Commit graph

15728 commits

Author SHA1 Message Date
floatingghost
72af38c0e9 Merge pull request 'migrate CI config to v2' (#785) from woodpecker-v2 into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/785
2024-05-27 03:32:40 +00:00
Floatingghost
ae19fd90c9 use elixir 1.16 for format checks 2024-05-27 04:07:44 +01:00
Floatingghost
66b3248dd3 mix tests probably shouldn't be async 2024-05-27 04:03:13 +01:00
Floatingghost
73ead8656a don't allow emoji formatter to be async 2024-05-27 03:25:18 +01:00
Floatingghost
f32a7fd76a arch is aarch64 now 2024-05-27 03:02:02 +01:00
Floatingghost
4078fd655c migrate CI config to v2 2024-05-27 02:56:05 +01:00
floatingghost
5bdef8c724 Merge pull request 'Allow for attachment to be a single object in user data' (#783) from single-attachment into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/783
2024-05-27 01:44:53 +00:00
floatingghost
cdc918c8f1 Merge pull request 'Document AP and nodeinfo extensions' (#778) from Oneric/akkoma:doc_ap-extensions into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/778
2024-05-27 01:34:58 +00:00
Floatingghost
f15eded3e1 Add extra test case for nonsense field, increase timeouts 2024-05-27 02:09:48 +01:00
Oneric
05eda169fe Document AP and nodeinfo extensions
And while add it point to this via a top-level
FEDERATION.md document as standardised by FEP-67ff.

Also add a few missing descriptions to the config cheatsheet
and move the recently removed C2S extension into an appropiate
subsection.
2024-05-26 19:04:06 +02:00
floatingghost
3ce855cbde Merge pull request 'Fix Exiftool stderr being read as an image description' (#782) from norm/akkoma:fix-exiftool-description into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/782
2024-05-26 16:11:12 +00:00
Floatingghost
da67e69af5 Allow for attachment to be a single object in user data 2024-05-26 17:09:26 +01:00
Norm
c2d3221be3 Fix Exiftool stderr being read as an image description
Fixes: https://akkoma.dev/AkkomaGang/akkoma/issues/773
2024-05-23 14:44:17 -04:00
Floatingghost
5e92f955ac bump version 2024-05-22 19:42:25 +01:00
Floatingghost
b72127b45a Merge remote-tracking branch 'oneric-sec/media-owner' into develop 2024-05-22 19:36:10 +01:00
Oneric
9a91299f96 Don't try to handle non-media objects as media
Trying to display non-media as media crashed the renderer,
but when posting a status with a valid, non-media object id
the post was still created, but then crashed e.g. timeline rendering.
It also crashed C2S inbox reads, so this could not be used to leak
private posts.
2024-05-22 20:30:23 +02:00
Oneric
fbd961c747 Drop activity_type override for uploads
Afaict this was never used, but keeping this (in theory) possible
hinders detecting which objects are actually media uploads and
which proper ActivityPub objects.

It was originally added as part of upload support itself in
02d3dc6869 without being used
and `git log -S:activity_type` and `git log -Sactivity_type:`
don't find any other commits using this.
2024-05-22 20:30:23 +02:00
Oneric
0c2b33458d Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)

Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.

E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:

  17.465.096  at  t0
  17.472.673  at  t1 = t0 + 4h
  17.473.248  at  t2 = t1 + 20min

This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.

Thus restrict media usage to owners.

Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.

Independently discovered and fixed by mint in Pleroma
1afde067b1
2024-05-22 20:30:18 +02:00
Floatingghost
842cac2a50 ensure we mock_global 2024-05-22 19:30:03 +01:00
Lain Soykaf
3e1f5e5372 WebFingerControllerTest: Restore host after test. 2024-05-22 19:27:51 +01:00
marcin mikołajczak
3a21293970 Fix tests
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2024-05-22 19:27:31 +01:00
marcin mikołajczak
0d66237205 Fix validate_webfinger when running a different domain for Webfinger
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
2024-05-22 19:20:02 +01:00
Oneric
6ef6b2a289 Apply rate limits to status updates 2024-05-22 20:18:08 +02:00
Oneric
94e9c8f48a Purge unused media description update on post
In MastoAPI media descriptions are updated via the
media update API not upon post creation or post update.

This functionality was originally added about 6 years ago in
ba93396649 which was part of
https://git.pleroma.social/pleroma/pleroma/-/merge_requests/626 and
https://git.pleroma.social/pleroma/pleroma-fe/-/merge_requests/450.
They introduced image descriptions to the front- and backend,
but predate adoption of Mastodon API.

For a while adding an `descriptions` array on post creation might have
continued to work as an undocumented Pleroma extension to Masto API, but
at latest when OpenAPI specs were added for those endpoints four years
ago in 7803a85d2c, these codepaths ceased
to be used. The API specs don’t list a `descriptions` parameter and
any unknown parameters are stripped out.

The attachments_from_ids function is only called from
ScheduledActivity and ActivityDraft.create with the latter
only being called by CommonAPI.{post,update} whihc in turn
are only called from ScheduledActivity again, MastoAPI controller
and without any attachment or description parameter WelcomeMessage.
Therefore no codepath can contain a descriptions parameter.
2024-05-22 20:18:08 +02:00
Oneric
873aa9da1c activity_draft: mark new/2 as private 2024-05-22 20:18:08 +02:00
Oneric
34a48cb87f scheduled_activity: mark private functions as private
And remove unused due_activities/1
2024-05-22 20:18:08 +02:00
lain
50403351f4 add impostor test for webfinger 2024-05-22 19:17:34 +01:00
Alex Gleason
a953b1d927 Prevent spoofing webfinger 2024-05-22 19:08:37 +01:00
Norm
bb29c5bed2 Update tor/i2p guide
Direct users to add in the appropriate headers and update the listening
port instead of copy/pasting a config that's already outdated and
probably would otherwise have to be synced with the main example nginx
config.
2024-05-16 19:08:02 -04:00
Norm
bc46f3da4c Update mediaproxy howto
Since the configuration options on the nginx side already exist in the
sample config, there's no need to tell users to copy-paste those
settings in again.
2024-05-16 19:06:59 -04:00
Norm
7e709768c3 Use /var/tmp for media cache path in apache/nginx configs
The /var/tmp directory is not mounted as tmpfs unlike /tmp which is
mounted as such on some distros like Fedora or Arch. Since there isn't
really a benefit to having the cache on tmpfs, this change should allow
for a larger cache if needed without worrying about running out of RAM.
2024-05-15 20:42:48 -04:00
floatingghost
76ded10a70 Merge pull request 'Backoff on HTTP requests when 429 is recieved' (#762) from backoff-http into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/762
2024-05-11 04:38:47 +00:00
Floatingghost
4457928e32 duct-tape fix for #438
we really need to make this less manual
2024-05-11 05:30:18 +01:00
floatingghost
ee03149ba1 Merge pull request 'Fix Exiftool migration id' (#763) from Oneric/akkoma:fix-migration-timeline-exifdesc into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/763
2024-05-06 22:51:05 +00:00
Floatingghost
ea6bc8a7c5 add a test for 503-rate-limiting 2024-05-06 23:36:00 +01:00
Floatingghost
bd74693db6 additionally support retry-after values 2024-05-06 23:34:48 +01:00
Oneric
5256678901 Fix Exiftool migration id
Applying works fine with a 20220220135625 version, but it won’t be
rolled back in the right order. Fortunately this action is idempotent
so we can just rename and reapply it with a new id.

To also not break large-scale rollbacks past 2022 for anyone
who already applied it with the old id, keep a stub migration.
2024-05-07 00:16:21 +02:00
floatingghost
fdeecc7b4c Merge pull request 'Update clients list in docs' (#761) from norm/akkoma:docs-clients-update into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/761
2024-05-06 21:33:26 +00:00
floatingghost
51482c4fe8 Merge pull request 'Remove remaining Dokku files' (#766) from norm/akkoma:remove-dokku into develop
Reviewed-on: https://akkoma.dev/AkkomaGang/akkoma/pulls/766
2024-05-06 21:33:16 +00:00
Oneric
b7e3d44756 Drop unused indices
This promotes and expands our existing optional migration.
Based on usage statistics from several instances, see:
https://akkoma.dev/AkkomaGang/akkoma/issues/764

activities_hosts is now retained after all since it’s essential
for the "instance" query parameter of *oma’s public timeline to
reliably work in a reasonable amount of time. (Although akkoma-fe has
no support for this feature and apparently barely anyone uses it.)

activities_actor_index was already dropped before in
20221211234352_remove_unused_indices; no need to drop it again.

Birthday indices were introduced in pleroma starting with
20220116183110_add_birthday_to_users which is past the
last common migration 20210416051708.
2024-05-02 00:08:33 +02:00
Norm
8ae54b260a Remove remaining Dokku files 2024-04-29 13:45:58 -04:00
Floatingghost
21a81e1111 version bump with translations 2024-04-27 15:10:52 +01:00
Floatingghost
3738ab67bd Merge remote-tracking branch 'origin/translations' into develop 2024-04-27 15:10:23 +01:00
Floatingghost
7038b60ab5 bump version 2024-04-27 15:08:21 +01:00
Norm
549d580054 Add Enafore to clients list 2024-04-26 15:21:58 -04:00
Floatingghost
010e8c7bb2 where were you when lint fail 2024-04-26 19:28:01 +01:00
Floatingghost
9671cdecdf changelog entry 2024-04-26 19:10:17 +01:00
Floatingghost
f531484063 Merge branch 'develop' into backoff-http 2024-04-26 19:06:18 +01:00
Floatingghost
ec7e9da734 Correct ttl syntax for new cachex 2024-04-26 19:05:12 +01:00
FloatingGhost
3c384c1b76 Add ratelimit backoff to HTTP get 2024-04-26 19:01:12 +01:00