Merge remote-tracking branch 'parent/main' into upstream-20231116

2023-11-15 13:01:29 +09:00 · 2023-11-15 13:01:29 +09:00 · 24371d6b2a
commit 24371d6b2a
parent f5d01909ab 998f068499
87 changed files with 566 additions and 347 deletions
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@ -7,6 +7,7 @@ class Api::BaseController < ApplicationController
  include RateLimitHeaders
  include AccessTokenTrackingConcern
  include ApiCachingConcern
+  include Api::ContentSecurityPolicy

  skip_before_action :require_functional!, unless: :limited_federation_mode?

@ -17,26 +18,6 @@ class Api::BaseController < ApplicationController

  protect_from_forgery with: :null_session

-  content_security_policy do |p|
-    # Set every directive that does not have a fallback
-    p.default_src :none
-    p.frame_ancestors :none
-    p.form_action :none
-
-    # Disable every directive with a fallback to cut on response size
-    p.base_uri false
-    p.font_src false
-    p.img_src false
-    p.style_src false
-    p.media_src false
-    p.frame_src false
-    p.manifest_src false
-    p.connect_src false
-    p.script_src false
-    p.child_src false
-    p.worker_src false
-  end
-
  rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e|
    render json: { error: e.to_s }, status: 422
  end
--- a/app/controllers/api/v1/instances/domain_blocks_controller.rb
+++ b/app/controllers/api/v1/instances/domain_blocks_controller.rb
@ -13,7 +13,7 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
      cache_if_unauthenticated!
    end

-    render json: @domain_blocks, each_serializer: REST::DomainBlockSerializer, with_comment: (Setting.show_domain_blocks_rationale == 'all' || (Setting.show_domain_blocks_rationale == 'users' && user_signed_in?))
+    render json: @domain_blocks, each_serializer: REST::DomainBlockSerializer, with_comment: show_rationale_in_response?
  end

  private
@ -26,4 +26,16 @@ class Api::V1::Instances::DomainBlocksController < Api::V1::Instances::BaseContr
    @domain_blocks = DomainBlock.with_user_facing_limitations.by_severity
    @domain_blocks = @domain_blocks.filter { |block| !block.hidden_anonymous } unless user_signed_in?
  end
+
+  def show_rationale_in_response?
+    always_show_rationale? || show_rationale_for_user?
+  end
+
+  def always_show_rationale?
+    Setting.show_domain_blocks_rationale == 'all'
+  end
+
+  def show_rationale_for_user?
+    Setting.show_domain_blocks_rationale == 'users' && user_signed_in?
+  end
 end
--- a/app/controllers/api/v1/timelines/base_controller.rb
+++ b/app/controllers/api/v1/timelines/base_controller.rb
@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+class Api::V1::Timelines::BaseController < Api::BaseController
+  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+
+  private
+
+  def insert_pagination_headers
+    set_pagination_headers(next_path, prev_path)
+  end
+
+  def pagination_max_id
+    @statuses.last.id
+  end
+
+  def pagination_since_id
+    @statuses.first.id
+  end
+
+  def next_path_params
+    permitted_params.merge(max_id: pagination_max_id)
+  end
+
+  def prev_path_params
+    permitted_params.merge(min_id: pagination_since_id)
+  end
+
+  def permitted_params
+    params
+      .slice(*self.class::PERMITTED_PARAMS)
+      .permit(*self.class::PERMITTED_PARAMS)
+  end
+end
--- a/app/controllers/api/v1/timelines/home_controller.rb
+++ b/app/controllers/api/v1/timelines/home_controller.rb
@ -1,9 +1,10 @@
 # frozen_string_literal: true

-class Api::V1::Timelines::HomeController < Api::BaseController
+class Api::V1::Timelines::HomeController < Api::V1::Timelines::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: [:show]
  before_action :require_user!, only: [:show]
-  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+
+  PERMITTED_PARAMS = %i(local limit).freeze

  def show
    with_read_replica do
@ -42,27 +43,11 @@ class Api::V1::Timelines::HomeController < Api::BaseController
    HomeFeed.new(current_account)
  end

-  def insert_pagination_headers
-    set_pagination_headers(next_path, prev_path)
-  end
-
-  def pagination_params(core_params)
-    params.slice(:local, :limit).permit(:local, :limit).merge(core_params)
-  end
-
  def next_path
-    api_v1_timelines_home_url pagination_params(max_id: pagination_max_id)
+    api_v1_timelines_home_url next_path_params
  end

  def prev_path
-    api_v1_timelines_home_url pagination_params(min_id: pagination_since_id)
-  end
-
-  def pagination_max_id
-    @statuses.last.id
-  end
-
-  def pagination_since_id
-    @statuses.first.id
+    api_v1_timelines_home_url prev_path_params
  end
 end
--- a/app/controllers/api/v1/timelines/list_controller.rb
+++ b/app/controllers/api/v1/timelines/list_controller.rb
@ -1,12 +1,12 @@
 # frozen_string_literal: true

-class Api::V1::Timelines::ListController < Api::BaseController
+class Api::V1::Timelines::ListController < Api::V1::Timelines::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:lists' }
  before_action :require_user!
  before_action :set_list
  before_action :set_statuses

-  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+  PERMITTED_PARAMS = %i(limit).freeze

  def show
    render json: @statuses,
@ -41,27 +41,11 @@ class Api::V1::Timelines::ListController < Api::BaseController
    ListFeed.new(@list)
  end

-  def insert_pagination_headers
-    set_pagination_headers(next_path, prev_path)
-  end
-
-  def pagination_params(core_params)
-    params.slice(:limit).permit(:limit).merge(core_params)
-  end
-
  def next_path
-    api_v1_timelines_list_url params[:id], pagination_params(max_id: pagination_max_id)
+    api_v1_timelines_list_url params[:id], next_path_params
  end

  def prev_path
-    api_v1_timelines_list_url params[:id], pagination_params(min_id: pagination_since_id)
-  end
-
-  def pagination_max_id
-    @statuses.last.id
-  end
-
-  def pagination_since_id
-    @statuses.first.id
+    api_v1_timelines_list_url params[:id], prev_path_params
  end
 end
--- a/app/controllers/api/v1/timelines/public_controller.rb
+++ b/app/controllers/api/v1/timelines/public_controller.rb
@ -1,8 +1,9 @@
 # frozen_string_literal: true

-class Api::V1::Timelines::PublicController < Api::BaseController
+class Api::V1::Timelines::PublicController < Api::V1::Timelines::BaseController
  before_action :require_user!, only: [:show], if: :require_auth?
-  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+
+  PERMITTED_PARAMS = %i(local remote limit only_media).freeze

  def show
    cache_if_unauthenticated!
@ -44,27 +45,11 @@ class Api::V1::Timelines::PublicController < Api::BaseController
    )
  end

-  def insert_pagination_headers
-    set_pagination_headers(next_path, prev_path)
-  end
-
-  def pagination_params(core_params)
-    params.slice(:local, :remote, :limit, :only_media).permit(:local, :remote, :limit, :only_media).merge(core_params)
-  end
-
  def next_path
-    api_v1_timelines_public_url pagination_params(max_id: pagination_max_id)
+    api_v1_timelines_public_url next_path_params
  end

  def prev_path
-    api_v1_timelines_public_url pagination_params(min_id: pagination_since_id)
-  end
-
-  def pagination_max_id
-    @statuses.last.id
-  end
-
-  def pagination_since_id
-    @statuses.first.id
+    api_v1_timelines_public_url prev_path_params
  end
 end
--- a/app/controllers/api/v1/timelines/tag_controller.rb
+++ b/app/controllers/api/v1/timelines/tag_controller.rb
@ -1,9 +1,10 @@
 # frozen_string_literal: true

-class Api::V1::Timelines::TagController < Api::BaseController
+class Api::V1::Timelines::TagController < Api::V1::Timelines::BaseController
  before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: :show, if: :require_auth?
  before_action :load_tag
-  after_action :insert_pagination_headers, unless: -> { @statuses.empty? }
+
+  PERMITTED_PARAMS = %i(local limit only_media).freeze

  def show
    cache_if_unauthenticated!
@ -53,27 +54,11 @@ class Api::V1::Timelines::TagController < Api::BaseController
    )
  end

-  def insert_pagination_headers
-    set_pagination_headers(next_path, prev_path)
-  end
-
-  def pagination_params(core_params)
-    params.slice(:local, :limit, :only_media).permit(:local, :limit, :only_media).merge(core_params)
-  end
-
  def next_path
-    api_v1_timelines_tag_url params[:id], pagination_params(max_id: pagination_max_id)
+    api_v1_timelines_tag_url params[:id], next_path_params
  end

  def prev_path
-    api_v1_timelines_tag_url params[:id], pagination_params(min_id: pagination_since_id)
-  end
-
-  def pagination_max_id
-    @statuses.last.id
-  end
-
-  def pagination_since_id
-    @statuses.first.id
+    api_v1_timelines_tag_url params[:id], prev_path_params
  end
 end
--- a/app/controllers/concerns/api/content_security_policy.rb
+++ b/app/controllers/concerns/api/content_security_policy.rb
@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Api::ContentSecurityPolicy
+  extend ActiveSupport::Concern
+
+  included do
+    content_security_policy do |policy|
+      # Set every directive that does not have a fallback
+      policy.default_src :none
+      policy.frame_ancestors :none
+      policy.form_action :none
+
+      # Disable every directive with a fallback to cut on response size
+      policy.base_uri false
+      policy.font_src false
+      policy.img_src false
+      policy.style_src false
+      policy.media_src false
+      policy.frame_src false
+      policy.manifest_src false
+      policy.connect_src false
+      policy.script_src false
+      policy.child_src false
+      policy.worker_src false
+    end
+  end
+end