Compare commits
4 commits
dcfa69ff9d
...
33c4efbcd4
Author | SHA1 | Date | |
---|---|---|---|
33c4efbcd4 | |||
e9fdad57d5 | |||
Laura Hausmann | f70f61523d | ||
Laura Hausmann | febb499fcb |
24
CHANGELOG.md
24
CHANGELOG.md
|
@ -1,3 +1,27 @@
|
|||
## v2023.12.7
|
||||
This is a security release. Upgrading is therefore strongly recommended.
|
||||
|
||||
### Backend
|
||||
- Incoming LD-signed activities are now compacted against a well-known context to defend against spoofing attacks
|
||||
- The automatically followed account property no longer gets set to a random (possibly non-local) user on instance settings updates
|
||||
- The TypeORM logger is now much more configurable
|
||||
- The bull dashboard now has the correct cache-control headers set
|
||||
|
||||
### Mastodon client API
|
||||
- The quote_id property is now returned for note responses
|
||||
- The note search query now sets the userId property correctly, solving the problem of mismatching search results between the web client and the Mastodon client API
|
||||
- The user profile html cache now gets updated and queried using the correct timestamp for local users, resolving an issue of stale data being displayed in some circumstances
|
||||
|
||||
### Miscellaneous
|
||||
- The yarn version was updated to 4.1.1
|
||||
- The Dockerfile was updated to work better with some build systems that don't support cp -Tr
|
||||
- The helm chart now has an option to set the number of worker threads
|
||||
|
||||
### Attribution
|
||||
This release was made possible by project contributors: Ezeani Emmanuel, Laura Hausmann, Mae Dartmann & mei23
|
||||
|
||||
Furthermore, I want to give special thanks to tesaguri for the security disclosure.
|
||||
|
||||
## v2023.12.6
|
||||
This is a security release. Upgrading is therefore strongly recommended.
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ type: application
|
|||
# This is the chart version. This version number should be incremented each time you make changes
|
||||
# to the chart and its templates, including the app version.
|
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||
version: 0.1.2
|
||||
version: 0.1.3
|
||||
|
||||
# This is the version number of the application being deployed. This version number should be
|
||||
# incremented each time you make changes to the application. Versions are not expected to
|
||||
|
|
|
@ -31,6 +31,7 @@ A fun, new, open way to experience social media https://iceshrimp.dev
|
|||
| iceshrimp.libreTranslate.apiKey | string | `""` | |
|
||||
| iceshrimp.libreTranslate.apiUrl | string | `""` | |
|
||||
| iceshrimp.libreTranslate.managed | bool | `false` | |
|
||||
| iceshrimp.maxNoteLength | integer | `3000` | Max note length |
|
||||
| iceshrimp.objectStorage.access_key | string | `""` | |
|
||||
| iceshrimp.objectStorage.access_secret | string | `""` | |
|
||||
| iceshrimp.objectStorage.baseUrl | string | `""` | |
|
||||
|
|
|
@ -211,7 +211,7 @@ id: 'aid'
|
|||
#───┘ Other configuration └─────────────────────────────────────
|
||||
|
||||
# Max note length, should be < 8000.
|
||||
#maxNoteLength: 3000
|
||||
maxNoteLength: {{ .Values.iceshrimp.maxNoteLength | default 3000 }}
|
||||
|
||||
# Maximum lenght of an image caption or file comment (default 1500, max 8192)
|
||||
#maxCaptionLength: 1500
|
||||
|
|
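Review bot: The template now renders whatever `.Values.iceshrimp.maxNoteLength` holds, while the comment two lines above it says the value should be < 8000; nothing in this hunk, nor in the values.yaml hunk below whose new entry carries only `# Max note length`, states or enforces that bound where operators set it. If the bound is hard, either say so in values.yaml, `# Max note length (must be < 8000)`, or fail the render: `{{- if ge (int .Values.iceshrimp.maxNoteLength) 8000 }}{{ fail "iceshrimp.maxNoteLength must be < 8000" }}{{- end }}`. Note also that Helm's `default` treats 0 as unset, so an explicit `maxNoteLength: 0` silently becomes 3000.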
|
@ -68,6 +68,9 @@ iceshrimp:
|
|||
# Number of worker processes per replica
|
||||
clusterLimit: 1
|
||||
|
||||
# Max note length
|
||||
maxNoteLength: 3000
|
||||
|
||||
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
|
||||
postgresql:
|
||||
# -- disable if you want to use an existing db; in which case the values below
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"name": "iceshrimp",
|
||||
"version": "2023.12.6",
|
||||
"version": "2023.12.7",
|
||||
"repository": {
|
||||
"type": "git",
|
||||
"url": "https://iceshrimp.dev/iceshrimp/iceshrimp.git"
|
||||
|
|
|
@ -29,7 +29,7 @@ const logger = new Logger("inbox");
|
|||
// Processing when an activity arrives in the user's inbox
|
||||
export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
|
||||
const signature = job.data.signature; // HTTP-signature
|
||||
const activity = job.data.activity;
|
||||
let activity = job.data.activity;
|
||||
|
||||
//#region Log
|
||||
const info = Object.assign({}, activity) as any;
|
||||
|
@ -155,6 +155,8 @@ export default async (job: Bull.Job<InboxJobData>): Promise<string> => {
|
|||
return "skip: LD-Signatureの検証に失敗しました";
|
||||
}
|
||||
|
||||
activity = await ldSignature.compactToWellKnown(activity);
|
||||
|
||||
// もう一度actorチェック
|
||||
if (authUser.user.uri !== activity.actor) {
|
||||
return `skip: LD-Signature user(${authUser.user.uri}) !== activity.actor(${activity.actor})`;
|
||||
|
|
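Review bot: The added `activity = await ldSignature.compactToWellKnown(activity);` is unguarded, whereas the verification failure just above it returns a `skip:` string. A document whose `@context` cannot be expanded or resolved makes `jsonld.compact` reject, so unless an enclosing `try` outside the hunk catches it, the rejection leaves the processor as a job failure (and a Bull retry) instead of a skip; consider `try { activity = await ldSignature.compactToWellKnown(activity); } catch { return "skip: LD-Signature compaction failed"; }`. Note too that the `info` log copy in the first hunk is taken before compaction, so what gets logged may not be the shape the actor check below now sees. The processor's body continues outside both hunks.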
|
@ -518,6 +518,52 @@ const activitystreams = {
|
|||
},
|
||||
};
|
||||
|
||||
export const WellKnownContext = {
|
||||
"@context": [
|
||||
"https://www.w3.org/ns/activitystreams",
|
||||
"https://w3id.org/security/v1",
|
||||
{
|
||||
// as non-standards
|
||||
manuallyApprovesFollowers: "as:manuallyApprovesFollowers",
|
||||
movedTo: {
|
||||
"@id": "https://www.w3.org/ns/activitystreams#movedTo",
|
||||
"@type": "@id"
|
||||
},
|
||||
movedToUri: "as:movedTo",
|
||||
sensitive: "as:sensitive",
|
||||
Hashtag: "as:Hashtag",
|
||||
quoteUri: "fedibird:quoteUri",
|
||||
quoteUrl: "as:quoteUrl",
|
||||
// Mastodon
|
||||
toot: "http://joinmastodon.org/ns#",
|
||||
Emoji: "toot:Emoji",
|
||||
featured: "toot:featured",
|
||||
discoverable: "toot:discoverable",
|
||||
// schema
|
||||
schema: "http://schema.org#",
|
||||
PropertyValue: "schema:PropertyValue",
|
||||
value: "schema:value",
|
||||
// Misskey
|
||||
misskey: "https://misskey-hub.net/ns#",
|
||||
_misskey_content: "misskey:_misskey_content",
|
||||
_misskey_quote: "misskey:_misskey_quote",
|
||||
_misskey_reaction: "misskey:_misskey_reaction",
|
||||
_misskey_votes: "misskey:_misskey_votes",
|
||||
_misskey_talk: "misskey:_misskey_talk",
|
||||
_misskey_summary: "misskey:_misskey_summary",
|
||||
isCat: "misskey:isCat",
|
||||
// Fedibird
|
||||
fedibird: "http://fedibird.com/ns#",
|
||||
// vcard
|
||||
vcard: "http://www.w3.org/2006/vcard/ns#",
|
||||
// litepub
|
||||
litepub: "http://litepub.social/ns#",
|
||||
EmojiReact: "litepub:EmojiReact",
|
||||
EmojiReaction: "litepub:EmojiReaction",
|
||||
},
|
||||
],
|
||||
};
|
||||
|
||||
export const CONTEXTS: Record<string, unknown> = {
|
||||
"https://w3id.org/identity/v1": id_v1,
|
||||
"https://w3id.org/security/v1": security_v1,
|
||||
|
|
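Review bot: `WellKnownContext` carries no comment saying what it is for, although it now serves two roles: the outbound `@context` in renderActivity and the compaction target for verified inbound LD-signed activities in compactToWellKnown, and it deliberately differs from the context the renderer used to inline (it adds `movedTo` as an `@id`-typed term and the litepub `EmojiReact`/`EmojiReaction` terms). Suggest a TSDoc block above the export: `/** Fixed JSON-LD context for all outbound activities and the target every verified inbound LD-signed activity is compacted against, so property names carry the meaning this code expects regardless of the sender's own @context. Adding or changing a term here changes how incoming documents are interpreted. */`. The surrounding `activitystreams` object starts outside the hunk.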
|
@ -1,6 +1,6 @@
|
|||
import * as crypto from "node:crypto";
|
||||
import jsonld from "jsonld";
|
||||
import { CONTEXTS } from "./contexts.js";
|
||||
import { CONTEXTS, WellKnownContext } from "./contexts.js";
|
||||
import fetch from "node-fetch";
|
||||
import { httpAgent, httpsAgent } from "@/misc/fetch.js";
|
||||
|
||||
|
@ -89,6 +89,13 @@ export class LdSignature {
|
|||
});
|
||||
}
|
||||
|
||||
public async compactToWellKnown(data: any): Promise<any> {
|
||||
const options = { documentLoader: this.getLoader() };
|
||||
const context = WellKnownContext as any;
|
||||
delete data["signature"];
|
||||
return await jsonld.compact(data, context, options);
|
||||
}
|
||||
|
||||
private getLoader() {
|
||||
return async (url: string): Promise<any> => {
|
||||
if (!url.match("^https?://")) throw new Error(`Invalid URL ${url}`);
|
||||
|
|
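Review bot: `compactToWellKnown` deletes `signature` from the caller's object in place before compacting, a side effect neither its name nor a comment announces; the inbox caller overwrites its variable with the result so it is harmless there, but a caller that keeps a reference to the input silently loses the signature. Work on a copy instead: `const body = { ...data }; delete body.signature; return await jsonld.compact(body, context, options);`, and prefer `Record<string, unknown>` over `any` for the parameter and return. Compaction still expands the document against its own `@context` first, so `getLoader` is consulted for every context IRI the inbound document names; the loader's body continues outside the hunk, so whether IRIs not covered by CONTEXTS are fetched over the network cannot be confirmed here, and a one-line comment on the method stating which it is would help reviewers of the inbound path.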
|
@ -4,6 +4,7 @@ import { getUserKeypair } from "@/misc/keypair-store.js";
|
|||
import type { User } from "@/models/entities/user.js";
|
||||
import { LdSignature } from "../misc/ld-signature.js";
|
||||
import type { IActivity } from "../type.js";
|
||||
import { WellKnownContext } from "@/remote/activitypub/misc/contexts.js";
|
||||
|
||||
export const renderActivity = (x: any): IActivity | null => {
|
||||
if (x == null) return null;
|
||||
|
@ -12,46 +13,7 @@ export const renderActivity = (x: any): IActivity | null => {
|
|||
x.id = `${config.url}/${uuid()}`;
|
||||
}
|
||||
|
||||
return Object.assign(
|
||||
{
|
||||
"@context": [
|
||||
"https://www.w3.org/ns/activitystreams",
|
||||
"https://w3id.org/security/v1",
|
||||
{
|
||||
// as non-standards
|
||||
manuallyApprovesFollowers: "as:manuallyApprovesFollowers",
|
||||
movedToUri: "as:movedTo",
|
||||
sensitive: "as:sensitive",
|
||||
Hashtag: "as:Hashtag",
|
||||
quoteUri: "fedibird:quoteUri",
|
||||
quoteUrl: "as:quoteUrl",
|
||||
// Mastodon
|
||||
toot: "http://joinmastodon.org/ns#",
|
||||
Emoji: "toot:Emoji",
|
||||
featured: "toot:featured",
|
||||
discoverable: "toot:discoverable",
|
||||
// schema
|
||||
schema: "http://schema.org#",
|
||||
PropertyValue: "schema:PropertyValue",
|
||||
value: "schema:value",
|
||||
// Misskey
|
||||
misskey: "https://misskey-hub.net/ns#",
|
||||
_misskey_content: "misskey:_misskey_content",
|
||||
_misskey_quote: "misskey:_misskey_quote",
|
||||
_misskey_reaction: "misskey:_misskey_reaction",
|
||||
_misskey_votes: "misskey:_misskey_votes",
|
||||
_misskey_talk: "misskey:_misskey_talk",
|
||||
_misskey_summary: "misskey:_misskey_summary",
|
||||
isCat: "misskey:isCat",
|
||||
// Fedibird
|
||||
fedibird: "http://fedibird.com/ns#",
|
||||
// vcard
|
||||
vcard: "http://www.w3.org/2006/vcard/ns#",
|
||||
},
|
||||
],
|
||||
},
|
||||
x,
|
||||
);
|
||||
return Object.assign({}, WellKnownContext, x);
|
||||
};
|
||||
|
||||
export const attachLdSignature = async (
|
||||
|
|
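Review bot: `Object.assign({}, WellKnownContext, x)` copies the `"@context"` array by reference, so every rendered activity now shares the single module-level `WellKnownContext["@context"]`, whereas the removed inline literal allocated a fresh array per call. Any consumer that mutates an activity's `@context` in place would alter it for all later activities and for inbound compaction; no such mutation is visible on this page, but a clone removes the hazard: `return Object.assign(structuredClone(WellKnownContext), x);` (Node 17+). Minor: the new import uses the `@/remote/activitypub/misc/contexts.js` alias while the sibling imports on the lines above are relative, so `../misc/contexts.js` would match the file's style. renderActivity begins in the first hunk and the file continues past the second.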