OpenSource/Sharkey

mirror of https://activitypub.software/TransFem-org/Sharkey.git synced 2025-01-07 22:02:11 +01:00

Author	SHA1	Message	Date
Hazelnoot	a47590e64c	add shared (cross-resource) rate limit for proxy	2024-11-25 13:03:51 -05:00
Hazelnoot	1fb1875ac3	normalize AP IDs during verification	2024-11-23 20:23:05 -05:00
dakkar	c4334bff81	honour blocks and "signing required" for note versions	2024-11-23 12:37:15 +00:00
dakkar	f9912e4ae5	allow overriding `setupPassword` via env not sure how useful this is, but let's keep complete coverage	2024-11-23 11:03:48 +00:00
dakkar	6c13dc04f2	Merge branch 'develop' into feature/2024.10	2024-11-23 10:41:33 +00:00
dakkar	b4a278ae54	merge: Comply with type for Packed<'Note'> (fixes aria client compatibility) (!771 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/771 Approved-by: dakkar <dakkar@thenautilus.net>	2024-11-22 23:57:22 +00:00
dakkar	a51fef29c0	remove `minInterval` from `FileServerService` when showing a reply, browser will request the replied-to avatar twice at the same time, and get confused if one of the requests is refused something similar seems to happen with videos and their previews	2024-11-22 23:25:07 +00:00
dakkar	8e07eb7f44	remove duplicate `limit` the `users/lists/push` endpoint already has a limit, of 30/hour	2024-11-22 23:14:37 +00:00
dakkar	caaa78d98d	merge: Add default rate limit (!768 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/768 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Tess K <me@thvxl.se> Approved-by: Marie <github@yuugi.dev>	2024-11-22 23:03:34 +00:00
dakkar	0ea0466313	merge: Filter Add / Remove activities with non-Note payloads (resolves #750 ) (!693 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/693 Closes #750 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Marie <github@yuugi.dev>	2024-11-22 23:03:12 +00:00
dakkar	3ae9f4e8e6	merge: Accept Like(Note) and Update(Note) activities where the Note isn't already cached (resolves #795 and #748 ) (!729 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/729 Closes #795 and #748 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Marie <github@yuugi.dev>	2024-11-22 23:02:39 +00:00
Hazelnoot	3faad0a5e5	merge: Fix typo "to many requests" (!769 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/769 Approved-by: Tess K <me@thvxl.se> Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Marie <github@yuugi.dev>	2024-11-22 21:33:03 +00:00
tess	ebdfb2feb7	Comply with type for Packed<'Note'>	2024-11-22 21:57:04 +01:00
Hazelnoot	dbab122a99	fix typo "to many requests"	2024-11-22 15:26:55 -05:00
Hazelnoot	e3b826db5a	add rate limits to all public endpoints	2024-11-22 15:19:24 -05:00
Hazelnoot	7e3f519a5b	merge: Fix note hiding when renote and target have different visibility settings (resolves #803 ) (!741 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/741 Closes #803 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Marie <github@yuugi.dev>	2024-11-22 19:35:19 +00:00
Hazelnoot	6b54405003	add default / fallback rate limit	2024-11-22 13:53:41 -05:00
Hazelnoot	e32fb4e86d	remove unused import from ApInboxService.ts (introduced by merge error)	2024-11-22 09:22:26 -05:00
Hazelnoot	2b9c3f0d5c	log type of unsupported featured object	2024-11-22 09:20:49 -05:00
Hazelnoot	ae7b90de6c	allow any valid post to be featured, not just Note	2024-11-22 09:20:46 -05:00
Hazelnoot	d74cf9e4ff	filter Add / Remove activities with non-Note payloads	2024-11-22 09:20:11 -05:00
Hazelnoot	9d5bc6cb28	pass resolver when creating notes via side-effect	2024-11-22 09:16:52 -05:00
Hazelnoot	9d3321fca4	allow Update(Note) and Update(Poll) to implicitly create missing notes	2024-11-22 09:16:48 -05:00
Hazelnoot	2bbccde2ce	reduce inbox log spam when fetching blocked / unavailable notes	2024-11-22 09:16:03 -05:00
Hazelnoot	47eb0daebb	fetch target note of Like(Note) activities	2024-11-22 09:16:03 -05:00
dakkar	56563d8dc4	fix lints	2024-11-22 13:11:16 +00:00
dakkar	efeb5ba08b	remove duplicate import	2024-11-22 12:54:32 +00:00
dakkar	9dbed8fb3e	maybe improve note validation on update?	2024-11-22 12:31:14 +00:00
dakkar	bc816cb166	Merge tag '2024.11.0' into feature/2024.10	2024-11-22 12:29:04 +00:00
dakkar	585052646a	better wording for moderator inactivity messages	2024-11-22 10:49:16 +00:00
dakkar	d069d78c21	Merge branch 'develop' into feature/2024.10	2024-11-22 10:42:58 +00:00
Hazelnoot	fadcabeaa6	merge: Don't preview URLs to blocked hosts (!751 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/751 Approved-by: Tess K <me@thvxl.se> Approved-by: dakkar <dakkar@thenautilus.net>	2024-11-22 10:37:29 +00:00
Hazelnoot	2ac36e4a5c	merge: Fix federation error "The note creation failed with duplication error even when there is no duplication" (resolves #749 ) (!745 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/745 Closes #749 Approved-by: Tess K <me@thvxl.se> Approved-by: dakkar <dakkar@thenautilus.net>	2024-11-22 10:37:11 +00:00
Hazelnoot	4b5a400264	merge: Allow Update activities for non-note posts (resolves #794 ) (!728 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/728 Closes #794 Approved-by: Tess K <me@thvxl.se> Approved-by: dakkar <dakkar@thenautilus.net>	2024-11-22 10:35:21 +00:00
かっこかり	f25fc5215b	fix(backend): Inboxのエラーをthrowせずreturnしている問題を修正 (#15022 ) * fix exception handling for Like activities (cherry picked from commit `8f42e8434e`) * fix exception handling for Announce activities (cherry picked from commit `cfc3ab4b04`) * fix exception handling for Undo activities * Update Changelog --------- Co-authored-by: Hazelnoot <acomputerdog@gmail.com>	2024-11-22 12:14:41 +09:00
Hazelnoot	5b72c08a68	merge: Fix type confusion with exceptions in AP handling (resolves #796 ) (!730 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/730 Closes #796 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Tess K <me@thvxl.se>	2024-11-21 16:44:54 +00:00
Hazelnoot	9f3b97effb	merge: Reduce log spam from `ApPersonService.updateFeatured` (!747 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/747 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Tess K <me@thvxl.se>	2024-11-21 16:35:18 +00:00
Hazelnoot	34a5dbe21b	merge: Reduce log spam from charts (!748 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/748 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Tess K <me@thvxl.se>	2024-11-21 16:32:32 +00:00
かっこかり	c1f19fad1e	fix(backend): fix apResolver (#15010 ) * fix(backend): fix apResolver * fix * add comments * tweak comment	2024-11-21 14:36:24 +09:00
Hazelnoot	241b186a8a	merge: Prevent "mark instance as NSFW" from producing hellspawns (!749 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/749 Approved-by: Tess K <me@thvxl.se> Approved-by: dakkar <dakkar@thenautilus.net>	2024-11-21 05:26:41 +00:00
Hazelnoot	4b503f88e1	normalize naming of `isPackedPureRenote` and `PackedPureRenote`	2024-11-20 22:27:52 -05:00
Hazelnoot	faf1b3559a	fix note hiding when renote and target have different visibility settings	2024-11-20 22:27:50 -05:00
Hazelnoot	2fb2e52312	add isPureRenotePacked	2024-11-20 22:27:43 -05:00
Hazelnoot	2a4c432f41	don't generate URL previews for blocked domains	2024-11-20 22:25:49 -05:00
Hazelnoot	4c6cec552e	verify that preview URL is valid	2024-11-20 22:25:49 -05:00
Hazelnoot	c48faca707	fix lint errors in UrlPreviewService	2024-11-20 22:25:49 -05:00
かっこかり	3a6c2aa835	fix(backend): fix type error(s) in security fixes (#15009 ) * Fix type error in security fixes (cherry picked from commit `fa3cf6c299`) * Fix error in test function calls (cherry picked from commit `1758f29364`) * Fix style error (cherry picked from commit `23c4aa2571`) * Fix another style error (cherry picked from commit `36af07abe2`) * Fix `.punyHost` misuse (cherry picked from commit `6027b516e1`) * attempt to fix test: make yaml valid --------- Co-authored-by: Julia Johannesen <julia@insertdomain.name>	2024-11-21 12:10:02 +09:00
Hazelnoot	bcc20d6dc4	allow Update activities for non-note posts	2024-11-20 22:08:20 -05:00
Hazelnoot	0de7a084a9	fix exception handling for Undo activities	2024-11-20 22:05:10 -05:00
Hazelnoot	cfc3ab4b04	fix exception handling for Announce activities	2024-11-20 22:05:10 -05:00
Hazelnoot	8f42e8434e	fix exception handling for Like activities	2024-11-20 22:05:10 -05:00
Hazelnoot	dff465000c	fix import-order in ApInboxService	2024-11-20 22:05:10 -05:00
Hazelnoot	0f6d26e065	reduce log spam from charts	2024-11-20 22:03:32 -05:00
Hazelnoot	c9934c379f	remove duplicate `isPureRenote` method	2024-11-20 22:03:17 -05:00
Hazelnoot	a62e4f1cf2	ignore `isNSFW` for pure renotes	2024-11-20 22:03:17 -05:00
Hazelnoot	dcd5b6d972	replace `console.error` with `this.logger.error` (merge error)	2024-11-20 22:02:59 -05:00
Hazelnoot	fedf0d7e20	further reduce log spam from `updateFeatured` errors	2024-11-20 22:02:59 -05:00
Hazelnoot	984cfe358d	reduce log spam from `updateFeatured`	2024-11-20 22:02:59 -05:00
Hazelnoot	aabb1945e8	respect pinned note limit for remote users	2024-11-20 22:02:47 -05:00
Hazelnoot	4e0f7ced84	preserve the raw URI in parseUri	2024-11-20 22:02:31 -05:00
Julia	41536480ce	merge: Bump develop version (!766 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/766	2024-11-21 02:58:28 +00:00
Julia Johannesen	6027b516e1	Fix `.punyHost` misuse	2024-11-20 21:24:35 -05:00
Julia Johannesen	36af07abe2	Fix another style error	2024-11-20 20:31:22 -05:00
かっこかり	53e827b18c	fix(backend): fix security patches (#15008 )	2024-11-21 10:30:30 +09:00
Julia Johannesen	23c4aa2571	Fix style error	2024-11-20 20:24:59 -05:00
Julia Johannesen	1758f29364	Fix error in test function calls	2024-11-20 20:16:43 -05:00
Julia Johannesen	fa3cf6c299	Fix type error in security fixes	2024-11-20 20:06:46 -05:00
Hazelnoot	b0834ebf55	prevent DoS from spammed media proxy requests	2024-11-20 19:37:38 -05:00
syuilo	0f59adc436	fix ap/show	2024-11-21 09:25:18 +09:00
syuilo	9fdabe3666	fix(backend): use atomic command to improve security Co-Authored-By: Acid Chicken <root@acid-chicken.com>	2024-11-21 09:22:15 +09:00
Julia Johannesen	8e90484b3e	Bump version	2024-11-20 19:21:57 -05:00
rectcoordsystem	776f6fd1f5	fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses	2024-11-20 19:17:25 -05:00
rectcoordsystem	7b3e3f8e25	fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService)	2024-11-20 19:17:25 -05:00
rectcoordsystem	360d71278a	fix(backend): lint and typecheck	2024-11-20 19:17:25 -05:00
rectcoordsystem	663c06be00	Apply suggestions from code review Co-authored-by: anatawa12 <anatawa12@icloud.com>	2024-11-20 19:17:25 -05:00
rectcoordsystem	7ccccf5545	fix(backend): allow accessing private IP when testing	2024-11-20 19:17:25 -05:00
rectcoordsystem	f36f4b5398	fix(backend): check target IP before sending HTTP request	2024-11-20 19:17:25 -05:00
Julia Johannesen	cc4e99fdde	fix: Try using `CacheService` to avoid excess db lookups This isn't perfect, theoretically if some massive number of users blocked the user making this request the set lookup could take a long amount of time, but eh, it works, and that scenario is highly unlikely.	2024-11-20 19:17:25 -05:00
Julia Johannesen	5764fa55cb	fix: primitives 25-33: proper local instance checks	2024-11-20 19:17:25 -05:00
Julia Johannesen	74565f67f7	fix: primitives 21, 22, and 23: reuse resolver This also increases the default `recursionLimit` for `Resolver`, as it theoretically will go higher that it previously would and could possibly fail on non-malicious collection activities.	2024-11-20 19:17:25 -05:00
Julia Johannesen	408e782507	fix: primitive 19 & 20: respect blocks and hide more Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked.	2024-11-20 19:17:25 -05:00
Julia Johannesen	cbf8cc376e	fix: primitive 18: `ap/get` bypasses access checks One might argue that we could make this one actually preform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else.	2024-11-20 19:17:25 -05:00
Julia Johannesen	c04f344049	fix: primitive 13: check attribution against actor in notes	2024-11-20 19:17:25 -05:00
Julia Johannesen	b9080da75d	fix: code style for primitive 17	2024-11-20 19:17:24 -05:00
Laura Hausmann	4d925fc086	fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array	2024-11-20 19:17:24 -05:00
Laura Hausmann	b74e2e9167	fix: primitive 16: improper same-origin validation for user uri and url	2024-11-20 19:17:24 -05:00
Laura Hausmann	ebea1a2962	fix: primitive 15: improper same-origin validation for note uri and url	2024-11-20 19:17:24 -05:00
Julia Johannesen	4c432c07cb	fix: code style for primitive 14	2024-11-20 19:17:24 -05:00
Laura Hausmann	322b3b677f	fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections	2024-11-20 19:17:24 -05:00
Julia Johannesen	1c7e05ce9e	fix: primitive 7 & 12: prevent poll spoofing	2024-11-20 19:17:24 -05:00
Laura Hausmann	9ab25ede28	fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name	2024-11-20 19:17:24 -05:00
Laura Hausmann	174dfb83d0	fix: primitive 6: reject anonymous objects that were fetched by their id	2024-11-20 19:17:24 -05:00
Laura Hausmann	ad8e8793c7	fix: primitives 5 & 8: reject activities with non-string identifiers	2024-11-20 19:17:24 -05:00
Laura Hausmann	1e14612f0e	fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities	2024-11-20 19:17:24 -05:00
Laura Hausmann	9090b745e6	fix: primitive 3: validation of non-final url	2024-11-20 19:17:24 -05:00
Laura Hausmann	d883934826	fix: primitive 2: acceptance of cross-origin alternate links	2024-11-20 19:17:23 -05:00
rectcoordsystem	090e9392cd	Merge commit from fork * fix(backend): check target IP before sending HTTP request * fix(backend): allow accessing private IP when testing * Apply suggestions from code review Co-authored-by: anatawa12 <anatawa12@icloud.com> * fix(backend): lint and typecheck * fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService) * fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses --------- Co-authored-by: anatawa12 <anatawa12@icloud.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>	2024-11-21 08:27:09 +09:00
Julia	b9cb949eb1	Merge commit from fork * Fix poll update spoofing * fix: Disallow negative poll counts --------- Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>	2024-11-21 08:24:50 +09:00
Julia	5f675201f2	Merge commit from fork * enhance: Add a few validation fixes from Sharkey See the original MR on the GitLab instance: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484 Co-Authored-By: Dakkar <dakkar@thenautilus.net> * fix: primitive 2: acceptance of cross-origin alternate Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 3: validation of non-final url * fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities * fix: primitives 5 & 8: reject activities with non string identifiers Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 6: reject anonymous objects that were fetched by their id * fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections * fix: code style for primitive 14 * fix: primitive 15: improper same-origin validation for note uri and url Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 16: improper same-origin validation for user uri and url * fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array * fix: code style for primitive 17 * fix: check attribution against actor in notes While this isn't strictly required to fix the exploits at hand, this mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a preemptive countermeasure. * fix: primitive 18: `ap/get` bypasses access checks One might argue that we could make this one actually preform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else. * fix: primitive 19 & 20: respect blocks and hide more Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked. * fix: primitives 21, 22, and 23: reuse resolver This also increases the default `recursionLimit` for `Resolver`, as it theoretically will go higher that it previously would and could possibly fail on non-malicious collection activities. * fix: primitives 25-33: proper local instance checks * revert: fix: primitive 19 & 20 This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c. --------- Co-authored-by: Dakkar <dakkar@thenautilus.net> Co-authored-by: Laura Hausmann <laura@hausmann.dev> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>	2024-11-21 08:20:09 +09:00
Sayamame-beans	aa48a0e207	Fix: リノートミュートが新規投稿通知に対して作用していなかった問題を修正 (#15006 ) * fix(backend): renoteMute doesn't work for note notification * docs(changelog): update changelog	2024-11-21 08:00:50 +09:00

1 2 3 4 5 ...

3222 commits