From 63c96e7359fff1cbb6198ac0d684cff0cc675667 Mon Sep 17 00:00:00 2001
From: BoHong Li
Date: Fri, 12 Apr 2019 12:05:32 +0800
Subject: fix: upgrade sequelize to latest version to fix CVE
Signed-off-by: BoHong Li
---
 lib/models/user.js | 207 ++++++++++++++++++++++++++++---------------------------
 1 file changed, 103 insertions(+), 104 deletions(-)
(limited to 'lib/models/user.js')
diff --git a/lib/models/user.js b/lib/models/user.js
index 3daae45b..50c78108 100644
--- a/lib/models/user.js
+++ b/lib/models/user.js
@@ -52,119 +52,118 @@ module.exports = function (sequelize, DataTypes) { password: { type: Sequelize.TEXT } - }, { - instanceMethods: { - verifyPassword: function (attempt) { - return scrypt.verify(Buffer.from(this.password, 'hex'), attempt) + }) + + User.prototype.verifyPassword = function (attempt) { + return scrypt.verify(Buffer.from(this.password, 'hex'), attempt) + } + + User.associate = function (models) { + User.hasMany(models.Note, { + foreignKey: 'ownerId', + constraints: false + }) + User.hasMany(models.Note, { + foreignKey: 'lastchangeuserId', + constraints: false + }) + } + User.getProfile = function (user) { + if (!user) { + return null + } + return user.profile ? User.parseProfile(user.profile) : (user.email ? User.parseProfileByEmail(user.email) : null) + } + User.parseProfile = function (profile) { + try { + profile = JSON.parse(profile) + } catch (err) { + logger.error(err) + profile = null + } + if (profile) { + profile = { + name: profile.displayName || profile.username, + photo: User.parsePhotoByProfile(profile), + biggerphoto: User.parsePhotoByProfile(profile, true) } - }, - classMethods: { - associate: function (models) { - User.hasMany(models.Note, { - foreignKey: 'ownerId', - constraints: false - }) - User.hasMany(models.Note, { - foreignKey: 'lastchangeuserId', - constraints: false - }) - }, - getProfile: function (user) { - if (!user) { - return null - } - return user.profile ? User.parseProfile(user.profile) : (user.email ? 
User.parseProfileByEmail(user.email) : null) - }, - parseProfile: function (profile) { - try { - profile = JSON.parse(profile) - } catch (err) { - logger.error(err) - profile = null - } - if (profile) { - profile = { - name: profile.displayName || profile.username, - photo: User.parsePhotoByProfile(profile), - biggerphoto: User.parsePhotoByProfile(profile, true) - } - } - return profile - }, - parsePhotoByProfile: function (profile, bigger) { - var photo = null - switch (profile.provider) { - case 'facebook': - photo = 'https://graph.facebook.com/' + profile.id + '/picture' - if (bigger) photo += '?width=400' - else photo += '?width=96' - break - case 'twitter': - photo = 'https://twitter.com/' + profile.username + '/profile_image' - if (bigger) photo += '?size=original' - else photo += '?size=bigger' - break - case 'github': - photo = 'https://avatars.githubusercontent.com/u/' + profile.id - if (bigger) photo += '?s=400' - else photo += '?s=96' - break - case 'gitlab': - photo = profile.avatarUrl - if (photo) { - if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400') - else photo = photo.replace(/(\?s=)\d*$/i, '$196') - } else { - photo = generateAvatarURL(profile.username) - } - break - case 'mattermost': - photo = profile.avatarUrl - if (photo) { - if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400') - else photo = photo.replace(/(\?s=)\d*$/i, '$196') - } else { - photo = generateAvatarURL(profile.username) - } - break - case 'dropbox': - photo = generateAvatarURL('', profile.emails[0].value, bigger) - break - case 'google': - photo = profile.photos[0].value - if (bigger) photo = photo.replace(/(\?sz=)\d*$/i, '$1400') - else photo = photo.replace(/(\?sz=)\d*$/i, '$196') - break - case 'ldap': - photo = generateAvatarURL(profile.username, profile.emails[0], bigger) - break - case 'saml': - photo = generateAvatarURL(profile.username, profile.emails[0], bigger) - break - default: - photo = generateAvatarURL(profile.username) - break + } + return profile + } 
+ User.parsePhotoByProfile = function (profile, bigger) { + var photo = null + switch (profile.provider) { + case 'facebook': + photo = 'https://graph.facebook.com/' + profile.id + '/picture' + if (bigger) photo += '?width=400' + else photo += '?width=96' + break + case 'twitter': + photo = 'https://twitter.com/' + profile.username + '/profile_image' + if (bigger) photo += '?size=original' + else photo += '?size=bigger' + break + case 'github': + photo = 'https://avatars.githubusercontent.com/u/' + profile.id + if (bigger) photo += '?s=400' + else photo += '?s=96' + break + case 'gitlab': + photo = profile.avatarUrl + if (photo) { + if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400') + else photo = photo.replace(/(\?s=)\d*$/i, '$196') + } else { + photo = generateAvatarURL(profile.username) } - return photo - }, - parseProfileByEmail: function (email) { - return { - name: email.substring(0, email.lastIndexOf('@')), - photo: generateAvatarURL('', email, false), - biggerphoto: generateAvatarURL('', email, true) + break + case 'mattermost': + photo = profile.avatarUrl + if (photo) { + if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400') + else photo = photo.replace(/(\?s=)\d*$/i, '$196') + } else { + photo = generateAvatarURL(profile.username) } - } + break + case 'dropbox': + photo = generateAvatarURL('', profile.emails[0].value, bigger) + break + case 'google': + photo = profile.photos[0].value + if (bigger) photo = photo.replace(/(\?sz=)\d*$/i, '$1400') + else photo = photo.replace(/(\?sz=)\d*$/i, '$196') + break + case 'ldap': + photo = generateAvatarURL(profile.username, profile.emails[0], bigger) + break + case 'saml': + photo = generateAvatarURL(profile.username, profile.emails[0], bigger) + break + default: + photo = generateAvatarURL(profile.username) + break } - }) + return photo + } + User.parseProfileByEmail = function (email) { + return { + name: email.substring(0, email.lastIndexOf('@')), + photo: generateAvatarURL('', email, false), + 
biggerphoto: generateAvatarURL('', email, true) + } + } - function updatePasswordHashHook (user, options, done) { + function updatePasswordHashHook (user, options) { // suggested way to hash passwords to be able to do this asynchronously: // @see https://github.com/sequelize/sequelize/issues/1821#issuecomment-44265819 - if (!user.changed('password')) { return done() } - scrypt.kdf(user.getDataValue('password'), { logN: 15 }).then(keyBuf => { + if (!user.changed('password')) { + return Promise.resolve() + } + + return scrypt.kdf(user.getDataValue('password'), { logN: 15 }).then(keyBuf => { user.setDataValue('password', keyBuf.toString('hex')) - done() }) } -- cgit v1.2.3
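Review bot: `User.prototype.verifyPassword` hands `this.password` straight to `Buffer.from(..., 'hex')`, so a user row with no stored hash — the `password` column is declared only as `type: Sequelize.TEXT` with no `allowNull: false` visible, and the model also carries OAuth `profile`/`email` fields — makes a login attempt throw a TypeError rather than fail closed with a false result. A guard before the `scrypt.verify` call, `if (!this.password) return Promise.resolve(false)`, keeps the method's result a boolean promise, assuming `scrypt.verify` is promise-returning as the `scrypt.kdf(...).then(...)` chain in `updatePasswordHashHook` suggests; please confirm against the scrypt module in use. Since `updatePasswordHashHook` now returns the kdf promise instead of calling `done`, a kdf rejection propagates to the hook runner, so the registration site (outside this hunk) should be checked to ensure the failed save is surfaced rather than silently dropped. The enclosing `module.exports = function (sequelize, DataTypes)` starts and ends outside the hunk.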