AkkomaGang/akkoma
AkkomaGang/akkoma
15
65
Fork 91
Code Issues 173 Pull requests 21 Projects 2 Releases 14 Packages Wiki Activity
15786 commits 26 branches 107 tags 317 MiB
Commit graph

5824 commits

Author SHA1 Message Date
Oneric
d488cf476e Fix voters count field 
Mastodon API demands this be null unless it’s a multi-selection poll.
Not abiding by this can mess up display in some clients.

Fixes: #190
 2024-06-27 18:29:45 +02:00
Oneric
ca182a0ae7 Correctly parse content types with multiple profiles 
Multiple profiles can be specified as a space-separated list
and the possibility of additional profiles is explicitly brought up
in ActivityStream spec
 2024-06-27 18:29:45 +02:00
Oneric
495a1a71e8 strip_metadata: skip BMP files 
Not _yet_ supported as of exiftool 12.87, though
at first glance it seems like standard BMP files
can't store any metadata besides colour profiles

Fixes the specific case from
AkkomaGang/akkoma-fe#396
although the frontend shouldn’t get bricked regardless.
 2024-06-27 18:29:45 +02:00
Mark Felder
07539f7825 Hide logs during test unless a test fails 
Currently `mix test` prints a slew of logs in the terminal
with messages from different tests intermsparsed. Globally
enabling capture log hides log messages unless a test fails
reducing noise and making it easier to anylse the important
(from failed tests) messages.

Compiler warnings and a few messages not printed via Logger
still show up but its much more readable than before.

Ported from: 3aed111a42
 2024-06-27 18:29:45 +02:00
floatingghost
5992e8bb16 Merge pull request 'Update http-signatures dep, allow created header' (#800) from created-pseudoheader into develop
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details 
Reviewed-on: #800
 2024-06-17 21:52:59 +00:00
Floatingghost
57273754b7 we may as well handle (expires) as well
All checks were successful
ci/woodpecker/push/lint Pipeline was successful
Details
ci/woodpecker/push/test Pipeline was successful
Details
ci/woodpecker/push/build-amd64 Pipeline was successful
Details
ci/woodpecker/push/build-arm64 Pipeline was successful
Details
ci/woodpecker/push/docs Pipeline was successful
Details
ci/woodpecker/pr/lint Pipeline was successful
Details
ci/woodpecker/pr/test Pipeline was successful
Details
ci/woodpecker/pr/build-amd64 Pipeline was successful
Details
ci/woodpecker/pr/build-arm64 Pipeline was successful
Details
ci/woodpecker/pr/docs Pipeline was successful
Details
2024-06-17 22:30:14 +01:00
floatingghost
59bfdf2ca4 Merge pull request 'Add limit CLI flags to prune jobs' (#655) from Oneric/akkoma:prune-batch into develop
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details 
Reviewed-on: #655
 2024-06-17 20:47:53 +00:00
Oneric
bf8f493ffd Remove proxy_remote vestiges
All checks were successful
ci/woodpecker/pr/lint Pipeline was successful
Details
ci/woodpecker/pr/test Pipeline was successful
Details
ci/woodpecker/pr/build-amd64 Pipeline was successful
Details
ci/woodpecker/pr/build-arm64 Pipeline was successful
Details
ci/woodpecker/pr/docs Pipeline was successful
Details 
Ever since 364b6969eb
this setting wasn't used by the backend and a noop.
The stated usecase is better served by setting the base_url
to a local subdomain and using proxying in nginx/Caddy/...
 2024-06-16 01:21:52 +02:00
Floatingghost
2b96c3b224 Update http-signatures dep, allow created header
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details
ci/woodpecker/pr/build-amd64 Pipeline is pending
Details
ci/woodpecker/pr/build-arm64 Pipeline is pending
Details
ci/woodpecker/pr/docs Pipeline is pending
Details
ci/woodpecker/pr/lint Pipeline is pending
Details
ci/woodpecker/pr/test Pipeline is pending
Details
2024-06-12 18:40:44 +01:00
floatingghost
b03edb4ff4 Merge pull request 'Fix StealEmoji’s max size check' (#793) from Oneric/akkoma:emojistealer_contentlength into develop
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details 
Reviewed-on: #793
 2024-06-12 17:09:05 +00:00
Floatingghost
ad52135bf5 Convert rich media backfill to oban task
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details
ci/woodpecker/pr/build-amd64 Pipeline is pending
Details
ci/woodpecker/pr/build-arm64 Pipeline is pending
Details
ci/woodpecker/pr/docs Pipeline is pending
Details
ci/woodpecker/pr/lint Pipeline is pending
Details
ci/woodpecker/pr/test Pipeline is pending
Details
2024-06-11 18:06:51 +01:00
Floatingghost
9c5feb81aa fix tests
Some checks failed
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details
ci/woodpecker/pr/lint Pipeline was successful
Details
ci/woodpecker/pr/test Pipeline failed
Details
ci/woodpecker/pr/build-amd64 unknown status
Details
ci/woodpecker/pr/docs unknown status
Details
ci/woodpecker/pr/build-arm64 unknown status
Details
2024-06-09 21:26:29 +01:00
Floatingghost
a360836ce3 fix oembed test 2024-06-09 21:17:12 +01:00
Floatingghost
16bed0562d Fix tests 2024-06-09 18:28:00 +01:00
Mark Felder
2f5eb79473 Mastodon API: Remove deprecated GET /api/v1/statuses/:id/card endpoint 
Removed back in 2019

https://github.com/mastodon/mastodon/pull/11213
 2024-06-09 17:38:06 +01:00
Mark Felder
f4daa90bd8 Remove test validating missing descriptions are returned as an empty string 2024-06-09 17:37:59 +01:00
Mark Felder
688748b531 Improve test description 2024-06-09 17:37:32 +01:00
Mark Felder
2e5aa71176 Rich Media Cards are fetched asynchonously and not guaranteed to be available on first post render 2024-06-09 17:37:22 +01:00
Mark Felder
7ca655a999 Rich Media Cards are cached by URL not per status 2024-06-09 17:36:57 +01:00
Mark Felder
765c7e98d2 Respect the TTL returned in OpenGraph tags 2024-06-09 17:36:15 +01:00
Mark Felder
ddbe989461 Fix broken tests 2024-06-09 17:35:47 +01:00
Floatingghost
a924e117fd Add pool timeouts 2024-06-09 17:20:29 +01:00
Oneric
a3840e7d1f Raise minimum PostgreSQL version to 12 
This lets us:
 - avoid issues with broken hash indices for PostgreSQL <10
 - drop runtime checks and legacy codepaths for <11 in db search
 - always enable custom query plans for performance optimisation

PostgreSQL 11 is already EOL since 2023-11-09, so
in theory everyone should already have moved on to 12 anyway.
 2024-06-07 16:21:09 +02:00
Oneric
be5440c5e8 mrf/steal_emoji: fix size limit check 
Headers are strings, but this expected to already get an int
thus always failing the comparison if the header was set.

Fixes mistake in d6d838cbe8
 2024-06-05 20:11:53 +02:00
Oneric
68fe0a9633 test: fix content-length value type 
All headers are strings, always.
In this case it didn't matter atm,
but let’s not provide confusing examples.
 2024-06-05 19:59:59 +02:00
Floatingghost
c9a03af7c1 Move rescue to the HTTP request itself
Some checks failed
ci/woodpecker/push/lint Pipeline was successful
Details
ci/woodpecker/push/test Pipeline was successful
Details
ci/woodpecker/push/build-amd64 Pipeline was successful
Details
ci/woodpecker/push/build-arm64 Pipeline was successful
Details
ci/woodpecker/push/docs Pipeline was successful
Details
ci/woodpecker/pr/lint Pipeline failed
Details
ci/woodpecker/pr/test unknown status
Details
ci/woodpecker/pr/build-arm64 unknown status
Details
ci/woodpecker/pr/build-amd64 unknown status
Details
ci/woodpecker/pr/docs unknown status
Details
2024-06-04 14:30:16 +01:00
Floatingghost
30e13a8785 Don't error on rich media fail
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details
2024-06-04 14:21:40 +01:00
Oneric
bed7ff8e89 mix: consistently use shell_info and shell_error
All checks were successful
ci/woodpecker/pr/lint Pipeline was successful
Details
ci/woodpecker/pr/test Pipeline was successful
Details
ci/woodpecker/pr/build-amd64 Pipeline was successful
Details
ci/woodpecker/pr/build-arm64 Pipeline was successful
Details
ci/woodpecker/pr/docs Pipeline was successful
Details 
Logger output being visible depends on user configuration, but most of
the prints in mix tasks should always be shown. When running inside a
mix shell, it’s probably preferable to send output directly to it rather
than using raw IO.puts and we already have shell_* functions for this,
let’s use them everywhere.
 2024-05-31 17:17:42 +02:00
Oneric
1d4c212441 dbprune: shortcut array activity search 
This brought down query costs from 7,953,740.90 to 47,600.97
 2024-05-31 17:16:40 +02:00
Oneric
6e7cbf1885 Test both standalone and flag mode for pruning orphaned activities 2024-05-31 17:16:40 +02:00
floatingghost
8f97c15b07 Merge pull request 'Preserve Meilisearch’s result ranking' (#772) from Oneric/akkoma:search-meili-order into develop
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details 
Reviewed-on: #772
 2024-05-31 14:12:05 +00:00
Floatingghost
3af0c53a86 use proper workers for fetching pins instead of an ad-hoc task (#788)
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details 
Reviewed-on: #788
Co-authored-by: Floatingghost <hannah@coffee-and-dreams.uk>
Co-committed-by: Floatingghost <hannah@coffee-and-dreams.uk>
 2024-05-31 08:58:52 +00:00
Oneric
65aeaefa41 meilisearch: respect meili’s result ranking 
Meilisearch is already configured to return results sorted by a
particular ranking configured in the meilisearch CLI task.
Resorting the returned top results by date partially negates this and
runs counter to what someone with tweaked settings expects.

Issue and fix identified by AdamK2003 in
#579
But instead of using a O(n^2) resorting, this commit directly
retrieves results in the correct order from the database.

Closes: #579
 2024-05-29 23:17:27 +00:00
Floatingghost
66b3248dd3 mix tests probably shouldn't be async
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details
ci/woodpecker/pr/build-amd64 Pipeline is pending
Details
ci/woodpecker/pr/build-arm64 Pipeline is pending
Details
ci/woodpecker/pr/docs Pipeline is pending
Details
ci/woodpecker/pr/lint Pipeline is pending
Details
ci/woodpecker/pr/test Pipeline is pending
Details
2024-05-27 04:03:13 +01:00
Floatingghost
73ead8656a don't allow emoji formatter to be async
Some checks failed
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details
ci/woodpecker/pr/lint Pipeline was successful
Details
ci/woodpecker/pr/test Pipeline failed
Details
ci/woodpecker/pr/build-arm64 unknown status
Details
ci/woodpecker/pr/build-amd64 unknown status
Details
ci/woodpecker/pr/docs unknown status
Details
2024-05-27 03:25:18 +01:00
Floatingghost
f15eded3e1 Add extra test case for nonsense field, increase timeouts
Some checks failed
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details
ci/woodpecker/pr/lint Pipeline was successful
Details
ci/woodpecker/pr/test Pipeline was successful
Details
ci/woodpecker/pr/build-arm64 unknown status
Details
ci/woodpecker/pr/build-amd64 unknown status
Details
ci/woodpecker/pr/docs unknown status
Details
2024-05-27 02:09:48 +01:00
Floatingghost
da67e69af5 Allow for attachment to be a single object in user data
Some checks failed
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details
ci/woodpecker/pr/lint Pipeline was successful
Details
ci/woodpecker/pr/test Pipeline was successful
Details
ci/woodpecker/pr/build-arm64 unknown status
Details
ci/woodpecker/pr/build-amd64 unknown status
Details
ci/woodpecker/pr/docs unknown status
Details
2024-05-26 17:09:26 +01:00
Floatingghost
b72127b45a Merge remote-tracking branch 'oneric-sec/media-owner' into develop 2024-05-22 19:36:10 +01:00
Oneric
9a91299f96 Don't try to handle non-media objects as media 
Trying to display non-media as media crashed the renderer,
but when posting a status with a valid, non-media object id
the post was still created, but then crashed e.g. timeline rendering.
It also crashed C2S inbox reads, so this could not be used to leak
private posts.
 2024-05-22 20:30:23 +02:00
Oneric
0c2b33458d Restrict media usage to owners 
In Mastodon media can only be used by owners and only be associated with
a single post. We currently allow media to be associated with several
posts and until now did not limit their usage in posts to media owners.
However, media update and GET lookup was already limited to owners.
(In accordance with allowing media reuse, we also still allow GET
lookups of media already used in a post unlike Mastodon)

Allowing reuse isn’t problematic per se, but allowing use by non-owners
can be problematic if media ids of private-scoped posts can be guessed
since creating a new post with this media id will reveal the uploaded
file content and alt text.
Given media ids are currently just part of a sequentieal series shared
with some other objects, guessing media ids is with some persistence
indeed feasible.

E.g. sampline some public media ids from a real-world
instance with 112 total and 61 monthly-active users:

  17.465.096  at  t0
  17.472.673  at  t1 = t0 + 4h
  17.473.248  at  t2 = t1 + 20min

This gives about 30 new ids per minute of which most won't be
local media but remote and local posts, poll answers etc.
Assuming the default ratelimit of 15 post actions per 10s, scraping all
media for the 4h interval takes about 84 minutes and scraping the 20min
range mere 6.3 minutes. (Until the preceding commit, post updates were
not rate limited at all, allowing even faster scraping.)
If an attacker can infer (e.g. via reply to a follower-only post not
accessbile to the attacker) some sensitive information was uploaded
during a specific time interval and has some pointers regarding the
nature of the information, identifying the specific upload out of all
scraped media for this timerange is not impossible.

Thus restrict media usage to owners.

Checking ownership just in ActivitDraft would already be sufficient,
since when a scheduled status actually gets posted it goes through
ActivityDraft again, but would erroneously return a success status
when scheduling an illegal post.

Independently discovered and fixed by mint in Pleroma
1afde067b1
 2024-05-22 20:30:18 +02:00
Floatingghost
842cac2a50 ensure we mock_global 2024-05-22 19:30:03 +01:00
Lain Soykaf
3e1f5e5372 WebFingerControllerTest: Restore host after test. 2024-05-22 19:27:51 +01:00
marcin mikołajczak
3a21293970 Fix tests 
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
 2024-05-22 19:27:31 +01:00
marcin mikołajczak
0d66237205 Fix validate_webfinger when running a different domain for Webfinger 
Signed-off-by: marcin mikołajczak <git@mkljczk.pl>
 2024-05-22 19:20:02 +01:00
Oneric
94e9c8f48a Purge unused media description update on post 
In MastoAPI media descriptions are updated via the
media update API not upon post creation or post update.

This functionality was originally added about 6 years ago in
ba93396649 which was part of
https://git.pleroma.social/pleroma/pleroma/-/merge_requests/626 and
https://git.pleroma.social/pleroma/pleroma-fe/-/merge_requests/450.
They introduced image descriptions to the front- and backend,
but predate adoption of Mastodon API.

For a while adding an `descriptions` array on post creation might have
continued to work as an undocumented Pleroma extension to Masto API, but
at latest when OpenAPI specs were added for those endpoints four years
ago in 7803a85d2c, these codepaths ceased
to be used. The API specs don’t list a `descriptions` parameter and
any unknown parameters are stripped out.

The attachments_from_ids function is only called from
ScheduledActivity and ActivityDraft.create with the latter
only being called by CommonAPI.{post,update} whihc in turn
are only called from ScheduledActivity again, MastoAPI controller
and without any attachment or description parameter WelcomeMessage.
Therefore no codepath can contain a descriptions parameter.
 2024-05-22 20:18:08 +02:00
lain
50403351f4 add impostor test for webfinger 2024-05-22 19:17:34 +01:00
Alex Gleason
a953b1d927 Prevent spoofing webfinger 2024-05-22 19:08:37 +01:00
floatingghost
76ded10a70 Merge pull request 'Backoff on HTTP requests when 429 is recieved' (#762) from backoff-http into develop
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details 
Reviewed-on: #762
 2024-05-11 04:38:47 +00:00
Floatingghost
4457928e32 duct-tape fix for #438
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details 
we really need to make this less manual
 2024-05-11 05:30:18 +01:00
Floatingghost
ea6bc8a7c5 add a test for 503-rate-limiting
Some checks are pending
ci/woodpecker/push/build-amd64 Pipeline is pending
Details
ci/woodpecker/push/build-arm64 Pipeline is pending
Details
ci/woodpecker/push/docs Pipeline is pending
Details
ci/woodpecker/push/lint Pipeline is pending
Details
ci/woodpecker/push/test Pipeline is pending
Details
ci/woodpecker/pr/lint Pipeline was successful
Details
ci/woodpecker/pr/test Pipeline was successful
Details
ci/woodpecker/pr/build-amd64 Pipeline was successful
Details
ci/woodpecker/pr/build-arm64 Pipeline was successful
Details
ci/woodpecker/pr/docs Pipeline was successful
Details
2024-05-06 23:36:00 +01:00