michalspacek.cz's Issues

Migrate away from Font Awesome

Font Awesome is an awesome font icon collection but

  1. requires payment or attribution
  2. it's quite a lot of JS/CSS (I extract the icons used to make the size smaller but still)
  3. sometimes causes flickering when icons are loaded
  4. missing icons are detected too late (no easy static analysis possible)

I should migrate away from it, I quite like @zraly's Humbleicons. They're SVG, can be embedded in HTML & MIT-licensed (although it's not mentioned on the site itself).

Need to explore whether the Humbleicons collection has all icons I use, or whether there are some viable alternatives. Currently, I use these icons, as extracted with spaze/fa-extract:

Used icons: array (
  'fas' =>
  array (
    0 => 'asterisk',
    1 => 'bolt',
    2 => 'calendar',
    3 => 'check',
    4 => 'coins',
    5 => 'external-link-square-alt',
    6 => 'flag',
    7 => 'images',
    8 => 'key',
    9 => 'link',
    10 => 'map-marker-alt',
    11 => 'microphone',
    12 => 'moon',
    13 => 'plus',
    14 => 'project-diagram',
    15 => 'rss-square',
    16 => 'sun',
    17 => 'tag',
    18 => 'tags',
    19 => 'times',
    20 => 'video',
    21 => 'wifi',
  ),
  'far' =>
  array (
    0 => 'comment',
    1 => 'comment-alt',
  ),
  'fab' =>
  array (
    0 => 'creative-commons',
    1 => 'creative-commons-by',
  ),
)

Pulse Passwords history only shows the first history record

For example:

[image]

but all the HTML is there:

[image]

this is because here

const element = this.dataset.open
	? document.querySelector(this.dataset.open)
	: this.parentElement.nextElementSibling.matches('.expandable')
		? this.parentElement.nextElementSibling
		: null;

the nextElementSibling matches only the next sibling, and not all next siblings. Will have to write some more code to get all next siblings and remove the hidden attribute from all of them

Introduced in #105 which was to close #99.
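An added example, not code from the site itself: the lookup quoted above only ever yields the one element `nextElementSibling` returns, so only the first `.expandable` sibling is revealed. `expandFollowing()` below walks the whole sibling chain instead and strips `hidden` from every matching sibling (pass `this.parentElement` from the click handler). To keep it runnable outside a browser, a constructed minimal element model (`makeEl`, `chain`) stands in for real DOM nodes; on real elements the two functions work unchanged.

```javascript
// Constructed stand-in for a DOM element: only the members the logic uses.
function makeEl(className, hidden) {
	return {
		className,
		hidden,
		nextElementSibling: null,
		matches(selector) { return selector === '.' + this.className; },
		removeAttribute(name) { if (name === 'hidden') this.hidden = false; },
	};
}

// Link elements as consecutive siblings; returns the first one.
function chain(...els) {
	for (let i = 0; i < els.length - 1; i++) {
		els[i].nextElementSibling = els[i + 1];
	}
	return els[0];
}

// Behaviour of the original line: at most one element, the direct next sibling.
function firstExpandable(anchor) {
	const next = anchor.nextElementSibling;
	return next !== null && next.matches('.expandable') ? next : null;
}

// Fix: reveal every following sibling that matches `.expandable`.
// Also guards against a missing next sibling, which the original line did not.
function expandFollowing(anchor) {
	const revealed = [];
	for (let el = anchor.nextElementSibling; el !== null; el = el.nextElementSibling) {
		if (el.matches('.expandable')) {
			el.removeAttribute('hidden');
			revealed.push(el);
		}
	}
	return revealed;
}
```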

upstream sent more data than specified in "Content-Length" header while reading upstream

My /var/log/nginx/error.log contains a lot of

2021/12/29 07:36:55 [warn] 2119123#2119123: *27 upstream sent more data than specified in "Content-Length" header while reading upstream, client: 127.0.0.1, server: michalspacek.cz, request: "GET /exporty/clanky HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.1-fpm-michalspacek.cz.sock:", host: "www.michalspacek.cz"

The URL works fine, it's just that there's a lot of those in the log.

After a lot of experimentation, I was able to reproduce it with

curl -si --http1.1 --header "if-modified-since: Sat, 26 Jan 2022 20:29:14 GMT" --header "accept-encoding: gzip" https://www.michalspacek.cz/exporty/clanky

(All those options are required as specified, except the date, which needs to be specified in a way that triggers HTTP 304, and the accept-encoding: gzip header can be replaced with the --compressed option).

Running:

PHP 8.1.0 (cli) (built: Nov 25 2021 20:22:03) (NTS)

nginx version: nginx/1.21.5

As strange as it seems, it looks like nginx requires the Content-Length header from upstream when using gzip/deflate compression, and PHP/the framework doesn't send it for HTTP 304 responses. Adding the header in the framework's lastModified method here

public function isModified($lastModified = null, string $etag = null): bool

would be doable but there's some exception for sending Content-Length header with compression enabled here:

} elseif (strcasecmp($name, 'Content-Length') === 0 && ini_get('zlib.output_compression')) {
// ignore, PHP bug #44164

and this would need to be changed and possibly the exception removed if the bug doesn't apply anymore in supported PHP versions.

Or compression can be disabled for 304s.

TypeError `UpcKeys::__construct()`: Argument #1 must be of type `RouterInterface`, array given

Partial stack trace:

File: .../srv/www/michalspacek.cz/site/app/UpcKeys/UpcKeys.php:36

26:        /** @var RouterInterface[] */
27:        private array $routers;
28:    
29:        /** @var string[]|null */
30:        private ?array $prefixes = null;
31:    
32:        /** @var array<string, array<int, string>>|null */
33:        private ?array $modelsWithPrefixes = null;
34:    
35:    
36:        public function __construct(RouterInterface ...$routers)
37:        {
38:            foreach ($routers as $router) {
39:                $this->routers[$router::class] = $router;
40:            }
.../temp/cache/nette.configurator/Container_109e499896.php:2782
2772:    
2773:    
2774:        public function createService0126(): MichalSpacekCz\UpcKeys\Ubee
2775:        {
2776:            return new MichalSpacekCz\UpcKeys\Ubee($this->getService('database.upcKeys.context'), 'Ubee EVW3226', ['UAAP']);
2777:        }
2778:    
2779:    
2780:        public function createService0127(): MichalSpacekCz\UpcKeys\UpcKeys
2781:        {
2782:            return new MichalSpacekCz\UpcKeys\UpcKeys(routers: [$this->getService('0125'), $this->getService('0126')]);
2783:        }
2784:    
2785:    
2786:        public function createService0128(): MichalSpacekCz\User\Manager

I think this started after updating nette/di in #93, there was a change in handling variadics in 3.1.2.

Previously, the generated container looked like:

	public function createService0127(): MichalSpacekCz\UpcKeys\UpcKeys
	{
		return new MichalSpacekCz\UpcKeys\UpcKeys($this->getService('0125'), $this->getService('0126'));
	}

now it looks like

	public function createService0127(): MichalSpacekCz\UpcKeys\UpcKeys
	{
		return new MichalSpacekCz\UpcKeys\UpcKeys(routers: [$this->getService('0125'), $this->getService('0126')]);
	}

PHPStan Latte `$level++`

The app is running PHPStan on level 8 for quite some time already (5cc25c4) and now even on level 9 #147, so let's see how far I can bring the Latte extensions.

PHPStan Latte Levels and PRs:

Lnil:

L0:

L1:

L2:

L3:

L4:

L5:

L6:

L7:

L8:

L9:

+ Bleeding Edge:

Some 🐛🐛🐛 discovered later by for example newer versions of the PHPStan Latte extension

Scanning alert - Token-Permissions

Blog post preview in admin throws 500

Typed property MichalSpacekCz\Articles\Blog\BlogPost::$edits must not be accessed before initialization
File: .../Articles/Blog/BlogPostPreview.php:34

A regression introduced in #137 commit 18b1d2a, here:

-		$template->edits = $post->postId ? $this->blogPosts->getEdits($post->postId) : [];
+		$template->edits = $post->postId ? $post->edits : [];
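Review bot: the `+` line reads `$post->edits` directly, but the 500 above shows `BlogPost::$edits` is a typed property that is not always initialized when the preview is rendered, so the `$post->postId ?` guard no longer protects the access. Either give `$edits` a default of `[]` in `BlogPost` or keep the previous `$this->blogPosts->getEdits($post->postId)` call on the preview path, and cover the preview with a test for a post whose edits were never loaded.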

GitHub Actions deprecations

GitHub is deprecating and subsequently removing some Actions functionality I use, see for example these workflow run annotations.

  1. "Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16" ("We plan to migrate all actions to run on Node16 by Summer 2023.")
     Should update these actions:
     • actions/checkout (to 3.0+)
     • actions/cache (to 3.0+)
     • actions/upload-artifact (to 3.1.1+)
  2. "The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/" (Resolved in actions/upload-artifact 3.1.1, updating to that or newer version will remove the warnings)
  3. "The save-state command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/" (This is resolved in actions/cache 3.0.11, updating as per 1. will remove the annotation warnings)

GitHub Actions deprecations part II

In #37/#39 I've upgraded some GitHub Actions to not throw deprecation warnings but some actions are still using those deprecated commands and runtimes:

These should be upgraded too, once their new versions become available.

DOM XSS sink when previewing a blog post

DOM XSS sink here:

preview.innerHTML = data.formatted;

The report

{
    "blockedURL": "trusted-types-sink",
    "columnNumber": 23,
    "disposition": "report",
    "documentURL": "https://admin.michalspacek.cz/blog/edit/74",
    "effectiveDirective": "require-trusted-types-for",
    "lineNumber": 207,
    "originalPolicy": "require-trusted-types-for 'script'; report-uri https://plz.report-uri.com/r/default/csp/enforce; report-to default",
    "referrer": "https://admin.michalspacek.cz/blog",
    "sample": "Element innerHTML|<div id=\"header-icons\">\n\t<div>\n<svg xmln",
    "sourceFile": "https://www.michalspacek.cz/i/build/zG-zkuF9IZW6XMjdV7Tl2ALNoo7Rdp59drTXxSR5AOo.js",
    "statusCode": 200
}

Remove init from the custom Latte linter script

Once moved to Latte 3.0.1 or newer, remove the initialization part from latte-lint

pcntl_signal(SIGINT, function (): void {
	pcntl_signal(SIGINT, SIG_DFL);
	echo "Terminated\n";
	exit(1);
});

Because it has been moved to the Linter class here nette/latte@58f9974

This can also be removed then

disallowedFunctionCalls:
	# local disallowed-calls.neon
	-
		function: 'pcntl_*()'
		allowIn:
			- bin/latte-lint.php

Certmonitor false positive errors for newly issued certs

Certmonitor started throwing errors for newly issued certificates:

2023-07-05T04:52:34+02:00 xss.sk ERROR: Logged certificate's notAfter (2023-10-01T13:28:25+02:00, in 88 days) doesn't match 52.211.207.55 certificate's notAfter (2023-10-01T13:28:25+00:00, in 88 days)

That's a regression introduced in #155 commit da519cb, here:

-			$start = NetteDateTime::from($cert['start']);
-			$expiry = NetteDateTime::from($cert['expiry']);

and here:

+					'not_before' => $cert->getNotBefore(),
+					'not_after' => $cert->getNotAfter(),
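Review bot: `'not_before' => $cert->getNotBefore()` and `'not_after' => $cert->getNotAfter()` replace values that were previously built with `NetteDateTime::from(...)`, and the error above shows the two sides now carry different offsets (+02:00 vs +00:00) for the same wall-clock time, because the logged values are stored without a timezone and the server runs in Europe/Prague. Normalize both sides to UTC (or compare Unix timestamps) before the notAfter comparison, and run the certificate test with `date.timezone` set to a non-UTC zone so this class of mismatch is caught.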

The server is running with timezone Europe/Prague set, not UTC, so the timezone was lost with that change. Logged certificates don't have timestamp saved with their not before/not after.

Scanning alert - Pinned-Dependencies

Tracking issue for:

`TrustedScriptURL` required for PGP encryption

After #96, when visiting https://www.michalspacek.cz/pgp, Chrome says

xEaskxPEAg5Szxqu7HN-bNgegbp8vkqEhZ9a56vVXy8.js:37 [Report Only] This document requires 'TrustedScriptURL' assignment.

This is where I load OpenPGP.js asynchronously, when clicking the Encrypt button, or focusing the text area etc.:

[image]

[image]

script element's src attribute is considered a DOM XSS injection sink, so either a TrustedScriptURL object created by createScriptURL() is required or the loading should be refactored somehow.

I could start using Trusted Types but would need to still support browsers that do not yet support it (e.g. Firefox) but frankly, this isn't a user input as such (although I understand why the violation is triggered) so I'd rather not complicate it.

Maybe just moving the <script> tag from <head> and loading both encryption.js & openpgp.js at the bottom of the page would be enough.

This way, each page visit would load openpgp.js as opposed to loading it only when clicking the button/the textarea, but it wouldn't block the renderer. Bandwidth-wise, I've saved a lot more by dropping jQuery in #57.
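An added example, not the site's own code, serving both this issue and the innerHTML preview sink reported under "DOM XSS sink when previewing a blog post" above: one Trusted Types policy that guards both sinks (`createHTML` for the preview markup, `createScriptURL` for the dynamically created `<script>` src), with a fallback that applies the same checks and returns plain strings in browsers without Trusted Types. The policy name `site-sinks`, the allowed script origin and the `stripScripts` stand-in sanitizer are assumptions constructed for this example.

```javascript
function makeSinkPolicy(trustedTypes, allowedScriptOrigin, sanitizeHtml) {
	const rules = {
		// innerHTML sink: everything passes through the caller's sanitizer hook.
		createHTML: (input) => sanitizeHtml(String(input)),
		// script.src sink: resolve against our own origin, refuse any other origin.
		createScriptURL: (input) => {
			const url = new URL(String(input), allowedScriptOrigin);
			if (url.origin !== allowedScriptOrigin) {
				throw new TypeError('script URL not on allowed origin: ' + url.origin);
			}
			return url.href;
		},
	};
	// With `require-trusted-types-for 'script'` and no `trusted-types` directive
	// (as in the report above), any policy name is accepted by the browser.
	if (trustedTypes && typeof trustedTypes.createPolicy === 'function') {
		return trustedTypes.createPolicy('site-sinks', rules);
	}
	// Browsers without Trusted Types (e.g. Firefox at the time): same checks,
	// plain strings instead of TrustedHTML / TrustedScriptURL objects.
	return rules;
}

// The two sinks from the issues, rewritten to go through the policy.
function renderPreview(policy, container, html) {
	container.innerHTML = policy.createHTML(html);
	return container.innerHTML;
}

function loadScript(policy, doc, src) {
	const script = doc.createElement('script');
	script.src = policy.createScriptURL(src); // throws before any load on a bad origin
	doc.body.appendChild(script);
	return script.src;
}

// Constructed stand-in sanitizer for the demo: drops <script> elements only.
// A deployment would plug a real HTML sanitizer in here.
function stripScripts(html) {
	return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// In a page: window.trustedTypes is used when present, otherwise the fallback.
const sitePolicy = makeSinkPolicy(globalThis.trustedTypes, 'https://www.michalspacek.cz', stripScripts);
```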

Private methods cannot be final on PHP 8.3.2

Running tests on PHP 8.3.2 gives:

-- FAILED: Tls/CertificateFactoryTest.phpt
   Exited with error code 255 (expected 0)

   Warning: Private methods cannot be final as they are never overridden by other classes in /home/runner/work/michalspacek.cz/michalspacek.cz/site/vendor/nette/di/src/DI/Config/Helpers.php on line 19

   Warning: Private methods cannot be final as they are never overridden by other classes in /home/runner/work/michalspacek.cz/michalspacek.cz/site/vendor/nette/schema/src/Schema/Helpers.php on line 19

See php/php-src#13177 & php/php-src#12857

This was fixed in nette/utils 4.0.4 by just removing the final keyword nette/utils@fba3961 (which is valid, see the PHP bugs).

SessionSection __get/__set etc. deprecated

nette/http 3.2 has deprecated magic accessors & ArrayAccess in SessionSection. I've updated to the version in #52.

Psalm (#205) detects it, and shows the info when executed as ./vendor/bin/psalm.phar --show-info=true:

INFO: DeprecatedMethod - app/Www/Presenters/TrainingsPresenter.php:119:15 - The method Nette\Http\SessionSection::__get has been marked as deprecated (see https://psalm.dev/001)
                                $session->application,

Enable Latte strict parsing

With

latte:
	strictParsing: true

in here somewhere

latte:
	strictTypes: true

Also enable strict mode for the linter, there's a new constructor param now:
nette/latte@10a57e1#diff-7bddd570477ad9caaa114109f50c895a48508b1b966b7dae4ae67dad34e5bb48R28

And also the script uses the --strict param:
nette/latte@57ed322
which I should probably also add to the workflow file, possibly hardcoded.

See https://blog.nette.org/en/latte-news-linter-and-strict-mode

PHPStan Latte feedback

Hi, we are collecting interesting errors which phpstan-latte found in our applications. I want to ask you if there were some real bugs found or just some annoying errors which meant you had to rewrite your working app.

ShouldNotHappenException No original request where 404 should be returned

After #155, MichalSpacekCz\ShouldNotHappenException: No original request is thrown in

throw new ShouldNotHappenException('No original request');

When visiting URLs like https://www.michalspacek.cz/.env

This is because previously a different exception was thrown and caught:

throw new InvalidLinkException('No request');
