b0834ebf55
prevent DoS from spammed media proxy requests
2024-11-20 19:37:38 -05:00
0f59adc436
fix ap/show
2024-11-21 09:25:18 +09:00
9fdabe3666
fix(backend): use atomic command to improve security
...
Co-Authored-By: Acid Chicken <root@acid-chicken.com>
2024-11-21 09:22:15 +09:00
8e90484b3e
Bump version
2024-11-20 19:21:57 -05:00
776f6fd1f5
fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses
2024-11-20 19:17:25 -05:00
7b3e3f8e25
fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService)
2024-11-20 19:17:25 -05:00
360d71278a
fix(backend): lint and typecheck
2024-11-20 19:17:25 -05:00
663c06be00
Apply suggestions from code review
...
Co-authored-by: anatawa12 <anatawa12@icloud.com>
2024-11-20 19:17:25 -05:00
7ccccf5545
fix(backend): allow accessing private IP when testing
2024-11-20 19:17:25 -05:00
f36f4b5398
fix(backend): check target IP before sending HTTP request
2024-11-20 19:17:25 -05:00
cc4e99fdde
fix: Try using `CacheService` to avoid excess db lookups
...
This isn't perfect, theoretically if some massive number of users
blocked the user making this request the set lookup could take a long
amount of time, but eh, it works, and that scenario is highly unlikely.
2024-11-20 19:17:25 -05:00
5764fa55cb
fix: primitives 25-33: proper local instance checks
2024-11-20 19:17:25 -05:00
74565f67f7
fix: primitives 21, 22, and 23: reuse resolver
...
This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher that it previously would and could possibly
fail on non-malicious collection activities.
2024-11-20 19:17:25 -05:00
408e782507
fix: primitive 19 & 20: respect blocks and hide more
...
Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.
2024-11-20 19:17:25 -05:00
cbf8cc376e
fix: primitive 18: `ap/get` bypasses access checks
...
One might argue that we could make this one actually preform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.
2024-11-20 19:17:25 -05:00
c04f344049
fix: primitive 13: check attribution against actor in notes
2024-11-20 19:17:25 -05:00
b9080da75d
fix: code style for primitive 17
2024-11-20 19:17:24 -05:00
4d925fc086
fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array
2024-11-20 19:17:24 -05:00
b74e2e9167
fix: primitive 16: improper same-origin validation for user uri and url
2024-11-20 19:17:24 -05:00
ebea1a2962
fix: primitive 15: improper same-origin validation for note uri and url
2024-11-20 19:17:24 -05:00
4c432c07cb
fix: code style for primitive 14
2024-11-20 19:17:24 -05:00
322b3b677f
fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections
2024-11-20 19:17:24 -05:00
1c7e05ce9e
fix: primitive 7 & 12: prevent poll spoofing
2024-11-20 19:17:24 -05:00
9ab25ede28
fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name
2024-11-20 19:17:24 -05:00
174dfb83d0
fix: primitive 6: reject anonymous objects that were fetched by their id
2024-11-20 19:17:24 -05:00
ad8e8793c7
fix: primitives 5 & 8: reject activities with non-string identifiers
2024-11-20 19:17:24 -05:00
1e14612f0e
fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities
2024-11-20 19:17:24 -05:00
9090b745e6
fix: primitive 3: validation of non-final url
2024-11-20 19:17:24 -05:00
d883934826
fix: primitive 2: acceptance of cross-origin alternate links
2024-11-20 19:17:23 -05:00
090e9392cd
Merge commit from fork
...
* fix(backend): check target IP before sending HTTP request
* fix(backend): allow accessing private IP when testing
* Apply suggestions from code review
Co-authored-by: anatawa12 <anatawa12@icloud.com>
* fix(backend): lint and typecheck
* fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService)
* fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses
---------
Co-authored-by: anatawa12 <anatawa12@icloud.com>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
2024-11-21 08:27:09 +09:00
b9cb949eb1
Merge commit from fork
...
* Fix poll update spoofing
* fix: Disallow negative poll counts
---------
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
2024-11-21 08:24:50 +09:00
5f675201f2
Merge commit from fork
...
* enhance: Add a few validation fixes from Sharkey
See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484
Co-Authored-By: Dakkar <dakkar@thenautilus.net>
* fix: primitive 2: acceptance of cross-origin alternate
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 3: validation of non-final url
* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities
* fix: primitives 5 & 8: reject activities with non
string identifiers
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 6: reject anonymous objects that were fetched by their id
* fix: primitives 9, 10 & 11: http signature validation
doesn't enforce required headers or specify auth header name
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections
* fix: code style for primitive 14
* fix: primitive 15: improper same-origin validation for
note uri and url
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 16: improper same-origin validation for user uri and url
* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array
* fix: code style for primitive 17
* fix: check attribution against actor in notes
While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.
* fix: primitive 18: `ap/get` bypasses access checks
One might argue that we could make this one actually preform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.
* fix: primitive 19 & 20: respect blocks and hide more
Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.
* fix: primitives 21, 22, and 23: reuse resolver
This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher that it previously would and could possibly
fail on non-malicious collection activities.
* fix: primitives 25-33: proper local instance checks
* revert: fix: primitive 19 & 20
This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.
---------
Co-authored-by: Dakkar <dakkar@thenautilus.net>
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
2024-11-21 08:20:09 +09:00
aa48a0e207
Fix: リノートミュートが新規投稿通知に対して作用していなかった問題を修正 ( #15006 )
...
* fix(backend): renoteMute doesn't work for note notification
* docs(changelog): update changelog
2024-11-21 08:00:50 +09:00
f0c3a4cc0b
perf(frontend): reduce api requests for non-logged-in enviroment ( #15001 )
...
* wip
* Update CHANGELOG.md
* wip
2024-11-21 07:58:34 +09:00
4603ab67bb
feat: 絵文字のポップアップメニューに編集を追加 ( #15004 )
...
* Mod: 絵文字のポップアップメニューに編集を追加
* fix: code styleの修正
* fix: code styleの修正
* fix
2024-11-20 20:08:26 +09:00
fb54546573
Fix linter error in emojis endpoint
2024-11-20 01:17:24 -05:00
9e0b759197
merge: Bump develop version ( !757 )
...
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/757
2024-11-20 05:56:55 +00:00
d150e92f41
prevent DoS from spammed media proxy requests
2024-11-19 23:31:59 -05:00
763c708253
Fix(backend): アカウント削除のモデレーションログが動作していないのを修正 ( #14996 ) ( #14997 )
...
* アカウント削除のモデレーションログが動作していないのを修正
* update CHANGELOG
2024-11-19 21:12:40 +09:00
6c5d3113c6
Bump version to 2024.11.0-alpha.2
2024-11-19 03:56:50 +00:00
7b9c884a5d
refactor(backend): SystemWebhookで送信されるペイロードの型を追加 ( #14980 )
2024-11-19 10:41:39 +09:00
c271534aba
リノートメニューに「リノートの詳細」を追加 ( #14985 )
...
* add renote-detail menu
* changelog
* Apply suggestions from code review
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
* Update CHANGELOG.md
---------
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
2024-11-19 10:34:33 +09:00
e800c0f85a
fix(backend): お知らせ作成時に画像URL入力欄を空欄に変更できないのを修正 ( #14990 )
...
* fix(backend): アナウンスメントを作成ときに画像URLを後悔できないのを修正
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
* Update CHANGELOG.md
Co-authored-by: おさむのひと <46447427+samunohito@users.noreply.github.com>
---------
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
Co-authored-by: おさむのひと <46447427+samunohito@users.noreply.github.com>
2024-11-19 10:29:42 +09:00
81348f1277
fix(frontend): TypeScriptの型チェック対象ファイルを限定して高速化するように ( #14994 )
...
* fix frontend tsconfig includes
* fix frontend-embed tsconfig includes
* fix eslint in frontend / frontend-embed
* Update Changelog
---------
Co-authored-by: Hazelnoot <acomputerdog@gmail.com>
2024-11-19 10:22:47 +09:00
0df6c79172
enhance(frontend): デッキ表示時にサイドバーを展開・折りたたみできるように ( #14983 )
...
* enhance(frontend): デッキ表示時にサイドバーを展開・折りたたみできるように
* wip
* wip
* Update navbar.vue
* ✌️
* Update CHANGELOG.md
* 🎨
---------
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
2024-11-18 10:36:51 +09:00
482538c7f8
merge: make emoji categories and names case insensitive. ( !746 )
...
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/746
Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: dakkar <dakkar@thenautilus.net>
2024-11-17 13:22:39 +00:00
1bfb0dc395
merge: check harder for connectibility ( !737 )
...
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/737
Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: Marie <github@yuugi.dev>
2024-11-17 00:40:52 +00:00
da2dfee0a8
merge: Remove check to prevent admin reporting ( Fixes #757 ) ( !727 )
...
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/727
Closes #757
Approved-by: Julia <julia@insertdomain.name>
Approved-by: Marie <github@yuugi.dev>
Approved-by: Hazelnoot <acomputerdog@gmail.com>
2024-11-17 00:39:08 +00:00
9614f74bf8
🎨
2024-11-16 20:24:31 +09:00
b3c2de2b26
fix(backend): fallback sharedInbox to null in ApPersonService ( #14970 )
2024-11-16 18:53:28 +09:00
cf1b7c7064
add warning for open registration ( #14963 )
...
* wip
* wip
* Update ja-JP.yml
* Update index.d.ts
* ✌️
2024-11-16 17:22:34 +09:00
459449864c
🎨
2024-11-16 10:16:11 +09:00
eaad96aae3
edit query
2024-11-15 13:40:53 -03:00
eef0c895bc
use execa 8.0.1
...
#14966
2024-11-15 19:48:31 +09:00
d9d92bcfbf
Revert "use nodemon 3.0.2"
...
This reverts commit ce1f84e5a3
2024-11-15 19:40:12 +09:00
ce1f84e5a3
use nodemon 3.0.2
...
#14966
2024-11-15 19:33:50 +09:00
cf7df05023
Bump version to 2024.11.0-alpha.1
2024-11-15 09:06:13 +00:00
ee2c017f48
Merge branch 'develop' of https://github.com/misskey-dev/misskey into develop
2024-11-15 18:00:22 +09:00
d0cdc0b7a1
chore(frontend): tweak animation style
2024-11-15 18:00:20 +09:00
c0d1682604
feat: 送信したフォローリクエストを確認できるように ( #14856 )
...
* FEAT: Allow users to view pending follow requests they sent
This commit implements the `following/requests/sent` interface firstly
implemented on Firefish, and provides a UI interface to view the pending
follow requests users sent.
* ux: should not show follow requests tab when have no pending sent follow req
* fix default followreq tab
* fix default followreq tab
* restore missing hasPendingReceivedFollowRequest in navbar
* refactor
* use tabler icons
* tweak design
* Revert "ux: should not show follow requests tab when have no pending sent follow req"
This reverts commit e580b92c37f27c2849c6d27e22ca4c47086081bb.
* Update Changelog
* Update Changelog
* change tab titles
---------
Co-authored-by: Lhc_fl <lhcfl@outlook.com>
Co-authored-by: Hazelnoot <acomputerdog@gmail.com>
2024-11-15 17:30:54 +09:00
e26e24b610
update deps ( #14950 )
...
* update deps
* wip
* Revert "wip"
This reverts commit 393de249fe248ae181221266e0b7828a3ac53152.
* wip
* wip
* wip
* wip
2024-11-15 17:22:00 +09:00
7f8c8f62b1
fix(frontend): スマホで表示した時にipv6だとはみ出てしまうのを修正 ( #14960 )
...
* fix(frontend): スマホで表示した時にipv6だとはみ出てしまうのを修正 (MisskeyIO#815)
(cherry picked from commit aec01dd4adda8e975da523c5bea329120e689569)
* Update Changelog
---------
Co-authored-by: sleep-moe <yukikum57@gmail.com>
2024-11-15 09:33:09 +09:00
a16d7e1e75
fix SCSS warning
2024-11-14 12:12:25 +00:00
fdad036912
Merge branch 'develop' into feature/2024.10
2024-11-13 11:45:10 +00:00
0a05841f33
merge: Add "pinned" section to notes tab on user profiles ( !689 )
...
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/689
Approved-by: dakkar <dakkar@thenautilus.net>
Approved-by: Tess K <me@thvxl.se>
2024-11-13 11:14:59 +00:00
2305788ed9
Enhance(frontend): ノート詳細画面にロールのバッジを表示 ( #14946 )
...
* enhance(frontend): ノートの詳細画面にロールのバッジを表示(#14058 )
* Update CHANGELOG.md
2024-11-13 11:19:54 +09:00
68e5b5a84a
Set horizontal margin for even better consistency
2024-11-12 22:09:37 +01:00
6d6b03dfe2
tweak popup left margin for consistency
2024-11-12 21:39:38 +01:00
19be113cb4
Keep MkUserPopup from extending past left side of screen
2024-11-12 21:39:38 +01:00
101ca9e0f7
make sure popup position is never off screen to the left
2024-11-12 21:39:38 +01:00
a11b77a415
fix(backend): Webhook Test一致性 ( #14863 )
...
* fix(backend): Webhook Test一致性
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
* UserWebhookPayload<'followed'> 修正
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
---------
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
2024-11-12 09:51:18 +09:00
917e67d356
merge: Styling of following feed. ( !738 )
...
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/738
Approved-by: dakkar <dakkar@thenautilus.net>
Approved-by: Marie <github@yuugi.dev>
2024-11-11 11:14:52 +00:00
1bc4f400c0
Merge branch 'develop' of https://github.com/misskey-dev/misskey into develop
2024-11-11 16:35:23 +09:00
458c72c153
Update about-misskey.vue
2024-11-11 16:35:13 +09:00
31e5f0bd09
fix(frontend): メールアドレス登録有効化時の「完了」ダイアログボックスの表示条件を修正 ( #14928 )
...
* fix(frontend): メールアドレス登録有効化時の「完了」ダイアログボックスの表示条件を修正
* Update MkSignupDialog.form.vue
* fix condition
2024-11-10 15:08:58 +09:00
cf09aa21f0
Bump version to 2024.11.0-alpha.0
2024-11-09 02:28:02 +00:00
9f7d41eb47
Bump version to 2024.10.2-alpha.3
2024-11-09 02:25:42 +00:00
4a62051ce7
fix(backend): ローカルユーザーへのメンションを含むノートが連合される際に正しいURLに変換されないことがある問題を修正 ( #14879 )
...
* fix: make sure mentions of local users get rendered correctly during AP delivery (resolves #645 )
* Update Changelog
* indent
---------
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
2024-11-09 10:58:09 +09:00
3a421837bf
refactor(frontend): 動画UIのフルスクリーン周りの調整 ( #14877 )
...
* refactor(frontend): フルスクリーン周りの調整
(cherry picked from commit 783032caec5853d78d5af3391e29cf364f2282e8)
* refactor(frontend): deviceKindの循環参照を除去
(cherry picked from commit 1ca471f57e968a1a6e2259bde4a7c6da1fe0c54e)
* fix
---------
Co-authored-by: taiyme <53635909+taiyme@users.noreply.github.com>
2024-11-09 10:57:04 +09:00
a4c5ce1413
enhance(backend) : リモートユーザーの照会をオリジナルにリダイレクトするように ( #12892 ) ( #14897 )
...
* enhance(backend) : リモートユーザーの照会をオリジナルにリダイレクトするように (#12892 )
* オリジンリダイレクトのテストをtodoとして追加。
e2eテストにリモートユーザー考慮のテストがなさそうなので。
次のコマンドで動くことは確認済みです。
curl "http://localhost:3000/@foo@bar " -H "accept: application/activity+json" -L
* Acctのパースを既存のパーサーでするように修正
* lint
2024-11-09 10:54:44 +09:00
e75b62f3f5
enhance(frontend): 個別お知らせページではmetaタグを出力するように ( #14902 )
...
* enhance(frontend): 個別お知らせページではmetaタグを出力するように
* Update Changelog
2024-11-09 10:53:09 +09:00
5b60ae810b
fix(frontend): 外部URLへのリダイレクトのバリデーションを強化 ( #14919 )
...
* Fix code scanning alert no. 25: Incomplete URL scheme check (MisskeyIO#799)
* Fix code scanning alert no. 26: Incomplete URL scheme check
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Fix code scanning alert no. 25: Incomplete URL scheme check
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
(cherry picked from commit 7d7552e076c0152a5966e919be0e9a60b3736208)
* ✌️
---------
Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com>
2024-11-09 10:52:07 +09:00
98b4717c45
fix(backend): SQLのサニタイズを強化 ( #14920 )
...
* Fix code scanning alert no. 28: Incomplete string escaping or encoding (MisskeyIO#800)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
(cherry picked from commit 443335c662b14f609d6a81a8f3807e95709aebc1)
* ✌️
---------
Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com>
2024-11-09 10:51:28 +09:00
03559156b9
Improve performance of notes/following API
2024-11-09 00:32:03 +01:00
f17d716d61
fix upstream linting
2024-11-08 17:53:42 +00:00
0a15ffba55
remove duplicate import
2024-11-08 17:53:34 +00:00
a930fd9758
probably fix most renamed CSS variables
2024-11-08 17:33:04 +00:00
544fc3239f
probably re-enable friendlycaptcha on signin
2024-11-08 17:09:19 +00:00
41ac75a113
fix uses of renamed method
...
`FederatedInstanceService.fetch` will now just load from the DB, it
won't do anything if the instance is not already there
2024-11-08 16:45:51 +00:00
b4e8e78172
replace new icons
2024-11-08 16:28:37 +00:00
d6c6ba5531
regenerate misskey-js
2024-11-08 16:09:25 +00:00
ec875d9c40
fix merge mistakes in `admin/accounts/create.ts`
2024-11-08 16:09:02 +00:00
2ca1cbe51b
copy changes from MkNote* to SkNote*
2024-11-08 16:04:32 +00:00
ffebe778d4
copy changes from NoteCreate to NoteEdit
2024-11-08 15:55:50 +00:00
f079edaf3c
Merge tag '2024.10.1' into feature/2024.10
2024-11-08 15:52:37 +00:00
794cb9ffe2
fix(backend): followedMessageではなくdescriptionになっていたのを修正 ( #14908 )
2024-11-07 17:16:51 +09:00
bca690f256
fix(backend): フォロワーへのメッセージの絵文字をemojisに含めるように ( #14904 )
2024-11-07 15:10:10 +09:00
f1eb17f66c
chore: little type trick in pizzax.ts ( #14891 )
...
Make `makeGetterSetter` take the correct type associated with getter and setter
2024-11-06 22:01:58 +09:00
b1c82213a3
fix(backend): FTT無効時にユーザーリストタイムラインが使用できない問題を修正 ( #14878 )
...
* fix: return getfromdb when FanoutTimeline is not enabled
* Update Changelog
* fix
---------
Co-authored-by: Lhc_fl <lhcfl@outlook.com>
2024-11-06 22:01:21 +09:00
a896c39dbf
fix(frontend): ノート投稿ボタンにホバー時のスタイルが適用されていない ( #14887 )
...
* fix(frontend): ノート投稿ボタンにホバー時のスタイルが適用されていない (#305 )
(cherry picked from commit 711ab846a967feeddbe0c908bee4b91646cec321)
* Update Changelog
---------
Co-authored-by: taiy <53635909+taiyme@users.noreply.github.com>
2024-11-06 15:15:28 +09:00
Hazelnoot
syuilo
Julia Johannesen
rectcoordsystem
rectcoordsystem
Laura Hausmann
Sayamame-beans
鴇峰 朔華
zawa-ch.
github-actions[bot]
おさむのひと
FineArchs
饺子w (Yumechi)
かっこかり
dakkar
CDN
piuvas
shimmar
tess
momoirodouhu
Caramel
4ster1sk
Linca