misskey/packages/backend
Julia 5f675201f2
Merge commit from fork
* enhance: Add a few validation fixes from Sharkey

See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484

Co-Authored-By: Dakkar <dakkar@thenautilus.net>

* fix: primitive 2: acceptance of cross-origin alternate

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 3: validation of non-final url

* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities

* fix: primitives 5 & 8: reject activities with non
string identifiers

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 6: reject anonymous objects that were fetched by their id

* fix: primitives 9, 10 & 11: http signature validation
doesn't enforce required headers or specify auth header name

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections

* fix: code style for primitive 14

* fix: primitive 15: improper same-origin validation for
note uri and url

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 16: improper same-origin validation for user uri and url

* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array

* fix: code style for primitive 17

* fix: check attribution against actor in notes

While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.

* fix: primitive 18: `ap/get` bypasses access checks

One might argue that we could make this one actually preform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.

* fix: primitive 19 & 20: respect blocks and hide more

Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.

* fix: primitives 21, 22, and 23: reuse resolver

This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher that it previously would and could possibly
fail on non-malicious collection activities.

* fix: primitives 25-33: proper local instance checks

* revert: fix: primitive 19 & 20

This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.

---------

Co-authored-by: Dakkar <dakkar@thenautilus.net>
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
2024-11-21 08:20:09 +09:00
..
.vscode
assets enhance(backend): notify new login (#14673) 2024-10-03 15:06:04 +09:00
migration feat: 過去のノートを非公開化/フォロワーのみ表示可能にできる機能 (#14814) 2024-10-22 17:08:53 +09:00
nsfw-model feat: auto nsfw detection (#8840) 2022-07-07 21:06:37 +09:00
scripts enhance(backend): check_connect.js で全RedisとDBへの接続を確認するように (#14853) 2024-10-28 21:06:54 +09:00
src Merge commit from fork 2024-11-21 08:20:09 +09:00
test fix(backend): Webhook Test一致性 (#14863) 2024-11-12 09:51:18 +09:00
test-federation fix(misskey-js): WebSocketの型定義をReconnectingWebsocketに依存するように (#14850) 2024-10-28 11:43:05 +09:00
test-server refactor/perf(backend): provide metadata statically (#14601) 2024-09-22 12:53:13 +09:00
.madgerc Create .madgerc 2022-09-20 01:04:08 +09:00
.swcrc fix: misskey-js、bubble-game、reversiのビルドをesbuildに統合する (#13600) 2024-03-30 15:28:19 +09:00
eslint.config.js test(backend): add federation test (#14582) 2024-10-15 13:37:00 +09:00
jest.config.cjs enhance(backend): テストの高速化 (#12939) 2024-01-08 17:43:52 +09:00
jest.config.e2e.cjs enhance(backend): テストの高速化 (#12939) 2024-01-08 17:43:52 +09:00
jest.config.fed.cjs test(backend): add federation test (#14582) 2024-10-15 13:37:00 +09:00
jest.config.unit.cjs enhance(backend): テストの高速化 (#12939) 2024-01-08 17:43:52 +09:00
jsconfig.json
ormconfig.js fix: postgre -> postgres (#9814) 2023-02-07 19:50:38 +09:00
package.json use execa 8.0.1 2024-11-15 19:48:31 +09:00
README.md chore: ✌️ 2022-12-24 14:39:17 +09:00
tsconfig.json update deps (#11764) 2023-09-04 13:33:38 +09:00

Misskey Backend