Merge remote-tracking branch 'parent/main' into upstream-20240531

2024-05-31 08:27:09 +09:00 · 2024-05-31 08:27:09 +09:00 · 13ad383039
commit 13ad383039
parent f3f9e5d545 7f808ff6e9
101 changed files with 1486 additions and 1232 deletions
--- a/config/initializers/opentelemetry.rb
+++ b/config/initializers/opentelemetry.rb
@ -66,3 +66,5 @@ if ENV.keys.any? { |name| name.match?(/OTEL_.*_ENDPOINT/) }
    c.service_version = Mastodon::Version.to_s
  end
 end
+
+MastodonOTELTracer = OpenTelemetry.tracer_provider.tracer('mastodon')
--- a/config/initializers/paperclip.rb
+++ b/config/initializers/paperclip.rb
@ -13,7 +13,7 @@ end

 Paperclip.interpolates :prefix_path do |attachment, _style|
  if attachment.storage_schema_version >= 1 && attachment.instance.respond_to?(:local?) && !attachment.instance.local?
-    'cache' + File::SEPARATOR
+    "cache#{File::SEPARATOR}"
  else
    ''
  end
@ -159,7 +159,7 @@ else
  Paperclip::Attachment.default_options.merge!(
    storage: :filesystem,
    path: File.join(ENV.fetch('PAPERCLIP_ROOT_PATH', File.join(':rails_root', 'public', 'system')), ':prefix_path:class', ':attachment', ':id_partition', ':style', ':filename'),
-    url: ENV.fetch('PAPERCLIP_ROOT_URL', '/system') + '/:prefix_url:class/:attachment/:id_partition/:style/:filename'
+    url: "#{ENV.fetch('PAPERCLIP_ROOT_URL', '/system')}/:prefix_url:class/:attachment/:id_partition/:style/:filename"
  )
 end

--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@ -37,6 +37,10 @@ class Rack::Attack
      authenticated_token&.id
    end

+    def warden_user_id
+      @env['warden']&.user&.id
+    end
+
    def unauthenticated?
      !authenticated_user_id
    end
@ -58,10 +62,6 @@ class Rack::Attack
    end
  end

-  Rack::Attack.safelist('allow from localhost') do |req|
-    req.remote_ip == '127.0.0.1' || req.remote_ip == '::1'
-  end
-
  Rack::Attack.blocklist('deny from blocklist') do |req|
    IpBlock.blocked?(req.remote_ip)
  end
@ -105,6 +105,10 @@ class Rack::Attack
    req.authenticated_user_id if (req.post? && req.path.match?(API_DELETE_REBLOG_REGEX)) || (req.delete? && req.path.match?(API_DELETE_STATUS_REGEX))
  end

+  throttle('throttle_oauth_application_registrations/ip', limit: 5, period: 10.minutes) do |req|
+    req.throttleable_remote_ip if req.post? && req.path == '/api/v1/apps'
+  end
+
  throttle('throttle_sign_up_attempts/ip', limit: 25, period: 5.minutes) do |req|
    req.throttleable_remote_ip if req.post? && req.path_matches?('/auth')
  end
@ -137,6 +141,10 @@ class Rack::Attack
    req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path_matches?('/auth/sign_in')
  end

+  throttle('throttle_password_change/account', limit: 10, period: 10.minutes) do |req|
+    req.warden_user_id if req.put? || (req.patch? && req.path_matches?('/auth'))
+  end
+
  self.throttled_responder = lambda do |request|
    now        = Time.now.utc
    match_data = request.env['rack.attack.match_data']