From 9b4649fe1370657229c53ce55aed1610634d8d75 Mon Sep 17 00:00:00 2001 From: seoonju Date: Thu, 24 Jul 2025 11:05:42 +0900 Subject: [PATCH 1/3] [Autofic] Create package.json and CI workflow --- .github/workflows/pr_notify.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/pr_notify.yml diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml new file mode 100644 index 0000000..2b34036 --- /dev/null +++ b/.github/workflows/pr_notify.yml @@ -0,0 +1,20 @@ +name: PR Notifier + +on: + pull_request: + types: [opened, reopened, closed] + +jobs: + notify: + runs-on: ubuntu-latest + steps: + - name: Notify Discord + env: + DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} + run: | + curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL + - name: Notify Slack + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + run: | + curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL From 890fca7cbfe58e1991e50c8d4e83082b3fd2f470 Mon Sep 17 00:00:00 2001 From: seoonju Date: Thu, 24 Jul 2025 11:05:45 +0900 Subject: [PATCH 2/3] [Autofic] 2 malicious code detected!! --- app.js | 14 ++++++++++++++ public/static/js/create.js | 7 ++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/app.js b/app.js index 75b36b6..5e92754 100644 --- a/app.js +++ b/app.js @@ -5,6 +5,8 @@ and send out links to your friends. var sys = require("sys"); var express = require("express"); +var helmet = require("helmet"); +var rateLimit = require("express-rate-limit"); var app = express.createServer(); // Configuration 
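Review bot: Both `run:` steps splice `${{ github.event.pull_request.title }}` directly into the shell command line, so a title containing a single quote terminates the `-d '...'` argument and the remainder is interpreted by the runner's shell with `DISCORD_WEBHOOK_URL` / `SLACK_WEBHOOK_URL` in its environment; `user.login`, `html_url` and `action` are shape-constrained by GitHub, the title is not. Pass it through the step's `env:` block (`PR_TITLE: ${{ github.event.pull_request.title }}`), build the payload from `"$PR_TITLE"` with `jq --arg` instead of a hand-written JSON literal, and quote `"$DISCORD_WEBHOOK_URL"` so the URL is not word-split. The Slack step needs the identical treatment. The third patch in this series deletes this file again, so this only matters if the workflow is reinstated.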
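Review bot: `helmet` and `express-rate-limit` become runtime dependencies here, but no patch in this series touches `package.json` (the first patch's subject mentions creating one, yet its diffstat lists only the workflow file), so a fresh checkout will presumably fail at `require("helmet")`. Add both to `package.json` with pinned versions that are known to work with the Express 2-era API this file uses (`express.createServer()` on the line below), and commit the lockfile. Which major versions of the two packages are compatible with that API cannot be told from the hunk.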
@@ -15,6 +17,16 @@ app.use(express.bodyParser()); app.set("view engine", "ejs"); app.set("view options", { layout: false }); +// Disable X-Powered-By header +app.use(helmet.hidePoweredBy()); + +// Rate limiting middleware +const limiter = rateLimit({ + windowMs: 15 * 60 * 1000, // 15 minutes + max: 100 // limit each IP to 100 requests per windowMs +}); +app.use(limiter); + // Routes app.get("/", function(req, res) { var xsrf = generateId(); @@ -30,6 +42,8 @@ app.post("/room", function(req, res) { if (!xsrf || !matchXsrf || !(xsrf == matchXsrf)) return res.send({ error: "Unauthorized"}, 403); var name = req.body.name; + if (typeof name !== 'string') // Type checking + return res.send({ error: "Invalid name type."}, 400); res.header('content-type', 'application/json'); name = name.replace(/^\s+|\s+$/, ""); if (!name || name.length < 4 || name.replace(/^[\w\s]+$/, "") != "") diff --git a/public/static/js/create.js b/public/static/js/create.js index 3624ac8..3821261 100644 --- a/public/static/js/create.js +++ b/public/static/js/create.js @@ -22,7 +22,12 @@ Create = { }, success: function(data) { - window.location.href = data.url; + var url = data.url; + if (url && url.startsWith('/')) { // Ensure the URL is relative + window.location.href = url; + } else { + alert("Invalid redirect URL"); + } }, error: function(data) { From e8e1d518a40e2a59d2050744b081a0173d21f6bc Mon Sep 17 00:00:00 2001 From: seoonju Date: Thu, 24 Jul 2025 11:06:02 +0900 Subject: [PATCH 3/3] chore: remove CI workflow before upstream PR --- .github/workflows/pr_notify.yml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 .github/workflows/pr_notify.yml diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml deleted file mode 100644 index 2b34036..0000000 --- a/.github/workflows/pr_notify.yml +++ /dev/null 
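Review bot: `app.use(limiter)` is registered after `app.use(express.bodyParser())` (the hunk header's context line), so a request that is about to be throttled still has its body fully parsed first; registering the limiter as the first middleware avoids that work. express-rate-limit keys on the client address, so if this app sits behind a reverse proxy the trusted-proxy setting must be configured (the mechanism depends on the Express version in use) or every client shares the proxy's IP and is throttled together; the hunk does not show one. Style: the new block uses `const` while the rest of this file uses `var`; keep one convention.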
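Review bot: The comment on the new guard, `// Type checking`, restates the code rather than its reason; say why the check exists, e.g. `// bodyParser may yield an array/object for name; reject non-strings before .replace() below`. With that the 400 response reads as intended rather than as defensive noise. The `app.post("/room", …)` handler starts before and ends after this hunk.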
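Review bot: `url.startsWith('/')` also accepts protocol-relative values such as `//host/path`, which the browser resolves to another origin, so the new guard still permits an off-site redirect if `data.url` can be influenced. Tighten it to `if (url && url.startsWith('/') && !url.startsWith('//')) {`, or resolve and compare origins: `new URL(url, window.location.origin).origin === window.location.origin`. `String.prototype.startsWith` is ES2015 while the rest of the file is `var`-era style, so confirm the supported browser baseline. The `success` callback belongs to the `Create` object whose definition begins before this hunk.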
@@ -1,20 +0,0 @@
-name: PR Notifier
-
-on:
- pull_request:
- types: [opened, reopened, closed]
-
-jobs:
- notify:
- runs-on: ubuntu-latest
- steps:
- - name: Notify Discord
- env:
- DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL
- - name: Notify Slack
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL