[fix] image routes

.github/dependabot.yml

@@ -1,49 +1,19 @@
 version: 2
 updates:
-  # Schedule for checking updates
-  schedule:
-    interval: daily
-
-  # CSS dependencies
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    labels:
-      - "css"
-    allowed-updates:
-      - match:
-          update-type: "all"
-
-  # JavaScript dependencies
-  - package-ecosystem: "npm"
+# Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
-    labels:
-      - "javascript"
-    allowed-updates:
-      - match:
-          update-type: "all"
-
-  # Other dependencies
+
+    # Maintain dependencies for npm
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "daily"
-    labels:
-      - "other"
-    allowed-updates:
-      - match:
-          update-type: "all"
 
   # Docker dependencies
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
       interval: "daily"
-    labels:
-      - "docker"
-    allowed-updates:
-      - match:
-          update-type: "all"

.github/workflows/ci.yml

@@ -1,5 +1,8 @@
 name: CI
-
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   push:
     branches: [ main ]
@@ -16,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Setup Node.js
         uses: actions/setup-node@v4

Dockerfile

@@ -1,6 +1,6 @@
 #https://hub.docker.com/_/node/
 #https://github.com/GoogleContainerTools/distroless/blob/main/README.md
-FROM node:24.4-alpine3.21 AS build
+FROM node:24.6-alpine3.21 AS build
 WORKDIR /wikiless
 COPY . /wikiless
 RUN npm install --omit=optional

README.md

@@ -5,10 +5,11 @@
 
 **Wikiless** is a free, open-source alternative Wikipedia front-end focused on privacy. The project aims to provide users with a more private and anonymous browsing experience by minimizing data collection and tracking.
 
-## Key Features
+### Features
 - **Privacy-Focused:** Designed to enhance user privacy by limiting data tracking.
 - **Open Source:** Available for anyone to contribute and improve.
 - **Alternative Front-End:** Provides a different interface to access Wikipedia content.
+- **Censorship-Resistant:** Provides another way to access Wikipedia in multiple blocked countries.
 
 ## Installation
 

SECURITY.md

@@ -8,7 +8,7 @@ We release patches for security vulnerabilities in the following versions:
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.1.3   | :white_check_mark: |
+| 0.1.4   | :white_check_mark: |
 
 ## Reporting a Vulnerability
 

docker-compose.yml

@@ -1,3 +1,5 @@
+version: "3.9"
+
 services:
   wikiless:
     build:

package.json

@@ -10,7 +10,7 @@
     "express": "^5.1.0",
     "got": "^14.4.7",
     "node-html-parser": "^7.0.1",
-    "redis": "^5.6.1"
+    "redis": "^5.8.2"
   },
   "devDependencies": {
     "jest": "^30.0.5",

src/routes.js

@@ -1,6 +1,7 @@
 module.exports = (app, utils) => {
   const config = require('../wikiless.config')
   const path = require('path')
+  const crypto = require('crypto');
 
   app.all(/.*/, (req, res, next) => {
     let themeOverride = req.query.theme
@@ -84,11 +85,20 @@ module.exports = (app, utils) => {
     return next()
   })
 
+  function md5HashParts(fileName) {
+    const normalized = fileName.replace(/ /g, '_');
+    const h = crypto.createHash('md5').update(normalized, 'utf8').digest('hex');
+    return [h[0], h.slice(0,2)];
+  }
+
+
   app.get('/wiki/:page/:sub_page', (req, res, next) => {
     const pageName = req.params.page;
     if (pageName && pageName.startsWith('File:')) {
-        const encodedFileName = encodeURIComponent(pageName.split(':')[1])
-        const mediaPath = `/media/wikipedia/commons/thumb/${encodedFileName}`
+        const rawName = pageName.split(':')[1];
+        const encodedFileName = encodeURIComponent(rawName);
+        const [h1, h2] = md5HashParts(rawName);
+        const mediaPath = `/media/wikipedia/commons/${h1}/${h2}/${encodedFileName}`;
         return res.redirect(mediaPath)
     }
     return handleWikiPage(req, res, '/wiki/')
@@ -97,8 +107,10 @@ module.exports = (app, utils) => {
   app.get('/wiki/:page', (req, res, next) => {
     const pageName = req.params.page;
     if (pageName && pageName.startsWith('File:')) {
-        const encodedFileName = encodeURIComponent(pageName.split(':')[1])
-        const mediaPath = `/media/wikipedia/commons/thumb/${encodedFileName}`
+        const rawName = pageName.split(':')[1];
+        const encodedFileName = encodeURIComponent(rawName);
+        const [h1, h2] = md5HashParts(rawName);
+        const mediaPath = `/media/wikipedia/commons/${h1}/${h2}/${encodedFileName}`;
         return res.redirect(mediaPath)
     }
     return handleWikiPage(req, res, '/wiki/')
@@ -158,6 +170,18 @@ module.exports = (app, utils) => {
     return res.send(preferencesPage(req, res))
   })
 
+  // Helper to validate safe redirect paths
+  function isSafeRedirectPath(path) {
+    // Must start with a single slash, not double slash, not contain backslash, not contain protocol
+    return (
+      typeof path === 'string' &&
+      path.startsWith('/') &&
+      !path.startsWith('//') &&
+      !path.includes('\\') &&
+      !/^\/(http|https):/.test(path)
+    );
+  }
+
   app.post('/preferences', (req, res, next) => {
     const theme = req.body.theme
     const default_lang = req.body.default_lang
@@ -166,7 +190,7 @@ module.exports = (app, utils) => {
     res.cookie('theme', theme, { maxAge: 365 * 24 * 60 * 60 * 1000, httpOnly: true })
     res.cookie('default_lang', default_lang, { maxAge: 365 * 24 * 60 * 60 * 1000, httpOnly: true })
 
-    if(back === 'undefined' || !back.startsWith('/')) {
+    if (!isSafeRedirectPath(back)) {
       back = '/'
     }
 

src/utils.js

@@ -194,7 +194,7 @@ module.exports = function(redis) {
       data.html = data.html.replace(wikimedia_regex, '/media')
 
       // replace wiki links
-      const wiki_href_regx = /(href=\"(https:|http:|)\/\/([A-z.-]+\.)?(wikipedia.org|wikimedia.org|wikidata.org|mediawiki.org))/gm
+      const wiki_href_regx = /(href=\"(https:|http:|)\/\/([A-Za-z.-]+\.)?(wikipedia\.org|wikimedia\.org|wikidata\.org|mediawiki\.org))/gm
       data.html = data.html.replace(wiki_href_regx, 'href="')
 
       try {

static/about.html

@@ -32,6 +32,6 @@ <h1>About</h1>
     <hr>
     <a href="/" rel="noreferrer" target="_blank">Go Back</a>
     <h4>Wikiless version</h4>
-    <p>0.1.3</p>
+    <p>0.1.4</p>
   </body>
 </html>