From fcabc993038b81b310bc3752ac756a406679013a Mon Sep 17 00:00:00 2001
From: rinsuki <428rinsuki+git@gmail.com>
Date: Sun, 4 Dec 2022 05:34:51 +0900
Subject: [PATCH] =?UTF-8?q?master=E3=83=96=E3=83=A9=E3=83=B3=E3=83=81?= =?UTF-8?q?=E3=82=92master=5Fsecurity=E3=81=A8=E3=83=9E=E3=83=BC=E3=82=B8?= =?UTF-8?q?=20(#9260)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Fix: forkbomb 2
* 12.119.2
Co-authored-by: mei23
---
 CHANGELOG.md | 4 ++++
 package.json | 2 +-
 packages/backend/src/remote/activitypub/models/mention.ts | 4 +---
 packages/backend/src/remote/activitypub/models/note.ts | 4 ++--
 packages/backend/src/remote/activitypub/resolver.ts | 1 +
 5 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ecc8ef1f..d97e34b77 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,10 @@ You should also include the user name that made the change.
 -->
+## 12.119.2 (2022/12/04)
+### Bugfixes
+- Server: Backported versions mitigate isn't working @mei23
+
 ## 12.119.1 (2022/12/03)
 ### Bugfixes
 - Server: Mitigate AP reference chain DoS vector @skehmatics
diff --git a/package.json b/package.json
index 5a190d79b..a23a075d7 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "misskey",
- "version": "12.119.1",
+ "version": "12.119.2",
 "codename": "indigo",
 "repository": {
 "type": "git",
diff --git a/packages/backend/src/remote/activitypub/models/mention.ts b/packages/backend/src/remote/activitypub/models/mention.ts
index 13f77424e..7483992d2 100644
--- a/packages/backend/src/remote/activitypub/models/mention.ts
+++ b/packages/backend/src/remote/activitypub/models/mention.ts
@@ -5,11 +5,9 @@ import { IObject, isMention, IApMention } from '../type.js';
 import Resolver from '../resolver.js';
 import { resolvePerson } from './person.js';
-export async function extractApMentions(tags: IObject | IObject[] | null | undefined) {
+export async function extractApMentions(tags: IObject | IObject[] | null | undefined, resolver: Resolver) {
 const hrefs = unique(extractApMentionObjects(tags).map(x => x.href as string));
- const resolver = new Resolver();
-
 const limit = promiseLimit(2);
 const mentionedUsers = (await Promise.all(
 hrefs.map(x => limit(() => resolvePerson(x, resolver).catch(() => null))),
diff --git a/packages/backend/src/remote/activitypub/models/note.ts b/packages/backend/src/remote/activitypub/models/note.ts
index 5d63f2605..8aca589c9 100644
--- a/packages/backend/src/remote/activitypub/models/note.ts
+++ b/packages/backend/src/remote/activitypub/models/note.ts
@@ -97,7 +97,7 @@ export async function createNote(value: string | IObject, resolver?: Resolver, s
 throw new Error('actor has been suspended');
 }
- const noteAudience = await parseAudience(actor, note.to, note.cc);
+ const noteAudience = await parseAudience(actor, note.to, note.cc, resolver);
 let visibility = noteAudience.visibility;
 const visibleUsers = noteAudience.visibleUsers;
@@ -111,7 +111,7 @@ export async function createNote(value: string | IObject, resolver?: Resolver, s
 let isTalk = note._misskey_talk && visibility === 'specified';
- const apMentions = await extractApMentions(note.tag);
+ const apMentions = await extractApMentions(note.tag, resolver);
 const apHashtags = await extractApHashtags(note.tag);
 // 添付ファイル
diff --git a/packages/backend/src/remote/activitypub/resolver.ts b/packages/backend/src/remote/activitypub/resolver.ts
index ad0df0c97..6514c0660 100644
--- a/packages/backend/src/remote/activitypub/resolver.ts
+++ b/packages/backend/src/remote/activitypub/resolver.ts
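Review bot: `extractApMentions` in models/mention.ts now relies on receiving the caller's `Resolver` for the mitigation to hold, but nothing on the new signature records that. A doc comment such as `/** resolver must be the caller's instance so its history and recursion limit cover the whole reference chain; never construct a new one here. */` would keep a later refactor from bringing back the per-call `new Resolver()` this hunk removes. Separately, `.catch(() => null)` on the `resolvePerson` call presumably also swallows the error the resolver raises at its limit (that check is not visible here), so a tripped limit leaves no trace during mention resolution; logging inside that catch would give operators a signal. The function body continues past the end of the hunk.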
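Review bot: In models/note.ts the changed call at new line 100 passes `createNote`'s `resolver`, which the signature in the hunk header declares optional (`resolver?: Resolver`), while `extractApMentions` now requires a `Resolver`; the second hunk (new line 114) has the same exposure. The start of `createNote` is outside both hunks, so confirm it assigns a default before these calls, for example `if (resolver == null) resolver = new Resolver();`. If `undefined` can still reach `parseAudience` or `extractApMentions`, the callees would presumably fall back to a fresh resolver and the shared recursion budget this commit restores would be lost again. A short comment at that default explaining that the instance is threaded through every nested resolution would document the invariant.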
@@ -23,6 +23,7 @@ export default class Resolver {
 constructor(recursionLimit = 100) {
 this.history = new Set();
+ this.recursionLimit = recursionLimit;
 }
 public getHistory(): string[] {
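Review bot: The `Resolver` constructor stores `recursionLimit` unchecked, and the diffstat shows no test file accompanying a limit whose first backport was silently inert. Depending on how the comparison outside this hunk is written, a value such as `NaN` or a negative number could disable the limit or trip it immediately; a guard like `if (!Number.isInteger(recursionLimit) || recursionLimit < 1) throw new RangeError('recursionLimit must be a positive integer');` makes the contract explicit. That the missing assignment compiled suggests the field is declared optional; declaring it `private readonly recursionLimit: number` would let the compiler flag an omission like this one. A regression test that resolves a chain longer than the limit and expects a rejection would pin the behaviour. The class body continues outside the hunk.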