Commit graph

205 commits

Author SHA1 Message Date
9a91299f96 Don't try to handle non-media objects as media
Trying to display non-media as media crashed the renderer,
but when posting a status with a valid, non-media object id
the post was still created, but then crashed e.g. timeline rendering.
It also crashed C2S inbox reads, so this could not be used to leak
private posts.
2024-05-22 20:30:23 +02:00
0c2b33458d Restrict media usage to owners
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)

Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.

E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:

  17.465.096  at  t0
  17.472.673  at  t1 = t0 + 4h
  17.473.248  at  t2 = t1 + 20min

This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.

Thus restrict media usage to owners.

Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.

Independently discovered and fixed by mint in Pleroma
1afde067b1
2024-05-22 20:30:18 +02:00
94e9c8f48a Purge unused media description update on post
In MastoAPI media descriptions are updated via the
media update API not upon post creation or post update.

This functionality was originally added about 6 years ago in
ba93396649 which was part of
https://git.pleroma.social/pleroma/pleroma/-/merge_requests/626 and
https://git.pleroma.social/pleroma/pleroma-fe/-/merge_requests/450.
They introduced image descriptions to the front- and backend,
but predate adoption of Mastodon API.

For a while adding an `descriptions` array on post creation might have
continued to work as an undocumented Pleroma extension to Masto API, but
at latest when OpenAPI specs were added for those endpoints four years
ago in 7803a85d2c, these codepaths ceased
to be used. The API specs don’t list a `descriptions` parameter and
any unknown parameters are stripped out.

The attachments_from_ids function is only called from
ScheduledActivity and ActivityDraft.create with the latter
only being called by CommonAPI.{post,update} whihc in turn
are only called from ScheduledActivity again, MastoAPI controller
and without any attachment or description parameter WelcomeMessage.
Therefore no codepath can contain a descriptions parameter.
2024-05-22 20:18:08 +02:00
98cb255d12 Support elixir1.15
Some checks failed
ci/woodpecker/push/build-amd64 Pipeline is pending
ci/woodpecker/push/build-arm64 Pipeline is pending
ci/woodpecker/push/docs Pipeline is pending
ci/woodpecker/push/test Pipeline is pending
ci/woodpecker/pr/test Pipeline failed
ci/woodpecker/pr/build-amd64 unknown status
ci/woodpecker/pr/build-arm64 unknown status
ci/woodpecker/pr/docs unknown status
OTP builds to 1.15

Changelog entry

Ensure policies are fully loaded

Fix :warn

use main branch for linkify

Fix warn in tests

Migrations for phoenix 1.17

Revert "Migrations for phoenix 1.17"

This reverts commit 6a3b2f15b7.

Oban upgrade

Add default empty whitelist

mix format

limit test to amd64

OTP 26 tests for 1.15

use OTP_VERSION tag

baka

just 1.15

Massive deps update

Update locale, deps

Mix format

shell????

multiline???

?

max cases 1

use assert_recieve

don't put_env in async tests

don't async conn/fs tests

mix format

FIx some uploader issues

Fix tests
2023-08-03 17:44:09 +01:00
tusooa
3095251e6c Dedupe poll options 2023-06-14 22:45:19 +00:00
ilja
b4952a81fe Interpret \n as newline for MFM
Markdown doesn't generally consider `\n` a newline,
but Misskey does for MFM.

Now we do to for MFM (and not for Markdown) :)
2023-02-18 19:56:11 +01:00
a8cd859ef9 Use actual ISO8601 timestamps for masto API (#425)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Some users post posts with spoofed timestamp, and some clients will have issues with certain dates. Tusky for example crashes if the date is any sooner than 1 BCE (“year zero” in the representation).

I limited the range of what is considered a valid date to be somewhere between the years 1583 and 9999 (inclusive).

The numbers have been chosen because:

- ISO 8601 only allows years before 1583 with “mutual agreement”
- Years after 9999 could cause issues with certain clients as well

Co-authored-by: Charlotte 🦝 Delenk <lotte@chir.rs>
Reviewed-on: #425
Co-authored-by: darkkirb <lotte@chir.rs>
Co-committed-by: darkkirb <lotte@chir.rs>
2023-01-09 22:12:28 +00:00
745e15468e Use same context for quote posts as the post that's being quoted (#379)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
See #350 (comment)

When making quotes through Mast-API, they will now have the same context as the quoted post. This also results in them being showed when fetching the thread. I checked Misskey to see how it's there, and they show the quotes there as well, see e.g. <https://mk.toast.cafe/notes/98u1g0tulg>.

An example from Akkoma:

Co-authored-by: ilja <git@ilja.space>
Reviewed-on: #379
Reviewed-by: floatingghost <hannah@coffee-and-dreams.uk>
Co-authored-by: ilja <akkoma.dev@ilja.space>
Co-committed-by: ilja <akkoma.dev@ilja.space>
2022-12-31 18:09:27 +00:00
9be6caf125 argon2 password hashing (#406)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #406
2022-12-30 02:46:58 +00:00
2641dcdd15 Post editing (#202)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Rebased from #103

Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: #202
2022-09-06 19:24:02 +00:00
e9f1897cfd parser MFM server-side (#172)
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending
Reviewed-on: #172
2022-08-18 03:14:48 +00:00
62e179f446 make conversation-id deterministic (#154)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Reviewed-on: #154
2022-08-06 20:59:15 +00:00
19a27ff006 allow small/center tags in misskeymarkdown (#132)
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Reviewed-on: #132
2022-08-01 12:46:52 +00:00
5ad256f170 [#58] pre-link MFM content (#59)
All checks were successful
ci/woodpecker/push/lint Pipeline was successful
ci/woodpecker/push/test Pipeline was successful
ci/woodpecker/push/release Pipeline was successful
Reviewed-on: #59
2022-07-10 17:06:25 +00:00
4fb2251221 Allow authoring MFM
Some checks failed
ci/woodpecker/push/release Pipeline was successful
ci/woodpecker/push/lint Pipeline failed
ci/woodpecker/push/test unknown status
2022-06-14 15:56:12 +01:00
Haelwenn
773708cfe8 Merge branch 'builder-note' into 'develop'
CommonAPI.Utils.make_note_data/1 --> ActivityPub.Builder.note/1

See merge request pleroma/pleroma!3511
2021-08-14 18:32:40 +00:00
Alex Gleason
a2eacfc525
CommonAPI.Utils.make_note_data/1 --> ActivityPub.Builder.note/1 2021-08-14 11:01:06 -05:00
Haelwenn (lanodan) Monnier
436fac3bac
maybe_notify_subscribers: Don't create notifications from ingested messages 2021-08-11 20:49:38 +02:00
Alex Gleason
b99f60615c Fix order of Pleroma.Web.Utils.Params aliases 2021-06-08 12:50:47 -05:00
Alex Gleason
ec65b7ae29 Pleroma.Web.Params --> Pleroma.Web.Utils.Params 2021-06-08 12:50:47 -05:00
Alex Gleason
0877b120c3 Pleroma.Web.ControllerHelper.truthy_param?/1 --> Pleroma.Web.Params.truthy_param?/1
Breaks cycle in lib/pleroma/web/api_spec/operations/status_operation.ex
2021-06-08 12:50:47 -05:00
Alex Gleason
c435de426d
Merge remote-tracking branch 'pleroma/develop' into cycles-constants 2021-06-01 11:33:11 -05:00
Alex Gleason
10dfe81479
Pleroma.Constants.as_local_public/0 --> Pleroma.Web.ActivityPub.Utils.as_local_public/0
Move as_local_public/0 to stop making modules depend on Web at compile-time
2021-05-31 13:39:15 -05:00
Alex Gleason
52fc59f125
Merge remote-tracking branch 'upstream/develop' into earmark 2021-04-30 13:17:03 -05:00
Alex Gleason
6727a3659f
Remove Pleroma.Formatter.minify/2 2021-04-30 12:27:06 -05:00
Haelwenn (lanodan) Monnier
3bc7d12271
Remove sensitive-property setting #nsfw, create HashtagPolicy 2021-02-27 21:26:17 +01:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
lain
e1e7e4d379 Object: Rework how Object.normalize works
Now it defaults to not fetching, and the option is named.
2021-01-04 13:38:31 +01:00
Haelwenn
3966add048 Revert "Merge branch 'features/hashtag-column' into 'develop'"
This reverts merge request !2824
2020-12-28 12:02:16 +00:00
Haelwenn (lanodan) Monnier
acb03d591b
Insert text representation of hashtags into object["hashtags"]
Includes a new mix task: pleroma.database fill_old_hashtags
2020-12-22 05:15:34 +01:00
Alex Gleason
f8c93246d6 Refactor Earmark code, fix tests 2020-12-11 17:22:42 -06:00
Alex Gleason
e9e17e5df3 Upgrade Earmark to v1.4.10 2020-12-11 17:22:17 -06:00
Egor Kislitsyn
af3f00292c
Fix formatting 2020-11-11 19:12:46 +04:00
Egor Kislitsyn
0118ccb53c
Add local visibility 2020-11-11 18:54:01 +04:00
minibikini
1bfd8528bb Merge branch 'develop' into 'feature/local-only-scope'
# Conflicts:
#   CHANGELOG.md
2020-10-27 18:59:19 +00:00
Egor Kislitsyn
2a475622ee
Add Pleroma.Constants.as_local_public/0 2020-10-15 19:07:00 +04:00
Egor Kislitsyn
4f79bbbc31
Add local-only statuses 2020-10-15 18:37:44 +04:00
Mark Felder
64553ebae2 Merge branch 'develop' into chore/elixir-1.11 2020-10-13 09:54:53 -05:00
Alexander Strizhakov
9f4fe5485b
alias alphabetically order 2020-10-13 16:43:59 +03:00
Alexander Strizhakov
c497558d43
AuthenticationPlug module name 2020-10-13 16:43:58 +03:00
Mark Felder
636c00037d Fix duplicate @doc entries 2020-10-07 09:58:45 -05:00
Haelwenn (lanodan) Monnier
82895a4012
SideEffects: port ones from ActivityPub.do_create and ActivityPub.insert 2020-07-15 11:40:23 +02:00
Mark Felder
d23804f191 Use the Pleroma.Config alias 2020-07-09 10:53:51 -05:00
lain
ee35bb5ac2 Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into remake-remodel-dms 2020-05-25 13:57:27 +02:00
rinpatch
7bc2ec0aa2 Merge branch 'mastodon-migration-compat' into 'develop'
Add compatibility routes for converted mastodon instances

Closes #1797

See merge request pleroma/pleroma!2572
2020-05-24 19:05:57 +00:00
Roman Chvanikov
5d60b25e69 Apply suggestion to lib/pleroma/web/common_api/utils.ex 2020-05-22 15:44:10 +00:00
Roman Chvanikov
cc82229ba7 Add filename_display_max_length config 2020-05-22 18:19:25 +03:00
lain
355aa3bdc7 ActivityPubController: Add Mastodon activity compat route. 2020-05-22 17:06:12 +02:00
lain
eb5f428565 CommonAPI: Change public->private implicit addressing.
This will not add the OP to the `to` field anymore when going from
public to private.
2020-05-20 13:38:47 +02:00
lain
3cff4e24cd Merge branch 'develop' of git.pleroma.social:pleroma/pleroma into remake-remodel-dms 2020-05-13 12:44:16 +02:00