Commit graph

65 commits

Author SHA1 Message Date
8684964c5d Only allow exact id matches
This protects us from falling for obvious spoofs as from the current
upload exploit (unfortunately we can’t reasonably do anything about
spoofs with exact matches as was possible via emoji and proxy).

Such objects being invalid is supported by the spec, sepcifically
sections 3.1 and 3.2: https://www.w3.org/TR/activitypub/#obj-id

Anonymous objects are not relevant here (they can only exists within
parent objects iiuc) and neither is client-to-server or transient objects
(as those cannot be fetched in the first place).
This leaves us with the requirement for `id` to (a) exist and
(b) be a publicly dereferencable URI from the originating server.
This alone does not yet demand strict equivalence, but the spec then
further explains objects ought to be fetchable _via their ID_.
Meaning an object not retrievable via its ID, is invalid.

This reading is supported by the fact, e.g. GoToSocial (recently) and
Mastodon (for 6+ years) do already implement such strict ID checks,
additionally proving this doesn’t cause federation issues in practice.

However, apart from canonical IDs there can also be additional display
URLs. *omas first redirect those to their canonical location, but *keys
and Mastodon directly serve the AP representation without redirects.

Mastodon and GTS deal with this in two different ways,
but both constitute an effective countermeasure:
 - Mastodon:
   Unless it already is a known AP id, two fetches occur.
   The first fetch just reads the `id` property and then refetches from
   the id. The last fetch requires the returned id to exactly match the
   URL the content was fetched from. (This can be optimised by skipping
   the second fetch if it already matches)
   05eda8d193/app/helpers/jsonld_helper.rb (L168)
   63f0979799

 - GTS:
   Only does a single fetch and then checks if _either_ the id
   _or_ url property (which can be an object) match the original fetch
   URL. This relies on implementations always including their display URL
   as "url" if differing from the id. For actors this is true for all
   investigated implementations, for posts only Mastodon includes an
   "url", but it is also the only one with a differing display URL.
   2bafd7daf5 (diff-943bbb02c8ac74ac5dc5d20807e561dcdfaebdc3b62b10730f643a20ac23c24fR222)

Albeit Mastodon’s refetch offers higher compatibility with theoretical
implmentations using either multiple different display URL or not
denoting any of them as "url" at all, for now we chose to adopt a
GTS-like refetch-free approach to avoid additional implementation
concerns wrt to whether redirects should be allowed when fetching a
canonical AP id and potential for accidentally loosening some checks
(e.g. cross-domain refetches) for one of the fetches.
This may be reconsidered in the future.
2024-03-25 14:05:05 -01:00
59a142e0b0 Never fetch resource from ourselves
If it’s not already in the database,
it must be counterfeit (or just not exists at all)

Changed test URLs were only ever used from "local: false" users anyway.
2024-03-25 14:05:05 -01:00
0ec62acb9d Always insert Dedupe upload filter
This actually was already intended before to eradict all future
path-traversal-style exploits and to fix issues with some
characters like akkoma#610 in 0b2ec0ccee. However, Dedupe and
AnonymizeFilename got mixed up. The latter only anonymises the name
in Content-Disposition headers GET parameters (with link_name),
_not_ the upload path.

Even without Dedupe, the upload path is prefixed by an UUID,
so it _should_ already be hard to guess for attackers. But now
we actually can be sure no path shenanigangs occur, uploads
reliably work and save some disk space.

While this makes the final path predictable, this prediction is
not exploitable. Insertion of a back-reference to the upload
itself requires pulling off a successfull preimage attack against
SHA-256, which is deemed infeasible for the foreseeable futures.

Dedupe was already included in the default list in config.exs
since 28cfb2c37a, but this will get overridde by whatever the
config generated by the "pleroma.instance gen" task chose.

Upload+delete tests running in parallel using Dedupe might be flaky, but
this was already true before and needs its own commit to fix eventually.
2024-03-18 22:33:10 -01:00
6cb40bee26 Migrate to phoenix 1.7 (#626)
Closes #612

Co-authored-by: tusooa <tusooa@kazv.moe>
Reviewed-on: AkkomaGang/akkoma#626
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Co-committed-by: FloatingGhost <hannah@coffee-and-dreams.uk>
2023-08-15 10:22:18 +00:00
64e233ca20 Tag Mock-tests as "mocked" and run them seperately 2023-08-04 12:50:50 +01:00
98cb255d12 Support elixir1.15
OTP builds to 1.15

Changelog entry

Ensure policies are fully loaded

Fix :warn

use main branch for linkify

Fix warn in tests

Migrations for phoenix 1.17

Revert "Migrations for phoenix 1.17"

This reverts commit 6a3b2f15b74ea5e33150529385215b7a531f3999.

Oban upgrade

Add default empty whitelist

mix format

limit test to amd64

OTP 26 tests for 1.15

use OTP_VERSION tag

baka

just 1.15

Massive deps update

Update locale, deps

Mix format

shell????

multiline???

?

max cases 1

use assert_recieve

don't put_env in async tests

don't async conn/fs tests

mix format

FIx some uploader issues

Fix tests
2023-08-03 17:44:09 +01:00
8c86a06ed1 Merge pull request 'Remove "default" image description' (#493) from ilja/akkoma:remove_default_image_description into develop
Reviewed-on: AkkomaGang/akkoma#493
2023-04-14 16:27:41 +00:00
3f76de76da Apply Patch 2023-03-12 19:13:56 +00:00
ilja
6c396fcab4 Remove "default" image description
When no image description is filled in, Pleroma allowed fallbacks.
Those were (based on a setting) either the filename, or a fixed description.
Neither are good options for image descriptions imo, so here we remove this.

Note that there's two tests removed who supposedly tested something else.
But examining closer, they didn't seem to test what they claimed to test,
so I removed them rather than try to "fix" them.
2023-03-12 08:42:33 +01:00
b058df3faa Allow dashes in domain name search 2022-12-06 10:57:10 +00:00
d55de5debf Remerge of hashtag following (#341)
this time with less idiot

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#341
2022-12-05 12:58:48 +00:00
ec6bf8c3f7 revert 4a94c9a31e
revert Add ability to follow hashtags (#336)

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#336
2022-12-04 20:04:09 +00:00
4a94c9a31e Add ability to follow hashtags (#336)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#336
2022-12-04 17:36:59 +00:00
db60640c5b Fixing up deletes a bit (#327)
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#327
2022-12-01 15:00:53 +00:00
f36d14818d Unilateral remove from followers (#232)
from https://git.pleroma.social/pleroma/pleroma/-/merge_requests/3647/

Co-authored-by: marcin mikołajczak <git@mkljczk.pl>
Co-authored-by: Tusooa Zhu <tusooa@kazv.moe>
Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#232
2022-10-19 10:01:14 +00:00
8e4de118c1 Don't persist local undone follow (#194)
same deal but backwards this time

Co-authored-by: FloatingGhost <hannah@coffee-and-dreams.uk>
Reviewed-on: AkkomaGang/akkoma#194
2022-08-31 18:00:36 +00:00
62e179f446 make conversation-id deterministic (#154)
Reviewed-on: AkkomaGang/akkoma#154
2022-08-06 20:59:15 +00:00
0ec3a11895 don't persist undo of follows (#149)
Reviewed-on: AkkomaGang/akkoma#149
2022-08-05 13:28:56 +00:00
0a55c37182 don't error out if the featured collection has a string ID 2022-07-26 15:08:35 +01:00
0f132b802d purge chat and shout endpoints 2022-07-21 11:29:28 +01:00
cf0ad02ea9 Remove scrobbling support 2022-07-19 15:07:45 +01:00
5b4d77eaa7 maintenance: dependency upgrade (#81)
Reviewed-on: AkkomaGang/akkoma#81
2022-07-18 00:56:35 +00:00
sfr
058bf96798 implement Move activities (#45)
Reviewed-on: AkkomaGang/akkoma#45
Co-authored-by: sfr <sol@solfisher.com>
Co-committed-by: sfr <sol@solfisher.com>
2022-07-04 16:29:39 +00:00
0a3a552696 Add support for a first reference in pinned objects 2022-07-03 17:25:20 +01:00
4da9a12bf8 Add test for friendica featured collection 2022-07-03 16:59:12 +01:00
db46913dcc make linter happy 2021-12-06 11:50:51 +00:00
cd8bdbc761 Make deactivated user check into a subquery
Fixes #2792
2021-12-06 11:44:17 +00:00
Alex Gleason
762be6ce10
Merge remote-tracking branch 'upstream/develop' into block-behavior 2021-04-29 11:14:32 -05:00
Alexander Strizhakov
8f0778166c
moving fixture into mastodon folder 2021-03-25 13:03:41 +03:00
Alexander Strizhakov
3ec1dbd922
Let pins federate
- save object ids on pin, instead of activity ids
- pins federation
- removed pinned_activities field from the users table
- activityPub endpoint for user pins
- pulling remote users pins
2021-03-25 13:03:40 +03:00
rinpatch
67bde35e71 Merge branch 'bugfix/bridgy-user-icon' into 'develop'
Add support for actor icon being a list (Bridgy)

See merge request pleroma/pleroma!3372
2021-03-19 08:36:26 +00:00
Haelwenn (lanodan) Monnier
b1d4b2b81e
Add support for actor icon being a list (Bridgy) 2021-03-15 06:44:05 +01:00
Ivan Tashkinov
5856f51717 [#3213] ActivityPub hashtags filtering refactoring. Test fix. 2021-03-03 23:09:30 +03:00
Ivan Tashkinov
77f3da0358 [#3213] Misc. tweaks: proper upsert in Hashtag, better feature toggle management. 2021-02-23 13:52:28 +03:00
Ivan Tashkinov
1dac7d1462 [#3213] Fixed hashtags.name lookup (must use citext type to do index scan). Fixed embedded hashtags lookup (lowercasing), adjusted tests. 2021-02-15 21:13:14 +03:00
Ivan Tashkinov
d1c6dd97aa [#3213] Partially addressed code review points.
migration rollback task changes, hashtags-related config handling tweaks, `hashtags.data` deletion (unused).
2021-02-07 22:24:12 +03:00
Ivan Tashkinov
cf4765af40 [#3213] ActivityPub: fixed subquery-based hashtags filtering implementation (addressed empty list options issue). Added regression test. 2021-01-31 23:06:38 +03:00
Ivan Tashkinov
1b49b8efe5 Merge remote-tracking branch 'remotes/origin/develop' into feature/object-hashtags-rework
# Conflicts:
#	CHANGELOG.md
2021-01-31 20:38:58 +03:00
Ivan Tashkinov
6fd4163ab6 [#3213] ActivityPub: implemented subqueries-based hashtags filtering, removed aggregation-based hashtags filtering. 2021-01-31 20:37:33 +03:00
Ivan Tashkinov
380d0cce6b [#3213] Reinstated DISTINCT clause for hashtag "any" filtering with 2+ terms. Added test. 2021-01-29 00:17:33 +03:00
e854c35e65 Convert tests to all use clear_config instead of Pleroma.Config.put 2021-01-26 11:58:43 -06:00
Ivan Tashkinov
c041e9c630 [#3213] HashtagsTableMigrator: failures handling fix, retry function.
Changed default hashtags filtering strategy to non-aggregate approach.
2021-01-21 20:23:08 +03:00
Ivan Tashkinov
48b399cedb [#3213] Refactoring of HashtagsTableMigrator. Hashtag timeline performance optimization (auto switch to non-aggregate join strategy when efficient). 2021-01-16 20:22:14 +03:00
Ivan Tashkinov
e350898828 Merge remote-tracking branch 'remotes/origin/develop' into feature/object-hashtags-rework 2021-01-13 22:11:16 +03:00
Haelwenn (lanodan) Monnier
c4439c630f
Bump Copyright to 2021
grep -rl '# Copyright © .* Pleroma' * | xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;'
2021-01-13 07:49:50 +01:00
lain
bd788c0939 ActivtityPub Test: Add example for guppe actor 2021-01-07 16:20:30 +01:00
Alex Gleason
1438fd9583
Merge remote-tracking branch 'upstream/develop' into block-behavior 2021-01-06 15:22:35 -06:00
lain
e1e7e4d379 Object: Rework how Object.normalize works
Now it defaults to not fetching, and the option is named.
2021-01-04 13:38:31 +01:00
Ivan Tashkinov
cbb19d0e18 [#3213] Hashtag-filtering functions in ActivityPub. Mix task for migrating hashtags to hashtags table. 2020-12-26 22:20:55 +03:00
Ivan Tashkinov
e369b1306b Added Hashtag entity and objects-hashtags association with auto-sync with data.tag on Object update. 2020-12-22 22:04:33 +03:00