merge: try to honour user blocks on AP requests - #248 (!456 )

View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/456
merge: hide images/videos in og cards, when under a CW - fixes #487 (!488 )
2024-11-22 04:23:09 +02:00 · 2024-04-12 13:11:40 +00:00 · 2024-04-11 20:40:38 +00:00 · 2024-04-11 18:00:40 +00:00 · 2024-04-11 17:21:32 +00:00 · 2024-04-11 10:07:25 +00:00
8 changed files with 46 additions and 10 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -11,7 +11,7 @@ testCommit:
  variables:
    POSTGRES_PASSWORD: ci
  script:
-    - apt-get update && apt-get install -y git wget curl build-essential python3 
+    - apt-get update && apt-get install -y git wget curl build-essential python3
    - cp .config/ci.yml .config/default.yml
    - corepack enable
    - corepack prepare pnpm@latest --activate
@ -55,6 +55,8 @@ getImageTag:
  only:
    - stable
    - develop
+    - tags
+
 buildDocker:
  stage: deploy
  needs:
@ -78,6 +80,8 @@ buildDocker:
  only:
    - stable
    - develop
+    - tags
+
 mergeManifests:
  stage: deploy
  needs:
@ -103,3 +107,4 @@ mergeManifests:
  only:
    - stable
    - develop
+    - tags
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
 	"name": "sharkey",
-	"version": "2024.3.1",
+	"version": "2024.3.2-devel",
 	"codename": "shonk",
 	"repository": {
 		"type": "git",
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@ -172,7 +172,7 @@
 		"stringz": "2.1.0",
 		"systeminformation": "5.22.0",
 		"tinycolor2": "1.6.0",
-		"tmp": "0.2.2",
+		"tmp": "0.2.3",
 		"tsc-alias": "1.8.8",
 		"tsconfig-paths": "4.2.0",
 		"typeorm": "0.3.20",
--- a/packages/backend/src/queue/processors/ImportNotesProcessorService.ts
+++ b/packages/backend/src/queue/processors/ImportNotesProcessorService.ts
@ -421,7 +421,7 @@ export class ImportNotesProcessorService {
 					if (file.name) {
 						this.driveService.updateFile(exists, { comment: file.name }, user);
 					}
-					
+
 					files.push(exists);
 				}
 			}
--- a/packages/backend/src/server/ActivityPubServerService.ts
+++ b/packages/backend/src/server/ActivityPubServerService.ts
@ -31,6 +31,7 @@ import type { MiNote } from '@/models/Note.js';
 import { QueryService } from '@/core/QueryService.js';
 import { UtilityService } from '@/core/UtilityService.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
+import { UserBlockingService } from '@/core/UserBlockingService.js';
 import { bindThis } from '@/decorators.js';
 import { IActivity } from '@/core/activitypub/type.js';
 import { isPureRenote } from '@/misc/is-pure-renote.js';
@ -78,6 +79,7 @@ export class ActivityPubServerService {
 		private metaService: MetaService,
 		private utilityService: UtilityService,
 		private userEntityService: UserEntityService,
+		private userBlockingService: UserBlockingService,
 		private instanceActorService: InstanceActorService,
 		private apRendererService: ApRendererService,
 		private apDbResolverService: ApDbResolverService,
@ -206,6 +208,17 @@ export class ActivityPubServerService {
 			return true;
 		}

+		if (userId) {
+			/* this check is not really effective, because most requests we
+				 get are signed by the remote instance user, not the user
+				 who's requesting the information 😭 */
+			const blocked = await this.userBlockingService.checkBlocked(userId, authUser.user.id);
+			if (blocked) {
+				reply.code(401);
+				return true;
+			}
+		}
+
 		let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);

 		if (!httpSignatureValidated) {
@ -706,6 +719,8 @@ export class ActivityPubServerService {
 				return;
 			}

+			if (await this.shouldRefuseGetRequest(request, reply, note.userId)) return;
+
 			// リモートだったらリダイレクト
 			if (note.userHost != null) {
 				if (note.uri == null || this.utilityService.isSelfHost(note.userHost)) {
@ -739,6 +754,8 @@ export class ActivityPubServerService {
 				return;
 			}

+			if (await this.shouldRefuseGetRequest(request, reply, note.userId)) return;
+
 			if (!this.config.checkActivityPubGetSignature) reply.header('Cache-Control', 'public, max-age=180');
 			this.setResponseType(request, reply);
 			return (this.apRendererService.addContext(await this.packActivity(note)));
@ -861,6 +878,8 @@ export class ActivityPubServerService {
 				return;
 			}

+			if (await this.shouldRefuseGetRequest(request, reply, note.userId)) return;
+
 			if (!this.config.checkActivityPubGetSignature) reply.header('Cache-Control', 'public, max-age=180');
 			this.setResponseType(request, reply);
 			return (this.apRendererService.addContext(await this.apRendererService.renderLike(reaction, note)));
@ -868,7 +887,7 @@ export class ActivityPubServerService {

 		// follow
 		fastify.get<{ Params: { follower: string; followee: string; } }>('/follows/:follower/:followee', async (request, reply) => {
-			if (await this.shouldRefuseGetRequest(request, reply)) return;
+			if (await this.shouldRefuseGetRequest(request, reply, request.params.follwer)) return;

 			// This may be used before the follow is completed, so we do not
 			// check if the following exists.
@ -910,6 +929,8 @@ export class ActivityPubServerService {
 				return;
 			}

+			if (await this.shouldRefuseGetRequest(request, reply, followRequest.followerId)) return;
+
 			const [follower, followee] = await Promise.all([
 				this.usersRepository.findOneBy({
 					id: followRequest.followerId,
--- a/packages/backend/src/server/FileServerService.ts
+++ b/packages/backend/src/server/FileServerService.ts
@ -192,6 +192,7 @@ export class FileServerService {
 						reply.header('Content-Range', `bytes ${start}-${end}/${file.file.size}`);
 						reply.header('Accept-Ranges', 'bytes');
 						reply.header('Content-Length', chunksize);
+						reply.code(206);
 					} else {
 						image = {
 							data: fs.createReadStream(file.path),
@ -261,7 +262,6 @@ export class FileServerService {
 					const parts = range.replace(/bytes=/, '').split('-');
 					const start = parseInt(parts[0], 10);
 					let end = parts[1] ? parseInt(parts[1], 10) : file.file.size - 1;
-					console.log(end);
 					if (end > file.file.size) {
 						end = file.file.size - 1;
 					}
@ -431,6 +431,7 @@ export class FileServerService {
 					reply.header('Content-Range', `bytes ${start}-${end}/${file.file.size}`);
 					reply.header('Accept-Ranges', 'bytes');
 					reply.header('Content-Length', chunksize);
+					reply.code(206);
 				} else {
 					image = {
 						data: fs.createReadStream(file.path),
@ -527,6 +528,9 @@ export class FileServerService {
 		if (!file.storedInternal) {
 			if (!(file.isLink && file.uri)) return '204';
 			const result = await this.downloadAndDetectTypeFromUrl(file.uri);
+			if (!file.size) {
+				file.size = (await fs.promises.stat(result.path)).size;
+			}
 			return {
 				...result,
 				url: file.uri,
--- a/packages/backend/src/server/web/views/note.pug
+++ b/packages/backend/src/server/web/views/note.pug
@ -5,8 +5,8 @@ block vars
 	- const title = user.name ? `${user.name} (@${user.username})` : `@${user.username}`;
 	- const url = `${config.url}/notes/${note.id}`;
 	- const isRenote = note.renote && note.text == null && note.fileIds.length == 0 && note.poll == null;
-	- const images = (note.files || []).filter(file => file.type.startsWith('image/') && !file.isSensitive)
-	- const videos = (note.files || []).filter(file => file.type.startsWith('video/') && !file.isSensitive)
+	- const images = note.cw ? [] : (note.files || []).filter(file => file.type.startsWith('image/') && !file.isSensitive)
+	- const videos = note.cw ? [] : (note.files || []).filter(file => file.type.startsWith('video/') && !file.isSensitive)

 block title
 	= `${title} | ${instanceName}`
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -392,8 +392,8 @@ importers:
        specifier: 1.6.0
        version: 1.6.0
      tmp:
-        specifier: 0.2.2
-        version: 0.2.2
+        specifier: 0.2.3
+        version: 0.2.3
      tsc-alias:
        specifier: 1.8.8
        version: 1.8.8
@ -18813,6 +18813,12 @@ packages:
    engines: {node: '>=14'}
    dependencies:
      rimraf: 5.0.5
+    dev: true
+
+  /tmp@0.2.3:
+    resolution: {integrity: sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==}
+    engines: {node: '>=14.14'}
+    dev: false

  /tmpl@1.0.5:
    resolution: {integrity: sha512-3f0uOEAQwIqGuWW2MVzYg8fV/QNnc/IpuJNG837rLuczAaLVHslWHZQj4IGiEl5Hs3kkbhwL9Ab7Hrsmuj+Smw==}
Author	SHA1	Message	Date
dakkar	14eb42c5ef	merge: try to honour user blocks on AP requests - #248 (!456 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/456	2024-04-12 13:11:40 +00:00
dakkar	e0afeff248	merge: hide images/videos in og cards, when under a CW - fixes #487 (!488 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/488 Closes #487 Approved-by: Marie <marie@kaifa.ch> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>	2024-04-11 20:40:38 +00:00
Marie	cfc8081cec	merge: bump tmp@0.2.3 - fixes #464 (!475 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/475 Closes #464 Approved-by: Marie <marie@kaifa.ch> Approved-by: Luna <her@mint.lgbt> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>	2024-04-11 18:00:40 +00:00
Marie	011ccd3a9a	merge: bump `devel` version (!486 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/486 Approved-by: Marie <marie@kaifa.ch> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>	2024-04-11 17:21:32 +00:00
Amelia Yukii	28065fc1d1	merge: handle ranged requests for proxied files - fixes #494 (!490 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/490 Closes #494 Approved-by: Amelia Yukii <amelia.yukii@shourai.de> Approved-by: Marie <marie@kaifa.ch>	2024-04-11 10:07:25 +00:00
dakkar	960f4fcff7	detect size of remote files - fixes #494 without this, remote files are assumed to have size 0 (even if we just downloaded them!) and the range-related code won't run	2024-04-09 16:21:30 +01:00
dakkar	92eec2178f	return 206 for every ranged response - fixes #494	2024-04-09 15:42:29 +01:00
dakkar	56dca6dbf5	hide images/videos in og cards, when under a CW - fixes #487	2024-04-07 16:58:13 +01:00
dakkar	2a634e0309	bump devel version	2024-03-30 12:48:03 +00:00
dakkar	e6970a0e7c	Merge branch 'stable' into bump-devel-version	2024-03-30 12:44:31 +00:00
Amelia Yukii	571272a564	merge: release 2024.3.2 (!485 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/485 Approved-by: Amelia Yukii <amelia.yukii@shourai.de>	2024-03-30 11:19:08 +00:00
dakkar	30bb0f60a2	version bump	2024-03-30 11:09:00 +00:00
dakkar	328546c4cd	Merge branch 'develop' into release/2024-03-30	2024-03-30 11:08:26 +00:00
dakkar	f4e89f2e6b	bump tmp@0.2.3 - fixes #464 see also https://github.com/raszi/node-tmp/issues/295	2024-03-19 17:13:43 +00:00
dakkar	606531a4b3	try to honour user blocks on AP requests - #248 as the comment says, this doesn't really work, because requests can be signed by the remote instance actor instead of the real remote user e.g. Misskey (and us) seems to always sign as the instance actor when fetching notes ☹	2024-03-03 14:54:36 +00:00
dakkar	2cad97c1ab	merge: release 2024.3.1 (!449 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/449 Approved-by: Amelia Yukii <amelia.yukii@shourai.de> Approved-by: Marie <marie@kaifa.ch>	2024-03-02 17:43:24 +00:00
dakkar	6ecfe7c7c3	remove duplicate method	2024-03-02 17:34:31 +00:00
dakkar	23f476dbf3	Merge branch 'develop' into release/2024.3.1	2024-03-02 17:28:34 +00:00
Amelia Yukii	7a1251423f	merge: Add missing IMPORTANT_NOTES.md from Sharkey/OldJoinSharkey (!443 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/443 Approved-by: dakkar <dakkar@thenautilus.net> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>	2024-02-24 18:20:48 +00:00
Marie	7f5492a395	Add missing IMPORTANT_NOTES.md from Sharkey/OldJoinSharkey	2024-02-24 18:20:48 +00:00
Amelia Yukii	11d9fd9199	merge: import upstream ssrf fix on our stable (!425 ) View MR for information: https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/425 Approved-by: Leah <kevinlukej@gmail.com> Approved-by: Amelia Yukii <amelia.yukii@shourai.de>	2024-02-17 13:06:47 +00:00
syuilo	6132bc3b3e	fix of `9a70ce8f5e` Co-Authored-By: RyotaK <49341894+Ry0taK@users.noreply.github.com>	2024-02-17 12:54:45 +00:00
dakkar	fef7a7b99a	bump version	2024-02-17 12:38:01 +00:00
tamaina	1948ca9aa8	Merge pull request from GHSA-qqrm-9grj-6v32	2024-02-17 12:36:44 +00:00
Amelia Yukii	848e1f9a56	version is better (cherry picked from commit `fb455e4fd9`)	2024-02-01 16:11:48 +00:00
Amelia Yukii	9c4353ee79	Update .gitlab-ci.yml (cherry picked from commit `8c5818acf0`)	2024-02-01 16:10:47 +00:00
Amelia Yukii	a6e257f502	Merge branch 'feture/code-injection-fix' into 'develop' CVE: Fixed code injection from twitter import See merge request TransFem-org/Sharkey!390 (cherry picked from commit `127f8556d4`) `2a8e93e4` Fixed code injection from twitter import	2024-02-01 15:07:35 +00:00
Amelia Yukii	310e1a1262	Merge branch 'Amelia-stable-patch-29368' into 'stable' Update docker-compose_example.yml See merge request TransFem-org/Sharkey!389	2024-02-01 14:44:14 +00:00
Amelia Yukii	15f3c046d1	Update docker-compose_example.yml	2024-02-01 14:42:19 +00:00
Amelia Yukii	01d695428a	Revert "build stable with stable tag" This reverts commit `acf3e3460f`	2024-02-01 14:15:10 +00:00
Amelia Yukii	acf3e3460f	build stable with stable tag	2024-02-01 14:00:56 +00:00
Amelia Yukii	4c8116859c	Revert "Merge branch 'cherry-pick-3b2d47b1' into 'stable'" This reverts merge request !386	2024-02-01 13:55:44 +00:00
Amelia Yukii	0e13397db7	Merge branch 'cherry-pick-3b2d47b1' into 'stable' build stable with stable tag See merge request TransFem-org/Sharkey!386	2024-02-01 13:41:34 +00:00
Amelia Yukii	ad8818508f	Update file .gitlab-ci.yml (cherry picked from commit `3b2d47b1e3`)	2024-02-01 13:38:19 +00:00
Amelia Yukii	d444ee662f	Merge branch 'cherry-pick-522ab39d' into 'stable' Merge branch 'gitlab-ci' into 'develop' See merge request TransFem-org/Sharkey!383	2024-02-01 10:23:23 +00:00
Amelia Yukii	4c354fff2d	Merge branch 'gitlab-ci' into 'develop'	2024-02-01 10:23:23 +00:00
Marie	b81448edf6	merge: release 2023.12.0	2023-12-31 23:19:41 +01:00
Marie	134d2895f0	fix: merge conflict	2023-12-31 23:11:15 +01:00
Marie	7ba8fde9b9	chore: change version	2023-12-31 22:49:43 +01:00
Marie	1022280465	release: 2023.11.2	2023-12-01 00:01:19 +01:00
Marie	021d3924e6	chore: change version	2023-11-30 23:57:04 +01:00
Mar0xy	b6d50d781f	Merge branch 'stable' of https://github.com/transfem-org/Sharkey into stable	2023-11-26 18:47:44 +01:00
Mar0xy	1d411bb885	chore: fix locales	2023-11-26 18:47:20 +01:00
Marie	f7afd1ae4a	release: 2023.11.1	2023-11-26 17:28:42 +01:00
Marie	1ef1f2a03c	Merge branch 'stable' into release/2023.11.1	2023-11-26 17:26:30 +01:00
Marie	829ce4f86a	merge: 2023.11.0	2023-11-07 20:16:20 +01:00
Mar0xy	6d5d863150	merge: last minute changes	2023-11-07 20:07:53 +01:00
Marie	fc7d4bc420	chore: set release version	2023-11-07 19:39:18 +01:00