triplea-game / dice-server-js
The new TripleA dice server powered by Node.js
License: GNU Affero General Public License v3.0
Just noticed that the current MARTI allows the client to pass a custom subject for the mail being sent.
Of course we should limit it to a fixed amount of chars so this feature can't be abused to send spam.
Also user input should probably get escaped, just to be sure.
Note to myself:
The max and times parameter for rolls should be limited to 100 each, so we generate a number between 0 and 10000 per request, no more.
Just thought about it: The Front-End should currently be vulnerable to XSS.
Not really a security concern because this software doesn't use sensitive data like passwords and everything that could be done via an injected script could as well just be done using a normal request without any further authorization.
But really in the end parameter input should be sanitized, the HTML should be escaped.
The only thing to discuss is whether or not we should do the escaping in the actual template or the users.js module, both would be possible, liquid provides an easy "escape"-filter while node doesn't really have a built-in function for that but it would be a single place to fix everything at the cost of a potentially higher complexity for more complicated URL parameters.
I was thinking about this for quite some time now.
The "To: " field in the SMTP protocol allows a comma-separated list to send an email to multiple recipients at once.
I don't think there's a limit to this, so a maliciously crafted parameter could trick the server into sending a registration email to hundreds of people using just a single request.
Likely not what we want, even if this wouldn't even have a drawback for those people.
I haven't really found a definite answer to the question how one would escape such an input, MARTI simply splits an input string at whitespaces, not more and merges the resulting arrays afterwards, as if it's designed for more than 2 emails.
Ideas?
@ssoloff Unrelated to that:
I'm mostly done with the "backend" for now, it would be nice if you could have an in-depth look at the logic and escaping of user-input once I documented how the routes work, to make sure I haven't accidentally built in any obvious security-related design flaw.
The readme could use the following items to help document how to operate this dice server:
(readme audit ticket where we discussed what should be in each readme: triplea-game/triplea#3289)
Currently the server expects this sort of config:
email: {
display: {
server: {
protocol: 'http',
host: 'localhost',
port: 7654,
baseurl: '',
},
},
},
It would be much better if simply
email: {
display: {
server: 'http://localhost/'
},
},
could be used instead, all we do is append the path anyways
- error-handler.js file was my "might finish sometime" attempt to address this, haven't had the time.
- /api prefix: an html page based on the JSON should be displayed instead of the raw JSON
- config.json needs to be created manually, we should provide a setup command or something similar
- Math.random() to generate our numbers, but on crypto.randomBytes() instead.