From c92eb63b11e6f8cbe6797e2e2a8cfec8e7ddcf81 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 30 Sep 2024 12:25:54 +0200 Subject: [PATCH 01/10] Merge commit from fork This should not change the set of words matched by `USERNAME_RE` but does change the one matched by `MENTION_RE`. Indeed, the previous regexp allowed a domain part to start with `.` or `-`, which the new regexp does not allow. --- app/models/account.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/models/account.rb b/app/models/account.rb index 24ce72d235..694c9000eb 100644 --- a/app/models/account.rb +++ b/app/models/account.rb @@ -71,8 +71,8 @@ class Account < ApplicationRecord DEFAULT_FIELDS_SIZE = 6 INSTANCE_ACTOR_ID = -99 - USERNAME_RE = /[a-z0-9_]+([a-z0-9_.-]+[a-z0-9_]+)?/i - MENTION_RE = %r{(? Date: Fri, 27 Sep 2024 14:31:00 +0200 Subject: [PATCH 02/10] Fix bundler-audit --- .bundler-audit.yml | 10 ++++++++++ Gemfile.lock | 10 +++++----- 2 files changed, 15 insertions(+), 5 deletions(-) create mode 100644 .bundler-audit.yml diff --git a/.bundler-audit.yml b/.bundler-audit.yml new file mode 100644 index 0000000000..c867b1abf0 --- /dev/null +++ b/.bundler-audit.yml @@ -0,0 +1,10 @@ +--- +ignore: + # devise-two-factor advisory about brute-forcing TOTP + # We have rate-limits on authentication endpoints in place (including second + # factor verification) since Mastodon v3.2.0 + - CVE-2024-0227 + # devise-two-factor advisory about generated secrets being weaker than expected + # We call `generate_otp_secret` ourselves with a requested length of 32 characters, + # which exceeds the recommended remediation of 26 characters, so we're safe + - CVE-2024-8796 diff --git a/Gemfile.lock b/Gemfile.lock index 738ca0fd7e..b79d0dad1d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
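Review bot: The two ignore entries in the new .bundler-audit.yml are open-ended, so they will keep suppressing CVE-2024-0227 and CVE-2024-8796 after devise-two-factor is upgraded and after the assumptions they rest on (authentication rate limits, a 32-character `generate_otp_secret` call) may have changed. bundler-audit's ignore list has no expiry field, so the revisit condition belongs in the comment, e.g. `# Remove once devise-two-factor ships a version that resolves this advisory` under each entry. The CVE-2024-8796 rationale also depends on a call site that is not part of this patch; naming that file in the comment would let a later reviewer verify the 32-character claim instead of taking it on trust.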
@@ -290,9 +290,9 @@ GEM ruby-progressbar (~> 1.4) globalid (1.2.1) activesupport (>= 6.1) - google-protobuf (3.25.4) + google-protobuf (3.25.5) googleapis-common-protos-types (1.15.0) - google-protobuf (>= 3.18, < 5.a) + google-protobuf (>= 3.25.5, < 5.a) haml (6.3.0) temple (>= 0.8.2) thor @@ -494,7 +494,7 @@ GEM opentelemetry-common (0.21.0) opentelemetry-api (~> 1.0) opentelemetry-exporter-otlp (0.29.0) - google-protobuf (>= 3.18) + google-protobuf (>= 3.25.5) googleapis-common-protos-types (~> 1.3) opentelemetry-api (~> 1.1) opentelemetry-common (~> 0.20) @@ -607,7 +607,7 @@ GEM psych (5.1.2) stringio public_suffix (6.0.1) - puma (6.4.2) + puma (6.4.3) nio4r (~> 2.0) pundit (2.4.0) activesupport (>= 3.0.0) @@ -892,7 +892,7 @@ GEM rack-proxy (>= 0.6.1) railties (>= 5.2) semantic_range (>= 2.3.0) - webrick (1.8.1) + webrick (1.8.2) websocket (1.2.11) websocket-driver (0.7.6) websocket-extensions (>= 0.1.0) From 5db2174f0f5590defba797c17ab24fe26b583c49 Mon Sep 17 00:00:00 2001 From: KMY Date: Mon, 30 Sep 2024 21:46:22 +0900 Subject: [PATCH 03/10] Fix test --- Gemfile.lock | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index b79d0dad1d..ff98da28cc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -290,9 +290,11 @@ GEM ruby-progressbar (~> 1.4) globalid (1.2.1) activesupport (>= 6.1) - google-protobuf (3.25.5) - googleapis-common-protos-types (1.15.0) - google-protobuf (>= 3.25.5, < 5.a) + google-protobuf (4.28.2) + bigdecimal + rake (>= 13) + googleapis-common-protos-types (1.16.0) + google-protobuf (>= 3.18, < 5.a) haml (6.3.0) temple (>= 0.8.2) thor From 72ee2860370bfc04c48c601c142f9efcd00a2fb8 Mon Sep 17 00:00:00 2001 From: KMY Date: Mon, 30 Sep 2024 21:48:32 +0900 Subject: [PATCH 04/10] Fix test --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index ff98da28cc..2fd7c3ad2b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -496,7 +496,7 @@ GEM opentelemetry-common (0.21.0) opentelemetry-api (~> 1.0) opentelemetry-exporter-otlp (0.29.0) - google-protobuf (>= 3.25.5) + google-protobuf (>= 3.18) googleapis-common-protos-types (~> 1.3) opentelemetry-api (~> 1.1) opentelemetry-common (~> 0.20) From 99d66c1e29497be9602fc1d0969d5277971003ac Mon Sep 17 00:00:00 2001 From: Claire Date: Fri, 20 Sep 2024 16:58:06 +0200 Subject: [PATCH 05/10] Fix issue when encountering reblog of deleted post in feed rebuild (#32001) --- app/lib/feed_manager.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/lib/feed_manager.rb b/app/lib/feed_manager.rb index 12f2b9a20f..4ad166fcd3 100644 --- a/app/lib/feed_manager.rb +++ b/app/lib/feed_manager.rb @@ -598,7 +598,7 @@ class FeedManager arr = crutches[:active_mentions][s.id] || [] arr.push(s.account_id) - if s.reblog? + if s.reblog? && s.reblog.present? arr.push(s.reblog.account_id) arr.concat(crutches[:active_mentions][s.reblog_of_id] || []) end From d72c8dc7773e24cec5288cd8036e94910adfe69e Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 12 Sep 2024 14:58:12 +0200 Subject: [PATCH 06/10] Fix security context sometimes not being added in LD-Signed activities (#31871) --- app/lib/activitypub/linked_data_signature.rb | 9 ++++++++- spec/lib/activitypub/linked_data_signature_spec.rb | 9 ++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/app/lib/activitypub/linked_data_signature.rb b/app/lib/activitypub/linked_data_signature.rb index 9459fdd8b7..c42313b05e 100644 --- a/app/lib/activitypub/linked_data_signature.rb +++ b/app/lib/activitypub/linked_data_signature.rb @@ -4,6 +4,7 @@ class ActivityPub::LinkedDataSignature include JsonLdHelper CONTEXT = 'https://w3id.org/identity/v1' + SIGNATURE_CONTEXT = 'https://w3id.org/security/v1' def initialize(json) @json = json.with_indifferent_access 
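Review bot: The added `&& s.reblog.present?` guard covers only the active_mentions crutch, where `s.reblog.account_id` is dereferenced; if `reblog?` is derived from `reblog_of_id` rather than from the loaded association (its definition is not visible here), every other `if s.reblog?` followed by `s.reblog.…` in this crutch-building method has the same nil dereference and needs the same guard. Skipping `arr.concat(crutches[:active_mentions][s.reblog_of_id] || [])` as well is harmless, since a deleted status has no live mentions to merge, but the doubled condition reads as redundant without that context. A short comment would record why `reblog?` alone is not enough: `# reblog is nil when the reblogged status has since been deleted`. The enclosing method starts and ends outside this hunk.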
@@ -46,7 +47,13 @@ class ActivityPub::LinkedDataSignature signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest.new('SHA256'), to_be_signed)) - @json.merge('signature' => options.merge('signatureValue' => signature)) + # Mastodon's context is either an array or a single URL + context_with_security = Array(@json['@context']) + context_with_security << 'https://w3id.org/security/v1' + context_with_security.uniq! + context_with_security = context_with_security.first if context_with_security.size == 1 + + @json.merge('signature' => options.merge('signatureValue' => signature), '@context' => context_with_security) end private diff --git a/spec/lib/activitypub/linked_data_signature_spec.rb b/spec/lib/activitypub/linked_data_signature_spec.rb index 1af45673c0..b1a8dc5c49 100644 --- a/spec/lib/activitypub/linked_data_signature_spec.rb +++ b/spec/lib/activitypub/linked_data_signature_spec.rb @@ -95,16 +95,11 @@ RSpec.describe ActivityPub::LinkedDataSignature do describe '#sign!' do subject { described_class.new(raw_json).sign!(sender) } - it 'returns a hash' do + it 'returns a hash with a signature, the expected context, and the signature can be verified', :aggregate_failures do expect(subject).to be_a Hash - end - - it 'contains signature' do expect(subject['signature']).to be_a Hash expect(subject['signature']['signatureValue']).to be_present - end - - it 'can be verified again' do + expect(Array(subject['@context'])).to include('https://w3id.org/security/v1') expect(described_class.new(subject).verify_actor!).to eq sender end end From 6a2342d8af03cf441698f0301a985e997f81c6e5 Mon Sep 17 00:00:00 2001 From: Claire Date: Fri, 20 Sep 2024 12:10:09 +0200 Subject: [PATCH 07/10] Change Mastodon to issue correctly-signed queries by default (#31994) --- app/lib/request.rb | 2 +- app/services/activitypub/fetch_replies_service.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/lib/request.rb b/app/lib/request.rb index ab42e82300..d7da9fe63c 100644 
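Review bot: The first hunk of this file adds `SIGNATURE_CONTEXT = 'https://w3id.org/security/v1'`, but the new code in `sign!` appends the literal `'https://w3id.org/security/v1'` instead, so the constant is unused and the URL is now written twice. There is also an aliasing issue: `Array(@json['@context'])` returns the stored array itself when the context is already an Array, so the following `<<` and `uniq!` mutate `@json` in place before the `merge` (harmless on a single call thanks to `uniq!`, but `sign!` now silently changes the instance state it was handed). Both go away with a non-mutating union: `context_with_security = Array(@json['@context']) | [SIGNATURE_CONTEXT]` followed by the existing `context_with_security = context_with_security.first if context_with_security.size == 1`, dropping the `<<` and `uniq!` lines. `sign!` begins before this hunk.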
--- a/app/lib/request.rb +++ b/app/lib/request.rb @@ -77,7 +77,7 @@ class Request @url = Addressable::URI.parse(url).normalize @http_client = options.delete(:http_client) @allow_local = options.delete(:allow_local) - @full_path = options.delete(:with_query_string) + @full_path = !options.delete(:omit_query_string) @options = options.merge(socket_class: use_proxy? || @allow_local ? ProxySocket : Socket) @options = @options.merge(timeout_class: PerOperationWithDeadline, timeout_options: TIMEOUT) @options = @options.merge(proxy_url) if use_proxy? diff --git a/app/services/activitypub/fetch_replies_service.rb b/app/services/activitypub/fetch_replies_service.rb index e2ecdef165..46cab6caf9 100644 --- a/app/services/activitypub/fetch_replies_service.rb +++ b/app/services/activitypub/fetch_replies_service.rb @@ -49,7 +49,7 @@ class ActivityPub::FetchRepliesService < BaseService rescue Mastodon::UnexpectedResponseError => e raise unless e.response && e.response.code == 401 && Addressable::URI.parse(collection_or_uri).query.present? - fetch_resource_without_id_validation(collection_or_uri, nil, true, request_options: { with_query_string: true }) + fetch_resource_without_id_validation(collection_or_uri, nil, true, request_options: { omit_query_string: false }) end end From 7753dde1e71dcd2f51aa68afee0e8fbc664be173 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 23 Sep 2024 17:36:15 +0200 Subject: [PATCH 08/10] Fix replies collection being cached improperly --- app/controllers/activitypub/replies_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/activitypub/replies_controller.rb b/app/controllers/activitypub/replies_controller.rb index 11aac48c9c..0a19275d38 100644 --- a/app/controllers/activitypub/replies_controller.rb +++ b/app/controllers/activitypub/replies_controller.rb 
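Review bot: `@full_path = !options.delete(:omit_query_string)` inverts the default, and the diffstat shows only one call site (fetch_replies_service.rb) migrated off the old `with_query_string:` option; any other caller still passing `with_query_string:` is no longer consumed by `delete`, so the key flows through `@options = options.merge(...)` into the HTTP client options, where it is at best ignored and at worst rejected depending on how http.rb treats unknown options. A search for `with_query_string` across the app before merging would close that gap. A short comment on the new line would also record the contract, e.g. `# Keep the query string in the request target unless the caller opts out`. Request#initialize begins before this hunk.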
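Review bot: After the Request change in this same patch, `omit_query_string: false` is already the default (`@full_path` is true whenever the option is absent), so the retry on a 401 in this rescue branch appears to re-issue exactly the request that just failed, unless the first attempt in the begin block outside this hunk passes `omit_query_string: true` explicitly. If the initial fetch deliberately omits the query string for compatibility with servers that verify signatures that way, a comment above the retry stating so would make the asymmetry visible; if it does not, this rescue branch can be removed rather than kept with a no-op option. The enclosing method starts and ends outside the hunk.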
@@ -12,7 +12,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController before_action :set_replies def index - expires_in 0, public: public_fetch_mode? + expires_in 0, public: @status.distributable? && public_fetch_mode? render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', skip_activities: true end From d410714aa8c4410cf3d0b24a73dbac5e4c496643 Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 26 Sep 2024 21:27:57 +0200 Subject: [PATCH 09/10] =?UTF-8?q?Add=20=E2=80=9CA=20Mastodon=20update=20is?= =?UTF-8?q?=20available.=E2=80=9D=20message=20on=20admin=20dashboard=20for?= =?UTF-8?q?=20non-bugfix=20updates=20(#32106)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/lib/admin/system_check/software_version_check.rb | 6 ++++-- config/locales/en.yml | 3 +++ spec/lib/admin/system_check/software_version_check_spec.rb | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/app/lib/admin/system_check/software_version_check.rb b/app/lib/admin/system_check/software_version_check.rb index e142feddf0..e5cacfe354 100644 --- a/app/lib/admin/system_check/software_version_check.rb +++ b/app/lib/admin/system_check/software_version_check.rb 
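Review bot: The new `public:` condition has no comment explaining it, and this line is security-sensitive: with `public: true` a shared cache in front of the app could hand a replies collection of a non-distributable status to a requester who would not be authorized to fetch it directly. Suggest `# Only replies to distributable statuses may live in a shared cache; the rest depend on the requester's authorization` above the `expires_in` line. `@status` is assigned outside this hunk, presumably by a before_action, so its presence here is assumed.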
@@ -14,14 +14,16 @@ class Admin::SystemCheck::SoftwareVersionCheck < Admin::SystemCheck::BaseCheck def message if software_updates.any?(&:urgent?) Admin::SystemCheck::Message.new(:software_version_critical_check, nil, admin_software_updates_path, true) - else + elsif software_updates.any?(&:patch_type?) Admin::SystemCheck::Message.new(:software_version_patch_check, nil, admin_software_updates_path) + else + Admin::SystemCheck::Message.new(:software_version_check, nil, admin_software_updates_path) end end private def software_updates - @software_updates ||= SoftwareUpdate.pending_to_a.filter { |update| update.urgent? || update.patch_type? } + @software_updates ||= SoftwareUpdate.pending_to_a end end diff --git a/config/locales/en.yml b/config/locales/en.yml index 20f45bebc9..e67796211a 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -1136,6 +1136,9 @@ en: message_html: You haven't defined any server rules. sidekiq_process_check: message_html: No Sidekiq process running for the %{value} queue(s). Please review your Sidekiq configuration + software_version_check: + action: See available updates + message_html: A Mastodon update is available. software_version_critical_check: action: See available updates message_html: A critical Mastodon update is available, please update as quickly as possible. diff --git a/spec/lib/admin/system_check/software_version_check_spec.rb b/spec/lib/admin/system_check/software_version_check_spec.rb index de4335fc51..cc4c80e7a4 100644 --- a/spec/lib/admin/system_check/software_version_check_spec.rb +++ b/spec/lib/admin/system_check/software_version_check_spec.rb @@ -51,8 +51,8 @@ describe Admin::SystemCheck::SoftwareVersionCheck do Fabricate(:software_update, version: '99.99.99', type: 'major', urgent: false) end - it 'returns true' do - expect(check.pass?).to be true + it 'returns false' do + expect(check.pass?).to be false end end From b6b21f5b45f2da89c778def0acffbdd5d29b60c3 Mon Sep 17 00:00:00 2001 
From: KMY Date: Mon, 30 Sep 2024 21:32:17 +0900 Subject: [PATCH 10/10] Bump version to 14.2 --- lib/mastodon/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index fd6eb9325e..1e7c4183d3 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -9,7 +9,7 @@ module Mastodon end def kmyblue_minor - 1 + 2 end def kmyblue_flag