Sharkey

mirror of https://activitypub.software/TransFem-org/Sharkey synced 2024-12-19 06:50:08 +00:00

Author	SHA1	Message	Date
Julia Johannesen	c04f344049	fix: primitive 13: check attribution against actor in notes	2024-11-20 19:17:25 -05:00
Julia Johannesen	b9080da75d	fix: code style for primitive 17	2024-11-20 19:17:24 -05:00
Laura Hausmann	4d925fc086	fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array	2024-11-20 19:17:24 -05:00
Laura Hausmann	b74e2e9167	fix: primitive 16: improper same-origin validation for user uri and url	2024-11-20 19:17:24 -05:00
Laura Hausmann	ebea1a2962	fix: primitive 15: improper same-origin validation for note uri and url	2024-11-20 19:17:24 -05:00
Julia Johannesen	4c432c07cb	fix: code style for primitive 14	2024-11-20 19:17:24 -05:00
Laura Hausmann	322b3b677f	fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections	2024-11-20 19:17:24 -05:00
Julia Johannesen	1c7e05ce9e	fix: primitive 7 & 12: prevent poll spoofing	2024-11-20 19:17:24 -05:00
Laura Hausmann	9ab25ede28	fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name	2024-11-20 19:17:24 -05:00
Laura Hausmann	174dfb83d0	fix: primitive 6: reject anonymous objects that were fetched by their id	2024-11-20 19:17:24 -05:00
Laura Hausmann	ad8e8793c7	fix: primitives 5 & 8: reject activities with non-string identifiers	2024-11-20 19:17:24 -05:00
Laura Hausmann	1e14612f0e	fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities	2024-11-20 19:17:24 -05:00
Laura Hausmann	9090b745e6	fix: primitive 3: validation of non-final url	2024-11-20 19:17:24 -05:00
Laura Hausmann	d883934826	fix: primitive 2: acceptance of cross-origin alternate links	2024-11-20 19:17:23 -05:00
rectcoordsystem	090e9392cd	Merge commit from fork * fix(backend): check target IP before sending HTTP request * fix(backend): allow accessing private IP when testing * Apply suggestions from code review Co-authored-by: anatawa12 <anatawa12@icloud.com> * fix(backend): lint and typecheck * fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService) * fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses --------- Co-authored-by: anatawa12 <anatawa12@icloud.com> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>	2024-11-21 08:27:09 +09:00
Julia	b9cb949eb1	Merge commit from fork * Fix poll update spoofing * fix: Disallow negative poll counts --------- Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>	2024-11-21 08:24:50 +09:00
Julia	5f675201f2	Merge commit from fork * enhance: Add a few validation fixes from Sharkey See the original MR on the GitLab instance: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484 Co-Authored-By: Dakkar <dakkar@thenautilus.net> * fix: primitive 2: acceptance of cross-origin alternate Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 3: validation of non-final url * fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities * fix: primitives 5 & 8: reject activities with non string identifiers Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 6: reject anonymous objects that were fetched by their id * fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections * fix: code style for primitive 14 * fix: primitive 15: improper same-origin validation for note uri and url Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 16: improper same-origin validation for user uri and url * fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array * fix: code style for primitive 17 * fix: check attribution against actor in notes While this isn't strictly required to fix the exploits at hand, this mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a preemptive countermeasure. * fix: primitive 18: `ap/get` bypasses access checks One might argue that we could make this one actually preform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else. * fix: primitive 19 & 20: respect blocks and hide more Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked. * fix: primitives 21, 22, and 23: reuse resolver This also increases the default `recursionLimit` for `Resolver`, as it theoretically will go higher that it previously would and could possibly fail on non-malicious collection activities. * fix: primitives 25-33: proper local instance checks * revert: fix: primitive 19 & 20 This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c. --------- Co-authored-by: Dakkar <dakkar@thenautilus.net> Co-authored-by: Laura Hausmann <laura@hausmann.dev> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>	2024-11-21 08:20:09 +09:00
syuilo	1c284c8154	New Crowdin updates (#15000 ) * New translations ja-jp.yml (Catalan) * New translations ja-jp.yml (English) * New translations ja-jp.yml (Korean) * New translations ja-jp.yml (Chinese Simplified) * New translations ja-jp.yml (Chinese Traditional) * New translations ja-jp.yml (German)	2024-11-21 08:01:42 +09:00
Sayamame-beans	aa48a0e207	Fix: リノートミュートが新規投稿通知に対して作用していなかった問題を修正 (#15006 ) * fix(backend): renoteMute doesn't work for note notification * docs(changelog): update changelog	2024-11-21 08:00:50 +09:00
syuilo	f0c3a4cc0b	perf(frontend): reduce api requests for non-logged-in enviroment (#15001 ) * wip * Update CHANGELOG.md * wip	2024-11-21 07:58:34 +09:00
鴇峰朔華	4603ab67bb	feat: 絵文字のポップアップメニューに編集を追加 (#15004 ) * Mod: 絵文字のポップアップメニューに編集を追加 * fix: code styleの修正 * fix: code styleの修正 * fix	2024-11-20 20:08:26 +09:00
Julia	e0bb796aff	merge: Fix linter error in emojis endpoint (!758 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/758	2024-11-20 06:29:48 +00:00
Julia Johannesen	fb54546573	Fix linter error in emojis endpoint	2024-11-20 01:17:24 -05:00
Julia	9e0b759197	merge: Bump develop version (!757 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/757	2024-11-20 05:56:55 +00:00
Julia Johannesen	41c500851b	Bump develop version	2024-11-20 00:54:30 -05:00
Julia	27339e03c2	merge: Bump version (!756 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/756	2024-11-20 05:22:39 +00:00
Julia Johannesen	680c2a0718	Bump version	2024-11-20 00:09:56 -05:00
Julia	f258888408	merge: Prevent DoS from spammed media proxy requests (!754 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/754 Approved-by: Julia <julia@insertdomain.name>	2024-11-20 04:59:00 +00:00
Hazelnoot	d150e92f41	prevent DoS from spammed media proxy requests	2024-11-19 23:31:59 -05:00
zawa-ch.	763c708253	Fix(backend): アカウント削除のモデレーションログが動作していないのを修正 (#14996 ) (#14997 ) * アカウント削除のモデレーションログが動作していないのを修正 * update CHANGELOG	2024-11-19 21:12:40 +09:00
github-actions[bot]	6c5d3113c6	Bump version to 2024.11.0-alpha.2	2024-11-19 03:56:50 +00:00
syuilo	968f595606	New Crowdin updates (#14965 ) * New translations ja-jp.yml (Chinese Simplified) * New translations ja-jp.yml (Chinese Traditional) * New translations ja-jp.yml (German) * New translations ja-jp.yml (Catalan) * New translations ja-jp.yml (German) * New translations ja-jp.yml (German) * New translations ja-jp.yml (German) * New translations ja-jp.yml (Swedish) * New translations ja-jp.yml (English) * New translations ja-jp.yml (Catalan) * New translations ja-jp.yml (Chinese Traditional) * New translations ja-jp.yml (Korean) * New translations ja-jp.yml (German) * New translations ja-jp.yml (Swedish) * New translations ja-jp.yml (Chinese Simplified) * New translations ja-jp.yml (Romanian) * New translations ja-jp.yml (French) * New translations ja-jp.yml (Spanish) * New translations ja-jp.yml (Arabic) * New translations ja-jp.yml (Czech) * New translations ja-jp.yml (Italian) * New translations ja-jp.yml (Dutch) * New translations ja-jp.yml (Norwegian) * New translations ja-jp.yml (Polish) * New translations ja-jp.yml (Portuguese) * New translations ja-jp.yml (Russian) * New translations ja-jp.yml (Slovak) * New translations ja-jp.yml (Turkish) * New translations ja-jp.yml (Ukrainian) * New translations ja-jp.yml (Vietnamese) * New translations ja-jp.yml (Indonesian) * New translations ja-jp.yml (Bengali) * New translations ja-jp.yml (Thai) * New translations ja-jp.yml (Uzbek) * New translations ja-jp.yml (Lao) * New translations ja-jp.yml (Japanese, Kansai) * New translations ja-jp.yml (Korean (Gyeongsang)) * New translations ja-jp.yml (Chinese Traditional) * New translations ja-jp.yml (German) * New translations ja-jp.yml (English) * New translations ja-jp.yml (German) * New translations ja-jp.yml (Chinese Simplified) * New translations ja-jp.yml (German) * New translations ja-jp.yml (English) * New translations ja-jp.yml (German) * New translations ja-jp.yml (German) * New translations ja-jp.yml (Polish) * New translations ja-jp.yml (Catalan) * New translations ja-jp.yml (Swedish) * New translations ja-jp.yml (French) * New translations ja-jp.yml (French) * New translations ja-jp.yml (French) * New translations ja-jp.yml (French) * New translations ja-jp.yml (Swedish) * New translations ja-jp.yml (Korean) * New translations ja-jp.yml (Chinese Simplified)	2024-11-19 12:50:04 +09:00
おさむのひと	7b9c884a5d	refactor(backend): SystemWebhookで送信されるペイロードの型を追加 (#14980 )	2024-11-19 10:41:39 +09:00
FineArchs	c271534aba	リノートメニューに「リノートの詳細」を追加 (#14985 ) * add renote-detail menu * changelog * Apply suggestions from code review Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com> * Update CHANGELOG.md --------- Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>	2024-11-19 10:34:33 +09:00
饺子w (Yumechi)	e800c0f85a	fix(backend): お知らせ作成時に画像URL入力欄を空欄に変更できないのを修正 (#14990 ) * fix(backend): アナウンスメントを作成ときに画像URLを後悔できないのを修正 Signed-off-by: eternal-flame-AD <yume@yumechi.jp> * Update CHANGELOG.md Co-authored-by: おさむのひと <46447427+samunohito@users.noreply.github.com> --------- Signed-off-by: eternal-flame-AD <yume@yumechi.jp> Co-authored-by: おさむのひと <46447427+samunohito@users.noreply.github.com>	2024-11-19 10:29:42 +09:00
かっこかり	81348f1277	fix(frontend): TypeScriptの型チェック対象ファイルを限定して高速化するように (#14994 ) * fix frontend tsconfig includes * fix frontend-embed tsconfig includes * fix eslint in frontend / frontend-embed * Update Changelog --------- Co-authored-by: Hazelnoot <acomputerdog@gmail.com>	2024-11-19 10:22:47 +09:00
おさむのひと	0df6c79172	enhance(frontend): デッキ表示時にサイドバーを展開・折りたたみできるように (#14983 ) * enhance(frontend): デッキ表示時にサイドバーを展開・折りたたみできるように * wip * wip * Update navbar.vue * ✌️ * Update CHANGELOG.md * 🎨 --------- Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>	2024-11-18 10:36:51 +09:00
dakkar	482538c7f8	merge: make emoji categories and names case insensitive. (!746 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/746 Approved-by: Hazelnoot <acomputerdog@gmail.com> Approved-by: dakkar <dakkar@thenautilus.net>	2024-11-17 13:22:39 +00:00
syuilo	eed45c7915	Update SECURITY.md	2024-11-17 17:35:27 +09:00
syuilo	42f9586fc6	Update CONTRIBUTING.md	2024-11-17 17:33:50 +09:00
syuilo	032dfc782d	Update CONTRIBUTING.md	2024-11-17 17:33:12 +09:00
syuilo	00b8d0c072	Update CONTRIBUTING.md	2024-11-17 17:32:28 +09:00
syuilo	9aebf0c168	Update CHANGELOG.md	2024-11-17 14:15:38 +09:00
syuilo	a730045bdd	Update CHANGELOG.md	2024-11-17 12:44:44 +09:00
Hazelnoot	d579687156	merge: Dockerfile mkdir files (!740 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/740 Approved-by: Tess K <me@thvxl.se> Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Hazelnoot <acomputerdog@gmail.com>	2024-11-17 00:48:37 +00:00
Hazelnoot	de970ff54e	merge: Change example config - db name and user consistent with docs (!739 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/739 Approved-by: Tess K <me@thvxl.se> Approved-by: Hazelnoot <acomputerdog@gmail.com>	2024-11-17 00:41:14 +00:00
Hazelnoot	1bfb0dc395	merge: check harder for connectibility (!737 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/737 Approved-by: Hazelnoot <acomputerdog@gmail.com> Approved-by: Marie <github@yuugi.dev>	2024-11-17 00:40:52 +00:00
Hazelnoot	da2dfee0a8	merge: Remove check to prevent admin reporting (Fixes #757 ) (!727 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/727 Closes #757 Approved-by: Julia <julia@insertdomain.name> Approved-by: Marie <github@yuugi.dev> Approved-by: Hazelnoot <acomputerdog@gmail.com>	2024-11-17 00:39:08 +00:00
syuilo	9614f74bf8	🎨	2024-11-16 20:24:31 +09:00
CDN	b3c2de2b26	fix(backend): fallback sharedInbox to null in ApPersonService (#14970 )	2024-11-16 18:53:28 +09:00

... 6 7 8 9 10 ...

29236 commits