docs: add TZ environment variable to README #155
Merged
Conversation
Add documentation for the TZ environment variable which is used by the auto-acknowledge feature to format message timestamps. Without this documentation, users may not know they can customize the timezone for auto-acknowledge responses. Fixes #154 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Claude finished @Yeraze's task —— View job
PR Review: TZ Environment Variable Documentation
I've completed my review of this documentation addition. Here's my comprehensive feedback:
Todo List:
Code Quality and Best Practices ✅
Accuracy and Completeness ✅
Documentation Quality ✅
No Issues Found
Minor Suggestions
Summary
This is a high-quality documentation addition that:
Recommendation: Approve - This PR successfully documents an existing environment variable that was previously undocumented, improving user experience for those wanting to customize timezone display in auto-acknowledge messages.
Yeraze added a commit that referenced this pull request Oct 12, 2025
Co-authored-by: Claude <noreply@anthropic.com>
Yeraze added a commit that referenced this pull request Oct 29, 2025
Co-authored-by: Claude <noreply@anthropic.com>
Yeraze added a commit that referenced this pull request Jun 18, 2026
…#152/153/155/156) (#3544)

* fix(security): use RE2 for user-supplied regexes to eliminate ReDoS (#3543)

Resolves the two high-severity CodeQL js/regex-injection alerts (#153, #155) by compiling all user/admin-supplied regular expressions with RE2, a linear-time engine immune to catastrophic backtracking. The previous heuristic guards (length caps + nested-quantifier checks) reduced but could not eliminate the risk, and CodeQL (correctly) kept flagging the user→RegExp dataflow.

- New src/utils/safeRegex.ts: compileUserRegex(pattern, flags) wraps RE2 and returns a RegExp-compatible matcher (test/exec/match/replace). RE2 rejects backreferences and lookaround — the intended trade-off — so callers keep their existing try/catch to treat unsupported patterns as "invalid regex".
- Convert every user-supplied regex site, validation AND execution:
  - server.ts: remote(-localstats) name-filter validation (2 sites).
  - services/database.ts: the name-filter execution sites that actually match node names (traceroute + localstats union filters) — the real ReDoS surface CodeQL didn't reach through the settings store.
  - routes/scriptRoutes.ts + meshtasticManager.ts: auto-responder trigger and auto-acknowledge pattern matching.
- Dockerfile: add build-base + python3 to the builder stage so re2 (native) can compile from source where no prebuilt exists (Alpine/musl arm). Builder stage only — not in the runtime image.

Tests: new safeRegex suite asserts linear-time behaviour on the classic (a+)+$ ReDoS pattern and rejection of backreference/lookaround. Full suite green.

The two non-regex alerts are handled separately: #152 (frontend routing, not a security gate) dismissed as false-positive; #156 (authenticated admin script import, path-sanitized) dismissed as by-design.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* address review: convert remaining regex sites to RE2; harden tests/docs (#3544)

Claude review feedback on the RE2 security PR:

1. autoAckRegex.ts:69 — convert the MeshCore auto-ack pattern compile to compileUserRegex (the charset allowlist/length/shape guards stay as a fast pre-rejection). Residual ReDoS surface CodeQL may not flag through the barrier, now closed for consistency.
2. settingsRoutes.ts:215 — convert the regex-validation compile to compileUserRegex so stored patterns are guaranteed RE2-compatible.
3. safeRegex.ts — document that the result is not `instanceof RegExp` and that length bounding stays the caller's responsibility; add a test asserting `.source`/`.flags` behave.
4. safeRegex.test.ts — raise the ReDoS timing threshold to 1000ms and use a larger input, so the assertion can't flake on loaded CI runners.
5. Dockerfile — clarify the builder comment (build-base is the new compiler; python3 is node-gyp's other requirement).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
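The commit message above notes that RE2 rejects backreferences and lookaround, so patterns saved before the switch can start failing as "invalid regex". The following is an added example, not the project's safeRegex.ts: a pre-migration audit that scans stored patterns for those two construct families. The function names and sample patterns are constructed for illustration, and the scan is a heuristic; RE2's own compile error remains the authority.

```typescript
// Added example; names and sample patterns are constructed, not the project's code.
type Finding = { index: number; construct: "backreference" | "lookaround" };

// Scan a pattern for the constructs the commit message says RE2 rejects.
function findRe2Unsupported(pattern: string): Finding[] {
  const findings: Finding[] = [];
  let inClass = false; // inside [...] these sequences are plain literals/escapes
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") {
      const next = pattern[i + 1] ?? "";
      // \1..\9 and \k<name> outside a class refer back to a capture group
      if (!inClass && (/[1-9]/.test(next) || (next === "k" && pattern[i + 2] === "<"))) {
        findings.push({ index: i, construct: "backreference" });
      }
      i++; // skip the escaped character so "\(" or "\[" is not misread
    } else if (inClass) {
      if (ch === "]") inClass = false;
    } else if (ch === "[") {
      inClass = true;
    } else if (ch === "(" && /^\?(=|!|<=|<!)/.test(pattern.slice(i + 1, i + 4))) {
      // (?= (?! (?<= (?<! are lookaround; (?<name> and (?: are not
      findings.push({ index: i, construct: "lookaround" });
    }
  }
  return findings;
}

// Return only the patterns the scan flags, with the position of each construct.
function auditPatterns(patterns: string[]): { pattern: string; findings: Finding[] }[] {
  return patterns
    .map((pattern) => ({ pattern, findings: findRe2Unsupported(pattern) }))
    .filter((entry) => entry.findings.length > 0);
}

// Constructed stored patterns, as an admin might have saved them before the switch.
const storedPatterns: string[] = [
  "^ping$",
  "^(\\w+) \\1$", // backreference
  "^(?!test).*", // negative lookahead
  "weather (?<city>\\w+)", // named group, no lookaround
  "[(?=\\1]+", // same characters inside a class: literals
  "\\(?=ok", // escaped paren: literal
];

for (const { pattern, findings } of auditPatterns(storedPatterns)) {
  console.log(pattern, findings.map((f) => `${f.construct}@${f.index}`).join(", "));
}
```

Running the audit before deploying the engine change lets an operator rewrite the flagged patterns instead of discovering them when a trigger silently stops matching.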
Summary
TZ environment variable in the README's Environment Variables table
Details
The TZ environment variable is used by the checkAutoAcknowledge() function in src/server/meshtasticManager.ts:3143 to format message timestamps in auto-acknowledge responses. Without this documentation, users may not be aware they can customize the timezone for these automated messages.
This change adds:
America/New_York (matching the code default)
Test plan
Fixes #154
🤖 Generated with Claude Code