rectcoordsystem
8c5a9c19d1
Merge commit from fork
* fix(backend): check target IP before sending HTTP request
* fix(backend): allow accessing private IP when testing
* Apply suggestions from code review
Co-authored-by: anatawa12 <anatawa12@icloud.com>
* fix(backend): lint and typecheck
* fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService)
* fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses
---------
Co-authored-by: anatawa12 <anatawa12@icloud.com>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
(cherry picked from commit 090e9392cdb1f584af94a6fb727fba95de3b8504)
2024-12-25 04:19:48 +09:00
Julia
f1b5708971
Merge commit from fork
* Fix poll update spoofing
* fix: Disallow negative poll counts
---------
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
(cherry picked from commit b9cb949eb1f8c57eaa98fc5446d902cf8a5ea85c)
2024-12-25 04:17:47 +09:00
Julia
85096e58b9
Merge commit from fork
* enhance: Add a few validation fixes from Sharkey
See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484
Co-Authored-By: Dakkar <dakkar@thenautilus.net>
* fix: primitive 2: acceptance of cross-origin alternate
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 3: validation of non-final url
* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities
* fix: primitives 5 & 8: reject activities with non-string identifiers
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 6: reject anonymous objects that were fetched by their id
* fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections
* fix: code style for primitive 14
* fix: primitive 15: improper same-origin validation for note uri and url
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 16: improper same-origin validation for user uri and url
* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array
* fix: code style for primitive 17
* fix: check attribution against actor in notes
While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.
* fix: primitive 18: `ap/get` bypasses access checks
One might argue that we could make this one actually perform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.
* fix: primitive 19 & 20: respect blocks and hide more
Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.
* fix: primitives 21, 22, and 23: reuse resolver
This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher than it previously would and could possibly
fail on non-malicious collection activities.
* fix: primitives 25-33: proper local instance checks
* revert: fix: primitive 19 & 20
This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.
---------
Co-authored-by: Dakkar <dakkar@thenautilus.net>
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
(cherry picked from commit 5f675201f261d5db6a58d3099a190372bb2f09f0)
2024-12-25 04:09:04 +09:00
CDN
09f518b41b
fix(backend): fallback sharedInbox to null in ApPersonService (#14970)
(cherry picked from commit b3c2de2b2643d777d360de0171ae573f39411c02)
2024-12-25 03:46:54 +09:00
Tamme Schichler
d1b5d56220
fix(backend): Accept arrays in ActivityPub icon and image properties (#14825)
This is allowed according to the Activity vocabulary: https://www.w3.org/TR/activitystreams-vocabulary/#dfn-icon
The issue is noticeable in combination with Bridgy Fed: https://github.com/snarfed/bridgy-fed/issues/1408
(cherry picked from commit 8eb7749e448d912bdbe2c4eadc35f5d5f1becf61)
2024-12-25 03:46:14 +09:00
あわわわとーにゅ
f5c0430bc9
Fix: only follow and look up <link rel="alternate"> when an OK response is returned (#14627)
cherry picked from commit dd124a8aedb34a1112405fa68bd5daaa96fdc882
Co-authored-by: Julia Johannesen <julia@insertdomain.name>
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
2024-12-25 03:45:35 +09:00
かっこかり
c441c4728f
fix(backend): fix an issue where related resources were loaded when parsing external HTML with happy-dom (#14521)
cherry picked from commit be0906a6c73726ed02a358bcbe904fa3d99713ea
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
2024-12-25 03:07:00 +09:00
Hazel K
9e998cc10b
fix(backend): memory leak in memory caches (#14363)
cherry picked from commit bf8c42eecd3d645652ddd7e69b727ced2a15457d
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Co-authored-by: Hazel K <acomputerdog@gmail.com>
2024-12-25 02:54:31 +09:00
taichan
6d4dc5ea20
Fix(backend): html content-type detection on signedGet (#14424)
cherry picked from commit bf8c42eecd3d645652ddd7e69b727ced2a15457d
Co-authored-by: taichan <40626578+tai-cha@users.noreply.github.com>
2024-12-25 02:40:30 +09:00
かっこかり
b3d4f18175
Update packages/backend/src/core/activitypub/ApRequestService.ts
cherry picked from commit 129af061989f535ab4c79f497ba55cc5f6bf0385
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
2024-12-25 02:38:30 +09:00
taichan
edf94b5452
enhance(backend): when the head tag contains a link tag with rel=alternate, allow lookup via the URL specified there (#14371)
cherry picked from commit 9fbc1b7f7b71cf0eafadd728a6b66cb95a0c35d8
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
Co-authored-by: taichan <40626578+tai-cha@users.noreply.github.com>
2024-12-25 02:35:58 +09:00
かっこかり
c909c00920
fix(backend): make getApType not throw an error (#14361)
cherry picked from commit 93fc06d18b8520919cdf422675c4102b4851df18
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
2024-12-25 02:30:40 +09:00
Daiki Mizukami
21e3b04391
fix(backend): check visibility of following/followers of remote users / feat: moderators can see following/followers of all users (#14375)
Cherry-picked from 0d508db8a7a36218d38231af4e718aff0e94d9bc
Co-authored-by: Daiki Mizukami <tesaguriguma@gmail.com>
2024-12-25 02:24:33 +09:00
tamaina
25e24b053a
refactor(federation): change the error-handling specification for the Inbox (#13610)
Cherry-picked from 89b27d8587221a321b6ff9cdae4b714bbedd151a
Co-authored-by: tamaina <tamaina@hotmail.co.jp>
2024-12-25 02:20:32 +09:00
あわわわとーにゅ
303a52160c
chore(build): remove corepack & fetch gitmodules on checkout (MisskeyIO#840)
2024-12-25 01:36:30 +09:00
たーびん
4ecfae0d85
perf(timeline): Optimizing for CDN Caching (MisskeyIO#834)
Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com>
2024-12-22 04:01:53 +09:00
あわわわとーにゅ
3362c464c5
spec(api): support GET for some APIs and move credentials to headers (MisskeyIO#837)
2024-12-22 03:08:34 +09:00
あわわわとーにゅ
58513c1b81
feat(sign-in): implement login by email address (MisskeyIO#836)
Co-authored-by: まっちゃてぃー。 <56515516+mattyatea@users.noreply.github.com>
2024-12-22 00:09:33 +09:00
あわわわとーにゅ
3ecc340168
update deps (MisskeyIO#835)
2024-12-21 23:21:18 +09:00
あわわわとーにゅ
08a53cdd2c
enhance(backend): when generating a blurhash, resize before converting to raw (MisskeyIO#832)
2024-12-19 05:35:45 +09:00
あわわわとーにゅ
b3f73d7312
update deps (MisskeyIO#833)
2024-12-19 05:35:13 +09:00
あわわわとーにゅ
7772d42d33
feat(MiAuth): do not redirect to the callback when issuing the access token fails (MisskeyIO#831)
Cherry-picked from TeamNijimiss/misskey@800359623e
Co-authored-by: nafu-at <satsuki@nafusoft.dev>
2024-12-18 04:37:14 +09:00
まっちゃてぃー。
714aad6312
feat(frontend): show a waveform in the audio player (MisskeyIO#827)
Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com>
Co-authored-by: tar_bin <tar.bin.master@gmail.com>
2024-12-18 02:59:55 +09:00
まっちゃてぃー。
b5df2c0356
fix(frontend): forgot to import instance (MisskeyIO#830)
2024-12-17 04:16:11 +09:00
まっちゃてぃー。
1a81d3fa46
enhance(Page): allow pages to be made private (MisskeyIO#821)
2024-12-11 03:23:16 +09:00
まっちゃてぃー。
6a416468e3
enhance(frontend/navbar): add "Support Misskey.io" to the navigation bar (MisskeyIO#828)
2024-12-08 05:01:50 +09:00
あわわわとーにゅ
e7afbd140a
code cleanup (MisskeyIO#825)
2024-11-27 05:48:25 +09:00
あわわわとーにゅ
029d6da7c8
update deps (MisskeyIO#824)
2024-11-27 05:12:48 +09:00
あわわわとーにゅ
b4865fd9ae
use node 22, update deps (#822)
Co-authored-by: riku6460 <17585784+riku6460@users.noreply.github.com>
2024-11-23 01:44:01 +09:00
まっちゃてぃー。
f4ebae3956
enhance(Gallery): keep the blur on thumbnails when hovering & show the gallery description at the top (MisskeyIO#820)
2024-11-21 22:06:14 +09:00
dependabot[bot]
1bad66913c
chore(deps): bump codecov/codecov-action from 4 to 5 (MisskeyIO#819)
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v4...v5)
---
updated-dependencies:
- dependency-name: codecov/codecov-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-11-15 15:21:11 +09:00
あわわわとーにゅ
5c12930531
Bump up version to 2024.5.0-io.4d (MisskeyIO#817)
2024-11-15 02:35:38 +09:00
あわわわとーにゅ
63122f85c2
spec(sound/note): turn off the sound effect for other users' posts by default (MisskeyIO#816)
2024-11-14 22:05:22 +09:00
sleep-moe
aec01dd4ad
fix(frontend): fix IPv6 addresses overflowing the layout when viewed on smartphones (MisskeyIO#815)
2024-11-14 22:05:03 +09:00
あわわわとーにゅ
da43ac01a8
spec(Email/Verifymail): apply bans to MX record domains as well (MisskeyIO#814)
2024-11-14 22:04:31 +09:00
あわわわとーにゅ
a761b2e6ce
fix(frontend): fix an issue where an error could occur when viewing a user's profile page (MisskeyIO#813)
2024-11-10 13:03:38 +09:00
あわわわとーにゅ
43f0b9a73c
fix(about-report-resolver): fix an issue where the forwarding setting could not be turned back off once enabled (MisskeyIO#812)
Cherry-picked from atsu1125/misskey-core@5001b4b77c
Co-authored-by: atsu1125 <atsuchan@atsuchan.page>
2024-11-10 13:03:18 +09:00
あわわわとーにゅ
6cebb2b9ed
Bump up version to 2024.5.0-io.4c (MisskeyIO#807)
2024-11-09 03:51:05 +09:00
あわわわとーにゅ
9782370e86
fix(frontend): fix an issue where the condition for detecting quote renotes was incomplete (MisskeyIO#806)
2024-11-09 03:48:51 +09:00
あわわわとーにゅ
6a697785dc
Bump up version to 2024.5.0-io.4b (MisskeyIO#804)
2024-11-08 16:05:25 +09:00
あわわわとーにゅ
ee135b7e3c
Fix code scanning alert no. 27: DOM text reinterpreted as HTML (MisskeyIO#801)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2024-11-08 15:54:42 +09:00
あわわわとーにゅ
443335c662
Fix code scanning alert no. 28: Incomplete string escaping or encoding (MisskeyIO#800)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2024-11-08 15:49:35 +09:00
あわわわとーにゅ
729ad19c3a
update deps (MisskeyIO#802)
2024-11-08 15:48:33 +09:00
あわわわとーにゅ
7d7552e076
Fix code scanning alert no. 25: Incomplete URL scheme check (MisskeyIO#799)
* Fix code scanning alert no. 26: Incomplete URL scheme check
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
* Fix code scanning alert no. 25: Incomplete URL scheme check
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---------
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2024-11-08 15:10:47 +09:00
あわわわとーにゅ
e6fb07165e
update deps (MisskeyIO#798)
2024-11-08 15:10:10 +09:00
あわわわとーにゅ
781f60275a
Bump up version to 2024.5.0-io.4a (MisskeyIO#794)
2024-11-08 05:45:57 +09:00
あわわわとーにゅ
122ed3c82d
feat(analytics): implement events for deck UI page navigation and API response time (MisskeyIO#793)
2024-11-07 16:24:13 +09:00
あわわわとーにゅ
9559fbefe0
spec(SSO/SAML): add attributes (MisskeyIO#792)
2024-11-07 10:08:32 +09:00
あわわわとーにゅ
fcd75902cc
feat(analytics): fix the duplicate event filter (MisskeyIO#791)
2024-11-06 19:58:06 +09:00
あわわわとーにゅ
410b36b5a0
Bump up version to 2024.5.0-io.4 (MisskeyIO#789)
2024-11-06 10:37:46 +09:00