Hazelnoot
d8908ef2d8
merge upstream
2025-03-25 16:14:53 -04:00
Hazelnoot
5182f17d32
implement replies collection for posts
2025-03-19 09:52:55 -04:00
syuilo
6c8f21b608
fix(backend): 連合無しモードでも外部から照会可能だった問題を修正
2025-03-17 13:21:09 +09:00
Hazelnoot
a35c2f214b
convert Authorized Fetch to a setting and add support for hybrid mode (essential metadata only)
2025-03-16 10:07:57 -04:00
かっこかり
83c3bb839f
deps: update pnpm to v10 ( #15588 )
...
* Revert "fix(build): corepackのバグの回避 (#15387 )"
This reverts commit 9c70a4e631 .
* deps: update pnpm to v10
* fix broken lockfile
* update changelog
* fix
* fix
* Revert "fix"
This reverts commit 4abc6c194edc20989f5ec97d343307a4b8c9047d.
* fix
* fix
* attempt to fix docker build
* lint fixes
* fix: revertしすぎた
* detect pnpm version and install it
* fix: そもそもpnpmを2回入れる必要がないかも
* fix
* refactor
* fix
* refactor: remove unnecessary arg
* Update Dockerfile
* update pnpm to v10.6.1
* Update Changelog
* chore: use node to avoid installing jq
2025-03-07 07:03:52 +00:00
Marie
995ba34aa4
fix: use toLowerCase() to make sure usernameLower matches while compared to request with possibly capitalization
2025-03-06 02:37:07 +00:00
Hazelnoot
6c2034a373
append default CW when rendering AP Note objects
2025-02-16 19:20:41 -05:00
Hazelnoot
7e1b4b259a
Merge branch 'develop' into merge/2024-02-03
...
# Conflicts:
# packages/backend/src/server/ActivityPubServerService.ts
# pnpm-lock.yaml
2025-02-08 13:16:37 -05:00
Hazelnoot
b171c1c440
move imports to fix git diff in ActivityPubServerService.ts
2025-02-05 11:20:26 -05:00
Hazelnoot
09669d72e7
lookup and cache rate limit factors directly within SkRateLimiterService
2025-02-05 11:20:25 -05:00
Hazelnoot
980ea858f2
fix import order in ActivityPubServerService.ts
2025-02-04 10:38:50 -05:00
Hazelnoot
a4e86758c1
merge upstream 2025-02-03
2025-02-03 14:36:09 -05:00
かっこかり
55713fcd65
fix(backend): apOrHtml Constraintが正しく評価されない問題を修正 ( #15213 )
...
* fix(backend/ActivityPubServerService): apOrHtml Constraintが正しく評価されない問題を修正 (MisskeyIO#869)
* Update Changelog
* indent
---------
Co-authored-by: あわわわとーにゅ <17376330+u1-liquid@users.noreply.github.com >
2025-01-08 10:35:09 +00:00
dakkar
56563d8dc4
fix lints
2024-11-22 13:11:16 +00:00
dakkar
bc816cb166
Merge tag '2024.11.0' into feature/2024.10
2024-11-22 12:29:04 +00:00
Laura Hausmann
9ab25ede28
fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name
2024-11-20 19:17:24 -05:00
Julia
5f675201f2
Merge commit from fork
...
* enhance: Add a few validation fixes from Sharkey
See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484
Co-Authored-By: Dakkar <dakkar@thenautilus.net >
* fix: primitive 2: acceptance of cross-origin alternate
Co-Authored-By: Laura Hausmann <laura@hausmann.dev >
* fix: primitive 3: validation of non-final url
* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities
* fix: primitives 5 & 8: reject activities with non
string identifiers
Co-Authored-By: Laura Hausmann <laura@hausmann.dev >
* fix: primitive 6: reject anonymous objects that were fetched by their id
* fix: primitives 9, 10 & 11: http signature validation
doesn't enforce required headers or specify auth header name
Co-Authored-By: Laura Hausmann <laura@hausmann.dev >
* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections
* fix: code style for primitive 14
* fix: primitive 15: improper same-origin validation for
note uri and url
Co-Authored-By: Laura Hausmann <laura@hausmann.dev >
* fix: primitive 16: improper same-origin validation for user uri and url
* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array
* fix: code style for primitive 17
* fix: check attribution against actor in notes
While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.
* fix: primitive 18: `ap/get` bypasses access checks
One might argue that we could make this one actually preform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.
* fix: primitive 19 & 20: respect blocks and hide more
Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.
* fix: primitives 21, 22, and 23: reuse resolver
This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher that it previously would and could possibly
fail on non-malicious collection activities.
* fix: primitives 25-33: proper local instance checks
* revert: fix: primitive 19 & 20
This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.
---------
Co-authored-by: Dakkar <dakkar@thenautilus.net >
Co-authored-by: Laura Hausmann <laura@hausmann.dev >
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com >
2024-11-21 08:20:09 +09:00
momoirodouhu
a4c5ce1413
enhance(backend) : リモートユーザーの照会をオリジナルにリダイレクトするように ( #12892 ) ( #14897 )
...
* enhance(backend) : リモートユーザーの照会をオリジナルにリダイレクトするように (#12892 )
* オリジンリダイレクトのテストをtodoとして追加。
e2eテストにリモートユーザー考慮のテストがなさそうなので。
次のコマンドで動くことは確認済みです。
curl "http://localhost:3000/@foo@bar " -H "accept: application/activity+json" -L
* Acctのパースを既存のパーサーでするように修正
* lint
2024-11-09 10:54:44 +09:00
Hazelnoot
27b502fab5
normalize re-fetch logic between InboxProcessorService and ActivityPubServerService
2024-10-26 10:40:15 -04:00
dakkar
98f1f30e72
fix "federation allowed" check in our code
2024-10-12 09:35:45 +01:00
dakkar
ee439f9c7f
remove MetaService from ActivityPubServerService
2024-10-09 17:07:43 +01:00
dakkar
11e3c95026
replace isBlockedHost with isFederationAllowedHost
2024-10-09 16:39:24 +01:00
syuilo
337b42bcb1
revert 5f88d56d96
...
バグがある(かつすぐに修正できそうにない) & まだレビュー途中で意図せずマージされたため
2024-07-20 21:33:20 +09:00
tamaina
5f88d56d96
perf(federation): Ed25519署名に対応する ( #13464 )
...
* 1. ed25519キーペアを発行・Personとして公開鍵を送受信
* validate additionalPublicKeys
* getAuthUserFromApIdはmainを選ぶ
* ✌️
* fix
* signatureAlgorithm
* set publicKeyCache lifetime
* refresh
* httpMessageSignatureAcceptable
* ED25519_SIGNED_ALGORITHM
* ED25519_PUBLIC_KEY_SIGNATURE_ALGORITHM
* remove sign additionalPublicKeys signature requirements
* httpMessageSignaturesSupported
* httpMessageSignaturesImplementationLevel
* httpMessageSignaturesImplementationLevel: '01'
* perf(federation): Use hint for getAuthUserFromApId (#13470 )
* Hint for getAuthUserFromApId
* とどのつまりこれでいいのか?
* use @misskey-dev/node-http-message-signatures
* fix
* signedPost, signedGet
* ap-request.tsを復活させる
* remove digest prerender
* fix test?
* fix test
* add httpMessageSignaturesImplementationLevel to FederationInstance
* ManyToOne
* fetchPersonWithRenewal
* exactKey
* ✌️
* use const
* use gen-key-pair fn. from '@misskey-dev/node-http-message-signatures'
* update node-http-message-signatures
* fix
* @misskey-dev/node-http-message-signatures@0.0.0-alpha.11
* getAuthUserFromApIdでupdatePersonの頻度を増やす
* cacheRaw.date
* use requiredInputs
https://github.com/misskey-dev/misskey/pull/13464#discussion_r1509964359
* update @misskey-dev/node-http-message-signatures
* clean up
* err msg
* fix(backend): fetchInstanceMetadataのLockが永遠に解除されない問題を修正
Co-authored-by: まっちゃとーにゅ <17376330+u1-liquid@users.noreply.github.com >
* fix httpMessageSignaturesImplementationLevel validation
* fix test
* fix
* comment
* comment
* improve test
* fix
* use Promise.all in genRSAAndEd25519KeyPair
* refreshAndprepareEd25519KeyPair
* refreshAndfindKey
* commetn
* refactor public keys add
* digestプリレンダを復活させる
RFC実装時にどうするか考える
* fix, async
* fix
* !== true
* use save
* Deliver update person when new key generated (not tested)
https://github.com/misskey-dev/misskey/pull/13464#issuecomment-1977049061
* 循環参照で落ちるのを解消?
* fix?
* Revert "fix?"
This reverts commit 0082f6f8e8c5d5febd14933ba9a1ac643f70ca92.
* a
* logger
* log
* change logger
* 秘密鍵の変更は、フラグではなく鍵を引き回すようにする
* addAllKnowingSharedInboxRecipe
* nanka meccha kaeta
* delivre
* キャッシュ有効チェックはロック取得前に行う
* @misskey-dev/node-http-message-signatures@0.0.3
* PrivateKeyPem
* getLocalUserPrivateKey
* fix test
* if
* fix ap-request
* update node-http-message-signatures
* fix type error
* update package
* fix type
* update package
* retry no key
* @misskey-dev/node-http-message-signatures@0.0.8
* fix type error
* log keyid
* logger
* db-resolver
* JSON.stringify
* HTTP Signatureがなかったり使えなかったりしそうな場合にLD Signatureを活用するように
* inbox-delayed use actor if no signature
* ユーザーとキーの同一性チェックはhostの一致にする
* log signature parse err
* save array
* とりあえずtryで囲っておく
* fetchPersonWithRenewalでエラーが起きたら古いデータを返す
* use transactionalEntityManager
* fix spdx
* @misskey-dev/node-http-message-signatures@0.0.10
* add comment
* fix
* publicKeyに配列が入ってもいいようにする
https://github.com/misskey-dev/misskey/pull/13950
* define additionalPublicKeys
* fix
* merge fix
* refreshAndprepareEd25519KeyPair → refreshAndPrepareEd25519KeyPair
* remove gen-key-pair.ts
* defaultMaxListeners = 512
* Revert "defaultMaxListeners = 512"
This reverts commit f2c412c18057a9300540794ccbe4dfbf6d259ed6.
* genRSAAndEd25519KeyPairではキーを直列に生成する?
* maxConcurrency: 8
* maxConcurrency: 16
* maxConcurrency: 8
* Revert "genRSAAndEd25519KeyPairではキーを直列に生成する?"
This reverts commit d0aada55c1ed5aa98f18731ec82f3ac5eb5a6c16.
* maxWorkers: '90%'
* Revert "maxWorkers: '90%'"
This reverts commit 9e0a93f110456320d6485a871f014f7cdab29b33.
* e2e/timelines.tsで個々のテストに対するtimeoutを削除, maxConcurrency: 32
* better error handling of this.userPublickeysRepository.delete
* better comment
* set result to keypairEntityCache
* deliverJobConcurrency: 16, deliverJobPerSec: 1024, inboxJobConcurrency: 4
* inboxJobPerSec: 64
* delete request.headers['host'];
* fix
* // node-fetch will generate this for us. if we keep 'Host', it won't change with redirects!
* move delete host
* modify comment
* modify comment
* fix correct → collect
* refreshAndfindKey → refreshAndFindKey
* modify comment
* modify attachLdSignature
* getApId, InboxProcessorService
* TODO
* [skip ci] add CHANGELOG
---------
Co-authored-by: MeiMei <30769358+mei23@users.noreply.github.com >
Co-authored-by: まっちゃとーにゅ <17376330+u1-liquid@users.noreply.github.com >
2024-07-18 01:28:17 +09:00
dakkar
4fe8a26081
Merge remote-tracking branch 'misskey/develop' into future-2024-04-25
2024-04-25 11:44:24 +01:00
zyoshoka
8c5d9a6295
fix(backend): incorrect logic for determining whether Quote or not ( #13700 )
...
* fix(backend): incorrect logic for determining whether Quote or not
* Update CHANGELOG.md
---------
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com >
2024-04-14 10:23:48 +09:00
Marie
10bfc61670
merge: upstream
2024-02-19 10:47:42 +01:00
tamaina
c1514ce91d
(re) update SPDX-FileCopyrightText
...
Fix #13290
2024-02-13 15:59:27 +00:00
tamaina
311c2172d7
Revert "update SPDX-FileCopyrightText"
...
This reverts commit 9b5aeb76d8 .
2024-02-13 15:50:11 +00:00
syuilo
9b5aeb76d8
update SPDX-FileCopyrightText
2024-02-12 11:37:45 +09:00
Marie
db012fc8c3
merge: upstream (1)
2024-01-21 13:11:23 +01:00
かっこかり
fb309f3d4f
return a Vary: Accept header for all dual-format endpoints #365 ( #13044 )
...
`/users/:user`, `/@:user`, `/notes/:note` return different responses
depending on the request's `Accept:` header. If we don't consistently
return a `Vary: Accept` header, browsers and caching proxies will get
confused, and return AP representations when HTML was requested, or
vice versa.
Co-authored-by: dakkar <dakkar@thenautilus.net >
Co-authored-by: syuilo <Syuilotan@yahoo.co.jp >
2024-01-21 18:14:42 +09:00
dakkar
9d939bcc49
authorised fetch: log more details
...
this will help debugging problems in the implementation; thanks to
@ShittyKopper for the suggestion
2024-01-08 18:54:01 +00:00
dakkar
61c193c08f
lint
2023-12-31 16:17:45 +00:00
dakkar
6d5d3d9ea1
auth-fetch: ask to never cache responses
...
I could have factored out all the lines that set cache headers, but
that would have made future merges even more complicated ☹
thanks ShittyCopper for reporting the problem!
2023-12-31 13:27:38 +00:00
dakkar
a3dd61dec4
fix logging
2023-12-23 21:27:48 +00:00
dakkar
e6c02909c7
fix typo
...
thanks @Marie
2023-12-23 20:11:53 +00:00
dakkar
477cda0b63
authorized fetch: log when things go wrong
2023-12-23 15:26:42 +00:00
dakkar
1984416e3e
authorized fetch: let /@instance.actor through
...
this is probably never actually used, but it still looks like a good
idea (also, FireFish does it)
thanks @ShittyKoper for noticing!
2023-12-23 15:26:42 +00:00
dakkar
e5ea882ed7
authorized fetch #217
...
the implementation is copied from the other places we already check
HTTP signatures, and cross-checked with Firefish's implementation
2023-12-23 15:26:42 +00:00
zawa-ch
4e2d802967
enhance: “つながりの公開範囲”がフォロー・フォロワー個別設定できるように ( #12702 )
...
* Enhance: “つながりの公開範囲”がフォロー・フォロワー個別設定できるように (#12072 )
* refactor: crowdin 編集部分のコミットを打ち消し
https://github.com/misskey-dev/misskey/pull/12702#issuecomment-1859417158
* refactor: オブジェクトの名前修正
https://github.com/misskey-dev/misskey/pull/12702#issuecomment-1859417158
* fix: 設定項目の説明を削除
名称が具体的になって必要なくなったため
https://github.com/misskey-dev/misskey/pull/12702#discussion_r1429932463
2023-12-18 20:59:20 +09:00
syuilo
9f49b9f4d2
fix(backend): HTTP Digestヘッダのアルゴリズム部分に大文字の"SHA-256"しか使えない
...
Fix #12678
2023-12-16 10:58:44 +09:00
woxtu
5cc3d3c873
Remove an unnecessary type assertion ( #12666 )
2023-12-15 11:22:49 +09:00
MeiMei
238e8ce939
fix: Filter featured collection ( #12541 )
2023-12-02 19:32:30 +09:00
Jaehong Kang
04075ee0be
enhance(backend): Implementation of HTTP header and body validation to fix SIF-2023-002 ( #12334 )
...
Using Buffer instead of string
Co-authored-by: perillamint <perillamint@silicon.moe >
2023-11-15 11:13:34 +09:00
syuilo
65c5626b65
Merge pull request from GHSA-3f39-6537-3cgc
...
This commit implements HTTP header and body validation to fix
[SIF-2023-002](https://advisory.silicon.moe/advisory/sif-2023-002/ )
Signed-off-by: perillamint <perillamint@silicon.moe >
Co-authored-by: perillamint <perillamint@silicon.moe >
Co-authored-by: yunochi <yuno@yunochi.com >
2023-11-14 17:09:45 +09:00
anatawa12
7015cc937b
fix(backend): We can renote pure renote ( #12171 )
...
* chore: make pure renote detection an function
* fix: we can renote pure renote
* docs(changelog): リノートをリノートできるのを修正
* fix: remaining debug log
* chore: move isPureRenote to misc
* chore: make isPureRenote type guard
* chore: use isPureRenote in other places
* fix CHANGELOG
* style: fix lint
---------
Co-authored-by: syuilo <Syuilotan@yahoo.co.jp >
2023-10-30 13:48:22 +09:00
syuilo
4f20c87186
lint fixes
2023-10-09 13:32:41 +09:00
syuilo
053da10e94
refactor(backend): update directory structure for models
2023-09-20 11:33:36 +09:00
syuilo
6cf466e5d1
update deps ( #11820 )
...
* update deps
* fix
* wip
* wip
* wip
* Update docker-compose.yml.example
* Delete reviewer-lottery.yml
* Update RepositoryModule.ts
* wip
* wip
* clean up
* update deps
* wip
* wip
2023-09-15 14:28:29 +09:00