Commit Graph

14866 Commits

Author SHA1 Message Date
7e3c5d1ec8 integrate glitch 2022-03-29 10:12:39 +02:00
91527021b7 install yarn deps 2022-02-04 11:01:37 +01:00
df6b81d678 Merge remote-tracking branch 'glitch-soc/main' 2022-02-04 11:01:25 +01:00
adb5be766e Merge branch 'master' of https://framagit.org/tykayn/mastodon 2022-02-04 10:52:11 +01:00
43c0067865 hop 2022-02-04 10:52:07 +01:00
48540d459b Merge branch 'master' of https://framagit.org/tykayn/mastodon 2022-02-04 09:14:38 +01:00
4494d73cbc Merge tag 'v3.4.6' 2022-02-04 09:13:39 +01:00
Claire
73b730e649
Merge pull request #1676 from ClearlyClaire/glitch-soc/merge-upstream
Merge upstream changes
2022-02-03 14:09:19 +01:00
Claire
93a6c143af
Fix insufficient sanitization of report comments (#17430) 2022-02-03 14:08:24 +01:00
Claire
2beb0a7af5 Bump version to 3.4.6 2022-02-03 12:12:27 +01:00
Claire
bb7b2868a0 Bump version to 3.4.6 2022-02-02 23:48:38 +01:00
Wonderfall
a06dda41d0 disable legacy XSS filtering (#17289)
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
2022-02-02 23:30:15 +01:00
Claire
bf005edd30 Change mastodon:webpush:generate_vapid_key task to not require functional env (#17338)
Fixes #17297
2022-02-02 23:30:15 +01:00
Claire
df68d2eab8 Fix response_to_recipient? CTE 2022-02-02 23:30:15 +01:00
Claire
b27f50da5a Fix insufficient sanitization of report comments 2022-02-02 23:30:15 +01:00
Claire
e2009ced3a Fix compacted JSON-LD possibly causing compatibility issues on forwarding 2022-02-02 23:30:15 +01:00
Puck Meerburg
fe0210074f Compact JSON-LD signed incoming activities 2022-02-02 23:30:15 +01:00
Claire
c8dbbd60eb Fix error-prone SQL queries (#15828)
* Fix error-prone SQL queries in Account search

While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.

This PR parameterises the `to_tsquery` input to make the query more robust.

* Harden code for Status#tagged_with_all and Status#tagged_with_none

Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.

* Remove unneeded spaces surrounding tsquery term

* Please CodeClimate

* Move advanced_search_for SQL template to its own function

This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.

* Add tests covering tagged_with, tagged_with_all and tagged_with_none

* Rewrite tagged_with_none to avoid multiple joins and make it more robust

* Remove obsolete brakeman warnings

* Revert "Remove unneeded spaces surrounding tsquery term"

The two queries are not strictly equivalent.

This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-02-02 23:30:15 +01:00
Claire
6d831fe274
Fix spurious errors when receiving an Add activity for a private post (#17425) 2022-02-02 22:59:34 +01:00
Claire
a3e0dacf5c Fix response_to_recipient? CTE 2022-02-02 19:55:57 +01:00
Claire
7b969436a0 Fix compacted JSON-LD possibly causing compatibility issues on forwarding 2022-02-02 19:55:57 +01:00
Puck Meerburg
63da32468c Compact JSON-LD signed incoming activities 2022-02-02 16:13:11 +01:00
Claire
20a4b8081f
Merge pull request #1675 from ClearlyClaire/glitch-soc/merge-upstream
Merge upstream changes
2022-02-01 21:41:58 +01:00
Claire
098f2bc1e1 Merge branch 'main' into glitch-soc/merge-upstream 2022-02-01 20:59:28 +01:00
Alexandra Catalina
d0d15bf49c
Update tootsuite/mastodon Docker tag to v3.4.5 (#17417)
Co-authored-by: Renovate Bot <bot@renovateapp.com>
2022-02-01 20:57:50 +01:00
Claire
987d88ea56
Fix requiring an extra restart after recent post-deployment migrations (#17422)
Follow-up to #16409
2022-02-01 20:57:39 +01:00
Rohan Sharma
4d6d4b43c6
Fixed prototype pollution bug and only allow trusted origin (#17420) 2022-02-01 17:34:48 +01:00
Claire
54581d43e7
Bump version to 3.4.5 (#17402) 2022-01-31 21:27:40 +01:00
Claire
1c8c318281 Bump version to 3.4.5 2022-01-31 18:04:24 +01:00
Claire
d722222fe1 Add more advanced migration tests (#17393)
- populate the database with some data when testing migrations
- try both one-step and two-step migrations (`SKIP_POST_DEPLOYMENT_MIGRATIONS`)
2022-01-31 11:23:58 +01:00
Claire
03f0e98b32 Fix followers synchronization mechanism not working when URI has empty path (#16510)
* Fix followers synchronization mechanism not working when URI has empty path

To my knowledge, there is no current implementation on the fediverse
that can use bare domains (e.g., actor is at https://example.org instead of
something like https://example.org/actor) that also plans to support the
followers synchronization mechanism. However, Mastodon's current implementation
would exclude such accounts from followers list.

Also adds tests and rename them to reflect the proper method names.

* Move url prefix regexp to its own constant
2022-01-31 10:59:00 +01:00
Claire
d6f3261c6c
Merge pull request #1674 from ClearlyClaire/glitch-soc/merge-upstream
Merge upstream changes
2022-01-31 10:51:11 +01:00
Claire
2fcf652fff Merge branch 'main' into glitch-soc/merge-upstream 2022-01-31 10:42:17 +01:00
Eugen Rochko
2c83b9076d Add manual GitHub Actions runs (#17000) 2022-01-31 10:35:55 +01:00
Eugen Rochko
c8301bcfc3 Change workflow to push to Docker Hub (#16980) 2022-01-31 10:35:38 +01:00
Yusuke Nakamura
0ae91e45de Build container image by GitHub Actions (#16973)
* Build container image by GitHub Actions

* Trigger docker build only pushed to main branch

* Tweak tagging imgae

- "edge" is the main branch
- "latest" is the tagged latest release
2022-01-31 10:35:14 +01:00
Claire
2363b026e6 Bump ruby-saml from 1.11.0 to 1.13.0 (#16723)
Fixes #16720
2022-01-31 10:33:47 +01:00
Jeong Arm
959234c1e4 Save bundle config as local (#17188)
Some bundle options are saved as global user config and not project local.
Specially, `deployment` must be saved as local config to be run on copied environment
2022-01-31 10:32:46 +01:00
Claire
0dc103ea11 Fix edge case in migration helpers that caused crash because of PostgreSQL quirks (#17398) 2022-01-31 10:31:56 +01:00
Claire
b782f86b51 Fix some old migration scripts (#17394)
* Fix some old migration scripts

* Fix edge case in two-step migration from older releases
2022-01-31 10:31:36 +01:00
Daniel Jakots
aa45404578
Bump NODE_VER to 16.13.2, to solve security issues (#17399)
Fixes CVE-2021-44532, CVE-2021-44533, and CVE-2022-21824.
See: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
2022-01-31 00:32:03 +01:00
Claire
a0e06c3c3e
Add more advanced migration tests (#17393)
- populate the database with some data when testing migrations
- try both one-step and two-step migrations (`SKIP_POST_DEPLOYMENT_MIGRATIONS`)
2022-01-30 23:50:08 +01:00
Claire
c6b291afc3
Change index corruption warning to be a little less scary (#17395) 2022-01-30 23:49:52 +01:00
Claire
b54e263712
Merge pull request #1673 from ClearlyClaire/glitch-soc/merge-upstream
Merge upstream changes
2022-01-30 22:51:32 +01:00
Claire
a99adeaad3
Fix edge case in migration helpers that caused crash because of PostgreSQL quirks (#17398) 2022-01-30 22:34:54 +01:00
Claire
7679ddcd5e Merge branch 'main' into glitch-soc/merge-upstream 2022-01-30 22:33:30 +01:00
Claire
ac583fce21
Fix some old migration scripts (#17394)
* Fix some old migration scripts

* Fix edge case in two-step migration from older releases
2022-01-30 21:38:54 +01:00
Claire
f5639e1cbe
Change public profile pages to be disabled for unconfirmed users (#17385)
Fixes #17382

Note that unconfirmed and unapproved accounts can still be searched for
and their (empty) account retrieved using the REST API.
2022-01-28 14:24:37 +01:00
Claire
2ba6267f16
Merge pull request #1668 from ClearlyClaire/glitch-soc/merge-upstream
Merge upstream changes
2022-01-28 09:38:44 +01:00
Claire
94a39f6b68 Fix Sidekiq warning when pushing DMs to direct timeline 2022-01-28 09:07:56 +01:00