1
0
forked from mirror/misskey
🌎 A completely free and open interplanetary microblogging platform 🚀
Go to file
Julia 5f675201f2
Merge commit from fork
* enhance: Add a few validation fixes from Sharkey

See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484

Co-Authored-By: Dakkar <dakkar@thenautilus.net>

* fix: primitive 2: acceptance of cross-origin alternate

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 3: validation of non-final url

* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities

* fix: primitives 5 & 8: reject activities with non
string identifiers

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 6: reject anonymous objects that were fetched by their id

* fix: primitives 9, 10 & 11: http signature validation
doesn't enforce required headers or specify auth header name

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections

* fix: code style for primitive 14

* fix: primitive 15: improper same-origin validation for
note uri and url

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 16: improper same-origin validation for user uri and url

* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array

* fix: code style for primitive 17

* fix: check attribution against actor in notes

While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.

* fix: primitive 18: `ap/get` bypasses access checks

One might argue that we could make this one actually preform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.

* fix: primitive 19 & 20: respect blocks and hide more

Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.

* fix: primitives 21, 22, and 23: reuse resolver

This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher that it previously would and could possibly
fail on non-malicious collection activities.

* fix: primitives 25-33: proper local instance checks

* revert: fix: primitive 19 & 20

This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.

---------

Co-authored-by: Dakkar <dakkar@thenautilus.net>
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
2024-11-21 08:20:09 +09:00
.config fix: 初期パスワードをコメントアウト (#14682) 2024-10-03 21:01:09 +09:00
.devcontainer update node to 22.11.0 (#14869) 2024-11-13 19:43:36 +09:00
.github chore(deps): bump codecov/codecov-action from 4 to 5 (#14961) 2024-11-15 17:32:28 +09:00
.okteto ok-to-test with okteto (#8799) 2022-06-09 00:50:23 +09:00
.vscode fix(dev): vscode-jest: Deprecated: Please use jest.runMode instead. 2024-03-14 17:42:30 +09:00
assets cleanup: trim trailing whitespace (#11136) 2023-07-08 07:08:16 +09:00
chart Misskey® Reactions Buffering Technology™ (#14579) 2024-09-20 21:03:53 +09:00
cypress fix: signin の資格情報が足りないだけの場合はエラーにせず200を返すように (#14700) 2024-10-05 12:03:47 +09:00
fluent-emojis@cae981eb4c feat: introduce fluent emoji 2022-12-26 16:04:56 +09:00
idea refactor(frontend): prefix css variables (#14725) 2024-10-09 18:08:14 +09:00
locales New Crowdin updates (#15000) 2024-11-21 08:01:42 +09:00
packages Merge commit from fork 2024-11-21 08:20:09 +09:00
scripts update deps (#14950) 2024-11-15 17:22:00 +09:00
.dockerignore refactor: misskey-assetsサブモジュールを削除 (#12818) 2024-07-18 01:47:11 +09:00
.dockleignore fix: aptのキャッシュを削除しないようにする (#9803) 2023-02-05 14:15:59 +09:00
.editorconfig cleanup: trim trailing whitespace (#11136) 2023-07-08 07:08:16 +09:00
.gitattributes 改行コードをLFに統一 (#9926) 2023-02-14 13:13:34 +09:00
.gitignore Update .gitignore 2024-11-16 15:32:51 +09:00
.gitmodules refactor: misskey-assetsサブモジュールを削除 (#12818) 2024-07-18 01:47:11 +09:00
.node-version update node to 22.11.0 (#14869) 2024-11-13 19:43:36 +09:00
.npmrc fix: .npmrcによりpackage.json記載のnodeバージョンに満たない場合はビルドに失敗するようにする (#12755) 2023-12-23 15:32:31 +09:00
.vsls.json Add .vsls.json 2018-08-13 00:24:45 +09:00
CHANGELOG.md Fix: リノートミュートが新規投稿通知に対して作用していなかった問題を修正 (#15006) 2024-11-21 08:00:50 +09:00
CODE_OF_CONDUCT.md docs: Update Code of Conduct to version 2.1 (#12150) 2023-11-13 16:52:54 +09:00
codecov.yml Update codecov.yml 2023-02-26 14:17:29 +09:00
compose_example.yml enhance(backend): Load settings via environment variables (#14179) 2024-07-14 21:33:22 +09:00
compose.local-db.yml chore(docker-compose): 推奨の名前にする (#14096) 2024-06-28 11:16:12 +09:00
CONTRIBUTING.md Update CONTRIBUTING.md 2024-11-17 17:33:50 +09:00
COPYING 2024 2024-01-01 00:30:56 +09:00
crowdin.yml ドキュメントをmisskey-hubに移行 2021-11-05 16:18:52 +09:00
cypress.config.ts update cypress 2022-06-11 15:53:45 +09:00
Dockerfile update node to 22.11.0 (#14869) 2024-11-13 19:43:36 +09:00
healthcheck.sh feat(backend): add /healthz endpoint (#13834) 2024-05-23 15:19:52 +09:00
LICENSE Use AGPLv3 2018-03-28 22:56:28 +09:00
package.json Bump version to 2024.11.0-alpha.2 2024-11-19 03:56:50 +00:00
pnpm-lock.yaml use execa 8.0.1 2024-11-15 19:48:31 +09:00
pnpm-workspace.yaml feat(frontend): ノート・ユーザータイムライン埋め込み (#13929) 2024-09-09 20:57:36 +09:00
Procfile Create Procfile 2019-04-05 18:17:30 +09:00
README.md Update README.md for Sentry 2024-05-31 20:42:02 +09:00
ROADMAP.md Update ROADMAP.md 2024-01-04 08:44:38 +09:00
SECURITY.md Update SECURITY.md 2024-11-17 17:35:27 +09:00

Misskey logo

🌎 Misskey is an open source, federated social media platform that's free forever! 🚀

Learn more


find an instance create an instance become a contributor join the community become a patron

Thanks

Sentry

Thanks to Sentry for providing the error tracking platform that helps us catch unexpected errors.

Chromatic

Thanks to Chromatic for providing the visual testing platform that helps us review UI changes and catch visual regressions.

Codecov

Thanks to Codecov for providing the code coverage platform that helps us improve our test coverage.

Crowdin

Thanks to Crowdin for providing the localization platform that helps us translate Misskey into many languages.

Docker

Thanks to Docker for providing the container platform that helps us run Misskey in production.