From 9b795a25cd7a014d8c08cc213031b55dff83bb69 Mon Sep 17 00:00:00 2001 From: Kaspar V Date: Sun, 22 Jan 2023 23:09:02 +0100 Subject: [PATCH 01/30] fix(pghero): update because CVE-2023-22626 (#23190) There is a vulnerability [CVE-2023-22626](https://github.com/advisories/GHSA-vf99-xw26-86g5) ``` Name: pghero Version: 2.8.3 CVE: CVE-2023-22626 GHSA: GHSA-vf99-xw26-86g5 Criticality: High URL: https://github.com/ankane/pghero/issues/439 Title: Information Disclosure Through EXPLAIN Feature Solution: upgrade to '>= 3.1.0' ``` --- Gemfile | 2 +- Gemfile.lock | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile b/Gemfile index 6a72fec549..9c1c9586a7 100644 --- a/Gemfile +++ b/Gemfile @@ -15,7 +15,7 @@ gem 'rack', '~> 2.2.6' gem 'hamlit-rails', '~> 0.2' gem 'pg', '~> 1.4' gem 'makara', '~> 0.5' -gem 'pghero', '~> 2.8' +gem 'pghero' gem 'dotenv-rails', '~> 2.8' gem 'aws-sdk-s3', '~> 1.117', require: false diff --git a/Gemfile.lock b/Gemfile.lock index d700e58c53..e922ebf211 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -468,8 +468,8 @@ GEM pastel (0.8.0) tty-color (~> 0.5) pg (1.4.5) - pghero (2.8.3) - activerecord (>= 5) + pghero (3.1.0) + activerecord (>= 6) pkg-config (1.5.1) posix-spawn (0.3.15) premailer (1.18.0) @@ -830,7 +830,7 @@ DEPENDENCIES ox (~> 2.14) parslet pg (~> 1.4) - pghero (~> 2.8) + pghero pkg-config (~> 1.5) posix-spawn premailer-rails From 448be26b34c965fcae65eb4c5227b35d97120537 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 23 Jan 2023 13:05:30 +0100 Subject: [PATCH 02/30] Add missing `policy` attribute to `WebPushSubscriptionSerializer` (#23210) * Add missing `policy` attribute to `WebPushSubscriptionSerializer` Fixes #23145 * Add tests --- app/serializers/rest/web_push_subscription_serializer.rb | 6 +++++- .../api/v1/push/subscriptions_controller_spec.rb | 8 ++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/app/serializers/rest/web_push_subscription_serializer.rb b/app/serializers/rest/web_push_subscription_serializer.rb index 194cc0a8c7..674a2d5a86 100644 --- a/app/serializers/rest/web_push_subscription_serializer.rb +++ b/app/serializers/rest/web_push_subscription_serializer.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true class REST::WebPushSubscriptionSerializer < ActiveModel::Serializer - attributes :id, :endpoint, :alerts, :server_key + attributes :id, :endpoint, :alerts, :server_key, :policy def alerts (object.data&.dig('alerts') || {}).each_with_object({}) { |(k, v), h| h[k] = ActiveModel::Type::Boolean.new.cast(v) } @@ -10,4 +10,8 @@ class REST::WebPushSubscriptionSerializer < ActiveModel::Serializer def server_key Rails.configuration.x.vapid_public_key end + + def policy + object.data&.dig('policy') || 'all' + end end diff --git a/spec/controllers/api/v1/push/subscriptions_controller_spec.rb b/spec/controllers/api/v1/push/subscriptions_controller_spec.rb index 534d028790..9487251e16 100644 --- a/spec/controllers/api/v1/push/subscriptions_controller_spec.rb +++ b/spec/controllers/api/v1/push/subscriptions_controller_spec.rb @@ -61,6 +61,10 @@ describe Api::V1::Push::SubscriptionsController do post :create, params: create_payload expect(Web::PushSubscription.where(endpoint: create_payload[:subscription][:endpoint]).count).to eq 1 end + + it 'returns the expected JSON' do + expect(body_as_json.with_indifferent_access).to include({ endpoint: create_payload[:subscription][:endpoint], alerts: {}, policy: 'all' }) + end end describe 'PUT #update' do @@ -78,6 +82,10 @@ describe Api::V1::Push::SubscriptionsController do expect(push_subscription.data['alerts'][type]).to eq(alerts_payload[:data][:alerts][type.to_sym].to_s) end end + + it 'returns the expected JSON' do + expect(body_as_json.with_indifferent_access).to include({ endpoint: create_payload[:subscription][:endpoint], alerts: alerts_payload[:data][:alerts], policy: alerts_payload[:data][:policy] }) + end end describe 'DELETE #destroy' do From f2a6e71bb65e79f7c310ea00238124aac3dcc1ed Mon Sep 17 00:00:00 2001 From: Markus Unterwaditzer Date: Mon, 23 Jan 2023 13:05:54 +0100 Subject: [PATCH 03/30] Suppress AddressFamilyError in link verification (#23204) * Suppress AddressFamilyError * clarify comment --- app/services/verify_link_service.rb | 2 +- spec/services/verify_link_service_spec.rb | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/app/services/verify_link_service.rb b/app/services/verify_link_service.rb index d049b52d16..9708cdd736 100644 --- a/app/services/verify_link_service.rb +++ b/app/services/verify_link_service.rb @@ -10,7 +10,7 @@ class VerifyLinkService < BaseService return unless link_back_present? field.mark_verified! - rescue OpenSSL::SSL::SSLError, HTTP::Error, Addressable::URI::InvalidURIError, Mastodon::HostValidationError, Mastodon::LengthValidationError => e + rescue OpenSSL::SSL::SSLError, HTTP::Error, Addressable::URI::InvalidURIError, Mastodon::HostValidationError, Mastodon::LengthValidationError, IPAddr::AddressFamilyError => e Rails.logger.debug "Error fetching link #{@url}: #{e}" nil end diff --git a/spec/services/verify_link_service_spec.rb b/spec/services/verify_link_service_spec.rb index 391560f1ce..8f65f3a846 100644 --- a/spec/services/verify_link_service_spec.rb +++ b/spec/services/verify_link_service_spec.rb @@ -150,5 +150,27 @@ RSpec.describe VerifyLinkService, type: :service do expect(field.verified?).to be true end end + + context 'when the link contains a link with a missing protocol slash' do + # This was seen in the wild where a user had three pages: + # 1. their mastodon profile, which linked to github and the personal website + # 2. their personal website correctly linking back to mastodon + # 3. a github profile that was linking to the personal website, but with + # a malformed protocol of http:/ + # + # This caused link verification between the mastodon profile and the + # website to fail. + # + # apparently github allows the user to enter website URLs with a single + # slash and makes no attempts to correct that. + let(:html) { 'Hello' } + + it 'does not crash' do + # We could probably put more effort into perhaps auto-correcting the + # link and following it anyway, but at the very least we shouldn't let + # exceptions bubble up + expect(field.verified?).to be false + end + end end end From 77c2ea1f0f77fee988a0b9c9fdf2b6de784d22f4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Jan 2023 13:14:11 +0100 Subject: [PATCH 04/30] Bump rubocop-rspec from 2.18.0 to 2.18.1 (#23203) Bumps [rubocop-rspec](https://github.com/rubocop/rubocop-rspec) from 2.18.0 to 2.18.1. - [Release notes](https://github.com/rubocop/rubocop-rspec/releases) - [Changelog](https://github.com/rubocop/rubocop-rspec/blob/master/CHANGELOG.md) - [Commits](https://github.com/rubocop/rubocop-rspec/compare/v2.18.0...v2.18.1) --- updated-dependencies: - dependency-name: rubocop-rspec dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e922ebf211..0c61daf571 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -558,7 +558,7 @@ GEM redis (>= 4) redlock (1.3.2) redis (>= 3.0.0, < 6.0) - regexp_parser (2.6.1) + regexp_parser (2.6.2) request_store (1.5.1) rack (>= 1.4) responders (3.0.1) @@ -614,9 +614,9 @@ GEM activesupport (>= 4.2.0) rack (>= 1.1) rubocop (>= 1.33.0, < 2.0) - rubocop-rspec (2.18.0) + rubocop-rspec (2.18.1) rubocop (~> 1.33) - rubocop-capybara + rubocop-capybara (~> 2.17) ruby-progressbar (1.11.0) ruby-saml (1.13.0) nokogiri (>= 1.10.5) From 98779535fe46b3100b46c37f5d423f672b57f756 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 23 Jan 2023 13:21:50 +0100 Subject: [PATCH 05/30] Fix missing filtering on some notification types (#23211) * Fix missing warning-type filtering on some notification types * Fix missing hide-type filtering on some notification types --- .../notifications/components/notification.js | 21 ++++++++++++++++--- .../containers/notification_container.js | 2 +- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/app/javascript/mastodon/features/notifications/components/notification.js b/app/javascript/mastodon/features/notifications/components/notification.js index ea2c9c0a42..746d085c6e 100644 --- a/app/javascript/mastodon/features/notifications/components/notification.js +++ b/app/javascript/mastodon/features/notifications/components/notification.js @@ -246,7 +246,11 @@ class Notification extends ImmutablePureComponent { } renderStatus (notification, link) { - const { intl, unread } = this.props; + const { intl, unread, status } = this.props; + + if (!status) { + return null; + } return ( @@ -264,6 +268,7 @@ class Notification extends ImmutablePureComponent {