tarrien/Mastodon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' into glitch-soc/merge-upstream

Browse Source 
Conflicts:
- `app/controllers/activitypub/collections_controller.rb`:
  Conflict due to glitch-soc having to take care of local-only
  pinned toots in that controller.
  Took upstream's changes and restored the local-only special
  handling.
- `app/controllers/auth/sessions_controller.rb`:
  Minor conflicts due to the theming system, applied upstream
  changes, adapted the following two files for glitch-soc's
  theming system:
  - `app/controllers/concerns/sign_in_token_authentication_concern.rb`
  - `app/controllers/concerns/two_factor_authentication_concern.rb`
- `app/services/backup_service.rb`:
  Minor conflict due to glitch-soc having to handle local-only
  toots specially. Applied upstream changes and restored
  the local-only special handling.
- `app/views/admin/custom_emojis/index.html.haml`:
  Minor conflict due to the theming system.
- `package.json`:
  Upstream dependency updated, too close to a glitch-soc-only
  dependency in the file.
- `yarn.lock`:
  Upstream dependency updated, too close to a glitch-soc-only
  dependency in the file.
This commit is contained in:
Thibaut Girka
2020-06-09 10:39:20 +02:00
parent f328f2faa3 89f40b6c3e
commit 12c8ac9e14
246 changed files with 5027 additions and 1354 deletions
Download Patch File Download Diff File Expand all files Collapse all files

242
config/brakeman.ignore
View File

@@ -1,25 +1,5 @@
{
"ignored_warnings": [
{
"warning_type": "Mass Assignment",
"warning_code": 105,
"fingerprint": "0117d2be5947ea4e4fbed9c15f23c6615b12c6892973411820c83d079808819d",
"check_name": "PermitAttributes",
"message": "Potentially dangerous key allowed for mass assignment",
"file": "app/controllers/api/v1/search_controller.rb",
"line": 30,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
"code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
"render_path": null,
"location": {
"type": "method",
"class": "Api::V1::SearchController",
"method": "search_params"
},
"user_input": ":account_id",
"confidence": "High",
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
@@ -27,7 +7,7 @@
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/report.rb",
"line": 90,
"line": 112,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")",
"render_path": null,
@@ -47,7 +27,7 @@
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/status.rb",
"line": 87,
"line": 100,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
"render_path": null,
@@ -61,39 +41,62 @@
"note": ""
},
{
"warning_type": "Mass Assignment",
"warning_code": 105,
"fingerprint": "28d81cc22580ef76e912b077b245f353499aa27b3826476667224c00227af2a9",
"check_name": "PermitAttributes",
"message": "Potentially dangerous key allowed for mass assignment",
"file": "app/controllers/admin/reports_controller.rb",
"line": 56,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
"code": "params.permit(:account_id, :resolved, :target_account_id)",
"render_path": null,
"warning_type": "Dynamic Render Path",
"warning_code": 15,
"fingerprint": "20a660939f2bbf8c665e69f2844031c0564524689a9570a0091ed94846212020",
"check_name": "Render",
"message": "Render path contains parameter value",
"file": "app/views/admin/action_logs/index.html.haml",
"line": 26,
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
"code": "render(action => Admin::ActionLogFilter.new(filter_params).results.page(params[:page]), {})",
"render_path": [
{
"type": "controller",
"class": "Admin::ActionLogsController",
"method": "index",
"line": 8,
"file": "app/controllers/admin/action_logs_controller.rb",
"rendered": {
"name": "admin/action_logs/index",
"file": "app/views/admin/action_logs/index.html.haml"
}
}
],
"location": {
"type": "method",
"class": "Admin::ReportsController",
"method": "filter_params"
"type": "template",
"template": "admin/action_logs/index"
},
"user_input": ":account_id",
"confidence": "High",
"user_input": "params[:page]",
"confidence": "Weak",
"note": ""
},
{
"warning_type": "Dynamic Render Path",
"warning_code": 15,
"fingerprint": "4b6a895e2805578d03ceedbe1d469cc75a0c759eba093722523edb4b8683c873",
"fingerprint": "371fe16dc4c9d6ab08a20437d65be4825776107a67c38f6d4780a9c703cd44a5",
"check_name": "Render",
"message": "Render path contains parameter value",
"file": "app/views/admin/action_logs/index.html.haml",
"line": 4,
"file": "app/views/admin/email_domain_blocks/index.html.haml",
"line": 17,
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
"code": "render(action => Admin::ActionLog.page(params[:page]), {})",
"render_path": [{"type":"controller","class":"Admin::ActionLogsController","method":"index","line":7,"file":"app/controllers/admin/action_logs_controller.rb","rendered":{"name":"admin/action_logs/index","file":"/home/eugr/Projects/mastodon/app/views/admin/action_logs/index.html.haml"}}],
"code": "render(action => EmailDomainBlock.where(:parent_id => nil).includes(:children).order(:id => :desc).page(params[:page]), {})",
"render_path": [
{
"type": "controller",
"class": "Admin::EmailDomainBlocksController",
"method": "index",
"line": 10,
"file": "app/controllers/admin/email_domain_blocks_controller.rb",
"rendered": {
"name": "admin/email_domain_blocks/index",
"file": "app/views/admin/email_domain_blocks/index.html.haml"
}
}
],
"location": {
"type": "template",
"template": "admin/action_logs/index"
"template": "admin/email_domain_blocks/index"
},
"user_input": "params[:page]",
"confidence": "Weak",
@@ -106,7 +109,7 @@
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/remote_interaction_controller.rb",
"line": 21,
"line": 24,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
"render_path": null,
@@ -119,25 +122,6 @@
"confidence": "High",
"note": ""
},
{
"warning_type": "Dynamic Render Path",
"warning_code": 15,
"fingerprint": "67afc0d5f7775fa5bd91d1912e1b5505aeedef61876347546fa20f92fd6915e6",
"check_name": "Render",
"message": "Render path contains parameter value",
"file": "app/views/stream_entries/embed.html.haml",
"line": 3,
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
"code": "render(action => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :centered => true, :autoplay => ActiveModel::Type::Boolean.new.cast(params[:autoplay]) })",
"render_path": [{"type":"controller","class":"StatusesController","method":"embed","line":63,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/embed","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/embed.html.haml"}}],
"location": {
"type": "template",
"template": "stream_entries/embed"
},
"user_input": "params[:id]",
"confidence": "Weak",
"note": ""
},
{
"warning_type": "SQL Injection",
"warning_code": 0,
@@ -145,7 +129,7 @@
"check_name": "SQL",
"message": "Possible SQL injection",
"file": "app/models/status.rb",
"line": 92,
"line": 105,
"link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
"code": "result.joins(\"LEFT OUTER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
"render_path": null,
@@ -159,22 +143,43 @@
"note": ""
},
{
"warning_type": "Dynamic Render Path",
"warning_code": 15,
"fingerprint": "8d843713d99e8403f7992f3e72251b633817cf9076ffcbbad5613859d2bbc127",
"check_name": "Render",
"message": "Render path contains parameter value",
"file": "app/views/admin/custom_emojis/index.html.haml",
"line": 45,
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
"code": "render(action => filtered_custom_emojis.eager_load(:local_counterpart).page(params[:page]), {})",
"render_path": [{"type":"controller","class":"Admin::CustomEmojisController","method":"index","line":11,"file":"app/controllers/admin/custom_emojis_controller.rb","rendered":{"name":"admin/custom_emojis/index","file":"/home/eugr/Projects/mastodon/app/views/admin/custom_emojis/index.html.haml"}}],
"warning_type": "Mass Assignment",
"warning_code": 105,
"fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
"check_name": "PermitAttributes",
"message": "Potentially dangerous key allowed for mass assignment",
"file": "app/controllers/api/v2/search_controller.rb",
"line": 28,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
"code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
"render_path": null,
"location": {
"type": "template",
"template": "admin/custom_emojis/index"
"type": "method",
"class": "Api::V2::SearchController",
"method": "search_params"
},
"user_input": "params[:page]",
"confidence": "Weak",
"user_input": ":account_id",
"confidence": "High",
"note": ""
},
{
"warning_type": "Mass Assignment",
"warning_code": 105,
"fingerprint": "8f63dec68951d9bcf7eddb15af9392b2e1333003089c41fb76688dfd3579f394",
"check_name": "PermitAttributes",
"message": "Potentially dangerous key allowed for mass assignment",
"file": "app/controllers/api/v1/crypto/deliveries_controller.rb",
"line": 23,
"link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
"code": "params.require(:device).permit(:account_id, :device_id, :type, :body, :hmac)",
"render_path": null,
"location": {
"type": "method",
"class": "Api::V1::Crypto::DeliveriesController",
"method": "resource_params"
},
"user_input": ":account_id",
"confidence": "High",
"note": ""
},
{
@@ -204,10 +209,22 @@
"check_name": "Render",
"message": "Render path contains parameter value",
"file": "app/views/admin/accounts/index.html.haml",
"line": 47,
"line": 54,
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
"code": "render(action => filtered_accounts.page(params[:page]), {})",
"render_path": [{"type":"controller","class":"Admin::AccountsController","method":"index","line":12,"file":"app/controllers/admin/accounts_controller.rb","rendered":{"name":"admin/accounts/index","file":"/home/eugr/Projects/mastodon/app/views/admin/accounts/index.html.haml"}}],
"render_path": [
{
"type": "controller",
"class": "Admin::AccountsController",
"method": "index",
"line": 12,
"file": "app/controllers/admin/accounts_controller.rb",
"rendered": {
"name": "admin/accounts/index",
"file": "app/views/admin/accounts/index.html.haml"
}
}
],
"location": {
"type": "template",
"template": "admin/accounts/index"
@@ -216,6 +233,26 @@
"confidence": "Weak",
"note": ""
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/remote_follow_controller.rb",
"line": 21,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
"render_path": null,
"location": {
"type": "method",
"class": "RemoteFollowController",
"method": "create"
},
"user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
"confidence": "High",
"note": ""
},
{
"warning_type": "Redirect",
"warning_code": 18,
@@ -223,7 +260,7 @@
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/media_controller.rb",
"line": 14,
"line": 20,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))",
"render_path": null,
@@ -236,26 +273,6 @@
"confidence": "High",
"note": ""
},
{
"warning_type": "Redirect",
"warning_code": 18,
"fingerprint": "bb7e94e60af41decb811bb32171f1b27e9bf3f4d01e9e511127362e22510eb11",
"check_name": "Redirect",
"message": "Possible unprotected redirect",
"file": "app/controllers/remote_follow_controller.rb",
"line": 19,
"link": "https://brakemanscanner.org/docs/warning_types/redirect/",
"code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username])))",
"render_path": null,
"location": {
"type": "method",
"class": "RemoteFollowController",
"method": "create"
},
"user_input": "RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username]))",
"confidence": "High",
"note": ""
},
{
"warning_type": "Mass Assignment",
"warning_code": 105,
@@ -275,27 +292,8 @@
"user_input": ":account_id",
"confidence": "High",
"note": ""
},
{
"warning_type": "Dynamic Render Path",
"warning_code": 15,
"fingerprint": "fbd0fc59adb5c6d44b60e02debb31d3af11719f534c9881e21435bbff87404d6",
"check_name": "Render",
"message": "Render path contains parameter value",
"file": "app/views/stream_entries/show.html.haml",
"line": 23,
"link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
"code": "render(partial => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { :locals => ({ Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :include_threads => true }) })",
"render_path": [{"type":"controller","class":"StatusesController","method":"show","line":34,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/show","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/show.html.haml"}}],
"location": {
"type": "template",
"template": "stream_entries/show"
},
"user_input": "params[:id]",
"confidence": "Weak",
"note": ""
}
],
"updated": "2019-02-21 02:30:29 +0100",
"brakeman_version": "4.4.0"
"updated": "2020-06-01 18:18:02 +0200",
"brakeman_version": "4.8.0"
}

3
config/initializers/doorkeeper.rb
View File

@@ -95,7 +95,8 @@ Doorkeeper.configure do
:'admin:read:reports',
:'admin:write',
:'admin:write:accounts',
:'admin:write:reports'
:'admin:write:reports',
:crypto
# Change the way client credentials are retrieved from the request object.
# By default it retrieves first from the `HTTP_AUTHORIZATION` header, then

1
config/initializers/inflections.rb
View File

@@ -19,6 +19,7 @@ ActiveSupport::Inflector.inflections(:en) do |inflect|
inflect.acronym 'ActivityStreams'
inflect.acronym 'JsonLd'
inflect.acronym 'NodeInfo'
inflect.acronym 'Ed25519'
inflect.singular 'data', 'data'
end

22
config/locales/en.yml
View File

@@ -35,13 +35,16 @@ en:
status_count_before: Who authored
tagline: Follow friends and discover new ones
terms: Terms of service
unavailable_content: Unavailable content
unavailable_content: Moderated servers
unavailable_content_description:
domain: Server
reason: Reason
rejecting_media: 'Media files from these servers will not be processed or stored, and no thumbnails will be displayed, requiring manual click-through to the original file:'
silenced: 'Posts from these servers will be hidden in public timelines and conversations, and no notifications will be generated from their users'' interactions, unless you are following them:'
rejecting_media_title: Filtered media
silenced: 'Posts from these servers will be hidden in public timelines and conversations, and no notifications will be generated from their users interactions, unless you are following them:'
silenced_title: Silenced servers
suspended: 'No data from these servers will be processed, stored or exchanged, making any interaction or communication with users from these servers impossible:'
suspended_title: Suspended servers
unavailable_content_html: Mastodon generally allows you to view content from and interact with users from any other server in the fediverse. These are the exceptions that have been made on this particular server.
user_count_after:
one: user
@@ -309,6 +312,7 @@ en:
listed: Listed
new:
title: Add new custom emoji
not_permitted: You are not permitted to perform this action
overwrite: Overwrite
shortcode: Shortcode
shortcode_hint: At least 2 characters, only alphanumeric characters and underscores
@@ -721,6 +725,10 @@ en:
hint_html: "<strong>Tip:</strong> We won't ask you for your password again for the next hour."
invalid_password: Invalid password
prompt: Confirm password to continue
crypto:
errors:
invalid_key: is not a valid Ed25519 or Curve25519 key
invalid_signature: is not a valid Ed25519 signature
date:
formats:
default: "%b %d, %Y"
@@ -918,6 +926,7 @@ en:
on_cooldown: You have recently migrated your account. This function will become available again in %{count} days.
past_migrations: Past migrations
proceed_with_move: Move followers
redirected_msg: Your account is now redirecting to %{acct}.
redirecting_to: Your account is redirecting to %{acct}.
set_redirect: Set redirect
warning:
@@ -1267,6 +1276,12 @@ en:
explanation: You requested a full backup of your Mastodon account. It's now ready for download!
subject: Your archive is ready for download
title: Archive takeout
sign_in_token:
details: 'Here are details of the attempt:'
explanation: 'We detected an attempt to sign in to your account from an unrecognized IP address. If this is you, please enter the security code below on the sign in challenge page:'
further_actions: 'If this wasn''t you, please change your password and enable two-factor authentication on your account. You can do so here:'
subject: Please confirm attempted sign in
title: Sign in attempt
warning:
explanation:
disable: While your account is frozen, your account data remains intact, but you cannot perform any actions until it is unlocked.
@@ -1304,11 +1319,14 @@ en:
title: Welcome aboard, %{name}!
users:
follow_limit_reached: You cannot follow more than %{limit} people
generic_access_help_html: Trouble accessing your account? You may get in touch with %{email} for assistance
invalid_email: The e-mail address is invalid
invalid_otp_token: Invalid two-factor code
invalid_sign_in_token: Invalid security code
otp_lost_help_html: If you lost access to both, you may get in touch with %{email}
seamless_external_login: You are logged in via an external service, so password and e-mail settings are not available.
signed_in_as: 'Signed in as:'
suspicious_sign_in_confirmation: You appear to not have logged in from this device before, and you haven't logged in for a while, so we're sending a security code to your e-mail address to confirm that it's you.
verification:
explanation_html: 'You can <strong>verify yourself as the owner of the links in your profile metadata</strong>. For that, the linked website must contain a link back to your Mastodon profile. The link back <strong>must</strong> have a <code>rel="me"</code> attribute. The text content of the link does not matter. Here is an example:'
verification: Verification

1
config/locales/simple_form.en.yml
View File

@@ -151,6 +151,7 @@ en:
setting_use_blurhash: Show colorful gradients for hidden media
setting_use_pending_items: Slow mode
severity: Severity
sign_in_token_attempt: Security code
type: Import type
username: Username
username_or_email: Username or Email

18
config/routes.rb
View File

@@ -79,6 +79,7 @@ Rails.application.routes.draw do
resource :outbox, only: [:show], module: :activitypub
resource :inbox, only: [:create], module: :activitypub
resource :claim, only: [:create], module: :activitypub
resources :collections, only: [:show], module: :activitypub
end
@@ -342,6 +343,23 @@ Rails.application.routes.draw do
end
end
namespace :crypto do
resources :deliveries, only: :create
namespace :keys do
resource :upload, only: [:create]
resource :query, only: [:create]
resource :claim, only: [:create]
resource :count, only: [:show]
end
resources :encrypted_messages, only: [:index] do
collection do
post :clear
end
end
end
resources :conversations, only: [:index, :destroy] do
member do
post :read

10
config/webpack/shared.js
View File

@@ -110,10 +110,12 @@ module.exports = {
writeToDisk: true,
publicPath: true,
}),
new CopyPlugin([
{ from: 'node_modules/tesseract.js/dist/worker.min.js', to: 'ocr' },
{ from: 'node_modules/tesseract.js-core/tesseract-core.wasm.js', to: 'ocr' },
]),
new CopyPlugin({
patterns: [
{ from: 'node_modules/tesseract.js/dist/worker.min.js', to: 'ocr' },
{ from: 'node_modules/tesseract.js-core/tesseract-core.wasm.js', to: 'ocr' },
],
}),
],
resolve: {