security fix

2026-01-22 10:23:56 +00:00 · 2025-09-19 17:15:59 +03:00
parent f4e84e46cc
commit 672ddff9f8
7 changed files with 31 additions and 17 deletions
--- a/src/main/events/catalogue/save-game-shop-assets.ts
+++ b/src/main/events/catalogue/save-game-shop-assets.ts
@@ -10,14 +10,15 @@ const saveGameShopAssets = async (
 ): Promise<void> => {
  const key = levelKeys.game(shop, objectId);
  const existingAssets = await gamesShopAssetsSublevel.get(key);
-  
+
  // Preserve existing title if it differs from the incoming title (indicating it was customized)
-  const shouldPreserveTitle = existingAssets?.title && existingAssets.title !== assets.title;
-  
-  return gamesShopAssetsSublevel.put(key, { 
-    ...existingAssets, 
+  const shouldPreserveTitle =
+    existingAssets?.title && existingAssets.title !== assets.title;
+
+  return gamesShopAssetsSublevel.put(key, {
+    ...existingAssets,
    ...assets,
-    title: shouldPreserveTitle ? existingAssets.title : assets.title
+    title: shouldPreserveTitle ? existingAssets.title : assets.title,
  });
 };

--- a/src/main/events/library/get-library.ts
+++ b/src/main/events/library/get-library.ts
@@ -24,7 +24,8 @@ const getLibrary = async (): Promise<LibraryGame[]> => {
              download: download ?? null,
              ...gameAssets,
              // Ensure compatibility with LibraryGame type
-              libraryHeroImageUrl: game.libraryHeroImageUrl ?? gameAssets?.libraryHeroImageUrl,
+              libraryHeroImageUrl:
+                game.libraryHeroImageUrl ?? gameAssets?.libraryHeroImageUrl,
            } as LibraryGame;
          })
      );
--- a/src/main/events/library/update-game-custom-assets.ts
+++ b/src/main/events/library/update-game-custom-assets.ts
@@ -21,9 +21,16 @@ const updateGameCustomAssets = async (
  const updatedGame = {
    ...existingGame,
    title,
-    customIconUrl: customIconUrl !== undefined ? customIconUrl : existingGame.customIconUrl,
-    customLogoImageUrl: customLogoImageUrl !== undefined ? customLogoImageUrl : existingGame.customLogoImageUrl,
-    customHeroImageUrl: customHeroImageUrl !== undefined ? customHeroImageUrl : existingGame.customHeroImageUrl,
+    customIconUrl:
+      customIconUrl !== undefined ? customIconUrl : existingGame.customIconUrl,
+    customLogoImageUrl:
+      customLogoImageUrl !== undefined
+        ? customLogoImageUrl
+        : existingGame.customLogoImageUrl,
+    customHeroImageUrl:
+      customHeroImageUrl !== undefined
+        ? customHeroImageUrl
+        : existingGame.customHeroImageUrl,
  };

  await gamesSublevel.put(gameKey, updatedGame);
@@ -42,4 +49,4 @@ const updateGameCustomAssets = async (
  return updatedGame;
 };

-registerEvent("updateGameCustomAssets", updateGameCustomAssets);
+registerEvent("updateGameCustomAssets", updateGameCustomAssets);
--- a/src/main/index.ts
+++ b/src/main/index.ts
@@ -69,8 +69,9 @@ app.whenReady().then(async () => {
      request.url.slice("gradient:".length)
    );

+    // Fixed regex to prevent ReDoS - removed nested quantifiers and backtracking
    const match = gradientCss.match(
-      /linear-gradient\(([^,]+),\s*([^,]+),\s*([^)]+)\)/
+      /^linear-gradient\(([^,()]+),\s*([^,()]+),\s*([^,()]+)\)$/
    );

    let direction = "45deg";