e6872e4f3b
use uniform sampling in secure-rndstr
...
the current implementation is biased towards making some characters
25% more common, with the default alphabet the more common characters
being '0', '8', 'h', 'q', 'z', 'I', 'R', and 'Z'
this changes the probability of all letters to be equal
2025-01-17 11:42:49 +00:00
1c8a2cfa46
update tests to handle signup requests
2025-01-16 23:19:00 +01:00
56dcf2c956
fix backend linting errors
2025-01-16 20:34:25 +01:00
efe20a4fe8
Merge remote-tracking branch 'origin/feature/approval' into feature/approval
2025-01-11 21:28:11 +01:00
741eb0ac32
fix migration from key without approvals makes all users become unapproved
2025-01-11 21:26:56 +01:00
leah
47d211a5c2
Merge branch 'main' into feature/approval
2025-01-11 19:31:15 +00:00
22a16e0d5a
fix missing type
2025-01-11 20:08:56 +01:00
28fad4fd5d
implement /api/v1/accounts/lookup
2025-01-10 21:22:17 +01:00
6e25bd9c5e
decline users
2025-01-10 19:17:30 +01:00
2d3589e4aa
Fixes + tested with email
2025-01-10 00:45:35 +01:00
920a1cd8ee
fixed bug
2025-01-09 23:01:45 +01:00
1224033142
Seemed to fix old stuff but breaks initializing an instance? Idk what's going on
2025-01-09 22:04:41 +01:00
49650a1382
It mostly works. Issues: Error on signup, and missing icons in signup page and admin page
2025-01-09 00:53:20 +01:00
1ac9e213f1
Add search drive by alt text
2025-01-08 22:27:34 +01:00
あわわわとーにゅ
f2eafaab73
fix(MisskeyIO#872): forgot to remove (MisskeyIO#875)
2025-01-08 06:07:04 +09:00
あわわわとーにゅ
4f9aee899f
spec(pages): restrict the characters that can be used in URLs (MisskeyIO#873)
2025-01-08 03:50:25 +09:00
あわわわとーにゅ
e1ae455e4a
fix(backend/ClientServerService): fix an issue where suspended users could not be looked up by user ID (MisskeyIO#872)
2025-01-08 03:38:12 +09:00
あわわわとーにゅ
3307f86586
fix(backend/AccountMoveService): fix an issue where an empty line break was added to the moderation note during account migration (MisskeyIO#870)
2025-01-06 01:38:43 +09:00
あわわわとーにゅ
88a361e622
fix(backend/ActivityPubServerService): fix an issue where the apOrHtml Constraint was not evaluated correctly (MisskeyIO#869)
2025-01-05 02:39:50 +09:00
あわわわとーにゅ
6dcda9db5c
fix(backend/ClientServerService): fix an issue where remote users could not be looked up by user ID (MisskeyIO#868)
2025-01-03 06:57:10 +09:00
あわわわとーにゅ
b5a796ffd1
fix(backend/UtilityService): fix an issue where the local check for URIs always returned false in environments with a non-standard port number (MisskeyIO#867)
2024-12-31 10:29:44 +09:00
あわわわとーにゅ
f7ac3c5493
Revert "perf(queue): use Hashtag with BullMQ + DragonflyDB so that not everything is locked (MisskeyIO#838)" (MisskeyIO#865)
...
This reverts commit 8c81bb9b6a partially.
2024-12-31 09:44:43 +09:00
あわわわとーにゅ
7c5e24c07c
fix(ActivityPub): trust redirects from remote servers (MisskeyIO#860)
2024-12-28 18:50:41 +09:00
あわわわとーにゅ
543325582c
fix(ActivityPub): when the URI and URL do not match, allow a difference of up to one subdomain level within the same domain (MisskeyIO#859)
2024-12-28 18:49:13 +09:00
あわわわとーにゅ
ff195d4f8d
cleanup(backend): refactor UtilityService (MisskeyIO#858)
2024-12-28 11:39:48 +09:00
あわわわとーにゅ
cb73368c83
update deps (MisskeyIO#857)
2024-12-28 11:39:27 +09:00
あわわわとーにゅ
7bbbbd0b89
enhance(data-usage): omit the whole object when there is no data to send over the stream (MisskeyIO#853)
2024-12-25 15:40:37 +09:00
あわわわとーにゅ
8b17ab77b4
fix(cdn-caching): fix an issue where one's own reactions were not displayed (MisskeyIO#851)
2024-12-25 14:13:45 +09:00
riku6460
8c81bb9b6a
perf(queue): use Hashtag with BullMQ + DragonflyDB so that not everything is locked (MisskeyIO#838)
2024-12-25 11:35:41 +09:00
あわわわとーにゅ
531565aa66
update deps (MisskeyIO#844)
...
fixes nsfwjs error in b3f73d7312
2024-12-25 11:18:28 +09:00
あわわわとーにゅ
8abe8aecee
fix(sign-in): unify error codes on login failure (MisskeyIO#843)
2024-12-25 09:43:25 +09:00
あわわわとーにゅ
6542ad4a12
enhance(role): allow leaving a memo when assigning a role (MisskeyIO#842)
2024-12-25 09:42:59 +09:00
あわわわとーにゅ
d9ed763849
fix merge failure
2024-12-25 04:34:04 +09:00
かっこかり
c6b6aab90e
fix(backend): fix an issue where Inbox errors were returned instead of thrown (#15022)
...
* fix exception handling for Like activities
(cherry picked from commit 8f42e8434eaebe3aba5d1980c57f49dd8ad0de91)
* fix exception handling for Announce activities
(cherry picked from commit cfc3ab4b045af0674122fa49176431860176358b)
* fix exception handling for Undo activities
* Update Changelog
---------
Co-authored-by: Hazelnoot <acomputerdog@gmail.com>
(cherry picked from commit f25fc5215bd03b9405b257fc8b8b1d7df7ea33b3)
2024-12-25 04:22:06 +09:00
かっこかり
e3cad435b8
fix(backend): fix apResolver (#15010)
...
* fix(backend): fix apResolver
* fix
* add comments
* tweak comment
(cherry picked from commit c1f19fad1e7e1717898b37bbb4e863e0f26b306b)
2024-12-25 04:20:44 +09:00
かっこかり
d1b953b15c
fix(backend): fix type error(s) in security fixes (#15009)
...
* Fix type error in security fixes
(cherry picked from commit fa3cf6c2996741e642955c5e2fca8ad785e83205)
* Fix error in test function calls
(cherry picked from commit 1758f29364eca3cbd13dbb5c84909c93712b3b3b)
* Fix style error
(cherry picked from commit 23c4aa25714af145098baa7edd74c1d217e51c1a)
* Fix another style error
(cherry picked from commit 36af07abe28bec670aaebf9f5af5694bb582c29a)
* Fix `.punyHost` misuse
(cherry picked from commit 6027b516e1c82324d55d6e54d0e17cbd816feb42)
* attempt to fix test: make yaml valid
---------
Co-authored-by: Julia Johannesen <julia@insertdomain.name>
(cherry picked from commit 3a6c2aa83563515b2ce02cda289b0271d992e84e)
2024-12-25 04:20:41 +09:00
かっこかり
ed68245177
fix(backend): fix security patches (#15008)
...
(cherry picked from commit 53e827b18c46f786268278645206404ff2d95f72)
2024-12-25 04:19:51 +09:00
syuilo
710e719fc5
fix ap/show
...
(cherry picked from commit 0f59adc436f80c495b4404807b0bd645da2b1db8)
2024-12-25 04:19:51 +09:00
rectcoordsystem
8c5a9c19d1
Merge commit from fork
...
* fix(backend): check target IP before sending HTTP request
* fix(backend): allow accessing private IP when testing
* Apply suggestions from code review
Co-authored-by: anatawa12 <anatawa12@icloud.com>
* fix(backend): lint and typecheck
* fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService)
* fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses
---------
Co-authored-by: anatawa12 <anatawa12@icloud.com>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
(cherry picked from commit 090e9392cdb1f584af94a6fb727fba95de3b8504)
2024-12-25 04:19:48 +09:00
Julia
f1b5708971
Merge commit from fork
...
* Fix poll update spoofing
* fix: Disallow negative poll counts
---------
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
(cherry picked from commit b9cb949eb1f8c57eaa98fc5446d902cf8a5ea85c)
2024-12-25 04:17:47 +09:00
Julia
85096e58b9
Merge commit from fork
...
* enhance: Add a few validation fixes from Sharkey
See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484
Co-Authored-By: Dakkar <dakkar@thenautilus.net>
* fix: primitive 2: acceptance of cross-origin alternate
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 3: validation of non-final url
* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities
* fix: primitives 5 & 8: reject activities with non string identifiers
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 6: reject anonymous objects that were fetched by their id
* fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections
* fix: code style for primitive 14
* fix: primitive 15: improper same-origin validation for note uri and url
Co-Authored-By: Laura Hausmann <laura@hausmann.dev>
* fix: primitive 16: improper same-origin validation for user uri and url
* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array
* fix: code style for primitive 17
* fix: check attribution against actor in notes
While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.
* fix: primitive 18: `ap/get` bypasses access checks
One might argue that we could make this one actually perform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.
* fix: primitive 19 & 20: respect blocks and hide more
Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.
* fix: primitives 21, 22, and 23: reuse resolver
This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher than it previously would and could possibly
fail on non-malicious collection activities.
* fix: primitives 25-33: proper local instance checks
* revert: fix: primitive 19 & 20
This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.
---------
Co-authored-by: Dakkar <dakkar@thenautilus.net>
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
(cherry picked from commit 5f675201f261d5db6a58d3099a190372bb2f09f0)
2024-12-25 04:09:04 +09:00
CDN
09f518b41b
fix(backend): fallback sharedInbox to null in ApPersonService (#14970)
...
(cherry picked from commit b3c2de2b2643d777d360de0171ae573f39411c02)
2024-12-25 03:46:54 +09:00
Tamme Schichler
d1b5d56220
fix(backend): Accept arrays in ActivityPub icon and image properties (#14825)
...
This is allowed according to the Activity vocabulary: https://www.w3.org/TR/activitystreams-vocabulary/#dfn-icon
The issue is noticeable in combination with Bridgy Fed: https://github.com/snarfed/bridgy-fed/issues/1408
(cherry picked from commit 8eb7749e448d912bdbe2c4eadc35f5d5f1becf61)
2024-12-25 03:46:14 +09:00
あわわわとーにゅ
f5c0430bc9
Fix: follow <link rel="alternate"> for lookup only when an OK response is returned (#14627)
...
cherry picked from commit dd124a8aed
Co-authored-by: Julia Johannesen <julia@insertdomain.name>
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
2024-12-25 03:45:35 +09:00
かっこかり
c441c4728f
fix(backend): fix an issue where related resources were loaded when parsing external HTML with happy-dom (#14521)
...
cherry picked from commit be0906a6c7
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
2024-12-25 03:07:00 +09:00
Hazel K
9e998cc10b
fix(backend): memory leak in memory caches (#14363)
...
cherry picked from commit bf8c42eecd
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Co-authored-by: Hazel K <acomputerdog@gmail.com>
2024-12-25 02:54:31 +09:00
taichan
6d4dc5ea20
Fix(beckend): html content-type detection on signedGet (#14424)
...
cherry picked from commit bf8c42eecd
Co-authored-by: taichan <40626578+tai-cha@users.noreply.github.com>
2024-12-25 02:40:30 +09:00
かっこかり
b3d4f18175
Update packages/backend/src/core/activitypub/ApRequestService.ts
...
cherry picked from commit 129af06198
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
2024-12-25 02:38:30 +09:00
taichan
edf94b5452
enhance(backend): when the head tag contains a link tag with rel=alternate, allow lookup by referring to the URL it specifies (#14371)
...
cherry picked from commit 9fbc1b7f7b
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
Co-authored-by: taichan <40626578+tai-cha@users.noreply.github.com>
2024-12-25 02:35:58 +09:00
かっこかり
c909c00920
fix(backend): do not throw an error in getApType (#14361)
...
cherry picked from commit 93fc06d18b
Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
2024-12-25 02:30:40 +09:00