Merge branch 'release/2.0.4' into 'stable'

Release/2.0.4 See merge request pleroma/pleroma!2503
2020-05-10 17:13:03 +00:00 · 2020-05-10 17:13:03 +00:00 · a6283bbae1
commit a6283bbae1
parent 019a192e43 489201d5d5
10 changed files with 125 additions and 34 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,31 @@ All notable changes to this project will be documented in this file.

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

+## [2.0.4] - 2020-05-10
+
+### Security
+- AP C2S: Fix a potential DoS by creating nonsensical objects that break timelines
+
+### Fixed
+- Peertube user lookups not working
+- `InsertSkeletonsForDeletedUsers` migration failing on some instances
+- Healthcheck reporting the number of memory currently used, rather than allocated in total
+- LDAP not being usable in OTP releases
+- Default apache configuration having tls chain issues
+
+### Upgrade notes
+
+#### Apache only
+
+1. Remove the following line from your config:
+```
+    SSLCertificateFile      /etc/letsencrypt/live/${servername}/cert.pem
+```
+
+#### Everyone
+
+1. Restart Pleroma
+
 ## [2.0.3] - 2020-05-02

 ### Security
--- a/config/description.exs
+++ b/config/description.exs
@ -2260,6 +2260,7 @@
        children: [
          %{
            key: :active,
+            label: "Enabled",
            type: :boolean,
            description: "Globally enable or disable digest emails"
          },
--- a/installation/pleroma-apache.conf
+++ b/installation/pleroma-apache.conf
@ -32,9 +32,8 @@ CustomLog ${APACHE_LOG_DIR}/access.log combined

 <VirtualHost *:443>
    SSLEngine on
-    SSLCertificateFile      /etc/letsencrypt/live/${servername}/cert.pem
+    SSLCertificateFile      /etc/letsencrypt/live/${servername}/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/${servername}/privkey.pem
-    SSLCertificateChainFile /etc/letsencrypt/live/${servername}/fullchain.pem

    # Mozilla modern configuration, tweak to your needs
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
--- a/lib/pleroma/healthcheck.ex
+++ b/lib/pleroma/healthcheck.ex
@ -29,7 +29,7 @@ defmodule Pleroma.Healthcheck do
  @spec system_info() :: t()
  def system_info do
    %Healthcheck{
-      memory_used: Float.round(:erlang.memory(:total) / 1024 / 1024, 2)
+      memory_used: Float.round(:recon_alloc.memory(:allocated) / 1024 / 1024, 2)
    }
    |> assign_db_info()
    |> assign_job_queue_stats()
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -370,7 +370,10 @@ def read_inbox(%{assigns: %{user: %{nickname: as_nickname}}} = conn, %{
    |> json(err)
  end

-  def handle_user_activity(user, %{"type" => "Create"} = params) do
+  defp handle_user_activity(
+         %User{} = user,
+         %{"type" => "Create", "object" => %{"type" => "Note"}} = params
+       ) do
    object =
      params["object"]
      |> Map.merge(Map.take(params, ["to", "cc"]))
@ -386,7 +389,7 @@ def handle_user_activity(user, %{"type" => "Create"} = params) do
    })
  end

-  def handle_user_activity(user, %{"type" => "Delete"} = params) do
+  defp handle_user_activity(user, %{"type" => "Delete"} = params) do
    with %Object{} = object <- Object.normalize(params["object"]),
         true <- user.is_moderator || user.ap_id == object.data["actor"],
         {:ok, delete} <- ActivityPub.delete(object) do
@ -396,7 +399,7 @@ def handle_user_activity(user, %{"type" => "Delete"} = params) do
    end
  end

-  def handle_user_activity(user, %{"type" => "Like"} = params) do
+  defp handle_user_activity(user, %{"type" => "Like"} = params) do
    with %Object{} = object <- Object.normalize(params["object"]),
         {:ok, activity, _object} <- ActivityPub.like(user, object) do
      {:ok, activity}
@ -405,7 +408,7 @@ def handle_user_activity(user, %{"type" => "Like"} = params) do
    end
  end

-  def handle_user_activity(_, _) do
+  defp handle_user_activity(_, _) do
    {:error, dgettext("errors", "Unhandled activity type")}
  end

--- a/lib/pleroma/web/web_finger/web_finger.ex
+++ b/lib/pleroma/web/web_finger/web_finger.ex
@ -193,13 +193,15 @@ def finger(account) do
          URI.parse(account).host
      end

+    encoded_account = URI.encode("acct:#{account}")
+
    address =
      case find_lrdd_template(domain) do
        {:ok, template} ->
-          String.replace(template, "{uri}", URI.encode(account))
+          String.replace(template, "{uri}", encoded_account)

        _ ->
-          "https://#{domain}/.well-known/webfinger?resource=acct:#{account}"
+          "https://#{domain}/.well-known/webfinger?resource=#{encoded_account}"
      end

    with response <-
--- a/mix.exs
+++ b/mix.exs
@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
  def project do
    [
      app: :pleroma,
-      version: version("2.0.3"),
+      version: version("2.0.4"),
      elixir: "~> 1.8",
      elixirc_paths: elixirc_paths(Mix.env()),
      compilers: [:phoenix, :gettext] ++ Mix.compilers(),
@ -63,7 +63,15 @@ def copy_nginx_config(%{path: target_path} = release) do
  def application do
    [
      mod: {Pleroma.Application, []},
-      extra_applications: [:logger, :runtime_tools, :comeonin, :quack, :fast_sanitize, :ssl],
+      extra_applications: [
+        :logger,
+        :runtime_tools,
+        :comeonin,
+        :quack,
+        :fast_sanitize,
+        :ssl,
+        :eldap
+      ],
      included_applications: [:ex_syslogger]
    ]
  end
--- a/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs
+++ b/priv/repo/migrations/20200428221338_insert_skeletons_for_deleted_users.exs
@ -30,7 +30,7 @@ def change do
          Repo,
          "select distinct unnest(nonexistent_locals.recipients) from activities, lateral (select array_agg(recipient) as recipients from unnest(activities.recipients) as recipient where recipient similar to '#{
            instance_uri
-          }/users/[A-Za-z0-9]*' and not(recipient in (select ap_id from users where local = true))) nonexistent_locals;",
+          }/users/[A-Za-z0-9]*' and not(recipient in (select ap_id from users))) nonexistent_locals;",
          [],
          timeout: :infinity
        )
--- a/test/support/http_request_mock.ex
+++ b/test/support/http_request_mock.ex
@ -211,7 +211,7 @@ def get(
  end

  def get(
-        "https://squeet.me/xrd/?uri=lain@squeet.me",
+        "https://squeet.me/xrd/?uri=acct:lain@squeet.me",
        _,
        _,
        Accept: "application/xrd+xml,application/jrd+json"
@ -850,7 +850,7 @@ def get(
  end

  def get(
-        "https://social.heldscal.la/.well-known/webfinger?resource=shp@social.heldscal.la",
+        "https://social.heldscal.la/.well-known/webfinger?resource=acct:shp@social.heldscal.la",
        _,
        _,
        Accept: "application/xrd+xml,application/jrd+json"
@ -863,7 +863,7 @@ def get(
  end

  def get(
-        "https://social.heldscal.la/.well-known/webfinger?resource=invalid_content@social.heldscal.la",
+        "https://social.heldscal.la/.well-known/webfinger?resource=acct:invalid_content@social.heldscal.la",
        _,
        _,
        Accept: "application/xrd+xml,application/jrd+json"
@ -880,7 +880,7 @@ def get("http://framatube.org/.well-known/host-meta", _, _, _) do
  end

  def get(
-        "http://framatube.org/main/xrd?uri=framasoft@framatube.org",
+        "http://framatube.org/main/xrd?uri=acct:framasoft@framatube.org",
        _,
        _,
        Accept: "application/xrd+xml,application/jrd+json"
@ -939,7 +939,7 @@ def get("http://gerzilla.de/.well-known/host-meta", _, _, _) do
  end

  def get(
-        "https://gerzilla.de/xrd/?uri=kaniini@gerzilla.de",
+        "https://gerzilla.de/xrd/?uri=acct:kaniini@gerzilla.de",
        _,
        _,
        Accept: "application/xrd+xml,application/jrd+json"
@ -1135,7 +1135,7 @@ def get("http://404.site" <> _, _, _, _) do
  end

  def get(
-        "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=lain@zetsubou.xn--q9jyb4c",
+        "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=acct:lain@zetsubou.xn--q9jyb4c",
        _,
        _,
        Accept: "application/xrd+xml,application/jrd+json"
@ -1148,7 +1148,7 @@ def get(
  end

  def get(
-        "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=https://zetsubou.xn--q9jyb4c/users/lain",
+        "https://zetsubou.xn--q9jyb4c/.well-known/webfinger?resource=acct:https://zetsubou.xn--q9jyb4c/users/lain",
        _,
        _,
        Accept: "application/xrd+xml,application/jrd+json"
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@ -652,9 +652,25 @@ test "it returns an announce activity in a collection", %{conn: conn} do

      assert response(conn, 200) =~ announce_activity.data["object"]
    end
+  end

-    test "it rejects posts from other users", %{conn: conn} do
-      data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+  describe "POST /users/:nickname/outbox (C2S)" do
+    setup do
+      [
+        activity: %{
+          "@context" => "https://www.w3.org/ns/activitystreams",
+          "type" => "Create",
+          "object" => %{"type" => "Note", "content" => "AP C2S test"},
+          "to" => "https://www.w3.org/ns/activitystreams#Public",
+          "cc" => []
+        }
+      ]
+    end
+
+    test "it rejects posts from other users / unauthenticated users", %{
+      conn: conn,
+      activity: activity
+    } do
      user = insert(:user)
      otheruser = insert(:user)

@ -662,39 +678,76 @@ test "it rejects posts from other users", %{conn: conn} do
        conn
        |> assign(:user, otheruser)
        |> put_req_header("content-type", "application/activity+json")
-        |> post("/users/#{user.nickname}/outbox", data)
+        |> post("/users/#{user.nickname}/outbox", activity)

      assert json_response(conn, 403)
    end

-    test "it inserts an incoming create activity into the database", %{conn: conn} do
-      data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+    test "it inserts an incoming create activity into the database", %{
+      conn: conn,
+      activity: activity
+    } do
      user = insert(:user)

-      conn =
+      result =
        conn
        |> assign(:user, user)
        |> put_req_header("content-type", "application/activity+json")
-        |> post("/users/#{user.nickname}/outbox", data)
-
-      result = json_response(conn, 201)
+        |> post("/users/#{user.nickname}/outbox", activity)
+        |> json_response(201)

      assert Activity.get_by_ap_id(result["id"])
+      assert result["object"]
+      assert %Object{data: object} = Object.normalize(result["object"])
+      assert object["content"] == activity["object"]["content"]
    end

-    test "it rejects an incoming activity with bogus type", %{conn: conn} do
-      data = File.read!("test/fixtures/activitypub-client-post-activity.json") |> Poison.decode!()
+    test "it rejects anything beyond 'Note' creations", %{conn: conn, activity: activity} do
      user = insert(:user)

-      data =
-        data
-        |> Map.put("type", "BadType")
+      activity =
+        activity
+        |> put_in(["object", "type"], "Benis")
+
+      _result =
+        conn
+        |> assign(:user, user)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/outbox", activity)
+        |> json_response(400)
+    end
+
+    test "it inserts an incoming sensitive activity into the database", %{
+      conn: conn,
+      activity: activity
+    } do
+      user = insert(:user)
+      object = Map.put(activity["object"], "sensitive", true)
+      activity = Map.put(activity, "object", object)
+
+      result =
+        conn
+        |> assign(:user, user)
+        |> put_req_header("content-type", "application/activity+json")
+        |> post("/users/#{user.nickname}/outbox", activity)
+        |> json_response(201)
+
+      assert Activity.get_by_ap_id(result["id"])
+      assert result["object"]
+      assert %Object{data: object} = Object.normalize(result["object"])
+      assert object["sensitive"] == activity["object"]["sensitive"]
+      assert object["content"] == activity["object"]["content"]
+    end
+
+    test "it rejects an incoming activity with bogus type", %{conn: conn, activity: activity} do
+      user = insert(:user)
+      activity = Map.put(activity, "type", "BadType")

      conn =
        conn
        |> assign(:user, user)
        |> put_req_header("content-type", "application/activity+json")
-        |> post("/users/#{user.nickname}/outbox", data)
+        |> post("/users/#{user.nickname}/outbox", activity)

      assert json_response(conn, 400)
    end