16 changes: 14 additions & 2 deletions src/routes.js
Expand Up @@ -3,6 +3,14 @@
var util = require('util');
var _ = require('lodash');
var models = require('./models');
var rateLimit = require('express-rate-limit');

// Rate limiter middleware
const createAccountLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // limit each IP to 100 requests per windowMs
message: "Too many accounts created from this IP, please try again after 15 minutes"
});

/*
* GET playnow.
Expand Down Expand Up @@ -104,14 +112,18 @@ exports.signup = function(req, res) {
* POST create-account.
*/

exports.createAccount = function(req, res) {
exports.createAccount = [createAccountLimiter, function(req, res) {
var reportError = function(msg) {
req.flash('error', msg);
return res.redirect('/signup');
};
var username = req.body.username,
password = req.body.password;

if (typeof username !== 'string' || typeof password !== 'string') {
return reportError('Invalid input type.');
}

if (!username || !password) {
return reportError('Both username and password are required.');
} else if (username.length < 2 || username.length > 32) {
Expand All @@ -137,7 +149,7 @@ exports.createAccount = function(req, res) {
return reportError('That username is already in use.');
}
});
};
}];

/*
* GET admin page.
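Review bot: The limiter added in the first hunk (createAccountLimiter, lines 31-35) is keyed by req.ip by default, so when this app runs behind a reverse proxy its effect depends on Express's `trust proxy` setting, which this diff does not touch: without it every client shares the proxy's address in one bucket, and with it the forwarded header decides the key. I would record that in the config comment, e.g. `// Keyed by req.ip; behind a reverse proxy, app.set('trust proxy', ...) must be configured so the client address, not the proxy's, is limited`. The message text also says "accounts created" while the counter increments on every POST, including ones rejected by validation, so a reader could assume it counts successful signups only; rewording it to `"Too many signup attempts from this IP, please try again after 15 minutes"` matches what is measured. The createAccount body continues outside the second and third hunks.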
7 changes: 4 additions & 3 deletions src/server.js
Expand Up @@ -3,7 +3,7 @@

var express = require('express');
var io = require('socket.io');
var http = require('http');
var https = require('https'); // Changed from http to https
var helmet = require('helmet');

var path = require('path');
Expand Down Expand Up @@ -59,7 +59,7 @@ var SwiftCODE = function() {
* Listen on the configured port and IP
*/
self.listen = function() {
self.server = http.createServer(self.app);
self.server = https.createServer(self.app); // Changed from http.createServer to https.createServer

// Socket.IO server needs to listen in the same block as the HTTP
// server, or you'll get listen EACCES errors (due to Node's context
Expand Down Expand Up @@ -181,7 +181,8 @@ var SwiftCODE = function() {
store: self.sessionstore,
secret: self.config.sessionSecret,
cookie: {
maxAge: 60 * 60 * 1000 // 1 hour
maxAge: 60 * 60 * 1000, // 1 hour
secure: true // Added secure attribute to cookies
}
}));
self.app.use(flash());
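Review bot: `https.createServer(self.app)` in the second hunk creates a TLS server with no key or certificate, so the process will start but cannot complete a handshake; https.createServer takes an options object first, and the app should load the material from its configuration, e.g. `self.server = https.createServer({ key: fs.readFileSync(TLS_KEY_PATH /* placeholder: from self.config */), cert: fs.readFileSync(TLS_CERT_PATH /* placeholder: from self.config */) }, self.app);` (with `fs` required at the top if it is not already). This matters for the third hunk too: with `secure: true` the session cookie is only sent over TLS, so if the server cannot actually serve HTTPS every session silently breaks; if TLS is instead terminated at a proxy, the https change should be reverted and `trust proxy` configured so Express still treats the connection as secure. The `// Changed from http to https` style comments restate the diff rather than explain the code and belong in the commit message. self.listen's body continues past the second hunk.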