DatseMultimediaSites
/
Sharkey
mirror of https://activitypub.software/TransFem-org/Sharkey.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
29,006 Commits 60 Branches 923 Tags 254 MiB
Commit Graph

3163 Commits

Author SHA1 Message Date
Hazelnoot 4e0f7ced84 preserve the raw URI in parseUri 2024-11-20 22:02:31 -05:00
Julia 41536480ce merge: Bump develop version (!766) 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/766
 2024-11-21 02:58:28 +00:00
Julia Johannesen 6027b516e1
Fix `.punyHost` misuse 2024-11-20 21:24:35 -05:00
Julia Johannesen 36af07abe2
Fix another style error 2024-11-20 20:31:22 -05:00
かっこかり 53e827b18c
fix(backend): fix security patches (#15008) 2024-11-21 10:30:30 +09:00
Julia Johannesen 23c4aa2571
Fix style error 2024-11-20 20:24:59 -05:00
Julia Johannesen 1758f29364
Fix error in test function calls 2024-11-20 20:16:43 -05:00
Julia Johannesen fa3cf6c299
Fix type error in security fixes 2024-11-20 20:06:46 -05:00
Hazelnoot b0834ebf55 prevent DoS from spammed media proxy requests 2024-11-20 19:37:38 -05:00
syuilo 0f59adc436 fix ap/show 2024-11-21 09:25:18 +09:00
syuilo 9fdabe3666 fix(backend): use atomic command to improve security 
Co-Authored-By: Acid Chicken <root@acid-chicken.com>
 2024-11-21 09:22:15 +09:00
Julia Johannesen 8e90484b3e
Bump version 2024-11-20 19:21:57 -05:00
rectcoordsystem 776f6fd1f5
fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses 2024-11-20 19:17:25 -05:00
rectcoordsystem 7b3e3f8e25
fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService) 2024-11-20 19:17:25 -05:00
rectcoordsystem 360d71278a
fix(backend): lint and typecheck 2024-11-20 19:17:25 -05:00
rectcoordsystem 663c06be00
Apply suggestions from code review 
Co-authored-by: anatawa12 <anatawa12@icloud.com>
 2024-11-20 19:17:25 -05:00
rectcoordsystem 7ccccf5545
fix(backend): allow accessing private IP when testing 2024-11-20 19:17:25 -05:00
rectcoordsystem f36f4b5398
fix(backend): check target IP before sending HTTP request 2024-11-20 19:17:25 -05:00
Julia Johannesen cc4e99fdde
fix: Try using `CacheService` to avoid excess db lookups 
This isn't perfect, theoretically if some massive number of users
blocked the user making this request the set lookup could take a long
amount of time, but eh, it works, and that scenario is highly unlikely.
 2024-11-20 19:17:25 -05:00
Julia Johannesen 5764fa55cb
fix: primitives 25-33: proper local instance checks 2024-11-20 19:17:25 -05:00
Julia Johannesen 74565f67f7
fix: primitives 21, 22, and 23: reuse resolver 
This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher that it previously would and could possibly
fail on non-malicious collection activities.
 2024-11-20 19:17:25 -05:00
Julia Johannesen 408e782507
fix: primitive 19 & 20: respect blocks and hide more 
Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.
 2024-11-20 19:17:25 -05:00
Julia Johannesen cbf8cc376e
fix: primitive 18: `ap/get` bypasses access checks 
One might argue that we could make this one actually preform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.
 2024-11-20 19:17:25 -05:00
Julia Johannesen c04f344049
fix: primitive 13: check attribution against actor in notes 2024-11-20 19:17:25 -05:00
Julia Johannesen b9080da75d
fix: code style for primitive 17 2024-11-20 19:17:24 -05:00
Laura Hausmann 4d925fc086
fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array 2024-11-20 19:17:24 -05:00
Laura Hausmann b74e2e9167
fix: primitive 16: improper same-origin validation for user uri and url 2024-11-20 19:17:24 -05:00
Laura Hausmann ebea1a2962
fix: primitive 15: improper same-origin validation for note uri and url 2024-11-20 19:17:24 -05:00
Julia Johannesen 4c432c07cb
fix: code style for primitive 14 2024-11-20 19:17:24 -05:00
Laura Hausmann 322b3b677f
fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections 2024-11-20 19:17:24 -05:00
Julia Johannesen 1c7e05ce9e
fix: primitive 7 & 12: prevent poll spoofing 2024-11-20 19:17:24 -05:00
Laura Hausmann 9ab25ede28
fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name 2024-11-20 19:17:24 -05:00
Laura Hausmann 174dfb83d0
fix: primitive 6: reject anonymous objects that were fetched by their id 2024-11-20 19:17:24 -05:00
Laura Hausmann ad8e8793c7
fix: primitives 5 & 8: reject activities with non-string identifiers 2024-11-20 19:17:24 -05:00
Laura Hausmann 1e14612f0e
fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities 2024-11-20 19:17:24 -05:00
Laura Hausmann 9090b745e6
fix: primitive 3: validation of non-final url 2024-11-20 19:17:24 -05:00
Laura Hausmann d883934826
fix: primitive 2: acceptance of cross-origin alternate links 2024-11-20 19:17:23 -05:00
rectcoordsystem 090e9392cd
Merge commit from fork 
* fix(backend): check target IP before sending HTTP request

* fix(backend): allow accessing private IP when testing

* Apply suggestions from code review

Co-authored-by: anatawa12 <anatawa12@icloud.com>

* fix(backend): lint and typecheck

* fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService)

* fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses

---------

Co-authored-by: anatawa12 <anatawa12@icloud.com>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
 2024-11-21 08:27:09 +09:00
Julia b9cb949eb1
Merge commit from fork 
* Fix poll update spoofing

* fix: Disallow negative poll counts

---------

Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
 2024-11-21 08:24:50 +09:00
Julia 5f675201f2
Merge commit from fork 
* enhance: Add a few validation fixes from Sharkey

See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484

Co-Authored-By: Dakkar <dakkar@thenautilus.net>

* fix: primitive 2: acceptance of cross-origin alternate

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 3: validation of non-final url

* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities

* fix: primitives 5 & 8: reject activities with non
string identifiers

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 6: reject anonymous objects that were fetched by their id

* fix: primitives 9, 10 & 11: http signature validation
doesn't enforce required headers or specify auth header name

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections

* fix: code style for primitive 14

* fix: primitive 15: improper same-origin validation for
note uri and url

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 16: improper same-origin validation for user uri and url

* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array

* fix: code style for primitive 17

* fix: check attribution against actor in notes

While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.

* fix: primitive 18: `ap/get` bypasses access checks

One might argue that we could make this one actually preform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.

* fix: primitive 19 & 20: respect blocks and hide more

Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.

* fix: primitives 21, 22, and 23: reuse resolver

This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher that it previously would and could possibly
fail on non-malicious collection activities.

* fix: primitives 25-33: proper local instance checks

* revert: fix: primitive 19 & 20

This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.

---------

Co-authored-by: Dakkar <dakkar@thenautilus.net>
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
 2024-11-21 08:20:09 +09:00
Sayamame-beans aa48a0e207
Fix: リノートミュートが新規投稿通知に対して作用していなかった問題を修正 (#15006) 
* fix(backend): renoteMute doesn't work for note notification

* docs(changelog): update changelog
 2024-11-21 08:00:50 +09:00
syuilo f0c3a4cc0b
perf(frontend): reduce api requests for non-logged-in enviroment (#15001) 
* wip

* Update CHANGELOG.md

* wip
 2024-11-21 07:58:34 +09:00
Julia Johannesen fb54546573
Fix linter error in emojis endpoint 2024-11-20 01:17:24 -05:00
Julia 9e0b759197 merge: Bump develop version (!757) 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/757
 2024-11-20 05:56:55 +00:00
Hazelnoot d150e92f41 prevent DoS from spammed media proxy requests 2024-11-19 23:31:59 -05:00
zawa-ch. 763c708253
Fix(backend): アカウント削除のモデレーションログが動作していないのを修正 (#14996) (#14997) 
* アカウント削除のモデレーションログが動作していないのを修正

* update CHANGELOG
 2024-11-19 21:12:40 +09:00
おさむのひと 7b9c884a5d
refactor(backend): SystemWebhookで送信されるペイロードの型を追加 (#14980) 2024-11-19 10:41:39 +09:00
饺子w (Yumechi) e800c0f85a
fix(backend): お知らせ作成時に画像URL入力欄を空欄に変更できないのを修正 (#14990) 
* fix(backend): アナウンスメントを作成ときに画像URLを後悔できないのを修正

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>

* Update CHANGELOG.md

Co-authored-by: おさむのひと <46447427+samunohito@users.noreply.github.com>

---------

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
Co-authored-by: おさむのひと <46447427+samunohito@users.noreply.github.com>
 2024-11-19 10:29:42 +09:00
dakkar 482538c7f8 merge: make emoji categories and names case insensitive. (!746) 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/746

Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: dakkar <dakkar@thenautilus.net>
 2024-11-17 13:22:39 +00:00
Hazelnoot 1bfb0dc395 merge: check harder for connectibility (!737) 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/737

Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: Marie <github@yuugi.dev>
 2024-11-17 00:40:52 +00:00
Hazelnoot da2dfee0a8 merge: Remove check to prevent admin reporting (Fixes #757) (!727) 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/727

Closes #757

Approved-by: Julia <julia@insertdomain.name>
Approved-by: Marie <github@yuugi.dev>
Approved-by: Hazelnoot <acomputerdog@gmail.com>
 2024-11-17 00:39:08 +00:00
CDN b3c2de2b26
fix(backend): fallback sharedInbox to null in ApPersonService (#14970) 2024-11-16 18:53:28 +09:00
piuvas eaad96aae3
edit query 2024-11-15 13:40:53 -03:00
syuilo eef0c895bc use execa 8.0.1 
#14966
 2024-11-15 19:48:31 +09:00
syuilo d9d92bcfbf Revert "use nodemon 3.0.2" 
This reverts commit ce1f84e5a3.
 2024-11-15 19:40:12 +09:00
syuilo ce1f84e5a3 use nodemon 3.0.2 
#14966
 2024-11-15 19:33:50 +09:00
かっこかり c0d1682604
feat: 送信したフォローリクエストを確認できるように (#14856) 
* FEAT: Allow users to view pending follow requests they sent

This commit implements the `following/requests/sent` interface firstly
implemented on Firefish, and provides a UI interface to view the pending
follow requests users sent.

* ux: should not show follow requests tab when have no pending sent follow req

* fix default followreq tab

* fix default followreq tab

* restore missing hasPendingReceivedFollowRequest in navbar

* refactor

* use tabler icons

* tweak design

* Revert "ux: should not show follow requests tab when have no pending sent follow req"

This reverts commit e580b92c37f27c2849c6d27e22ca4c47086081bb.

* Update Changelog

* Update Changelog

* change tab titles

---------

Co-authored-by: Lhc_fl <lhcfl@outlook.com>
Co-authored-by: Hazelnoot <acomputerdog@gmail.com>
 2024-11-15 17:30:54 +09:00
syuilo e26e24b610
update deps (#14950) 
* update deps

* wip

* Revert "wip"

This reverts commit 393de249fe248ae181221266e0b7828a3ac53152.

* wip

* wip

* wip

* wip
 2024-11-15 17:22:00 +09:00
dakkar fdad036912 Merge branch 'develop' into feature/2024.10 2024-11-13 11:45:10 +00:00
饺子w (Yumechi) a11b77a415
fix(backend): Webhook Test一致性 (#14863) 
* fix(backend): Webhook Test一致性

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>

* UserWebhookPayload<'followed'> 修正

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>

---------

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
 2024-11-12 09:51:18 +09:00
かっこかり 4a62051ce7
fix(backend): ローカルユーザーへのメンションを含むノートが連合される際に正しいURLに変換されないことがある問題を修正 (#14879) 
* fix: make sure mentions of local users get rendered correctly during AP delivery (resolves #645)

* Update Changelog

* indent

---------

Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
 2024-11-09 10:58:09 +09:00
momoirodouhu a4c5ce1413
enhance(backend) : リモートユーザーの照会をオリジナルにリダイレクトするように (#12892) (#14897) 
* enhance(backend) : リモートユーザーの照会をオリジナルにリダイレクトするように (#12892)

* オリジンリダイレクトのテストをtodoとして追加。

e2eテストにリモートユーザー考慮のテストがなさそうなので。

次のコマンドで動くことは確認済みです。
curl "http://localhost:3000/@foo@bar" -H "accept: application/activity+json" -L

* Acctのパースを既存のパーサーでするように修正

* lint
 2024-11-09 10:54:44 +09:00
かっこかり e75b62f3f5
enhance(frontend): 個別お知らせページではmetaタグを出力するように (#14902) 
* enhance(frontend): 個別お知らせページではmetaタグを出力するように

* Update Changelog
 2024-11-09 10:53:09 +09:00
かっこかり 98b4717c45
fix(backend): SQLのサニタイズを強化 (#14920) 
* Fix code scanning alert no. 28: Incomplete string escaping or encoding (MisskeyIO#800)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
(cherry picked from commit 443335c662b14f609d6a81a8f3807e95709aebc1)

* ✌️

---------

Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com>
 2024-11-09 10:51:28 +09:00
Caramel 03559156b9 Improve performance of notes/following API 2024-11-09 00:32:03 +01:00
dakkar f17d716d61 fix upstream linting 2024-11-08 17:53:42 +00:00
dakkar 0a15ffba55 remove duplicate import 2024-11-08 17:53:34 +00:00
dakkar 41ac75a113 fix uses of renamed method 
`FederatedInstanceService.fetch` will now just load from the DB, it
won't do anything if the instance is not already there
 2024-11-08 16:45:51 +00:00
dakkar ec875d9c40 fix merge mistakes in `admin/accounts/create.ts` 2024-11-08 16:09:02 +00:00
dakkar ffebe778d4 copy changes from NoteCreate to NoteEdit 2024-11-08 15:55:50 +00:00
dakkar f079edaf3c Merge tag '2024.10.1' into feature/2024.10 2024-11-08 15:52:37 +00:00
4ster1sk 794cb9ffe2
fix(backend): followedMessageではなくdescriptionになっていたのを修正 (#14908) 2024-11-07 17:16:51 +09:00
4ster1sk bca690f256
fix(backend): フォロワーへのメッセージの絵文字をemojisに含めるように (#14904) 2024-11-07 15:10:10 +09:00
かっこかり b1c82213a3
fix(backend): FTT無効時にユーザーリストタイムラインが使用できない問題を修正 (#14878) 
* fix: return getfromdb when FanoutTimeline is not enabled

* Update Changelog

* fix

---------

Co-authored-by: Lhc_fl <lhcfl@outlook.com>
 2024-11-06 22:01:21 +09:00
dakkar 9fe5dc679a check harder for connectibility 
`allSettled` does not throw if a promise is rejected, so
`check_connect` never actually failed
 2024-11-05 14:21:58 +00:00
Kio! 8477909af2 Update report-abuse.ts 2024-11-03 19:50:25 +00:00
Julia e783359aca merge: Revert "Experimental: dont mark backfetched notes as silent" (!703) 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/703

Approved-by: Julia <julia@insertdomain.name>
Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: Marie <github@yuugi.dev>
 2024-11-03 19:39:00 +00:00
かっこかり 6718a54f6f
fix(backend): ノートを連合する際にリモートユーザーのacctの大小文字を区別して処理している問題を修正 (#14880) 
* fix: make sure outgoing remote mentions get resolved correctly if referenced with non-canonical casing (resolves #646)

* Update Changelog

* Update Changelog

* indent

---------

Co-authored-by: Laura Hausmann <laura@hausmann.dev>
 2024-11-03 08:26:51 +09:00
Hazelnoot ddf572c22f fix lint errors in FollowingEntityService.ts 2024-11-02 17:43:11 -04:00
Hazel K 37fd454f70 factor out shared code 2024-11-02 17:39:16 -04:00
Hazel K 3a72bf453a respect following privacy settings 2024-11-02 17:39:16 -04:00
Hazel K 65d81a4ae2 Revert "fix incorrect populated object in followers endpoint" 
This reverts commit 7b9473bf4c0b55facede0e1d1e33297d14184110.
 2024-11-02 17:39:16 -04:00
Hazel K 8f0df1f01c check for blocks in following / followers endpoints 2024-11-02 17:39:16 -04:00
Hazel K c566fa1f36 require auth for followers & following endpoints 2024-11-02 17:39:16 -04:00
Marie b8b077cbad chore: replace recaptcha with frc 2024-11-02 11:02:13 +00:00
Marie d786e96c2b
upd: add FriendlyCaptcha as a captcha solution 
FriendlyCaptcha is a german captcha solution which is GDPR compliant and has a non-commerical free license
 2024-11-02 02:20:35 +01:00
Hazelnoot ade801ec58 check token permissions in admin/accounts/create.ts 2024-11-01 10:12:28 -04:00
Hazelnoot 37ff2bb0ca always approve the first / root user 2024-11-01 09:29:40 -04:00
Hazelnoot f36a1a5701 allow admins to create approved users 2024-11-01 09:29:40 -04:00
Julia 1520bc1715 merge: Split character limits between local and remote notes (resolves #723) (!669) 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/669

Closes #723

Approved-by: dakkar <dakkar@thenautilus.net>
Approved-by: Julia <julia@insertdomain.name>
 2024-10-29 03:04:25 +00:00
かっこかり f30d19051f
enhance(backend): check_connect.js で全RedisとDBへの接続を確認するように (#14853) 
* fix race conditions in check_connect.js

(cherry picked from commit 524ddb9677)

* fix

* Update Changelog

---------

Co-authored-by: Hazelnoot <acomputerdog@gmail.com>
 2024-10-28 21:06:54 +09:00
Tamme Schichler 8eb7749e44
fix(backend): Accept arrays in ActivityPub `icon` and `image` properties (#14825) 
This is allowed according to the Activity vocabulary: https://www.w3.org/TR/activitystreams-vocabulary/#dfn-icon
The issue is noticeable in combination with Bridgy Fed: https://github.com/snarfed/bridgy-fed/issues/1408
 2024-10-28 21:06:16 +09:00
syuilo 74847bce30 enhance: アイコンデコレーション管理画面の改善 2024-10-28 20:42:14 +09:00
かっこかり ec4358d1e8
fix(misskey-js): WebSocketの型定義をReconnectingWebsocketに依存するように (#14850) 
* fix(misskey-js): WebSocketの型定義をReconnectingWebsocketに依存するように

* Update Changelog

* run api extractor

* fix

* fix
 2024-10-28 11:43:05 +09:00
dakkar 276b30bdc0 merge: Collapse user activity, files, and listenbrainz on mobile (resolves #747) (!718) 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/718

Closes #747

Approved-by: Marie <github@yuugi.dev>
Approved-by: dakkar <dakkar@thenautilus.net>
 2024-10-27 12:12:30 +00:00
dakkar d72c40d157 merge: fix race conditions in check_connect.js (!715) 
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/715

Approved-by: Marie <github@yuugi.dev>
Approved-by: dakkar <dakkar@thenautilus.net>
 2024-10-27 12:05:48 +00:00
Hazelnoot a541eaba5e fix test errors 2024-10-26 17:34:42 -04:00
Hazelnoot d2a4d6d9e0 fix lint errors in home.vue / index.listenbrainz.vue 2024-10-26 12:58:07 -04:00
Hazelnoot 27b502fab5 normalize re-fetch logic between InboxProcessorService and ActivityPubServerService 2024-10-26 10:40:15 -04:00
Hazelnoot c0a5955e0a log key rotation 2024-10-26 10:40:15 -04:00