Merge pull request #1949 from marcschaeferger-org/fix-security/other

Fix multiple reported Security Issues
2026-01-28 22:00:51 +00:00 · 2025-12-06 11:24:01 -05:00
parent ccb17cdbbf 336d31ce39
commit dbc046397b
3 changed files with 5 additions and 4 deletions
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -1,6 +1,7 @@
 import { join } from "path";
 import { readFileSync } from "fs";
 import { db, resources, siteResources } from "@server/db";
+import { randomInt } from "crypto";
 import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import { __DIRNAME } from "@server/lib/consts";
@@ -99,10 +100,10 @@ export async function getUniqueExitNodeEndpointName(): Promise<string> {
 export function generateName(): string {
    const name = (
        names.descriptors[
-            Math.floor(Math.random() * names.descriptors.length)
+            randomInt(names.descriptors.length)
        ] +
        "-" +
-        names.animals[Math.floor(Math.random() * names.animals.length)]
+        names.animals[randomInt(names.animals.length)]
    )
        .toLowerCase()
        .replace(/\s/g, "-");
--- a/server/lib/validators.ts
+++ b/server/lib/validators.ts
@@ -68,7 +68,7 @@ export function isUrlValid(url: string | undefined) {
    if (!url) return true; // the link is optional in the schema so if it's empty it's valid
    var pattern = new RegExp(
        "^(https?:\\/\\/)?" + // protocol
-            "((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|" + // domain name
+            "(((?:[a-z\\d-]{1,61}[a-z\\d])\\.)+[a-z]{2,}|" + // domain name
            "((\\d{1,3}\\.){3}\\d{1,3}))" + // OR ip (v4) address
            "(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*" + // port and path
            "(\\?[;&a-z\\d%_.~+=-]*)?" + // query string