Alexandra Catalina
a8aba8a526
Update tootsuite/mastodon Docker tag to v3.4.5 ( #17417 )
...
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-02-01 20:57:50 +01:00
Claire
2657ca3b5e
Fix requiring an extra restart after recent post-deployment migrations ( #17422 )
...
Follow-up to #16409
2022-02-01 20:57:39 +01:00
Rohan Sharma
e96b704def
Fixed prototype pollution bug and only allow trusted origin ( #17420 )
2022-02-01 17:34:48 +01:00
Claire
c7083702fa
Bump version to 3.4.5 ( #17402 )
2022-01-31 21:27:40 +01:00
Daniel Jakots
646789f51e
Bump NODE_VER to 16.13.2, to solve security issues ( #17399 )
...
Fixes CVE-2021-44532, CVE-2021-44533, and CVE-2022-21824.
See: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
2022-01-31 00:32:03 +01:00
Claire
7389378eed
Add more advanced migration tests ( #17393 )
...
- populate the database with some data when testing migrations
- try both one-step and two-step migrations (`SKIP_POST_DEPLOYMENT_MIGRATIONS`)
2022-01-30 23:50:08 +01:00
Claire
507cb23dc3
Change index corruption warning to be a little less scary ( #17395 )
2022-01-30 23:49:52 +01:00
Claire
71862291aa
Fix edge case in migration helpers that caused crash because of PostgreSQL quirks ( #17398 )
2022-01-30 22:34:54 +01:00
Claire
c3e77d07d2
Fix some old migration scripts ( #17394 )
...
* Fix some old migration scripts
* Fix edge case in two-step migration from older releases
2022-01-30 21:38:54 +01:00
Claire
8919f6cf63
Change public profile pages to be disabled for unconfirmed users ( #17385 )
...
Fixes #17382
Note that unconfirmed and unapproved accounts can still be searched for
and their (empty) account retrieved using the REST API.
2022-01-28 14:24:37 +01:00
Claire
1f07ab014d
Refactor and improve tests ( #17386 )
...
* Change account and user fabricators to simplify and improve tests
- `Fabricate(:account)` implicitly fabricates an associated `user` if
no `domain` attribute is given (an account with `domain: nil` is
considered a local account, but no user record was created), unless
`user: nil` is passed
- `Fabricate(:account, user: Fabricate(:user))` should still be possible
but is discouraged.
* Fix and refactor tests
- avoid passing unneeded attributes to `Fabricate(:user)` or
`Fabricate(:account)`
- avoid embedding `Fabricate(:user)` into a `Fabricate(:account)` or the other
way around
- prefer `Fabricate(:user, account_attributes: …)` to
`Fabricate(:user, account: Fabricate(:account, …)`
- also, some tests were using remote accounts with local user records, which is
not representative of production code.
2022-01-28 00:46:42 +01:00
Claire
33ea1c9008
Fix Sidekiq warnings about JSON serialization ( #17381 )
...
* Fix Sidekiq warnings about JSON serialization
This occurs on every symbol argument we pass, and every symbol key in hashes,
because Sidekiq expects strings instead.
See https://github.com/mperham/sidekiq/pull/5071
We do not need to change how workers parse their arguments because this has
not changed and we were already converting to symbols adequately or using
`with_indifferent_access`.
* Set Sidekiq to raise on unsafe arguments in test mode
In order to more easily catch issues that would produce warnings in production
code.
2022-01-28 00:43:56 +01:00
Claire
1d846bd6fb
Fix some old database migrations ( #17379 )
2022-01-27 18:13:41 +01:00
dependabot[bot]
5801e6d7ef
Bump pg from 1.2.3 to 1.3.0 ( #17349 )
...
Bumps [pg](https://github.com/ged/ruby-pg ) from 1.2.3 to 1.3.0.
- [Release notes](https://github.com/ged/ruby-pg/releases )
- [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc )
- [Commits](https://github.com/ged/ruby-pg/compare/v1.2.3...v1.3.0 )
---
updated-dependencies:
- dependency-name: pg
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-27 20:26:40 +09:00
dependabot[bot]
f5401e89f3
Bump axios from 0.24.0 to 0.25.0 ( #17354 )
...
Bumps [axios](https://github.com/axios/axios ) from 0.24.0 to 0.25.0.
- [Release notes](https://github.com/axios/axios/releases )
- [Changelog](https://github.com/axios/axios/blob/master/CHANGELOG.md )
- [Commits](https://github.com/axios/axios/compare/v0.24.0...v0.25.0 )
---
updated-dependencies:
- dependency-name: axios
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-27 20:26:18 +09:00
dependabot[bot]
b7de46786d
Bump rdf-normalize from 0.4.0 to 0.5.0 ( #17226 )
...
Bumps [rdf-normalize](https://github.com/ruby-rdf/rdf-normalize ) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/ruby-rdf/rdf-normalize/releases )
- [Commits](https://github.com/ruby-rdf/rdf-normalize/compare/0.4.0...0.5.0 )
---
updated-dependencies:
- dependency-name: rdf-normalize
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-27 20:25:18 +09:00
Claire
6e8d231e27
Fix local distribution of edited statuses ( #17380 )
...
Because `FanOutOnWriteService#update?` was broken, edits were considered as new
toots and a regular `update` payload was sent.
2022-01-26 20:53:50 +01:00
Su Yang
43b5489c0f
Add healthcheck for sidekiq ( #17365 )
2022-01-26 18:08:49 +01:00
Eugen Rochko
b6364cf1ad
Fix poll updates being saved as status edits ( #17373 )
...
Fix #17344
2022-01-26 18:05:39 +01:00
dependabot[bot]
73e36415e8
Bump sass from 1.48.0 to 1.49.0 ( #17352 )
...
Bumps [sass](https://github.com/sass/dart-sass ) from 1.48.0 to 1.49.0.
- [Release notes](https://github.com/sass/dart-sass/releases )
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md )
- [Commits](https://github.com/sass/dart-sass/compare/1.48.0...1.49.0 )
---
updated-dependencies:
- dependency-name: sass
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 21:25:26 +09:00
dependabot[bot]
cb80dc6c35
Bump json-ld-preloaded from 3.1.6 to 3.2.0 ( #17353 )
...
Bumps [json-ld-preloaded](https://github.com/ruby-rdf/json-ld-preloaded ) from 3.1.6 to 3.2.0.
- [Release notes](https://github.com/ruby-rdf/json-ld-preloaded/releases )
- [Commits](https://github.com/ruby-rdf/json-ld-preloaded/compare/3.1.6...3.2.0 )
---
updated-dependencies:
- dependency-name: json-ld-preloaded
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 21:23:42 +09:00
dependabot[bot]
e2e7aad5e8
Bump fabrication from 2.23.1 to 2.24.0 ( #17356 )
...
Bumps [fabrication](https://github.com/paulelliott/fabrication ) from 2.23.1 to 2.24.0.
- [Release notes](https://github.com/paulelliott/fabrication/releases )
- [Changelog](https://github.com/paulelliott/fabrication/blob/master/Changelog.markdown )
- [Commits](https://github.com/paulelliott/fabrication/commits )
---
updated-dependencies:
- dependency-name: fabrication
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 21:22:51 +09:00
dependabot[bot]
5a3db0d7b9
Bump sidekiq from 6.3.1 to 6.4.0 ( #17350 )
...
Bumps [sidekiq](https://github.com/mperham/sidekiq ) from 6.3.1 to 6.4.0.
- [Release notes](https://github.com/mperham/sidekiq/releases )
- [Changelog](https://github.com/mperham/sidekiq/blob/main/Changes.md )
- [Commits](https://github.com/mperham/sidekiq/compare/v6.3.1...v6.4.0 )
---
updated-dependencies:
- dependency-name: sidekiq
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 21:22:10 +09:00
dependabot[bot]
7b20b2a4e8
Bump @babel/plugin-transform-runtime from 7.16.8 to 7.16.10 ( #17361 )
...
Bumps [@babel/plugin-transform-runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-runtime ) from 7.16.8 to 7.16.10.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.16.10/packages/babel-plugin-transform-runtime )
---
updated-dependencies:
- dependency-name: "@babel/plugin-transform-runtime"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:52:40 +09:00
dependabot[bot]
67ce5d774c
Bump cld3 from 3.4.3 to 3.4.4 ( #17357 )
...
Bumps [cld3](https://github.com/akihikodaki/cld3-ruby ) from 3.4.3 to 3.4.4.
- [Release notes](https://github.com/akihikodaki/cld3-ruby/releases )
- [Commits](https://github.com/akihikodaki/cld3-ruby/compare/v3.4.3...v3.4.4 )
---
updated-dependencies:
- dependency-name: cld3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:48:05 +09:00
dependabot[bot]
a6360a47d5
Bump aws-sdk-s3 from 1.111.1 to 1.111.3 ( #17368 )
...
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby ) from 1.111.1 to 1.111.3.
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases )
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md )
- [Commits](https://github.com/aws/aws-sdk-ruby/commits )
---
updated-dependencies:
- dependency-name: aws-sdk-s3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:46:52 +09:00
dependabot[bot]
e23ac7533c
Bump bootsnap from 1.10.1 to 1.10.2 ( #17367 )
...
Bumps [bootsnap](https://github.com/Shopify/bootsnap ) from 1.10.1 to 1.10.2.
- [Release notes](https://github.com/Shopify/bootsnap/releases )
- [Changelog](https://github.com/Shopify/bootsnap/blob/main/CHANGELOG.md )
- [Commits](https://github.com/Shopify/bootsnap/compare/v1.10.1...v1.10.2 )
---
updated-dependencies:
- dependency-name: bootsnap
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:45:45 +09:00
dependabot[bot]
7a153d7e73
Bump node-fetch from 2.6.1 to 2.6.7 ( #17366 )
...
Bumps [node-fetch](https://github.com/node-fetch/node-fetch ) from 2.6.1 to 2.6.7.
- [Release notes](https://github.com/node-fetch/node-fetch/releases )
- [Commits](https://github.com/node-fetch/node-fetch/compare/v2.6.1...v2.6.7 )
---
updated-dependencies:
- dependency-name: node-fetch
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:44:01 +09:00
dependabot[bot]
babd992684
Bump nanoid from 3.1.23 to 3.2.0 ( #17342 )
...
Bumps [nanoid](https://github.com/ai/nanoid ) from 3.1.23 to 3.2.0.
- [Release notes](https://github.com/ai/nanoid/releases )
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md )
- [Commits](https://github.com/ai/nanoid/compare/3.1.23...3.2.0 )
---
updated-dependencies:
- dependency-name: nanoid
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:41:22 +09:00
dependabot[bot]
cdbb032e21
Bump @babel/preset-env from 7.16.8 to 7.16.11 ( #17358 )
...
Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env ) from 7.16.8 to 7.16.11.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.16.11/packages/babel-preset-env )
---
updated-dependencies:
- dependency-name: "@babel/preset-env"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:39:43 +09:00
dependabot[bot]
2a3e637e56
Bump rubocop from 1.24.1 to 1.25.0 ( #17322 )
...
Bumps [rubocop](https://github.com/rubocop/rubocop ) from 1.24.1 to 1.25.0.
- [Release notes](https://github.com/rubocop/rubocop/releases )
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md )
- [Commits](https://github.com/rubocop/rubocop/compare/v1.24.1...v1.25.0 )
---
updated-dependencies:
- dependency-name: rubocop
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:39:08 +09:00
dependabot[bot]
e3d7ed2139
Bump @babel/core from 7.16.7 to 7.16.12 ( #17360 )
...
Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core ) from 7.16.7 to 7.16.12.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.16.12/packages/babel-core )
---
updated-dependencies:
- dependency-name: "@babel/core"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:34:55 +09:00
dependabot[bot]
c4647b48d2
Bump rails from 6.1.4.1 to 6.1.4.4 ( #17159 )
...
* Bump rails from 6.1.4.1 to 6.1.4.4
Bumps [rails](https://github.com/rails/rails ) from 6.1.4.1 to 6.1.4.4.
- [Release notes](https://github.com/rails/rails/releases )
- [Commits](https://github.com/rails/rails/compare/v6.1.4.1...v6.1.4.4 )
---
updated-dependencies:
- dependency-name: rails
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* Revert marcel to 1.0.1
Avoid some regression that need to be investigated
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2022-01-25 20:34:37 +09:00
Wonderfall
85389ddd45
disable legacy XSS filtering ( #17289 )
...
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
2022-01-24 13:14:26 +01:00
Claire
d045ba2add
Fix link_to_login argument handling when a block is passed ( #17345 )
2022-01-24 03:29:03 +01:00
Claire
e92ac5b769
Fix error-prone SQL queries ( #15828 )
...
* Fix error-prone SQL queries in Account search
While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.
This PR parameterises the `to_tsquery` input to make the query more robust.
* Harden code for Status#tagged_with_all and Status#tagged_with_none
Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.
* Remove unneeded spaces surrounding tsquery term
* Please CodeClimate
* Move advanced_search_for SQL template to its own function
This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.
* Add tests covering tagged_with, tagged_with_all and tagged_with_none
* Rewrite tagged_with_none to avoid multiple joins and make it more robust
* Remove obsolete brakeman warnings
* Revert "Remove unneeded spaces surrounding tsquery term"
The two queries are not strictly equivalent.
This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-01-23 18:10:10 +01:00
Claire
41d64ee271
Change `percent` to `rate` in retention metrics API ( #16910 )
2022-01-23 16:01:25 +01:00
Claire
06f653972a
Add OMNIAUTH_ONLY environment variable to enforce externa log-in ( #17288 )
...
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN
Fixes #15959
Introduced in #6540 , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.
However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228 .
As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
* Add OMNIAUTH_ONLY environment variable to enforce external log-in only
* Disable user registration when OMNIAUTH_ONLY is set to true
* Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2022-01-23 15:52:58 +01:00
Claire
12bb24ea35
Remove support for OAUTH_REDIRECT_AT_SIGN_IN ( #17287 )
...
Fixes #15959
Introduced in #6540 , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.
However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228 .
As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
2022-01-23 15:50:41 +01:00
Claire
8114f4208f
Remove leftover database columns from Devise::Models::Rememberable ( #17191 )
...
* Remove leftover database columns from Devise::Models::Rememberable
* Update fix-duplication maintenance script
* Improve errors/warnings in the fix-duplicates maintenance script
2022-01-23 15:46:30 +01:00
Claire
12e087568d
Remove old duplicate index ( #17245 )
...
Some Mastodon versions (v1.1 and v1.2) had a duplicate index in `db/schema.rb`
without any migration script creating it. #2224 (included in v1.3) removed the
duplicate index from the file but did not provide a migration script to remove
it.
This means that any instance that was installed from v1.1 or v1.2's source code
has a duplicate index and a corresponding warning in PgHero. Instances set up
using an earlier or later Mastodon version do not have this issue.
This PR removes the duplicate index if it is present.
2022-01-23 13:53:58 +01:00
Claire
335049cc33
Fix text being incorrectly pre-selected in composer textarea on /share ( #17339 )
...
Fixes #17295
2022-01-20 20:56:21 +01:00
Claire
efd2f303fe
Change mastodon:webpush:generate_vapid_key task to not require functional env ( #17338 )
...
Fixes #17297
2022-01-20 14:51:23 +01:00
Claire
68a9057420
Add post edited notice in admin and public UIs ( #17335 )
...
* Add edited toot flag on public pages
* Add toot edit flag to admin pages
2022-01-20 13:37:31 +01:00
Eugen Rochko
a427958026
Fix error when using raw distribution worker ( #17334 )
...
Regression from #16697
2022-01-19 23:05:59 +01:00
Eugen Rochko
bfbfbf5032
Fix error when processing poll updates ( #17333 )
...
Regression from #16697
2022-01-19 22:50:01 +01:00
Eugen Rochko
06b698a723
Add support for editing for published statuses ( #16697 )
...
* Add support for editing for published statuses
* Fix references to stripped-out code
* Various fixes and improvements
* Further fixes and improvements
* Fix updates being potentially sent to unauthorized recipients
* Various fixes and improvements
* Fix wrong words in test
* Fix notifying accounts that were tagged but were not in the audience
* Fix mistake
2022-01-19 22:37:27 +01:00
Jeong Arm
be15674215
Fix NameError on ActivityPub::FetchFeaturedCollectionService ( #17326 )
...
Related: #16954
2022-01-19 04:08:46 +01:00
dependabot[bot]
1eeed9357a
Bump json-ld from 3.1.10 to 3.2.0 ( #17224 )
...
Bumps [json-ld](https://github.com/ruby-rdf/json-ld ) from 3.1.10 to 3.2.0.
- [Release notes](https://github.com/ruby-rdf/json-ld/releases )
- [Commits](https://github.com/ruby-rdf/json-ld/compare/3.1.10...3.2.0 )
---
updated-dependencies:
- dependency-name: json-ld
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19 11:12:01 +09:00
dependabot[bot]
14a82cadc5
Bump thor from 1.1.0 to 1.2.1 ( #17250 )
...
Bumps [thor](https://github.com/rails/thor ) from 1.1.0 to 1.2.1.
- [Release notes](https://github.com/rails/thor/releases )
- [Commits](https://github.com/rails/thor/compare/v1.1.0...v1.2.1 )
---
updated-dependencies:
- dependency-name: thor
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-19 11:07:37 +09:00