Commit Graph

50 Commits

Author SHA1 Message Date
gnuxie
58e36d4e23 Factor out protected rooms config management from Mjolnir.
The combination of `resyncJoinedRooms`, `unprotectedWatchedListRooms`,
`explicitlyProtectedRoomIds`, `protectedJoinedRoomIds` was incomprehensible.
https://github.com/matrix-org/mjolnir/issues/370

Separating out the management of `explicitlyProtectedRoomIds`, then
making sure all policy lists have to be explicitly protected
(in either setting of `config.protectAllJoinedRooms`) will make
this code much much simpler.
We will later change the `status` command to explicitly show
which lists are watched and which are watched and protected.
2022-10-19 15:21:51 +01:00
Gnuxie
f5a1a39861
audit yarn.lock (#356)
### Auditing the lock file

```
npm install --package-lock-only
npm audit fix
rm yarn.lock
yarn import
```

```
npm audit

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix`
node_modules/nanoid
node_modules/postcss/node_modules/nanoid
  mocha  8.2.0 - 9.1.4
  Depends on vulnerable versions of nanoid
  node_modules/mocha

5 vulnerabilities (2 moderate, 3 critical)

To address all issues, run:
  npm audit fix
```

### minimist

minimist@1.2.5
used by mocha, tslint and matrix-bot-sdk@0.5.19

via
```
MatrixClient::replyHtmlText
MatrixClient::replyHtmlNotice
MatrixClient::sendHtmlNotice
MatrixClient::sendHtmlTex
```

none of which we use.

### nanoid

As for nanoid this is used by mocha.
It's also used by postcss vis the bot sdk

```
├─┬ matrix-bot-sdk@0.5.19
│ └─┬ sanitize-html@2.7.1
│   └─┬ postcss@8.4.16
│     ├── nanoid@3.3.4

```
though unless i'm missing something nanoid@3.3.4 doesn't fit into the vulnerable versions  `3.0.0 - 3.1.30`


### json-schema

As for json-schema, it is used by jsprim@1.4.2 within 'validateJsonObjectJS'.
fortunately we depend on jsprim via the http-signatures@1.2.0 package which only use jsprim for rfc1123.
(which request depends upon in the matrix-bot-sdk).

```
├─┬ matrix-bot-sdk@0.5.19
│ ├─┬ request@2.88.2
│ │ ├─┬ http-signature@1.2.0
│ │ │ ├─┬ jsprim@1.4.2
│ │ │ │ ├── json-schema@0.4.0
2022-08-16 18:49:33 +01:00
Jess Porter
4376679b99
load config yaml manually, remove more references to static config (#347) 2022-08-16 15:51:18 +01:00
David Teller
cb34af02c6
Revert "Fix: roomMemberTest off-by-one error (#319)" (#323)
This reverts commit d8aac434f1.
2022-07-05 15:29:01 +02:00
David Teller
d8aac434f1
Fix: roomMemberTest off-by-one error (#319) 2022-07-05 14:38:53 +02:00
Jonathan de Jong
cc9f393ed7
fix CI (#282)
ts-mocha has also been updated to make running locally possible (else it gives a confusing error that tsconfig.json is not "json" or the likes)
2022-05-03 11:20:40 +01:00
dependabot[bot]
31ef9065da
Bump minimist from 1.2.5 to 1.2.6 (#260)
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6.
- [Release notes](https://github.com/substack/minimist/releases)
- [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6)

---
updated-dependencies:
- dependency-name: minimist
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-03-25 10:05:23 +00:00
David Teller
e05616b327
New command !mjolnir since <date or duration> <kick | ban | show> <limit> [reason] [...rooms] (#238)
A new command `since` to affect all users who have joined a protected room since a given date.
2022-03-21 10:39:15 +01:00
David Teller
26ae55cd24
A command to show when users in a given room have joined (#225) 2022-03-07 11:34:25 +01:00
David Teller
82a2e63d23
A room Protection designed to measure lag in a room (#217) 2022-02-24 13:43:31 +01:00
gnuxie
9e96d399c0 Remove axios from the test suite, it is unnecessary.
It's probably also got problems.
2022-01-25 18:22:34 +00:00
dependabot[bot]
4490f9ba82 Bump follow-redirects from 1.14.4 to 1.14.7
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.4 to 1.14.7.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.14.4...v1.14.7)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-17 12:22:15 +01:00
David Teller
a21415a04c
Give the ability to moderators to react quickly to /report abuse reports. (#137) 2021-11-09 13:15:49 +01:00
David Teller
06e5f00b2d
Intercept /report and display human-readable abuse reports in the moderation room - Resolves #38 (#135)
* Intercept /report and display human-readable abuse reports in the moderation room - Resolves #38
2021-10-07 14:42:08 +02:00
gnuxie
ac075fd22e Remove dependencies from old test harness 2021-09-27 15:33:15 +01:00
gnuxie
b0ee846534 Update package.json and yarn.lock to include harness dependencies. 2021-09-24 18:25:27 +01:00
Travis Ralston
7ca0b2d39b Clean up lockfile 2021-08-17 09:26:47 -06:00
Travis Ralston
37031764ac
Merge pull request #117 from matrix-org/yoric/delete-rooms-api
Replace shutdown_room API with DELETE /_synapse/admin/v1/rooms/<room_…
2021-08-17 09:23:55 -06:00
David Teller
62b30b19d9 Replace shutdown_room API with DELETE /_synapse/admin/v1/rooms/<room_id> - Resolves #76, closes #96
As per https://github.com/matrix-org/synapse/issues/9052, shutdown_room is going away, to be replaced with DELETE /_synapse/admin/v1/rooms/<room_id>.
2021-08-17 12:54:24 +02:00
dependabot[bot]
4401cd9637
Bump path-parse from 1.0.6 to 1.0.7
Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases)
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

---
updated-dependencies:
- dependency-name: path-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-08-11 12:33:46 +00:00
Travis Ralston
ff4cbc018f Update matrix-bot-sdk and use request cleaning function 2021-07-01 15:11:27 -06:00
Travis Ralston
d7bacad85c Update packages 2021-07-01 13:45:28 -06:00
Neil Middleton
793c9304e0
Merge branch 'nm/jun21-dependency-update' into dependabot/npm_and_yarn/y18n-4.0.3 2021-06-24 16:40:50 +01:00
Neil Middleton
c85b922343
Merge pull request #2 from neilmiddleton/dependabot/npm_and_yarn/postcss-7.0.36
Bump postcss from 7.0.18 to 7.0.36
2021-06-24 16:40:12 +01:00
Neil Middleton
265045a835
Merge pull request #3 from neilmiddleton/dependabot/npm_and_yarn/lodash-4.17.21
Bump lodash from 4.17.19 to 4.17.21
2021-06-24 16:39:51 +01:00
dependabot[bot]
0dba1ea709
Bump glob-parent from 5.1.1 to 5.1.2
Bumps [glob-parent](https://github.com/gulpjs/glob-parent) from 5.1.1 to 5.1.2.
- [Release notes](https://github.com/gulpjs/glob-parent/releases)
- [Changelog](https://github.com/gulpjs/glob-parent/blob/main/CHANGELOG.md)
- [Commits](https://github.com/gulpjs/glob-parent/compare/v5.1.1...v5.1.2)

---
updated-dependencies:
- dependency-name: glob-parent
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-24 15:36:43 +00:00
dependabot[bot]
104ae039a5
Bump postcss from 7.0.18 to 7.0.36
Bumps [postcss](https://github.com/postcss/postcss) from 7.0.18 to 7.0.36.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/7.0.18...7.0.36)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-24 15:36:40 +00:00
dependabot[bot]
8f4fd808a7
Bump lodash from 4.17.19 to 4.17.21
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.19 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.19...4.17.21)

---
updated-dependencies:
- dependency-name: lodash
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-24 15:36:40 +00:00
dependabot[bot]
d5f3003c71
Bump y18n from 4.0.0 to 4.0.3
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.3.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/y18n-v4.0.3/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/compare/v4.0.0...y18n-v4.0.3)

---
updated-dependencies:
- dependency-name: y18n
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2021-06-24 15:36:38 +00:00
David Teller
5c4cee8780 Bumping dependency y18n
There's a high severity CVE for y18n < 4.0.1.
2021-04-14 11:06:52 +02:00
dependabot[bot]
339475fcc9
Bump yargs-parser from 13.1.1 to 13.1.2
Bumps [yargs-parser](https://github.com/yargs/yargs-parser) from 13.1.1 to 13.1.2.
- [Release notes](https://github.com/yargs/yargs-parser/releases)
- [Changelog](https://github.com/yargs/yargs-parser/blob/master/docs/CHANGELOG-full.md)
- [Commits](https://github.com/yargs/yargs-parser/commits)

Signed-off-by: dependabot[bot] <support@github.com>
2020-09-11 22:55:29 +00:00
dependabot[bot]
7d1fc1fe4d
Bump lodash from 4.17.15 to 4.17.19
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.15 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19)

Signed-off-by: dependabot[bot] <support@github.com>
2020-07-18 09:14:24 +00:00
Travis Ralston
47dfdf5b33 Upgrade packages 2020-05-11 21:38:20 -06:00
Travis Ralston
46bc6a1a0f Bump bot-sdk version to handle published aliases better 2020-05-11 21:31:47 -06:00
Travis Ralston
f897f8eb47 Update packages 2020-04-14 16:17:05 -06:00
Travis Ralston
790d1f2ff0 Update matrix-bot-sdk 2020-02-13 14:23:10 -07:00
Travis Ralston
60083b49f4 Update matrix-bot-sdk package 2020-02-12 15:05:52 -07:00
Travis Ralston
c0365416fa Add an option to protect all joined rooms 2020-01-21 15:19:03 -07:00
Travis Ralston
4f8b55c45f Update matrix-bot-sdk 2019-12-04 18:46:00 -07:00
Travis Ralston
66a5775136 Make the [un]ban command smarter
Fixes https://github.com/matrix-org/mjolnir/issues/11
2019-11-13 21:38:19 -07:00
Travis Ralston
863f7025ee Update bot-sdk to beta 14 2019-11-07 11:00:29 -07:00
Travis Ralston
8d1111b056 Upgrade to bot-sdk beta 13 for dependency problem 2019-11-06 19:29:17 -07:00
Travis Ralston
05aedcafb7 Upgrade to beta.12 of the bot-sdk 2019-11-06 15:37:43 -07:00
Travis Ralston
2dcce018d0 Upgrade to bot-sdk beta 11 2019-10-31 10:55:55 -06:00
Travis Ralston
644c19694e Update matrix-bot-sdk to v0.4.0-beta.10 2019-10-31 10:15:52 -06:00
Travis Ralston
4434b5440e Upgrade matrix-bot-sdk to beta 9 2019-10-30 14:37:08 -06:00
Travis Ralston
5409f4916a Add a way to actually unban people 2019-10-10 12:37:42 +01:00
Travis Ralston
afba792fa8 Upgrade matrix-bot-sdk
Fixes https://github.com/matrix-org/mjolnir/issues/1
2019-10-08 01:28:20 +01:00
Travis Ralston
fa1ad260f1 Add a command to dump the rules the bot is using 2019-09-27 15:57:39 -06:00
Travis Ralston
ed6f37be2b Absolute bare minimum for a bot 2019-09-25 20:13:20 -06:00