iarv/gitea-mirror
1
0
Fork 1
mirror of https://github.com/RayLabsHQ/gitea-mirror.git synced 2026-03-28 17:42:38 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix security alerts

Browse Source
This commit is contained in:
Arunavo Ray
2026-03-18 20:10:31 +05:30
parent 5f77fceaca
commit 9d131b9a09
4 changed files with 33 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
Dockerfile
View File

@@ -2,7 +2,7 @@
FROM oven/bun:1.3.10-debian AS base FROM oven/bun:1.3.10-debian AS base
WORKDIR /app WORKDIR /app
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get -y upgrade && apt-get install -y --no-install-recommends \
python3 make g++ gcc wget sqlite3 openssl ca-certificates \ python3 make g++ gcc wget sqlite3 openssl ca-certificates \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
@@ -28,7 +28,7 @@ RUN bun install --production --omit=peer --frozen-lockfile
# ---------------------------- # ----------------------------
# Build git-lfs from source with patched Go to resolve Go stdlib CVEs # Build git-lfs from source with patched Go to resolve Go stdlib CVEs
FROM debian:trixie-slim AS git-lfs-builder FROM debian:trixie-slim AS git-lfs-builder
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get -y upgrade && apt-get install -y --no-install-recommends \
wget ca-certificates git make \ wget ca-certificates git make \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
ARG GO_VERSION=1.25.8 ARG GO_VERSION=1.25.8
@@ -50,7 +50,7 @@ RUN git clone --branch "v${GIT_LFS_VERSION}" --depth 1 https://github.com/git-lf
# ---------------------------- # ----------------------------
FROM oven/bun:1.3.10-debian AS runner FROM oven/bun:1.3.10-debian AS runner
WORKDIR /app WORKDIR /app
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get -y upgrade && apt-get install -y --no-install-recommends \
git wget sqlite3 openssl ca-certificates \ git wget sqlite3 openssl ca-certificates \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
COPY --from=git-lfs-builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs COPY --from=git-lfs-builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs

6
bun.lock
View File

@@ -83,7 +83,7 @@
"overrides": { "overrides": {
"@esbuild-kit/esm-loader": "npm:tsx@^4.21.0", "@esbuild-kit/esm-loader": "npm:tsx@^4.21.0",
"devalue": "^5.6.4", "devalue": "^5.6.4",
"fast-xml-parser": "^5.5.5", "fast-xml-parser": "^5.5.6",
"node-forge": "^1.3.3", "node-forge": "^1.3.3",
"rollup": ">=4.59.0", "rollup": ">=4.59.0",
"svgo": "^4.0.1", "svgo": "^4.0.1",
@@ -957,9 +957,9 @@
"fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="], "fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="],
"fast-xml-builder": ["fast-xml-builder@1.1.3", "", { "dependencies": { "path-expression-matcher": "^1.1.3" } }, "sha512-1o60KoFw2+LWKQu3IdcfcFlGTW4dpqEWmjhYec6H82AYZU2TVBXep6tMl8Z1Y+wM+ZrzCwe3BZ9Vyd9N2rIvmg=="], "fast-xml-builder": ["fast-xml-builder@1.1.4", "", { "dependencies": { "path-expression-matcher": "^1.1.3" } }, "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg=="],
"fast-xml-parser": ["fast-xml-parser@5.5.5", "", { "dependencies": { "fast-xml-builder": "^1.1.3", "path-expression-matcher": "^1.1.3", "strnum": "^2.1.2" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-NLY+V5NNbdmiEszx9n14mZBseJTC50bRq1VHsaxOmR72JDuZt+5J1Co+dC/4JPnyq+WrIHNM69r0sqf7BMb3Mg=="], "fast-xml-parser": ["fast-xml-parser@5.5.6", "", { "dependencies": { "fast-xml-builder": "^1.1.4", "path-expression-matcher": "^1.1.3", "strnum": "^2.1.2" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-3+fdZyBRVg29n4rXP0joHthhcHdPUHaIC16cuyyd1iLsuaO6Vea36MPrxgAzbZna8lhvZeRL8Bc9GP56/J9xEw=="],
"fdir": ["fdir@6.5.0", "", { "peerDependencies": { "picomatch": "^3 || ^4" }, "optionalPeers": ["picomatch"] }, "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg=="], "fdir": ["fdir@6.5.0", "", { "peerDependencies": { "picomatch": "^3 || ^4" }, "optionalPeers": ["picomatch"] }, "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg=="],

2
package.json
View File

@@ -46,7 +46,7 @@
"overrides": { "overrides": {
"@esbuild-kit/esm-loader": "npm:tsx@^4.21.0", "@esbuild-kit/esm-loader": "npm:tsx@^4.21.0",
"devalue": "^5.6.4", "devalue": "^5.6.4",
"fast-xml-parser": "^5.5.5", "fast-xml-parser": "^5.5.6",
"node-forge": "^1.3.3", "node-forge": "^1.3.3",
"svgo": "^4.0.1", "svgo": "^4.0.1",
"rollup": ">=4.59.0" "rollup": ">=4.59.0"

28
src/lib/notification-service.ts
View File

@@ -6,6 +6,31 @@ import { db, configs } from "@/lib/db";
import { eq } from "drizzle-orm"; import { eq } from "drizzle-orm";
import { decrypt } from "@/lib/utils/encryption"; import { decrypt } from "@/lib/utils/encryption";
function sanitizeTestNotificationError(error: unknown): string {
if (!(error instanceof Error)) {
return "Failed to send test notification";
}
const safeErrorPatterns = [
/topic is required/i,
/url and token are required/i,
/unknown provider/i,
/bad request/i,
/unauthorized/i,
/forbidden/i,
/not found/i,
/timeout/i,
/network error/i,
/invalid/i,
];
if (safeErrorPatterns.some((pattern) => pattern.test(error.message))) {
return error.message;
}
return "Failed to send test notification";
}
/** /**
* Sends a notification using the configured provider. * Sends a notification using the configured provider.
* NEVER throws -- all errors are caught and logged. * NEVER throws -- all errors are caught and logged.
@@ -63,8 +88,7 @@ export async function testNotification(
} }
return { success: true }; return { success: true };
} catch (error) { } catch (error) {
const message = error instanceof Error ? error.message : String(error); return { success: false, error: sanitizeTestNotificationError(error) };
return { success: false, error: message };
} }
} }