Update host #848
Merged
Update host #848
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@v4...v5) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: riku6460 <[email protected]>
Co-authored-by: あわわわとーにゅ <[email protected]> Co-authored-by: tar_bin <[email protected]>
Cherry-picked from TeamNijimiss/misskey@8003596 Co-authored-by: nafu-at <[email protected]>
Co-authored-by: まっちゃてぃー。 <[email protected]>
Co-authored-by: あわわわとーにゅ <[email protected]>
Cherry-picked from 89b27d8 Co-authored-by: tamaina <[email protected]>
… / feat: moderators can see following/followers of all users (misskey-dev#14375) Cherry-picked from 0d508db Co-authored-by: Daiki Mizukami <[email protected]>
cherry picked from commit 93fc06d Co-authored-by: かっこかり <[email protected]>
…て照会できるように (misskey-dev#14371) cherry picked from commit 9fbc1b7 Co-authored-by: syuilo <[email protected]> Co-authored-by: taichan <[email protected]>
cherry picked from commit 129af06 Co-authored-by: かっこかり <[email protected]>
…4424) cherry picked from commit bf8c42e Co-authored-by: taichan <[email protected]>
cherry picked from commit bf8c42e Co-authored-by: かっこかり <[email protected]> Co-authored-by: Hazel K <[email protected]>
…#14521) cherry picked from commit be0906a Co-authored-by: かっこかり <[email protected]>
…v#14627) cherry picked from commit dd124a8 Co-authored-by: Julia Johannesen <[email protected]> Co-authored-by: かっこかり <[email protected]>
…ies (misskey-dev#14825) This is allowed according to the Activity vocabulary: https://www.w3.org/TR/activitystreams-vocabulary/#dfn-icon The issue is noticeable in combination with Bridgy Fed: snarfed/bridgy-fed#1408 (cherry picked from commit 8eb7749)
…y-dev#14970) (cherry picked from commit b3c2de2)
* enhance: Add a few validation fixes from Sharkey See the original MR on the GitLab instance: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484 Co-Authored-By: Dakkar <[email protected]> * fix: primitive 2: acceptance of cross-origin alternate Co-Authored-By: Laura Hausmann <[email protected]> * fix: primitive 3: validation of non-final url * fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities * fix: primitives 5 & 8: reject activities with non string identifiers Co-Authored-By: Laura Hausmann <[email protected]> * fix: primitive 6: reject anonymous objects that were fetched by their id * fix: primitives 9, 10 & 11: http signature validation doesn't enforce required headers or specify auth header name Co-Authored-By: Laura Hausmann <[email protected]> * fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections * fix: code style for primitive 14 * fix: primitive 15: improper same-origin validation for note uri and url Co-Authored-By: Laura Hausmann <[email protected]> * fix: primitive 16: improper same-origin validation for user uri and url * fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array * fix: code style for primitive 17 * fix: check attribution against actor in notes While this isn't strictly required to fix the exploits at hand, this mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a preemptive countermeasure. * fix: primitive 18: `ap/get` bypasses access checks One might argue that we could make this one actually preform access checks against the returned activity object, but I feel like that's a lot more work than just restricting it to administrators, since, to me at least, it seems more like a debugging tool than anything else. * fix: primitive 19 & 20: respect blocks and hide more Ideally, the user property should also be hidden (as leaving it in leaks information slightly), but given the schema of the note endpoint, I don't think that would be possible without introducing some kind of "ghost" user, who is attributed for posts by users who have you blocked. * fix: primitives 21, 22, and 23: reuse resolver This also increases the default `recursionLimit` for `Resolver`, as it theoretically will go higher that it previously would and could possibly fail on non-malicious collection activities. * fix: primitives 25-33: proper local instance checks * revert: fix: primitive 19 & 20 This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c. --------- Co-authored-by: Dakkar <[email protected]> Co-authored-by: Laura Hausmann <[email protected]> Co-authored-by: syuilo <[email protected]> (cherry picked from commit 5f67520)
* Fix poll update spoofing * fix: Disallow negative poll counts --------- Co-authored-by: syuilo <[email protected]> (cherry picked from commit b9cb949)
* fix(backend): check target IP before sending HTTP request * fix(backend): allow accessing private IP when testing * Apply suggestions from code review Co-authored-by: anatawa12 <[email protected]> * fix(backend): lint and typecheck * fix(backend): add isLocalAddressAllowed option to getAgentByUrl and send (HttpRequestService) * fix(backend): allow fetchSummaryFromProxy, trueMail to access local addresses --------- Co-authored-by: anatawa12 <[email protected]> Co-authored-by: syuilo <[email protected]> (cherry picked from commit 090e939)
(cherry picked from commit 0f59adc)
(cherry picked from commit 53e827b)
* Fix type error in security fixes (cherry picked from commit fa3cf6c) * Fix error in test function calls (cherry picked from commit 1758f29) * Fix style error (cherry picked from commit 23c4aa2) * Fix another style error (cherry picked from commit 36af07a) * Fix `.punyHost` misuse (cherry picked from commit 6027b51) * attempt to fix test: make yaml valid --------- Co-authored-by: Julia Johannesen <[email protected]> (cherry picked from commit 3a6c2aa)
* fix(backend): fix apResolver * fix * add comments * tweak comment (cherry picked from commit c1f19fa)
* fix exception handling for Like activities (cherry picked from commit 8f42e84) * fix exception handling for Announce activities (cherry picked from commit cfc3ab4) * fix exception handling for Undo activities * Update Changelog --------- Co-authored-by: Hazelnoot <[email protected]> (cherry picked from commit f25fc52)
ActivityPub関連の脆弱性の修正
fixes nsfwjs error in b3f73d7
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
Why
Additional info (optional)
Checklist