From e4e62ff6bbf8d2ec72074f8976211cecabd86f36 Mon Sep 17 00:00:00 2001
From: JungYunji
Date: Thu, 24 Jul 2025 14:01:49 +0900
Subject: [PATCH 1/3] [Autofic] Create package.json and CI workflow
---
 .github/workflows/pr_notify.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/pr_notify.yml
diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml
new file mode 100644
index 0000000..2b34036
--- /dev/null
+++ b/.github/workflows/pr_notify.yml
@@ -0,0 +1,20 @@
+name: PR Notifier
+
+on:
+ pull_request:
+ types: [opened, reopened, closed]
+
+jobs:
+ notify:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Notify Discord
+ env:
+ DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+ run: |
+ curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL
+ - name: Notify Slack
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ run: |
+ curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL
From a774cc7e8cae48bd9589f679c7cc6c8f1d5056fd Mon Sep 17 00:00:00 2001
From: JungYunji
Date: Thu, 24 Jul 2025 14:01:56 +0900
Subject: [PATCH 2/3] [Autofic] 2 malicious code detected!!
---
 src/routes.js | 16 ++++++++++++++--
 src/server.js | 7 ++++---
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/routes.js b/src/routes.js
index de82ea4..1e5893d 100644
--- a/src/routes.js
+++ b/src/routes.js
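Review bot: Both `run:` steps in pr_notify.yml splice `${{ github.event.pull_request.title }}` and the author login directly into the shell command and into a hand-built JSON string, so a title containing a single quote or other shell metacharacters ends the quoted `-d` argument and the remainder is executed by the runner's shell; on `pull_request` events these fields are supplied by whoever opens the PR, including from forks. Pass the event fields through `env:` and let `jq` build the payload with every expansion quoted, as below for the Discord step (the Slack step needs the same treatment with its `text` key and `<url|title>` form). `curl` also runs without `-f`, so a rejected webhook call leaves the job green, and `$DISCORD_WEBHOOK_URL` is unquoted. Patch 3/3 deletes this file again, so this only matters wherever the workflow is kept.
```yaml
      - name: Notify Discord
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          PR_ACTION: ${{ github.event.action }}
        run: |
          payload="$(jq -cn --arg c "🔔 Pull Request [${PR_TITLE}](${PR_URL}) by ${PR_AUTHOR} - ${PR_ACTION}" '{content: $c}')"
          curl -fsS -H "Content-Type: application/json" -d "$payload" "$DISCORD_WEBHOOK_URL"
      # … unchanged: Notify Slack step, to be converted the same way …
```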
@@ -3,6 +3,14 @@ var util = require('util'); var _ = require('lodash'); var models = require('./models'); +var rateLimit = require('express-rate-limit'); + +// Rate limiter middleware +const createAccountLimiter = rateLimit({ + windowMs: 15 * 60 * 1000, // 15 minutes + max: 100, // limit each IP to 100 requests per windowMs + message: "Too many accounts created from this IP, please try again after 15 minutes" +}); /* * GET playnow. @@ -104,7 +112,7 @@ exports.signup = function(req, res) { * POST create-account. */ -exports.createAccount = function(req, res) { +exports.createAccount = [createAccountLimiter, function(req, res) { var reportError = function(msg) { req.flash('error', msg); return res.redirect('/signup'); @@ -112,6 +120,10 @@ exports.createAccount = function(req, res) { var username = req.body.username, password = req.body.password; + if (typeof username !== 'string' || typeof password !== 'string') { + return reportError('Invalid input type.'); + } + if (!username || !password) { return reportError('Both username and password are required.'); } else if (username.length < 2 || username.length > 32) { @@ -137,7 +149,7 @@ exports.createAccount = function(req, res) { return reportError('That username is already in use.'); } }); -}; +}]; /* * GET admin page. diff --git a/src/server.js b/src/server.js index 4b98537..4793a6b 100755 --- a/src/server.js +++ b/src/server.js @@ -3,7 +3,7 @@ var express = require('express'); var io = require('socket.io'); -var http = require('http'); +var https = require('https'); // Changed from http to https var helmet = require('helmet'); var path = require('path'); 
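Review bot: The new `require('express-rate-limit')` in the first routes.js hunk has no matching package.json or lockfile change anywhere in this series (the 1/3 diffstat lists only pr_notify.yml despite its subject line), so unless the package is already installed the server fails at startup with a module-not-found error; add it as a pinned dependency, `"express-rate-limit": "<PINNED-VERSION>"`, in the same change. The last routes.js hunk turns `exports.createAccount` from a function into the array `[createAccountLimiter, function …]`; `app.post(path, routes.createAccount)` accepts that, but any direct `routes.createAccount(req, res)` call (tests, other handlers) now breaks, so the route registration — outside this diff — should be checked. The limiter buckets by client IP by default, so if the app sits behind a reverse proxy it also needs Express's `trust proxy` setting or all clients may share one bucket. `max: 100` per 15 minutes is generous for a signup endpoint given the `message` text; a comment stating the intended budget, `// 100 signups / 15 min per IP — tune before production`, would make the number reviewable.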
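Review bot: `https.createServer(self.app)` in the `self.listen` hunk (@@ -59) is called with no `key`/`cert` options, so although the `require('https')` change here loads fine, the server will bind its port and then fail every TLS handshake — no client can connect. The certificate material has to be the first argument, e.g. `https.createServer({ key: fs.readFileSync(self.config.tlsKeyPath), cert: fs.readFileSync(self.config.tlsCertPath) }, self.app)` (config key names are placeholders to be matched to the project's config); `fs` would need requiring at the top of the file, and the existing comment about keeping Socket.IO's listen in the same block still applies. The trailing `// Changed from http to https` comments on both hunks describe the edit rather than the code and belong in the commit message, not the source.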
@@ -59,7 +59,7 @@ var SwiftCODE = function() { * Listen on the configured port and IP */ self.listen = function() { - self.server = http.createServer(self.app); + self.server = https.createServer(self.app); // Changed from http.createServer to https.createServer // Socket.IO server needs to listen in the same block as the HTTP // server, or you'll get listen EACCES errors (due to Node's context @@ -181,7 +181,8 @@ var SwiftCODE = function() { store: self.sessionstore, secret: self.config.sessionSecret, cookie: { - maxAge: 60 * 60 * 1000 // 1 hour + maxAge: 60 * 60 * 1000, // 1 hour + secure: true // Added secure attribute to cookies } })); self.app.use(flash()); From c2307e574de478a3ac4b99cd20a0341fb271041a Mon Sep 17 00:00:00 2001 From: JungYunji Date: Thu, 24 Jul 2025 14:02:15 +0900 Subject: [PATCH 3/3] chore: remove CI workflow before upstream PR --- .github/workflows/pr_notify.yml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 .github/workflows/pr_notify.yml diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml deleted file mode 100644 index 2b34036..0000000 --- a/.github/workflows/pr_notify.yml +++ /dev/null 
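Review bot: `secure: true` on the session cookie in the @@ -181 hunk is only honoured by express-session when it sees the request as HTTPS; that holds with the in-process https server, but if TLS is instead terminated by a reverse proxy the app must also call `self.app.set('trust proxy', 1)` or the cookie is never set and logins silently fail. Consider adding `sameSite: 'lax'` beside it so the session cookie is not sent on cross-site POSTs, with a short comment such as `// secure: only over TLS; sameSite: not sent on cross-site requests`. `httpOnly` is already express-session's default, so it does not need repeating. The `session({ … })` call this hunk edits begins outside the hunk.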
@@ -1,20 +0,0 @@
-name: PR Notifier
-
-on:
- pull_request:
- types: [opened, reopened, closed]
-
-jobs:
- notify:
- runs-on: ubuntu-latest
- steps:
- - name: Notify Discord
- env:
- DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL
- - name: Notify Slack
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL