5f675201f2
* enhance: Add a few validation fixes from Sharkey See the original MR on the GitLab instance: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484 Co-Authored-By: Dakkar <dakkar@thenautilus.net> * fix: primitive 2: acceptance of cross-origin alternate Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 3: validation of non-final url * fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities * fix: primitives 5 & 8: reject activities with non string identifiers Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 6: reject anonymous objects that were fetched by their id * fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections * fix: code style for primitive 14 * fix: primitive 15: improper same-origin validation for note uri and url Co-Authored-By: Laura Hausmann <laura@hausmann.dev> * fix: primitive 16: improper same-origin validation for user uri and url * fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array * fix: code style for primitive 17 * fix: check attribution against actor in notes While this isn't strictly required to fix the exploits at hand, this mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a preemptive countermeasure. * fix: primitive 18: `ap/get` bypasses access checks One might argue that we could make this one actually preform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else. * fix: primitive 19 & 20: respect blocks and hide more Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked. * fix: primitives 21, 22, and 23: reuse resolver This also increases the default `recursionLimit` for `Resolver`, as it theoretically will go higher that it previously would and could possibly fail on non-malicious collection activities. * fix: primitives 25-33: proper local instance checks * revert: fix: primitive 19 & 20 This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c. --------- Co-authored-by: Dakkar <dakkar@thenautilus.net> Co-authored-by: Laura Hausmann <laura@hausmann.dev> Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com> |
||
---|---|---|
.config | ||
.devcontainer | ||
.github | ||
.okteto | ||
.vscode | ||
assets | ||
chart | ||
cypress | ||
fluent-emojis@cae981eb4c | ||
idea | ||
locales | ||
packages | ||
scripts | ||
.dockerignore | ||
.dockleignore | ||
.editorconfig | ||
.gitattributes | ||
.gitignore | ||
.gitmodules | ||
.node-version | ||
.npmrc | ||
.vsls.json | ||
CHANGELOG.md | ||
CODE_OF_CONDUCT.md | ||
CONTRIBUTING.md | ||
COPYING | ||
Dockerfile | ||
LICENSE | ||
Procfile | ||
README.md | ||
ROADMAP.md | ||
SECURITY.md | ||
codecov.yml | ||
compose.local-db.yml | ||
compose_example.yml | ||
crowdin.yml | ||
cypress.config.ts | ||
healthcheck.sh | ||
package.json | ||
pnpm-lock.yaml | ||
pnpm-workspace.yaml |
README.md
Thanks
Thanks to Sentry for providing the error tracking platform that helps us catch unexpected errors.
Thanks to Chromatic for providing the visual testing platform that helps us review UI changes and catch visual regressions.
Thanks to Codecov for providing the code coverage platform that helps us improve our test coverage.
Thanks to Crowdin for providing the localization platform that helps us translate Misskey into many languages.
Thanks to Docker for providing the container platform that helps us run Misskey in production.