Merge commit '71db616fed' into kb_migration

config/application.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'boot'
 
 require 'rails'
@@ -58,7 +60,15 @@ require_relative '../lib/mastodon/redis_config'
 module Mastodon
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 6.1
+    config.load_defaults 7.0
+
+    # TODO: Release a version which uses the 7.0 defaults as specified above,
+    # but preserves the 6.1 cache format as set below. In a subsequent change,
+    # remove this line setting to 6.1 cache format, and then release another version.
+    # https://guides.rubyonrails.org/upgrading_ruby_on_rails.html#new-activesupport-cache-serialization-format
+    # https://github.com/mastodon/mastodon/pull/24241#discussion_r1162890242
+    config.active_support.cache_format_version = 6.1
+
     config.add_autoload_paths_to_load_path = false
 
     # Settings in config/environments/* take precedence over those specified here.
@@ -194,10 +204,10 @@ module Mastodon
     config.to_prepare do
       Doorkeeper::AuthorizationsController.layout 'modal'
       Doorkeeper::AuthorizedApplicationsController.layout 'admin'
-      Doorkeeper::Application.send :include, ApplicationExtension
-      Doorkeeper::AccessToken.send :include, AccessTokenExtension
-      Devise::FailureApp.send :include, AbstractController::Callbacks
-      Devise::FailureApp.send :include, Localized
+      Doorkeeper::Application.include ApplicationExtension
+      Doorkeeper::AccessToken.include AccessTokenExtension
+      Devise::FailureApp.include AbstractController::Callbacks
+      Devise::FailureApp.include Localized
     end
   end
 end

config/boot.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 unless ENV.key?('RAILS_ENV')
   STDERR.puts 'ERROR: Missing RAILS_ENV environment variable, please set it to "production", "development", or "test".'
   exit 1

config/brakeman.ignore

@@ -1,65 +1,5 @@
 {
   "ignored_warnings": [
-    {
-      "warning_type": "SQL Injection",
-      "warning_code": 0,
-      "fingerprint": "19df3740b8d02a9fe0eb52c939b4b87d3a2a591162a6adfa8d64e9c26aeebe6d",
-      "check_name": "SQL",
-      "message": "Possible SQL injection",
-      "file": "app/models/status.rb",
-      "line": 106,
-      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Status",
-        "method": null
-      },
-      "user_input": "id",
-      "confidence": "Weak",
-      "note": ""
-    },
-    {
-      "warning_type": "SQL Injection",
-      "warning_code": 0,
-      "fingerprint": "30dfe36e87fe1b8f239df9a33d576e44a9863f73b680198d4713be6540ae61d3",
-      "check_name": "SQL",
-      "message": "Possible SQL injection",
-      "file": "app/models/trends/query.rb",
-      "line": 76,
-      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "klass.joins(\"join unnest(array[#{ids.join(\",\")}]) with ordinality as x (id, ordering) on #{klass.table_name}.id = x.id\")",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Trends::Query",
-        "method": "to_arel"
-      },
-      "user_input": "ids.join(\",\")",
-      "confidence": "Weak",
-      "note": ""
-    },
-    {
-      "warning_type": "Redirect",
-      "warning_code": 18,
-      "fingerprint": "5fad11cd67f905fab9b1d5739d01384a1748ebe78c5af5ac31518201925265a7",
-      "check_name": "Redirect",
-      "message": "Possible unprotected redirect",
-      "file": "app/controllers/remote_interaction_controller.rb",
-      "line": 24,
-      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
-      "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "RemoteInteractionController",
-        "method": "create"
-      },
-      "user_input": "RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id]))",
-      "confidence": "High",
-      "note": ""
-    },
     {
       "warning_type": "Cross-Site Scripting",
       "warning_code": 2,
@@ -88,46 +28,33 @@
       },
       "user_input": "(Unresolved Model).new.strike",
       "confidence": "Weak",
+      "cwe_id": [
+        79
+      ],
       "note": ""
     },
     {
-      "warning_type": "SQL Injection",
-      "warning_code": 0,
-      "fingerprint": "75fcd147b7611763ab6915faf8c5b0709e612b460f27c05c72d8b9bd0a6a77f8",
-      "check_name": "SQL",
-      "message": "Possible SQL injection",
-      "file": "lib/mastodon/snowflake.rb",
-      "line": 87,
-      "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
-      "code": "connection.execute(\"CREATE OR REPLACE FUNCTION timestamp_id(table_name text)\\nRETURNS bigint AS\\n$$\\n  DECLARE\\n    time_part bigint;\\n    sequence_base bigint;\\n    tail bigint;\\n  BEGIN\\n    time_part := (\\n      -- Get the time in milliseconds\\n      ((date_part('epoch', now()) * 1000))::bigint\\n      -- And shift it over two bytes\\n      << 16);\\n\\n    sequence_base := (\\n      'x' ||\\n      -- Take the first two bytes (four hex characters)\\n      substr(\\n        -- Of the MD5 hash of the data we documented\\n        md5(table_name || '#{SecureRandom.hex(16)}' || time_part::text),\\n        1, 4\\n      )\\n    -- And turn it into a bigint\\n    )::bit(16)::bigint;\\n\\n    -- Finally, add our sequence number to our base, and chop\\n    -- it to the last two bytes\\n    tail := (\\n      (sequence_base + nextval(table_name || '_id_seq'))\\n      & 65535);\\n\\n    -- Return the time part and the sequence part. OR appears\\n    -- faster here than addition, but they're equivalent:\\n    -- time_part has no trailing two bytes, and tail is only\\n    -- the last two bytes.\\n    RETURN time_part | tail;\\n  END\\n$$ LANGUAGE plpgsql VOLATILE;\\n\")",
+      "warning_type": "Denial of Service",
+      "warning_code": 76,
+      "fingerprint": "7b6abba5699755348e7ee82a4694bfbf574b41c7cce2d0db0f7c11ae3f983c72",
+      "check_name": "RegexDoS",
+      "message": "Model attribute used in regular expression",
+      "file": "lib/mastodon/cli/domains.rb",
+      "line": 128,
+      "link": "https://brakemanscanner.org/docs/warning_types/denial_of_service/",
+      "code": "/\\.?(#{DomainBlock.where(:severity => 1).pluck(:domain).map do\n Regexp.escape(domain)\n end.join(\"|\")})$/",
       "render_path": null,
       "location": {
         "type": "method",
-        "class": "Mastodon::Snowflake",
-        "method": "define_timestamp_id"
+        "class": "Mastodon::CLI::Domains",
+        "method": "crawl"
       },
-      "user_input": "SecureRandom.hex(16)",
-      "confidence": "Medium",
-      "note": ""
-    },
-    {
-      "warning_type": "Mass Assignment",
-      "warning_code": 105,
-      "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
-      "check_name": "PermitAttributes",
-      "message": "Potentially dangerous key allowed for mass assignment",
-      "file": "app/controllers/api/v2/search_controller.rb",
-      "line": 28,
-      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
-      "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Api::V2::SearchController",
-        "method": "search_params"
-      },
-      "user_input": ":account_id",
-      "confidence": "High",
+      "user_input": "DomainBlock.where(:severity => 1).pluck(:domain)",
+      "confidence": "Weak",
+      "cwe_id": [
+        20,
+        185
+      ],
       "note": ""
     },
     {
@@ -137,7 +64,7 @@
       "check_name": "PermitAttributes",
       "message": "Potentially dangerous key allowed for mass assignment",
       "file": "app/controllers/api/v1/admin/reports_controller.rb",
-      "line": 90,
+      "line": 88,
       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
       "code": "params.permit(:resolved, :account_id, :target_account_id)",
       "render_path": null,
@@ -148,6 +75,9 @@
       },
       "user_input": ":account_id",
       "confidence": "High",
+      "cwe_id": [
+        915
+      ],
       "note": ""
     },
     {
@@ -157,7 +87,7 @@
       "check_name": "PermitAttributes",
       "message": "Potentially dangerous key allowed for mass assignment",
       "file": "app/controllers/api/v1/notifications_controller.rb",
-      "line": 81,
+      "line": 77,
       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
       "code": "params.permit(:account_id, :types => ([]), :exclude_types => ([]))",
       "render_path": null,
@@ -168,26 +98,32 @@
       },
       "user_input": ":account_id",
       "confidence": "High",
+      "cwe_id": [
+        915
+      ],
       "note": ""
     },
     {
-      "warning_type": "Redirect",
-      "warning_code": 18,
-      "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
-      "check_name": "Redirect",
-      "message": "Possible unprotected redirect",
-      "file": "app/controllers/remote_follow_controller.rb",
-      "line": 21,
-      "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
-      "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "b0dd0a26d24f5ede9713fe49210e9638be5f5548af9eee0b5a16fe9dbc80ffcd",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/api/v2/search_controller.rb",
+      "line": 42,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id, :following)",
       "render_path": null,
       "location": {
         "type": "method",
-        "class": "RemoteFollowController",
-        "method": "create"
+        "class": "Api::V2::SearchController",
+        "method": "search_params"
       },
-      "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
+      "user_input": ":account_id",
       "confidence": "High",
+      "cwe_id": [
+        915
+      ],
       "note": ""
     },
     {
@@ -218,18 +154,21 @@
       },
       "user_input": "(Unresolved Model).new.url",
       "confidence": "Weak",
+      "cwe_id": [
+        79
+      ],
       "note": ""
     },
     {
       "warning_type": "Mass Assignment",
       "warning_code": 105,
-      "fingerprint": "f9de0ca4b04ae4b51b74d98db14dcbb6dae6809e627b58e711019cf9b4a47866",
+      "fingerprint": "d0511f0287aea4ed9511f5a744f880cb15af77a8ec88f81b7365b00b642cf427",
       "check_name": "PermitAttributes",
       "message": "Potentially dangerous key allowed for mass assignment",
       "file": "app/controllers/api/v1/reports_controller.rb",
       "line": 26,
       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
-      "code": "params.permit(:account_id, :comment, :category, :forward, :status_ids => ([]), :rule_ids => ([]))",
+      "code": "params.permit(:account_id, :comment, :category, :forward, :forward_to_domains => ([]), :status_ids => ([]), :rule_ids => ([]))",
       "render_path": null,
       "location": {
         "type": "method",
@@ -238,9 +177,12 @@
       },
       "user_input": ":account_id",
       "confidence": "High",
+      "cwe_id": [
+        915
+      ],
       "note": ""
     }
   ],
-  "updated": "2022-03-22 07:48:32 +0100",
-  "brakeman_version": "5.2.1"
+  "updated": "2023-07-12 11:20:51 -0400",
+  "brakeman_version": "6.0.0"
 }

config/database.yml

@@ -27,10 +27,20 @@ test:
   port: <%= ENV['DB_PORT'] %>
 
 production:
-  <<: *default
-  database: <%= ENV['DB_NAME'] || 'mastodon_production' %>
-  username: <%= ENV['DB_USER'] || 'mastodon' %>
-  password: <%= (ENV['DB_PASS'] || '').to_json %>
-  host: <%= ENV['DB_HOST'] || 'localhost' %>
-  port: <%= ENV['DB_PORT'] || 5432 %>
-  prepared_statements: <%= ENV['PREPARED_STATEMENTS'] || 'true' %>
+  primary:
+    <<: *default
+    database: <%= ENV['DB_NAME'] || 'mastodon_production' %>
+    username: <%= ENV['DB_USER'] || 'mastodon' %>
+    password: <%= (ENV['DB_PASS'] || '').to_json %>
+    host: <%= ENV['DB_HOST'] || 'localhost' %>
+    port: <%= ENV['DB_PORT'] || 5432 %>
+    prepared_statements: <%= ENV['PREPARED_STATEMENTS'] || 'true' %>
+  read:
+    <<: *default
+    database: <%= ENV['DB_REPLICA_NAME'] ||ENV['DB_NAME'] || 'mastodon_production' %>
+    username: <%= ENV['DB_REPLICA_USER'] ||ENV['DB_USER'] || 'mastodon' %>
+    password: <%= (ENV['DB_REPLICA_PASS'] || ENV['DB_PASS'] || '').to_json %>
+    host: <%= ENV['DB_REPLICA_HOST'] ||ENV['DB_HOST'] || 'localhost' %>
+    port: <%= ENV['DB_REPLICA_PORT'] ||ENV['DB_PORT'] || 5432 %>
+    prepared_statements: <%= ENV['PREPARED_STATEMENTS'] || 'true' %>
+    replica: true

config/environment.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Load the Rails application.
 require_relative 'application'
 

config/environments/development.rb

@@ -1,8 +1,12 @@
+# frozen_string_literal: true
+
+require 'active_support/core_ext/integer/time'
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
-  # In the development environment your application's code is reloaded on
-  # every request. This slows down response time but is perfect for development
+  # In the development environment your application's code is reloaded any time
+  # it changes. This slows down response time but is perfect for development
   # since you don't have to restart the web server when you make code changes.
   config.cache_classes = false
 
@@ -12,13 +16,22 @@ Rails.application.configure do
   # Show full error reports.
   config.consider_all_requests_local = true
 
+  # Enable server timing
+  config.server_timing = true
+
   # Enable/disable caching. By default caching is disabled.
   # Run rails dev:cache to toggle caching.
   if Rails.root.join('tmp', 'caching-dev.txt').exist?
     config.action_controller.perform_caching = true
+    config.action_controller.enable_fragment_cache_logging = true
+
     config.cache_store = :redis_cache_store, REDIS_CACHE_PARAMS
+    config.public_file_server.headers = {
+      'Cache-Control' => "public, max-age=#{2.days.to_i}",
+    }
   else
     config.action_controller.perform_caching = false
+
     config.cache_store = :null_store
   end
 
@@ -41,12 +54,19 @@ Rails.application.configure do
   # Print deprecation notices to the Rails logger.
   config.active_support.deprecation = :log
 
+  # Raise exceptions for disallowed deprecations.
+  config.active_support.disallowed_deprecation = :raise
+
+  # Tell Active Support which deprecation messages to disallow.
+  config.active_support.disallowed_deprecation_warnings = []
+
   # Raise an error on page load if there are pending migrations.
   config.active_record.migration_error = :page_load
 
+  # Highlight code that triggered database queries in logs.
+  config.active_record.verbose_query_logs = true
+
   # Debug mode disables concatenation and preprocessing of assets.
-  # This option may cause significant delays in view rendering with a large
-  # number of complex assets.
   config.assets.debug = true
 
   # Suppress logger output for asset requests.
@@ -57,12 +77,14 @@ Rails.application.configure do
   # Raises helpful error messages.
   config.assets.raise_runtime_errors = true
 
-  # Raises error for missing translations
-  # config.action_view.raise_on_missing_translations = true
+  # Raises error for missing translations.
+  # config.i18n.raise_on_missing_translations = true
 
-  # Use an evented file watcher to asynchronously detect changes in source code,
-  # routes, locales, etc. This feature depends on the listen gem.
-  # config.file_watcher = ActiveSupport::EventedFileUpdateChecker
+  # Annotate rendered view with file names.
+  # config.action_view.annotate_rendered_view_with_filenames = true
+
+  # Uncomment if you wish to allow Action Cable access from any origin.
+  # config.action_cable.disable_request_forgery_protection = true
 
   config.action_mailer.default_options = { from: 'notifications@localhost' }
 

config/environments/production.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/integer/time"
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
@@ -19,20 +23,24 @@ Rails.application.configure do
   # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
   # config.require_master_key = true
 
-  ActiveSupport::Logger.new(STDOUT).tap do |logger|
-    logger.formatter = config.log_formatter
-    config.logger = ActiveSupport::TaggedLogging.new(logger)
-  end
+  # Compress CSS using a preprocessor.
+  # config.assets.css_compressor = :sass
 
   # Do not fallback to assets pipeline if a precompiled asset is missed.
   config.assets.compile = false
 
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.asset_host = "http://assets.example.com"
+
   # Specifies the header that your server uses for sending files.
   config.action_dispatch.x_sendfile_header = ENV['SENDFILE_HEADER'] if ENV['SENDFILE_HEADER'].present?
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for Apache
+  # config.action_dispatch.x_sendfile_header = "X-Accel-Redirect" # for NGINX
 
   # Allow to specify public IP of reverse proxy if it's needed
   config.action_dispatch.trusted_proxies = ENV['TRUSTED_PROXY_IP'].split(/(?:\s*,\s*|\s+)/).map { |item| IPAddr.new(item) } if ENV['TRUSTED_PROXY_IP'].present?
 
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   config.force_ssl = true
   config.ssl_options = {
     redirect: {
@@ -40,6 +48,8 @@ Rails.application.configure do
     }
   }
 
+  # Include generic and useful information about system operation, but avoid logging too much
+  # information to avoid inadvertent exposure of personally identifiable information (PII).
   # Use the lowest log level to ensure availability of diagnostic information
   # when problems arise.
   config.log_level = ENV.fetch('RAILS_LOG_LEVEL', 'info').to_sym
@@ -50,6 +60,12 @@ Rails.application.configure do
   # Use a different cache store in production.
   config.cache_store = :redis_cache_store, REDIS_CACHE_PARAMS
 
+  # Use a real queuing backend for Active Job (and separate queues per environment).
+  # config.active_job.queue_adapter     = :resque
+  # config.active_job.queue_name_prefix = "mastodon_production"
+
+  config.action_mailer.perform_caching = false
+
   # Ignore bad email addresses and do not raise email delivery errors.
   # Set this to true and configure the email server for immediate delivery to raise delivery errors.
   # config.action_mailer.raise_delivery_errors = false
@@ -73,6 +89,15 @@ Rails.application.configure do
     end
   end
 
+  # Use a different logger for distributed setups.
+  # require "syslog/logger"
+  # config.logger = ActiveSupport::TaggedLogging.new(Syslog::Logger.new "app-name")
+
+  ActiveSupport::Logger.new(STDOUT).tap do |logger|
+    logger.formatter = config.log_formatter
+    config.logger = ActiveSupport::TaggedLogging.new(logger)
+  end
+
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
 

config/environments/test.rb

@@ -1,25 +1,28 @@
+# frozen_string_literal: true
+
+require 'active_support/core_ext/integer/time'
+
+# The test environment is used exclusively to run your application's
+# test suite. You never need to work with it otherwise. Remember that
+# your test database is "scratch space" for the test suite and is wiped
+# and recreated between test runs. Don't rely on the data there!
+
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
 
-  # The test environment is used exclusively to run your application's
-  # test suite. You never need to work with it otherwise. Remember that
-  # your test database is "scratch space" for the test suite and is wiped
-  # and recreated between test runs. Don't rely on the data there!
+  # Turn false under Spring and add config.action_view.cache_template_loading = true.
   config.cache_classes = true
 
-  # Do not eager load code on boot. This avoids loading your whole application
-  # just for the purpose of running a single test. If you are using a tool that
-  # preloads Rails for running tests, you may have to set it to true.
-  config.eager_load = false
+  # Eager loading loads your whole application. When running a single test locally,
+  # this probably isn't necessary. It's a good idea to do in a continuous integration
+  # system, or in some way before deploying your code.
+  config.eager_load = ENV['CI'].present?
 
-  config.assets.digest = false
+  config.assets_digest = false
 
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = false
-
-  # The default store, file_store is shared by processes parallelly executed
-  # and should not be used.
   config.cache_store = :memory_store
 
   # Raise exceptions instead of rendering exception templates.
@@ -27,6 +30,7 @@ Rails.application.configure do
 
   # Disable request forgery protection in test environment.
   config.action_controller.allow_forgery_protection = false
+
   config.action_mailer.perform_caching = false
 
   config.action_mailer.default_options = { from: 'notifications@localhost' }
@@ -46,8 +50,8 @@ Rails.application.configure do
   config.x.vapid_private_key = vapid_key.private_key
   config.x.vapid_public_key = vapid_key.public_key
 
-  # Raises error for missing translations
-  # config.action_view.raise_on_missing_translations = true
+  # Raise exceptions for disallowed deprecations.
+  config.active_support.disallowed_deprecation = :raise
 
   config.i18n.default_locale = :en
   config.i18n.fallbacks = true
@@ -57,6 +61,15 @@ Rails.application.configure do
     # Ref: https://github.com/mastodon/mastodon/issues/23644
     10.times { |i| Status.allocate.instance_variable_set(:"@ivar_#{i}", nil) }
   end
+
+  # Tell Active Support which deprecation messages to disallow.
+  config.active_support.disallowed_deprecation_warnings = []
+
+  # Raises error for missing translations.
+  # config.i18n.raise_on_missing_translations = true
+
+  # Annotate rendered view with file names.
+  # config.action_view.annotate_rendered_view_with_filenames = true
 end
 
 Paperclip::Attachment.default_options[:path] = Rails.root.join('spec', 'test_files', ':class', ':id_partition', ':style.:extension')

config/i18n-tasks.yml

@@ -63,6 +63,7 @@ ignore_unused:
   - 'admin_mailer.new_appeal.actions.*'
   - 'statuses.attached.*'
   - 'move_handler.carry_{mutes,blocks}_over_text'
+  - 'admin_mailer.*.subject'
   - 'notification_mailer.*'
   - 'imports.overwrite_preambles.{following,blocking,muting,domain_blocking,bookmarks}_html'
   - 'imports.preambles.{following,blocking,muting,domain_blocking,bookmarks}_html'

config/initializers/0_post_deployment_migrations.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Post deployment migrations are included by default. This file must be loaded
 # before other initializers as Rails may otherwise memoize a list of migrations
 # excluding the post deployment migrations.

config/initializers/active_model_serializers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 ActiveModelSerializers.config.tap do |config|
   config.default_includes = '**'
 end

config/initializers/application_controller_renderer.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # Be sure to restart your server when you modify this file.
 
 # ActiveSupport::Reloader.to_prepare do

config/initializers/assets.rb

@@ -1,13 +1,16 @@
+# frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
 # Version of your assets, change this if you want to expire all your assets.
 Rails.application.config.assets.version = '1.0'
 
-# Add additional assets to the asset load path
-# Rails.application.config.assets.paths << 'node_modules'
+# Add additional assets to the asset load path.
+# Rails.application.config.assets.paths << Emoji.images_path
 
 # Precompile additional assets.
-# application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
-# Rails.application.config.assets.precompile += %w()
+# application.js, application.css, and all non-JS/CSS in the app/assets
+# folder are already added.
+# Rails.application.config.assets.precompile += %w( admin.js admin.css )
 
 Rails.application.config.assets.initialize_on_precompile = true

config/initializers/backtrace_silencers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
 # You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.

config/initializers/cache_logging.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Log cache errors with Rail's logger
 # This used to be the default in old Rails versions: https://github.com/rails/rails/commit/7fcf8590e788cef8b64cc266f75931c418902ca9#diff-f0748f0be8a653eea13369ebb1cadabcad71ede7cfaf20282447e64329817befL86
 Rails.cache.logger = Rails.logger

config/initializers/chewy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 enabled         = ENV['ES_ENABLED'] == 'true'
 host            = ENV.fetch('ES_HOST') { 'localhost' }
 port            = ENV.fetch('ES_PORT') { 9200 }

config/initializers/content_security_policy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Define an application-wide content security policy
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

config/initializers/cookie_rotator.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+Rails.application.config.after_initialize do
+  Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
+    authenticated_encrypted_cookie_salt = Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt
+    signed_cookie_salt = Rails.application.config.action_dispatch.signed_cookie_salt
+
+    secret_key_base = Rails.application.secret_key_base
+
+    key_generator = ActiveSupport::KeyGenerator.new(
+      secret_key_base, iterations: 1000, hash_digest_class: OpenSSL::Digest::SHA1
+    )
+    key_len = ActiveSupport::MessageEncryptor.key_len
+
+    old_encrypted_secret = key_generator.generate_key(authenticated_encrypted_cookie_salt, key_len)
+    old_signed_secret = key_generator.generate_key(signed_cookie_salt)
+
+    cookies.rotate :encrypted, old_encrypted_secret
+    cookies.rotate :signed, old_signed_secret
+  end
+end

config/initializers/cookies_serializer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
 # Specify a serializer for the signed and encrypted cookie jars.

config/initializers/cors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
 # Avoid CORS issues when API is called from the frontend app.

config/initializers/devise.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise/strategies/authenticatable'
 
 Warden::Manager.after_set_user except: :fetch do |user, warden|

config/initializers/doorkeeper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Doorkeeper.configure do
   # Change the ORM that doorkeeper will use (needs plugins)
   orm :active_record

config/initializers/fast_blank.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 if String.method_defined?(:blank_as?)
   class String
     alias blank? blank_as?

config/initializers/ffmpeg.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 if ENV['FFMPEG_BINARY'].present?
   FFMPEG.ffmpeg_binary = ENV['FFMPEG_BINARY']
 end

config/initializers/filter_parameter_logging.rb

@@ -1,4 +1,10 @@
+# frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
-# Configure sensitive parameters which will be filtered from the log file.
-Rails.application.config.filter_parameters += [:password, :private_key, :public_key, :otp_attempt]
+# Configure parameters to be filtered from the log file. Use this to limit dissemination of
+# sensitive information. See the ActiveSupport::ParameterFilter documentation for supported
+# notations and behaviors.
+Rails.application.config.filter_parameters += [
+  :passw, :secret, :token, :_key, :crypt, :salt, :certificate, :otp, :ssn
+]

config/initializers/http_client_proxy.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.configure do
   config.x.http_client_proxy = {}
 

config/initializers/httplog.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 HttpLog.configure do |config|
   config.logger = Rails.logger
   config.color = { color: :yellow }

config/initializers/inflections.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
 # Add new inflection rules using the following format. Inflections

config/initializers/mail_delivery_job.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 ActionMailer::MailDeliveryJob.class_eval do
   discard_on ActiveJob::DeserializationError
 end

config/initializers/makara.rb

@@ -1,2 +0,0 @@
-Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
-Makara::Cookie::DEFAULT_OPTIONS[:secure]    = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'

config/initializers/mime_types.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
 Mime::Type.register 'application/json', :json, %w(text/x-json application/jsonrequest application/jrd+json application/activity+json application/ld+json)

config/initializers/new_framework_defaults_7_0.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+# TODO
+# The Rails 7.0 framework default here is to set this true. However, we have a
+# location in devise that redirects where we don't have an easy ability to
+# override a method or set a config option, but where the redirect does not
+# provide this option.
+# https://github.com/heartcombo/devise/blob/v4.9.2/app/controllers/devise/confirmations_controller.rb#L28
+# Once a solution is found, this line can be removed.
+Rails.application.config.action_controller.raise_on_open_redirects = false

config/initializers/oj.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 Oj.default_options = { mode: :compat, time_format: :ruby, use_to_json: true }

config/initializers/omniauth.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Rails.application.config.middleware.use OmniAuth::Builder do
   # Vanilla omniauth strategies
 end

config/initializers/open_uri_redirection.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'open-uri'
 
 module OpenURI

config/initializers/permissions_policy.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # Define an application-wide HTTP permissions policy. For further
 # information see https://developers.google.com/web/updates/2018/06/feature-policy
 #

config/initializers/pghero.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 PgHero.show_migrations = Rails.env.development?

config/initializers/preload_link_headers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Since Rails 6.1, ActionView adds preload links for javascript files
 # in the Links header per default.
 

config/initializers/premailer_rails.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative '../../lib/mastodon/premailer_webpack_strategy'
 
 Premailer::Rails.config.merge!(remove_ids: true,

config/initializers/rack_attack.rb

@@ -5,9 +5,9 @@ require 'doorkeeper/grape/authorization_decorator'
 class Rack::Attack
   class Request
     def authenticated_token
-      return @token if defined?(@token)
+      return @authenticated_token if defined?(@authenticated_token)
 
-      @token = Doorkeeper::OAuth::Token.authenticate(
+      @authenticated_token = Doorkeeper::OAuth::Token.authenticate(
         Doorkeeper::Grape::AuthorizationDecorator.new(self),
         *Doorkeeper.configuration.access_token_methods
       )

config/initializers/rack_attack_logging.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 ActiveSupport::Notifications.subscribe(/rack_attack/) do |_name, _start, _finish, _request_id, payload|
   req = payload[:request]
 

config/initializers/redis.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 Redis.sadd_returns_boolean = false

config/initializers/session_store.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
 Rails.application.config.session_store :cookie_store,

config/initializers/simple_form.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Use this setup block to configure all options available in SimpleForm.
 
 module AppendComponent

config/initializers/stoplight.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'stoplight'
 
 Rails.application.reloader.to_prepare do

config/initializers/trusted_proxies.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Rack
   class Request
     def trusted_proxy?(ip)

config/initializers/twitter_regex.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Twitter::TwitterText
   class Configuration
     def emoji_parsing_enabled

config/initializers/webauthn.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 WebAuthn.configure do |config|
   # This value needs to match `window.location.origin` evaluated by
   # the User Agent during registration and authentication ceremonies.

config/initializers/wrap_parameters.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Be sure to restart your server when you modify this file.
 
 # This file contains settings for ActionController::ParamsWrapper which

config/locales/sr-Latn.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rails_i18n/common_pluralizations/romanian'
 
 ::RailsI18n::Pluralization::Romanian.with_locale(:'sr-Latn')

config/locales/sr.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rails_i18n/common_pluralizations/romanian'
 
 ::RailsI18n::Pluralization::Romanian.with_locale(:sr)

config/puma.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 persistent_timeout ENV.fetch('PERSISTENT_TIMEOUT') { 20 }.to_i
 
 max_threads_count = ENV.fetch('MAX_THREADS') { 5 }.to_i

config/routes.rb

@@ -33,6 +33,7 @@ Rails.application.routes.draw do
     /mutes
     /followed_tags
     /statuses/(*any)
+    /deck/(*any)
   ).freeze
 
   root 'home#index'

config/routes/admin.rb

@@ -68,7 +68,7 @@ namespace :admin do
     end
   end
 
-  resources :instances, only: [:index, :show, :destroy], constraints: { id: %r{[^/]+} } do
+  resources :instances, only: [:index, :show, :destroy], constraints: { id: %r{[^/]+} }, format: 'html' do
     member do
       post :clear_delivery_errors
       post :restart_delivery

config/routes/api.rb

@@ -311,7 +311,7 @@ namespace :api, format: false do
 
   namespace :web do
     resource :settings, only: [:update]
-    resource :embed, only: [:create]
+    resources :embeds, only: [:show]
     resources :push_subscriptions, only: [:create] do
       member do
         put :update