fix: upgrade sequelize to latest version to fix CVE

Signed-off-by: BoHong Li <a60814billy@gmail.com>
2025-05-14 15:14:56 -04:00 · 2019-04-12 12:05:32 +08:00 · 2019-04-12 12:05:32 +08:00 · 63c96e7359
commit 63c96e7359
parent 02929cd4bf
6 changed files with 796 additions and 789 deletions
--- a/lib/models/user.js
+++ b/lib/models/user.js
@ -52,119 +52,118 @@ module.exports = function (sequelize, DataTypes) {
    password: {
      type: Sequelize.TEXT
    }
-  }, {
-    instanceMethods: {
-      verifyPassword: function (attempt) {
-        return scrypt.verify(Buffer.from(this.password, 'hex'), attempt)
-      }
-    },
-    classMethods: {
-      associate: function (models) {
-        User.hasMany(models.Note, {
-          foreignKey: 'ownerId',
-          constraints: false
-        })
-        User.hasMany(models.Note, {
-          foreignKey: 'lastchangeuserId',
-          constraints: false
-        })
-      },
-      getProfile: function (user) {
-        if (!user) {
-          return null
-        }
-        return user.profile ? User.parseProfile(user.profile) : (user.email ? User.parseProfileByEmail(user.email) : null)
-      },
-      parseProfile: function (profile) {
-        try {
-          profile = JSON.parse(profile)
-        } catch (err) {
-          logger.error(err)
-          profile = null
-        }
-        if (profile) {
-          profile = {
-            name: profile.displayName || profile.username,
-            photo: User.parsePhotoByProfile(profile),
-            biggerphoto: User.parsePhotoByProfile(profile, true)
-          }
-        }
-        return profile
-      },
-      parsePhotoByProfile: function (profile, bigger) {
-        var photo = null
-        switch (profile.provider) {
-          case 'facebook':
-            photo = 'https://graph.facebook.com/' + profile.id + '/picture'
-            if (bigger) photo += '?width=400'
-            else photo += '?width=96'
-            break
-          case 'twitter':
-            photo = 'https://twitter.com/' + profile.username + '/profile_image'
-            if (bigger) photo += '?size=original'
-            else photo += '?size=bigger'
-            break
-          case 'github':
-            photo = 'https://avatars.githubusercontent.com/u/' + profile.id
-            if (bigger) photo += '?s=400'
-            else photo += '?s=96'
-            break
-          case 'gitlab':
-            photo = profile.avatarUrl
-            if (photo) {
-              if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400')
-              else photo = photo.replace(/(\?s=)\d*$/i, '$196')
-            } else {
-              photo = generateAvatarURL(profile.username)
-            }
-            break
-          case 'mattermost':
-            photo = profile.avatarUrl
-            if (photo) {
-              if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400')
-              else photo = photo.replace(/(\?s=)\d*$/i, '$196')
-            } else {
-              photo = generateAvatarURL(profile.username)
-            }
-            break
-          case 'dropbox':
-            photo = generateAvatarURL('', profile.emails[0].value, bigger)
-            break
-          case 'google':
-            photo = profile.photos[0].value
-            if (bigger) photo = photo.replace(/(\?sz=)\d*$/i, '$1400')
-            else photo = photo.replace(/(\?sz=)\d*$/i, '$196')
-            break
-          case 'ldap':
-            photo = generateAvatarURL(profile.username, profile.emails[0], bigger)
-            break
-          case 'saml':
-            photo = generateAvatarURL(profile.username, profile.emails[0], bigger)
-            break
-          default:
-            photo = generateAvatarURL(profile.username)
-            break
-        }
-        return photo
-      },
-      parseProfileByEmail: function (email) {
-        return {
-          name: email.substring(0, email.lastIndexOf('@')),
-          photo: generateAvatarURL('', email, false),
-          biggerphoto: generateAvatarURL('', email, true)
-        }
-      }
-    }
  })

-  function updatePasswordHashHook (user, options, done) {
+  User.prototype.verifyPassword = function (attempt) {
+    return scrypt.verify(Buffer.from(this.password, 'hex'), attempt)
+  }
+
+  User.associate = function (models) {
+    User.hasMany(models.Note, {
+      foreignKey: 'ownerId',
+      constraints: false
+    })
+    User.hasMany(models.Note, {
+      foreignKey: 'lastchangeuserId',
+      constraints: false
+    })
+  }
+  User.getProfile = function (user) {
+    if (!user) {
+      return null
+    }
+    return user.profile ? User.parseProfile(user.profile) : (user.email ? User.parseProfileByEmail(user.email) : null)
+  }
+  User.parseProfile = function (profile) {
+    try {
+      profile = JSON.parse(profile)
+    } catch (err) {
+      logger.error(err)
+      profile = null
+    }
+    if (profile) {
+      profile = {
+        name: profile.displayName || profile.username,
+        photo: User.parsePhotoByProfile(profile),
+        biggerphoto: User.parsePhotoByProfile(profile, true)
+      }
+    }
+    return profile
+  }
+  User.parsePhotoByProfile = function (profile, bigger) {
+    var photo = null
+    switch (profile.provider) {
+      case 'facebook':
+        photo = 'https://graph.facebook.com/' + profile.id + '/picture'
+        if (bigger) photo += '?width=400'
+        else photo += '?width=96'
+        break
+      case 'twitter':
+        photo = 'https://twitter.com/' + profile.username + '/profile_image'
+        if (bigger) photo += '?size=original'
+        else photo += '?size=bigger'
+        break
+      case 'github':
+        photo = 'https://avatars.githubusercontent.com/u/' + profile.id
+        if (bigger) photo += '?s=400'
+        else photo += '?s=96'
+        break
+      case 'gitlab':
+        photo = profile.avatarUrl
+        if (photo) {
+          if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400')
+          else photo = photo.replace(/(\?s=)\d*$/i, '$196')
+        } else {
+          photo = generateAvatarURL(profile.username)
+        }
+        break
+      case 'mattermost':
+        photo = profile.avatarUrl
+        if (photo) {
+          if (bigger) photo = photo.replace(/(\?s=)\d*$/i, '$1400')
+          else photo = photo.replace(/(\?s=)\d*$/i, '$196')
+        } else {
+          photo = generateAvatarURL(profile.username)
+        }
+        break
+      case 'dropbox':
+        photo = generateAvatarURL('', profile.emails[0].value, bigger)
+        break
+      case 'google':
+        photo = profile.photos[0].value
+        if (bigger) photo = photo.replace(/(\?sz=)\d*$/i, '$1400')
+        else photo = photo.replace(/(\?sz=)\d*$/i, '$196')
+        break
+      case 'ldap':
+        photo = generateAvatarURL(profile.username, profile.emails[0], bigger)
+        break
+      case 'saml':
+        photo = generateAvatarURL(profile.username, profile.emails[0], bigger)
+        break
+      default:
+        photo = generateAvatarURL(profile.username)
+        break
+    }
+    return photo
+  }
+  User.parseProfileByEmail = function (email) {
+    return {
+      name: email.substring(0, email.lastIndexOf('@')),
+      photo: generateAvatarURL('', email, false),
+      biggerphoto: generateAvatarURL('', email, true)
+    }
+  }
+
+  function updatePasswordHashHook (user, options) {
    // suggested way to hash passwords to be able to do this asynchronously:
    // @see https://github.com/sequelize/sequelize/issues/1821#issuecomment-44265819
-    if (!user.changed('password')) { return done() }

-    scrypt.kdf(user.getDataValue('password'), { logN: 15 }).then(keyBuf => {
+    if (!user.changed('password')) {
+      return Promise.resolve()
+    }
+
+    return scrypt.kdf(user.getDataValue('password'), { logN: 15 }).then(keyBuf => {
      user.setDataValue('password', keyBuf.toString('hex'))
-      done()
    })
  }