Commit graph

3977 commits

Author SHA1 Message Date
Marie
da54742291
add boolean to ignore folderId sorting, show all files on drive cleaner 2025-05-07 09:06:50 +02:00
Hazelnoot
95cd19b049 Merge branch 'develop' into merge/2025-03-24 2025-05-06 11:20:46 -04:00
Marie
216ab3aea7 merge: remove http/https protocol in uri on masto api (!980)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/980

Closes #1046

Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: dakkar <dakkar@thenautilus.net>
2025-05-06 08:33:19 +00:00
Marie
893f964def merge: check signatures with and without query - fix #1036 (!966)
View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/966

Closes #1036

Approved-by: Hazelnoot <acomputerdog@gmail.com>
Approved-by: Marie <github@yuugi.dev>
2025-05-05 23:23:30 +00:00
Marie
142b3b552e update comment 2025-05-05 23:04:43 +00:00
Marie
621f2e2ee4
upd: add logger, check hostname, add catch 2025-05-06 01:02:27 +02:00
Marie
cb3f5f598d Update instance.ts 2025-05-05 17:33:27 +00:00
Marie
e2be44fb99 change regex to include a zero-length match 2025-05-05 13:03:39 +00:00
Marie
581cc2b513 remove http/https protocol 2025-05-05 13:00:31 +00:00
Hazelnoot
76597d1a4c check role assignments in featured timeline 2025-05-04 08:55:57 -04:00
Hazelnoot
f6eb3148f3 use bucket rate limit for featured timeline 2025-05-04 08:55:26 -04:00
Hazelnoot
e87afe5804 fix more type errors because TS can't make up its mind 2025-05-03 22:21:38 -04:00
Hazelnoot
ff8b22ce60 apply optimized domain block pattern to silence and bubble checks 2025-05-03 21:54:25 -04:00
Hazelnoot
f4dafd709c check suspended users/hosts in following feed 2025-05-03 21:43:53 -04:00
dakkar
3f611fe234 honour blocked hosts in global-timeline 2025-05-02 15:57:56 +01:00
dakkar
31d93c8052 nicer SQL checks for blocked hosts
instead of passing a (possibly gigantic) array from JS, we get
PostgreSQL to look at the value in the `meta` table directly

tested the `federation/instances` endpoint, and the `QueryService`
methods; I have not tested the charts
2025-05-02 15:57:56 +01:00
Hazelnoot
54b5c930cb enforce maxFileSize for remote users 2025-05-02 08:37:42 -04:00
Hazelnoot
3199c309e2 make bubble timeline visibility checks match local timeline 2025-05-01 12:14:45 -04:00
Hazelnoot
8dce293dff add setting to disable proxy account (resolves #766) 2025-05-01 12:07:38 -04:00
dakkar
ec404fd3ce remove leftover debug line 2025-04-30 20:30:52 +01:00
Hazelnoot
d18885eefc fix type errors in e2e tests 2025-04-30 11:13:54 -04:00
Hazelnoot
6e4e4fdc33 fix type errors in mastodon API 2025-04-30 11:13:46 -04:00
Hazelnoot
4ea1b6aa4d fix type errors in SponsorsService.ts 2025-04-30 11:13:38 -04:00
Hazelnoot
dc087d4477 update @nestjs/platform-express to match other nestjs versions 2025-04-29 16:18:37 -04:00
Hazelnoot
25c96c1688 update broken SWC release (https://github.com/swc-project/swc/issues/10413) 2025-04-29 16:14:10 -04:00
Hazelnoot
dc9106dfb3 remove outdated packages from megalodon 2025-04-29 16:07:56 -04:00
Hazelnoot
9c301fa5aa Merge branch 'misskey-develop' into merge/2025-03-24
# Conflicts:
#	.github/workflows/api-misskey-js.yml
#	.github/workflows/changelog-check.yml
#	.github/workflows/check-misskey-js-autogen.yml
#	.github/workflows/get-api-diff.yml
#	.github/workflows/lint.yml
#	.github/workflows/locale.yml
#	.github/workflows/on-release-created.yml
#	.github/workflows/storybook.yml
#	.github/workflows/test-backend.yml
#	.github/workflows/test-federation.yml
#	.github/workflows/test-frontend.yml
#	.github/workflows/test-misskey-js.yml
#	.github/workflows/test-production.yml
#	.github/workflows/validate-api-json.yml
#	package.json
#	packages/backend/package.json
#	packages/backend/src/server/api/ApiCallService.ts
#	packages/backend/src/server/api/endpoints/drive/files/create.ts
#	packages/frontend-shared/js/url.ts
#	packages/frontend/package.json
#	packages/frontend/src/components/MkFileCaptionEditWindow.vue
#	packages/frontend/src/components/MkInfo.vue
#	packages/frontend/src/components/MkLink.vue
#	packages/frontend/src/components/MkNote.vue
#	packages/frontend/src/components/MkNotes.vue
#	packages/frontend/src/components/MkPageWindow.vue
#	packages/frontend/src/components/MkReactionsViewer.vue
#	packages/frontend/src/components/MkTimeline.vue
#	packages/frontend/src/components/MkUrlPreview.vue
#	packages/frontend/src/components/MkUserPopup.vue
#	packages/frontend/src/components/global/MkPageHeader.vue
#	packages/frontend/src/components/global/MkUrl.vue
#	packages/frontend/src/components/global/PageWithHeader.vue
#	packages/frontend/src/pages/about-misskey.vue
#	packages/frontend/src/pages/announcements.vue
#	packages/frontend/src/pages/antenna-timeline.vue
#	packages/frontend/src/pages/channel.vue
#	packages/frontend/src/pages/instance-info.vue
#	packages/frontend/src/pages/note.vue
#	packages/frontend/src/pages/page.vue
#	packages/frontend/src/pages/role.vue
#	packages/frontend/src/pages/tag.vue
#	packages/frontend/src/pages/timeline.vue
#	packages/frontend/src/pages/user-list-timeline.vue
#	packages/frontend/src/pages/user/followers.vue
#	packages/frontend/src/pages/user/following.vue
#	packages/frontend/src/pages/user/home.vue
#	packages/frontend/src/pages/user/index.vue
#	packages/frontend/src/ui/deck.vue
#	packages/misskey-js/generator/package.json
#	pnpm-lock.yaml
#	scripts/changelog-checker/package-lock.json
#	scripts/changelog-checker/package.json
2025-04-29 15:54:11 -04:00
syuilo
d6ae4c980b feat(frontend): allow the title bar to be displayed 2025-04-29 09:43:15 +09:00
Julia
d10fdfe973
Merge commit from fork
* SP-2025-03.1 always wrap icon&thumbnail URLs

if they're not HTTP URLs, the frontend won't be able to display them
anyway (`<img src="mailto:…">` or `<div style="background-image:
url(nntp:…)">` aren't going to work!), so let's always run them through the
media proxy, which will fail harder (fetching a `javascript:` URL
won't do anything in the backend, might do something in the frontend)
and will always protect the client's address in cases like `gemini:`
where the browser could try to fetch

* SP-2025-03.2 use object binding for more styles

interpolating a random (remote-controlled!) string into a `style`
attribute is a bad idea; using VueJS object binding, we should get
proper quoting and therefore safe parse failures instead of CSS
injections / XSS

* SP-2025-03.3 slightly more robust "self" URL handling

parse URLs instead of treating them as strings; this is still not
perfect, but the `URL` class only handles full URLs, not relative
ones, so there's no way to ask it "give me a URL object that
represents this resource relative to this base URL"

notice that passing very weird URLs to `MkUrl` and `MkUrlPreview` will
break the frontend (in dev mode) because there's an untrapped `new
URL(…)` that may explode; production builds seem to safely ignore the
error, though

---------

Co-authored-by: dakkar <dakkar@thenautilus.net>
2025-04-29 08:15:54 +09:00
おさむのひと
7e8cc4d7c0
fix: improve the initial handling of requests that carry an attached file (#15896)
* wip

* also refer to the role policy value

* add endpoint tests

* fix review

* add spdx

* fix CHANGELOG.md

* fix test

* regenerate

* add log

* Revert "add log"

This reverts commit 4b2bf59a609b85ca0bfcc9b71438db782f11983d.

* add log

* fix

* Revert "add log"

This reverts commit c5a73d57da0f30ec5215e08a8b4d78785cce48d1.
2025-04-29 08:15:09 +09:00
dakkar
4981e5ba36 Merge branch 'develop' into merge/2025-03-24 2025-04-28 15:31:28 +01:00
zyoshoka
aaa31c9d64
fix(backend): correct response schema of chat endpoints (#15904) 2025-04-28 18:58:08 +09:00
かっこかり
b5268fa240
fix(test): fix federation test (#15900) 2025-04-28 11:24:26 +09:00
renovate[bot]
b94ff3590b
fix(deps): update [backend] update dependencies (#15811)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-04-28 09:29:52 +09:00
anatawa12
ec92bf47f1
Exclude blocked instance note from most timelines (#15792)
* Exclude blocked instance note from most timelines

* Exclude blocked instance note from FTT timelines

* Exclude blocked instance note from featured

* fix type
2025-04-28 07:21:00 +09:00
Julia Johannesen
ac905118cc
Merge branch 'stable' into merge-stable-into-develop 2025-04-27 16:19:44 -04:00
Julia Johannesen
35df3944c1
Update summaly 2025-04-27 13:31:27 -04:00
Julia Johannesen
0bb4e57b0c
Security fixes
Co-Authored-By: dakkar <dakkar@thenautilus.net>
2025-04-27 13:05:09 -04:00
syuilo
9481b5a6e8 feat: make the maximum uploadable file size configurable per role 2025-04-27 09:35:44 +09:00
なっかあ
de073d6d69
Fix #15876 fix the issue where emoji do not animate (#15881) 2025-04-27 09:16:41 +09:00
Hazelnoot
335603f073 fix null checks for background in UserEntityService.ts 2025-04-24 15:07:26 -04:00
Marie
e6888131b7 baseQueueOptions > baseWorkerOptions 2025-04-24 18:57:32 +00:00
Hazelnoot
cdf9921f2c fix build errors in ApRendererService.ts 2025-04-24 14:55:18 -04:00
Hazelnoot
a4dd19fdd4 merge upstream again 2025-04-24 14:23:45 -04:00
Hazelnoot
ac894986f9 Merge branch 'develop' into merge/2025-03-24
# Conflicts:
#	CONTRIBUTING.md
#	packages/backend/src/core/activitypub/models/ApPersonService.ts
2025-04-24 13:07:41 -04:00
饺子w (Yumechi)
7a41cfe28b
enhance(backend): change the DB note (userId) index -> (userId, id) composite index (#15879)
* enhance(backend): use composite index for ordering notes by user

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>

* fixup! enhance(backend): use composite index for ordering notes by user

---------

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
2025-04-23 14:29:42 +09:00
dakkar
fda71c4147 make toPuny work better in testing 2025-04-21 16:44:13 +01:00
dakkar
58c0ac6c89 check signatures with and without query - fix #1036
@Oneric explained:

> Spec says query params must be included in the signature; Mastodon
> being Mastodon used to always exclude it though and for
> compatibility everyone followed this. At some point GtS decided to
> follow spec instead which caused interop issues, but succeeded in
> getting Mastodon (and others like *oma) to accept incoming requests
> with (and also still without) query params though outgoing requests
> remaining query-param-free. Some still only accept query-param-less
> requests though and GtS uses a retry mechanism to resend any request
> failing with 401 with a query-param-less signature once. (Also
> see:
> https://docs.gotosocial.org/en/latest/federation/http_signatures/ )
>
> So for incoming requests both versions need to be checked. For
> outgoing requests, unless you want to jump through retry hoops like
> GtS, omitting query-params is the safer bet for now (presumably this
> will only change if Mastodon ever decides to send out requests
> signed with query params)
2025-04-21 16:44:13 +01:00
piuvas
6df82f4eef
remove redundant sql query. 2025-04-20 23:21:50 -03:00
piuvas
06fb6fbeca
requested changes. 2025-04-20 23:20:59 -03:00