From 28a9d3e16abe5c8249dafe46086308df8638d459 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 26 May 2022 18:43:14 +0200
Subject: [PATCH 01/10] Remove 3.3.x from supported versions in security policy
(#18516)
---
SECURITY.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SECURITY.md b/SECURITY.md
index 12f50ed880..62e23f7360 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -14,7 +14,7 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
| ------- | ------------------ |
| 3.5.x | Yes |
| 3.4.x | Yes |
-| 3.3.x | Yes |
+| 3.3.x | No |
| < 3.3 | No |
[bug-bounty]: https://app.intigriti.com/programs/mastodon/mastodonio/detail
From 5fba206a5f51c4b343a94d99f5f7864504ffbb72 Mon Sep 17 00:00:00 2001
From: Yamagishi Kazutoshi <ykzts@desire.sh>
Date: Fri, 27 May 2022 03:29:28 +0900
Subject: [PATCH 02/10] Add ES6 compatibility to browserslist (#18519)
---
.browserslistrc | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.browserslistrc b/.browserslistrc
index d5734664cc..54dd3aaf34 100644
--- a/.browserslistrc
+++ b/.browserslistrc
@@ -4,6 +4,4 @@ not IE 11
not dead
[development]
-last 1 chrome version
-last 1 firefox version
-last 1 safari version
+supports es6-module
From 35ebb5571edeb5f1336b4d7ee3cf3c4d5bd3bb4b Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 26 May 2022 20:32:48 +0200
Subject: [PATCH 03/10] Fix follower and other counters being able to go
negative (#18517)
---
app/models/account_stat.rb | 12 ++++++++++++
app/models/status_stat.rb | 12 ++++++++++++
2 files changed, 24 insertions(+)
diff --git a/app/models/account_stat.rb b/app/models/account_stat.rb
index b49827267a..a5d71a5b8c 100644
--- a/app/models/account_stat.rb
+++ b/app/models/account_stat.rb
@@ -20,4 +20,16 @@ class AccountStat < ApplicationRecord
belongs_to :account, inverse_of: :account_stat
update_index('accounts', :account)
+
+ def following_count
+ [attributes['following_count'], 0].max
+ end
+
+ def followers_count
+ [attributes['followers_count'], 0].max
+ end
+
+ def statuses_count
+ [attributes['statuses_count'], 0].max
+ end
end
diff --git a/app/models/status_stat.rb b/app/models/status_stat.rb
index 024c467e71..437861d1c4 100644
--- a/app/models/status_stat.rb
+++ b/app/models/status_stat.rb
@@ -17,6 +17,18 @@ class StatusStat < ApplicationRecord
after_commit :reset_parent_cache
+ def replies_count
+ [attributes['replies_count'], 0].max
+ end
+
+ def reblogs_count
+ [attributes['reblogs_count'], 0].max
+ end
+
+ def favourites_count
+ [attributes['favourites_count'], 0].max
+ end
+
private
def reset_parent_cache
From 89d4d6fd3b8c43782d1f52249718c546bcc303f1 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 26 May 2022 22:03:54 +0200
Subject: [PATCH 04/10] Fix confirmation redirect to app without `Location`
header (#18523)
---
app/controllers/auth/confirmations_controller.rb | 2 +-
app/lib/application_extension.rb | 4 ++++
config/initializers/doorkeeper.rb | 7 +++++++
3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/app/controllers/auth/confirmations_controller.rb b/app/controllers/auth/confirmations_controller.rb
index 1475bbcefa..010fd37556 100644
--- a/app/controllers/auth/confirmations_controller.rb
+++ b/app/controllers/auth/confirmations_controller.rb
@@ -40,7 +40,7 @@ class Auth::ConfirmationsController < Devise::ConfirmationsController
def after_confirmation_path_for(_resource_name, user)
if user.created_by_application && truthy_param?(:redirect_to_app)
- user.created_by_application.redirect_uri
+ user.created_by_application.confirmation_redirect_uri
else
super
end
diff --git a/app/lib/application_extension.rb b/app/lib/application_extension.rb
index a1fea6430a..d61ec0e6e7 100644
--- a/app/lib/application_extension.rb
+++ b/app/lib/application_extension.rb
@@ -12,4 +12,8 @@ module ApplicationExtension
def most_recently_used_access_token
@most_recently_used_access_token ||= access_tokens.where.not(last_used_at: nil).order(last_used_at: :desc).first
end
+
+ def confirmation_redirect_uri
+ redirect_uri.lines.first.strip
+ end
end
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index f78db86534..84b649f5c1 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -128,6 +128,13 @@ Doorkeeper.configure do
#
force_ssl_in_redirect_uri false
+ # Specify what redirect URI's you want to block during Application creation.
+ # Any redirect URI is whitelisted by default.
+ #
+ # You can use this option in order to forbid URI's with 'javascript' scheme
+ # for example.
+ forbid_redirect_uri { |uri| %w[data vbscript javascript].include?(uri.scheme.to_s.downcase) }
+
# Specify what grant flows are enabled in array of Strings. The valid
# strings and the flows they enable are:
#
From b264197a1df3e43abb112a66169e2c5307b180a5 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 26 May 2022 22:04:05 +0200
Subject: [PATCH 05/10] Fix suspended users being able to access APIs that
don't require a user (#18524)
---
app/controllers/activitypub/base_controller.rb | 1 +
app/controllers/api/base_controller.rb | 5 +++++
2 files changed, 6 insertions(+)
diff --git a/app/controllers/activitypub/base_controller.rb b/app/controllers/activitypub/base_controller.rb
index 196d85a326..b8a7e0ab96 100644
--- a/app/controllers/activitypub/base_controller.rb
+++ b/app/controllers/activitypub/base_controller.rb
@@ -2,6 +2,7 @@
class ActivityPub::BaseController < Api::BaseController
skip_before_action :require_authenticated_user!
+ skip_before_action :require_not_suspended!
skip_around_action :set_locale
private
diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index d96285b440..2e393fbb6f 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -11,6 +11,7 @@ class Api::BaseController < ApplicationController
skip_before_action :require_functional!, unless: :whitelist_mode?
before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
+ before_action :require_not_suspended!
before_action :set_cache_headers
protect_from_forgery with: :null_session
@@ -97,6 +98,10 @@ class Api::BaseController < ApplicationController
render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
end
+ def require_not_suspended!
+ render json: { error: 'Your login is currently disabled' }, status: 403 if current_user&.account&.suspended?
+ end
+
def require_user!
if !current_user
render json: { error: 'This method requires an authenticated user' }, status: 422
From e8717256681f7ee8383648eec5908ebdf7002913 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 26 May 2022 22:04:16 +0200
Subject: [PATCH 06/10] Fix moderator leak in undo_mark_statuses_as_sensitive
(#18525)
Signed-off-by: Eugen Rochko <eugen@zeonfederated.com>
Co-authored-by: 40826d <74816220+40826d@users.noreply.github.com>
---
app/services/approve_appeal_service.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/services/approve_appeal_service.rb b/app/services/approve_appeal_service.rb
index 37a08b46e3..96aaaa7d07 100644
--- a/app/services/approve_appeal_service.rb
+++ b/app/services/approve_appeal_service.rb
@@ -52,8 +52,9 @@ class ApproveAppealService < BaseService
end
def undo_mark_statuses_as_sensitive!
+ representative_account = Account.representative
@strike.statuses.includes(:media_attachments).each do |status|
- UpdateStatusService.new.call(status, @current_account.id, sensitive: false) if status.with_media?
+ UpdateStatusService.new.call(status, representative_account.id, sensitive: false) if status.with_media?
end
end
From 49c6b3736a910f21063304affc8ae52e72d676ab Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 26 May 2022 22:06:10 +0200
Subject: [PATCH 07/10] Fix empty votes arbitrarily increasing voters count in
polls (#18526)
---
app/services/vote_service.rb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/app/services/vote_service.rb b/app/services/vote_service.rb
index ccd04dbfcb..114ec285c8 100644
--- a/app/services/vote_service.rb
+++ b/app/services/vote_service.rb
@@ -7,6 +7,8 @@ class VoteService < BaseService
include Lockable
def call(account, poll, choices)
+ return if choices.empty?
+
authorize_with account, poll, :vote?
@account = account
From 4bb50e32e43878ce3210053938f166d1a1056305 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 26 May 2022 22:08:02 +0200
Subject: [PATCH 08/10] Fix being able to report otherwise inaccessible
statuses (#18528)
---
app/models/admin/status_batch_action.rb | 6 +++++-
app/services/report_service.rb | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/models/admin/status_batch_action.rb b/app/models/admin/status_batch_action.rb
index 631af183c2..7bf6fa6daf 100644
--- a/app/models/admin/status_batch_action.rb
+++ b/app/models/admin/status_batch_action.rb
@@ -103,7 +103,7 @@ class Admin::StatusBatchAction
def handle_report!
@report = Report.new(report_params) unless with_report?
- @report.status_ids = (@report.status_ids + status_ids.map(&:to_i)).uniq
+ @report.status_ids = (@report.status_ids + allowed_status_ids).uniq
@report.save!
@report_id = @report.id
@@ -135,4 +135,8 @@ class Admin::StatusBatchAction
def report_params
{ account: current_account, target_account: target_account }
end
+
+ def allowed_status_ids
+ AccountStatusesFilter.new(@report.target_account, current_account).results.with_discarded.where(id: status_ids).pluck(:id)
+ end
end
diff --git a/app/services/report_service.rb b/app/services/report_service.rb
index 9d784c341a..d251bb33f0 100644
--- a/app/services/report_service.rb
+++ b/app/services/report_service.rb
@@ -57,7 +57,7 @@ class ReportService < BaseService
end
def reported_status_ids
- @target_account.statuses.with_discarded.find(Array(@status_ids)).pluck(:id)
+ AccountStatusesFilter.new(@target_account, @source_account).results.with_discarded.find(Array(@status_ids)).pluck(:id)
end
def payload
From a4410daf1329f1d9236bb4648bc886f9e4708062 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 26 May 2022 22:08:12 +0200
Subject: [PATCH 09/10] Fix being able to appeal a strike unlimited times
(#18529)
Peculiarity of the `has_one` association is that the convenience
creation method deletes the previous association even if the new
one is invalid
---
app/services/appeal_service.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/services/appeal_service.rb b/app/services/appeal_service.rb
index 1397c50f5f..cef9be05fd 100644
--- a/app/services/appeal_service.rb
+++ b/app/services/appeal_service.rb
@@ -14,7 +14,8 @@ class AppealService < BaseService
private
def create_appeal!
- @appeal = @strike.create_appeal!(
+ @appeal = Appeal.create!(
+ strike: @strike,
text: @text,
account: @strike.target_account
)
From 902d3627e2e3b7b98a779d99b8808f62edde6a62 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 26 May 2022 22:14:47 +0200
Subject: [PATCH 10/10] Fix concurrent unfollowing decrementing follower count
more than once (#18527)
---
app/services/unfollow_service.rb | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/services/unfollow_service.rb b/app/services/unfollow_service.rb
index 151f3674fd..d83a60e4e7 100644
--- a/app/services/unfollow_service.rb
+++ b/app/services/unfollow_service.rb
@@ -2,6 +2,8 @@
class UnfollowService < BaseService
include Payloadable
+ include Redisable
+ include Lockable
# Unfollow and notify the remote user
# @param [Account] source_account Where to unfollow from
@@ -13,7 +15,9 @@ class UnfollowService < BaseService
@target_account = target_account
@options = options
- unfollow! || undo_follow_request!
+ with_lock("relationship:#{[source_account.id, target_account.id].sort.join(':')}") do
+ unfollow! || undo_follow_request!
+ end
end
private