Amelia Yukii
a6e257f502
Merge branch 'feture/code-injection-fix' into 'develop'
...
CVE: Fixed code injection from twitter import
See merge request TransFem-org/Sharkey!390
(cherry picked from commit 127f8556d4
)
2a8e93e4
Fixed code injection from twitter import
2024-02-01 15:07:35 +00:00
Marie
1805150533
fix: visibility check on masto import
...
Originally from PR #288
2023-12-31 22:41:35 +01:00
dakkar
8bc77072cb
fix: sort multiple config files
...
`globSync` doesn't guarantee the order in which it returns the
matching paths, so without the `sort()`, the config files may be
merged differently each time the server is started
2023-12-31 18:44:53 +00:00
Marie
4f2fa60a72
merge: bugfix auth-fetch ask to never cache responses ( #284 )
...
Reviewed-on: https://git.joinsharkey.org/Sharkey/Sharkey/pulls/284
2023-12-31 19:24:29 +01:00
Marie
3ec00398a3
fix: security with notes/show endpoint
2023-12-31 19:21:59 +01:00
Marie
233eff48f3
merge: pleroma note import - Use hashed filename for exists check ( #283 )
...
Reviewed-on: https://git.joinsharkey.org/Sharkey/Sharkey/pulls/283
2023-12-31 18:43:38 +01:00
Marie
b1c26201ca
upd: Note Length customization
...
note length is now configurable through the config file
Closes #281
falls back to 3000 (misskey default) if not used/included in config
2023-12-31 18:22:02 +01:00
Marie
031d748d0c
fix: /oauth/oauth to /oauth
2023-12-31 17:25:38 +01:00
dakkar
61c193c08f
lint
2023-12-31 16:17:45 +00:00
smitten
8d6d5923da
Simplify hash steps
2023-12-31 11:14:41 -05:00
smitten
327694d4cf
Use base64url digest
2023-12-31 09:13:51 -05:00
smitten
e9428a5a05
Use hex digest
2023-12-31 09:03:46 -05:00
dakkar
6d5d3d9ea1
auth-fetch: ask to never cache responses
...
I could have factored out all the lines that set cache headers, but
that would have made future merges even more complicated ☹
thanks ShittyCopper for reporting the problem!
2023-12-31 13:27:38 +00:00
Marie
b700fadbe3
upd: add home as a visibility for mastodon imports
2023-12-31 06:32:39 +01:00
Marie
07f06d7ed6
fix: if condition
2023-12-31 04:09:44 +01:00
Marie
fc6581b948
fix: correct followers visibility on import
2023-12-31 03:50:05 +01:00
Marie
667daebb79
upd: prevent vanilla mastodon imports from importing DMs
...
Also adds the visibility function to mastodon imports
2023-12-31 03:48:51 +01:00
smitten
0bb0d69543
Use hashed filename for exists check
2023-12-30 20:44:31 -05:00
trivernis
5f2e07d81f
Revert unnecessary changes to backend package.json
2023-12-29 20:05:19 +01:00
Trivernis
5af915e17e
Merge branch 'develop' into feature/config-dropdir
2023-12-29 20:04:22 +01:00
Marie
18e82c0627
fix: frontend not being able to build
2023-12-28 19:37:22 +01:00
Marie
870f70a683
upd: up sfm.js version
2023-12-28 13:06:11 +01:00
Marie
9a9f61a6c0
fix: typecheck
2023-12-28 12:52:12 +01:00
Marie
592027cf68
merge: upstream
2023-12-28 09:54:32 +01:00
Chocolate Pie
530a282524
fix(test): CIが落ちている問題を修正 ( #12816 )
...
* fix(test): CIが落ちているのを修正
* fix(ci)?: CIの`typecheck`が落ちる問題を修正
* fix(ci): コンフィグファイルのタイポを修正
2023-12-28 09:46:46 +01:00
MomentQYC
3f60d7c44b
Add a prompt for Tor Browser users ( #12776 )
...
* perf: Add a prompt for Tor Browser users
* typo
2023-12-28 09:46:46 +01:00
Kagami Sascha Rosylight
544b8106b2
feat(backend/oauth): allow CORS for token endpoint ( #12814 )
...
* feat(backend/oauth): allow CORS for token endpoint
* no need to explicitly set origin to `*`
* Update CHANGELOG.md
2023-12-28 09:46:19 +01:00
Chocolate Pie
82822e29d9
Merge pull request from GHSA-7pxq-6xx9-xpgm
...
* fix: fix improper authorization when accessing with third-party application
* refactor: refactor type definitions
* fix: get rid of unnecessary access limitation
* enhance: サードパーティアプリケーションがWebsocket APIを使えるように
* fix: add missing parentheses
* Revert "fix(backend): add missing kind definition for admin endpoints to improve security"
This reverts commit 5150053275
.
* frontend: 翻訳の抜けを訂正, read:adminとwrite:adminはアクセス発行トークンのデフォルトでは非表示にする
* enhance(test): misskey-ghsa-7pxq-6xx9-xpgmに関するテストを追加
* enhance(test): Websocket APIに対するテストも追加
* enhance(refactor): `@/misc/api-permissions.ts`を`misskey-js/permissions`に統合
* fix(frontend): アクセストークン発行UIで全ての権限を有効にした際、管理者用APIへのアクセスも許可してしまう問題を修正
* enhance(backend): Websocketの接続に最低限必要な権限を変更
* fix(backend): `/api/admin/meta`をサードパーティアプリケーションからはアクセスできないように
* fix(backend): エンドポイントにアクセスするために必要な権限を変更
* fix(frontend/locale): Add missing type declaration
* chore: update `misskey-js/src/autogen`
---------
Co-authored-by: tamaina <tamaina@hotmail.co.jp>
2023-12-28 09:45:54 +01:00
shiosyakeyakini
790f509ebe
fix(backend): 非センシティブのみ(リモートはいいねのみ)が昨日していない問題を修正 ( #12801 ) ( #12802 )
...
Co-authored-by: sorairo <sorairo@shiosyakeyakini.info>
Co-authored-by: syuilo <Syuilotan@yahoo.co.jp>
2023-12-28 09:45:15 +01:00
zyoshoka
8daff4a998
refactor(frontend): Reactivityで型を明示するように ( #12791 )
...
* refactor(frontend): Reactivityで型を明示するように
* fix: プロパティの参照が誤っているのを修正
* fix: 初期化の値を空配列に書き換えていた部分をnullに置き換え
2023-12-28 09:45:15 +01:00
anatawa12
34cdba6c11
fix: 自分のdirect noteがuser list timelineに追加されない ( #12782 )
...
* fix: 自分のdirect noteがuser list timelineに追加されない
* docs(changelog): Fix: 自分のdirect noteがuser list timelineに追加されない
2023-12-28 09:43:12 +01:00
Nya Candy
6f65091cef
fix: lint ( #12761 )
2023-12-28 09:42:47 +01:00
おさむのひと
f743cba26b
fix(backend): 1702718871541-ffVisibility.jsのdownが壊れている ( #12767 )
2023-12-28 09:42:47 +01:00
syuilo
42cc909c5b
enhance(backend): センシティブワードの設定がハッシュタグトレンドにも適用されるように
2023-12-28 09:42:47 +01:00
Marie
1f5256b99c
upd: mute reaction notifications if thread is muted
...
Closes #263
2023-12-27 23:53:37 +01:00
trivernis
06d110a773
Lock glob to exact package version 10.3.10
2023-12-27 21:02:10 +01:00
trivernis
93094bcb72
Keep only the changes to loading the config files using glob patterns
2023-12-27 16:35:14 +01:00
trivernis
df7f4aa3ec
Add support for glob syntax to config file env variables
...
This change allows loading config files using glob syntax, for
exakple `production-*.yml` to load all config files prefixed with
*production*. With this change the config file can also be configured
using two additional env variables `SHARKEY_CONFIG_YML`
and `SHARKEY_CONFIG_FILE`.
2023-12-27 16:08:37 +01:00
Trivernis
8b31c12607
Merge branch 'develop' into feature/config-dropdir
2023-12-27 14:11:42 +01:00
trivernis
64d34f595c
Change loadConfig to load all yaml files in the config directory
2023-12-27 14:09:59 +01:00
Marie
5bc036180f
upd: module versions
2023-12-25 21:37:13 +01:00
Marie
fd57c7e24c
merge: authorized fetch ( #247 )
...
Closes #217
2023-12-24 10:02:53 +01:00
dakkar
a3dd61dec4
fix logging
2023-12-23 21:27:48 +00:00
dakkar
e6c02909c7
fix typo
...
thanks @Marie
2023-12-23 20:11:53 +00:00
Marie
53365159e8
merge: real-time updates on note detail view ( #246 )
...
Closes #223
Reviewed-on: https://git.joinsharkey.org/Sharkey/Sharkey/pulls/246
Reviewed-by: Marie <marie@kaifa.ch>
2023-12-23 21:00:00 +01:00
dakkar
477cda0b63
authorized fetch: log when things go wrong
2023-12-23 15:26:42 +00:00
dakkar
1984416e3e
authorized fetch: let /@instance.actor through
...
this is probably never actually used, but it still looks like a good
idea (also, FireFish does it)
thanks @ShittyKoper for noticing!
2023-12-23 15:26:42 +00:00
dakkar
e5ea882ed7
authorized fetch #217
...
the implementation is copied from the other places we already check
HTTP signatures, and cross-checked with Firefish's implementation
2023-12-23 15:26:42 +00:00
Marie
6526968f2d
fix: check
2023-12-23 16:08:04 +01:00
dakkar
683b4aafb2
real-time updates on note detail view
...
`useNoteCapture` already subscribes to all updates for a note, so
we can tell it when a note gets replied to, too
Since I'm not actually adding any extra subscription in the client,
just an extra callback, there should be no overhead when replies are
not coming in.
Also, all the timelines already call `useNoteCapture` for each note
displayed, so we know the whole `GlobalEventService` thing works fine.
Many thanks to VueJS for taking care of all the DOM complications
2023-12-23 14:09:51 +00:00