mirrors
/
hometown
mirror of https://github.com/hometown-fork/hometown.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'v3.5.4' into hometown-dev

This commit is contained in:
Darius Kazemi 2022-11-14 11:47:27 -08:00
parent 7adebd4349 105ab82425
commit f5ffda7cf3
11 changed files with 234 additions and 101 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
CHANGELOG.md
View File

@ -3,6 +3,18 @@ Changelog
All notable changes to this project will be documented in this file. All notable changes to this project will be documented in this file.
## [3.5.4] - 2022-11-14
### Fixed
- Fix error when a remote report includes a private post the server has no access to ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/18760))
### Security
- Fix emoji substitution not applying only to text nodes in backend code ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/20641))
- Fix emoji substitution not applying only to text nodes in Web UI ([ClearlyClaire](https://github.com/mastodon/mastodon/pull/20640))
- Fix rate limiting for paths with formats ([Gargron](https://github.com/mastodon/mastodon/pull/20675))
- Fix out-of-bound reads in blurhash transcoder ([delroth](https://github.com/mastodon/mastodon/pull/20388))
## [3.5.3] - 2022-05-26 ## [3.5.3] - 2022-05-26
### Added ### Added

80
app/javascript/mastodon/features/emoji/emoji.js
View File

@ -19,15 +19,23 @@ const emojiFilename = (filename) => {
return borderedEmoji.includes(filename) ? (filename + '_border') : filename; return borderedEmoji.includes(filename) ? (filename + '_border') : filename;
}; };
const emojify = (str, customEmojis = {}) => { const emojifyTextNode = (node, customEmojis) => {
const tagCharsWithoutEmojis = '<&'; const parentElement = node.parentElement;
const tagCharsWithEmojis = Object.keys(customEmojis).length ? '<&:' : '<&'; let str = node.textContent;
let rtn = '', tagChars = tagCharsWithEmojis, invisible = 0;
for (;;) { for (;;) {
let match, i = 0, tag; let match, i = 0;
while (i < str.length && (tag = tagChars.indexOf(str[i])) === -1 && (invisible || !(match = trie.search(str.slice(i))))) {
i += str.codePointAt(i) < 65536 ? 1 : 2; if (customEmojis === null) {
while (i < str.length && !(match = trie.search(str.slice(i)))) {
i += str.codePointAt(i) < 65536 ? 1 : 2;
}
} else {
while (i < str.length && str[i] !== ':' && !(match = trie.search(str.slice(i)))) {
i += str.codePointAt(i) < 65536 ? 1 : 2;
}
} }
let rend, replacement = ''; let rend, replacement = '';
if (i === str.length) { if (i === str.length) {
break; break;
@ -35,8 +43,6 @@ const emojify = (str, customEmojis = {}) => {
if (!(() => { if (!(() => {
rend = str.indexOf(':', i + 1) + 1; rend = str.indexOf(':', i + 1) + 1;
if (!rend) return false; // no pair of ':' if (!rend) return false; // no pair of ':'
const lt = str.indexOf('<', i + 1);
if (!(lt === -1 || lt >= rend)) return false; // tag appeared before closing ':'
const shortname = str.slice(i, rend); const shortname = str.slice(i, rend);
// now got a replacee as ':shortname:' // now got a replacee as ':shortname:'
// if you want additional emoji handler, add statements below which set replacement and return true. // if you want additional emoji handler, add statements below which set replacement and return true.
@ -47,29 +53,6 @@ const emojify = (str, customEmojis = {}) => {
} }
return false; return false;
})()) rend = ++i; })()) rend = ++i;
} else if (tag >= 0) { // <, &
rend = str.indexOf('>;'[tag], i + 1) + 1;
if (!rend) {
break;
}
if (tag === 0) {
if (invisible) {
if (str[i + 1] === '/') { // closing tag
if (!--invisible) {
tagChars = tagCharsWithEmojis;
}
} else if (str[rend - 2] !== '/') { // opening tag
invisible++;
}
} else {
if (str.startsWith('<span class="invisible">', i)) {
// avoid emojifying on invisible text
invisible = 1;
tagChars = tagCharsWithoutEmojis;
}
}
}
i = rend;
} else { // matched to unicode emoji } else { // matched to unicode emoji
const { filename, shortCode } = unicodeMapping[match]; const { filename, shortCode } = unicodeMapping[match];
const title = shortCode ? `:${shortCode}:` : ''; const title = shortCode ? `:${shortCode}:` : '';
@ -80,10 +63,39 @@ const emojify = (str, customEmojis = {}) => {
rend += 1; rend += 1;
} }
} }
rtn += str.slice(0, i) + replacement;
node.textContent = str.slice(0, i);
parentElement.insertAdjacentHTML('beforeend', replacement);
str = str.slice(rend); str = str.slice(rend);
node = document.createTextNode(str);
parentElement.append(node);
} }
return rtn + str; };
const emojifyNode = (node, customEmojis) => {
for (const child of node.childNodes) {
switch(child.nodeType) {
case Node.TEXT_NODE:
emojifyTextNode(child, customEmojis);
break;
case Node.ELEMENT_NODE:
if (!child.classList.contains('invisible'))
emojifyNode(child, customEmojis);
break;
}
}
};
const emojify = (str, customEmojis = {}) => {
const wrapper = document.createElement('div');
wrapper.innerHTML = str;
if (!Object.keys(customEmojis).length)
customEmojis = null;
emojifyNode(wrapper, customEmojis);
return wrapper.innerHTML;
}; };
export default emojify; export default emojify;

58
app/lib/emoji_formatter.rb
View File

@ -23,48 +23,40 @@ class EmojiFormatter
def to_s def to_s
return html if custom_emojis.empty? || html.blank? return html if custom_emojis.empty? || html.blank?
i = -1 tree = Nokogiri::HTML.fragment(html)
tag_open_index = nil tree.xpath('./text()|.//text()[not(ancestor[@class="invisible"])]').to_a.each do |node|
inside_shortname = false i = -1
shortname_start_index = -1 inside_shortname = false
invisible_depth = 0 shortname_start_index = -1
last_index = 0 last_index = 0
result = ''.dup text = node.content
result = Nokogiri::XML::NodeSet.new(tree.document)
while i + 1 < html.size while i + 1 < text.size
i += 1 i += 1
if invisible_depth.zero? && inside_shortname && html[i] == ':' if inside_shortname && text[i] == ':'
inside_shortname = false inside_shortname = false
shortcode = html[shortname_start_index + 1..i - 1] shortcode = text[shortname_start_index + 1..i - 1]
char_after = html[i + 1] char_after = text[i + 1]
next unless (char_after.nil? || !DISALLOWED_BOUNDING_REGEX.match?(char_after)) && (emoji = emoji_map[shortcode]) next unless (char_after.nil? || !DISALLOWED_BOUNDING_REGEX.match?(char_after)) && (emoji = emoji_map[shortcode])
result << html[last_index..shortname_start_index - 1] if shortname_start_index.positive? result << Nokogiri::XML::Text.new(text[last_index..shortname_start_index - 1], tree.document) if shortname_start_index.positive?
result << image_for_emoji(shortcode, emoji) result << Nokogiri::HTML.fragment(image_for_emoji(shortcode, emoji))
last_index = i + 1
elsif tag_open_index && html[i] == '>'
tag = html[tag_open_index..i]
tag_open_index = nil
if invisible_depth.positive? last_index = i + 1
invisible_depth += count_tag_nesting(tag) elsif text[i] == ':' && (i.zero? || !DISALLOWED_BOUNDING_REGEX.match?(text[i - 1]))
elsif tag == '<span class="invisible">' inside_shortname = true
invisible_depth = 1 shortname_start_index = i
end end
elsif html[i] == '<'
tag_open_index = i
inside_shortname = false
elsif !tag_open_index && html[i] == ':' && (i.zero? || !DISALLOWED_BOUNDING_REGEX.match?(html[i - 1]))
inside_shortname = true
shortname_start_index = i
end end
result << Nokogiri::XML::Text.new(text[last_index..-1], tree.document)
node.replace(result)
end end
result << html[last_index..-1] tree.to_html.html_safe # rubocop:disable Rails/OutputSafety
result.html_safe # rubocop:disable Rails/OutputSafety
end end
private private

11
app/services/report_service.rb
View File

@ -57,7 +57,16 @@ class ReportService < BaseService
end end
def reported_status_ids def reported_status_ids
AccountStatusesFilter.new(@target_account, @source_account).results.with_discarded.find(Array(@status_ids)).pluck(:id) return AccountStatusesFilter.new(@target_account, @source_account).results.with_discarded.find(Array(@status_ids)).pluck(:id) if @source_account.local?
# If the account making reports is remote, it is likely anonymized so we have to relax the requirements for attaching statuses.
domain = @source_account.domain.to_s.downcase
has_followers = @target_account.followers.where(Account.arel_table[:domain].lower.eq(domain)).exists?
visibility = has_followers ? %i(public unlisted private) : %i(public unlisted)
scope = @target_account.statuses.with_discarded
scope.merge!(scope.where(visibility: visibility).or(scope.where('EXISTS (SELECT 1 FROM mentions m JOIN accounts a ON m.account_id = a.id WHERE lower(a.domain) = ?)', domain)))
# Allow missing posts to not drop reports that include e.g. a deleted post
scope.where(id: Array(@status_ids)).pluck(:id)
end end
def payload def payload

2
chart/values.yaml
View File

@ -8,7 +8,7 @@ image:
# built from the most recent commit # built from the most recent commit
# #
# tag: latest # tag: latest
tag: v3.5.2 tag: v3.5.4
# use `Always` when using `latest` tag # use `Always` when using `latest` tag
pullPolicy: IfNotPresent pullPolicy: IfNotPresent

49
config/initializers/rack_attack.rb
View File

@ -17,6 +17,18 @@ class Rack::Attack
@remote_ip ||= (@env["action_dispatch.remote_ip"] || ip).to_s @remote_ip ||= (@env["action_dispatch.remote_ip"] || ip).to_s
end end
def throttleable_remote_ip
@throttleable_remote_ip ||= begin
ip = IPAddr.new(remote_ip)
if ip.ipv6?
ip.mask(64)
else
ip
end
end.to_s
end
def authenticated_user_id def authenticated_user_id
authenticated_token&.resource_owner_id authenticated_token&.resource_owner_id
end end
@ -29,6 +41,10 @@ class Rack::Attack
path.start_with?('/api') path.start_with?('/api')
end end
def path_matches?(other_path)
/\A#{Regexp.escape(other_path)}(\..*)?\z/ =~ path
end
def web_request? def web_request?
!api_request? !api_request?
end end
@ -51,19 +67,19 @@ class Rack::Attack
end end
throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req| throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
req.remote_ip if req.api_request? && req.unauthenticated? req.throttleable_remote_ip if req.api_request? && req.unauthenticated?
end end
throttle('throttle_api_media', limit: 30, period: 30.minutes) do |req| throttle('throttle_api_media', limit: 30, period: 30.minutes) do |req|
req.authenticated_user_id if req.post? && req.path.match?('^/api/v\d+/media') req.authenticated_user_id if req.post? && req.path.match?(/\A\/api\/v\d+\/media\z/i)
end end
throttle('throttle_media_proxy', limit: 30, period: 10.minutes) do |req| throttle('throttle_media_proxy', limit: 30, period: 10.minutes) do |req|
req.remote_ip if req.path.start_with?('/media_proxy') req.throttleable_remote_ip if req.path.start_with?('/media_proxy')
end end
throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req| throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
req.remote_ip if req.post? && req.path == '/api/v1/accounts' req.throttleable_remote_ip if req.post? && req.path == '/api/v1/accounts'
end end
throttle('throttle_authenticated_paging', limit: 300, period: 15.minutes) do |req| throttle('throttle_authenticated_paging', limit: 300, period: 15.minutes) do |req|
@ -71,39 +87,34 @@ class Rack::Attack
end end
throttle('throttle_unauthenticated_paging', limit: 300, period: 15.minutes) do |req| throttle('throttle_unauthenticated_paging', limit: 300, period: 15.minutes) do |req|
req.remote_ip if req.paging_request? && req.unauthenticated? req.throttleable_remote_ip if req.paging_request? && req.unauthenticated?
end end
API_DELETE_REBLOG_REGEX = /\A\/api\/v1\/statuses\/[\d]+\/unreblog/.freeze API_DELETE_REBLOG_REGEX = /\A\/api\/v1\/statuses\/[\d]+\/unreblog\z/.freeze
API_DELETE_STATUS_REGEX = /\A\/api\/v1\/statuses\/[\d]+/.freeze API_DELETE_STATUS_REGEX = /\A\/api\/v1\/statuses\/[\d]+\z/.freeze
throttle('throttle_api_delete', limit: 30, period: 30.minutes) do |req| throttle('throttle_api_delete', limit: 30, period: 30.minutes) do |req|
req.authenticated_user_id if (req.post? && req.path.match?(API_DELETE_REBLOG_REGEX)) || (req.delete? && req.path.match?(API_DELETE_STATUS_REGEX)) req.authenticated_user_id if (req.post? && req.path.match?(API_DELETE_REBLOG_REGEX)) || (req.delete? && req.path.match?(API_DELETE_STATUS_REGEX))
end end
throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req| throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req|
if req.post? && req.path == '/auth' req.throttleable_remote_ip if req.post? && req.path_matches?('/auth')
addr = req.remote_ip
addr = IPAddr.new(addr) if addr.is_a?(String)
addr = addr.mask(64) if addr.ipv6?
addr.to_s
end
end end
throttle('throttle_password_resets/ip', limit: 25, period: 5.minutes) do |req| throttle('throttle_password_resets/ip', limit: 25, period: 5.minutes) do |req|
req.remote_ip if req.post? && req.path == '/auth/password' req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/password')
end end
throttle('throttle_password_resets/email', limit: 5, period: 30.minutes) do |req| throttle('throttle_password_resets/email', limit: 5, period: 30.minutes) do |req|
req.params.dig('user', 'email').presence if req.post? && req.path == '/auth/password' req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/password')
end end
throttle('throttle_email_confirmations/ip', limit: 25, period: 5.minutes) do |req| throttle('throttle_email_confirmations/ip', limit: 25, period: 5.minutes) do |req|
req.remote_ip if req.post? && %w(/auth/confirmation /api/v1/emails/confirmations).include?(req.path) req.throttleable_remote_ip if req.post? && (req.path_matches?('/auth/confirmation') || req.path == '/api/v1/emails/confirmations')
end end
throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do |req| throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do |req|
if req.post? && req.path == '/auth/password' if req.post? && req.path_matches?('/auth/password')
req.params.dig('user', 'email').presence req.params.dig('user', 'email').presence
elsif req.post? && req.path == '/api/v1/emails/confirmations' elsif req.post? && req.path == '/api/v1/emails/confirmations'
req.authenticated_user_id req.authenticated_user_id
@ -111,11 +122,11 @@ class Rack::Attack
end end
throttle('throttle_login_attempts/ip', limit: 25, period: 5.minutes) do |req| throttle('throttle_login_attempts/ip', limit: 25, period: 5.minutes) do |req|
req.remote_ip if req.post? && req.path == '/auth/sign_in' req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/sign_in')
end end
throttle('throttle_login_attempts/email', limit: 25, period: 1.hour) do |req| throttle('throttle_login_attempts/email', limit: 25, period: 1.hour) do |req|
req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path == '/auth/sign_in' req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/sign_in')
end end
self.throttled_responder = lambda do |request| self.throttled_responder = lambda do |request|

6
config/routes.rb
View File

@ -47,7 +47,7 @@ Rails.application.routes.draw do
end end
end end
devise_for :users, path: 'auth', controllers: { devise_for :users, path: 'auth', format: false, controllers: {
omniauth_callbacks: 'auth/omniauth_callbacks', omniauth_callbacks: 'auth/omniauth_callbacks',
sessions: 'auth/sessions', sessions: 'auth/sessions',
registrations: 'auth/registrations', registrations: 'auth/registrations',
@ -182,7 +182,7 @@ Rails.application.routes.draw do
resource :statuses_cleanup, controller: :statuses_cleanup, only: [:show, :update] resource :statuses_cleanup, controller: :statuses_cleanup, only: [:show, :update]
get '/public', to: 'public_timelines#show', as: :public_timeline get '/public', to: 'public_timelines#show', as: :public_timeline
get '/media_proxy/:id/(*any)', to: 'media_proxy#show', as: :media_proxy get '/media_proxy/:id/(*any)', to: 'media_proxy#show', as: :media_proxy, format: false
resource :authorize_interaction, only: [:show, :create] resource :authorize_interaction, only: [:show, :create]
resource :share, only: [:show, :create] resource :share, only: [:show, :create]
@ -353,7 +353,7 @@ Rails.application.routes.draw do
get '/admin', to: redirect('/admin/dashboard', status: 302) get '/admin', to: redirect('/admin/dashboard', status: 302)
namespace :api do namespace :api, format: false do
# OEmbed # OEmbed
get '/oembed', to: 'oembed#show', as: :oembed get '/oembed', to: 'oembed#show', as: :oembed

2
lib/mastodon/version.rb
View File

@ -21,7 +21,7 @@ module Mastodon
end end
def suffix def suffix
'+3.5.3' '+3.5.4'
end end
def to_a def to_a

2
lib/paperclip/blurhash_transcoder.rb
View File

@ -5,7 +5,7 @@ module Paperclip
def make def make
return @file unless options[:style] == :small || options[:blurhash] return @file unless options[:style] == :small || options[:blurhash]
pixels = convert(':source RGB:-', source: File.expand_path(@file.path)).unpack('C*') pixels = convert(':source -depth 8 RGB:-', source: File.expand_path(@file.path)).unpack('C*')
geometry = options.fetch(:file_geometry_parser).from_file(@file) geometry = options.fetch(:file_geometry_parser).from_file(@file)
attachment.instance.blurhash = Blurhash.encode(geometry.width, geometry.height, pixels, **(options[:blurhash] || {})) attachment.instance.blurhash = Blurhash.encode(geometry.width, geometry.height, pixels, **(options[:blurhash] || {}))

88
spec/lib/activitypub/activity/flag_spec.rb
View File

@ -1,7 +1,7 @@
require 'rails_helper' require 'rails_helper'
RSpec.describe ActivityPub::Activity::Flag do RSpec.describe ActivityPub::Activity::Flag do
let(:sender) { Fabricate(:account, domain: 'example.com', uri: 'http://example.com/account') } let(:sender) { Fabricate(:account, username: 'example.com', domain: 'example.com', uri: 'http://example.com/actor') }
let(:flagged) { Fabricate(:account) } let(:flagged) { Fabricate(:account) }
let(:status) { Fabricate(:status, account: flagged, uri: 'foobar') } let(:status) { Fabricate(:status, account: flagged, uri: 'foobar') }
let(:flag_id) { nil } let(:flag_id) { nil }
@ -23,16 +23,88 @@ RSpec.describe ActivityPub::Activity::Flag do
describe '#perform' do describe '#perform' do
subject { described_class.new(json, sender) } subject { described_class.new(json, sender) }
before do context 'when the reported status is public' do
subject.perform before do
subject.perform
end
it 'creates a report' do
report = Report.find_by(account: sender, target_account: flagged)
expect(report).to_not be_nil
expect(report.comment).to eq 'Boo!!'
expect(report.status_ids).to eq [status.id]
end
end end
it 'creates a report' do context 'when the reported status is private and should not be visible to the remote server' do
report = Report.find_by(account: sender, target_account: flagged) let(:status) { Fabricate(:status, account: flagged, uri: 'foobar', visibility: :private) }
expect(report).to_not be_nil before do
expect(report.comment).to eq 'Boo!!' subject.perform
expect(report.status_ids).to eq [status.id] end
it 'creates a report with no attached status' do
report = Report.find_by(account: sender, target_account: flagged)
expect(report).to_not be_nil
expect(report.comment).to eq 'Boo!!'
expect(report.status_ids).to eq []
end
end
context 'when the reported status is private and the author has a follower on the remote instance' do
let(:status) { Fabricate(:status, account: flagged, uri: 'foobar', visibility: :private) }
let(:follower) { Fabricate(:account, domain: 'example.com', uri: 'http://example.com/users/account') }
before do
follower.follow!(flagged)
subject.perform
end
it 'creates a report with the attached status' do
report = Report.find_by(account: sender, target_account: flagged)
expect(report).to_not be_nil
expect(report.comment).to eq 'Boo!!'
expect(report.status_ids).to eq [status.id]
end
end
context 'when the reported status is private and the author mentions someone else on the remote instance' do
let(:status) { Fabricate(:status, account: flagged, uri: 'foobar', visibility: :private) }
let(:mentioned) { Fabricate(:account, domain: 'example.com', uri: 'http://example.com/users/account') }
before do
status.mentions.create(account: mentioned)
subject.perform
end
it 'creates a report with the attached status' do
report = Report.find_by(account: sender, target_account: flagged)
expect(report).to_not be_nil
expect(report.comment).to eq 'Boo!!'
expect(report.status_ids).to eq [status.id]
end
end
context 'when the reported status is private and the author mentions someone else on the local instance' do
let(:status) { Fabricate(:status, account: flagged, uri: 'foobar', visibility: :private) }
let(:mentioned) { Fabricate(:account) }
before do
status.mentions.create(account: mentioned)
subject.perform
end
it 'creates a report with no attached status' do
report = Report.find_by(account: sender, target_account: flagged)
expect(report).to_not be_nil
expect(report.comment).to eq 'Boo!!'
expect(report.status_ids).to eq []
end
end end
end end

25
spec/services/report_service_spec.rb
View File

@ -28,6 +28,31 @@ RSpec.describe ReportService, type: :service do
end end
end end
context 'when the reported status is a DM' do
let(:target_account) { Fabricate(:account) }
let(:status) { Fabricate(:status, account: target_account, visibility: :direct) }
subject do
-> { described_class.new.call(source_account, target_account, status_ids: [status.id]) }
end
context 'when it is addressed to the reporter' do
before do
status.mentions.create(account: source_account)
end
it 'creates a report' do
is_expected.to change { target_account.targeted_reports.count }.from(0).to(1)
end
end
context 'when it is not addressed to the reporter' do
it 'errors out' do
is_expected.to raise_error
end
end
end
context 'when other reports already exist for the same target' do context 'when other reports already exist for the same target' do
let!(:target_account) { Fabricate(:account) } let!(:target_account) { Fabricate(:account) }
let!(:other_report) { Fabricate(:report, target_account: target_account) } let!(:other_report) { Fabricate(:report, target_account: target_account) }