From 0e8f23ebeeb4cea2d11a92d737adca337645144a Mon Sep 17 00:00:00 2001 From: David Roetzel Date: Mon, 30 Sep 2024 12:25:54 +0200 Subject: [PATCH 01/12] Merge commit from fork This should not change the set of words matched by `USERNAME_RE` but does change the one matched by `MENTION_RE`. Indeed, the previous regexp allowed a domain part to start with `.` or `-`, which the new regexp does not allow. Co-authored-by: Claire --- app/models/account.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/models/account.rb b/app/models/account.rb index 17882db9a..5d6e8864d 100644 --- a/app/models/account.rb +++ b/app/models/account.rb @@ -65,8 +65,8 @@ class Account < ApplicationRecord BACKGROUND_REFRESH_INTERVAL = 1.week.freeze - USERNAME_RE = /[a-z0-9_]+([a-z0-9_.-]+[a-z0-9_]+)?/i - MENTION_RE = %r{(? Date: Mon, 23 Sep 2024 17:05:43 +0200 Subject: [PATCH 02/12] Update dependency ruby-saml --- Gemfile.lock | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 436f670a6..f27adf9ae 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -469,7 +469,7 @@ GEM net-protocol net-ssh (7.1.0) nio4r (2.7.3) - nokogiri (1.16.6) + nokogiri (1.16.7) mini_portile2 (~> 2.8.2) racc (~> 1.4) nsa (0.3.0) @@ -532,7 +532,7 @@ GEM pundit (2.3.0) activesupport (>= 3.0.0) raabro (1.4.0) - racc (1.7.3) + racc (1.8.1) rack (2.2.9) rack-attack (6.7.0) rack (>= 1.0, < 4) @@ -604,8 +604,7 @@ GEM responders (3.1.0) actionpack (>= 5.2) railties (>= 5.2) - rexml (3.3.5) - strscan + rexml (3.3.7) rotp (6.3.0) rouge (4.1.2) rpam2 (4.0.2) @@ -667,7 +666,7 @@ GEM rubocop-factory_bot (~> 2.22) ruby-prof (1.6.3) ruby-progressbar (1.13.0) - ruby-saml (1.15.0) + ruby-saml (1.17.0) nokogiri (>= 1.13.10) rexml ruby2_keywords (0.0.5) @@ -731,7 +730,6 @@ GEM redlock (~> 1.0) strong_migrations (0.8.0) activerecord (>= 5.2) - strscan (3.1.0) swd (1.3.0) activesupport (>= 3) attr_required (>= 0.0.5) From 2abaa9b68af77e1f7d77c2f4ace54789b3f47f27 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 23 Sep 2024 17:06:08 +0200 Subject: [PATCH 03/12] Update dependency omniauth-saml --- Gemfile.lock | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index f27adf9ae..0268f9f75 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -478,16 +478,16 @@ GEM sidekiq (>= 3.5) statsd-ruby (~> 1.4, >= 1.4.0) oj (3.16.1) - omniauth (2.1.1) + omniauth (2.1.2) hashie (>= 3.4.6) rack (>= 2.2.3) rack-protection omniauth-rails_csrf_protection (1.0.1) actionpack (>= 4.2) omniauth (~> 2.0) - omniauth-saml (2.1.0) - omniauth (~> 2.0) - ruby-saml (~> 1.12) + omniauth-saml (2.1.2) + omniauth (~> 2.1) + ruby-saml (~> 1.17) omniauth_openid_connect (0.6.1) omniauth (>= 1.9, < 3) openid_connect (~> 1.1) @@ -544,7 +544,7 @@ GEM httpclient json-jwt (>= 1.11.0) rack (>= 2.1.0) - rack-protection (3.0.5) + rack-protection (3.0.6) rack rack-proxy (0.7.6) rack From d096965eec092ab934f6f6b003ab682d5f005ef0 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 23 Sep 2024 17:07:27 +0200 Subject: [PATCH 04/12] Update dependency puma --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 0268f9f75..bcf8ad42b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -527,7 +527,7 @@ GEM premailer (~> 1.7, >= 1.7.9) private_address_check (0.5.0) public_suffix (5.0.3) - puma (6.4.2) + puma (6.4.3) nio4r (~> 2.0) pundit (2.3.0) activesupport (>= 3.0.0) From 378af3a0a08abc15d759d71c05523c39e8bbdc5f Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 23 Sep 2024 17:08:19 +0200 Subject: [PATCH 05/12] Update dependency fugit --- Gemfile.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index bcf8ad42b..4c9345e9a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -201,7 +201,7 @@ GEM climate_control (0.2.0) cocoon (1.2.15) color_diff (0.1) - concurrent-ruby (1.2.3) + concurrent-ruby (1.3.4) connection_pool (2.4.1) cose (1.3.0) cbor (~> 0.5.9) @@ -256,7 +256,7 @@ GEM multi_json encryptor (3.0.0) erubi (1.12.0) - et-orbi (1.2.7) + et-orbi (1.2.11) tzinfo excon (0.100.0) fabrication (2.30.0) @@ -306,8 +306,8 @@ GEM fog-json (>= 1.0) ipaddress (>= 0.8) formatador (0.3.0) - fugit (1.8.1) - et-orbi (~> 1, >= 1.2.7) + fugit (1.11.1) + et-orbi (~> 1, >= 1.2.11) raabro (~> 1.4) fuubar (2.5.1) rspec-core (~> 3.0) From 9bfbba3224030095a21c48b9270775748ab6c39a Mon Sep 17 00:00:00 2001 From: Claire Date: Fri, 20 Sep 2024 16:58:06 +0200 Subject: [PATCH 06/12] Fix issue when encountering reblog of deleted post in feed rebuild (#32001) --- app/lib/feed_manager.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/lib/feed_manager.rb b/app/lib/feed_manager.rb index 8b7f20811..32236f20d 100644 --- a/app/lib/feed_manager.rb +++ b/app/lib/feed_manager.rb @@ -557,7 +557,7 @@ class FeedManager arr = crutches[:active_mentions][s.id] || [] arr.push(s.account_id) - if s.reblog? + if s.reblog? && s.reblog.present? arr.push(s.reblog.account_id) arr.concat(crutches[:active_mentions][s.reblog_of_id] || []) end From e66aaee1a4b47e458a2df23f65620b9b2bbc6eed Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 12 Sep 2024 14:58:12 +0200 Subject: [PATCH 07/12] Fix security context sometimes not being added in LD-Signed activities (#31871) --- app/lib/activitypub/linked_data_signature.rb | 9 ++++++++- spec/lib/activitypub/linked_data_signature_spec.rb | 9 ++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/app/lib/activitypub/linked_data_signature.rb b/app/lib/activitypub/linked_data_signature.rb index 9459fdd8b..c42313b05 100644 --- a/app/lib/activitypub/linked_data_signature.rb +++ b/app/lib/activitypub/linked_data_signature.rb @@ -4,6 +4,7 @@ class ActivityPub::LinkedDataSignature include JsonLdHelper CONTEXT = 'https://w3id.org/identity/v1' + SIGNATURE_CONTEXT = 'https://w3id.org/security/v1' def initialize(json) @json = json.with_indifferent_access @@ -46,7 +47,13 @@ class ActivityPub::LinkedDataSignature signature = Base64.strict_encode64(keypair.sign(OpenSSL::Digest.new('SHA256'), to_be_signed)) - @json.merge('signature' => options.merge('signatureValue' => signature)) + # Mastodon's context is either an array or a single URL + context_with_security = Array(@json['@context']) + context_with_security << 'https://w3id.org/security/v1' + context_with_security.uniq! + context_with_security = context_with_security.first if context_with_security.size == 1 + + @json.merge('signature' => options.merge('signatureValue' => signature), '@context' => context_with_security) end private diff --git a/spec/lib/activitypub/linked_data_signature_spec.rb b/spec/lib/activitypub/linked_data_signature_spec.rb index e821cee6b..8a867790a 100644 --- a/spec/lib/activitypub/linked_data_signature_spec.rb +++ b/spec/lib/activitypub/linked_data_signature_spec.rb @@ -99,16 +99,11 @@ RSpec.describe ActivityPub::LinkedDataSignature do describe '#sign!' do subject { described_class.new(raw_json).sign!(sender) } - it 'returns a hash' do + it 'returns a hash with a signature, the expected context, and the signature can be verified', :aggregate_failures do expect(subject).to be_a Hash - end - - it 'contains signature' do expect(subject['signature']).to be_a Hash expect(subject['signature']['signatureValue']).to be_present - end - - it 'can be verified again' do + expect(Array(subject['@context'])).to include('https://w3id.org/security/v1') expect(described_class.new(subject).verify_actor!).to eq sender end end From 20f06798a0d33895f391b322670abaaf4bb68a73 Mon Sep 17 00:00:00 2001 From: Claire Date: Fri, 20 Sep 2024 12:10:09 +0200 Subject: [PATCH 08/12] Change Mastodon to issue correctly-signed queries by default (#31994) --- app/lib/request.rb | 2 +- app/services/activitypub/fetch_replies_service.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/lib/request.rb b/app/lib/request.rb index 8d4120868..4f3f3ff43 100644 --- a/app/lib/request.rb +++ b/app/lib/request.rb @@ -77,7 +77,7 @@ class Request @url = Addressable::URI.parse(url).normalize @http_client = options.delete(:http_client) @allow_local = options.delete(:allow_local) - @full_path = options.delete(:with_query_string) + @full_path = !options.delete(:omit_query_string) @options = options.merge(socket_class: use_proxy? || @allow_local ? ProxySocket : Socket) @options = @options.merge(timeout_class: PerOperationWithDeadline, timeout_options: TIMEOUT) @options = @options.merge(proxy_url) if use_proxy? diff --git a/app/services/activitypub/fetch_replies_service.rb b/app/services/activitypub/fetch_replies_service.rb index e2ecdef16..46cab6caf 100644 --- a/app/services/activitypub/fetch_replies_service.rb +++ b/app/services/activitypub/fetch_replies_service.rb @@ -49,7 +49,7 @@ class ActivityPub::FetchRepliesService < BaseService rescue Mastodon::UnexpectedResponseError => e raise unless e.response && e.response.code == 401 && Addressable::URI.parse(collection_or_uri).query.present? - fetch_resource_without_id_validation(collection_or_uri, nil, true, request_options: { with_query_string: true }) + fetch_resource_without_id_validation(collection_or_uri, nil, true, request_options: { omit_query_string: false }) end end From 346c37df80cfd13add09d86dc36be85decd096d8 Mon Sep 17 00:00:00 2001 From: Claire Date: Mon, 23 Sep 2024 17:36:15 +0200 Subject: [PATCH 09/12] Fix replies collection being cached improperly --- app/controllers/activitypub/replies_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/activitypub/replies_controller.rb b/app/controllers/activitypub/replies_controller.rb index c38ff89d1..25f095cfa 100644 --- a/app/controllers/activitypub/replies_controller.rb +++ b/app/controllers/activitypub/replies_controller.rb @@ -14,7 +14,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController before_action :set_replies def index - expires_in 0, public: public_fetch_mode? + expires_in 0, public: @status.distributable? && public_fetch_mode? render json: replies_collection_presenter, serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json', skip_activities: true end From d2842db18dc617673289f1d153899acfd20065bc Mon Sep 17 00:00:00 2001 From: Claire Date: Fri, 27 Sep 2024 14:31:00 +0200 Subject: [PATCH 10/12] Ignore CVE-2024-8796, which does not impact us --- .bundler-audit.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.bundler-audit.yml b/.bundler-audit.yml index 0671df390..c867b1abf 100644 --- a/.bundler-audit.yml +++ b/.bundler-audit.yml @@ -4,3 +4,7 @@ ignore: # We have rate-limits on authentication endpoints in place (including second # factor verification) since Mastodon v3.2.0 - CVE-2024-0227 + # devise-two-factor advisory about generated secrets being weaker than expected + # We call `generate_otp_secret` ourselves with a requested length of 32 characters, + # which exceeds the recommended remediation of 26 characters, so we're safe + - CVE-2024-8796 From 245a74f9cae1b693c42b62795497ce89ecce9fb1 Mon Sep 17 00:00:00 2001 From: Claire Date: Thu, 26 Sep 2024 21:27:57 +0200 Subject: [PATCH 11/12] =?UTF-8?q?Add=20=E2=80=9CA=20Mastodon=20update=20is?= =?UTF-8?q?=20available.=E2=80=9D=20message=20on=20admin=20dashboard=20for?= =?UTF-8?q?=20non-bugfix=20updates=20(#32106)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/lib/admin/system_check/software_version_check.rb | 6 ++++-- config/locales/en.yml | 3 +++ spec/lib/admin/system_check/software_version_check_spec.rb | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/app/lib/admin/system_check/software_version_check.rb b/app/lib/admin/system_check/software_version_check.rb index e142feddf..e5cacfe35 100644 --- a/app/lib/admin/system_check/software_version_check.rb +++ b/app/lib/admin/system_check/software_version_check.rb @@ -14,14 +14,16 @@ class Admin::SystemCheck::SoftwareVersionCheck < Admin::SystemCheck::BaseCheck def message if software_updates.any?(&:urgent?) Admin::SystemCheck::Message.new(:software_version_critical_check, nil, admin_software_updates_path, true) - else + elsif software_updates.any?(&:patch_type?) Admin::SystemCheck::Message.new(:software_version_patch_check, nil, admin_software_updates_path) + else + Admin::SystemCheck::Message.new(:software_version_check, nil, admin_software_updates_path) end end private def software_updates - @software_updates ||= SoftwareUpdate.pending_to_a.filter { |update| update.urgent? || update.patch_type? } + @software_updates ||= SoftwareUpdate.pending_to_a end end diff --git a/config/locales/en.yml b/config/locales/en.yml index 7db5e1bad..e14ca08fc 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -858,6 +858,9 @@ en: message_html: You haven't defined any server rules. sidekiq_process_check: message_html: No Sidekiq process running for the %{value} queue(s). Please review your Sidekiq configuration + software_version_check: + action: See available updates + message_html: A Mastodon update is available. software_version_critical_check: action: See available updates message_html: A critical Mastodon update is available, please update as quickly as possible. diff --git a/spec/lib/admin/system_check/software_version_check_spec.rb b/spec/lib/admin/system_check/software_version_check_spec.rb index de4335fc5..cc4c80e7a 100644 --- a/spec/lib/admin/system_check/software_version_check_spec.rb +++ b/spec/lib/admin/system_check/software_version_check_spec.rb @@ -51,8 +51,8 @@ describe Admin::SystemCheck::SoftwareVersionCheck do Fabricate(:software_update, version: '99.99.99', type: 'major', urgent: false) end - it 'returns true' do - expect(check.pass?).to be true + it 'returns false' do + expect(check.pass?).to be false end end From 7e47439787f8afe5930c9d7ddafc3c94e605d091 Mon Sep 17 00:00:00 2001 From: Claire Date: Fri, 27 Sep 2024 14:36:08 +0200 Subject: [PATCH 12/12] Bump version to 4.2.13 --- CHANGELOG.md | 21 +++++++++++++++++++++ docker-compose.yml | 6 +++--- lib/mastodon/version.rb | 2 +- 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b2229f9fd..f3e364320 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,27 @@ All notable changes to this project will be documented in this file. +## [4.2.13] - 2024-09-30 + +### Security + +- Fix ReDoS vulnerability on some Ruby versions ([GHSA-jpxp-r43f-rhvx](https://github.com/mastodon/mastodon/security/advisories/GHSA-jpxp-r43f-rhvx)) +- Update dependencies + +### Added + +- Add “A Mastodon update is available.” message on admin dashboard for non-bugfix updates (#32106 by @ClearlyClaire) + +### Changed + +- Change Mastodon to issue correct HTTP signatures by default (#31994 by @ClearlyClaire) + +### Fixed + +- Fix replies collection being cached improperly +- Fix security context sometimes not being added in LD-Signed activities (#31871 by @ClearlyClaire) +- Fix error when encountering reblog of deleted post in feed rebuild (#32001 by @ClearlyClaire) + ## [4.2.12] - 2024-08-19 ### Fixed diff --git a/docker-compose.yml b/docker-compose.yml index d4d5e89fe..2645c9eeb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -56,7 +56,7 @@ services: web: build: . - image: ghcr.io/mastodon/mastodon:v4.2.12 + image: ghcr.io/mastodon/mastodon:v4.2.13 restart: always env_file: .env.production command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000" @@ -77,7 +77,7 @@ services: streaming: build: . - image: ghcr.io/mastodon/mastodon:v4.2.12 + image: ghcr.io/mastodon/mastodon:v4.2.13 restart: always env_file: .env.production command: node ./streaming @@ -95,7 +95,7 @@ services: sidekiq: build: . - image: ghcr.io/mastodon/mastodon:v4.2.12 + image: ghcr.io/mastodon/mastodon:v4.2.13 restart: always env_file: .env.production command: bundle exec sidekiq diff --git a/lib/mastodon/version.rb b/lib/mastodon/version.rb index f0e0554c3..da6bca7b3 100644 --- a/lib/mastodon/version.rb +++ b/lib/mastodon/version.rb @@ -13,7 +13,7 @@ module Mastodon end def patch - 12 + 13 end def default_prerelease