Release v1.3.16

@github-actions github-actions released this 05 Oct 01:21
· 0 commits to f241df2f41143a5aefe0293be683b6edca6d71c5 since this release

Security

  • Fixed critical dependency vulnerabilities (Multiple CVEs)
    • Backend Go dependencies:
      • Updated golang.org/x/image from v0.0.0-20191009 to v0.30.0
        • Fixed CVE-2024-24792: Panic when parsing invalid palette-color images (High Severity)
        • Fixed TIFF decoder vulnerabilities: unlimited compressed tile data, excessive CPU consumption (Medium)
        • Fixed uncontrolled resource consumption in image processing (Medium)
      • Updated github.com/disintegration/imaging from v1.6.2 (latest stable)
        • Mitigated crash when processing crafted TIFF files (Low)
    • Frontend npm dependencies:
      • Updated next from 15.4.3 to 15.4.7
        • Fixed SSRF vulnerability in middleware redirect handling (Medium - CVE pending)
        • Fixed cache key confusion in Image Optimization API (Medium - CVE pending)
        • Fixed content injection vulnerability in image optimization (Medium - CVE pending)
      • Enforced d3-color@3.1.0+ via package overrides
        • Fixed ReDoS vulnerability in rgb()/hrc() functions (High - GHSA-36jr-mh4h-2g58)
        • Applied to all transitive dependencies (d3@7.9.0, react-simple-maps@3.0.0)
      • Enforced prismjs@1.30.0+ via package overrides
        • Fixed DOM Clobbering XSS vulnerability (Medium - CVE-2024-53382)
        • Applied to react-syntax-highlighter and refractor dependencies
  • Fixed iframe XSS vulnerabilities in video embed components (High Severity)
    • Added sandbox attribute to YouTube and Bilibili iframe embeds
    • Sandbox permissions: allow-scripts allow-same-origin allow-presentation (minimal required permissions)
    • Prevents form submission, top navigation hijacking, and unauthorized JavaScript execution
  • Enhanced URL validation for video embeds (Medium Severity)
    • YouTube: Strict 11-character videoId format validation ([a-zA-Z0-9_-]{11})
    • Bilibili: Fixed-length BV ID validation (12 chars: BV[a-zA-Z0-9]{10})
    • Bilibili: av ID length limit (1-10 digits)
    • Prevents DoS attacks via extremely long video IDs
    • Prevents URL fragment injection and XSS via malformed videoIds
  • Minimized iframe permissions (Medium Severity)
    • Removed clipboard-write permission (prevents clipboard data exfiltration)
    • Removed accelerometer, gyroscope, web-share (unnecessary for video playback)
    • Retained only essential permissions: autoplay, encrypted-media, picture-in-picture
  • Improved referrer privacy (Low Severity)
    • YouTube: Added referrerPolicy="no-referrer-when-downgrade"
    • Bilibili: Retained referrerPolicy="no-referrer" for maximum privacy
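The validation and iframe hardening listed above (Layers 1 to 4), as an added example that is not the project's own youtube-embed.tsx or bilibili-embed.tsx; the regexes and attribute values are the ones quoted in these notes, while the embed base URLs and the function names are assumptions:

```typescript
// Added example (not the project's youtube-embed.tsx / bilibili-embed.tsx).
// Validates video IDs with the patterns quoted in the release notes and builds
// the hardened iframe attributes. Base URLs and function names are assumptions.
// Patterns from the notes: 11-char YouTube ID, 12-char BV ID, 1-10 digit av ID.
const YOUTUBE_ID = /^[a-zA-Z0-9_-]{11}$/;
const BILIBILI_BV = /^BV[a-zA-Z0-9]{10}$/;
const BILIBILI_AV = /^av[0-9]{1,10}$/;

type Provider = "youtube" | "bilibili";

function isValidVideoId(provider: Provider, id: string): boolean {
  // Anchored, fixed-length patterns: an over-long ID, or a "#fragment" or
  // "?query" tail appended to a valid ID, is rejected outright.
  if (provider === "youtube") return YOUTUBE_ID.test(id);
  return BILIBILI_BV.test(id) || BILIBILI_AV.test(id);
}

interface EmbedAttrs {
  src: string;
  sandbox: string;
  allow: string;
  referrerPolicy: string;
}

// Returns null for anything the strict pattern rejects, so no unvalidated
// string ever reaches the iframe src.
function buildEmbedAttrs(provider: Provider, id: string): EmbedAttrs | null {
  if (!isValidVideoId(provider, id)) return null;
  let src: string;
  if (provider === "youtube") {
    src = `https://www.youtube.com/embed/${id}`; // assumed embed base URL
  } else if (id.startsWith("BV")) {
    src = `https://player.bilibili.com/player.html?bvid=${id}`; // assumed
  } else {
    src = `https://player.bilibili.com/player.html?aid=${id.slice(2)}`; // assumed
  }
  return {
    src,
    // Minimal sandbox: scripts and same-origin for the player API, presentation
    // for fullscreen; no allow-forms, allow-top-navigation or allow-popups.
    sandbox: "allow-scripts allow-same-origin allow-presentation",
    // Permissions-Policy features kept; clipboard-write, accelerometer,
    // gyroscope and web-share are deliberately absent.
    allow: "autoplay; encrypted-media; picture-in-picture",
    referrerPolicy: provider === "youtube" ? "no-referrer-when-downgrade" : "no-referrer",
  };
}
```

Combining allow-scripts with allow-same-origin is only safe because the framed player is cross-origin; a same-origin document with both flags could remove its own sandbox attribute.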

Added

  • Duplicate video prevention (Medium Priority)
    • URL-based duplicate detection when adding online videos
    • User-friendly error message with auto-dismiss (5 seconds)
    • Multi-language support for error messages (Chinese/English/Japanese)
  • UUID-based video identification (High Priority)
    • Unique identifiers using crypto.randomUUID() for each online video
    • Prevents deletion conflicts when duplicate URLs exist
    • Automatic data migration for existing videos without UUIDs
  • Custom delete confirmation dialogs (High Priority)
    • Replaced browser native confirm() with custom DeleteConfirmationDialog component
    • Requires typed confirmation text to prevent accidental deletions
    • Displays item name (video title or filename) in confirmation dialog
    • Consistent professional UI design across the platform
    • Supports multi-language (Chinese/English/Japanese)
    • Applied to both online video deletion and uploaded media deletion
  • Unified media sorting (Medium Priority)
    • Online videos now appear in "All" category tab
    • Mixed sorting of uploaded media and online videos by timestamp
    • Added created_at timestamp field to OnlineVideo interface
    • Automatic timestamp migration for existing videos (preserves relative order)
    • Supports sorting by date, size, and name across all media types

Changed

  • Security Layer 0 (Dependency Security): Updated all vulnerable dependencies to patched versions
  • Defense-in-depth: Go image library updates complement existing metadata stripping mechanism (media.go:401-455)
  • All frontend dependency vulnerabilities resolved (npm audit: 0 vulnerabilities)
  • Security Layer 1: Strict regex patterns for video URL validation
  • Security Layer 2: iframe sandbox attribute with minimal permissions
  • Security Layer 3: Minimized allow attribute permissions
  • Security Layer 4: referrerPolicy to protect user privacy
  • Media library rendering: Unified display logic for uploaded and online media in "All" tab
  • Video deletion workflow: Now uses state-managed dialogs instead of blocking browser prompts
  • Media file deletion workflow: Now uses state-managed dialogs with error handling

Fixed

  • Online videos not displaying in "All" category (High Priority)
    • Modified fetchMedia() to always load online videos regardless of selectedType
    • Online videos now properly appear alongside uploaded media
  • Online videos always appearing last (High Priority)
    • Implemented unified sorting logic using UnifiedMediaItem type
    • Changed rendering to iterate sorted items directly in "All" mode
    • Videos now correctly sort by timestamp with uploaded media
  • Unable to delete duplicate URL videos (Medium Priority)
    • Changed deletion identifier from url to uuid
    • Resolved confusion when multiple videos share the same URL

Technical Details

  • Dependency Updates:
    • Go 1.23.3 compatibility: golang.org/x/image updated to v0.30.0 (v0.31.0 requires Go 1.24+)
    • Package overrides ensure all nested dependencies use secure versions
    • Backward compatible: All tests passing, build successful
  • Security Enhancements:
    • Addresses iframe-based XSS attack vectors identified in CVE-2025-31008
    • Complies with OWASP Top 10 - A03:2021 Injection
    • Complies with OWASP Top 10 - A05:2021 Security Misconfiguration
    • Aligns with 2025 iframe security best practices (sandbox + CSP)
  • Files Modified:
    • Frontend: youtube-embed.tsx (enhanced URL validation +8 lines, added sandbox +3 attributes)
    • Frontend: bilibili-embed.tsx (enhanced URL validation +14 lines, added sandbox +1 attribute)
    • Frontend: video-add.tsx (+UUID generation, removed created_at field from interface)
    • Frontend: page.tsx (media library - +unified sorting logic ~60 lines, +delete dialogs ~40 lines, +UUID migration)
    • Frontend: delete-confirmation-dialog.tsx (existing component, reused)
    • Translations: zh.json, en.json, ja.json (+6 new keys for delete dialogs and duplicate error)
    • Backend: go.mod, go.sum (dependency updates)
    • Frontend: package.json (dependency updates + overrides)
  • Zero breaking changes - backward compatible
  • All builds pass with no ESLint errors
  • Data migration: Automatic UUID and timestamp addition to existing online videos

Notes

  • Sandbox attribute restricts iframe capabilities while allowing video playback
  • allow-scripts: Required for video player JavaScript
  • allow-same-origin: Required for player API calls to YouTube/Bilibili
  • allow-presentation: Required for fullscreen functionality
  • Removed permissions prevent malicious actions: form submission, clipboard access, navigation hijacking
  • URL validation prevents injection of malformed or excessively long video IDs
  • Defense-in-depth: Multiple layers (URL validation + sandbox + minimal permissions)
  • UUID generation uses Web Crypto API (crypto.randomUUID())
  • Timestamps use ISO 8601 format (new Date().toISOString())
  • Delete confirmation requires the typed text to match (case-insensitive): "删除"/"delete"/"削除"
  • Old videos without timestamps receive retroactive timestamps in reverse order to preserve sort order
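The UUID and timestamp migration, URL-based duplicate check and uuid-based deletion described in the Added, Fixed and Notes sections, as an added example that is not the project's page.tsx or video-add.tsx; it assumes the stored list is oldest-first, and every name other than uuid, url and created_at is an assumption:

```typescript
// Added example, not the project's page.tsx or video-add.tsx. Implements the
// OnlineVideo migration and duplicate/delete logic the notes describe; the
// list being stored oldest-first and all names other than uuid, url and
// created_at are assumptions.
interface OnlineVideo {
  uuid?: string;
  url: string;
  title: string;
  created_at?: string; // ISO 8601, as produced by toISOString()
}

type UuidGen = () => string;
// Web Crypto API as in the release; injectable so tests can be deterministic.
// The cast avoids depending on which TypeScript lib declares globalThis.crypto.
const cryptoUuid: UuidGen = () => (globalThis as any).crypto.randomUUID();

// Give every stored video a uuid and a created_at. Videos that predate the
// timestamp field are assumed to be stored oldest-first, so walking the list
// backwards assigns "now" to the newest and one second less per step back;
// sorting by created_at then reproduces the old relative order.
function migrateVideos(videos: OnlineVideo[], now = Date.now(), gen: UuidGen = cryptoUuid): OnlineVideo[] {
  const last = videos.length - 1;
  return videos.map((v, i) => ({
    ...v,
    uuid: v.uuid ?? gen(),
    created_at: v.created_at ?? new Date(now - (last - i) * 1000).toISOString(),
  }));
}

// URL-based duplicate check on add; returns null when the URL is already present.
function addOnlineVideo(videos: OnlineVideo[], url: string, title: string, gen: UuidGen = cryptoUuid): OnlineVideo[] | null {
  const key = url.trim();
  if (videos.some((v) => v.url === key)) return null;
  return [...videos, { uuid: gen(), url: key, title, created_at: new Date().toISOString() }];
}

// Delete by uuid rather than url, so legacy entries that share a URL
// (added before the duplicate check existed) never collide.
function deleteOnlineVideo(videos: OnlineVideo[], uuid: string): OnlineVideo[] {
  return videos.filter((v) => v.uuid !== uuid);
}

// Newest first, as the media library's "All" tab shows it.
function sortByCreated(videos: OnlineVideo[]): OnlineVideo[] {
  return [...videos].sort((a, b) => Date.parse(b.created_at!) - Date.parse(a.created_at!));
}
```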