diff options
| author | Eugen Rochko <eugen@zeonfederated.com> | 2020-06-02 19:24:53 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-06-02 19:24:53 +0200 |
| commit | 5d8398c8b8b51ee7363e7d45acc560f489783e34 (patch) | |
| tree | 1e0b663049feafdc003ad3c01b25bf5d5d793402 /config | |
| parent | 9b7e3b4774d47c184aa759364d41f40e0cdfa210 (diff) | |
Add E2EE API (#13820)
Diffstat (limited to 'config')
| -rw-r--r-- | config/brakeman.ignore | 228 | ||||
| -rw-r--r-- | config/initializers/doorkeeper.rb | 3 | ||||
| -rw-r--r-- | config/initializers/inflections.rb | 1 | ||||
| -rw-r--r-- | config/locales/en.yml | 4 | ||||
| -rw-r--r-- | config/routes.rb | 18 |
5 files changed, 138 insertions, 116 deletions
diff --git a/config/brakeman.ignore b/config/brakeman.ignore index 7e3828f7e..baa993c78 100644 --- a/config/brakeman.ignore +++ b/config/brakeman.ignore @@ -1,33 +1,13 @@ { "ignored_warnings": [ { - "warning_type": "Mass Assignment", - "warning_code": 105, - "fingerprint": "0117d2be5947ea4e4fbed9c15f23c6615b12c6892973411820c83d079808819d", - "check_name": "PermitAttributes", - "message": "Potentially dangerous key allowed for mass assignment", - "file": "app/controllers/api/v1/search_controller.rb", - "line": 30, - "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", - "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)", - "render_path": null, - "location": { - "type": "method", - "class": "Api::V1::SearchController", - "method": "search_params" - }, - "user_input": ":account_id", - "confidence": "High", - "note": "" - }, - { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "04dbbc249b989db2e0119bbb0f59c9818e12889d2b97c529cdc0b1526002ba4b", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/report.rb", - "line": 90, + "line": 112, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")", "render_path": null, @@ -47,7 +27,7 @@ "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/status.rb", - "line": 87, + "line": 100, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")", "render_path": null, @@ -61,39 +41,62 @@ "note": "" }, { - "warning_type": "Mass Assignment", - "warning_code": 105, - "fingerprint": "28d81cc22580ef76e912b077b245f353499aa27b3826476667224c00227af2a9", - "check_name": "PermitAttributes", - "message": "Potentially dangerous key allowed for mass assignment", - "file": "app/controllers/admin/reports_controller.rb", - "line": 56, - "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", - "code": "params.permit(:account_id, :resolved, :target_account_id)", - "render_path": null, + "warning_type": "Dynamic Render Path", + "warning_code": 15, + "fingerprint": "20a660939f2bbf8c665e69f2844031c0564524689a9570a0091ed94846212020", + "check_name": "Render", + "message": "Render path contains parameter value", + "file": "app/views/admin/action_logs/index.html.haml", + "line": 26, + "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", + "code": "render(action => Admin::ActionLogFilter.new(filter_params).results.page(params[:page]), {})", + "render_path": [ + { + "type": "controller", + "class": "Admin::ActionLogsController", + "method": "index", + "line": 8, + "file": "app/controllers/admin/action_logs_controller.rb", + "rendered": { + "name": "admin/action_logs/index", + "file": "app/views/admin/action_logs/index.html.haml" + } + } + ], "location": { - "type": "method", - "class": "Admin::ReportsController", - "method": "filter_params" + "type": "template", + "template": "admin/action_logs/index" }, - "user_input": ":account_id", - "confidence": "High", + "user_input": "params[:page]", + "confidence": "Weak", "note": "" }, { "warning_type": "Dynamic Render Path", "warning_code": 15, - "fingerprint": "4b6a895e2805578d03ceedbe1d469cc75a0c759eba093722523edb4b8683c873", + "fingerprint": "371fe16dc4c9d6ab08a20437d65be4825776107a67c38f6d4780a9c703cd44a5", "check_name": "Render", "message": "Render path contains parameter value", - "file": "app/views/admin/action_logs/index.html.haml", - "line": 4, + "file": "app/views/admin/email_domain_blocks/index.html.haml", + "line": 17, "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", - "code": "render(action => Admin::ActionLog.page(params[:page]), {})", - "render_path": [{"type":"controller","class":"Admin::ActionLogsController","method":"index","line":7,"file":"app/controllers/admin/action_logs_controller.rb","rendered":{"name":"admin/action_logs/index","file":"/home/eugr/Projects/mastodon/app/views/admin/action_logs/index.html.haml"}}], + "code": "render(action => EmailDomainBlock.where(:parent_id => nil).includes(:children).order(:id => :desc).page(params[:page]), {})", + "render_path": [ + { + "type": "controller", + "class": "Admin::EmailDomainBlocksController", + "method": "index", + "line": 10, + "file": "app/controllers/admin/email_domain_blocks_controller.rb", + "rendered": { + "name": "admin/email_domain_blocks/index", + "file": "app/views/admin/email_domain_blocks/index.html.haml" + } + } + ], "location": { "type": "template", - "template": "admin/action_logs/index" + "template": "admin/email_domain_blocks/index" }, "user_input": "params[:page]", "confidence": "Weak", @@ -106,7 +109,7 @@ "check_name": "Redirect", "message": "Possible unprotected redirect", "file": "app/controllers/remote_interaction_controller.rb", - "line": 21, + "line": 24, "link": "https://brakemanscanner.org/docs/warning_types/redirect/", "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))", "render_path": null, @@ -120,32 +123,13 @@ "note": "" }, { - "warning_type": "Dynamic Render Path", - "warning_code": 15, - "fingerprint": "67afc0d5f7775fa5bd91d1912e1b5505aeedef61876347546fa20f92fd6915e6", - "check_name": "Render", - "message": "Render path contains parameter value", - "file": "app/views/stream_entries/embed.html.haml", - "line": 3, - "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", - "code": "render(action => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :centered => true, :autoplay => ActiveModel::Type::Boolean.new.cast(params[:autoplay]) })", - "render_path": [{"type":"controller","class":"StatusesController","method":"embed","line":63,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/embed","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/embed.html.haml"}}], - "location": { - "type": "template", - "template": "stream_entries/embed" - }, - "user_input": "params[:id]", - "confidence": "Weak", - "note": "" - }, - { "warning_type": "SQL Injection", "warning_code": 0, "fingerprint": "6f075c1484908e3ec9bed21ab7cf3c7866be8da3881485d1c82e13093aefcbd7", "check_name": "SQL", "message": "Possible SQL injection", "file": "app/models/status.rb", - "line": 92, + "line": 105, "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/", "code": "result.joins(\"LEFT OUTER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")", "render_path": null, @@ -159,22 +143,43 @@ "note": "" }, { - "warning_type": "Dynamic Render Path", - "warning_code": 15, - "fingerprint": "8d843713d99e8403f7992f3e72251b633817cf9076ffcbbad5613859d2bbc127", - "check_name": "Render", - "message": "Render path contains parameter value", - "file": "app/views/admin/custom_emojis/index.html.haml", - "line": 45, - "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", - "code": "render(action => filtered_custom_emojis.eager_load(:local_counterpart).page(params[:page]), {})", - "render_path": [{"type":"controller","class":"Admin::CustomEmojisController","method":"index","line":11,"file":"app/controllers/admin/custom_emojis_controller.rb","rendered":{"name":"admin/custom_emojis/index","file":"/home/eugr/Projects/mastodon/app/views/admin/custom_emojis/index.html.haml"}}], + "warning_type": "Mass Assignment", + "warning_code": 105, + "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a", + "check_name": "PermitAttributes", + "message": "Potentially dangerous key allowed for mass assignment", + "file": "app/controllers/api/v2/search_controller.rb", + "line": 28, + "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", + "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)", + "render_path": null, "location": { - "type": "template", - "template": "admin/custom_emojis/index" + "type": "method", + "class": "Api::V2::SearchController", + "method": "search_params" }, - "user_input": "params[:page]", - "confidence": "Weak", + "user_input": ":account_id", + "confidence": "High", + "note": "" + }, + { + "warning_type": "Mass Assignment", + "warning_code": 105, + "fingerprint": "8f63dec68951d9bcf7eddb15af9392b2e1333003089c41fb76688dfd3579f394", + "check_name": "PermitAttributes", + "message": "Potentially dangerous key allowed for mass assignment", + "file": "app/controllers/api/v1/crypto/deliveries_controller.rb", + "line": 23, + "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/", + "code": "params.require(:device).permit(:account_id, :device_id, :type, :body, :hmac)", + "render_path": null, + "location": { + "type": "method", + "class": "Api::V1::Crypto::DeliveriesController", + "method": "resource_params" + }, + "user_input": ":account_id", + "confidence": "High", "note": "" }, { @@ -204,10 +209,22 @@ "check_name": "Render", "message": "Render path contains parameter value", "file": "app/views/admin/accounts/index.html.haml", - "line": 47, + "line": 54, "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", "code": "render(action => filtered_accounts.page(params[:page]), {})", - "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"index","line":12,"file":"app/controllers/admin/accounts_controller.rb","rendered":{"name":"admin/accounts/index","file":"/home/eugr/Projects/mastodon/app/views/admin/accounts/index.html.haml"}}], + "render_path": [ + { + "type": "controller", + "class": "Admin::AccountsController", + "method": "index", + "line": 12, + "file": "app/controllers/admin/accounts_controller.rb", + "rendered": { + "name": "admin/accounts/index", + "file": "app/views/admin/accounts/index.html.haml" + } + } + ], "location": { "type": "template", "template": "admin/accounts/index" @@ -219,40 +236,40 @@ { "warning_type": "Redirect", "warning_code": 18, - "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33", + "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50", "check_name": "Redirect", "message": "Possible unprotected redirect", - "file": "app/controllers/media_controller.rb", - "line": 14, + "file": "app/controllers/remote_follow_controller.rb", + "line": 21, "link": "https://brakemanscanner.org/docs/warning_types/redirect/", - "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))", + "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))", "render_path": null, "location": { "type": "method", - "class": "MediaController", - "method": "show" + "class": "RemoteFollowController", + "method": "create" }, - "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)", + "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)", "confidence": "High", "note": "" }, { "warning_type": "Redirect", "warning_code": 18, - "fingerprint": "bb7e94e60af41decb811bb32171f1b27e9bf3f4d01e9e511127362e22510eb11", + "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33", "check_name": "Redirect", "message": "Possible unprotected redirect", - "file": "app/controllers/remote_follow_controller.rb", - "line": 19, + "file": "app/controllers/media_controller.rb", + "line": 20, "link": "https://brakemanscanner.org/docs/warning_types/redirect/", - "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username])))", + "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))", "render_path": null, "location": { "type": "method", - "class": "RemoteFollowController", - "method": "create" + "class": "MediaController", + "method": "show" }, - "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username]))", + "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)", "confidence": "High", "note": "" }, @@ -275,27 +292,8 @@ "user_input": ":account_id", "confidence": "High", "note": "" - }, - { - "warning_type": "Dynamic Render Path", - "warning_code": 15, - "fingerprint": "fbd0fc59adb5c6d44b60e02debb31d3af11719f534c9881e21435bbff87404d6", - "check_name": "Render", - "message": "Render path contains parameter value", - "file": "app/views/stream_entries/show.html.haml", - "line": 23, - "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/", - "code": "render(partial => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { :locals => ({ Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :include_threads => true }) })", - "render_path": [{"type":"controller","class":"StatusesController","method":"show","line":34,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/show","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/show.html.haml"}}], - "location": { - "type": "template", - "template": "stream_entries/show" - }, - "user_input": "params[:id]", - "confidence": "Weak", - "note": "" } ], - "updated": "2019-02-21 02:30:29 +0100", - "brakeman_version": "4.4.0" + "updated": "2020-06-01 18:18:02 +0200", + "brakeman_version": "4.8.0" } diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb index e03380cec..63cff7c59 100644 --- a/config/initializers/doorkeeper.rb +++ b/config/initializers/doorkeeper.rb @@ -95,7 +95,8 @@ Doorkeeper.configure do :'admin:read:reports', :'admin:write', :'admin:write:accounts', - :'admin:write:reports' + :'admin:write:reports', + :crypto # Change the way client credentials are retrieved from the request object. # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then diff --git a/config/initializers/inflections.rb b/config/initializers/inflections.rb index 0667a542c..ebb7541eb 100644 --- a/config/initializers/inflections.rb +++ b/config/initializers/inflections.rb @@ -19,6 +19,7 @@ ActiveSupport::Inflector.inflections(:en) do |inflect| inflect.acronym 'ActivityStreams' inflect.acronym 'JsonLd' inflect.acronym 'NodeInfo' + inflect.acronym 'Ed25519' inflect.singular 'data', 'data' end diff --git a/config/locales/en.yml b/config/locales/en.yml index 116db4498..5943dd4f6 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -721,6 +721,10 @@ en: hint_html: "<strong>Tip:</strong> We won't ask you for your password again for the next hour." invalid_password: Invalid password prompt: Confirm password to continue + crypto: + errors: + invalid_key: is not a valid Ed25519 or Curve25519 key + invalid_signature: is not a valid Ed25519 signature date: formats: default: "%b %d, %Y" diff --git a/config/routes.rb b/config/routes.rb index 920a48fe7..31333999e 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -79,6 +79,7 @@ Rails.application.routes.draw do resource :outbox, only: [:show], module: :activitypub resource :inbox, only: [:create], module: :activitypub + resource :claim, only: [:create], module: :activitypub resources :collections, only: [:show], module: :activitypub end @@ -339,6 +340,23 @@ Rails.application.routes.draw do end end + namespace :crypto do + resources :deliveries, only: :create + + namespace :keys do + resource :upload, only: [:create] + resource :query, only: [:create] + resource :claim, only: [:create] + resource :count, only: [:show] + end + + resources :encrypted_messages, only: [:index] do + collection do + post :clear + end + end + end + resources :conversations, only: [:index, :destroy] do member do post :read |