Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Version up v4.2.8 #1398

Merged
merged 21 commits into from
Mar 17, 2024
Merged

Version up v4.2.8 #1398

merged 21 commits into from
Mar 17, 2024

Conversation

claustra01
Copy link
Member

No description provided.

ClearlyClaire and others added 21 commits February 14, 2024 11:02
@ClearlyClaire
Update dependency nokogiri to 1.16.2
b7230cd
@ClearlyClaire
Update dependency sidekiq-unique-jobs to 7.1.33
ae2dce8
@ThisIsMissEm @ClearlyClaire
Disable administrative doorkeeper routes (mastodon#29187)
6d43b63
@ClearlyClaire
Add sidekiq_unique_jobs:delete_all_locks task and disable `sidekiq-…
1a33d34 
…unique-jobs` UI by default (mastodon#29199)
@ClearlyClaire @ThisIsMissEm
Merge pull request from GHSA-7w3c-p9j8-mq3x
0b0c7af 
* Ensure destruction of OAuth Applications notifies streaming

Due to doorkeeper using a dependent: delete_all relationship, the destroy of an OAuth Application bypassed the existing AccessTokenExtension callbacks for announcing destructing of access tokens.

* Ensure password resets revoke access to Streaming API

* Improve performance of deleting OAuth tokens

---------

Co-authored-by: Emelia Smith <[email protected]>
@ClearlyClaire
Merge pull request from GHSA-vm39-j3vx-pch3
f170052 
* Prevent different identities from a same SSO provider from accessing a same account

* Lock auth provider changes behind `ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true`

* Rename methods to avoid confusion between OAuth and OmniAuth
@ClearlyClaire
Bump version to v4.2.6
7c8ca0c
@ClearlyClaire
Fix OmniAuth tests (mastodon#29201)
76a37bd
@ClearlyClaire
Fix user creation failure handling in OAuth paths (mastodon#29207)
870ee80
@ClearlyClaire @mjankowski
Update nsa gem to version 0.3.0 (mastodon#29065) (mastodon#29206)
e4ec4ce 
Co-authored-by: Matt Jankowski <[email protected]>
@ClearlyClaire
Update dependency pg to 1.5.5
684f999
@ClearlyClaire
Merge pull request from GHSA-jhrq-qvrm-qr36
15de520 
* Fix insufficient Content-Type checking of fetched ActivityStreams objects

* Allow JSON-LD documents with multiple profiles
@ClearlyClaire
Bump version to v4.2.7
0e4e98f
@ClearlyClaire
Fix linting failure
c5d56de
@ClearlyClaire
Update dependencies (mastodon#29346)
fbb0789
@ClearlyClaire
Automatically switch from open to approved registrations in absence o…
28b666b 
…f moderators (mastodon#29337)
@ClearlyClaire
Fix auto-close email being sent to users with devops permissions inst…
4fd22ac 
…ead of settings permissions (mastodon#29356)
@ClearlyClaire
Change registrations to be disabled by default for new servers (masto…
328a9b8 
…don#29353)
@ClearlyClaire
Fix link verifications when page size exceeds 1MB (mastodon#29361)
9a78026
@ClearlyClaire
Fix processing of Link objects in Image objects (mastodon#29363)
f3ad918
@ClearlyClaire
Bump version to v4.2.8 (mastodon#29370)
bdb6650
@claustra01 claustra01 merged commit bc3c942 into main Mar 17, 2024
18 of 23 checks passed
@claustra01 claustra01 deleted the version-up-v4.2.8 branch March 17, 2024 16:25
@claustra01 claustra01 restored the version-up-v4.2.8 branch March 17, 2024 16:25
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 17, 2024
View reviewed changes
app/helpers/jsonld_helper.rb
return false unless response.mime_type == 'application/ld+json'

response.headers[HTTP::Headers::CONTENT_TYPE]&.split(';')&.map(&:strip)&.any? do |str|
str.start_with?('profile="') && str[9...-1].split.include?('https://www.w3.org/ns/activitystreams')

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

'
https://www.w3.org/ns/activitystreams
Loading
' can be anywhere in the URL, and arbitrary hosts may come before or after it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@claustra01 @ClearlyClaire @ThisIsMissEm