В общем такое дело, я проспал закрытие своего хостера, сервера погашены, бэкапов нет. А там недавно сертификаты обновились по крону. Можно их как-то восстановить из старых или уже всё?
Я обнаружил странности в коде bastyon-chat, который интегрирует клиент Element и использует своё шифрование.
В src/application/pcrypto.js (ссылка) я обратил внимание на:
var salt = "PR7srzZt4EfcNb3s27grgmiG8aB9vYNV82";
Главная странность в этой функции (поправил форматирование для вставки):
var eaac = {
aeskeysls: function (time, block, users, v) {
if (!time) time = 0;
if (!block) {
if (!pcrypto.core.mtrx.kit.tetatetchat(chat)) {
block = 10;
} else {
block = pcrypto.currentblock.height;
}
}
var k = ((users ? 'ul+' + orderedIdsHash(users) : period(time)) + "-" + block) + '-' + (v || self.version);
var ek = `${lcachekey + pcrypto.user.userinfo.id}-${k}`
if (!lsspromises[ek]) {
lsspromises[ek] = ls.get(ek)
.then((keys) => {
const keysPrepared = convert.aeskeys.out(keys);
return { keys: keysPrepared, k };
})
.catch(async (e) => {
const keysPrepared = eaac.aeskeys(time, block, users, v);
if (self.preparedUsers(time).length > 1) {
const itemId = ek;
await ls
.set(itemId, convert.aeskeys.inp(keysPrepared))
.catch(() => { });
}
return { keys: keysPrepared, k };
}).finally(() => {
delete lsspromises[ek]
});
}
return lsspromises[ek]
},
aeskeys: function (time, block, users, v) {
if (!time) time = 0;
if (!block) block = pcrypto.currentblock.height;
return eaa.aeskeys(time, block, users, v);
},
};
И вызове этой функции в разных участках кода:
let { keys } = await eaac.aeskeysls(undefined, undefined, undefined, version || undefined);
В любом случае, это известные значения. Я не уверен только насчёт того, откуда берётся version в некоторых местах:
v = f.deep(event, "content.info.secrets.version") || f.deep(event, "content.info.secrets.v") ||
f.deep(event, "content.pbody.secrets.version") || f.deep(event, "content.pbody.secrets.v") || 1
С зависимостями тоже всё плохо:
$ npm audit
# npm audit report
axios <=0.21.1
Severity: high
Axios vulnerable to Server-Side Request Forgery - https://github.com/advisories/GHSA-4w2v-q235-vp99
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Depends on vulnerable versions of follow-redirects
No fix available
node_modules/@nelsonomuto/axios-request-timeout/node_modules/axios
@nelsonomuto/axios-request-timeout *
Depends on vulnerable versions of axios
node_modules/@nelsonomuto/axios-request-timeout
ejs <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix`
node_modules/ejs
webpack-bundle-analyzer 1.3.0 - 3.9.0
Depends on vulnerable versions of ejs
node_modules/@vue/cli-service/node_modules/webpack-bundle-analyzer
follow-redirects <=1.14.7
Severity: high
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
No fix available
node_modules/@nelsonomuto/axios-request-timeout/node_modules/follow-redirects
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @vue/cli-service@5.0.8, which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
webpack-dev-server 2.0.0-beta - 4.7.2
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of selfsigned
node_modules/webpack-dev-server
@vue/cli-service <=5.0.0-rc.3
Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
Depends on vulnerable versions of @vue/cli-plugin-router
Depends on vulnerable versions of @vue/cli-plugin-vuex
Depends on vulnerable versions of @vue/cli-shared-utils
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of globby
Depends on vulnerable versions of html-webpack-plugin
Depends on vulnerable versions of webpack-bundle-analyzer
Depends on vulnerable versions of webpack-dev-server
node_modules/@vue/cli-service
@vue/cli-plugin-babel 3.4.0 - 4.5.19
Depends on vulnerable versions of @vue/cli-service
Depends on vulnerable versions of @vue/cli-shared-utils
node_modules/@vue/cli-plugin-babel
@vue/cli-plugin-vuex <=4.5.19
Depends on vulnerable versions of @vue/cli-service
node_modules/@vue/cli-plugin-vuex
copy-webpack-plugin 5.0.1 - 5.1.2
Depends on vulnerable versions of glob-parent
node_modules/copy-webpack-plugin
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/globby
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install @vue/cli-service@5.0.8, which is a breaking change
node_modules/html-webpack-plugin/node_modules/json5
loader-utils <=1.4.0
Depends on vulnerable versions of json5
node_modules/html-webpack-plugin/node_modules/loader-utils
html-webpack-plugin 2.0.2 - 3.2.0
Depends on vulnerable versions of loader-utils
node_modules/html-webpack-plugin
node-forge <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install @vue/cli-service@5.0.8, which is a breaking change
node_modules/node-forge
selfsigned 1.1.1 - 1.10.14
Depends on vulnerable versions of node-forge
node_modules/selfsigned
node-sass 1.2.3 - 7.0.3
Severity: high
Improper Certificate Validation in node-sass - https://github.com/advisories/GHSA-r8f7-9pfq-mjmv
Depends on vulnerable versions of meow
Depends on vulnerable versions of node-gyp
Depends on vulnerable versions of request
Depends on vulnerable versions of sass-graph
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/node-sass
sass-loader 0.4.0-beta.1 - 6.0.7 || 8.0.0 - 10.2.1 || 11.0.0 - 12.3.0
Depends on vulnerable versions of node-sass
node_modules/sass-loader
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @vue/cli-service@5.0.8, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
@intervolga/optimize-cssnano-plugin >=1.0.2
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of cssnano-preset-default
node_modules/@intervolga/optimize-cssnano-plugin
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/request
@vue/cli-shared-utils <=4.5.19
Depends on vulnerable versions of request
node_modules/@vue/cli-shared-utils
@vue/cli-plugin-router <=4.5.19
Depends on vulnerable versions of @vue/cli-service
Depends on vulnerable versions of @vue/cli-shared-utils
node_modules/@vue/cli-plugin-router
node-gyp <=7.1.2
Depends on vulnerable versions of request
Depends on vulnerable versions of semver
Depends on vulnerable versions of tar
node_modules/node-gyp
scss-tokenizer <=0.4.2
Severity: high
Regular expression denial of service in scss-tokenizer - https://github.com/advisories/GHSA-7mwh-4pqv-wmr8
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/scss-tokenizer
sass-graph 2.2.0 - 4.0.0
Depends on vulnerable versions of scss-tokenizer
node_modules/sass-graph
semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/copy-webpack-plugin/node_modules/semver
node_modules/cross-spawn/node_modules/semver
node_modules/less/node_modules/semver
node_modules/node-gyp/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/semver
node_modules/terser-webpack-plugin/node_modules/semver
node_modules/ts-loader/node_modules/semver
swiper <6.5.1
Severity: critical
Prototype Pollution in swiper - https://github.com/advisories/GHSA-p3hc-fv2j-rp68
fix available via `npm audit fix --force`
Will install swiper@10.2.0, which is a breaking change
node_modules/swiper
vue-awesome-swiper <=4.1.1
Depends on vulnerable versions of swiper
node_modules/vue-awesome-swiper
tar <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/tar
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/tough-cookie
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
yaml 2.0.0-5 - 2.2.1
Severity: high
Uncaught Exception in yaml - https://github.com/advisories/GHSA-f9xv-q969-pqx4
fix available via `npm audit fix`
node_modules/yaml
45 vulnerabilities (1 low, 6 moderate, 28 high, 10 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Человеку свойственно ошибаться. Поэтому, если у кого-то есть желание поковыряться в коде, хотелось бы получить подтверждение или опровержение моих выводов относительно того, что шифрование скомпрометировано и сообщения можно дешифровать. Также не понятно, отключено ли оригинальное e2e шифрование Matrix в этой поделке.
Астероиды — простая 2D анти-стресс игра, в которой нужно стрелять из пушки по камням. Основная кампания длится около получаса, после чего игрок может продолжить на дополнительном блоке уровней «дзен». Желающие могут повысить для себя сложность, руководствуясь статистикой (например, не пропускать астероиды наверх). Игра вышла для Linux и Windows, но также доступна онлайн.
Установить игру можно следующим образом:
yay -S asteroids-bingodot --path ./path-to-sources. Им же можно запустить pck-файл: godot --main-pack ./Asteroids.pck.Игра написана на свободном движке Godot 3.5.1, а для создания ресурсов использовались Krita и LMMS.
Игра распространяется под лицензиями:
Вместе с игрой вышел инструмент сборки Godot-проектов для построения CI — godot-build, также распространяемый под свободной лицензией GNU GPLv3.
>>> Подробности
не смог осилить dpkg-buildpackage под арчем, в конечном итоге он стал ругаться на зависимости, которых нет, потому что это арч
есть ли способ сборки без секса? ci какой-нибудь? я не хочу ставить виртуалку и писать скрипты
нужно именно собрать сорцы и выгрузить через dput, а не просто скомпилить deb (это легко делается с помощью dpkg-deb)
Пока не хочу оформлять новость, нужно разгрести баги и опакетить игру, чтобы её было удобно устанавливать.
Игра нуждается в тесте. Например, я не знаю, нужно ли мне что-то исправить в уровнях. В общем, жду критику. За сервер извиняюсь, на нормальный денег нет.
Код под GPL v3.