[chart] bump version

Signed-off-by: Mae Dartmann <mae+git_work@dartmann.net>
[chart] make maxNoteLength configurable
2024-05-20 18:51:09 +02:00 · 2024-04-29 19:28:52 +02:00 · 2024-04-29 19:28:52 +02:00 · 2024-04-29 16:36:58 +02:00 · 2024-04-29 16:36:58 +02:00
10 changed files with 90 additions and 45 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,27 @@
+## v2023.12.7
+This is a security release. Upgrading is therefore strongly recommended.
+
+### Backend
+- Incoming LD-signed activities are now compacted against a well-known context to defend against spoofing attacks
+- The automatically followed account property no longer gets set to a random (possibly non-local) user on instance settings updates
+- The TypeORM logger is now much more configurable
+- The bull dashboard now has the correct cache-control headers set
+
+### Mastodon client API
+- The quote_id property is now returned for note responses
+- The note search query now sets the userId property correctly, solving the problem of mismatching search results between the web client and the Mastodon client API
+- The user profile html cache now gets updated and queried using the correct timestamp for local users, resolving an issue of stale data being displayed in some circumstances
+
+### Miscellaneous
+- The yarn version was updated to 4.1.1
+- The Dockerfile was updated to work better with some build systems that don't support cp -Tr
+- The helm chart now has an option to set the number of worker threads
+
+### Attribution
+This release was made possible by project contributors: Ezeani Emmanuel, Laura Hausmann, Mae Dartmann & mei23
+
+Furthermore, I want to give special thanks to tesaguri for the security disclosure.
+
 ## v2023.12.6
 This is a security release. Upgrading is therefore strongly recommended.

--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.1.3

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/chart/README.md
+++ b/chart/README.md
@ -31,6 +31,7 @@ A fun, new, open way to experience social media https://iceshrimp.dev
 | iceshrimp.libreTranslate.apiKey | string | `""` |  |
 | iceshrimp.libreTranslate.apiUrl | string | `""` |  |
 | iceshrimp.libreTranslate.managed | bool | `false` |  |
+| iceshrimp.maxNoteLength | integer | `3000` | Max note length |
 | iceshrimp.objectStorage.access_key | string | `""` |  |
 | iceshrimp.objectStorage.access_secret | string | `""` |  |
 | iceshrimp.objectStorage.baseUrl | string | `""` |  |
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@ -211,7 +211,7 @@ id: 'aid'
 #───┘ Other configuration └─────────────────────────────────────

 # Max note length, should be < 8000.
-#maxNoteLength: 3000
+maxNoteLength: {{ .Values.iceshrimp.maxNoteLength | default 3000 }}

 # Maximum lenght of an image caption or file comment (default 1500, max 8192)
 #maxCaptionLength: 1500
--- a/chart/values.yaml
+++ b/chart/values.yaml
@ -68,6 +68,9 @@ iceshrimp:
  # Number of worker processes per replica
  clusterLimit: 1

+  # Max note length
+  maxNoteLength: 3000
+
 # https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
 postgresql:
  # -- disable if you want to use an existing db; in which case the values below
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
 	"name": "iceshrimp",
-	"version": "2023.12.6",
+	"version": "2023.12.7",
 	"repository": {
 		"type": "git",
 		"url": "https://iceshrimp.dev/iceshrimp/iceshrimp.git"
--- a/packages/backend/src/queue/processors/inbox.ts
+++ b/packages/backend/src/queue/processors/inbox.ts
@ -29,7 +29,7 @@ const logger = new Logger("inbox");
 // Processing when an activity arrives in the user's inbox
 export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
 	const signature = job.data.signature; // HTTP-signature
-	const activity = job.data.activity;
+	let activity = job.data.activity;

 	//#region Log
 	const info = Object.assign({}, activity) as any;
@ -155,6 +155,8 @@ export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
 				return "skip: LD-Signatureの検証に失敗しました";
 			}

+			activity = await ldSignature.compactToWellKnown(activity);
+
 			// もう一度actorチェック
 			if (authUser.user.uri !== activity.actor) {
 				return `skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${activity.actor})`;
--- a/packages/backend/src/remote/activitypub/misc/contexts.ts
+++ b/packages/backend/src/remote/activitypub/misc/contexts.ts
@ -518,6 +518,52 @@ const activitystreams = {
 	},
 };

+export const WellKnownContext = {
+	"@context": [
+		"https://www.w3.org/ns/activitystreams",
+		"https://w3id.org/security/v1",
+		{
+			// as non-standards
+			manuallyApprovesFollowers: "as:manuallyApprovesFollowers",
+			movedTo: {
+				"@id": "https://www.w3.org/ns/activitystreams#movedTo",
+				"@type": "@id"
+			},
+			movedToUri: "as:movedTo",
+			sensitive: "as:sensitive",
+			Hashtag: "as:Hashtag",
+			quoteUri: "fedibird:quoteUri",
+			quoteUrl: "as:quoteUrl",
+			// Mastodon
+			toot: "http://joinmastodon.org/ns#",
+			Emoji: "toot:Emoji",
+			featured: "toot:featured",
+			discoverable: "toot:discoverable",
+			// schema
+			schema: "http://schema.org#",
+			PropertyValue: "schema:PropertyValue",
+			value: "schema:value",
+			// Misskey
+			misskey: "https://misskey-hub.net/ns#",
+			_misskey_content: "misskey:_misskey_content",
+			_misskey_quote: "misskey:_misskey_quote",
+			_misskey_reaction: "misskey:_misskey_reaction",
+			_misskey_votes: "misskey:_misskey_votes",
+			_misskey_talk: "misskey:_misskey_talk",
+			_misskey_summary: "misskey:_misskey_summary",
+			isCat: "misskey:isCat",
+			// Fedibird
+			fedibird: "http://fedibird.com/ns#",
+			// vcard
+			vcard: "http://www.w3.org/2006/vcard/ns#",
+			// litepub
+			litepub: "http://litepub.social/ns#",
+			EmojiReact: "litepub:EmojiReact",
+			EmojiReaction: "litepub:EmojiReaction",
+		},
+	],
+};
+
 export const CONTEXTS: Record<string, unknown> = {
 	"https://w3id.org/identity/v1": id_v1,
 	"https://w3id.org/security/v1": security_v1,
--- a/packages/backend/src/remote/activitypub/misc/ld-signature.ts
+++ b/packages/backend/src/remote/activitypub/misc/ld-signature.ts
@ -1,6 +1,6 @@
 import * as crypto from "node:crypto";
 import jsonld from "jsonld";
-import { CONTEXTS } from "./contexts.js";
+import { CONTEXTS, WellKnownContext } from "./contexts.js";
 import fetch from "node-fetch";
 import { httpAgent, httpsAgent } from "@/misc/fetch.js";

@ -89,6 +89,13 @@ export class LdSignature {
 		});
 	}

+	public async compactToWellKnown(data: any): Promise<any> {
+		const options = { documentLoader: this.getLoader() };
+		const context = WellKnownContext as any;
+		delete data["signature"];
+		return await jsonld.compact(data, context, options);
+	}
+
 	private getLoader() {
 		return async (url: string): Promise<any> => {
 			if (!url.match("^https?://")) throw new Error(`Invalid URL ${url}`);
--- a/packages/backend/src/remote/activitypub/renderer/index.ts
+++ b/packages/backend/src/remote/activitypub/renderer/index.ts
@ -4,6 +4,7 @@ import { getUserKeypair } from "@/misc/keypair-store.js";
 import type { User } from "@/models/entities/user.js";
 import { LdSignature } from "../misc/ld-signature.js";
 import type { IActivity } from "../type.js";
+import { WellKnownContext } from "@/remote/activitypub/misc/contexts.js";

 export const renderActivity = (x: any): IActivity | null => {
 	if (x == null) return null;
@ -12,46 +13,7 @@ export const renderActivity = (x: any): IActivity | null => {
 		x.id = `${config.url}/${uuid()}`;
 	}

-	return Object.assign(
-		{
-			"@context": [
-				"https://www.w3.org/ns/activitystreams",
-				"https://w3id.org/security/v1",
-				{
-					// as non-standards
-					manuallyApprovesFollowers: "as:manuallyApprovesFollowers",
-					movedToUri: "as:movedTo",
-					sensitive: "as:sensitive",
-					Hashtag: "as:Hashtag",
-					quoteUri: "fedibird:quoteUri",
-					quoteUrl: "as:quoteUrl",
-					// Mastodon
-					toot: "http://joinmastodon.org/ns#",
-					Emoji: "toot:Emoji",
-					featured: "toot:featured",
-					discoverable: "toot:discoverable",
-					// schema
-					schema: "http://schema.org#",
-					PropertyValue: "schema:PropertyValue",
-					value: "schema:value",
-					// Misskey
-					misskey: "https://misskey-hub.net/ns#",
-					_misskey_content: "misskey:_misskey_content",
-					_misskey_quote: "misskey:_misskey_quote",
-					_misskey_reaction: "misskey:_misskey_reaction",
-					_misskey_votes: "misskey:_misskey_votes",
-					_misskey_talk: "misskey:_misskey_talk",
-					_misskey_summary: "misskey:_misskey_summary",
-					isCat: "misskey:isCat",
-					// Fedibird
-					fedibird: "http://fedibird.com/ns#",
-					// vcard
-					vcard: "http://www.w3.org/2006/vcard/ns#",
-				},
-			],
-		},
-		x,
-	);
+	return Object.assign({}, WellKnownContext, x);
 };

 export const attachLdSignature = async (
Author	SHA1	Message	Date
Mae Dartmann	33c4efbcd4	[chart] bump version Signed-off-by: Mae Dartmann <mae+git_work@dartmann.net>	2024-04-29 19:28:52 +02:00
Mae Dartmann	e9fdad57d5	[chart] make maxNoteLength configurable Signed-off-by: Mae Dartmann <mae+git_work@dartmann.net>	2024-04-29 19:28:52 +02:00
Laura Hausmann	f70f61523d	Release: v2023.12.7	2024-04-29 16:36:58 +02:00
Laura Hausmann	febb499fcb	[backend] Compact LD-signed activities against well-known context to defend against spoofing attacks	2024-04-29 16:36:58 +02:00