pkgs/glitch-soc: (old) security update

2024-02-16 09:11:24 +01:00 · 2024-02-16 09:11:24 +01:00 · 6d962a6291
parent 5250d8d361
commit 6d962a6291
1 changed files with 311 additions and 0 deletions
--- a/pkgs/glitch-soc/local-new-fixes.patch
+++ b/pkgs/glitch-soc/local-new-fixes.patch
@ -0,0 +1,311 @@
+commit ff58ec0103441615ecb92141113b104f13132642
+Author: Claire <claire.github-309c@sitedethib.com>
+Date:   Thu Feb 1 15:56:46 2024 +0100
+
+    Merge pull request from GHSA-3fjr-858r-92rw
+    
+    * Fix insufficient origin validation
+    
+    * Bump version to 4.3.0-alpha.1
+
+diff --git a/app/controllers/concerns/signature_verification.rb b/app/controllers/concerns/signature_verification.rb
+index 35391e64c..92f1eb5a1 100644
+--- a/app/controllers/concerns/signature_verification.rb
+++ b/app/controllers/concerns/signature_verification.rb
+@@ -266,7 +266,7 @@ module SignatureVerification
+       stoplight_wrap_request { ResolveAccountService.new.call(key_id.delete_prefix('acct:'), suppress_errors: false) }
+     elsif !ActivityPub::TagManager.instance.local_uri?(key_id)
+       account   = ActivityPub::TagManager.instance.uri_to_actor(key_id)
+-      account ||= stoplight_wrap_request { ActivityPub::FetchRemoteKeyService.new.call(key_id, id: false, suppress_errors: false) }
+      account ||= stoplight_wrap_request { ActivityPub::FetchRemoteKeyService.new.call(key_id, suppress_errors: false) }
+       account
+     end
+   rescue Mastodon::PrivateNetworkAddressError => e
+diff --git a/app/lib/activitypub/activity.rb b/app/lib/activitypub/activity.rb
+index 51384ef98..322f3e27a 100644
+--- a/app/lib/activitypub/activity.rb
+++ b/app/lib/activitypub/activity.rb
+@@ -154,7 +154,7 @@ class ActivityPub::Activity
+     if object_uri.start_with?('http')
+       return if ActivityPub::TagManager.instance.local_uri?(object_uri)
+ 
+-      ActivityPub::FetchRemoteStatusService.new.call(object_uri, id: true, on_behalf_of: @account.followers.local.first, request_id: @options[:request_id])
+      ActivityPub::FetchRemoteStatusService.new.call(object_uri, on_behalf_of: @account.followers.local.first, request_id: @options[:request_id])
+     elsif @object['url'].present?
+       ::FetchRemoteStatusService.new.call(@object['url'], request_id: @options[:request_id])
+     end
+diff --git a/app/lib/activitypub/linked_data_signature.rb b/app/lib/activitypub/linked_data_signature.rb
+index faea63e8f..9459fdd8b 100644
+--- a/app/lib/activitypub/linked_data_signature.rb
+++ b/app/lib/activitypub/linked_data_signature.rb
+@@ -19,7 +19,7 @@ class ActivityPub::LinkedDataSignature
+     return unless type == 'RsaSignature2017'
+ 
+     creator = ActivityPub::TagManager.instance.uri_to_actor(creator_uri)
+-    creator = ActivityPub::FetchRemoteKeyService.new.call(creator_uri, id: false) if creator&.public_key.blank?
+    creator = ActivityPub::FetchRemoteKeyService.new.call(creator_uri) if creator&.public_key.blank?
+ 
+     return if creator.nil?
+ 
+diff --git a/app/services/activitypub/fetch_remote_account_service.rb b/app/services/activitypub/fetch_remote_account_service.rb
+index 567dd8a14..7b083d889 100644
+--- a/app/services/activitypub/fetch_remote_account_service.rb
+++ b/app/services/activitypub/fetch_remote_account_service.rb
+@@ -2,7 +2,7 @@
+ 
+ class ActivityPub::FetchRemoteAccountService < ActivityPub::FetchRemoteActorService
+   # Does a WebFinger roundtrip on each call, unless `only_key` is true
+-  def call(uri, id: true, prefetched_body: nil, break_on_redirect: false, only_key: false, suppress_errors: true, request_id: nil)
+  def call(uri, prefetched_body: nil, break_on_redirect: false, only_key: false, suppress_errors: true, request_id: nil)
+     actor = super
+     return actor if actor.nil? || actor.is_a?(Account)
+ 
+diff --git a/app/services/activitypub/fetch_remote_actor_service.rb b/app/services/activitypub/fetch_remote_actor_service.rb
+index 8df8c7587..86a134bb4 100644
+--- a/app/services/activitypub/fetch_remote_actor_service.rb
+++ b/app/services/activitypub/fetch_remote_actor_service.rb
+@@ -10,15 +10,15 @@ class ActivityPub::FetchRemoteActorService < BaseService
+   SUPPORTED_TYPES = %w(Application Group Organization Person Service).freeze
+ 
+   # Does a WebFinger roundtrip on each call, unless `only_key` is true
+-  def call(uri, id: true, prefetched_body: nil, break_on_redirect: false, only_key: false, suppress_errors: true, request_id: nil)
+  def call(uri, prefetched_body: nil, break_on_redirect: false, only_key: false, suppress_errors: true, request_id: nil)
+     return if domain_not_allowed?(uri)
+     return ActivityPub::TagManager.instance.uri_to_actor(uri) if ActivityPub::TagManager.instance.local_uri?(uri)
+ 
+     @json = begin
+       if prefetched_body.nil?
+-        fetch_resource(uri, id)
+        fetch_resource(uri, true)
+       else
+-        body_to_json(prefetched_body, compare_id: id ? uri : nil)
+        body_to_json(prefetched_body, compare_id: uri)
+       end
+     rescue Oj::ParseError
+       raise Error, "Error parsing JSON-LD document #{uri}"
+diff --git a/app/services/activitypub/fetch_remote_key_service.rb b/app/services/activitypub/fetch_remote_key_service.rb
+index 8eb97c1e6..e96b5ad3b 100644
+--- a/app/services/activitypub/fetch_remote_key_service.rb
+++ b/app/services/activitypub/fetch_remote_key_service.rb
+@@ -6,23 +6,10 @@ class ActivityPub::FetchRemoteKeyService < BaseService
+   class Error < StandardError; end
+ 
+   # Returns actor that owns the key
+-  def call(uri, id: true, prefetched_body: nil, suppress_errors: true)
+  def call(uri, suppress_errors: true)
+     raise Error, 'No key URI given' if uri.blank?
+ 
+-    if prefetched_body.nil?
+-      if id
+-        @json = fetch_resource_without_id_validation(uri)
+-        if actor_type?
+-          @json = fetch_resource(@json['id'], true)
+-        elsif uri != @json['id']
+-          raise Error, "Fetched URI #{uri} has wrong id #{@json['id']}"
+-        end
+-      else
+-        @json = fetch_resource(uri, id)
+-      end
+-    else
+-      @json = body_to_json(prefetched_body, compare_id: id ? uri : nil)
+-    end
+    @json = fetch_resource(uri, false)
+ 
+     raise Error, "Unable to fetch key JSON at #{uri}" if @json.nil?
+     raise Error, "Unsupported JSON-LD context for document #{uri}" unless supported_context?(@json)
+diff --git a/app/services/activitypub/fetch_remote_status_service.rb b/app/services/activitypub/fetch_remote_status_service.rb
+index e3a9b60b5..6f8882378 100644
+--- a/app/services/activitypub/fetch_remote_status_service.rb
+++ b/app/services/activitypub/fetch_remote_status_service.rb
+@@ -8,14 +8,14 @@ class ActivityPub::FetchRemoteStatusService < BaseService
+   DISCOVERIES_PER_REQUEST = 1000
+ 
+   # Should be called when uri has already been checked for locality
+-  def call(uri, id: true, prefetched_body: nil, on_behalf_of: nil, expected_actor_uri: nil, request_id: nil)
+  def call(uri, prefetched_body: nil, on_behalf_of: nil, expected_actor_uri: nil, request_id: nil)
+     return if domain_not_allowed?(uri)
+ 
+     @request_id = request_id || "#{Time.now.utc.to_i}-status-#{uri}"
+     @json = if prefetched_body.nil?
+-              fetch_resource(uri, id, on_behalf_of)
+              fetch_resource(uri, true, on_behalf_of)
+             else
+-              body_to_json(prefetched_body, compare_id: id ? uri : nil)
+              body_to_json(prefetched_body, compare_id: uri)
+             end
+ 
+     return unless supported_context?
+@@ -65,7 +65,7 @@ class ActivityPub::FetchRemoteStatusService < BaseService
+ 
+   def account_from_uri(uri)
+     actor = ActivityPub::TagManager.instance.uri_to_resource(uri, Account)
+-    actor = ActivityPub::FetchRemoteAccountService.new.call(uri, id: true, request_id: @request_id) if actor.nil? || actor.possibly_stale?
+    actor = ActivityPub::FetchRemoteAccountService.new.call(uri, request_id: @request_id) if actor.nil? || actor.possibly_stale?
+     actor
+   end
+ 
+diff --git a/app/services/activitypub/process_account_service.rb b/app/services/activitypub/process_account_service.rb
+index 8fc0989a3..9e787ace5 100644
+--- a/app/services/activitypub/process_account_service.rb
+++ b/app/services/activitypub/process_account_service.rb
+@@ -277,7 +277,7 @@ class ActivityPub::ProcessAccountService < BaseService
+ 
+   def moved_account
+     account   = ActivityPub::TagManager.instance.uri_to_resource(@json['movedTo'], Account)
+-    account ||= ActivityPub::FetchRemoteAccountService.new.call(@json['movedTo'], id: true, break_on_redirect: true, request_id: @options[:request_id])
+    account ||= ActivityPub::FetchRemoteAccountService.new.call(@json['movedTo'], break_on_redirect: true, request_id: @options[:request_id])
+     account
+   end
+ 
+diff --git a/app/services/fetch_resource_service.rb b/app/services/fetch_resource_service.rb
+index a3406e5a5..71c6cca79 100644
+--- a/app/services/fetch_resource_service.rb
+++ b/app/services/fetch_resource_service.rb
+@@ -48,7 +48,15 @@ class FetchResourceService < BaseService
+       body = response.body_with_limit
+       json = body_to_json(body)
+ 
+-      [json['id'], { prefetched_body: body, id: true }] if supported_context?(json) && (equals_or_includes_any?(json['type'], ActivityPub::FetchRemoteActorService::SUPPORTED_TYPES) || expected_type?(json))
+      return unless supported_context?(json) && (equals_or_includes_any?(json['type'], ActivityPub::FetchRemoteActorService::SUPPORTED_TYPES) || expected_type?(json))
+
+      if json['id'] != @url
+        return if terminal
+
+        return process(json['id'], terminal: true)
+      end
+
+      [@url, { prefetched_body: body }]
+     elsif !terminal
+       link_header = response['Link'] && parse_link_header(response)
+ 
+diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb
+index b55873a3c..511c64778 100644
+--- a/lib/mastodon/version.rb
+++ b/lib/mastodon/version.rb
+@@ -17,7 +17,7 @@ module Mastodon
+     end
+ 
+     def default_prerelease
+-      'alpha.0'
+      'alpha.1'
+     end
+ 
+     def prerelease
+diff --git a/spec/lib/activitypub/linked_data_signature_spec.rb b/spec/lib/activitypub/linked_data_signature_spec.rb
+index 97268eea6..1af45673c 100644
+--- a/spec/lib/activitypub/linked_data_signature_spec.rb
+++ b/spec/lib/activitypub/linked_data_signature_spec.rb
+@@ -56,7 +56,7 @@ RSpec.describe ActivityPub::LinkedDataSignature do
+ 
+         allow(ActivityPub::FetchRemoteKeyService).to receive(:new).and_return(service_stub)
+ 
+-        allow(service_stub).to receive(:call).with('http://example.com/alice', id: false) do
+        allow(service_stub).to receive(:call).with('http://example.com/alice') do
+           sender.update!(public_key: old_key)
+           sender
+         end
+@@ -64,7 +64,7 @@ RSpec.describe ActivityPub::LinkedDataSignature do
+ 
+       it 'fetches key and returns creator' do
+         expect(subject.verify_actor!).to eq sender
+-        expect(service_stub).to have_received(:call).with('http://example.com/alice', id: false).once
+        expect(service_stub).to have_received(:call).with('http://example.com/alice').once
+       end
+     end
+ 
+diff --git a/spec/services/activitypub/fetch_remote_account_service_spec.rb b/spec/services/activitypub/fetch_remote_account_service_spec.rb
+index ac7484d96..f33a928da 100644
+--- a/spec/services/activitypub/fetch_remote_account_service_spec.rb
+++ b/spec/services/activitypub/fetch_remote_account_service_spec.rb
+@@ -18,7 +18,7 @@ RSpec.describe ActivityPub::FetchRemoteAccountService, type: :service do
+   end
+ 
+   describe '#call' do
+-    let(:account) { subject.call('https://example.com/alice', id: true) }
+    let(:account) { subject.call('https://example.com/alice') }
+ 
+     shared_examples 'sets profile data' do
+       it 'returns an account' do
+diff --git a/spec/services/activitypub/fetch_remote_actor_service_spec.rb b/spec/services/activitypub/fetch_remote_actor_service_spec.rb
+index 93d31b69d..944a2f8b1 100644
+--- a/spec/services/activitypub/fetch_remote_actor_service_spec.rb
+++ b/spec/services/activitypub/fetch_remote_actor_service_spec.rb
+@@ -18,7 +18,7 @@ RSpec.describe ActivityPub::FetchRemoteActorService, type: :service do
+   end
+ 
+   describe '#call' do
+-    let(:account) { subject.call('https://example.com/alice', id: true) }
+    let(:account) { subject.call('https://example.com/alice') }
+ 
+     shared_examples 'sets profile data' do
+       it 'returns an account' do
+diff --git a/spec/services/activitypub/fetch_remote_key_service_spec.rb b/spec/services/activitypub/fetch_remote_key_service_spec.rb
+index e210d20ec..0b14da4f4 100644
+--- a/spec/services/activitypub/fetch_remote_key_service_spec.rb
+++ b/spec/services/activitypub/fetch_remote_key_service_spec.rb
+@@ -55,7 +55,7 @@ RSpec.describe ActivityPub::FetchRemoteKeyService, type: :service do
+   end
+ 
+   describe '#call' do
+-    let(:account) { subject.call(public_key_id, id: false) }
+    let(:account) { subject.call(public_key_id) }
+ 
+     context 'when the key is a sub-object from the actor' do
+       before do
+diff --git a/spec/services/fetch_resource_service_spec.rb b/spec/services/fetch_resource_service_spec.rb
+index 0f1068471..78037a06c 100644
+--- a/spec/services/fetch_resource_service_spec.rb
+++ b/spec/services/fetch_resource_service_spec.rb
+@@ -57,7 +57,7 @@ RSpec.describe FetchResourceService, type: :service do
+ 
+       let(:json) do
+         {
+-          id: 1,
+          id: 'http://example.com/foo',
+           '@context': ActivityPub::TagManager::CONTEXT,
+           type: 'Note',
+         }.to_json
+@@ -83,27 +83,27 @@ RSpec.describe FetchResourceService, type: :service do
+         let(:content_type) { 'application/activity+json; charset=utf-8' }
+         let(:body) { json }
+ 
+-        it { is_expected.to eq [1, { prefetched_body: body, id: true }] }
+        it { is_expected.to eq ['http://example.com/foo', { prefetched_body: body }] }
+       end
+ 
+       context 'when content type is ld+json with profile' do
+         let(:content_type) { 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' }
+         let(:body) { json }
+ 
+-        it { is_expected.to eq [1, { prefetched_body: body, id: true }] }
+        it { is_expected.to eq ['http://example.com/foo', { prefetched_body: body }] }
+       end
+ 
+       context 'when link header is present' do
+         let(:headers) { { 'Link' => '<http://example.com/foo>; rel="alternate"; type="application/activity+json"' } }
+ 
+-        it { is_expected.to eq [1, { prefetched_body: json, id: true }] }
+        it { is_expected.to eq ['http://example.com/foo', { prefetched_body: json }] }
+       end
+ 
+       context 'when content type is text/html' do
+         let(:content_type) { 'text/html' }
+         let(:body) { '<html><head><link rel="alternate" href="http://example.com/foo" type="application/activity+json"/></head></html>' }
+ 
+-        it { is_expected.to eq [1, { prefetched_body: json, id: true }] }
+        it { is_expected.to eq ['http://example.com/foo', { prefetched_body: json }] }
+       end
+     end
+   end
+diff --git a/spec/services/resolve_url_service_spec.rb b/spec/services/resolve_url_service_spec.rb
+index bcfb9dbfb..5270cc10d 100644
+--- a/spec/services/resolve_url_service_spec.rb
+++ b/spec/services/resolve_url_service_spec.rb
+@@ -139,6 +139,7 @@ describe ResolveURLService, type: :service do
+         stub_request(:get, url).to_return(status: 302, headers: { 'Location' => status_url })
+         body = ActiveModelSerializers::SerializableResource.new(status, serializer: ActivityPub::NoteSerializer, adapter: ActivityPub::Adapter).to_json
+         stub_request(:get, status_url).to_return(body: body, headers: { 'Content-Type' => 'application/activity+json' })
+        stub_request(:get, uri).to_return(body: body, headers: { 'Content-Type' => 'application/activity+json' })
+       end
+ 
+       it 'returns status by url' do