mirrors/signal-desktop
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 2 Wiki Activity Actions
6089 commits 1 branch 193 tags 8.7 GiB
Commit graph

23 commits

Author SHA1 Message Date
Scott Nonnenberg
e10ae03bb7
 		Create group link previews; don't open Signal links in browser first; allow ephemeral download of previously-error'd pack 2021-02-10 16:39:26 -06:00
Evan Hahn
8bfaf598af Add license headers across the project 2020-11-04 13:03:13 -06:00
Evan Hahn
f21dad1519 Mark long hrefs or those with invalid characters as sneaky 2020-10-12 18:10:08 -04:00
Evan Hahn
693deaebe8 Remove IP addresses from "sneaky" link detection 2020-10-12 18:10:08 -04:00
Evan Hahn
313faab774 Outbound link previews 2020-10-12 18:10:08 -04:00
Chris Svenningsen
8a2c17f65f Apply new ESLint rules to legacy code 2020-09-09 17:34:57 -07:00
Chris Svenningsen
5b1536cc02 Initial move towards new ESLint config supporting TS 
Co-authored-by: Sidney Keese <sidney@carbonfive.com>
 2020-09-01 17:11:16 -04:00
Evan Hahn
2e1e6e847a Widen the set of link previews which can be received 2020-09-01 17:10:18 -04:00
Evan Hahn
45d829e439 Improved link verification logic. 2020-08-28 15:42:24 -04:00
Ken Powers
980862768b Linkify URLs containing @ 2020-04-29 17:42:41 -07:00
Scott Nonnenberg
9ab54b9b83 Move web_api.js and js/modules/crypto.js to TypeScript 2020-04-15 14:44:51 -07:00
Ken Powers
f0028a5cfe Don't linkify invalid URLs 2020-02-19 15:22:37 -08:00
Scott Nonnenberg
f5be32ba14 Simplify linkification filter - check for ASCII/non-ASCII only 2019-12-18 14:45:11 -05:00
Scott Nonnenberg
8590a047c7 Change domain for sharing sticker packs 2019-11-13 19:12:36 -05:00
Disconnect3d
fa4b2d412f Fix SUPPORTED_MEDIA_DOMAINS regex whitelist (#3459) 
The `SUPPORTED_MEDIA_DOMAINS` regex whitelist, used to check if media link comes from trusted hosts is invalid. It does not expose a security risk or I couldn't find an example for such as of now, but if someone would add a subdomain host to it using the same pattern, it would.

A counter example below:
```js
const SUPPORTED_MEDIA_DOMAINS = /^([^.]+\.)*(ytimg.com|cdninstagram.com|redd.it|imgur.com|fbcdn.net|pinimg.com)$/i;

console.log('Testing redd.it: ' + SUPPORTED_MEDIA_DOMAINS.test('redd.it'));
console.log('Testing reddjit: ' + SUPPORTED_MEDIA_DOMAINS.test('reddjit'));
```

Output:
```
$ node example.js
Testing redd.it: true
Testing reddjit: true
```

---

To be more clear, if someone would extend the regex in the future with e.g. `media.redd.it`, an attacker would be able to create a `mediaXredd.it` domain and bypass the whitelist.

---

A visualisation of the incorrect regex can be found on https://regexper.com/#%5E%28%5B%5E.%5D%2B%5C.%29*%28ytimg.com%7Ccdninstagram.com%7Credd.it%7Cimgur.com%7Cfbcdn.net%7Cpinimg.com%29%24

The issue has been found with LGTM: https://lgtm.com/projects/g/signalapp/Signal-Desktop/snapshot/b626ef0b64bfa9867daff876a7cc680bc236897c/files/js/modules/link_previews.js?sort=name&dir=ASC&mode=heatmap#xdabadfc2bf20f0c3:1
 2019-07-16 13:28:16 -07:00
Ken Powers
29de50c12a Stickers 
Co-authored-by: scott@signal.org
Co-authored-by: ken@signal.org
 2019-05-16 16:10:37 -07:00
Michael Walker
4a8e0bd466 Add pinterest domain and asset domains for link preview support 
Co-authored-by: ken@signal.org
Co-authored-by: @cmswalker
 2019-05-16 15:43:29 -07:00
Scott Nonnenberg
b3ac1373fa Move left pane entirely to React 2019-03-12 17:44:14 -07:00
Scott Nonnenberg
ae161c6cf6 Update to Electron 4.x 2019-03-12 17:44:14 -07:00
Scott Nonnenberg
ae2db9f09a Improve handling for URLs composed of mixed character sets 2019-03-12 17:44:14 -07:00
Scott Nonnenberg
858c7e629f Fine-tune linkification technique for link previews 2019-02-11 18:32:05 -08:00
Scott Nonnenberg
0d7480bd92 A number of small fixes for Link Previews 2019-02-05 13:55:55 -08:00
Scott Nonnenberg
813924685e Link Previews 2019-01-29 13:53:14 -08:00