | 24 +++----
5 files changed, 81 insertions(+), 64 deletions(-)
diff --git a/locales/index.js b/locales/index.js
index 7399bb5a1..0f84c02b4 100644
--- a/locales/index.js
+++ b/locales/index.js
@@ -2,59 +2,79 @@ * Languages Loader */ -const fs = require('fs'); -const yaml = require('js-yaml'); -let languages = [] -let languages_custom = [] +const fs = require("fs"); +const yaml = require("yaml"); -const merge = (...args) => args.reduce((a, c) => ({ - ...a, - ...c, - ...Object.entries(a) - .filter(([k]) => c && typeof c[k] === 'object') - .reduce((a, [k, v]) => (a[k] = merge(v, c[k]), a), {}) -}), {}); +const languages = []; +const languages_custom = []; +const merge = (...args) => + args.reduce( + (a, c) => ({ + ...a, + ...c, + ...Object.entries(a) + .filter(([k]) => c && typeof c[k] === "object") + .reduce((a, [k, v]) => ((a[k] = merge(v, c[k])), a), {}), + }), + {} + ); fs.readdirSync(__dirname).forEach((file) => { - if (file.includes('.yml')){ - file = file.slice(0, file.indexOf('.')) - languages.push(file); + if (file.includes(".yml")) { + locale = file.slice(0, file.indexOf(".")); + languages.push(locale); } -}) +}); -fs.readdirSync(__dirname + '/../custom/locales').forEach((file) => { - if (file.includes('.yml')){ - file = file.slice(0, file.indexOf('.')) - languages_custom.push(file); +fs.readdirSync(`${__dirname}/../custom/locales`).forEach((file) => { + if (file.includes(".yml")) { + customLocale = file.slice(0, file.indexOf(".")); + languages_custom.push(customLocale); } -}) +}); const primaries = { - 'en': 'US', - 'ja': 'JP', - 'zh': 'CN', + en: "US", + ja: "JP", + zh: "CN", }; -// 何故か文字列にバックスペース文字が混入することがあり、YAMLが壊れるので取り除く -const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), 'g'), ''); +const locales = languages.reduce( + (a, c) => + (a[c] = yaml.parse(fs.readFileSync(`${__dirname}/${c}.yml`, "utf-8"))) || + {}, + a +); +const locales_custom = languages_custom.reduce( + (a, c) => + (a[c] = yaml.parse( + fs.readFileSync(`${__dirname}/../custom/locales/${c}.yml`, "utf-8") + )) || {}, + a +); +Object.assign(locales, locales_custom); -const locales = languages.reduce((a, c) => (a[c] = 
yaml.load(clean(fs.readFileSync(`${__dirname}/${c}.yml`, 'utf-8'))) || {}, a), {}); -const locales_custom = languages_custom.reduce((a, c) => (a[c] = yaml.load(clean(fs.readFileSync(`${__dirname}/../custom/locales/${c}.yml`, 'utf-8'))) || {}, a), {}); -Object.assign(locales, locales_custom) - -module.exports = Object.entries(locales) - .reduce((a, [k ,v]) => (a[k] = (() => { - const [lang] = k.split('-'); - switch (k) { - case 'ja-JP': return v; - case 'ja-KS': - case 'en-US': return merge(locales['ja-JP'], v); - default: return merge( - locales['ja-JP'], - locales['en-US'], - locales[`${lang}-${primaries[lang]}`] || {}, - v - ); - } - })(), a), {}); +module.exports = Object.entries(locales).reduce( + (a, [k, v]) => ( + (a[k] = (() => { + const [lang] = k.split("-"); + switch (k) { + case "ja-JP": + return v; + case "ja-KS": + case "en-US": + return merge(locales["ja-JP"], v); + default: + return merge( + locales["ja-JP"], + locales["en-US"], + locales[`${lang}-${primaries[lang]}`] || {}, + v + ); + } + })()), + a + ), + {} +); diff --git a/package.json b/package.json index 42a18a33c..381884dcb 100644 --- a/package.json +++ b/package.json @@ -40,8 +40,8 @@ "@bull-board/ui": "5.2.0", "@napi-rs/cli": "^2.16.1", "@tensorflow/tfjs": "^3.21.0", - "js-yaml": "4.1.0", - "seedrandom": "^3.0.5" + "seedrandom": "^3.0.5", + "yaml": "^2.3.1" }, "devDependencies": { "@types/gulp": "4.0.10", diff --git a/packages/backend/package.json b/packages/backend/package.json index 2a19b916c..86ad0bace 100644 --- a/packages/backend/package.json +++ b/packages/backend/package.json @@ -75,7 +75,6 @@ "ioredis": "5.3.2", "ip-cidr": "3.0.11", "is-svg": "4.3.2", - "js-yaml": "4.1.0", "jsdom": "20.0.3", "jsonld": "8.2.0", "jsrsasign": "10.6.1", @@ -137,7 +136,8 @@ "uuid": "9.0.0", "web-push": "3.6.1", "websocket": "1.0.34", - "xev": "3.0.2" + "xev": "3.0.2", + "yaml": "^2.3.1" }, "devDependencies": { "@swc/cli": "^0.1.62", 
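Review bot: The two `reduce` calls that build `locales` and `locales_custom` no longer return the accumulator: each callback now evaluates to `(a[c] = yaml.parse(...)) || {}` and the second argument to `reduce` is the bare identifier `a`, which is not declared anywhere in this hunk (only line 1 lies outside it), so unless `a` exists elsewhere the module throws a ReferenceError at require time, and even with a defined `a` the result would be the last parsed document rather than the per-locale map. The old shape `(a, c) => ((a[c] = yaml.parse(...) || {}), a), {}` should be kept and only reformatted. The `forEach` bodies assign `locale = ...` and `customLocale = ...` without `const`, creating implicit globals where the old code reused the `file` parameter. Removing `clean()` also removes the U+0008 stripping that the deleted comment says was needed because backspace characters had turned up in these files and broke parsing; unless the locale files are known to be free of them, `yaml.parse` may reject such control characters, so the strip should survive the library swap.
```javascript
fs.readdirSync(__dirname).forEach((file) => {
	if (file.includes(".yml")) {
		const locale = file.slice(0, file.indexOf("."));
		languages.push(locale);
	}
});
// … unchanged: custom locale scan (same fix: `const customLocale = …`) …
// Backspace characters have been found in these files and break YAML parsing, so strip them.
const clean = (text) => text.replace(new RegExp(String.fromCodePoint(0x08), "g"), "");
const locales = languages.reduce(
	(a, c) => ((a[c] = yaml.parse(clean(fs.readFileSync(`${__dirname}/${c}.yml`, "utf-8"))) || {}), a),
	{}
);
const locales_custom = languages_custom.reduce(
	(a, c) => ((a[c] = yaml.parse(clean(fs.readFileSync(`${__dirname}/../custom/locales/${c}.yml`, "utf-8"))) || {}), a),
	{}
);
// … unchanged: Object.assign(locales, locales_custom) and module.exports …
```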
@@ -148,7 +148,6 @@ "@types/cbor": "6.0.0", "@types/escape-regexp": "0.0.1", "@types/fluent-ffmpeg": "2.1.20", - "@types/js-yaml": "4.0.5", "@types/jsdom": "20.0.1", "@types/jsonld": "1.5.8", "@types/jsrsasign": "10.5.4", diff --git a/packages/backend/src/config/load.ts b/packages/backend/src/config/load.ts index 9b8ee5edb..2ffe570b4 100644 --- a/packages/backend/src/config/load.ts +++ b/packages/backend/src/config/load.ts @@ -5,7 +5,7 @@ import * as fs from "node:fs"; import { fileURLToPath } from "node:url"; import { dirname } from "node:path"; -import * as yaml from "js-yaml"; +import { parse } from "yaml"; import type { Source, Mixin } from "./types.js"; const _filename = fileURLToPath(import.meta.url); @@ -32,7 +32,7 @@ export default function load() { "utf-8", ), ); - const config = yaml.load(fs.readFileSync(path, "utf-8")) as Source; + const config = parse(fs.readFileSync(path, "utf-8")) as Source; const mixin = {} as Mixin; diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index e1c51be05..f2eef2ca4 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -23,12 +23,12 @@ importers: '@tensorflow/tfjs': specifier: ^3.21.0 version: 3.21.0(seedrandom@3.0.5) - js-yaml: - specifier: 4.1.0 - version: 4.1.0 seedrandom: specifier: ^3.0.5 version: 3.0.5 + yaml: + specifier: ^2.3.1 + version: 2.3.1 devDependencies: '@types/gulp': specifier: 4.0.10 @@ -216,9 +216,6 @@ importers: is-svg: specifier: 4.3.2 version: 4.3.2 - js-yaml: - specifier: 4.1.0 - version: 4.1.0 jsdom: specifier: 20.0.3 version: 20.0.3 @@ -405,6 +402,9 @@ importers: xev: specifier: 3.0.2 version: 3.0.2 + yaml: + specifier: ^2.3.1 + version: 2.3.1 optionalDependencies: '@swc/core-android-arm64': specifier: 1.3.11 @@ -437,9 +437,6 @@ importers: '@types/fluent-ffmpeg': specifier: 2.1.20 version: 2.1.20 - '@types/js-yaml': - specifier: 4.0.5 - version: 4.0.5 '@types/jsdom': specifier: 20.0.1 version: 20.0.1 
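Review bot: In the load.ts hunk at `const config = parse(fs.readFileSync(path, "utf-8")) as Source;`, `parse` returns `any` and an empty or scalar-only document does not yield a mapping, so the `as Source` cast hides a missing or malformed config until a later property access fails with an unrelated TypeError. A guard right after the assignment such as `if (config == null || typeof config !== "object") throw new Error("config file is empty or not a YAML mapping");` would make the failure explicit; `load()` starts above and continues below this hunk. On the commit message's CVE reference: as far as I know CVE-2023-2251 is an uncaught-exception bug in the `yaml` package itself, fixed in 2.2.2, rather than a js-yaml issue, so the `^2.3.1` floor in package.json is what matters for this call and the lockfile should not be allowed to drift below it.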
@@ -3277,10 +3274,6 @@ packages: pretty-format: 27.5.1 dev: true - /@types/js-yaml@4.0.5: - resolution: {integrity: sha512-FhpRzf927MNQdRZP0J5DLIdTXhjLYzeUTmLAu69mnVksLH9CJY3IuSeEgbKUki7GQZm0WqDkGzyxju2EZGD2wA==} - dev: true - /@types/jsdom@20.0.1: resolution: {integrity: sha512-d0r18sZPmMQr1eG35u12FZfhIXNrnsPU/g5wvRKCUf/tOGilKKwYMYGqh33BNR6ba+2gkHw1EUiHoN3mn7E5IQ==} dependencies: @@ -15738,6 +15731,11 @@ packages: resolution: {integrity: sha512-2PTINUwsRqSd+s8XxKaJWQlUuEMHJQyEuh2edBbW8KNJz0SJPwUSD2zRWqezFEdN7IzAgeuYHFUCF7o8zRdZ0A==} dev: false + /yaml@2.3.1: + resolution: {integrity: sha512-2eHWfjaoXgTBC2jNM1LRef62VQa0umtvRiDSk6HSzW7RvS5YtkabJrwYLLEKWBc8a5U2PTSCs+dJjUTJdlHsWQ==} + engines: {node: '>= 14'} + dev: false + /yargs-parser@18.1.3: resolution: {integrity: sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==} engines: {node: '>=6'}