Commit graph

3696 commits

Author SHA1 Message Date
Marie
216ab3aea7 merge: remove http/https protocol in uri on masto api (!980)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/980

Closes #1046

Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: dakkar <dakkar@thenautilus.net>
2025-05-06 08:33:19 +00:00
Marie
893f964def merge: check signatures with and without query - fix #1036 (!966)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/966

Closes #1036

Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: Marie <github@yuugi.dev>
2025-05-05 23:23:30 +00:00
Marie
cb3f5f598d Update instance.ts 2025-05-05 17:33:27 +00:00
Marie
e2be44fb99 change regex to include a zero-length match 2025-05-05 13:03:39 +00:00
Marie
581cc2b513 remove http/https protocol 2025-05-05 13:00:31 +00:00
dakkar
ec404fd3ce remove leftover debug line 2025-04-30 20:30:52 +01:00
Julia Johannesen
ac905118cc
Merge branch 'stable' into merge-stable-into-develop 2025-04-27 16:19:44 -04:00
Julia Johannesen
35df3944c1
Update summaly 2025-04-27 13:31:27 -04:00
Julia Johannesen
0bb4e57b0c
Security fixes
Co-Authored-By: dakkar <dakkar@thenautilus.net>
2025-04-27 13:05:09 -04:00
dakkar
fda71c4147 make toPuny work better in testing 2025-04-21 16:44:13 +01:00
dakkar
58c0ac6c89 check signatures with and without query - fix #1036
@Oneric explained:

> Spec says query params must be included in the signature; Mastodon
> being Mastodon used to always exclude it though and for
> compatibility everyone followed this. At some point GtS decided to
> follow spec instead which caused interop issues, but succeeded in
> getting Mastodon (and others like *oma) to accept incoming requests
> with (and also still without) query params though outgoing requests
> remaing query-param-free. Some still only accept query-param-less
> requests though and GtS uses a retry mechanism to resend any request
> failing with 401 with an query-parama-less signature once. (Also
> see:
> https://docs.gotosocial.org/en/latest/federation/http_signatures/ )
>
> So for incoming requests both versions need to be checked. For
> outgoing requests, unless you want to jump through retry hoops like
> GtS, omitting query-params is the safer bet for now (presumably this
> will only change if Mastodon ever decides to send out requests
> signed with query params)
2025-04-21 16:44:13 +01:00
piuvas
6df82f4eef
remove redundant sql query. 2025-04-20 23:21:50 -03:00
piuvas
06fb6fbeca
requested changes. 2025-04-20 23:20:59 -03:00
piuvas
8609426e71
remove fortnite. 2025-04-20 14:21:44 -03:00
piuvas
46fa99fc28
requested changes to verifyFieldLinks
Co-authored-by: dakkar <dakkar@thenautilus.net>
2025-04-20 12:34:00 -03:00
piuvas
1d9876d3fa
make link detection slightly more performant. 2025-04-19 23:20:21 -03:00
piuvas
8a60c7df02
verify links in remote profiles. 2025-04-19 23:10:27 -03:00
piuvas
6a77512737
refactor link verification. 2025-04-19 23:04:48 -03:00
Marie
28ad2ae534 fix: friendlycaptcha always failing 2025-04-15 20:13:16 +00:00
Marie
4f64803ef2 merge: make MOTD html unescaped. (requires discussion?) (!759)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/759

Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: Marie <github@yuugi.dev>
2025-04-15 07:45:51 +00:00
Zlendy
ce26d8d3cb
feat: Allow injection of raw HTML strings inside <head> 2025-04-11 22:56:26 +02:00
Marie
865a9c4906 merge: Prevent streaming API denial-of-service (resolves #1019) (!951)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/951

Closes #1019

Approved-by: dakkar <dakkar@thenautilus.net>
Approved-by: Marie <github@yuugi.dev>
2025-03-30 10:40:56 +00:00
dakkar
3a6bba3306 merge: Remove visibility of DMs for non-recipient users (!912)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/912

Approved-by: dakkar <dakkar@thenautilus.net>
Approved-by: Marie <github@yuugi.dev>
2025-03-30 09:20:54 +00:00
Hazelnoot
922a7ba1d4 track the number of concurrent requests to redis, and bypass if the request is guaranteed to reject 2025-03-29 09:47:05 -04:00
Hazelnoot
47ea8527fd fix wsmessage rate limit definition 2025-03-29 09:44:38 -04:00
Hazelnoot
fafb811333 increase limits on WS note subscriptions and cached notes 2025-03-28 11:44:29 -04:00
Hazelnoot
86e34175d3 SkRateLimiterService revision 3: cache lockouts in memory to avoid redis calls 2025-03-28 11:43:30 -04:00
Hazelnoot
c41d617e63 limit the number of active connections per client, and limit upgrade requests by user 2025-03-28 11:03:31 -04:00
Hazelnoot
eff7321860 avoid duplicate channels in WS connection 2025-03-28 11:03:31 -04:00
Hazelnoot
14a7309cfb avoid leaking cached notes in WS connection 2025-03-28 11:03:31 -04:00
Hazelnoot
045ff5d2c0 make sure that note subscriptions can't stay above limit 2025-03-28 11:03:31 -04:00
Hazelnoot
b8fd9d0bc0 clear subscriptions when connection closes 2025-03-28 11:03:31 -04:00
Hazelnoot
831329499d limit the number of note subscriptions per connection 2025-03-28 11:03:31 -04:00
Hazelnoot
bf1c9b67d6 close websocket when rate limit exceeded 2025-03-28 11:03:31 -04:00
Hazelnoot
18655386f3 convert streaming rate limit to bucket 2025-03-28 11:03:31 -04:00
dakkar
920bf71eb5 merge: More Mastodon API fixes (resolves #405, #471, and #984) (!954)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/954

Closes #405, #471, and #984

Approved-by: Marie <github@yuugi.dev>
Approved-by: dakkar <dakkar@thenautilus.net>
2025-03-28 12:45:54 +00:00
Hazelnoot
848a07a170 Ignore notifications that reference missing notes 2025-03-27 20:30:04 -04:00
Hazelnoot
a92416904f use exclusive ranges in api/i/notifications and /api/v1/notifications 2025-03-27 20:20:42 -04:00
Hazelnoot
58cdee77d5 convert notification types in mastodon API 2025-03-27 19:51:43 -04:00
Hazelnoot
8a9979b3d3 don't render CW as HTML for mastodon 2025-03-27 19:51:43 -04:00
Hazelnoot
ebc3abea54 hide sensitive content from Discord previews 2025-03-27 19:51:43 -04:00
Hazelnoot
36dee5ff20 render profile bios in masto API 2025-03-27 19:51:43 -04:00
Hazelnoot
81f7346f80 fixes to CW and quote conversion for mastodon 2025-03-27 19:51:43 -04:00
Hazelnoot
1fa290c3eb handle errors in mastodon search endpoints 2025-03-27 19:51:43 -04:00
Hazelnoot
971bc6fd3e improve mastodon API error handling 2025-03-27 19:51:43 -04:00
Hazelnoot
a81a00e94d rename MastodonConverters.ts to matching naming scheme 2025-03-27 19:51:43 -04:00
Hazelnoot
4754942301 add additional required CORS headers for masto-api requests 2025-03-27 19:51:43 -04:00
Hazelnoot
984be9e7aa enable local timeline in Phanpy clients 2025-03-27 19:51:43 -04:00
Hazelnoot
3c54680860 support reactions in mastodon API 2025-03-27 19:51:43 -04:00
Hazelnoot
fbdee815da remove unused async from toMastoApiHtml / fromMastoApiHtml 2025-03-27 19:51:43 -04:00