9a3d047f3e
Run `bin/rails app:update` with Rails 7.1 ( #27522 )
2023-10-25 13:56:09 +00:00
379115e601
Add SELF_DESTRUCT env variable to process self-destructions in the background ( #26439 )
2023-10-23 15:46:21 +00:00
c3e0eb3699
Change Content-Security-Policy to be tighter on media paths ( #26889 )
2023-10-23 14:27:07 +02:00
bcd0171e5e
Fix `Lint/UselessAssignment` cop ( #27472 )
2023-10-19 16:55:06 +02:00
23f8e93c64
Fixes #23135 - Allow cross origin request for /nodeinfo/2.0 API ( #27413 )
2023-10-16 13:39:25 +02:00
e0da64bb4e
Fix empty ENV variables not using default nil value ( #27400 )
2023-10-13 19:00:53 +02:00
85db392464
Autofix Rubocop cops for config/ ( #24145 )
2023-10-03 15:24:12 +02:00
56c0babc0b
Fix rubocop `Layout/ArgumentAlignment` cop ( #26060 )
2023-09-28 15:48:47 +02:00
8acc75435b
Change S3 checksum mode to be disabled by default ( #27007 )
2023-09-21 14:00:51 +02:00
a04ae16201
Fix CSP when using `ONE_CLICK_SSO_LOGIN` ( #26901 )
2023-09-13 19:54:04 +02:00
9a70cac9de
Fix #26849 by adding the domain of the current SSO provider to the form-action CSP ( #26857 )
2023-09-12 13:04:51 +02:00
ea31929776
Fix invalid Content-Type header for WebP images ( #26773 )
2023-09-04 09:46:33 +02:00
9e26cd5503
Add `authorized_fetch` server setting in addition to env var ( #25798 )
2023-09-01 15:41:10 +02:00
286a21afdc
Support webpacker live-reloading on Docker ( #26419 )
2023-08-29 10:17:57 +02:00
b95867ad1f
Allow setting a custom HTTP method in CacheBuster ( #26528 )
...
Co-authored-by: Jorijn Schrijvershof <jorijn@jorijn.com>
2023-08-18 08:18:40 +02:00
dd049fc37a
Fix ES_PRESET not being applied to Chewy's internal index ( #26489 )
2023-08-14 19:00:56 +02:00
f5778caa3a
Add `ES_PRESET` option to customize numbers of shards and replicas ( #26483 )
...
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2023-08-14 17:46:16 +02:00
4bc0dd751c
Add `S3_DISABLE_CHECKSUM_MODE` environment variable for compatibility with some S3-compatible providers ( #26435 )
2023-08-10 14:15:18 +02:00
12c43e4ab5
Re-add StatsD support through the `nsa` gem ( #26310 )
2023-08-03 20:28:14 +02:00
e258b4cb64
Refactor: replace whitelist_mode mentions with limited_federation_mode ( #26252 )
2023-08-02 19:32:48 +02:00
ad81be6c8e
Update rubocop rules for linelength ( #26190 )
2023-07-28 23:11:45 +02:00
bada7a65aa
Ignore long line in regex initializer ( #26182 )
2023-07-26 09:45:27 +02:00
e5f1000ad1
Fix CSP headers being unintendedly wide ( #26105 )
2023-07-21 13:34:15 +02:00
934c7b33d1
Change default KeyGenerator digest to SHA1 to fix cookies in rolling upgrades ( #26023 )
2023-07-21 13:17:43 +02:00
b848ba3867
Paperclip: add support for Azure blob storage ( #23607 )
2023-07-19 09:02:49 +02:00
ce43ed144c
Rails 7.0 update ( #25668 )
2023-07-13 09:36:07 +02:00
2e1391fdd2
Fix `Naming/MemoizedInstanceVariableName` cop ( #25928 )
2023-07-12 10:08:51 +02:00
1d557305d2
Enable Rubocop Style/FrozenStringLiteralComment ( #23793 )
2023-07-12 09:47:08 +02:00
e4cfe4b3db
First pass at multi-database for read replica using Rails native adapter ( #25693 )
...
Co-authored-by: emilweth <7402764+emilweth@users.noreply.github.com>
2023-07-08 19:45:36 +02:00
dc8f1fbd97
Merge pull request from GHSA-9928-3cp5-93fm
...
* Fix attachments getting processed despite failing content-type validation
* Add a restrictive ImageMagick security policy tailored for Mastodon
* Fix misdetection of MP3 files with large cover art
* Reject unprocessable audio/video files instead of keeping them unchanged
2023-07-06 15:05:05 +02:00
ba06a2f104
Revert "Rails 7 update" ( #25667 )
2023-07-02 11:14:22 +02:00
50c2a03695
Rails 7 update ( #24241 )
2023-07-02 10:38:53 +02:00
f378f10404
Fix compatibility of recent migration with PostgreSQL 10 ( #25324 )
2023-06-07 01:53:50 +02:00
c66250abf1
Autofix Rubocop Regex Style rules ( #23690 )
...
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-06-06 14:50:51 +02:00
e428670e61
Fix CSP headers when S3_ALIAS_HOST includes a path component ( #25273 )
2023-06-05 17:35:05 +02:00
e49819142f
Remove unmaintained `nsa` gem ( #25265 )
2023-06-05 01:57:05 +02:00
94329f28e1
Change wording of “Content cache retention period” setting to highlight destructive implications ( #23261 )
2023-06-02 18:09:08 +02:00
942d850b0a
Allow carets in URL search params ( #25216 )
2023-06-01 12:14:49 +02:00
c0b9664a31
Autofix Rubocop spacing in config ( #25022 )
2023-05-22 13:17:56 +02:00
cee4369cf5
Autofix Rubocop Lint/AmbiguousOperatorPrecedence ( #25002 )
2023-05-16 10:51:59 +02:00
d9a958fcf7
Fix Performance/RedundantMerge cop ( #24817 )
2023-05-04 05:25:43 +02:00
d902a707a3
Fix Rails/CompactBlank cop ( #24690 )
2023-04-30 14:07:21 +02:00
5a2aa06a51
Fix Rails/Present cop ( #24688 )
2023-04-30 06:47:50 +02:00
49fad26eca
Drop EOL Ruby 2.7 ( #24237 )
2023-04-27 01:46:18 +02:00
4687967176
Autofix Rubocop Style/NumericLiterals ( #24468 )
2023-04-23 22:30:07 +02:00
5c499f54e3
Change root Chewy strategy to emit a warning instead of erroring out in production mode ( #24327 )
2023-04-03 15:05:39 +02:00
500d6f93be
Autofix Rubocop Style/IdenticalConditionalBranches ( #24322 )
2023-03-31 09:33:52 +02:00
a9b5598c97
Change user settings to be stored in a more optimal way ( #23630 )
...
Co-authored-by: Claire <claire.github-309c@sitedethib.com>
2023-03-30 14:44:00 +02:00
e084b5b82d
Fix user archive takeout when using OpenStack Swift or S3 providers with no ACL support ( #24200 )
2023-03-27 17:07:37 +02:00
f432db7b9f
Fix sidekiq jobs not triggering Elasticsearch index updates ( #24046 )
2023-03-12 23:47:55 +01:00
922837dc96
Upgrade to latest redis-rb 4.x and fix deprecations ( #23616 )
...
Co-authored-by: Jean Boussier <jean.boussier@gmail.com>
2023-03-04 16:38:28 +01:00
de137e6bb0
Added support for specifying S3 storage classes in environment ( #22480 )
2023-03-03 20:53:37 +01:00
c6ef56fd5e
Change rate limits to 1,500/5m per user, 300/5m per app ( #23347 )
2023-02-02 00:07:49 +01:00
596923da4a
Fix typos in source documentation ( #21046 )
...
Fixed 2 source comment/documentation typos
2022-12-15 15:57:26 +01:00
d587a268fd
Add logging for Rails cache timeouts ( #21667 )
...
* Reduce redis cache store connect timeout from default 20 seconds to 5 seconds
* Log cache store errors
2022-11-27 20:37:37 +01:00
7955d4b959
Add form-action CSP directive ( #20781 )
2022-11-17 10:55:03 +01:00
a2931d19ae
Add missing admin scopes ( fix #20892 ) ( #20918 )
2022-11-17 10:50:21 +01:00
43b0b2f3f4
Fix wrong directive `unsafe-wasm-eval` to `wasm-unsafe-eval` ( #20729 )
2022-11-15 03:39:06 +01:00
b46b7c3d5e
Use "unsafe-wasm-eval" instead of "unsafe-eval" in script-src CSP ( #20606 )
...
* Add "unsafe-eval" to script-src CSP
* Use 'unsafe-wasm-eval' instead of 'unsafe-eval'
2022-11-15 03:22:38 +01:00
21fd25a269
Fix rate limiting for paths with formats ( #20675 )
2022-11-14 20:26:31 +01:00
9d039209cc
Add `Cache-Control` header to openstack-stored files ( #20610 )
...
When storing files in S3, paperclip is configured with a Cache-Control header
indicating the file is immutable, however no such header was added when using
OpenStack storage.
Luckily Paperclip's fog integration makes this trivial, with a simple
`fog_file` `Cache-Control` default doing the trick.
2022-11-14 05:26:49 +01:00
290d78cea4
Allow unsetting x-amz-acl S3 Permission headers ( #20510 )
...
Some "S3 Compatible" storage providers (Cloudflare R2 is one such example) don't support setting ACLs on individual uploads with the `x-amz-acl` header, and instead just have a visibility for the whole bucket. To support uploads to such providers without getting unsupported errors back, lets use a black `S3_PERMISSION` env var to indicate that these headers shouldn't be sent.
This is tested as working with Cloudflare R2.
2022-11-13 06:57:10 +01:00
aafbc82d88
Add "unsafe-eval" to script-src CSP ( #18817 )
2022-10-26 19:23:16 +02:00
bf0ab3e0fa
Fix vacuum scheduler missing lock, locks never expiring ( #19458 )
...
Remove vacuuming of orphaned preview cards
2022-10-26 12:10:48 +02:00
0d6b878808
Add user content translations with configurable backends ( #19218 )
2022-09-23 23:00:12 +02:00
546672e292
Change "Allow trends without prior review" setting to include statuses ( #17977 )
...
* Change "Allow trends without prior review" setting to include posts
* Fix i18n-tasks
2022-08-28 04:00:39 +02:00
861b35dd54
Support "http_hidden_proxy" ENV var for hidden service only proxy ( #18427 )
...
* Support "http_hidden_proxy" ENV var for hidden service only proxy
* Fallback to http_proxy if http_hidden_proxy is not set
2022-08-25 04:41:14 +02:00
e7aa2be828
Change how hashtags are normalized ( #18795 )
...
* Change how hashtags are normalized
* Fix tests
2022-07-13 15:03:28 +02:00
ae4f068a84
Fix CAS_DISPLAY_NAME, SAML_DISPLAY_NAME and OIDC_DISPLAY_NAME being ignored ( #18568 )
2022-06-01 19:22:55 +02:00
96129c2f10
Fix confirmation redirect to app without `Location` header ( #18523 )
2022-05-26 22:03:54 +02:00
679b7158e3
Change search indexing to use batches to minimize resource usage ( #18451 )
2022-05-18 23:29:14 +02:00
7b0fe4aef9
Fix opening and closing Redis connections instead of using a pool ( #18171 )
...
* Fix opening and closing Redis connections instead of using a pool
* Fix Redis connections not being returned to the pool in CLI commands
2022-04-29 22:43:07 +02:00
8284110c55
Fix stoplight not using REDIS_NAMESPACE ( #18160 )
2022-04-28 18:11:31 +02:00
3917353645
Fix single Redis connection being used across all threads ( #18135 )
...
* Fix single Redis connection being used across all Sidekiq threads
* Fix tests
2022-04-28 17:47:34 +02:00
6e418bf346
Fix cookies secure flag being set when served over Tor ( #17992 )
2022-04-08 12:47:18 +02:00
39b489ba4c
fix: `s3_force_single_request` not parsed ( #17922 )
2022-04-01 23:56:23 +02:00
cefa526c6d
Refactor formatter ( #17828 )
...
* Refactor formatter
* Move custom emoji pre-rendering logic to view helpers
* Move more methods out of Formatter
* Fix code style issues
* Remove Formatter
* Add inline poll options to RSS feeds
* Remove unused helper method
* Fix code style issues
* Various fixes and improvements
* Fix test
2022-03-26 02:53:34 +01:00
895212bb2f
Fix PgHero suggesting migrations ( #17807 )
...
* Fix PgHero suggesting migrations
Fixes #17768
* Keep migration suggestions in development env
2022-03-15 20:27:49 +01:00
eb9a7e3626
Fix LetterOpennerWeb CSP ( #17770 )
2022-03-14 19:20:40 +01:00
46ad7fea9d
Bump rack-attack from 6.5.0 to 6.6.0 ( #17405 )
...
* Bump rack-attack from 6.5.0 to 6.6.0
Bumps [rack-attack](https://github.com/rack/rack-attack ) from 6.5.0 to 6.6.0.
- [Release notes](https://github.com/rack/rack-attack/releases )
- [Changelog](https://github.com/rack/rack-attack/blob/master/CHANGELOG.md )
- [Commits](https://github.com/rack/rack-attack/compare/v6.5.0...v6.6.0 )
---
updated-dependencies:
- dependency-name: rack-attack
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* Fix usage of deprecated API
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
2022-03-12 09:23:53 +01:00
a6ed6845c9
Allow login through OpenID Connect ( #16221 )
...
* added OpenID Connect as an SSO option
* minor fixes
* added comments, removed an option that shouldn't be set
* fixed Gemfile.lock
* added newline to end of Gemfile.lock
* removed tab from Gemfile.lock
* remove chomp
* codeclimate changes and small name change to make function's purpose clearer
* codeclimate fix
* added SSO buttons to /about page
* minor refactor
* minor style change
* removed spurious change
* removed unecessary conditional from ensure_valid_username and added support for auth.info.name in user_params_from_auth
* minor changes
2022-03-09 12:07:35 +01:00
b5329e0035
Spelling ( #17705 )
...
* spelling: account
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: affiliated
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: appearance
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: autosuggest
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: cacheable
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: component
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: conversations
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: domain.example
Clarify what's distinct and use RFC friendly domain space.
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: environment
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: exceeds
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: functional
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: inefficiency
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: not
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: notifications
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: occurring
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: position
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: progress
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: promotable
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: reblogging
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: repetitive
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: resolve
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: saturated
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: similar
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: strategies
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: success
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: targeting
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: thumbnails
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: unauthorized
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: unsensitizes
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: validations
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
* spelling: various
Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2022-03-06 22:51:40 +01:00
73f5e4a1d9
Fix various typos ( #17621 )
...
Found via `codespell -q 3 -S ./CHANGELOG.md,./AUTHORS.md,./config/locales,./app/javascript/mastodon/locales -L ba,keypair,medias,ro`
2022-02-22 20:14:17 +01:00
8603a07504
Fix error when trying to register ( #17600 )
2022-02-21 14:55:38 +01:00
f9e7f2e409
Avoid return within block ( #17590 )
...
This prevents the error: LocalJumpError (unexpected return)
2022-02-18 20:21:21 +01:00
1de2e3f980
Throttle IPv6 signup for subnet ( #17588 )
2022-02-18 13:51:51 +01:00
cfa583fa71
Remove support for OAUTH_REDIRECT_AT_SIGN_IN ( #17287 )
...
Fixes #15959
Introduced in #6540 , OAUTH_REDIRECT_AT_SIGN_IN allowed skipping the log-in form
to instead redirect to the external OmniAuth login provider.
However, it did not prevent the log-in form on /about introduced by #10232 from
appearing, and completely broke with the introduction of #15228 .
As I restoring that previous log-in flow without introducing a security
vulnerability may require extensive care and knowledge of how OmniAuth works,
this commit removes support for OAUTH_REDIRECT_AT_SIGN_IN instead for the time
being.
2022-01-23 15:50:41 +01:00
8e84ebf0cb
Remove IP tracking columns from users table ( #16409 )
2022-01-16 13:23:50 +01:00
ea61d3acd6
Fix media API limit ( #17272 )
2022-01-10 14:25:24 +01:00
fe71548844
Fix warnings on Rails boot ( #16946 )
2021-12-27 00:47:20 +01:00
06631fdc53
Fix ElasticSearch to Elasticsearch ( #17050 )
2021-11-26 08:30:02 +01:00
3419d3ec84
Bump chewy from 5.2.0 to 7.2.3 (supports Elasticsearch 7.x) ( #16915 )
...
* Bump chewy from 5.2.0 to 7.2.2
* fix style (codeclimate)
* fix style
* fix style
* Bump chewy from 7.2.2 to 7.2.3
2021-11-18 22:02:08 +01:00
6da135a493
Fix reviving revoked sessions and invalidating login ( #16943 )
...
Up until now, we have used Devise's Rememberable mechanism to re-log users
after the end of their browser sessions. This mechanism relies on a signed
cookie containing a token. That token was stored on the user's record,
meaning it was shared across all logged in browsers, meaning truly revoking
a browser's ability to auto-log-in involves revoking the token itself, and
revoking access from *all* logged-in browsers.
We had a session mechanism that dynamically checks whether a user's session
has been disabled, and would log out the user if so. However, this would only
clear a session being actively used, and a new one could be respawned with
the `remember_user_token` cookie.
In practice, this caused two issues:
- sessions could be revived after being closed from /auth/edit (security issue)
- auto-log-in would be disabled for *all* browsers after logging out from one
of them
This PR removes the `remember_token` mechanism and treats the `_session_id`
cookie/token as a browser-specific `remember_token`, fixing both issues.
2021-11-06 00:13:58 +01:00
c8ce728705
Support authentication for ElasticSearch ( #16890 )
...
* Support authentication for ElasticSearch
* Fix chewy auth settings
2021-10-24 17:20:03 +02:00
b21f3aa21d
Minor memory optimizations ( #16507 )
...
Reduce constant memory usage by ~100kB and further reduce boot-up memory
allocations and temporary memory use by a further ~200kB.
2021-10-14 21:04:57 +02:00
2ed1c92c63
New env variable: CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED ( #16655 )
...
When using a CAS server, the users only have a temporary email
`change@me-foo-cas.com` which can't be changed but by an
administrator.
We need a new environment variable like for SAML to assume the email
from CAS is verified.
* config/initializers/omniauth.rb: define CAS option for assuming
email are always verified.
* .env.nanobox: add new variable as an example.
2021-08-25 18:41:24 +02:00
211d5c3c30
Fix inefficiencies in auto-linking code ( #16506 )
...
The auto-linking code basically rewrote the whole string escaping non-ascii
characters in an inefficient way, and building a full character offset map
between the unescaped and escaped texts before sending the contents to
TwitterText's extractor.
Instead of doing that, this commit changes the TwitterText regexps to include
valid IRI characters in addition to valid URI characters.
2021-07-15 15:56:58 +02:00
b715cede4d
Fix mailer jobs for deleted notifications erroring out ( #16294 )
...
Fixes an oversight in the Rails 6 migration
2021-05-24 03:02:46 +02:00
97539b6a96
Fix host check on healthcheck path not being disabled ( #16270 )
...
Fixes #16251
There was a typo in #16243
2021-05-17 22:36:08 +02:00
f09322f9cc
Disable host check on healthcheck path ( #16243 )
2021-05-16 19:48:59 +02:00
Matt Jankowski