92658f0fb0
Fix instance actor not being dereferenceable ( #17457 )
...
* Add tests
* Fix instance actor not being dereferenceable
* Fix tests
* Fix tests for real
2022-02-06 15:31:03 +01:00
097c4903f1
Update build-image.yml ( #17454 )
2022-02-05 17:29:54 +01:00
e03e7ac290
Fix error on account relationships page in admin UI ( #17444 )
2022-02-05 05:06:34 +01:00
6a649e9131
Bump brakeman from 5.2.0 to 5.2.1 ( #17410 )
...
Bumps [brakeman](https://github.com/presidentbeef/brakeman ) from 5.2.0 to 5.2.1.
- [Release notes](https://github.com/presidentbeef/brakeman/releases )
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md )
- [Commits](https://github.com/presidentbeef/brakeman/compare/v5.2.0...v5.2.1 )
---
updated-dependencies:
- dependency-name: brakeman
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-05 13:03:12 +09:00
bfe5ad5fee
Bump redis from 4.0.2 to 4.0.3 ( #17412 )
...
Bumps [redis](https://github.com/redis/node-redis ) from 4.0.2 to 4.0.3.
- [Release notes](https://github.com/redis/node-redis/releases )
- [Changelog](https://github.com/redis/node-redis/blob/master/CHANGELOG.md )
- [Commits](https://github.com/redis/node-redis/compare/redis@4.0.2...redis@4.0.3 )
---
updated-dependencies:
- dependency-name: redis
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-05 13:03:06 +09:00
e001e116da
Bump sidekiq-scheduler from 3.1.0 to 3.1.1 ( #17407 )
...
Bumps [sidekiq-scheduler](https://github.com/moove-it/sidekiq-scheduler ) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/moove-it/sidekiq-scheduler/releases )
- [Commits](https://github.com/moove-it/sidekiq-scheduler/compare/v3.1.0...v3.1.1 )
---
updated-dependencies:
- dependency-name: sidekiq-scheduler
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-05 13:02:57 +09:00
e0263c7369
Bump http-link-header from 1.0.3 to 1.0.4 ( #17414 )
...
Bumps [http-link-header](https://github.com/jhermsmeier/node-http-link-header ) from 1.0.3 to 1.0.4.
- [Release notes](https://github.com/jhermsmeier/node-http-link-header/releases )
- [Changelog](https://github.com/jhermsmeier/node-http-link-header/blob/master/CHANGELOG.md )
- [Commits](https://github.com/jhermsmeier/node-http-link-header/compare/v1.0.3...v1.0.4 )
---
updated-dependencies:
- dependency-name: http-link-header
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-05 13:02:42 +09:00
50ab3f3dcb
Update tootsuite/mastodon Docker tag to v3.4.6 ( #17436 )
...
Co-authored-by: Renovate Bot <bot@renovateapp.com >
2022-02-03 21:29:20 +01:00
3413f1c44b
Forward-port version bump to 3.4.6 ( #17434 )
2022-02-03 14:21:38 +01:00
c8b1e72a4f
Fix compacted JSON-LD possibly causing compatibility issues on forwarding ( #17428 )
2022-02-03 14:09:04 +01:00
948235592a
Fix response_to_recipient? CTE ( #17427 )
2022-02-03 14:07:43 +01:00
d1ecc323e7
Compact JSON-LD signed incoming activities ( #17426 )
...
Co-authored-by: Puck Meerburg <puck@puck.moe >
2022-02-03 14:07:29 +01:00
d0d15bf49c
Update tootsuite/mastodon Docker tag to v3.4.5 ( #17417 )
...
Co-authored-by: Renovate Bot <bot@renovateapp.com >
2022-02-01 20:57:50 +01:00
987d88ea56
Fix requiring an extra restart after recent post-deployment migrations ( #17422 )
...
Follow-up to #16409
2022-02-01 20:57:39 +01:00
4d6d4b43c6
Fixed prototype pollution bug and only allow trusted origin ( #17420 )
2022-02-01 17:34:48 +01:00
54581d43e7
Bump version to 3.4.5 ( #17402 )
2022-01-31 21:27:40 +01:00
aa45404578
Bump NODE_VER to 16.13.2, to solve security issues ( #17399 )
...
Fixes CVE-2021-44532, CVE-2021-44533, and CVE-2022-21824.
See: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
2022-01-31 00:32:03 +01:00
a0e06c3c3e
Add more advanced migration tests ( #17393 )
...
- populate the database with some data when testing migrations
- try both one-step and two-step migrations (`SKIP_POST_DEPLOYMENT_MIGRATIONS`)
2022-01-30 23:50:08 +01:00
c6b291afc3
Change index corruption warning to be a little less scary ( #17395 )
2022-01-30 23:49:52 +01:00
a99adeaad3
Fix edge case in migration helpers that caused crash because of PostgreSQL quirks ( #17398 )
2022-01-30 22:34:54 +01:00
ac583fce21
Fix some old migration scripts ( #17394 )
...
* Fix some old migration scripts
* Fix edge case in two-step migration from older releases
2022-01-30 21:38:54 +01:00
f5639e1cbe
Change public profile pages to be disabled for unconfirmed users ( #17385 )
...
Fixes #17382
Note that unconfirmed and unapproved accounts can still be searched for
and their (empty) account retrieved using the REST API.
2022-01-28 14:24:37 +01:00
e38fc319dc
Refactor and improve tests ( #17386 )
...
* Change account and user fabricators to simplify and improve tests
- `Fabricate(:account)` implicitly fabricates an associated `user` if
no `domain` attribute is given (an account with `domain: nil` is
considered a local account, but no user record was created), unless
`user: nil` is passed
- `Fabricate(:account, user: Fabricate(:user))` should still be possible
but is discouraged.
* Fix and refactor tests
- avoid passing unneeded attributes to `Fabricate(:user)` or
`Fabricate(:account)`
- avoid embedding `Fabricate(:user)` into a `Fabricate(:account)` or the other
way around
- prefer `Fabricate(:user, account_attributes: …)` to
`Fabricate(:user, account: Fabricate(:account, …)`
- also, some tests were using remote accounts with local user records, which is
not representative of production code.
2022-01-28 00:46:42 +01:00
03d59340da
Fix Sidekiq warnings about JSON serialization ( #17381 )
...
* Fix Sidekiq warnings about JSON serialization
This occurs on every symbol argument we pass, and every symbol key in hashes,
because Sidekiq expects strings instead.
See https://github.com/mperham/sidekiq/pull/5071
We do not need to change how workers parse their arguments because this has
not changed and we were already converting to symbols adequately or using
`with_indifferent_access`.
* Set Sidekiq to raise on unsafe arguments in test mode
In order to more easily catch issues that would produce warnings in production
code.
2022-01-28 00:43:56 +01:00
14c69a535b
Fix some old database migrations ( #17379 )
2022-01-27 18:13:41 +01:00
4942a7ce86
Bump pg from 1.2.3 to 1.3.0 ( #17349 )
...
Bumps [pg](https://github.com/ged/ruby-pg ) from 1.2.3 to 1.3.0.
- [Release notes](https://github.com/ged/ruby-pg/releases )
- [Changelog](https://github.com/ged/ruby-pg/blob/master/History.rdoc )
- [Commits](https://github.com/ged/ruby-pg/compare/v1.2.3...v1.3.0 )
---
updated-dependencies:
- dependency-name: pg
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-27 20:26:40 +09:00
497b8eedda
Bump axios from 0.24.0 to 0.25.0 ( #17354 )
...
Bumps [axios](https://github.com/axios/axios ) from 0.24.0 to 0.25.0.
- [Release notes](https://github.com/axios/axios/releases )
- [Changelog](https://github.com/axios/axios/blob/master/CHANGELOG.md )
- [Commits](https://github.com/axios/axios/compare/v0.24.0...v0.25.0 )
---
updated-dependencies:
- dependency-name: axios
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-27 20:26:18 +09:00
df78d83e95
Bump rdf-normalize from 0.4.0 to 0.5.0 ( #17226 )
...
Bumps [rdf-normalize](https://github.com/ruby-rdf/rdf-normalize ) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/ruby-rdf/rdf-normalize/releases )
- [Commits](https://github.com/ruby-rdf/rdf-normalize/compare/0.4.0...0.5.0 )
---
updated-dependencies:
- dependency-name: rdf-normalize
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-27 20:25:18 +09:00
166cc5b89d
Fix local distribution of edited statuses ( #17380 )
...
Because `FanOutOnWriteService#update?` was broken, edits were considered as new
toots and a regular `update` payload was sent.
2022-01-26 20:53:50 +01:00
10188c7db7
Add healthcheck for sidekiq ( #17365 )
2022-01-26 18:08:49 +01:00
6505b39e5d
Fix poll updates being saved as status edits ( #17373 )
...
Fix #17344
2022-01-26 18:05:39 +01:00
bebf9bf33f
Bump sass from 1.48.0 to 1.49.0 ( #17352 )
...
Bumps [sass](https://github.com/sass/dart-sass ) from 1.48.0 to 1.49.0.
- [Release notes](https://github.com/sass/dart-sass/releases )
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md )
- [Commits](https://github.com/sass/dart-sass/compare/1.48.0...1.49.0 )
---
updated-dependencies:
- dependency-name: sass
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 21:25:26 +09:00
f0d73d82f8
Bump json-ld-preloaded from 3.1.6 to 3.2.0 ( #17353 )
...
Bumps [json-ld-preloaded](https://github.com/ruby-rdf/json-ld-preloaded ) from 3.1.6 to 3.2.0.
- [Release notes](https://github.com/ruby-rdf/json-ld-preloaded/releases )
- [Commits](https://github.com/ruby-rdf/json-ld-preloaded/compare/3.1.6...3.2.0 )
---
updated-dependencies:
- dependency-name: json-ld-preloaded
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 21:23:42 +09:00
7b2c733dfc
Bump fabrication from 2.23.1 to 2.24.0 ( #17356 )
...
Bumps [fabrication](https://github.com/paulelliott/fabrication ) from 2.23.1 to 2.24.0.
- [Release notes](https://github.com/paulelliott/fabrication/releases )
- [Changelog](https://github.com/paulelliott/fabrication/blob/master/Changelog.markdown )
- [Commits](https://github.com/paulelliott/fabrication/commits )
---
updated-dependencies:
- dependency-name: fabrication
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 21:22:51 +09:00
cea00f593e
Bump sidekiq from 6.3.1 to 6.4.0 ( #17350 )
...
Bumps [sidekiq](https://github.com/mperham/sidekiq ) from 6.3.1 to 6.4.0.
- [Release notes](https://github.com/mperham/sidekiq/releases )
- [Changelog](https://github.com/mperham/sidekiq/blob/main/Changes.md )
- [Commits](https://github.com/mperham/sidekiq/compare/v6.3.1...v6.4.0 )
---
updated-dependencies:
- dependency-name: sidekiq
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 21:22:10 +09:00
69cb20bca4
Bump @babel/plugin-transform-runtime from 7.16.8 to 7.16.10 ( #17361 )
...
Bumps [@babel/plugin-transform-runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-runtime ) from 7.16.8 to 7.16.10.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.16.10/packages/babel-plugin-transform-runtime )
---
updated-dependencies:
- dependency-name: "@babel/plugin-transform-runtime"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:52:40 +09:00
daf2d8952d
Bump cld3 from 3.4.3 to 3.4.4 ( #17357 )
...
Bumps [cld3](https://github.com/akihikodaki/cld3-ruby ) from 3.4.3 to 3.4.4.
- [Release notes](https://github.com/akihikodaki/cld3-ruby/releases )
- [Commits](https://github.com/akihikodaki/cld3-ruby/compare/v3.4.3...v3.4.4 )
---
updated-dependencies:
- dependency-name: cld3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:48:05 +09:00
2dfb67f0c9
Bump aws-sdk-s3 from 1.111.1 to 1.111.3 ( #17368 )
...
Bumps [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby ) from 1.111.1 to 1.111.3.
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases )
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md )
- [Commits](https://github.com/aws/aws-sdk-ruby/commits )
---
updated-dependencies:
- dependency-name: aws-sdk-s3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:46:52 +09:00
029d89bfea
Bump bootsnap from 1.10.1 to 1.10.2 ( #17367 )
...
Bumps [bootsnap](https://github.com/Shopify/bootsnap ) from 1.10.1 to 1.10.2.
- [Release notes](https://github.com/Shopify/bootsnap/releases )
- [Changelog](https://github.com/Shopify/bootsnap/blob/main/CHANGELOG.md )
- [Commits](https://github.com/Shopify/bootsnap/compare/v1.10.1...v1.10.2 )
---
updated-dependencies:
- dependency-name: bootsnap
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:45:45 +09:00
ee7fafe1c8
Bump node-fetch from 2.6.1 to 2.6.7 ( #17366 )
...
Bumps [node-fetch](https://github.com/node-fetch/node-fetch ) from 2.6.1 to 2.6.7.
- [Release notes](https://github.com/node-fetch/node-fetch/releases )
- [Commits](https://github.com/node-fetch/node-fetch/compare/v2.6.1...v2.6.7 )
---
updated-dependencies:
- dependency-name: node-fetch
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:44:01 +09:00
2033ca6b31
Bump nanoid from 3.1.23 to 3.2.0 ( #17342 )
...
Bumps [nanoid](https://github.com/ai/nanoid ) from 3.1.23 to 3.2.0.
- [Release notes](https://github.com/ai/nanoid/releases )
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md )
- [Commits](https://github.com/ai/nanoid/compare/3.1.23...3.2.0 )
---
updated-dependencies:
- dependency-name: nanoid
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:41:22 +09:00
4b5629cc3d
Bump @babel/preset-env from 7.16.8 to 7.16.11 ( #17358 )
...
Bumps [@babel/preset-env](https://github.com/babel/babel/tree/HEAD/packages/babel-preset-env ) from 7.16.8 to 7.16.11.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.16.11/packages/babel-preset-env )
---
updated-dependencies:
- dependency-name: "@babel/preset-env"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:39:43 +09:00
0d82c0359d
Bump rubocop from 1.24.1 to 1.25.0 ( #17322 )
...
Bumps [rubocop](https://github.com/rubocop/rubocop ) from 1.24.1 to 1.25.0.
- [Release notes](https://github.com/rubocop/rubocop/releases )
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md )
- [Commits](https://github.com/rubocop/rubocop/compare/v1.24.1...v1.25.0 )
---
updated-dependencies:
- dependency-name: rubocop
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:39:08 +09:00
d528db801f
Bump @babel/core from 7.16.7 to 7.16.12 ( #17360 )
...
Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core ) from 7.16.7 to 7.16.12.
- [Release notes](https://github.com/babel/babel/releases )
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md )
- [Commits](https://github.com/babel/babel/commits/v7.16.12/packages/babel-core )
---
updated-dependencies:
- dependency-name: "@babel/core"
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-01-25 20:34:55 +09:00
808e7cd906
Bump rails from 6.1.4.1 to 6.1.4.4 ( #17159 )
...
* Bump rails from 6.1.4.1 to 6.1.4.4
Bumps [rails](https://github.com/rails/rails ) from 6.1.4.1 to 6.1.4.4.
- [Release notes](https://github.com/rails/rails/releases )
- [Commits](https://github.com/rails/rails/compare/v6.1.4.1...v6.1.4.4 )
---
updated-dependencies:
- dependency-name: rails
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
* Revert marcel to 1.0.1
Avoid some regression that need to be investigated
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claire <claire.github-309c@sitedethib.com >
2022-01-25 20:34:37 +09:00
244726e2e8
disable legacy XSS filtering ( #17289 )
...
Browsers are phasing out X-XSS-Protection, but Safari and IE still support it.
2022-01-24 13:14:26 +01:00
dd63923c0a
Fix link_to_login argument handling when a block is passed ( #17345 )
2022-01-24 03:29:03 +01:00
0a120d86d2
Fix error-prone SQL queries ( #15828 )
...
* Fix error-prone SQL queries in Account search
While this code seems to not present an actual vulnerability, one could
easily be introduced by mistake due to how the query is built.
This PR parameterises the `to_tsquery` input to make the query more robust.
* Harden code for Status#tagged_with_all and Status#tagged_with_none
Those two scopes aren't used in a way that could be vulnerable to an SQL
injection, but keeping them unchanged might be a hazard.
* Remove unneeded spaces surrounding tsquery term
* Please CodeClimate
* Move advanced_search_for SQL template to its own function
This avoids one level of indentation while making clearer that the SQL template
isn't build from all the dynamic parameters of advanced_search_for.
* Add tests covering tagged_with, tagged_with_all and tagged_with_none
* Rewrite tagged_with_none to avoid multiple joins and make it more robust
* Remove obsolete brakeman warnings
* Revert "Remove unneeded spaces surrounding tsquery term"
The two queries are not strictly equivalent.
This reverts commit 86f16c537e06c6ba4a8b250f25dcce9f049023ff.
2022-01-23 18:10:10 +01:00
a63495230a
Change percent to rate in retention metrics API ( #16910 )
2022-01-23 16:01:25 +01:00
bddd9ba36d
Add OMNIAUTH_ONLY environment variable to enforce externa log-in ( #17288 )
...
* Remove support for OAUTH_REDIRECT_AT_SIGN_IN
Fixes #15959
Introduced in #6540 , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.
However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228 .
As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
* Add OMNIAUTH_ONLY environment variable to enforce external log-in only
* Disable user registration when OMNIAUTH_ONLY is set to true
* Replace log-in links When OMNIAUTH_ONLY is set with exactly one OmniAuth provider
2022-01-23 15:52:58 +01:00
