Merge branch 'glitch-soc:main' into emojis-v4

.github/workflows/codeql.yml

@@ -31,7 +31,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -44,7 +44,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -57,6 +57,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: '/language:${{matrix.language}}'

.rubocop.yml

@@ -74,14 +74,12 @@ Metrics/ModuleLength:
 Metrics/AbcSize:
   Exclude:
     - 'lib/mastodon/cli/*.rb'
-    - db/*migrate/**/*
 
 # Reason: Currently disabled in .rubocop_todo.yml
 # https://docs.rubocop.org/rubocop/cops_metrics.html#metricscyclomaticcomplexity
 Metrics/CyclomaticComplexity:
   Exclude:
     - lib/mastodon/cli/*.rb
-    - db/*migrate/**/*
 
 # Reason:
 # https://docs.rubocop.org/rubocop/cops_metrics.html#metricsparameterlists

Dockerfile

@@ -103,6 +103,7 @@ RUN \
     procps \
     tini \
     tzdata \
+    wget \
   ; \
 # Patch Ruby to use jemalloc
   patchelf --add-needed libjemalloc.so.2 /usr/local/bin/ruby; \

Gemfile.lock

@@ -131,16 +131,16 @@ GEM
     attr_required (1.0.1)
     awrence (1.2.1)
     aws-eventstream (1.3.0)
-    aws-partitions (1.860.0)
-    aws-sdk-core (3.189.0)
+    aws-partitions (1.873.0)
+    aws-sdk-core (3.190.1)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.651.0)
       aws-sigv4 (~> 1.8)
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.74.0)
+    aws-sdk-kms (1.75.0)
       aws-sdk-core (~> 3, >= 3.188.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.141.0)
+    aws-sdk-s3 (1.142.0)
       aws-sdk-core (~> 3, >= 3.189.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.8)
@@ -175,7 +175,8 @@ GEM
     blurhash (0.1.7)
     bootsnap (1.17.0)
       msgpack (~> 1.2)
-    brakeman (6.1.0)
+    brakeman (6.1.1)
+      racc
     browser (5.3.1)
     brpoplpush-redis_script (0.1.3)
       concurrent-ruby (~> 1.0, >= 1.0.5)
@@ -301,7 +302,7 @@ GEM
     faraday_middleware (1.2.0)
       faraday (~> 1.0)
     fast_blank (1.0.1)
-    fastimage (2.2.7)
+    fastimage (2.3.0)
     ffi (1.15.5)
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
@@ -456,9 +457,9 @@ GEM
       azure-storage-blob (~> 2.0.1)
       hashie (~> 5.0)
     memory_profiler (1.0.1)
-    mime-types (3.5.1)
+    mime-types (3.5.2)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2023.1003)
+    mime-types-data (3.2023.1205)
     mini_mime (1.1.5)
     mini_portile2 (2.8.5)
     minitest (5.20.0)
@@ -481,7 +482,7 @@ GEM
     net-smtp (0.4.0)
       net-protocol
     nio4r (2.5.9)
-    nokogiri (1.15.5)
+    nokogiri (1.16.0)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     oj (3.16.3)
@@ -510,7 +511,7 @@ GEM
       validate_email
       validate_url
       webfinger (~> 1.2)
-    openssl (3.1.0)
+    openssl (3.2.0)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
     orm_adapter (0.5.0)
@@ -543,7 +544,7 @@ GEM
     psych (5.1.2)
       stringio
     public_suffix (5.0.4)
-    puma (6.4.0)
+    puma (6.4.1)
       nio4r (~> 2.0)
     pundit (2.3.1)
       activesupport (>= 3.0.0)
@@ -679,10 +680,10 @@ GEM
       rubocop (~> 1.41)
     rubocop-factory_bot (2.24.0)
       rubocop (~> 1.33)
-    rubocop-performance (1.20.0)
+    rubocop-performance (1.20.1)
       rubocop (>= 1.48.1, < 2.0)
       rubocop-ast (>= 1.30.0, < 2.0)
-    rubocop-rails (2.23.0)
+    rubocop-rails (2.23.1)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
       rubocop (>= 1.33.0, < 2.0)
@@ -782,7 +783,7 @@ GEM
       unf (~> 0.1.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2023.3)
+    tzinfo-data (1.2023.4)
       tzinfo (>= 1.0.0)
     unf (0.1.4)
       unf_ext
@@ -797,7 +798,7 @@ GEM
       public_suffix
     warden (1.2.9)
       rack (>= 2.0.9)
-    webauthn (3.0.0)
+    webauthn (3.1.0)
       android_key_attestation (~> 0.3.0)
       awrence (~> 1.1)
       bindata (~> 2.4)

SECURITY.md

@@ -13,10 +13,8 @@ A "vulnerability in Mastodon" is a vulnerability in the code distributed through
 
 ## Supported Versions
 
-| Version | Supported        |
-| ------- | ---------------- |
-| 4.2.x   | Yes              |
-| 4.1.x   | Yes              |
-| 4.0.x   | No               |
-| 3.5.x   | Until 2023-12-31 |
-| < 3.5   | No               |
+| Version | Supported |
+| ------- | --------- |
+| 4.2.x   | Yes       |
+| 4.1.x   | Yes       |
+| < 4.1   | No        |

app/controllers/admin/export_domain_blocks_controller.rb

@@ -68,7 +68,7 @@ def export_headers
 
     def export_data
       CSV.generate(headers: export_headers, write_headers: true) do |content|
-        DomainBlock.with_limitations.each do |instance|
+        DomainBlock.with_limitations.order(id: :asc).each do |instance|
           content << [instance.domain, instance.severity, instance.reject_media, instance.reject_reports, instance.public_comment, instance.obfuscate]
         end
       end

app/controllers/api/v1/streaming_controller.rb

@@ -13,7 +13,9 @@ def index
 
   def streaming_api_url
     Addressable::URI.parse(request.url).tap do |uri|
-      uri.host = Addressable::URI.parse(Rails.configuration.x.streaming_api_base_url).host
+      base_url = Addressable::URI.parse(Rails.configuration.x.streaming_api_base_url)
+      uri.host = base_url.host
+      uri.port = base_url.port
     end.to_s
   end
 end

app/controllers/concerns/signature_verification.rb

@@ -91,14 +91,23 @@ def signed_request_actor
     raise SignatureVerificationError, "Public key not found for key #{signature_params['keyId']}" if actor.nil?
 
     signature             = Base64.decode64(signature_params['signature'])
-    compare_signed_string = build_signed_string
+    compare_signed_string = build_signed_string(include_query_string: true)
 
     return actor unless verify_signature(actor, signature, compare_signed_string).nil?
 
+    # Compatibility quirk with older Mastodon versions
+    compare_signed_string = build_signed_string(include_query_string: false)
+    return actor unless verify_signature(actor, signature, compare_signed_string).nil?
+
     actor = stoplight_wrap_request { actor_refresh_key!(actor) }
 
     raise SignatureVerificationError, "Could not refresh public key #{signature_params['keyId']}" if actor.nil?
 
+    compare_signed_string = build_signed_string(include_query_string: true)
+    return actor unless verify_signature(actor, signature, compare_signed_string).nil?
+
+    # Compatibility quirk with older Mastodon versions
+    compare_signed_string = build_signed_string(include_query_string: false)
     return actor unless verify_signature(actor, signature, compare_signed_string).nil?
 
     fail_with! "Verification failed for #{actor.to_log_human_identifier} #{actor.uri} using rsa-sha256 (RSASSA-PKCS1-v1_5 with SHA-256)", signed_string: compare_signed_string, signature: signature_params['signature']
@@ -180,11 +189,18 @@ def verify_signature(actor, signature, compare_signed_string)
     nil
   end
 
-  def build_signed_string
+  def build_signed_string(include_query_string: true)
     signed_headers.map do |signed_header|
       case signed_header
       when Request::REQUEST_TARGET
-        "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
+        if include_query_string
+          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.original_fullpath}"
+        else
+          # Current versions of Mastodon incorrectly omit the query string from the (request-target) pseudo-header.
+          # Therefore, temporarily support such incorrect signatures for compatibility.
+          # TODO: remove eventually some time after release of the fixed version
+          "#{Request::REQUEST_TARGET}: #{request.method.downcase} #{request.path}"
+        end
       when '(created)'
         raise SignatureVerificationError, 'Invalid pseudo-header (created) for rsa-sha256' unless signature_algorithm == 'hs2019'
         raise SignatureVerificationError, 'Pseudo-header (created) used but corresponding argument missing' if signature_params['created'].blank?

app/javascript/flavours/glitch/components/media_attachments.jsx

@@ -15,7 +15,7 @@ export default class MediaAttachments extends ImmutablePureComponent {
     lang: PropTypes.string,
     height: PropTypes.number,
     width: PropTypes.number,
-    revealed: PropTypes.bool,
+    visible: PropTypes.bool,
   };
 
   static defaultProps = {
@@ -52,7 +52,7 @@ export default class MediaAttachments extends ImmutablePureComponent {
   };
 
   render () {
-    const { status, width, height, revealed } = this.props;
+    const { status, width, height, visible } = this.props;
     const mediaAttachments = status.get('media_attachments');
     const language = status.getIn(['language', 'translation']) || status.get('language') || this.props.lang;
 
@@ -100,7 +100,7 @@ export default class MediaAttachments extends ImmutablePureComponent {
               height={height}
               inline
               sensitive={status.get('sensitive')}
-              revealed={revealed}
+              visible={visible}
               onOpenVideo={noop}
             />
           )}
@@ -115,7 +115,7 @@ export default class MediaAttachments extends ImmutablePureComponent {
               lang={language}
               sensitive={status.get('sensitive')}
               defaultWidth={width}
-              revealed={revealed}
+              visible={visible}
               height={height}
               onOpenMedia={noop}
             />

app/javascript/flavours/glitch/features/report/components/status_check_box.jsx

@@ -45,7 +45,7 @@ class StatusCheckBox extends PureComponent {
           </div>
         </div>
 
-        <StatusContent status={status} media={<MediaAttachments status={status} revealed={false} />} />
+        <StatusContent status={status} media={<MediaAttachments status={status} visible={false} />} />
       </div>
     );
 

app/javascript/flavours/glitch/features/ui/components/focal_point_modal.jsx

@@ -221,7 +221,7 @@ class FocalPointModal extends ImmutablePureComponent {
       const worker = createWorker({
         workerPath: tesseractWorkerPath,
         corePath: tesseractCorePath,
-        langPath: `${assetHost}/ocr/lang-data/`,
+        langPath: `${assetHost}/ocr/lang-data`,
         logger: ({ status, progress }) => {
           if (status === 'recognizing text') {
             this.setState({ ocrStatus: 'detecting', progress });

app/javascript/flavours/glitch/reducers/accounts_map.js

@@ -2,8 +2,13 @@ import { Map as ImmutableMap } from 'immutable';
 
 import { ACCOUNT_LOOKUP_FAIL } from '../actions/accounts';
 import { importAccounts } from '../actions/accounts_typed';
+import { domain } from '../initial_state';
 
-export const normalizeForLookup = str => str.toLowerCase();
+export const normalizeForLookup = str => {
+  str = str.toLowerCase();
+  const trailingIndex = str.indexOf(`@${domain.toLowerCase()}`);
+  return (trailingIndex > 0) ? str.slice(0, trailingIndex) : str;
+};
 
 const initialState = ImmutableMap();
 

app/javascript/flavours/glitch/styles/mastodon-light/diff.scss

@@ -296,10 +296,15 @@ html {
   }
 
   &__item {
+    color: $darker-text-color;
+
+    &--dangerous {
+      color: $error-value-color;
+    }
+
     a,
     button {
       background: $white;
-      color: $darker-text-color;
     }
   }
 }
@@ -311,9 +316,9 @@ html {
 .privacy-dropdown__option.active .privacy-dropdown__option__content strong,
 .privacy-dropdown__option:hover .privacy-dropdown__option__content,
 .privacy-dropdown__option:hover .privacy-dropdown__option__content strong,
-.dropdown-menu__item a:active,
-.dropdown-menu__item a:focus,
-.dropdown-menu__item a:hover,
+.dropdown-menu__item:not(.dropdown-menu__item--dangerous) a:active,
+.dropdown-menu__item:not(.dropdown-menu__item--dangerous) a:focus,
+.dropdown-menu__item:not(.dropdown-menu__item--dangerous) a:hover,
 .actions-modal ul li:not(:empty) a.active,
 .actions-modal ul li:not(:empty) a.active button,
 .actions-modal ul li:not(:empty) a:active,

app/javascript/mastodon/components/media_attachments.jsx

@@ -15,6 +15,7 @@ export default class MediaAttachments extends ImmutablePureComponent {
     lang: PropTypes.string,
     height: PropTypes.number,
     width: PropTypes.number,
+    visible: PropTypes.bool,
   };
 
   static defaultProps = {
@@ -51,7 +52,7 @@ export default class MediaAttachments extends ImmutablePureComponent {
   };
 
   render () {
-    const { status, width, height } = this.props;
+    const { status, width, height, visible } = this.props;
     const mediaAttachments = status.get('media_attachments');
     const language = status.getIn(['language', 'translation']) || status.get('language') || this.props.lang;
 
@@ -99,6 +100,7 @@ export default class MediaAttachments extends ImmutablePureComponent {
               height={height}
               inline
               sensitive={status.get('sensitive')}
+              visible={visible}
               onOpenVideo={noop}
             />
           )}
@@ -113,6 +115,7 @@ export default class MediaAttachments extends ImmutablePureComponent {
               lang={language}
               sensitive={status.get('sensitive')}
               defaultWidth={width}
+              visible={visible}
               height={height}
               onOpenMedia={noop}
             />