Merge pull request #2753 from ClearlyClaire/glitch-soc/merge-upstream

Merge upstream changes up to 4743657ba2
main-rebase-security-fix
Claire 2024-06-23 12:33:13 +02:00 committed by GitHub
commit be3d60c36c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
23 changed files with 111 additions and 80 deletions

.nvmrc

@ -1 +1 @@
20.14
20.15


@ -5,10 +5,6 @@ Rails/FilePath:
Rails/HttpStatus:
EnforcedStyle: numeric
Rails/LexicallyScopedActionFilter:
Exclude:
- app/controllers/auth/* # Conflicts with `Lint/UselessMethodDefinition` for inherited controller actions
Rails/NegateInclude:
Enabled: false


@ -31,14 +31,6 @@ Rails/OutputSafety:
Exclude:
- 'config/initializers/simple_form.rb'
# This cop supports unsafe autocorrection (--autocorrect-all).
# Configuration parameters: AllowedMethods, AllowedPatterns.
# AllowedMethods: ==, equal?, eql?
Style/ClassEqualityComparison:
Exclude:
- 'app/helpers/jsonld_helper.rb'
- 'app/serializers/activitypub/outbox_serializer.rb'
# This cop supports safe autocorrection (--autocorrect).
# Configuration parameters: AllowedVars.
Style/FetchEnvVar:


@ -19,9 +19,9 @@ ARG NODE_MAJOR_VERSION="20"
# Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="bookworm"]
ARG DEBIAN_VERSION="bookworm"
# Node image to use for base image based on combined variables (ex: 20-bookworm-slim)
FROM docker.io/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim as node
FROM docker.io/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim AS node
# Ruby image to use for base image based on combined variables (ex: 3.3.x-slim-bookworm)
FROM docker.io/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} as ruby
FROM docker.io/ruby:${RUBY_VERSION}-slim-${DEBIAN_VERSION} AS ruby
# Resulting version string is vX.X.X-MASTODON_VERSION_PRERELEASE+MASTODON_VERSION_METADATA
# Example: v4.3.0-nightly.2023.11.09+pr-123456
@ -117,7 +117,7 @@ RUN \
;
# Create temporary build layer from base image
FROM ruby as build
FROM ruby AS build
# Copy Node package configuration files into working directory
COPY package.json yarn.lock .yarnrc.yml /opt/mastodon/
@ -185,7 +185,7 @@ RUN \
corepack prepare --activate;
# Create temporary libvips specific build layer from build layer
FROM build as libvips
FROM build AS libvips
# libvips version to compile, change with [--build-arg VIPS_VERSION="8.15.2"]
# renovate: datasource=github-releases depName=libvips packageName=libvips/libvips
@ -205,7 +205,7 @@ RUN \
ninja install;
# Create temporary ffmpeg specific build layer from build layer
FROM build as ffmpeg
FROM build AS ffmpeg
# ffmpeg version to compile, change with [--build-arg FFMPEG_VERSION="7.0.x"]
# renovate: datasource=repology depName=ffmpeg packageName=openpkg_current/ffmpeg
@ -247,7 +247,7 @@ RUN \
make install;
# Create temporary bundler specific build layer from build layer
FROM build as bundler
FROM build AS bundler
ARG TARGETPLATFORM
@ -269,7 +269,7 @@ RUN \
bundle install -j"$(nproc)";
# Create temporary node specific build layer from build layer
FROM build as yarn
FROM build AS yarn
ARG TARGETPLATFORM
@ -286,7 +286,7 @@ RUN \
yarn workspaces focus --production @mastodon/mastodon;
# Create temporary assets build layer from build layer
FROM build as precompiler
FROM build AS precompiler
# Copy Mastodon sources into precompiler layer
COPY . /opt/mastodon/
@ -310,7 +310,7 @@ RUN \
rm -fr /opt/mastodon/tmp;
# Prep final Mastodon Ruby layer
FROM ruby as mastodon
FROM ruby AS mastodon
ARG TARGETPLATFORM


@ -69,7 +69,7 @@ gem 'oj', '~> 3.14'
gem 'ox', '~> 2.14'
gem 'parslet'
gem 'premailer-rails'
gem 'public_suffix', '~> 5.0'
gem 'public_suffix', '~> 6.0'
gem 'pundit', '~> 2.3'
gem 'rack-attack', '~> 6.6'
gem 'rack-cors', '~> 2.0', require: 'rack/cors'
@ -105,7 +105,7 @@ gem 'private_address_check', '~> 0.5'
gem 'opentelemetry-api', '~> 1.2.5'
group :opentelemetry do
gem 'opentelemetry-exporter-otlp', '~> 0.27.0', require: false
gem 'opentelemetry-exporter-otlp', '~> 0.28.0', require: false
gem 'opentelemetry-instrumentation-active_job', '~> 0.7.1', require: false
gem 'opentelemetry-instrumentation-active_model_serializers', '~> 0.20.1', require: false
gem 'opentelemetry-instrumentation-concurrent_ruby', '~> 0.21.2', require: false


@ -89,8 +89,8 @@ GEM
minitest (>= 5.1)
mutex_m
tzinfo (~> 2.0)
addressable (2.8.6)
public_suffix (>= 2.0.2, < 6.0)
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
aes_key_wrap (1.1.0)
android_key_attestation (0.3.0)
annotate (3.2.0)
@ -143,7 +143,7 @@ GEM
brpoplpush-redis_script (0.1.3)
concurrent-ruby (~> 1.0, >= 1.0.5)
redis (>= 1.0, < 6)
builder (3.2.4)
builder (3.3.0)
bundler-audit (0.9.1)
bundler (>= 1.2.0, < 3)
thor (~> 1.0)
@ -195,7 +195,7 @@ GEM
railties (>= 4.1.0)
responders
warden (~> 1.2.3)
devise-two-factor (5.0.0)
devise-two-factor (5.1.0)
activesupport (~> 7.0)
devise (~> 4.0)
railties (~> 7.0)
@ -226,7 +226,7 @@ GEM
htmlentities (~> 4.3.3)
launchy (~> 2.1)
mail (~> 2.7)
erubi (1.12.0)
erubi (1.13.0)
et-orbi (1.2.11)
tzinfo
excon (0.110.0)
@ -398,6 +398,7 @@ GEM
llhttp-ffi (0.5.0)
ffi-compiler (~> 1.0)
rake (~> 13.0)
logger (1.6.0)
lograge (0.14.0)
actionpack (>= 4)
activesupport (>= 4)
@ -489,8 +490,8 @@ GEM
opentelemetry-api (1.2.5)
opentelemetry-common (0.20.1)
opentelemetry-api (~> 1.0)
opentelemetry-exporter-otlp (0.27.0)
google-protobuf (~> 3.14)
opentelemetry-exporter-otlp (0.28.0)
google-protobuf (>= 3.18)
googleapis-common-protos-types (~> 1.3)
opentelemetry-api (~> 1.1)
opentelemetry-common (~> 0.20)
@ -602,7 +603,7 @@ GEM
railties (>= 7.0.0)
psych (5.1.2)
stringio
public_suffix (5.1.1)
public_suffix (6.0.0)
puma (6.4.2)
nio4r (~> 2.0)
pundit (2.3.2)
@ -675,7 +676,7 @@ GEM
link_header (~> 0.0, >= 0.0.8)
rdf-normalize (0.7.0)
rdf (~> 3.3)
rdoc (6.6.3.1)
rdoc (6.7.0)
psych (>= 4.0.0)
redcarpet (3.6.0)
redis (4.8.1)
@ -771,8 +772,9 @@ GEM
scenic (1.8.0)
activerecord (>= 4.0.0)
railties (>= 4.0.0)
selenium-webdriver (4.21.1)
selenium-webdriver (4.22.0)
base64 (~> 0.2)
logger (~> 1.4)
rexml (~> 3.2, >= 3.2.5)
rubyzip (>= 1.2.2, < 3.0)
websocket (~> 1.0)
@ -972,7 +974,7 @@ DEPENDENCIES
omniauth-saml (~> 2.0)
omniauth_openid_connect (~> 0.6.1)
opentelemetry-api (~> 1.2.5)
opentelemetry-exporter-otlp (~> 0.27.0)
opentelemetry-exporter-otlp (~> 0.28.0)
opentelemetry-instrumentation-active_job (~> 0.7.1)
opentelemetry-instrumentation-active_model_serializers (~> 0.20.1)
opentelemetry-instrumentation-concurrent_ruby (~> 0.21.2)
@ -994,7 +996,7 @@ DEPENDENCIES
premailer-rails
private_address_check (~> 0.5)
propshaft
public_suffix (~> 5.0)
public_suffix (~> 6.0)
puma (~> 6.3)
pundit (~> 2.3)
rack (~> 2.2.7)


@ -25,6 +25,14 @@ class Auth::RegistrationsController < Devise::RegistrationsController
super(&:build_invite_request)
end
def edit # rubocop:disable Lint/UselessMethodDefinition
super
end
def create # rubocop:disable Lint/UselessMethodDefinition
super
end
def update
super do |resource|
resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
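Review bot: The new `edit` and `create` overrides on the lines `def edit # rubocop:disable Lint/UselessMethodDefinition` and `def create # rubocop:disable Lint/UselessMethodDefinition` only call `super`, and nothing says why they exist, so a later cleanup is likely to delete them as dead code. Presumably they are there so that `before_action` filters declared in this class refer to actions that are lexically defined here, which is what the Rails/LexicallyScopedActionFilter exclusion for `app/controllers/auth/*` (dropped from .rubocop.yml in this same commit) used to paper over. A one-line comment above each would make that intent durable, e.g. `# Redefined so that filters scoped to this action are lexically visible (Rails/LexicallyScopedActionFilter).` The enclosing class and its filter declarations start outside the hunk, so the exact filters involved should be confirmed there.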


@ -141,7 +141,7 @@ module JsonLdHelper
def safe_for_forwarding?(original, compacted)
original.without('@context', 'signature').all? do |key, value|
compacted_value = compacted[key]
return false unless value.class == compacted_value.class
return false unless value.instance_of?(compacted_value.class)
if value.is_a?(Hash)
safe_for_forwarding?(value, compacted_value)
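Review bot: `safe_for_forwarding?` still has no comment describing the invariant it enforces, and since the comparison on the line `return false unless value.instance_of?(compacted_value.class)` gates whether a document is relayed, the reason for the strict type match (no subclass tolerance, no Integer/Float coercion) deserves stating so nobody later relaxes it to `is_a?`. A short header comment such as `# True only if every key of the original other than @context/signature is present in the compacted form with a value of exactly the same class, recursing into hashes; any mismatch is treated as unsafe.` would capture the visible contract without changing behaviour. That callers use this to decide whether a signed payload may be forwarded verbatim is inferred from the name and worth confirming. The method body continues past the end of the hunk.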


@ -2,13 +2,8 @@
class CacheBuster
def initialize(options = {})
Rails.application.deprecators[:mastodon].warn('Default values for the cache buster secret header name and values will be removed in Mastodon 4.3. Please set them explicitely if you rely on those.') unless options[:http_method] || (options[:secret] && options[:secret_header])
@secret_header = options[:secret_header] ||
(options[:http_method] ? nil : 'Secret-Header')
@secret = options[:secret] ||
(options[:http_method] ? nil : 'True')
@secret_header = options[:secret_header]
@secret = options[:secret]
@http_method = options[:http_method] || 'GET'
end
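Review bot: With the defaults gone, `@secret_header = options[:secret_header]` and `@secret = options[:secret]` can now both be nil when a caller passes nothing, and the request-building code that consumes them lies outside this hunk, so it is worth confirming it skips the header entirely rather than emitting one with a nil name or value, or raising. Dropping the hard-coded `Secret-Header: True` pair is the right call, since a fixed default shared secret gives the receiving cache nothing to authenticate against, but the initializer should say that the header is now optional. Suggested comment above the two assignments: `# secret_header/secret are optional; presumably no authentication header is sent when either is unset (confirm against the request code).` The deprecation warning removed on the previous line named Mastodon 4.3 as the removal point, so a changelog entry for operators relying on the old defaults is also warranted.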


@ -269,16 +269,21 @@ class LinkDetailsExtractor
end
def document
@document ||= Nokogiri::HTML(@html, nil, encoding)
@document ||= detect_encoding_and_parse_document
end
def encoding
@encoding ||= begin
guess = detector.detect(@html, @html_charset)
guess&.fetch(:confidence, 0).to_i > 60 ? guess&.fetch(:encoding, nil) : nil
def detect_encoding_and_parse_document
[detect_encoding, nil, @html_charset, 'UTF-8'].uniq.each do |encoding|
document = Nokogiri::HTML(@html, nil, encoding)
return document if document.to_s.valid_encoding?
end
end
def detect_encoding
guess = detector.detect(@html, @html_charset)
guess&.fetch(:confidence, 0).to_i > 60 ? guess&.fetch(:encoding, nil) : nil
end
def detector
@detector ||= CharlockHolmes::EncodingDetector.new.tap do |detector|
detector.strip_tags = true
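Review bot: `detect_encoding_and_parse_document` has no result when none of the candidate encodings yields a document whose `to_s` passes `valid_encoding?`: `Array#each` returns its receiver, so the method returns the candidate array itself and `document` is memoised as an Array, which fails on the first Nokogiri call made on it. A safer shape tracks the last parsed document and returns it when no candidate validates, so callers always receive a document rather than an Array. Note also that `document.to_s` re-serialises the whole page once per candidate, up to four times for a large remote page; that is a cost, not a bug. The former `encoding` method is removed here, so any other caller of it outside the hunk would now raise NoMethodError and is worth a grep.
```ruby
def detect_encoding_and_parse_document
  document = nil
  [detect_encoding, nil, @html_charset, 'UTF-8'].uniq.each do |encoding|
    document = Nokogiri::HTML(@html, nil, encoding)
    break if document.to_s.valid_encoding?
  end
  # Return the last attempt rather than the candidate array when none validates
  document
end
```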


@ -2,7 +2,7 @@
class ActivityPub::OutboxSerializer < ActivityPub::CollectionSerializer
def self.serializer_for(model, options)
if model.class.name == 'ActivityPub::ActivityPresenter'
if model.instance_of?(::ActivityPub::ActivityPresenter)
ActivityPub::ActivitySerializer
else
super


@ -1,7 +1,7 @@
# frozen_string_literal: true
class AddAttachmentAvatarToAccounts < ActiveRecord::Migration[4.2]
def self.up
def up
change_table :accounts do |t|
# The following corresponds to `t.attachment :avatar` in an older version of Paperclip
t.string :avatar_file_name
@ -11,7 +11,7 @@ class AddAttachmentAvatarToAccounts < ActiveRecord::Migration[4.2]
end
end
def self.down
def down
remove_attachment :accounts, :avatar
end
end


@ -1,7 +1,7 @@
# frozen_string_literal: true
class AddDeviseToUsers < ActiveRecord::Migration[4.2]
def self.up
def up
change_table(:users, bulk: true) do |t|
## Database authenticatable
t.string :encrypted_password, null: false, default: ''
@ -24,7 +24,7 @@ class AddDeviseToUsers < ActiveRecord::Migration[4.2]
add_index :users, :reset_password_token, unique: true
end
def self.down
def down
remove_index :users, :reset_password_token
remove_column :users, :encrypted_password


@ -1,7 +1,7 @@
# frozen_string_literal: true
class AddAttachmentHeaderToAccounts < ActiveRecord::Migration[4.2]
def self.up
def up
change_table :accounts do |t|
# The following corresponds to `t.attachment :header` in an older version of Paperclip
t.string :header_file_name
@ -11,7 +11,7 @@ class AddAttachmentHeaderToAccounts < ActiveRecord::Migration[4.2]
end
end
def self.down
def down
remove_attachment :accounts, :header
end
end


@ -1,7 +1,7 @@
# frozen_string_literal: true
class RailsSettingsMigration < ActiveRecord::Migration[5.0]
def self.up
def up
create_table :settings do |t|
t.string :var, null: false
t.text :value
@ -11,7 +11,7 @@ class RailsSettingsMigration < ActiveRecord::Migration[5.0]
add_index :settings, [:target_type, :target_id, :var], unique: true
end
def self.down
def down
drop_table :settings
end
end


@ -1,7 +1,7 @@
# frozen_string_literal: true
class AddAttachmentDataToImports < ActiveRecord::Migration[4.2]
def self.up
def up
change_table :imports do |t|
# The following corresponds to `t.attachment :data` in an older version of Paperclip
t.string :data_file_name
@ -11,7 +11,7 @@ class AddAttachmentDataToImports < ActiveRecord::Migration[4.2]
end
end
def self.down
def down
remove_attachment :imports, :data
end
end


@ -1,7 +1,7 @@
{
"name": "@mastodon/mastodon",
"license": "AGPL-3.0-or-later",
"packageManager": "yarn@4.3.0",
"packageManager": "yarn@4.3.1",
"engines": {
"node": ">=18"
},


@ -0,0 +1,17 @@
HTTP/1.1 200 OK
server: nginx
date: Thu, 13 Jun 2024 14:33:13 GMT
content-type: text/html; charset=ISO-8859-1
content-length: 158
accept-ranges: bytes
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Tofu á l'orange</title>
</head>
<body>
<h2>Tofu á l'orange</h2>
</body>
</html>


@ -28,14 +28,6 @@ describe CacheBuster do
end
context 'when using default options' do
around do |example|
# Disables the CacheBuster.new deprecation warning about default arguments.
# Remove this `silence` block when default arg support is removed from CacheBuster
Rails.application.deprecators[:mastodon].silence do
example.run
end
end
include_examples 'makes_request'
end


@ -26,6 +26,7 @@ RSpec.describe FetchLinkCardService do
stub_request(:get, 'http://example.com/sjis_with_wrong_charset').to_return(request_fixture('sjis_with_wrong_charset.txt'))
stub_request(:get, 'http://example.com/koi8-r').to_return(request_fixture('koi8-r.txt'))
stub_request(:get, 'http://example.com/windows-1251').to_return(request_fixture('windows-1251.txt'))
stub_request(:get, 'http://example.com/low_confidence_latin1').to_return(request_fixture('low_confidence_latin1.txt'))
Rails.cache.write('oembed_endpoint:example.com', oembed_cache) if oembed_cache
@ -148,6 +149,14 @@ RSpec.describe FetchLinkCardService do
end
end
context 'with a URL of a page in ISO-8859-1 encoding, that charlock_holmes cannot detect' do
let(:status) { Fabricate(:status, text: 'Check out http://example.com/low_confidence_latin1') }
it 'decodes the HTML' do
expect(status.preview_card.title).to eq("Tofu á l'orange")
end
end
context 'with a Japanese path URL' do
let(:status) { Fabricate(:status, text: 'テストhttp://example.com/日本語') }


@ -13,7 +13,14 @@ ARG NODE_MAJOR_VERSION="20"
# Debian image to use for base image, change with [--build-arg DEBIAN_VERSION="bookworm"]
ARG DEBIAN_VERSION="bookworm"
# Node image to use for base image based on combined variables (ex: 20-bookworm-slim)
FROM docker.io/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim as streaming
FROM docker.io/node:${NODE_MAJOR_VERSION}-${DEBIAN_VERSION}-slim AS streaming
# Resulting version string is vX.X.X-MASTODON_VERSION_PRERELEASE+MASTODON_VERSION_METADATA
# Example: v4.3.0-nightly.2023.11.09+pr-123456
# Overwrite existence of 'alpha.X' in version.rb [--build-arg MASTODON_VERSION_PRERELEASE="nightly.2023.11.09"]
ARG MASTODON_VERSION_PRERELEASE=""
# Append build metadata or fork information to version.rb [--build-arg MASTODON_VERSION_METADATA="pr-123456"]
ARG MASTODON_VERSION_METADATA=""
# Timezone used by the Docker container and runtime, change with [--build-arg TZ=Europe/Berlin]
ARG TZ="Etc/UTC"


@ -1,7 +1,7 @@
{
"name": "@mastodon/streaming",
"license": "AGPL-3.0-or-later",
"packageManager": "yarn@4.3.0",
"packageManager": "yarn@4.3.1",
"engines": {
"node": ">=18"
},
@ -34,7 +34,7 @@
"@types/cors": "^2.8.16",
"@types/express": "^4.17.17",
"@types/pg": "^8.6.6",
"@types/uuid": "^9.0.0",
"@types/uuid": "^10.0.0",
"@types/ws": "^8.5.9",
"eslint-define-config": "^2.0.0",
"pino-pretty": "^11.0.0",


@ -2928,7 +2928,7 @@ __metadata:
"@types/cors": "npm:^2.8.16"
"@types/express": "npm:^4.17.17"
"@types/pg": "npm:^8.6.6"
"@types/uuid": "npm:^9.0.0"
"@types/uuid": "npm:^10.0.0"
"@types/ws": "npm:^8.5.9"
bufferutil: "npm:^4.0.7"
cors: "npm:^2.8.5"
@ -4048,10 +4048,10 @@ __metadata:
languageName: node
linkType: hard
"@types/uuid@npm:^9.0.0":
version: 9.0.8
resolution: "@types/uuid@npm:9.0.8"
checksum: 10c0/b411b93054cb1d4361919579ef3508a1f12bf15b5fdd97337d3d351bece6c921b52b6daeef89b62340fd73fd60da407878432a1af777f40648cbe53a01723489
"@types/uuid@npm:^10.0.0":
version: 10.0.0
resolution: "@types/uuid@npm:10.0.0"
checksum: 10c0/9a1404bf287164481cb9b97f6bb638f78f955be57c40c6513b7655160beb29df6f84c915aaf4089a1559c216557dc4d2f79b48d978742d3ae10b937420ddac60
languageName: node
linkType: hard
@ -8948,17 +8948,18 @@ __metadata:
linkType: hard
"glob@npm:^10.2.2, glob@npm:^10.2.6, glob@npm:^10.3.10":
version: 10.4.1
resolution: "glob@npm:10.4.1"
version: 10.4.2
resolution: "glob@npm:10.4.2"
dependencies:
foreground-child: "npm:^3.1.0"
jackspeak: "npm:^3.1.2"
minimatch: "npm:^9.0.4"
minipass: "npm:^7.1.2"
package-json-from-dist: "npm:^1.0.0"
path-scurry: "npm:^1.11.1"
bin:
glob: dist/esm/bin.mjs
checksum: 10c0/77f2900ed98b9cc2a0e1901ee5e476d664dae3cd0f1b662b8bfd4ccf00d0edc31a11595807706a274ca10e1e251411bbf2e8e976c82bed0d879a9b89343ed379
checksum: 10c0/2c7296695fa75a935f3ad17dc62e4e170a8bb8752cf64d328be8992dd6ad40777939003754e10e9741ff8fbe43aa52fba32d6930d0ffa0e3b74bc3fb5eebaa2f
languageName: node
linkType: hard
@ -12692,6 +12693,13 @@ __metadata:
languageName: node
linkType: hard
"package-json-from-dist@npm:^1.0.0":
version: 1.0.0
resolution: "package-json-from-dist@npm:1.0.0"
checksum: 10c0/e3ffaf6ac1040ab6082a658230c041ad14e72fabe99076a2081bb1d5d41210f11872403fc09082daf4387fc0baa6577f96c9c0e94c90c394fd57794b66aa4033
languageName: node
linkType: hard
"pako@npm:~1.0.5":
version: 1.0.11
resolution: "pako@npm:1.0.11"