No description
85096e58b9
* enhance: Add a few validation fixes from Sharkey See the original MR on the GitLab instance: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484 Co-Authored-By: Dakkar <dakkar@thenautilus.net> * fix: primitive 2: acceptance of cross-origin alternate Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 3: validation of non-final url * fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities * fix: primitives 5 & 8: reject activities with non string identifiers Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 6: reject anonymous objects that were fetched by their id * fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections * fix: code style for primitive 14 * fix: primitive 15: improper same-origin validation for note uri and url Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 16: improper same-origin validation for user uri and url * fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array * fix: code style for primitive 17 * fix: check attribution against actor in notes While this isn't strictly required to fix the exploits at hand, this mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a preemptive countermeasure. * fix: primitive 18: `ap/get` bypasses access checks One might argue that we could make this one actually preform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else. * fix: primitive 19 & 20: respect blocks and hide more Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked. * fix: primitives 21, 22, and 23: reuse resolver This also increases the default `recursionLimit` for `Resolver`, as it theoretically will go higher that it previously would and could possibly fail on non-malicious collection activities. * fix: primitives 25-33: proper local instance checks * revert: fix: primitive 19 & 20 This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c. --------- Co-authored-by: Dakkar <dakkar@thenautilus.net> Co-authored-by: Laura Hausmann <laura@hausmann.dev> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> (cherry picked from commit 5f675201f261d5db6a58d3099a190372bb2f09f0) |
||
|---|---|---|
| .config | ||
| .devcontainer | ||
| .github | ||
| .okteto | ||
| .vscode | ||
| assets | ||
| chart | ||
| cypress | ||
| fluent-emojis@cae981eb4c | ||
| locales | ||
| packages | ||
| scripts | ||
| .dockerignore | ||
| .dockleignore | ||
| .editorconfig | ||
| .gitattributes | ||
| .gitignore | ||
| .gitmodules | ||
| .node-version | ||
| .npmrc | ||
| .vsls.json | ||
| CHANGELOG.md | ||
| CODE_OF_CONDUCT.md | ||
| codecov.yml | ||
| CONTRIBUTING.md | ||
| COPYING | ||
| crowdin.yml | ||
| cypress.config.ts | ||
| docker-compose.local-db.yml | ||
| docker-compose_example.yml | ||
| Dockerfile | ||
| healthcheck.sh | ||
| LICENSE | ||
| package.json | ||
| pnpm-lock.yaml | ||
| pnpm-workspace.yaml | ||
| Procfile | ||
| README.md | ||
| ROADMAP.md | ||
| SECURITY.md | ||
✨ Features
- ActivityPub support
Not on Misskey? No problem! Not only can Misskey instances talk to each other, but you can make friends with people on other networks like Mastodon and Pixelfed! - Reactions
You can add emoji reactions to any post! No longer are you bound by a like button, show everyone exactly how you feel with the tap of a button. - Drive
With Misskey's built in drive, you get cloud storage right in your social media, where you can upload any files, make folders, and find media from posts you've made! - Rich Web UI
Misskey has a rich and easy to use Web UI! It is highly customizable, from changing the layout and adding widgets to making custom themes. Furthermore, plugins can be created using AiScript, an original programming language. - And much more...
Documentation
Misskey Documentation can be found at Misskey Hub, some of the links and graphics above also lead to specific portions of it.
Sponsors of Misskey
List of sponsors of Misskey can be found at Misskey Hub.
Sponsors of Misskey.io
Thanks
Thanks to Chromatic for providing the visual testing platform that helps us review UI changes and catch visual regressions.
Thanks to Codecov for providing the code coverage platform that helps us improve our test coverage.
Thanks to Crowdin for providing the localization platform that helps us translate Misskey into many languages.
Thanks to Docker for providing the container platform that helps us run Misskey in production.