The `SUPPORTED_MEDIA_DOMAINS` regex whitelist, used to check if media link comes from trusted hosts is invalid. It does not expose a security risk or I couldn't find an example for such as of now, but if someone would add a subdomain host to it using the same pattern, it would.
A counter example below:
```js
const SUPPORTED_MEDIA_DOMAINS = /^([^.]+\.)*(ytimg.com|cdninstagram.com|redd.it|imgur.com|fbcdn.net|pinimg.com)$/i;
console.log('Testing redd.it: ' + SUPPORTED_MEDIA_DOMAINS.test('redd.it'));
console.log('Testing reddjit: ' + SUPPORTED_MEDIA_DOMAINS.test('reddjit'));
```
Output:
```
$ node example.js
Testing redd.it: true
Testing reddjit: true
```
---
To be more clear, if someone would extend the regex in the future with e.g. `media.redd.it`, an attacker would be able to create a `mediaXredd.it` domain and bypass the whitelist.
---
A visualisation of the incorrect regex can be found on https://regexper.com/#%5E%28%5B%5E.%5D%2B%5C.%29*%28ytimg.com%7Ccdninstagram.com%7Credd.it%7Cimgur.com%7Cfbcdn.net%7Cpinimg.com%29%24
The issue has been found with LGTM: b626ef0b64/files/js/modules/link_previews.js (xdabadfc2bf20f0c3):1
* Add new requiredProtocolVersion field to DataMessage
* Message.requiredProtocolVersion, warning if version mot supported
* Update strings; limit width; new left pane preview text
* Handle incoming padded attachments
* Attachments v2 - multipart form POST, and direct CDN GET access
* Pad outgoing attachments before encryption (disabled for now)
Remove Android length warning
Handle incoming long message attachments
Show long download pending status in message bubble
Fix the width of the smallest spinner
Remove Android length warning from HTML templates
Also:
- visually distinguish any reference we couldn't verify on receipt
- show toast on quote click if we can't scroll to message
- toast visuals redesigned to match rest of app
Quite a few other fixes, including:
- Sending to contact with no avatar yet (not synced from mobile)
- Left pane doesn't update quickly or at all on new message
- Left pane doesn't show sent or error status
Also:
- Contributing.md: Ensure set of linux dev dependencies is complete
Also:
- New schema version 8 with video/image thumbnails, screenshots, sizes
- Upgrade messages not at current schema version when loading messages
to show in conversation
- New MessageDetail react component
- New ConversationHeader react component
UI now in separate renderer:
- the permissions popup
- settings dialog
- debug log dialog
- about window
Couple bug fixes:
- About Window: Fix 'escape' to close window
- Remove outdated dist/copy tasks from Gruntfile
Eslintified settings_view.js
For an easier implementation, we change our original definition of
`initializeAttachmentMetadata`. This means we have to re-run it marked as
version 6 and mark schema version 5 as deprecated as its definition has changed.
We missed a couple directories with previous attempts to turn this on
globally: app/ and libtextsecure/
Not to mention files in places we didn't expect: ts files that weren't
in the ts directory!
This turns prettier on for every file we care about (js, ts, tsx, md)
everywhere in the project but for a few key parts.
When indexing message attachment metadata using numeric indexes such as:
```javascript
{
conversationId: '+12223334455',
received_at: 123,
attachments: […],
numAttachments: 2,
},
{
conversationId: '+12223334455',
received_at: 456,
attachments: [],
numAttachments: 0,
}
{
conversationId: '+12223334455',
received_at: 789,
attachments: [],
numAttachments: 1,
}
```
It creates an index as follows:
```
[conversationId, received_at, numAttachments]
['+12223334455', 123, 2]
['+12223334455', 456, 0]
['+12223334455', 789, 1]
```
This means a query such as…
```
lowerBound: ['+12223334455', 0, 1 ]
upperBound: ['+12223334455', Number.MAX_VALUE, Number.MAX_VALUE]
```
…will return all three original entries because they span the `received_at`
from `0` through `Number.MAX_VALUE`. One workaround is to index booleans using
`1 | undefined` where `1` is included in the index and `undefined` is not, but
that way we lose the ability to query for the `false` value. Instead, we flip
adjust the index to `[conversationId, hasAttachments, received_at]` and can
then query messages with attachments using
```
[conversationId, 1 /* hasAttachments */, 0 /* received_at */]
[conversationId, 1 /* hasAttachments */, Number.MAX_VALUE /* received_at */]
```
- messages.getQuoteObjectUrl: early return
- backup.js: explaining variables for long if statement
- types/messages.js: Log if thumbnail has neither data nor path
- sendmessage.js:
- remove extraneous logging
- fix indentation
- upload attachments and thumbnails in parallel
- preload: don't load fs for tests, just fse
- _conversation.scss: split two selectors into two lines, 0px -> 0
- backup_test.js: use fse.existsSync and comment twoSlashes regex
- network_tests_view_test.js: Comment duplicate assignment to window.getSocketStatus
1. MessageReceiver always pulls down thumbnails included in quotes
2. Message.upgradeSchema has a new schema that puts all thumbnails on
disk just like happens with full attachments.
3. handleDataMessage pipes quote from dataMessage into the final message
destined for the database
Quite a bit of change here.
First, the basics:
- New dependencies were added: react, typescript, tslint, and react-styleguidist
- A new npm script: transpile. It uses typescript to process .tsx files in js/react, putting .js files next to the original file. It's part of the watch functionality of grunt dev as well as the default task run with just grunt (used to build the app prior to release). A lighter-weight to get watch behavior when just working on React components is to run yarn transpile --watch.
- yarn run clean-transpile will remove generated .js files
Style guide via react-styleguidist. Example site: https://react-styleguidist.js.org/examples/basic/
- Start with yarn styleguide
- Component.md files right next to the .tsx file
- jsdoc-style comments are picked up and added to the generated part of the styleguide - the overall summary and a table listing methods and properties of the component
- It has hot-reloading!
- It uses webpack, which means that our app now pulls in webpack though we don't use it to generate anything for the production app.
- I did a bunch of work to enable the use of Backbone views in this context, which will allow us to move smoothly from the old world to the new. First, add all the permutations in the old way, and then slowly start to re-render those same views with React.
A bit of dependency cleanup to enable use in React components:
- moment was moved from our Bower dependencies to our npm dependencies, so it can be used in React components not running in a browser window.
- i18n was moved into the new commonjs format, so it can be used in React components even if window is not available.
Lastly, a bit of Gruntfile cleanup:
- Removal of Chrome App-era modifications of background.js
- Make jshint/jscs watch more targeted, since more and more we'll be using other tools
Introduce placeholder migrations for Backbone models so they never implicitly
run migrations whenever they are `fetch`ed. We prefer to run our migrations
explicitly upon app startup and then let Backbone models be (slightly) dumb(er)
models, without inadvertently triggering migrations.