Commit Graph

99 Commits

Author SHA1 Message Date
Anders Kaseorg 68cfcd6446 CVE-2020-9444: Prevent reverse tabnabbing attacks.
While we could fix this issue by changing the markdown processor,
doing so is not a robust solution, because even a momentary bug in the
markdown processor could allow cached messages that do not follow our
security policy.

This change ensures that even if our markdown processor has bugs that
result in rendered content that does not properly follow our policy of
using rel="noopener noreferrer" on links, we'll still do something
reasonable.

Co-authored-by: Tim Abbott <tabbott@zulipchat.com>
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-04-01 14:01:45 -07:00
Anders Kaseorg dbffb2a614 js: Convert _.extend to spread syntax or Object.assign.
This is not always a behavior-preserving translation: _.extend mutates
its first argument.  However, the code does not always appear to have
been written to expect that.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-25 14:09:39 -08:00
shubhamgupta2956 a05f633fc1 util: Replace util.set_message_topic().
Replace `util.set_message_topic(message, topic)` with `message.topic =
topic`.

Fixes #13931
2020-02-21 09:53:45 -05:00
shubhamgupta2956 efda2684ea util: Replace util.get_message_topic().
Replace `util.get_message_topic(message)` with `message.topic`.

Fixes #13931
2020-02-21 09:53:45 -05:00
Steve Howell cb91b7f312 util: Kill off set_topic_links/get_topic_links.
These functions were just shims that were
used in the somewhat painful migration from
subject_* to topic_*.

The commit 4572be8c27
fixed it so that the client never needs to
deal with "subject_links".

So now we just go back to simpler code:

    message.topic_links = links
    links = message.topic_links
2020-02-15 21:15:48 +00:00
Steve Howell 39405fccdc util: Prepare to remove get_message_topic().
I am not quite ready to declare victory on
the subject/topic migration, but we are super
close.  In this commit I bump a blueslip
warning to a blueslip error, so that we'll
be notified of any codepath that is still
using the janky fall-back-to-subject defensive
code here.

If we go a couple days without any errors, then
we can remove the blueslip warning and the
defensive code immediately and then inline
the callers at our leisure.  I wouldn't be
wildly against keeping these wrappers in some
parts of the code, but that debate is out of
the scope of this immediate fix, and I haven't
thought hard about it yet.

We can basically sweep set_message_topic() now,
if we wanted to, since it's truly just a one-liner.
(At one point it was encapsulating something
like `message.subject = foo`).

This required a tiny change to compose_fade
test setup.
2020-02-15 21:14:00 +00:00
Steve Howell c9a52411ae util: Kill off rtrim() helper.
I am 99% sure we can rely on trimRight() and
trim() being available in all browsers that
we support.  I verified in FF.

This removes the util dependency from both
modules touched here.
2020-02-15 12:20:20 -08:00
Steve Howell 9ab07d1038 util.js: Remove util from window.
We now treat util like a leaf module and
use "require" to import it everywhere it's used.

An earlier version of this commit moved
util into our "shared" library, but we
decided to wait on that.  Once we're ready
to do that, we should only need to do a
simple search/replace on various
require/zrequire statements plus a small
tweak to one of the custom linter checks.

It turns out we don't really need util.js
for our most immediate code-sharing goal,
which is to reuse our markdown code on
mobile.  There's a little bit of cleanup
still remaining to break the dependency,
but it's minor.

The util module still calls the global
blueslip module in one place, but that
code is about to be removed in the next
few commits.

I am pretty confident that once we start
sharing things like the typeahead code
more aggressively, we'll start having
dependencies on util.  The module is barely
more than 300 lines long, so we'll probably
just move the whole thing into shared
rather than break it apart.  Also, we
can continue to nibble away at the
cruftier parts of the module.
2020-02-15 12:20:20 -08:00
Anders Kaseorg 207a734d46 util: Remove unused escape_html function.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-13 17:50:59 -08:00
Anders Kaseorg 146f5cd600 util: Convert selected_hash from object to Set.
Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-12 10:39:01 -08:00
Anders Kaseorg 4948240619 js: Convert _.filter(a, …) to a.filter(…).
And convert the corresponding function expressions to arrow style
while we’re here.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-10 14:08:12 -08:00
Anders Kaseorg ac7b09d57e js: Convert _.map(a, …) to a.map(…).
And convert the corresponding function expressions to arrow style
while we’re here.

import * as babelParser from "recast/parsers/babel";
import * as recast from "recast";
import * as tsParser from "recast/parsers/typescript";
import { builders as b, namedTypes as n } from "ast-types";
import K from "ast-types/gen/kinds";
import fs from "fs";
import path from "path";
import process from "process";

const checkExpression = (node: n.Node): node is K.ExpressionKind =>
  n.Expression.check(node);

for (const file of process.argv.slice(2)) {
  console.log("Parsing", file);
  const ast = recast.parse(fs.readFileSync(file, { encoding: "utf8" }), {
    parser: path.extname(file) === ".ts" ? tsParser : babelParser,
  });
  let changed = false;

  recast.visit(ast, {
    visitCallExpression(path) {
      const { callee, arguments: args } = path.node;
      if (
        n.MemberExpression.check(callee) &&
        !callee.computed &&
        n.Identifier.check(callee.object) &&
        callee.object.name === "_" &&
        n.Identifier.check(callee.property) &&
        callee.property.name === "map" &&
        args.length === 2 &&
        checkExpression(args[0]) &&
        checkExpression(args[1])
      ) {
        const [arr, fn] = args;
        path.replace(
          b.callExpression(b.memberExpression(arr, b.identifier("map")), [
            n.FunctionExpression.check(fn) ||
            n.ArrowFunctionExpression.check(fn)
              ? b.arrowFunctionExpression(
                  fn.params,
                  n.BlockStatement.check(fn.body) &&
                    fn.body.body.length === 1 &&
                    n.ReturnStatement.check(fn.body.body[0])
                    ? fn.body.body[0].argument || b.identifier("undefined")
                    : fn.body
                )
              : fn,
          ])
        );
        changed = true;
      }
      this.traverse(path);
    },
  });

  if (changed) {
    console.log("Writing", file);
    fs.writeFileSync(file, recast.print(ast).code, { encoding: "utf8" });
  }
}

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-10 14:08:12 -08:00
Anders Kaseorg 719546641f js: Convert a.indexOf(…) !== -1 to a.includes(…).
Babel polyfills this for us for Internet Explorer.

import * as babelParser from "recast/parsers/babel";
import * as recast from "recast";
import * as tsParser from "recast/parsers/typescript";
import { builders as b, namedTypes as n } from "ast-types";
import K from "ast-types/gen/kinds";
import fs from "fs";
import path from "path";
import process from "process";

const checkExpression = (node: n.Node): node is K.ExpressionKind =>
  n.Expression.check(node);

for (const file of process.argv.slice(2)) {
  console.log("Parsing", file);
  const ast = recast.parse(fs.readFileSync(file, { encoding: "utf8" }), {
    parser: path.extname(file) === ".ts" ? tsParser : babelParser,
  });
  let changed = false;

  recast.visit(ast, {
    visitBinaryExpression(path) {
      const { operator, left, right } = path.node;
      if (
        n.CallExpression.check(left) &&
        n.MemberExpression.check(left.callee) &&
        !left.callee.computed &&
        n.Identifier.check(left.callee.property) &&
        left.callee.property.name === "indexOf" &&
        left.arguments.length === 1 &&
        checkExpression(left.arguments[0]) &&
        ((["===", "!==", "==", "!=", ">", "<="].includes(operator) &&
          n.UnaryExpression.check(right) &&
          right.operator == "-" &&
          n.Literal.check(right.argument) &&
          right.argument.value === 1) ||
          ([">=", "<"].includes(operator) &&
            n.Literal.check(right) &&
            right.value === 0))
      ) {
        const test = b.callExpression(
          b.memberExpression(left.callee.object, b.identifier("includes")),
          [left.arguments[0]]
        );
        path.replace(
          ["!==", "!=", ">", ">="].includes(operator)
            ? test
            : b.unaryExpression("!", test)
        );
        changed = true;
      }
      this.traverse(path);
    },
  });

  if (changed) {
    console.log("Writing", file);
    fs.writeFileSync(file, recast.print(ast).code, { encoding: "utf8" });
  }
}

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2020-02-10 14:08:12 -08:00
Vishnu KS 4572be8c27 api: Rename subject_links to topic_links.
Fixes #13588
2020-02-07 14:35:22 -08:00
Vaibhav Raj Singh 1fa46b1963 compose: Improved warning for wildcard mentions.
Edited the warning to clearly state that most members/most stream members
will be notified on using wildcard mentions, along with the specific
mention (e.g. @ALL, @everyone and @stream).

Did a separate check for all wildcard mentions in util.js and stored the
corresponding mention in wildcard_mention inside compose.js.

Fixes: #13636
2020-01-31 12:24:35 -08:00
Steve Howell 8c0b0092a9 Extract util.escape_html. 2020-01-30 13:11:32 -08:00
Steve Howell 16ae53890b refactor: Move util.prefix_sort to typeahead.triage. 2020-01-28 12:48:02 -08:00
Steve Howell d3e961e179 performance: Improve prefix_sort.
We only convert the query to lowercase outside the
loop for an Nx speedup, where N = number of items.

And then we use startsWith instead of indexOf, which
means we don't senselessly search entire strings
for matches.

(We've had startsWith polyfills for a while now.)

Unfortunately, unless a string start with the
exact casing of the query, we still create an
entire lowercase copy of the string for the case
insensitive match.  For the English use case
(and many other languages), we could further
optimize this by slicing the string before
converting it to lowercase.

Unfortunately, you have languages like German
with the straße/STRASSE problem.  It's not clear
to me how we handle them with the current code,
but I don't want to break that yet.
2020-01-28 13:49:03 +00:00
Steve Howell 10e75e6df5 refactor: Clean up prefix_sort get_item usage.
We use the nice es6 syntax to create the get_item
helpers (in the callers and for the default
value in the function).

Also we use better es6 style for the looping.
2020-01-28 13:07:25 +00:00
Anders Kaseorg 28f3dfa284 js: Automatically convert var to let and const in most files.
This commit was originally automatically generated using `tools/lint
--only=eslint --fix`.  It was then modified by tabbott to contain only
changes to a set of files that are unlikely to result in significant
merge conflicts with any open pull request, excluding about 20 files.
His plan is to merge the remaining changes with more precise care,
potentially involving merging parts of conflicting pull requests
before running the `eslint --fix` operation.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
2019-11-03 12:42:39 -08:00
Anders Kaseorg d17b577d0c js: Purge useless IIFEs.
With webpack, variables declared in each file are already file-local
(Global variables need to be explicitly exported), so these IIFEs are
no longer needed.

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
2019-10-25 13:51:21 -07:00
Nikhil-Vats 38be5ea743 message_edit_history: Add UI for seeing topic edits.
Users can previously see only message content edits, this will enable
them to see topic edits too in the same section, fixes #3731.

Fixes #3731.
2019-03-25 15:10:47 -07:00
Steve Howell 37c78abe14 frontend: Use topic on message.
This seems like a small change (apart from all the
test changes), but it fundamentally changes how
the app finds "topic" on message objects.  Now
all code that used to set "subject" now sets "topic"
on message-like objects.  We convert incoming messages
to have topic, and we write to "topic" all the way up
to hitting the server (which now accepts "topic" on
incoming endpoints).

We fall back to subject as needed, but the code will
emit a warning that should be heeded--the "subject"
field is prone to becoming stale for things like
topic changes.
2019-01-07 19:20:56 -08:00
Steve Howell 0c668d13b6 subject -> topic: Make get_event_topic() more flexible. 2019-01-01 20:52:10 -08:00
Steve Howell dc5321fed3 message_edit: Add util.get_edit_event_topic(). 2018-12-29 14:14:43 -08:00
Steve Howell 9b4f804fd1 message_edit: Add util.get_edit_event_orig_topic().
This extracts this bit of parsing logic for message_edit events.
2018-12-29 14:14:40 -08:00
Steve Howell 773e85309c topics: Make util more flexible about subject/topic. 2018-12-29 11:40:57 -08:00
Steve Howell 4e0969bb49 Rename util.set_topic -> set_message_topic(). 2018-12-29 11:38:39 -08:00
Steve Howell 4b2181ffa2 Rename util.get_topic -> get_message_topic().
The specific name will help us when we fully cut
over to "topic" on message objects.
2018-12-29 11:38:39 -08:00
Steve Howell 2fdb44803d filter: Eliminate a few "subject" references.
This continues the effort to isolate "subject" references
to util calls.

Also, we fix a comment.

Finally, we use canonicalized operators in a switch
statement.
2018-12-29 11:38:39 -08:00
Steve Howell 057ee6633a reload: Use "topic" to encode compose topic. 2018-12-16 11:26:18 -08:00
Steve Howell 9861cdfeb6 drafts: Use "topic" internally.
We still have to support "subject" for old drafts,
but we write "topic" for new drafts.
2018-12-16 11:26:18 -08:00
Steve Howell 68d81cb25b subject -> topic: Fix respond_to_message(). 2018-11-16 11:11:40 -08:00
Steve Howell 82b9f2a3db subject -> topic: Fix create_message_object(). 2018-11-16 11:11:40 -08:00
Steve Howell 55362263dd Isolate/eliminate uses of "match_subject". 2018-11-16 11:05:43 -08:00
Steve Howell 89c278d1e5 Isolate/eliminate use of "subject_links".
For message groups, I just changed the internal name
to "topic_links".

For uses of "subject_links" that are tied to how the
server names fields, I introduced these wrappers:

    * util.set_topic_links(obj, topic_links)
    * util.get_topic_links(obj)

These can be used for either messages or events.
2018-11-16 11:05:43 -08:00
Steve Howell 95490e98c9 Break emoji_picker dependency inside util.js.
We don't need util.js to be depending on emoji_picker.js.

The function emoji_prefix_sort is only used
in typeahead_helper, so I just moved the implemenation
to there.
2018-08-04 07:59:42 -07:00
Armaan Ahluwalia 6d255efe4c app: Prepare JS files for consumption by webpack.
This commit prepares the frontend code to be consumed by webpack.

It is a hack: In theory, modules should be declaring and importing the
modules they depend on and the globals they expose directly.

However, that requires significant per-module work, which we don't
really want to block moving our toolchain to webpack on.

So we expose the modules by setting window.varName = varName; as
needed in the js files.
2018-07-05 10:53:36 +02:00
Shubham Dhama 80a2d5bc59 eslint: Enable `conditionalAssign` config of no-trailing-spaces rule. 2018-06-11 07:51:24 -04:00
Shubham Dhama dcb6254a4e eslint: Enable `no-extra-parens` rule.
Following sub-configuration is disabled:
                "nestedBinaryExpressions": false,
2018-06-11 07:51:24 -04:00
Shubham Padia f6f4a3f50a browser-support: Replace occurrences of `.includes` in static/js/*.
Fixes #9649.
`.includes` is not supported in Internet Explorer.
Replace `.includes` with `.indexOf() !== -1`.
2018-06-03 14:30:22 -07:00
Tim Abbott 4d0e64ee41 js: Fix some invalid whitespace.
These were detected using eslint.
2018-05-06 12:38:44 -07:00
Steve Howell 76b97d8b54 refactor: Add util.sorted_ids().
We borrowed this from typing_data.js and gave it a slightly
different name (sorted -> sorted_ids).
2018-05-02 09:16:24 -07:00
Utkarsh Patil 955d03b8a0 emoji: Prefix sort for emojis.
Emoji prefix sort for "popular emojis first". Fixes #7625.
2018-04-21 22:28:45 -07:00
Shubham Dhama b650b6b38c markdown: Add @stream as an alias for @all.
Fixes: #8930.
2018-04-09 16:35:14 -07:00
Shubham Dhama a32e1eb913 markdown: Require double-asterisk around all mentions.
This enforces `**` around all the mentions including "at-all" and
"at-everyone" mentions. Hence this makes `@all` and `@everyone`
invalid mentions, resulting into proper syntax for these mentions as
`@**all**` and `@**everyone**` respectively.

Note from tabbott: This removes an old feature/syntax, which made
sense back when @Tim was also a way to mention a user with Tim as
their first name.  Given how nice typeahead is now, the user part of
the feature was removed a while ago; this should have gone at the same
time.

Fixes: #8143.
2018-02-16 11:45:08 -08:00
Cory Lynch b13265d135 util: Remove execute_early.
This function was removed in favor of loading everything in
ui_init.js. The asynchronous nature of jQuery 3 document-ready
events may cause an undesirable order in which these are executed.
2017-07-04 13:54:33 -07:00
Tejas Kasetty 27009e9708 util.js: Fix prefix_sort logic to not mutate input.
In prefix sort, shifting of objs list to iterate through the elements
caused the 'emoji_show_list' to be emptied each time it was passed as
argument for sorting.

This modifies prefix sort to prevent it from modifying the objs list passed
as argument - changed it to normal iteration rather than popping
the elements from objs list.
2017-06-07 21:54:07 -07:00
Joshua Pan ccd880094e util.js: Refactor util.strcmp into util.make_strcmp. 2017-06-07 19:45:46 -05:00
Joshua Pan 73ea9079b9 Move preview_node() to blueslip.js. 2017-06-07 19:45:46 -05:00