Charles Hall a60501189d
prevent xss via user-uploaded media
Previously, `Content-Disposition` was always set to `inline`, even for
HTML, which means that XSS could be easily achieved by uploading
malicious HTML and getting someone to click on the Matrix HTTP API link
for that piece of media. Now, we have an allowlist of safe values for
`Content-Type` that use `inline` while everything else defaults to
`attachment`, including HTML and SVG, which prevents XSS.

We also set the `Content-Security-Policy` header because why not.

A `set_header_or_panic` function is introduced to do what it says in
case Ruma begins providing better or worse values for the relevant
headers in the future. The safest way to handle such a case is simply
to panic.
2024-05-19 21:05:02 -07:00


# rustc lints shared by every workspace member that opts in with
# `[lints] workspace = true` (see the `[lints]` table further down).
# Keep alphabetically sorted
[workspace.lints.rust]
elided_lifetimes_in_paths = "warn"
explicit_outlives_requirements = "warn"
macro_use_extern_crate = "warn"
missing_abi = "warn"
noop_method_call = "warn"
pointer_structural_match = "warn"
single_use_lifetimes = "warn"
# Items are `pub` only if they are actually reachable from outside the crate.
unreachable_pub = "warn"
# `unsafe fn` bodies must wrap unsafe operations in explicit `unsafe {}`
# blocks, so each one can carry its own safety justification.
unsafe_op_in_unsafe_fn = "warn"
unused_extern_crates = "warn"
unused_import_braces = "warn"
unused_lifetimes = "warn"
unused_macro_rules = "warn"
unused_qualifications = "warn"
# Clippy lints shared by every workspace member (inherited via `[lints]`).
[workspace.lints.clippy]
# Groups. Keep alphabetically sorted
pedantic = "warn"
# Lints. Keep alphabetically sorted
as_conversions = "warn"
assertions_on_result_states = "warn"
# Keep leftover `dbg!` calls out of committed code.
dbg_macro = "warn"
default_union_representation = "warn"
deref_by_slicing = "warn"
empty_drop = "warn"
empty_structs_with_brackets = "warn"
error_impl_error = "warn"
filetype_is_file = "warn"
float_cmp_const = "warn"
format_push_string = "warn"
get_unwrap = "warn"
if_then_some_else_none = "warn"
impl_trait_in_params = "warn"
let_underscore_must_use = "warn"
lossy_float_literal = "warn"
# `mem::forget` skips destructors, which can leak resources or guards.
mem_forget = "warn"
missing_assert_message = "warn"
mod_module_files = "warn"
multiple_inherent_impl = "warn"
mutex_atomic = "warn"
negative_feature_names = "warn"
pub_without_shorthand = "warn"
rc_buffer = "warn"
rc_mutex = "warn"
redundant_feature_names = "warn"
redundant_type_annotations = "warn"
ref_patterns = "warn"
rest_pat_in_fully_bound_structs = "warn"
same_name_method = "warn"
semicolon_inside_block = "warn"
str_to_string = "warn"
string_add = "warn"
string_lit_chars_any = "warn"
string_slice = "warn"
string_to_string = "warn"
suspicious_xor_used_as_pow = "warn"
tests_outside_test_module = "warn"
try_err = "warn"
# Every `unsafe` block needs a `// SAFETY:` comment explaining why it is sound.
undocumented_unsafe_blocks = "warn"
unnecessary_safety_comment = "warn"
unnecessary_safety_doc = "warn"
unnecessary_self_imports = "warn"
unneeded_field_pattern = "warn"
unseparated_literal_suffix = "warn"
verbose_file_reads = "warn"
# Reject `*` version requirements so every dependency is pinned to a range.
wildcard_dependencies = "warn"
# TODO: Remove these:
missing_errors_doc = "allow"
missing_panics_doc = "allow"
# Crate metadata for the homeserver binary.
[package]
name = "grapevine"
description = "A Matrix homeserver written in Rust"
license = "Apache-2.0"
version = "0.1.0"
edition = "2021"
# Minimum supported Rust version; keep in step with the toolchain pin.
# See also `rust-toolchain.toml`
rust-version = "1.75.0"
# Inherit the `[workspace.lints.rust]` and `[workspace.lints.clippy]`
# tables defined above instead of repeating them per crate.
[lints]
workspace = true
# Keep sorted
[dependencies]
async-trait = "0.1.68"
# Default features are off; only the HTTP server pieces actually used are enabled.
axum = { version = "0.6.18", default-features = false, features = ["form", "headers", "http1", "http2", "json", "matched-path"] }
# `tls-rustls` provides the TLS listener via rustls.
axum-server = { version = "0.5.1", features = ["tls-rustls"] }
base64 = "0.21.2"
bytes = "1.4.0"
clap = { version = "4.3.0", default-features = false, features = ["std", "derive", "help", "usage", "error-context", "string"] }
# Configuration loading from TOML files and environment variables.
figment = { version = "0.10.8", features = ["env", "toml"] }
futures-util = { version = "0.3.28", default-features = false }
hmac = "0.12.1"
html-escape = "0.2.13"
http = "0.2.9"
hyper = "0.14.26"
# Only the decoders listed here are compiled in; adding a format widens the
# parsing surface exposed to user-uploaded media.
image = { version = "0.24.6", default-features = false, features = ["jpeg", "png", "gif"] }
jsonwebtoken = "9.2.0"
lru-cache = "0.1.2"
num_cpus = "1.15.0"
opentelemetry = { version = "0.18.0", features = ["rt-tokio"] }
opentelemetry-jaeger = { version = "0.17.0", features = ["rt-tokio"] }
# Optional: pulled in by the `sqlite` feature below.
parking_lot = { version = "0.12.1", optional = true }
phf = { version = "0.11.2", features = ["macros"] }
rand = "0.8.5"
regex = "1.8.1"
# Default features are off so TLS comes from rustls with the platform's
# native root store rather than reqwest's default backend; `socks` adds
# SOCKS proxy support for outbound requests.
reqwest = { version = "0.11.18", default-features = false, features = ["rustls-tls-native-roots", "socks"] }
ring = "0.17.7"
# The crates.io package is `rust-rocksdb`, renamed so code refers to it as
# `rocksdb`. Optional: pulled in by the `rocksdb` feature below.
rocksdb = { package = "rust-rocksdb", version = "0.25.0", features = ["lz4", "multi-threaded-cf", "zstd"], optional = true }
# Git dependency pinned to an exact commit rather than a branch, so the
# build is reproducible. Bumping `rev` is a deliberate change and should be
# reviewed like any other dependency update.
ruma = { git = "https://github.com/ruma/ruma", rev = "5495b85aa311c2805302edb0a7de40399e22b397", features = ["compat", "rand", "appservice-api-c", "client-api", "federation-api", "push-gateway-api-c", "state-res", "unstable-msc2448", "unstable-msc3575", "unstable-exhaustive-types", "ring-compat", "unstable-unspecified" ] }
# `bundled` compiles SQLite from source instead of linking the system
# library, so the SQLite version is fixed by this crate. Optional: pulled in
# by the `sqlite` feature below.
rusqlite = { version = "0.29.0", optional = true, features = ["bundled"] }
# Argon2 implementation; presumably used for password hashing — verify at
# the call site.
rust-argon2 = "1.0.0"
# Optional: pulled in by the `systemd` feature below.
sd-notify = { version = "0.4.1", optional = true }
serde = { version = "1.0.163", features = ["rc"] }
serde_html_form = "0.2.0"
serde_json = { version = "1.0.96", features = ["raw_value"] }
serde_yaml = "0.9.21"
sha-1 = "0.10.1"
thiserror = "1.0.40"
thread_local = "1.1.7"
# Optional: pulled in by the `jemalloc` feature below.
tikv-jemallocator = { version = "0.5.0", features = ["unprefixed_malloc_on_supported_platforms"], optional = true }
# `signal` is always enabled here, independent of the `sqlite` feature.
tokio = { version = "1.28.1", features = ["fs", "macros", "signal", "sync"] }
tower = { version = "0.4.13", features = ["util"] }
# `sensitive-headers` provides middleware for marking headers (e.g. auth
# tokens) as sensitive so they are not logged — verify it is installed in
# the router.
tower-http = { version = "0.4.1", features = ["add-extension", "cors", "sensitive-headers", "trace", "util"] }
# Empty feature list is a no-op; default features stay enabled.
tracing = { version = "0.1.37", features = [] }
tracing-flame = "0.2.0"
tracing-opentelemetry = "0.18.0"
tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
trust-dns-resolver = "0.22.0"
# Unix-only dependencies; not compiled on other targets.
[target.'cfg(unix)'.dependencies]
# `resource` exposes the rlimit-related APIs.
nix = { version = "0.28", features = ["resource"] }
# Cargo features. Each one switches on an optional dependency declared
# above; `jemalloc` is opt-in and not part of the default set.
[features]
default = ["rocksdb", "sqlite", "systemd"]
# Keep sorted
jemalloc = ["dep:tikv-jemallocator"]
rocksdb = ["dep:rocksdb"]
# NOTE(review): `tokio/signal` is redundant here — the `tokio` dependency
# above already enables `signal` unconditionally.
sqlite = ["dep:rusqlite", "dep:parking_lot", "tokio/signal"]
systemd = ["dep:sd-notify"]